feat: bundle XTM One in the default stack #574
Conversation
Thank you for your contribution, but we need you to sign your commits. Please see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
Adds XTM One alongside OpenCTI in the default compose:

- New pgsql-copilot service (pgvector/pgvector:pg17) for XTM One's vector store, with dedicated credentials.
- New xtm-one + xtm-one-worker services on port 4000, sharing the existing redis and minio.
- PLATFORM_REGISTRATION_TOKEN shared secret plumbed into the opencti service (XTM__XTM_ONE_URL / XTM__XTM_ONE_TOKEN) and into XTM One (OPENCTI_* federation env vars).
- .env.sample documents the new XTM ONE block.

Refs XTM-One-Platform/xtm-one#1011
5e4bc64 to ff2ee3a
- Set APP__BASE_URL=http://opencti:8080 so OpenCTI validates the JWT
audience claim correctly (was using the external URL which doesn't
match what XTM One puts in the token).
- Set BASE_URL=http://xtm-one:4000 so the JWT issuer claim points to
the internal Docker hostname (OpenCTI fetches JWKS from {iss}/xtm/auth/jwks).
- Align XTM_ONE_ADMIN_EMAIL with OPENCTI_ADMIN_EMAIL so the JWT email
claim resolves to an existing user in OpenCTI.
- Use lowercase 'changeme' for XTM_ONE_ADMIN_PASSWORD to match OpenCTI convention.
✅ Tested: OpenCTI + XTM One Docker Setup

Clean steps to reproduce

```bash
# 1. Clone repos side-by-side
git clone git@github.com:OpenCTI-Platform/docker.git opencti-docker
git clone git@github.com:XTM-One-Platform/xtm-one.git xtm-one
cd opencti-docker
git checkout feat/xtm-one-default

# 2. Create .env from sample (only 3 values MUST be changed)
cp .env.sample .env
sed -i "s/OPENCTI_ADMIN_TOKEN=ChangeMe_UUIDv4/OPENCTI_ADMIN_TOKEN=$(uuidgen)/" .env
sed -i "s|OPENCTI_ENCRYPTION_KEY=ChangeMeWithGeneratedBase64Key|OPENCTI_ENCRYPTION_KEY=$(openssl rand -base64 32)|" .env
sed -i "s/XTM_ONE_SECRET_KEY=ChangeMeWithGeneratedRandomString/XTM_ONE_SECRET_KEY=$(openssl rand -hex 32)/" .env

# 3. Build and start
docker compose up -d --build

# 4. Wait (~1-2 min) then verify
docker compose ps   # all services healthy
```
Credentials
What was verified
Key fixes in this commit
Dependency

Requires XTM-One-Platform/xtm-one#1070 (
Updated: Build from local XTM One clone

The compose file now includes

```bash
# Clone both repos side-by-side
git clone git@github.com:OpenCTI-Platform/docker.git opencti-docker
git clone git@github.com:XTM-One-Platform/xtm-one.git xtm-one
cd opencti-docker
git checkout feat/xtm-one-default

# Create .env and start
cp .env.sample .env
sed -i "s/OPENCTI_ADMIN_TOKEN=ChangeMe_UUIDv4/OPENCTI_ADMIN_TOKEN=$(uuidgen)/" .env
sed -i "s|OPENCTI_ENCRYPTION_KEY=ChangeMeWithGeneratedBase64Key|OPENCTI_ENCRYPTION_KEY=$(openssl rand -base64 32)|" .env
sed -i "s/XTM_ONE_SECRET_KEY=ChangeMeWithGeneratedRandomString/XTM_ONE_SECRET_KEY=$(openssl rand -hex 32)/" .env

# Build and start
docker compose up -d --build
```
Closing in favor of a new PR from the upstream branch (same changes).
Objective

Adds XTM One alongside OpenCTI in the default Docker stack so `docker compose up -d` brings the full XTM One + OpenCTI experience by default.

Refs XTM-One-Platform/xtm-one#1011. Companion PRs:

Changes

New services

- `pgsql-copilot` (`pgvector/pgvector:pg17`): Postgres + pgvector instance dedicated to XTM One, with its own credentials.
- `xtm-one`: exposes the XTM One UI/API on `${XTM_ONE_PORT}` (default `4000`), reuses the existing `redis` and `minio`.
- `xtm-one-worker`: async worker, depends on `xtm-one` being healthy.

Inter-platform wiring

- `PLATFORM_REGISTRATION_TOKEN` shared secret.
- `opencti` service now receives `XTM__XTM_ONE_URL` / `XTM__XTM_ONE_TOKEN`.
- `xtm-one` service receives `OPENCTI_*` federation env vars (URL, internal API URL, admin token).

Documentation

- `.env.sample` gets a new `XTM ONE` block documenting admin credentials, image tag, dedicated Postgres credentials, S3 bucket, optional license, and the shared `PLATFORM_REGISTRATION_TOKEN`.

Scope

- `docker-compose.yml` is touched. `docker-compose.dev.yml` and `docker-compose.opensearch.yml` are intentionally left alone for now and will be handled in follow-ups if needed.

Verification

The same configuration has been validated end-to-end inside the unified xtm-docker stack (companion PR FiligranHQ/xtm-docker#15): all services reach healthy, OpenCTI and XTM One register successfully via `PLATFORM_REGISTRATION_TOKEN`, and cross-platform features work as expected.

Notes

- `OPENCTI_ENCRYPTION_KEY` must be a 32-byte base64 string (`openssl rand -base64 32`), not a UUID. The placeholder in `.env.sample` already hints at this; happy to add a more explicit comment if reviewers want.
- FiligranHQ/xtm-docker (canonical source). Keeping it minimal so future syncs stay easy.