feat: Implement air-gap functionality with timeline impact and evidence snapshot services

- Added AirgapTimelineImpact, AirgapTimelineImpactInput, and AirgapTimelineImpactResult records for managing air-gap bundle import impacts. - Introduced EvidenceSnapshotRecord, EvidenceSnapshotLinkInput, and EvidenceSnapshotLinkResult records for linking findings to evidence snapshots. - Created IEvidenceSnapshotRepository interface for managing evidence snapshot records. - Developed StalenessValidationService to validate staleness and enforce freshness thresholds. - Implemented AirgapTimelineService for emitting timeline events related to bundle imports. - Added EvidenceSnapshotService for linking findings to evidence snapshots and verifying their validity. - Introduced AirGapOptions for configuring air-gap staleness enforcement and thresholds. - Added minimal jsPDF stub for offline/testing builds in the web application. - Created TypeScript definitions for jsPDF to enhance type safety in the web application.
2025-12-06 01:30:08 +02:00
parent 6c1177a6ce
commit 2eaf0f699b
144 changed files with 7578 additions and 2581 deletions
--- a/deploy/helm/stellaops/templates/core.yaml
+++ b/deploy/helm/stellaops/templates/core.yaml
@@ -19,18 +19,30 @@ spec:
  selector:
    matchLabels:
      {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 8 }}
-      annotations:
-        stellaops.release/version: {{ $root.Values.global.release.version | quote }}
-        stellaops.release/channel: {{ $root.Values.global.release.channel | quote }}
-    spec:
-      containers:
-        - name: {{ $name }}
-          image: {{ $svc.image | quote }}
-          imagePullPolicy: {{ default $root.Values.global.image.pullPolicy $svc.imagePullPolicy }}
+  template:
+    metadata:
+      labels:
+        {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 8 }}
+      {{- if $svc.podAnnotations }}
+      annotations:
+{{ toYaml $svc.podAnnotations | nindent 8 }}
+      {{- end }}
+      annotations:
+        stellaops.release/version: {{ $root.Values.global.release.version | quote }}
+        stellaops.release/channel: {{ $root.Values.global.release.channel | quote }}
+    spec:
+      {{- if $svc.podSecurityContext }}
+      securityContext:
+{{ toYaml $svc.podSecurityContext | nindent 6 }}
+      {{- end }}
+      containers:
+        - name: {{ $name }}
+          image: {{ $svc.image | quote }}
+          imagePullPolicy: {{ default $root.Values.global.image.pullPolicy $svc.imagePullPolicy }}
+{{- if $svc.securityContext }}
+          securityContext:
+{{ toYaml $svc.securityContext | nindent 12 }}
+{{- end }}
 {{- if $svc.command }}
          command:
 {{- range $cmd := $svc.command }}
@@ -81,10 +93,18 @@ spec:
              containerPort: {{ default (index $svcService "port") (index $svcService "targetPort") }}
              protocol: {{ default "TCP" (index $svcService "protocol") }}
 {{- end }}
-{{- if $svc.resources }}
-          resources:
-{{ toYaml $svc.resources | nindent 12 }}
-{{- end }}
+{{- if $svc.resources }}
+          resources:
+{{ toYaml $svc.resources | nindent 12 }}
+{{- end }}
+{{- if $svc.securityContext }}
+          securityContext:
+{{ toYaml $svc.securityContext | nindent 12 }}
+{{- end }}
+{{- if $svc.securityContext }}
+          securityContext:
+{{ toYaml $svc.securityContext | nindent 12 }}
+{{- end }}
 {{- if $svc.livenessProbe }}
          livenessProbe:
 {{ toYaml $svc.livenessProbe | nindent 12 }}
@@ -148,13 +168,32 @@ spec:
      affinity:
 {{ toYaml $svc.affinity | nindent 8 }}
      {{- end }}
-      {{- if $svc.tolerations }}
-      tolerations:
-{{ toYaml $svc.tolerations | nindent 8 }}
-      {{- end }}
---
-{{- if $svc.service }}
-apiVersion: v1
+{{- if $svc.tolerations }}
+      tolerations:
+{{ toYaml $svc.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if $svc.pdb }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+spec:
+  {{- if $svc.pdb.minAvailable }}
+  minAvailable: {{ $svc.pdb.minAvailable }}
+  {{- end }}
+  {{- if $svc.pdb.maxUnavailable }}
