An operator that automates the deployment and lifecycle management of the ExploitIQ Stack on OpenShift and Kubernetes clusters.
For the fastest deployment on OpenShift using OperatorHub:

- Create a project:

  ```shell
  oc new-project exploit-iq
  ```

- Install the operator from OperatorHub (web console: Operators → OperatorHub → ExploitIQ)
- Create the required Secrets (refer to Prerequisites)
- Deploy the stack:

  ```shell
  oc apply -f config/samples/exploitiq_v1alpha1_exploitiqstack.yaml
  ```

For Kubernetes installations or advanced configurations, refer to the sections below.
The operator manages the following components:

- Argilla: User feedback collection and management
- Cache: Reverse proxy and cache for external APIs (NVD, GitHub, FIRST, NVIDIA NIM, OpenAI)
- ComponentSyncer: Primary orchestrator for product analysis
- Database: MongoDB instance
- Engine: Primary analysis engine
- WebApp: Quarkus-based UI and API

Supported platforms:

- OpenShift: Version 4.16 or later (recommended)
- Kubernetes: Version 1.29 or later with persistent storage
- Kubernetes only: Ingress controller (optional, for external access)
The operator does not manage sensitive credentials. Create the following Secrets in your application namespace before deploying the stack. All Secret manifests use stringData for plain-text values, which the API server automatically encodes.
The Cache and WebApp components require API keys for external services.
Obtaining API keys:

- ghsa_api_key: GitHub Personal Access Token for the GitHub Security Advisory API. Generate at https://github.com/settings/tokens with appropriate scopes
- nvidia_api_key: NVIDIA NGC API key from https://org.ngc.nvidia.com
- serpapi_api_key: SerpAPI key from https://serpapi.com/manage-api-key
For additional details, refer to the upstream README.
Create the Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: exploit-iq-secret
type: Opaque
stringData:
  ghsa_api_key: "YOUR_KEY"
  ngc_api_key: "YOUR_KEY"
  nvd_api_key: "YOUR_KEY"
  nvidia_api_key: "YOUR_KEY"
  registry_redhat_password: "YOUR_KEY"
  registry_redhat_username: "YOUR_KEY"
  serpapi_api_key: "YOUR_KEY"
```

The Engine and WebApp components require credentials to pull images from the Quay private registry.
- Log in to Quay:

  ```shell
  podman login quay.io
  ```

- Create the pull Secret:

  ```shell
  # Note: podman stores credentials in ${XDG_RUNTIME_DIR}/containers/auth.json by default.
  # Either pass --authfile ${HOME}/.docker/config.json to podman login or point the
  # command below at that auth.json file.
  cat ${HOME}/.docker/config.json | jq '{auths: {"quay.io": .auths["quay.io"]}}' > quay-pull-secret.json
  oc create secret generic exploit-iq-pull-secret \
    --from-file=.dockerconfigjson=quay-pull-secret.json \
    --type=kubernetes.io/dockerconfigjson
  rm quay-pull-secret.json
  ```
The operator requires credentials to pull images from the Red Hat registry for product scanning features. Create a registry service account before completing these steps.

The WebApp references this Secret with the default name image-registry-credentials:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: image-registry-credentials
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: "<BASE64_DOCKER_CONFIG_JSON>"
```

On OpenShift, if you want to provide your own OAuth client secret and base domain for the OpenShift OAuthClient, create the following Secret. If this Secret does not exist, the operator generates a random client secret and determines the base domain automatically.
- Generate an OAuth client secret (16+ characters recommended):

  ```shell
  openssl rand -base64 32
  ```

- Retrieve your cluster base domain:

  ```shell
  oc get dns cluster -o jsonpath='{.spec.baseDomain}'
  ```

- Create the Secret:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: oauth-client-secret
  type: Opaque
  stringData:
    client-secret: "<OAUTH_CLIENT_SECRET>"
    openshift-domain: "<CLUSTER_BASE_DOMAIN>"
  ```

On Kubernetes with OIDC sidecar authentication, use spec.auth.oidc.clientSecretRef in the ExploitIQStack CR instead. Refer to config/samples/exploitiq_v1alpha1_exploitiqstack_kubernetes_oidc.yaml for an example.
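Because the operator does not manage these credentials, a missing Secret or a Secret with a misspelled key only surfaces later as a pod that fails to pull or a component that cannot reach its upstream API. The following preflight script is an added example, not part of the operator repository: it checks that each Secret named above exists in the target namespace and carries every key shown in the manifests. The Secret names and key names are taken from the manifests in this README; the namespace is passed as an argument, and `oc` is assumed to be logged in to the cluster.

```shell
#!/bin/sh
# Preflight check for the ExploitIQ Secrets (added example, not operator code).
# Verifies that each required Secret exists in a namespace and has every key
# the stack components read. Requires a logged-in `oc` only for the live checks;
# the pure-shell helpers can be exercised without a cluster.

# Required keys per Secret, taken from the manifests in this README.
required_keys_for() {
  case "$1" in
    exploit-iq-secret)
      echo "ghsa_api_key ngc_api_key nvd_api_key nvidia_api_key registry_redhat_password registry_redhat_username serpapi_api_key" ;;
    exploit-iq-pull-secret|image-registry-credentials)
      echo ".dockerconfigjson" ;;
    *)
      echo "" ;;
  esac
}

# missing_keys SECRET_NAME "space-separated keys present"
# Prints the required keys that are not in the present list (empty if complete).
missing_keys() {
  secret="$1"
  present=" $2 "
  missing=""
  for k in $(required_keys_for "$secret"); do
    case "$present" in
      *" $k "*) ;;
      *) missing="$missing $k" ;;
    esac
  done
  echo "${missing# }"
}

# present_keys SECRET_NAME NAMESPACE
# Lists the keys of .data in the live Secret (key names only, never values).
present_keys() {
  oc get secret "$1" -n "$2" \
    -o go-template='{{range $k, $v := .data}}{{$k}} {{end}}' 2>/dev/null
}

# preflight NAMESPACE -> exit status 0 only when every Secret is present and complete.
preflight() {
  ns="$1"
  rc=0
  for s in exploit-iq-secret exploit-iq-pull-secret image-registry-credentials; do
    if ! oc get secret "$s" -n "$ns" >/dev/null 2>&1; then
      echo "MISSING: secret/$s not found in namespace $ns"
      rc=1
      continue
    fi
    m=$(missing_keys "$s" "$(present_keys "$s" "$ns")")
    if [ -n "$m" ]; then
      echo "INCOMPLETE: secret/$s lacks keys: $m"
      rc=1
    else
      echo "OK: secret/$s"
    fi
  done
  return $rc
}

# Usage: sh preflight.sh <namespace>  (the live checks run only when a namespace is given)
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

Run it against the project you created (for example `sh preflight.sh exploit-iq`) before applying the ExploitIQStack CR; a non-zero exit status means at least one Secret is absent or incomplete. The script reads only key names from the cluster, so its output can be pasted into a support ticket without disclosing credential values. The oauth-client-secret Secret is deliberately not checked, because the operator generates it when it is absent.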
- Build and push your own catalog image (refer to Building a CatalogSource for details):

  ```shell
  make catalog-build catalog-push CATALOG_IMG=<your-registry>/exploit-iq-operator-catalog:latest
  ```

- Create a CatalogSource in the openshift-marketplace namespace:

  ```shell
  oc create -f - <<EOF
  apiVersion: operators.coreos.com/v1alpha1
  kind: CatalogSource
  metadata:
    name: exploit-iq-catalog
    namespace: openshift-marketplace
  spec:
    displayName: ExploitIQ
    image: '<your-catalog-image>'
    publisher: Red Hat
    sourceType: grpc
    updateStrategy:
      registryPoll:
        interval: 15m
  EOF
  ```

- Wait for the CatalogSource pod to become ready:

  ```shell
  oc -n openshift-marketplace wait --for=condition=Ready pod \
    -l olm.catalogSource=exploit-iq-catalog --timeout=300s
  ```

- Install the operator from the web console:
  - Navigate to Operators → OperatorHub
  - Select the ExploitIQ source
  - Select the operator
  - Click Install

- Wait for the operator to become ready:

  ```shell
  oc wait --for=condition=ready pod \
    -l app.kubernetes.io/name=exploit-iq-operator \
    -n exploit-iq-operator-system \
    --timeout=300s
  ```
After installing the operator, create an ExploitIQStack instance:

- Create or select your project:

  ```shell
  oc new-project exploit-iq
  ```

- Create the required Secrets (refer to Prerequisites)
- Create the ExploitIQStack instance:

  ```shell
  oc apply -f config/samples/exploitiq_v1alpha1_exploitiqstack.yaml
  ```

Example minimal CR:

```yaml
apiVersion: exploitiq.openshift.io/v1alpha1
kind: ExploitIQStack
metadata:
  name: example
spec:
  engine:
    pullSecretRef:
      name: exploit-iq-pull-secret
  webApp:
    registryCredentialsSecretRef:
      name: image-registry-credentials
```

The operator reconciles the CR and deploys all stack components.

For Kubernetes installations (without OLM), refer to docs/installing_kubernetes.md.
Delete all ExploitIQStack custom resources:

```shell
oc delete exploitiqstack --all -n <namespace>
```

Or delete a specific instance:

```shell
oc delete -f config/samples/exploitiq_v1alpha1_exploitiqstack.yaml
```

For OLM-based installations, uninstall the operator from the web console (Operators → Installed Operators) or using the oc CLI.
For Kubernetes installations using make deploy, refer to docs/installing_kubernetes.md.
For building, testing, and contributing to the operator, refer to docs/developing.md.