up

2025-11-28 09:40:40 +02:00
parent 1c6730a1d2
commit 05da719048
206 changed files with 34741 additions and 1751 deletions
--- a/deploy/helm/stellaops/values.yaml
+++ b/deploy/helm/stellaops/values.yaml
@@ -1,13 +1,57 @@
-global:
-  release:
-    version: ""
-    channel: ""
-    manifestSha256: ""
-  profile: ""
-  image:
-    pullPolicy: IfNotPresent
-  labels: {}
-
+global:
+  release:
+    version: ""
+    channel: ""
+    manifestSha256: ""
+  profile: ""
+  image:
+    pullPolicy: IfNotPresent
+  labels: {}
+
+# Surface.Env configuration for Scanner/Zastava components
+# See docs/modules/scanner/design/surface-env.md for details
+surface:
+  # Surface.FS storage configuration
+  fs:
+    # Base URI for Surface.FS / RustFS / S3-compatible store (required)
+    endpoint: ""
+    # Bucket/container for manifests and artefacts
+    bucket: "surface-cache"
+    # Optional region for S3-compatible stores (AWS/GCS)
+    region: ""
+  # Local cache configuration
+  cache:
+    # Local directory for warm caches
+    root: "/var/lib/stellaops/surface"
+    # Soft limit for on-disk cache usage in MB (64-262144)
+    quotaMb: 4096
+    # Enable manifest prefetch threads
+    prefetchEnabled: false
+  # Tenant configuration
+  tenant: "default"
+  # Comma-separated feature switches
+  features: ""
+  # TLS configuration for client authentication
+  tls:
+    # Path to PEM/PKCS#12 certificate file
+    certPath: ""
+    # Optional private key path when cert/key stored separately
+    keyPath: ""
+    # Secret name containing TLS cert/key
+    secretName: ""
+  # Secrets provider configuration
+  secrets:
+    # Provider ID: kubernetes, file, inline
+    provider: "kubernetes"
+    # Kubernetes namespace for secrets provider
+    namespace: ""
+    # Path or base for file provider
+    root: ""
+    # Optional fallback provider ID
+    fallbackProvider: ""
+    # Allow inline secrets (disable in production)
+    allowInline: false
+
 telemetry:
  collector:
    enabled: false
@@ -35,6 +79,25 @@ telemetry:
    resources: {}

 configMaps:
+  # Surface.Env environment variables for Scanner/Zastava components
+  surface-env:
+    data:
+      SCANNER_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
+      SCANNER_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
+      SCANNER_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
+      SCANNER_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
+      SCANNER_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
+      SCANNER_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
+      SCANNER_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
+      SCANNER_SURFACE_FEATURES: "{{ .Values.surface.features }}"
+      SCANNER_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
+      SCANNER_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
+      SCANNER_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
+      SCANNER_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
+      SCANNER_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
+      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
+      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
+
  issuer-directory-config:
    data:
      issuer-directory.yaml: |