+  maxUnavailable: {{ $svc.pdb.maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 6 }}
+      {{- end }}
+---
+{{- if $svc.service }}
+apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
--- a/deploy/helm/stellaops/templates/externalsecrets.yaml
+++ b/deploy/helm/stellaops/templates/externalsecrets.yaml
@@ -0,0 +1,28 @@
+{{- if and .Values.externalSecrets.enabled .Values.externalSecrets.secrets }}
+{{- range $secret := .Values.externalSecrets.secrets }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "stellaops.fullname" $ }}-{{ $secret.name }}
+  labels:
+    {{- include "stellaops.labels" $ | nindent 4 }}
+spec:
+  refreshInterval: {{ default "1h" $secret.refreshInterval }}
+  secretStoreRef:
+    name: {{ $secret.storeRef.name }}
+    kind: {{ default "ClusterSecretStore" $secret.storeRef.kind }}
+  target:
+    name: {{ $secret.target.name | default (printf "%s-%s" (include "stellaops.fullname" $) $secret.name) }}
+    creationPolicy: {{ default "Owner" $secret.target.creationPolicy }}
+  data:
+    {{- range $secret.data }}
+    - secretKey: {{ .key }}
+      remoteRef:
+        key: {{ .remoteKey }}
+        {{- if .property }}
+        property: {{ .property }}
+        {{- end }}
+    {{- end }}
+---
+{{- end }}
+{{- end }}
--- a/deploy/helm/stellaops/templates/ingress.yaml
+++ b/deploy/helm/stellaops/templates/ingress.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.ingress.enabled .Values.ingress.hosts }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "stellaops.fullname" . }}
+  labels:
+    {{- include "stellaops.labels" . | nindent 4 }}
+  annotations:
+    {{- range $k, $v := .Values.ingress.annotations }}
+    {{ $k }}: {{ $v | quote }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className | default "nginx" | quote }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts: {{ toYaml .hosts | nindent 6 }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host }}
+      http:
+        paths:
+          - path: {{ .path | default "/" }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "stellaops.fullname" $ }}-gateway
+                port:
+                  number: {{ .servicePort | default 80 }}
+    {{- end }}
+{{- end }}
--- a/deploy/helm/stellaops/templates/migrations.yaml
+++ b/deploy/helm/stellaops/templates/migrations.yaml
@@ -0,0 +1,50 @@
+{{- if and .Values.migrations.enabled .Values.migrations.jobs }}
+{{- range $job := .Values.migrations.jobs }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "stellaops.fullname" $ }}-migration-{{ $job.name | trunc 30 | trimSuffix "-" }}
+  labels:
+    {{- include "stellaops.labels" $ | nindent 4 }}
+    stellaops.io/component: migration
+    stellaops.io/migration-name: {{ $job.name | quote }}
+spec:
+  backoffLimit: {{ default 3 $job.backoffLimit }}
+  ttlSecondsAfterFinished: {{ default 3600 $job.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "stellaops.selectorLabels" $ | nindent 8 }}
+        stellaops.io/component: migration
+        stellaops.io/migration-name: {{ $job.name | quote }}
+    spec:
+      restartPolicy: {{ default "Never" $job.restartPolicy }}
+      serviceAccountName: {{ default "default" $job.serviceAccountName }}
+      containers:
+        - name: {{ $job.name | trunc 50 | trimSuffix "-" }}
+          image: {{ $job.image | quote }}
+          imagePullPolicy: {{ default "IfNotPresent" $job.imagePullPolicy }}
+          command: {{- if $job.command }} {{ toJson $job.command }} {{- else }} null {{- end }}
+          args: {{- if $job.args }} {{ toJson $job.args }} {{- else }} null {{- end }}
+          env:
+            {{- if $job.env }}
+            {{- range $k, $v := $job.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
+            {{- end }}
+          envFrom:
+            {{- if $job.envFrom }}
+            {{- toYaml $job.envFrom | nindent 12 }}
+            {{- end }}
+          resources:
+            {{- if $job.resources }}
+            {{- toYaml $job.resources | nindent 12 }}
+            {{- else }}{}
