stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Resolve Concelier/Excititor merge conflicts

Browse Source
This commit is contained in:
root
2025-10-20 14:19:25 +03:00
parent 67d581d2e8 5fd4032c7c
commit 09b6a28172
2687 changed files with 212646 additions and 85913 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
etc/authority.yaml.sample
View File

@@ -1,90 +1,113 @@
# StellaOps Authority configuration template.
# Copy to ../etc/authority.yaml (relative to the Authority content root)
# and adjust values to fit your environment. Environment variables
# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
schemaVersion: 1
# Absolute issuer URI advertised to clients. Use HTTPS for anything
# beyond loopback development.
issuer: "https://authority.stella-ops.local"
# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"
# MongoDB storage connection details.
storage:
connectionString: "mongodb://localhost:27017/stellaops-authority"
# databaseName: "stellaops_authority"
commandTimeout: "00:00:30"
# Signing configuration for revocation bundles and JWKS.
signing:
enabled: true
activeKeyId: "authority-signing-2025-dev"
keyPath: "../certificates/authority-signing-2025-dev.pem"
algorithm: "ES256"
keySource: "file"
# provider: "default"
additionalKeys:
- keyId: "authority-signing-dev"
path: "../certificates/authority-signing-dev.pem"
source: "file"
# Rotation flow:
# 1. Generate a new PEM under ./certificates (e.g. authority-signing-2026-dev.pem).
# 2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
# ops/authority/key-rotation.sh) with the new keyId/keyPath.
# 3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
# so restarts retain retired material for JWKS consumers.
# Bootstrap administrative endpoints (initial provisioning).
bootstrap:
enabled: false
apiKey: "change-me"
defaultIdentityProvider: "standard"
# Directories scanned for Authority plug-ins. Relative paths resolve
# against the application content root, enabling air-gapped deployments
# that package plug-ins alongside binaries.
pluginDirectories:
- "../PluginBinaries/Authority"
# "/var/lib/stellaops/authority/plugins"
# Plug-in manifests live in descriptors below; per-plugin settings are stored
# in the configurationDirectory (YAML files). Authority will load any enabled
# plugins and surface their metadata/capabilities to the host.
plugins:
configurationDirectory: "../etc/authority.plugins"
descriptors:
standard:
type: "standard"
assemblyName: "StellaOps.Authority.Plugin.Standard"
enabled: true
configFile: "standard.yaml"
capabilities:
- password
- bootstrap
- clientProvisioning
metadata:
defaultRole: "operators"
# Example for an external identity provider plugin. Leave disabled unless
# the plug-in package exists under PluginBinaries/Authority.
ldap:
type: "ldap"
assemblyName: "StellaOps.Authority.Plugin.Ldap"
enabled: false
configFile: "ldap.yaml"
capabilities:
- password
- mfa
# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
# Keep the list tight: localhost is sufficient for most air-gapped installs.
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
# StellaOps Authority configuration template.
# Copy to ../etc/authority.yaml (relative to the Authority content root)
# and adjust values to fit your environment. Environment variables
# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
schemaVersion: 1
# Absolute issuer URI advertised to clients. Use HTTPS for anything
# beyond loopback development.
issuer: "https://authority.stella-ops.local"
# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"
# MongoDB storage connection details.
storage:
connectionString: "mongodb://localhost:27017/stellaops-authority"
# databaseName: "stellaops_authority"
commandTimeout: "00:00:30"
# Signing configuration for revocation bundles and JWKS.
signing:
enabled: true
activeKeyId: "authority-signing-2025-dev"
keyPath: "../certificates/authority-signing-2025-dev.pem"
algorithm: "ES256"
keySource: "file"
# provider: "default"
additionalKeys:
- keyId: "authority-signing-dev"
path: "../certificates/authority-signing-dev.pem"
source: "file"
# Rotation flow:
# 1. Generate a new PEM under ./certificates (e.g. authority-signing-2026-dev.pem).
# 2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
# ops/authority/key-rotation.sh) with the new keyId/keyPath.
# 3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
# so restarts retain retired material for JWKS consumers.
# Bootstrap administrative endpoints (initial provisioning).
bootstrap:
enabled: false
apiKey: "change-me"
defaultIdentityProvider: "standard"
# Directories scanned for Authority plug-ins. Relative paths resolve
# against the application content root, enabling air-gapped deployments
# that package plug-ins alongside binaries.
pluginDirectories:
- "../StellaOps.Authority.PluginBinaries"
# "/var/lib/stellaops/authority/plugins"
# Plug-in manifests live in descriptors below; per-plugin settings are stored
# in the configurationDirectory (YAML files). Authority will load any enabled
# plugins and surface their metadata/capabilities to the host.
plugins:
configurationDirectory: "../etc/authority.plugins"
descriptors:
standard:
type: "standard"
assemblyName: "StellaOps.Authority.Plugin.Standard"
enabled: true
configFile: "standard.yaml"
capabilities:
- password
- bootstrap
- clientProvisioning
metadata:
defaultRole: "operators"
# Example for an external identity provider plugin. Leave disabled unless
# the plug-in package exists under StellaOps.Authority.PluginBinaries.
ldap:
type: "ldap"
assemblyName: "StellaOps.Authority.Plugin.Ldap"
enabled: false
configFile: "ldap.yaml"
capabilities:
- password
- mfa
# OAuth client registrations issued by Authority. These examples cover Notify WebService
# in dev (notify.dev audience) and production (notify audience). Replace the secret files
# with paths to your sealed credentials before enabling bootstrap mode.
clients:
- clientId: "notify-web-dev"
displayName: "Notify WebService (dev)"
grantTypes: [ "client_credentials" ]
audiences: [ "notify.dev" ]
scopes: [ "notify.read", "notify.admin" ]
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/notify-web-dev.secret"
- clientId: "notify-web"
displayName: "Notify WebService"
grantTypes: [ "client_credentials" ]
audiences: [ "notify" ]
scopes: [ "notify.read", "notify.admin" ]
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/notify-web.secret"
# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
# Keep the list tight: localhost is sufficient for most air-gapped installs.
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"

