openvas
| Field | Value |
| --- | --- |
| Service | openvas |
| Purpose | Vulnerability scanning and security assessment platform |
| Criticality | Tier 2 |
| Owner | Platform / Security owner |
| Clusters | homelab |
| Namespace | openvas |
| Exposure | internet |
| Stateful | yes |
| Backup class | snapshot |
| RPO / RTO | Daily backup target, 4 to 8 hours to restore |
| Last reviewed | 2026-05-20 |
1. Service Overview
OpenVAS packages the Greenbone Community Edition scanner stack with feeds, PostgreSQL, Redis, and external HTTPS access.
Summary
If it fails, vulnerability scanning and assessment workflows stop and feed state may need recovery.
Dependencies
| Dependency | Type | Why it matters |
| --- | --- | --- |
| PostgreSQL | database | Stores scanner metadata and platform state |
| Redis | queue / runtime | Required by the scanner stack |
| Traefik | ingress | Exposes the Greenbone UI |
2. Architecture Diagram
[Browser]
-> [Traefik]
-> [Greenbone UI and manager]
-> [Scanner components]
-> [PostgreSQL / Redis / PVC-backed feeds]
3. Deployment Specifications
| Item | Value |
| --- | --- |
| Source path | openvas/base and openvas/overlays/homelab |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | openvas |
| Workload kind | Multiple Deployments, StatefulSet, and CronJob |
| Chart or image version | See base manifests for current image tags |
| Config files | base/kustomization.yaml, overlays/homelab/kustomization.yaml, fleet.yaml |
Cluster mapping
| Cluster | Overlay path | Notes |
| --- | --- | --- |
| homelab | openvas/overlays/homelab | Current homelab deployment |
4. Configuration Guide
Environment variables
| Variable | Source | Purpose | Secret? |
| --- | --- | --- | --- |
| Greenbone runtime settings | base manifests, overlays, and secrets | Configure feeds, DB connectivity, and UI behavior | mixed |
ConfigMaps
| Resource | Path | Purpose |
| --- | --- | --- |
| Kustomize-managed runtime config | openvas/base and openvas/overlays/homelab | Controls the multi-component deployment |
Secrets management
- Secret names: DB credentials, feed credentials, and runtime secrets in the openvas namespace
- Source of truth: overlay secret inputs and generated manifests
- Rotation trigger: security response, credential rotation, or feed endpoint changes
- Recovery note: restore all service secrets before restarting the scanner stack
5. Access Protocols
| Path | URL or endpoint | Audience | Auth | TLS terminates at |
| --- | --- | --- | --- | --- |
| Internal | Services inside the openvas namespace | Cluster workloads | namespace RBAC | Traefik / service |
| External | https://openvas.mutana.fr | Operators and security users | OpenVAS auth | Traefik |
6. Operations and Observability
- Primary health indicators: UI reachable, feeds updated, scanner pods healthy, and DB responsive.
- Dashboards or alerts: shared monitoring plus CronJob and pod health.
- Log locations: OpenVAS manager, scanner, Redis, and PostgreSQL logs.
- Known failure modes: stale feeds, PVC issues, DB startup failures, and ingress drift.
7. Backup and Recovery Notes
- Backup method: PostgreSQL backup plus PVC snapshot for feed and scanner data.
- Restore prerequisites: restored DB state, feed data, and runtime secrets.
- Related runbook: ../runbooks/openvas.md
8. Release and Change Notes
- Current deployed app version: see openvas/base image tags.
- Current chart version: N/A.
- Last significant change: Greenbone Community Edition manifests introduced and documented under the homelab overlay.
- Rollback reference: previous overlay revision in Git.