+            {{- end }}
+      imagePullSecrets:
+        {{- if $.Values.global.image.pullSecrets }}
+        {{- toYaml $.Values.global.image.pullSecrets | nindent 8 }}
+        {{- end }}
+{{- end }}
+{{- end }}
--- a/deploy/helm/stellaops/templates/networkpolicy.yaml
+++ b/deploy/helm/stellaops/templates/networkpolicy.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "stellaops.fullname" . }}-default
+  labels:
+    {{- include "stellaops.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "stellaops.selectorLabelsRoot" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        {{- if .Values.networkPolicy.ingressNamespaces }}
+        - namespaceSelector:
+            matchLabels:
+              {{- toYaml .Values.networkPolicy.ingressNamespaces | nindent 14 }}
+        {{- end }}
+        {{- if .Values.networkPolicy.ingressPods }}
+        - podSelector:
+            matchLabels:
+              {{- toYaml .Values.networkPolicy.ingressPods | nindent 14 }}
+        {{- end }}
+      ports:
+        - protocol: TCP
+          port: {{ default 80 .Values.networkPolicy.ingressPort }}
+  egress:
+    - to:
+        {{- if .Values.networkPolicy.egressNamespaces }}
+        - namespaceSelector:
+            matchLabels:
+              {{- toYaml .Values.networkPolicy.egressNamespaces | nindent 14 }}
+        {{- end }}
+        {{- if .Values.networkPolicy.egressPods }}
+        - podSelector:
+            matchLabels:
+              {{- toYaml .Values.networkPolicy.egressPods | nindent 14 }}
+        {{- end }}
+      ports:
+        - protocol: TCP
+          port: {{ default 443 .Values.networkPolicy.egressPort }}
+{{- end }}
--- a/deploy/helm/stellaops/values-airgap.yaml
+++ b/deploy/helm/stellaops/values-airgap.yaml
@@ -9,6 +9,30 @@ global:
  labels:
    stellaops.io/channel: airgap

+migrations:
+  enabled: false
+  jobs: []
+
+networkPolicy:
+  enabled: true
+  ingressPort: 8443
+  egressPort: 443
+  ingressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+  egressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+
+ingress:
+  enabled: false
+  className: nginx
+  annotations: {}
+  hosts: []
+  tls: []
+
+externalSecrets:
+  enabled: false
+  secrets: []
+
 configMaps:
  notify-config:
    data:
--- a/deploy/helm/stellaops/values-prod.yaml
+++ b/deploy/helm/stellaops/values-prod.yaml
@@ -10,6 +10,51 @@ global:
    stellaops.io/channel: stable
    stellaops.io/profile: prod

+# Migration jobs for controlled rollouts (disabled by default)
+migrations:
+  enabled: false
+  jobs: []
+
+networkPolicy:
+  enabled: true
+  ingressPort: 8443
+  egressPort: 443
+  ingressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+  egressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  hosts:
+    - host: gateway.prod.stella-ops.org
+      path: /
+      servicePort: 80
+  tls:
+    - secretName: stellaops-prod-tls
+      hosts:
+        - gateway.prod.stella-ops.org
+
+externalSecrets:
+  enabled: true
+  secrets:
+    - name: core-secrets
+      storeRef:
+        name: stellaops-secret-store
+        kind: ClusterSecretStore
+      target:
+        name: stellaops-prod-core
+      data:
+        - key: STELLAOPS_AUTHORITY__JWT__SIGNINGKEY
+          remoteKey: prod/authority/jwt-signing-key
+        - key: STELLAOPS_SECRETS_ENCRYPTION_KEY
+          remoteKey: prod/core/secrets-encryption-key
+
 configMaps:
  notify-config:
    data:
--- a/deploy/helm/stellaops/values.yaml
+++ b/deploy/helm/stellaops/values.yaml
@@ -8,6 +8,30 @@ global:
    pullPolicy: IfNotPresent
  labels: {}

+migrations:
+  enabled: false
+  jobs: []
+
+networkPolicy:
+  enabled: false
+  ingressPort: 80
+  egressPort: 443
+  ingressNamespaces: {}
+  ingressPods: {}
+  egressNamespaces: {}
+  egressPods: {}
+
+ingress:
+  enabled: false
+  className: nginx
+  annotations: {}
+  hosts: []
+  tls: []
+
+externalSecrets:
+  enabled: false
+  secrets: []
+
 # Surface.Env configuration for Scanner/Zastava components
 # See docs/modules/scanner/design/surface-env.md for details
 surface: