Skip to content

Configuration

All configuration ships as Kubernetes Secrets, one per service (no ConfigMaps). Each service loads its Secret via envFrom. Copy each example, fill in the values, and keep the filled copies out of version control. Integration keys use codenames rather than vendor brands.

The backend and the three workers (ai-worker, asm-worker, brand-worker) run the same image and share one Secret.

backend.secret.example.yaml
# All env for the backend and the three workers (ai-worker, asm-worker,
# brand-worker) in a single Secret. They share the same image and env.
# Copy to backend.secret.yaml, fill in, and never commit the filled copy.
# Integration keys use codenames rather than vendor brands.
apiVersion: v1
kind: Secret
metadata:
name: zenintel-backend-secret
namespace: zenintel
type: Opaque
stringData:
# --- Core ---
PORT: "8080"
DOMAIN: "zen-intel.example.com"
SSL_EMAIL: "ops@example.com"
IN_PROCESS_WORKERS: "false"
AI_SERVICE_URL: "http://ai-service:8081"
BACKEND_URL: "http://backend:8080/api/"
ARTICLE_BACKEND_URL: "https://articles.example.com"
FRONTEND_URL: "https://zen-intel.example.com/"
JWT_SECRET: "CHANGEME-generate-a-64-char-random-string"
DEFAULT_ADMIN_PASSWORD: "CHANGEME"
# --- Data services ---
# PostgreSQL comes from CloudNativePG (read/write Service postgres-rw).
# This password must match the zenintel-pg-app secret in data/postgres.yaml.
DATABASE_URL: "postgres://zenintel:CHANGEME@postgres-rw:5432/zenintel?sslmode=require"
POSTGRES_DB: "zenintel"
CACHE_PROVIDER: "redis"
REDIS_ADDR: "redis:6379"
REDIS_PASSWORD: "CHANGEME"
REDIS_DB: "0"
# Reserved. The app does not consume RabbitMQ yet, but the broker is deployed.
RABBITMQ_URL: "amqp://zenintel:CHANGEME@rabbitmq:5672/"
# --- LLM Service ---
LLM_API_KEY: ""
# --- Upstream API endpoints ---
PHANTOM_API_URL: "https://phantom.example.com/api"
OSINT_LOOKUP_API_URL: "https://osint-lookup.example.com"
VIRUS_SCANNER_API_URL: "https://virus-scanner.example.com/api/v3"
MALWARE_FEED_API_URL: "https://malware-feed.example.com/api/v1/"
DARKWEB_WATCHER_BASE_URL: "https://darkweb-watcher.example.com/api/public"
XTI_BASE_URL: "https://xti.example.com/api/"
# --- Integration keys ---
PHANTOM_API_KEY: ""
OSINT_LOOKUP_API_KEY: ""
VIRUS_SCANNER_API_KEY: ""
MALWARE_FEED_API_KEY: ""
EXPOSURE_SCANNER_API_KEY: ""
SEARCH_PROVIDER_API_KEY: ""
CERT_MONITOR_API_KEY: ""
GITHUB_TOKEN: ""
VULN_DB_CVE_API_KEY: ""
VULN_DB_NVD_API_KEY: ""
XTI_API_KEY: ""
# --- Bundled scan tools ---
PORT_SCANNER_ENABLED: "true"
PORT_SCANNER_PATH: "nmap"
PORT_SCANNER_ARGS: "-sV -sC -T4 --top-ports 1000"
DOMAIN_MONITOR_PATH: "dnstwist"
SUBFINDER_PATH: "subfinder"
HTTPX_PATH: "httpx"
NAABU_PATH: "naabu"
NAABU_PORTS: "1-65535"
TLSX_PATH: "tlsx"
UNCOVER_PATH: "uncover"
ASNMAP_PATH: "asnmap"
KATANA_PATH: "katana"
CLOUDLIST_PATH: "cloudlist"
CLOUDLIST_CONFIG: ""
VULN_SCANNER_ENABLED: "true"
VULN_SCANNER_PATH: "nuclei"
VULN_SCANNER_TEMPLATES: ""
VULN_SCANNER_SEVERITY: "medium,high,critical"
# --- ASM ---
ASM_ALERT_CHANNELS: "telegram"
ASM_AUTO_PROMOTE_HIGH: "true"
ASM_AUTO_EXTRACT_IOCS: "true"
# --- Intel Sharing Platform ---
INTEL_SHARING_ENABLED: "false"
INTEL_SHARING_BASE_URL: ""
INTEL_SHARING_API_KEY: ""
INTEL_SHARING_VERIFY_SSL: "true"
INTEL_SHARING_POLL_INTERVAL: "30m"
INTEL_SHARING_LOOKBACK_HOURS: "24"
INTEL_SHARING_MAX_ATTR_PER_POLL: "1000"
INTEL_SHARING_MAX_EVENTS_PER_POLL: "100"
# --- Intel Knowledge Base ---
INTEL_KB_ENABLED: "false"
INTEL_KB_URL: ""
INTEL_KB_API_KEY: ""
INTEL_KB_VERIFY_SSL: "true"
INTEL_KB_POLL_INTERVAL: "30m"
INTEL_KB_LOOKBACK_HOURS: "6"
INTEL_KB_MIN_SCORE: "50"
# --- Quotas ---
AI_DAILY_TASK_LIMIT_PER_USER: "50"
AI_DAILY_CHAT_LIMIT_PER_USER: "200"
INTEL_DAILY_TASK_LIMIT_PER_USER: "100"
INTEL_DAILY_QUERY_LIMIT_PER_USER: "500"
# --- Alert channels ---
TELEGRAM_BOT_TOKEN: ""
TELEGRAM_BOT_USERNAME: ""
TELEGRAM_WEBHOOK_SECRET: ""
SLACK_WEBHOOK_URL: ""
TEAMS_WEBHOOK_URL: ""
# --- Payment ---
PAYMENT_API_BASE_URL: ""
PAYMENT_SECRET_KEY: ""
PAYMENT_WEBHOOK_TOKEN: ""
ai-service.secret.example.yaml
# Credentials for the Python AI service. It only needs the LLM key.
apiVersion: v1
kind: Secret
metadata:
name: zenintel-ai-service-secret
namespace: zenintel
type: Opaque
stringData:
LLM_API_KEY: ""
frontend.secret.example.yaml
# All env for the frontend in a single Secret.
apiVersion: v1
kind: Secret
metadata:
name: zenintel-frontend-secret
namespace: zenintel
type: Opaque
stringData:
BACKEND_URL: "http://backend:8080"
ARTICLE_BACKEND_URL: "https://articles.example.com"
NODE_ENV: "production"
  • DOMAIN: public hostname, must match the TLS certificate from DNS and TLS.
  • JWT_SECRET: unique per deployment.
  • DEFAULT_ADMIN_PASSWORD: change it from the shipped default.
  • LLM_API_KEY: the client’s own key or the Zentara Gateway. Without it, AI features cannot run.

The DATABASE_URL password must match the CloudNativePG credentials in data/postgres.yaml. Keep REDIS_PASSWORD and the RabbitMQ password in sync with their pods.

Integration keys use codenames rather than vendor brands, for example VIRUS_SCANNER_API_KEY and INTEL_SHARING_API_KEY. Only the LLM key is required. Every other integration is optional. See Enable integrations for the full list and the client-owned versus Zentara Gateway decision.