openvas

Metadata

| Field | Value |
|---|---|
| Service | openvas |
| Purpose | Vulnerability scanning and security assessment platform |
| Criticality | Tier 2 |
| Owner | Platform / Security owner |
| Clusters | homelab |
| Namespace | openvas |
| Exposure | internet |
| Stateful | yes |
| Backup class | snapshot |
| RPO / RTO | Daily backup target, 4 to 8 hours to restore |
| Last reviewed | 2026-05-20 |

1. Service Overview

OpenVAS packages the Greenbone Community Edition scanner stack with feeds, PostgreSQL, Redis, and external HTTPS access.

Summary

If it fails, vulnerability scanning and assessment workflows stop and feed state may need recovery.

Dependencies

| Dependency | Type | Why it matters |
|---|---|---|
| PostgreSQL | database | Stores scanner metadata and platform state |
| Redis | queue / runtime | Required by the scanner stack |
| Traefik | ingress | Exposes the Greenbone UI |

2. Architecture Diagram

[Browser]
  -> [Traefik]
  -> [Greenbone UI and manager]
  -> [Scanner components]
  -> [PostgreSQL / Redis / PVC-backed feeds]

3. Deployment Specifications

| Item | Value |
|---|---|
| Source path | openvas/base and openvas/overlays/homelab |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | openvas |
| Workload kind | Multiple Deployments, StatefulSet, and CronJob |
| Chart or image version | See base manifests for current image tags |
| Config files | base/kustomization.yaml, overlays/homelab/kustomization.yaml, fleet.yaml |

Cluster mapping

| Cluster | Overlay path | Notes |
|---|---|---|
| homelab | openvas/overlays/homelab | Current homelab deployment |

4. Configuration Guide

Environment variables

| Variable | Source | Purpose | Secret? |
|---|---|---|---|
| Greenbone runtime settings | base manifests, overlays, and secrets | Configure feeds, DB connectivity, and UI behavior | mixed |

ConfigMaps

| Resource | Path | Purpose |
|---|---|---|
| Kustomize-managed runtime config | openvas/base and openvas/overlays/homelab | Controls the multi-component deployment |

Secrets management

  • Secret names: DB credentials, feed credentials, and runtime secrets in the openvas namespace
  • Source of truth: overlay secret inputs and generated manifests
  • Rotation trigger: security response, credential rotation, or feed endpoint changes
  • Recovery note: restore all service secrets before restarting the scanner stack

5. Access Protocols

| Path | URL or endpoint | Audience | Auth | TLS terminates at |
|---|---|---|---|---|
| Internal | Services inside the openvas namespace | Cluster workloads | namespace RBAC | Traefik / service |
| External | https://openvas.mutana.fr | Operators and security users | OpenVAS auth | Traefik |

6. Operations and Observability

  • Primary health indicators: UI reachable, feeds updated, scanner pods healthy, and DB responsive.
  • Dashboards or alerts: shared monitoring plus CronJob and pod health.
  • Log locations: OpenVAS manager, scanner, Redis, and PostgreSQL logs.
  • Known failure modes: stale feeds, PVC issues, DB startup failures, and ingress drift.

7. Backup and Recovery Notes

  • Backup method: PostgreSQL backup plus PVC snapshot for feed and scanner data.
  • Restore prerequisites: restored DB state, feed data, and runtime secrets.
  • Related runbook: ../runbooks/openvas.md

8. Release and Change Notes

  • Current deployed app version: see openvas/base image tags.
  • Current chart version: N/A.
  • Last significant change: Greenbone Community Edition manifests introduced and documented under the homelab overlay.
  • Rollback reference: previous overlay revision in Git.