compose and authority fixes. finish sprints.

This commit is contained in:
master
2026-02-17 21:59:47 +02:00
parent fb46a927ad
commit 49cdebe2f1
187 changed files with 23189 additions and 1439 deletions


@@ -31,7 +31,7 @@ RUSTFS_HTTP_PORT=8080
# =============================================================================
# Authority (OAuth2/OIDC)
AUTHORITY_ISSUER=https://authority.stella-ops.local
AUTHORITY_ISSUER=https://authority.stella-ops.local/
AUTHORITY_PORT=8440
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
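Review bot: The new `AUTHORITY_ISSUER` value ends in `/`, but the compose fallback visible later in this commit, `${AUTHORITY_ISSUER:-http://authority.stella-ops.local}`, is still plain `http` with no trailing slash. Issuer validation compares the `iss` claim as an exact string, so a stack started without this env file would presumably mint tokens that none of the services pinned to `https://authority.stella-ops.local/` accept. I would align the fallback, `STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-https://authority.stella-ops.local/}"`, and add a comment above this variable such as `# Must match the iss claim exactly, including scheme and trailing slash`.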


@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVjCCAj6gAwIBAgIUFdSu0cveQ9JuE2a+AzpO3utUdtowDQYJKoZIhvcNAQEL
BQAwGzEZMBcGA1UEAwwQc3RlbGxhLW9wcy5sb2NhbDAeFw0yNjAyMTUxMjU1MTZa
Fw0yNzAyMTUxMjU1MTZaMBsxGTAXBgNVBAMMEHN0ZWxsYS1vcHMubG9jYWwwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChWrG9mv+gON1MnCdsv4bJV5Pd
Feham3Qm3ReYEmQNJxhec7nMZ0Sj2tn3/8YUzIGMwuyOt4oBHHyUgjd/Eja099VP
I3R6rehrNDA0nud1iomxwsyeRiVAd+Jiq7LPyuV2+OUffldkn+iUDjUPihiuz7mW
uvWznRe04PW1KRg9N65KCGrf1caT4UOGCaioyDAnUGJ/lJFmRbSp67lkQE0+1Tau
K9+j3FOETwo63oXD8yiFuAWxOq8gx2/XrYy9HK8VvQDMH87A8H1jBQi5GXr1vAVN
iOm3J0xECqvX8ET+30iM/oQ5nrS8G7w5bhHN9FCWvaEjBQtOzYgtcAS01e+dAgMB
AAGjgZEwgY4wHQYDVR0OBBYEFKgKfOkmKWdl2o7wDHzqmYhcAXoeMB8GA1UdIwQY
MBaAFKgKfOkmKWdl2o7wDHzqmYhcAXoeMA8GA1UdEwEB/wQFMAMBAf8wOwYDVR0R
BDQwMoIQc3RlbGxhLW9wcy5sb2NhbIISKi5zdGVsbGEtb3BzLmxvY2FshwR/AQAB
hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBNU1kWpS8Y80hY6bPfdgR10TEzS2eD
9ThHXQ5xomw1rbPdcSBebSTtg2nwpXmuLJTC512GCx0BjYP11Ww6pOfVrL/TZJBm
Cc1OKikWIsBmz4fa5un15XktcxMHiOy8InmykMP/p8Xox4j1nCuYpweApK86gFfa
TvelsNH849Lt3+6ykup29fPDDLMxYg0CH768DZccdfd9jU1piLelrsHeyrV9bV8d
PMe/Ue4c1FMm+usRPmD+Dl+Nt4sJrNed3+FEvJRQ9Rp4rahpludN7nlT2ONSxc71
GcPjtM31knasvEN7O/1uGTiKY9Db/erTDmAmoH5yTq0bZ4mtb07mWX/J
-----END CERTIFICATE-----



@@ -35,6 +35,9 @@ x-kestrel-cert: &kestrel-cert
x-cert-volume: &cert-volume
"../../etc/authority/keys:/app/etc/certs:ro"
x-ca-bundle: &ca-bundle
"./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro"
x-plugin-tmpfs: &plugin-tmpfs
/app/plugins:
mode: "1777"
@@ -235,9 +238,21 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Gateway__Auth__DpopEnabled: "false"
Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
Gateway__Auth__Authority__RequireHttpsMetadata: "false"
Gateway__Auth__Authority__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
# Audience validation disabled until authority includes aud in access tokens
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
Logging__LogLevel__StellaOps: "Debug"
volumes:
- *cert-volume
- console-dist:/app/wwwroot:ro
- ./router-gateway-local.json:/app/appsettings.local.json:ro
- ./envsettings-override.json:/app/envsettings-override.json:ro
- ./gateway-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
ports:
- "127.1.0.1:80:8080"
- "127.1.0.1:443:443"
@@ -263,14 +278,14 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Platform__Authority__Issuer: "https://stella-ops.local"
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
Platform__Authority__RequireHttpsMetadata: "false"
Platform__Authority__BypassNetworks__0: "172.19.0.0/16"
Platform__Storage__Driver: "postgres"
Platform__Storage__PostgresConnectionString: *postgres-connection
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
Platform__EnvironmentSettings__Scope: "openid profile email ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
@@ -317,6 +332,7 @@ services:
STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.3:80:80"
networks:
@@ -343,6 +359,8 @@ services:
ASPNETCORE_URLS: "http://+:8440"
Kestrel__Certificates__Default__Path: "/app/etc/authority/keys/kestrel-dev.pfx"
Kestrel__Certificates__Default__Password: "devpass"
STELLAOPS_DISABLE_TRANSPORT_SECURITY: "true"
STELLAOPS_AUTHORITY_AUTHORITY__ACCESSTOKENLIFETIME: "00:30:00"
STELLAOPS_AUTHORITY_AUTHORITY__SCHEMAVERSION: "1"
STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
STELLAOPS_AUTHORITY_AUTHORITY__STORAGE__CONNECTIONSTRING: *postgres-connection
@@ -387,10 +405,12 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Gateway__Auth__DpopEnabled: "false"
Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
Gateway__Auth__Authority__RequireHttpsMetadata: "false"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.5:80:80"
networks:
@@ -475,9 +495,10 @@ services:
EvidenceLocker__Signing__KeyId: "dev-evidence-key"
EvidenceLocker__Quotas__MaxMaterialCount: "128"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
EvidenceLocker__Authority__BaseUrl: "http://authority.stella-ops.local"
EvidenceLocker__Authority__BaseUrl: "https://authority.stella-ops.local"
volumes:
- *cert-volume
- *ca-bundle
- evidence-data:/data/evidence
ports:
- "127.1.0.7:80:80"
@@ -649,12 +670,13 @@ services:
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
CONCELIER_AUTHORITY__BASEURL: "http://authority.stella-ops.local"
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
volumes:
- concelier-jobs:/var/lib/concelier/jobs
- *cert-volume
- *ca-bundle
tmpfs:
- /app/plugins:mode=1777
ports:
@@ -685,11 +707,12 @@ services:
Excititor__Storage__Driver: "postgres"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
volumes:
- *cert-volume
- *ca-bundle
tmpfs:
- /app/plugins:mode=1777
ports:
@@ -723,11 +746,12 @@ services:
Excititor__Storage__Driver: "postgres"
Excititor__Worker__DisableConsensus: "true"
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
volumes:
- *cert-volume
- *ca-bundle
networks:
stellaops:
aliases:
@@ -825,14 +849,27 @@ services:
STELLAOPS_POLICY_ENGINE_Postgres__Policy__ConnectionString: *postgres-connection
STELLAOPS_POLICY_ENGINE_ConnectionStrings__Redis: "cache.stella-ops.local:6379"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__MetadataAddress: "http://authority.stella-ops.local/.well-known/openid-configuration"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Audiences__0: "/scanner"
# UI tokens in local compose currently carry scopes but no aud claim.
# Keep this empty and let Program.cs explicitly clear default audience lists.
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Audiences__0: ""
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
PolicyEngine__ResourceServer__Audiences__0: ""
PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.14:80:80"
networks:
@@ -857,15 +894,24 @@ services:
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Postgres__Policy__ConnectionString: *postgres-connection
PolicyGateway__ResourceServer__Authority: "http://authority.stella-ops.local"
PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
PolicyGateway__ResourceServer__Audiences__0: ""
PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
PolicyGateway__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
# In local compose, callers should forward their own token. Disable fallback
# client-credentials to avoid 500s on invalid_scope when no Authorization header is present.
PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
# Bootstrap-prefixed vars (read by StellaOpsConfigurationBootstrapper before DI)
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Authority: "http://authority.stella-ops.local"
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Audiences__0: ""
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
STELLAOPS_POLICY_GATEWAY_PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
STELLAOPS_POLICY_GATEWAY_Postgres__Policy__ConnectionString: *postgres-connection
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.15:80:80"
networks:
@@ -1240,9 +1286,14 @@ services:
ConnectionStrings__FindingsLedger: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
findings__ledger__Database__ConnectionString: *postgres-connection
findings__ledger__Authority__Issuer: "http://authority.stella-ops.local"
findings__ledger__Authority__Issuer: "https://authority.stella-ops.local/"
findings__ledger__Authority__RequireHttpsMetadata: "false"
# Local compose UI tokens may omit aud; keep audience validation relaxed.
findings__ledger__Authority__Audiences__0: ""
findings__ledger__Authority__RequiredScopes__0: "findings:read"
findings__ledger__Authority__BypassNetworks__0: "172.19.0.0/16"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
findings__ledger__Attachments__EncryptionKey: "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI="
findings__ledger__Attachments__SignedUrlBase: "http://findings.stella-ops.local/attachments"
findings__ledger__Attachments__SignedUrlSecret: "dev-signed-url-secret"
@@ -1250,6 +1301,7 @@ services:
findings__ledger__Attachments__RequireConsoleCsrf: "false"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.25:80:80"
networks:
@@ -1273,11 +1325,12 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Doctor__Authority__Issuer: "http://authority.stella-ops.local"
Doctor__Authority__Issuer: "https://authority.stella-ops.local/"
Doctor__Authority__RequireHttpsMetadata: "false"
Doctor__Authority__BypassNetworks__0: "172.19.0.0/16"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.26:80:80"
networks:
@@ -1577,7 +1630,7 @@ services:
RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx"
RegistryTokenService__Signing__Lifetime: "00:05:00"
RegistryTokenService__Registry__Realm: "http://registry.stella-ops.local"
RegistryTokenService__Authority__Issuer: "http://authority.stella-ops.local"
RegistryTokenService__Authority__Issuer: "https://authority.stella-ops.local/"
RegistryTokenService__Authority__Audience: "api://registry"
RegistryTokenService__Authority__RequireHttpsMetadata: "false"
RegistryTokenService__Plans__0__Name: "default"
@@ -1586,6 +1639,7 @@ services:
RegistryTokenService__Plans__0__Repositories__0__Actions__1: "push"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.35:80:80"
networks:
@@ -1644,6 +1698,7 @@ services:
volumes:
- ../../etc/issuer-directory:/app/etc/issuer-directory:ro
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.37:80:80"
networks:
@@ -1666,11 +1721,12 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "http://authority.stella-ops.local"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.38:80:80"
networks:
@@ -1818,13 +1874,13 @@ services:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# Runtime authority (used by token provider for OIDC discovery)
zastava__runtime__authority__Issuer: "http://authority.stella-ops.local"
zastava__runtime__authority__Issuer: "https://authority.stella-ops.local/"
zastava__runtime__authority__allowStaticTokenFallback: "true"
zastava__runtime__authority__staticTokenValue: "dev-bypass-token"
zastava__runtime__tenant: "default"
zastava__runtime__environment: "local"
# Webhook authority
zastava__webhook__authority__Issuer: "http://authority.stella-ops.local"
zastava__webhook__authority__Issuer: "https://authority.stella-ops.local/"
zastava__webhook__authority__staticTokenValue: "dev-bypass-token"
# TLS (PFX from cert volume)
zastava__webhook__tls__mode: "Secret"
@@ -1835,6 +1891,7 @@ services:
zastava__webhook__backend__allowInsecureHttp: "true"
volumes:
- *cert-volume
- *ca-bundle
networks:
stellaops:
aliases:
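Review bot: Audience validation is switched off on every resource server this file touches: `Audiences__0: ""` for the policy engine, policy gateway and findings ledger, and the gateway's `Audiences__0` left commented out, while all of them trust the same issuer. With no `aud` check, any access token from the authority that carries the required scope is accepted by each of these services, regardless of which client or API it was issued for. Whether an empty first entry is read as "no audiences" or as a literal empty audience depends on Program.cs, which is not shown here. I would keep the relaxation overridable rather than hard-coded, e.g. `PolicyGateway__ResourceServer__Audiences__0: "${POLICY_GATEWAY_AUDIENCE:-}"` (the variable name is only a suggestion), and extend the existing comment to `# Local compose only: re-enable once the authority emits aud; do not copy into other compose files`.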


@@ -0,0 +1,63 @@
{
"authority": {
"issuer": "https://authority.stella-ops.local/",
"clientId": "stella-ops-ui",
"authorizeEndpoint": "https://authority.stella-ops.local/connect/authorize",
"tokenEndpoint": "https://authority.stella-ops.local/connect/token",
"redirectUri": "https://stella-ops.local/auth/callback",
"postLogoutRedirectUri": "https://stella-ops.local/",
"scope": "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit",
"audience": "stella-ops-api",
"dpopAlgorithms": [
"ES256"
],
"refreshLeewaySeconds": 60
},
"apiBaseUrls": {
"vulnexplorer": "http://vulnexplorer.stella-ops.local",
"replay": "http://replay.stella-ops.local",
"notify": "http://notify.stella-ops.local",
"notifier": "http://notifier.stella-ops.local",
"airgapController": "http://airgap-controller.stella-ops.local",
"gateway": "http://gateway.stella-ops.local",
"doctor": "http://doctor.stella-ops.local",
"taskrunner": "http://taskrunner.stella-ops.local",
"timelineindexer": "http://timelineindexer.stella-ops.local",
"timeline": "http://timeline.stella-ops.local",
"packsregistry": "http://packsregistry.stella-ops.local",
"findingsLedger": "http://findings.stella-ops.local",
"policyGateway": "http://policy-gateway.stella-ops.local",
"registryTokenservice": "http://registry-token.stella-ops.local",
"graph": "http://graph.stella-ops.local",
"issuerdirectory": "http://issuerdirectory.stella-ops.local",
"router": "http://router.stella-ops.local",
"integrations": "http://integrations.stella-ops.local",
"platform": "http://platform.stella-ops.local",
"smremote": "http://smremote.stella-ops.local",
"signals": "http://signals.stella-ops.local",
"vexlens": "http://vexlens.stella-ops.local",
"scheduler": "http://scheduler.stella-ops.local",
"concelier": "http://concelier.stella-ops.local",
"opsmemory": "http://opsmemory.stella-ops.local",
"binaryindex": "http://binaryindex.stella-ops.local",
"signer": "http://signer.stella-ops.local",
"reachgraph": "http://reachgraph.stella-ops.local",
"authority": "http://authority.stella-ops.local",
"unknowns": "http://unknowns.stella-ops.local",
"scanner": "http://scanner.stella-ops.local",
"sbomservice": "http://sbomservice.stella-ops.local",
"symbols": "http://symbols.stella-ops.local",
"orchestrator": "http://orchestrator.stella-ops.local",
"policyEngine": "http://policy-engine.stella-ops.local",
"attestor": "http://attestor.stella-ops.local",
"vexhub": "http://vexhub.stella-ops.local",
"riskengine": "http://riskengine.stella-ops.local",
"airgapTime": "http://airgap-time.stella-ops.local",
"advisoryai": "http://advisoryai.stella-ops.local",
"excititor": "http://excititor.stella-ops.local",
"cartographer": "http://cartographer.stella-ops.local",
"evidencelocker": "http://evidencelocker.stella-ops.local",
"exportcenter": "http://exportcenter.stella-ops.local"
},
"setup": "complete"
}
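Review bot: The `authority` block points the UI at `https://` endpoints, yet every entry under `apiBaseUrls`, including `"authority": "http://authority.stella-ops.local"`, is plain `http`. If the console served from `https://stella-ops.local` calls these URLs directly, browsers will block the requests as mixed content, and any client that does send them would carry the bearer token unencrypted; whether the UI uses these entries directly or only goes through the gateway routes is not visible here. At minimum the authority entry should match the rest of the commit: `"authority": "https://authority.stella-ops.local"`. The file also advertises `"audience": "stella-ops-api"` and `dpopAlgorithms` while the gateway configuration in this commit disables DPoP and audience checks; since JSON cannot carry a comment, that mismatch belongs in the accompanying docs.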


@@ -0,0 +1,8 @@
findings:
ledger:
Authority:
Issuer: "https://authority.stella-ops.local/"
RequireHttpsMetadata: false
BypassNetworks:
- "172.19.0.0/16"
- "127.0.0.0/8"
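Review bot: `BypassNetworks` here covers `172.19.0.0/16` and the whole of `127.0.0.0/8`, and the second new YAML file that follows repeats the `172.19.0.0/16` entry. If, as the key name suggests, requests from these ranges skip token checks, then anything proxied by the gateway or sent by any other container on that subnet (presumably the compose network) reaches the findings ledger from a trusted address; this depends on whether the check uses the socket peer or a forwarded header, which is not shown. The compose environment for the same service lists only `172.19.0.0/16`, so the loopback /8 is also an inconsistency; `127.0.0.1/32`, as used for the policy engine, is the narrower form. I would add a header comment to both files: `# Local compose only: callers in these CIDRs bypass authentication; never ship with a routable range`.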


@@ -0,0 +1,5 @@
findings:
ledger:
Authority:
BypassNetworks:
- "172.19.0.0/16"



@@ -0,0 +1,143 @@
{
"Gateway": {
"Auth": {
"DpopEnabled": false,
"AllowAnonymous": true,
"EnableLegacyHeaders": true,
"AllowScopeHeader": false,
"Authority": {
"Issuer": "https://authority.stella-ops.local/",
"RequireHttpsMetadata": false,
"MetadataAddress": "https://authority.stella-ops.local/.well-known/openid-configuration",
"Audiences": []
}
},
"Routes": [
{ "Type": "ReverseProxy", "Path": "/api/v1/release-orchestrator", "TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/release-orchestrator" },
{ "Type": "ReverseProxy", "Path": "/api/v1/vex", "TranslatesTo": "http://vexhub.stella-ops.local/api/v1/vex" },
{ "Type": "ReverseProxy", "Path": "/api/v1/vexlens", "TranslatesTo": "http://vexlens.stella-ops.local/api/v1/vexlens" },
{ "Type": "ReverseProxy", "Path": "/api/v1/notify", "TranslatesTo": "http://notify.stella-ops.local/api/v1/notify" },
{ "Type": "ReverseProxy", "Path": "/api/v1/notifier", "TranslatesTo": "http://notifier.stella-ops.local/api/v1/notifier" },
{ "Type": "ReverseProxy", "Path": "/api/v1/concelier", "TranslatesTo": "http://concelier.stella-ops.local/api/v1/concelier" },
{ "Type": "ReverseProxy", "Path": "/api/v1/platform", "TranslatesTo": "http://platform.stella-ops.local/api/v1/platform" },
{ "Type": "ReverseProxy", "Path": "/api/v1/scanner", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/scanner" },
{ "Type": "ReverseProxy", "Path": "/api/v1/findings", "TranslatesTo": "http://findings.stella-ops.local/api/v1/findings", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/v1/integrations", "TranslatesTo": "http://integrations.stella-ops.local/api/v1/integrations", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/v1/policy", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/v1/policy" },
{ "Type": "ReverseProxy", "Path": "/api/v1/reachability", "TranslatesTo": "http://reachgraph.stella-ops.local/api/v1/reachability" },
{ "Type": "ReverseProxy", "Path": "/api/v1/attestor", "TranslatesTo": "http://attestor.stella-ops.local/api/v1/attestor" },
{ "Type": "ReverseProxy", "Path": "/api/v1/attestations", "TranslatesTo": "http://attestor.stella-ops.local/api/v1/attestations" },
{ "Type": "ReverseProxy", "Path": "/api/v1/sbom", "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/sbom" },
{ "Type": "ReverseProxy", "Path": "/api/v1/signals", "TranslatesTo": "http://signals.stella-ops.local/api/v1/signals" },
{ "Type": "ReverseProxy", "Path": "/api/v1/orchestrator", "TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/orchestrator" },
{ "Type": "ReverseProxy", "Path": "/api/v1/authority/quotas", "TranslatesTo": "http://platform.stella-ops.local/api/v1/authority/quotas", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/v1/authority", "TranslatesTo": "https://authority.stella-ops.local/api/v1/authority", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/v1/trust", "TranslatesTo": "https://authority.stella-ops.local/api/v1/trust", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/v1/evidence", "TranslatesTo": "http://evidencelocker.stella-ops.local/api/v1/evidence" },
{ "Type": "ReverseProxy", "Path": "/api/v1/proofs", "TranslatesTo": "http://evidencelocker.stella-ops.local/api/v1/proofs" },
{ "Type": "ReverseProxy", "Path": "/api/v1/timeline", "TranslatesTo": "http://timelineindexer.stella-ops.local/api/v1/timeline" },
{ "Type": "ReverseProxy", "Path": "/api/v1/advisory-ai", "TranslatesTo": "http://advisoryai.stella-ops.local/api/v1/advisory-ai" },
{ "Type": "ReverseProxy", "Path": "/api/v1/advisory", "TranslatesTo": "http://advisoryai.stella-ops.local/api/v1/advisory" },
{ "Type": "ReverseProxy", "Path": "/api/v1/vulnerabilities", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/vulnerabilities" },
{ "Type": "ReverseProxy", "Path": "/api/v1/watchlist", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/watchlist" },
{ "Type": "ReverseProxy", "Path": "/api/v1/resolve", "TranslatesTo": "http://binaryindex.stella-ops.local/api/v1/resolve" },
{ "Type": "ReverseProxy", "Path": "/api/v1/ops/binaryindex", "TranslatesTo": "http://binaryindex.stella-ops.local/api/v1/ops/binaryindex" },
{ "Type": "ReverseProxy", "Path": "/api/v1/verdicts", "TranslatesTo": "http://evidencelocker.stella-ops.local/api/v1/verdicts" },
{ "Type": "ReverseProxy", "Path": "/api/v1/lineage", "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/lineage" },
{ "Type": "ReverseProxy", "Path": "/api/v1/export", "TranslatesTo": "http://exportcenter.stella-ops.local/api/v1/export" },
{ "Type": "ReverseProxy", "Path": "/api/v1/triage", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/triage" },
{ "Type": "ReverseProxy", "Path": "/api/v1/governance", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/v1/governance" },
{ "Type": "ReverseProxy", "Path": "/api/v1/determinization", "TranslatesTo": "http://policy-engine.stella-ops.local/api/v1/determinization" },
{ "Type": "ReverseProxy", "Path": "/api/v1/opsmemory", "TranslatesTo": "http://opsmemory.stella-ops.local/api/v1/opsmemory" },
{ "Type": "ReverseProxy", "Path": "/api/v1/secrets", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/secrets" },
{ "Type": "ReverseProxy", "Path": "/api/v1/sources", "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/sources" },
{ "Type": "ReverseProxy", "Path": "/api/v1/workflows", "TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows" },
{ "Type": "ReverseProxy", "Path": "/api/v1/witnesses", "TranslatesTo": "http://attestor.stella-ops.local/api/v1/witnesses" },
{ "Type": "ReverseProxy", "Path": "/v1/evidence-packs", "TranslatesTo": "http://evidencelocker.stella-ops.local/v1/evidence-packs" },
{ "Type": "ReverseProxy", "Path": "/v1/runs", "TranslatesTo": "http://orchestrator.stella-ops.local/v1/runs" },
{ "Type": "ReverseProxy", "Path": "/v1/advisory-ai", "TranslatesTo": "http://advisoryai.stella-ops.local/v1/advisory-ai" },
{ "Type": "ReverseProxy", "Path": "/v1/audit-bundles", "TranslatesTo": "http://evidencelocker.stella-ops.local/v1/audit-bundles" },
{ "Type": "ReverseProxy", "Path": "/policy", "TranslatesTo": "http://policy-gateway.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/api/cvss", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/cvss", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/policy", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/policy", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/risk", "TranslatesTo": "http://policy-engine.stella-ops.local/api/risk", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/analytics", "TranslatesTo": "http://platform.stella-ops.local/api/analytics" },
{ "Type": "ReverseProxy", "Path": "/api/release-orchestrator", "TranslatesTo": "http://orchestrator.stella-ops.local/api/release-orchestrator" },
{ "Type": "ReverseProxy", "Path": "/api/releases", "TranslatesTo": "http://orchestrator.stella-ops.local/api/releases" },
{ "Type": "ReverseProxy", "Path": "/api/approvals", "TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals" },
{ "Type": "ReverseProxy", "Path": "/api/gate", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/gate", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/risk-budget", "TranslatesTo": "http://policy-engine.stella-ops.local/api/risk-budget" },
{ "Type": "ReverseProxy", "Path": "/api/fix-verification", "TranslatesTo": "http://scanner.stella-ops.local/api/fix-verification" },
{ "Type": "ReverseProxy", "Path": "/api/compare", "TranslatesTo": "http://sbomservice.stella-ops.local/api/compare" },
{ "Type": "ReverseProxy", "Path": "/api/change-traces", "TranslatesTo": "http://sbomservice.stella-ops.local/api/change-traces" },
{ "Type": "ReverseProxy", "Path": "/api/exceptions", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/exceptions", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/verdicts", "TranslatesTo": "http://evidencelocker.stella-ops.local/api/verdicts" },
{ "Type": "ReverseProxy", "Path": "/api/orchestrator", "TranslatesTo": "http://orchestrator.stella-ops.local/api/orchestrator" },
{ "Type": "ReverseProxy", "Path": "/api/v1/gateway/rate-limits", "TranslatesTo": "http://platform.stella-ops.local/api/v1/gateway/rate-limits", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/api/sbomservice", "TranslatesTo": "http://sbomservice.stella-ops.local/api/sbomservice" },
{ "Type": "ReverseProxy", "Path": "/api/vuln-explorer", "TranslatesTo": "http://vulnexplorer.stella-ops.local/api/vuln-explorer" },
{ "Type": "ReverseProxy", "Path": "/api/vex", "TranslatesTo": "http://vexhub.stella-ops.local/api/vex" },
{ "Type": "ReverseProxy", "Path": "/api/admin", "TranslatesTo": "http://platform.stella-ops.local/api/admin" },
{ "Type": "ReverseProxy", "Path": "/api/scheduler", "TranslatesTo": "http://scheduler.stella-ops.local/api/scheduler" },
{ "Type": "ReverseProxy", "Path": "/api/doctor", "TranslatesTo": "http://doctor.stella-ops.local/api/doctor" },
{ "Type": "ReverseProxy", "Path": "/api", "TranslatesTo": "http://platform.stella-ops.local/api" },
{ "Type": "StaticFile", "Path": "/platform/envsettings.json", "TranslatesTo": "/app/envsettings-override.json" },
{ "Type": "ReverseProxy", "Path": "/platform", "TranslatesTo": "http://platform.stella-ops.local/platform" },
{ "Type": "ReverseProxy", "Path": "/connect", "TranslatesTo": "https://authority.stella-ops.local", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/.well-known", "TranslatesTo": "https://authority.stella-ops.local/.well-known", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/jwks", "TranslatesTo": "https://authority.stella-ops.local/jwks", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/authority", "TranslatesTo": "https://authority.stella-ops.local/authority", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/console", "TranslatesTo": "https://authority.stella-ops.local/console", "PreserveAuthHeaders": true },
{ "Type": "ReverseProxy", "Path": "/envsettings.json", "TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json" },
{ "Type": "ReverseProxy", "Path": "/gateway", "TranslatesTo": "http://gateway.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/scanner", "TranslatesTo": "http://scanner.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/policyGateway", "TranslatesTo": "http://policy-gateway.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/policyEngine", "TranslatesTo": "http://policy-engine.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/concelier", "TranslatesTo": "http://concelier.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/attestor", "TranslatesTo": "http://attestor.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/notify", "TranslatesTo": "http://notify.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/notifier", "TranslatesTo": "http://notifier.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/scheduler", "TranslatesTo": "http://scheduler.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/signals", "TranslatesTo": "http://signals.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/excititor", "TranslatesTo": "http://excititor.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/findingsLedger", "TranslatesTo": "http://findings.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/vexhub", "TranslatesTo": "http://vexhub.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/vexlens", "TranslatesTo": "http://vexlens.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/orchestrator", "TranslatesTo": "http://orchestrator.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/taskrunner", "TranslatesTo": "http://taskrunner.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/cartographer", "TranslatesTo": "http://cartographer.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/reachgraph", "TranslatesTo": "http://reachgraph.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/doctor", "TranslatesTo": "http://doctor.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/integrations", "TranslatesTo": "http://integrations.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/replay", "TranslatesTo": "http://replay.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/exportcenter", "TranslatesTo": "http://exportcenter.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/evidencelocker", "TranslatesTo": "http://evidencelocker.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/signer", "TranslatesTo": "http://signer.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/binaryindex", "TranslatesTo": "http://binaryindex.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/riskengine", "TranslatesTo": "http://riskengine.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/vulnexplorer", "TranslatesTo": "http://vulnexplorer.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/sbomservice", "TranslatesTo": "http://sbomservice.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/advisoryai", "TranslatesTo": "http://advisoryai.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/unknowns", "TranslatesTo": "http://unknowns.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/timelineindexer", "TranslatesTo": "http://timelineindexer.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/opsmemory", "TranslatesTo": "http://opsmemory.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/issuerdirectory", "TranslatesTo": "http://issuerdirectory.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/symbols", "TranslatesTo": "http://symbols.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/packsregistry", "TranslatesTo": "http://packsregistry.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/registryTokenservice", "TranslatesTo": "http://registry-token.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/airgapController", "TranslatesTo": "http://airgap-controller.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/airgapTime", "TranslatesTo": "http://airgap-time.stella-ops.local" },
{ "Type": "ReverseProxy", "Path": "/smremote", "TranslatesTo": "http://smremote.stella-ops.local" },
{ "Type": "StaticFiles", "Path": "/", "TranslatesTo": "/app/wwwroot", "Headers": { "x-spa-fallback": "true" } },
{ "Type": "NotFoundPage", "Path": "/_error/404", "TranslatesTo": "/app/wwwroot/index.html" },
{ "Type": "ServerErrorPage", "Path": "/_error/500", "TranslatesTo": "/app/wwwroot/index.html" }
]
},
"Logging": {
"LogLevel": {
"Microsoft.AspNetCore.Authentication": "Debug",
"Microsoft.IdentityModel": "Debug",
"StellaOps": "Debug"
}
}
}
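Review bot: `PreserveAuthHeaders` is set on `/api/policy`, `/api/cvss`, `/api/gate` and `/api/exceptions`, but not on the other routes to the same policy-gateway backend: `/api/v1/policy`, `/api/v1/governance`, `/policy` and `/policyGateway`. The compose change in this commit disables the policy gateway's client-credentials fallback on the grounds that callers should forward their own token, so if this flag controls whether `Authorization` is passed through (its semantics are not shown), those four routes would arrive without a token and succeed only through the network bypass. I would add `"PreserveAuthHeaders": true` to them or document why they differ. Separately, `"AllowAnonymous": true` together with `"Audiences": []` means the gateway itself rejects nothing, so this file should stay confined to the local compose mount.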