210
etc/feedser.yaml.sample → etc/concelier.yaml.sample
View File

@@ -1,97 +1,113 @@
# Feedser configuration template for StellaOps deployments.
# Copy to ../etc/feedser.yaml (relative to the web service content root)
# and adjust the values to match your environment. Environment variables
# (prefixed with FEEDSER_) override these settings at runtime.
storage:
driver: mongo
# Mongo connection string. Use SRV URI or standard connection string.
dsn: "mongodb://feedser:feedser@mongo:27017/feedser?authSource=admin"
# Optional database name; defaults to the name embedded in the DSN or 'feedser'.
database: "feedser"
# Mongo command timeout in seconds.
commandTimeoutSeconds: 30
plugins:
# Feedser resolves plug-ins relative to the content root; override as needed.
baseDirectory: ".."
directory: "PluginBinaries"
searchPatterns:
- "StellaOps.Feedser.Plugin.*.dll"
telemetry:
enabled: true
enableTracing: false
enableMetrics: false
enableLogging: true
minimumLogLevel: "Information"
serviceName: "stellaops-feedser"
# Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
otlpEndpoint: ""
# Optional headers for OTLP exporters, for example authentication tokens.
otlpHeaders: {}
# Attach additional resource attributes to telemetry exports.
resourceAttributes:
deployment.environment: "local"
# Emit console exporters for local debugging.
exportConsole: true
authority:
enabled: false
# Temporary rollout flag. When true, Feedser logs anonymous access but does not fail requests
# without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
allowAnonymousFallback: true
# Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
issuer: "https://authority.stella-ops.local"
# Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
metadataAddress: ""
requireHttpsMetadata: true
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- "api://feedser"
requiredScopes:
- "feedser.jobs.trigger"
# Outbound credentials Feedser can use to call Authority (client credentials flow).
clientId: "feedser-jobs"
# Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
clientSecret: ""
clientSecretFile: ""
clientScopes:
- "feedser.jobs.trigger"
resilience:
# Enable deterministic retry/backoff when Authority is briefly unavailable.
enableRetries: true
retryDelays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Allow stale discovery/JWKS responses when Authority is offline (extend tolerance as needed for air-gapped mirrors).
allowOfflineCacheFallback: true
offlineCacheTolerance: "00:10:00"
# Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
sources:
ghsa:
apiToken: "${GITHUB_PAT}"
pageSize: 50
maxPagesPerFetch: 5
requestDelay: "00:00:00.200"
failureBackoff: "00:05:00"
rateLimitWarningThreshold: 500
secondaryRateLimitBackoff: "00:02:00"
cve:
baseEndpoint: "https://cveawg.mitre.org/api/"
apiOrg: ""
apiUser: ""
apiKey: ""
# Optional mirror used when credentials are unavailable.
seedDirectory: "./seed-data/cve"
pageSize: 200
maxPagesPerFetch: 5
initialBackfill: "30.00:00:00"
requestDelay: "00:00:00.250"
failureBackoff: "00:10:00"
# Concelier configuration template for StellaOps deployments.
# Copy to ../etc/concelier.yaml (relative to the web service content root)
# and adjust the values to match your environment. Environment variables
# (prefixed with CONCELIER_) override these settings at runtime.
storage:
driver: mongo
# Mongo connection string. Use SRV URI or standard connection string.
dsn: "mongodb://concelier:concelier@mongo:27017/concelier?authSource=admin"
# Optional database name; defaults to the name embedded in the DSN or 'concelier'.
database: "concelier"
# Mongo command timeout in seconds.
commandTimeoutSeconds: 30
plugins:
# Concelier resolves plug-ins relative to the content root; override as needed.
baseDirectory: ".."
directory: "StellaOps.Concelier.PluginBinaries"
searchPatterns:
- "StellaOps.Concelier.Plugin.*.dll"
telemetry:
enabled: true
enableTracing: false
enableMetrics: false
enableLogging: true
minimumLogLevel: "Information"
serviceName: "stellaops-concelier"
# Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
otlpEndpoint: ""
# Optional headers for OTLP exporters, for example authentication tokens.
otlpHeaders: {}
# Attach additional resource attributes to telemetry exports.
resourceAttributes:
deployment.environment: "local"
# Emit console exporters for local debugging.
exportConsole: true
authority:
enabled: false
# Temporary rollout flag. When true, Concelier logs anonymous access but does not fail requests
# without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
allowAnonymousFallback: true
# Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
issuer: "https://authority.stella-ops.local"
# Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
metadataAddress: ""
requireHttpsMetadata: true
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- "api://concelier"
requiredScopes:
- "concelier.jobs.trigger"
# Outbound credentials Concelier can use to call Authority (client credentials flow).
clientId: "concelier-jobs"
# Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
clientSecret: ""
clientSecretFile: ""
clientScopes:
- "concelier.jobs.trigger"
resilience:
# Enable deterministic retry/backoff when Authority is briefly unavailable.
enableRetries: true
retryDelays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Allow stale discovery/JWKS responses when Authority is offline (extend tolerance as needed for air-gapped mirrors).
allowOfflineCacheFallback: true
offlineCacheTolerance: "00:10:00"
# Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
mirror:
enabled: false
# Directory containing JSON exporter outputs (absolute or relative to content root).
exportRoot: "exports/json"
# Optional explicit export identifier; defaults to `latest` symlink or most recent export.
activeExportId: ""
latestDirectoryName: "latest"
mirrorDirectoryName: "mirror"
requireAuthentication: false
maxIndexRequestsPerHour: 600
domains:
- id: "primary"
displayName: "Primary Mirror"
requireAuthentication: false
maxDownloadRequestsPerHour: 1200
sources:
ghsa:
apiToken: "${GITHUB_PAT}"
pageSize: 50
maxPagesPerFetch: 5
requestDelay: "00:00:00.200"
failureBackoff: "00:05:00"
rateLimitWarningThreshold: 500
secondaryRateLimitBackoff: "00:02:00"
cve:
baseEndpoint: "https://cveawg.mitre.org/api/"
apiOrg: ""
apiUser: ""
apiKey: ""
# Optional mirror used when credentials are unavailable.
seedDirectory: "./seed-data/cve"
pageSize: 200
maxPagesPerFetch: 5
initialBackfill: "30.00:00:00"
requestDelay: "00:00:00.250"
failureBackoff: "00:10:00"

43
etc/notify.dev.yaml Normal file
View File

@@ -0,0 +1,43 @@
# Notify WebService configuration — development
storage:
driver: mongo
connectionString: "mongodb://notify-mongo.dev.svc.cluster.local:27017"
database: "stellaops_notify_dev"
commandTimeoutSeconds: 30
authority:
enabled: true
issuer: "https://authority.dev.stella-ops.local"
metadataAddress: "https://authority.dev.stella-ops.local/.well-known/openid-configuration"
requireHttpsMetadata: false
allowAnonymousFallback: false
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- notify.dev
readScope: notify.read
adminScope: notify.admin
api:
basePath: "/api/v1/notify"
internalBasePath: "/internal/notify"
tenantHeader: "X-StellaOps-Tenant"
plugins:
baseDirectory: "../"
directory: "plugins/notify"
searchPatterns:
- "StellaOps.Notify.Connectors.*.dll"
orderedPlugins:
- StellaOps.Notify.Connectors.Slack
- StellaOps.Notify.Connectors.Teams
- StellaOps.Notify.Connectors.Email
- StellaOps.Notify.Connectors.Webhook
telemetry:
enableRequestLogging: true
minimumLogLevel: Debug
# Development override: when the Authority service is not available, set
# authority.enabled: false and authority.developmentSigningKey to a 32+ byte secret.

40
etc/notify.prod.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Notify WebService configuration — production
storage:
driver: mongo
connectionString: "mongodb://notify-mongo.prod.svc.cluster.local:27017"
database: "stellaops_notify"
commandTimeoutSeconds: 60
authority:
enabled: true
issuer: "https://authority.stella-ops.org"
metadataAddress: "https://authority.stella-ops.org/.well-known/openid-configuration"
requireHttpsMetadata: true
allowAnonymousFallback: false
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- notify
readScope: notify.read
adminScope: notify.admin
api:
basePath: "/api/v1/notify"
internalBasePath: "/internal/notify"
tenantHeader: "X-StellaOps-Tenant"
plugins:
baseDirectory: "/var/opt/stellaops"
directory: "plugins/notify"
searchPatterns:
- "StellaOps.Notify.Connectors.*.dll"
orderedPlugins:
- StellaOps.Notify.Connectors.Slack
- StellaOps.Notify.Connectors.Teams
- StellaOps.Notify.Connectors.Email
- StellaOps.Notify.Connectors.Webhook
telemetry:
enableRequestLogging: true
minimumLogLevel: Warning

40
etc/notify.stage.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Notify WebService configuration — staging
storage:
driver: mongo
connectionString: "mongodb://notify-mongo.stage.svc.cluster.local:27017"
database: "stellaops_notify_stage"
commandTimeoutSeconds: 45
authority:
enabled: true
issuer: "https://authority.stage.stella-ops.org"
metadataAddress: "https://authority.stage.stella-ops.org/.well-known/openid-configuration"
requireHttpsMetadata: true
allowAnonymousFallback: false
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- notify
readScope: notify.read
adminScope: notify.admin
api:
basePath: "/api/v1/notify"
internalBasePath: "/internal/notify"
tenantHeader: "X-StellaOps-Tenant"
plugins:
baseDirectory: "/opt/stellaops"
directory: "plugins/notify"
searchPatterns:
- "StellaOps.Notify.Connectors.*.dll"
orderedPlugins:
- StellaOps.Notify.Connectors.Slack
- StellaOps.Notify.Connectors.Teams
- StellaOps.Notify.Connectors.Email
- StellaOps.Notify.Connectors.Webhook
telemetry:
enableRequestLogging: true
minimumLogLevel: Information

59
etc/notify.yaml.sample Normal file
View File

@@ -0,0 +1,59 @@
# Notify WebService sample configuration
storage:
# Use "mongo" for production deployments; set to "memory" only for tests/dev harnesses.
driver: mongo
connectionString: "mongodb://localhost:27017"
database: "stellaops_notify"
commandTimeoutSeconds: 30
authority:
enabled: true
issuer: "https://authority.stella-ops.local"
metadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
requireHttpsMetadata: true
allowAnonymousFallback: false
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- notify
readScope: notify.read
adminScope: notify.admin
api:
basePath: "/api/v1/notify"
internalBasePath: "/internal/notify"
tenantHeader: "X-StellaOps-Tenant"
rateLimits:
deliveryHistory:
enabled: true
tokenLimit: 60
tokensPerPeriod: 30
replenishmentPeriodSeconds: 60
queueLimit: 20
testSend:
enabled: true
tokenLimit: 5
tokensPerPeriod: 5
replenishmentPeriodSeconds: 60
queueLimit: 2
plugins:
baseDirectory: "../"
directory: "plugins/notify"
searchPatterns:
- "StellaOps.Notify.Connectors.*.dll"
orderedPlugins:
- StellaOps.Notify.Connectors.Slack
- StellaOps.Notify.Connectors.Teams
- StellaOps.Notify.Connectors.Email
- StellaOps.Notify.Connectors.Webhook
telemetry:
enableRequestLogging: true
minimumLogLevel: Information
# When running in development without Authority, set the following instead:
# authority:
# enabled: false
# developmentSigningKey: "change-me-32-bytes-minimum-signing-key"

0
etc/secrets/.gitkeep Normal file
View File

3
etc/secrets/notify-web-dev.secret.example Normal file
View File

@@ -0,0 +1,3 @@
# Replace this file with the actual client secret for the notify-web-dev Authority client.
# Store the secret with restrictive permissions (chmod 600) and mount/read-only in deployments.
NOTIFY_WEB_DEV_CLIENT_SECRET=change-me-dev

3
etc/secrets/notify-web.secret.example Normal file
View File

@@ -0,0 +1,3 @@
# Replace this file with the production client secret for the notify-web Authority client.
# Keep outside source control and mount via secrets manager in Kubernetes/offline kit bundles.
NOTIFY_WEB_CLIENT_SECRET=change-me-prod