Compose and authority fixes. Finish sprints.
@@ -35,6 +35,9 @@ x-kestrel-cert: &kestrel-cert
|
||||
x-cert-volume: &cert-volume
|
||||
"../../etc/authority/keys:/app/etc/certs:ro"
|
||||
|
||||
x-ca-bundle: &ca-bundle
|
||||
"./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro"
|
||||
|
||||
x-plugin-tmpfs: &plugin-tmpfs
|
||||
/app/plugins:
|
||||
mode: "1777"
|
||||
@@ -235,9 +238,21 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Gateway__Auth__DpopEnabled: "false"
|
||||
Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
Gateway__Auth__Authority__RequireHttpsMetadata: "false"
|
||||
Gateway__Auth__Authority__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
# Audience validation disabled until authority includes aud in access tokens
|
||||
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
|
||||
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
|
||||
Logging__LogLevel__StellaOps: "Debug"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- console-dist:/app/wwwroot:ro
|
||||
- ./router-gateway-local.json:/app/appsettings.local.json:ro
|
||||
- ./envsettings-override.json:/app/envsettings-override.json:ro
|
||||
- ./gateway-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
|
||||
ports:
|
||||
- "127.1.0.1:80:8080"
|
||||
- "127.1.0.1:443:443"
|
||||
@@ -263,14 +278,14 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Platform__Authority__Issuer: "https://stella-ops.local"
|
||||
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
Platform__Authority__RequireHttpsMetadata: "false"
|
||||
Platform__Authority__BypassNetworks__0: "172.19.0.0/16"
|
||||
Platform__Storage__Driver: "postgres"
|
||||
Platform__Storage__PostgresConnectionString: *postgres-connection
|
||||
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
|
||||
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
|
||||
Platform__EnvironmentSettings__Scope: "openid profile email ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
|
||||
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
|
||||
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
|
||||
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
|
||||
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
|
||||
@@ -317,6 +332,7 @@ services:
|
||||
STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.3:80:80"
|
||||
networks:
|
||||
@@ -343,6 +359,8 @@ services:
|
||||
ASPNETCORE_URLS: "http://+:8440"
|
||||
Kestrel__Certificates__Default__Path: "/app/etc/authority/keys/kestrel-dev.pfx"
|
||||
Kestrel__Certificates__Default__Password: "devpass"
|
||||
STELLAOPS_DISABLE_TRANSPORT_SECURITY: "true"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__ACCESSTOKENLIFETIME: "00:30:00"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__SCHEMAVERSION: "1"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__STORAGE__CONNECTIONSTRING: *postgres-connection
|
||||
@@ -387,10 +405,12 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Gateway__Auth__DpopEnabled: "false"
|
||||
Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
Gateway__Auth__Authority__RequireHttpsMetadata: "false"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.5:80:80"
|
||||
networks:
|
||||
@@ -475,9 +495,10 @@ services:
|
||||
EvidenceLocker__Signing__KeyId: "dev-evidence-key"
|
||||
EvidenceLocker__Quotas__MaxMaterialCount: "128"
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
EvidenceLocker__Authority__BaseUrl: "http://authority.stella-ops.local"
|
||||
EvidenceLocker__Authority__BaseUrl: "https://authority.stella-ops.local"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
- evidence-data:/data/evidence
|
||||
ports:
|
||||
- "127.1.0.7:80:80"
|
||||
@@ -649,12 +670,13 @@ services:
|
||||
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
|
||||
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
|
||||
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
|
||||
CONCELIER_AUTHORITY__BASEURL: "http://authority.stella-ops.local"
|
||||
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
|
||||
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
|
||||
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
|
||||
volumes:
|
||||
- concelier-jobs:/var/lib/concelier/jobs
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
tmpfs:
|
||||
- /app/plugins:mode=1777
|
||||
ports:
|
||||
@@ -685,11 +707,12 @@ services:
|
||||
Excititor__Storage__Driver: "postgres"
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
|
||||
Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
|
||||
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
|
||||
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
|
||||
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
tmpfs:
|
||||
- /app/plugins:mode=1777
|
||||
ports:
|
||||
@@ -723,11 +746,12 @@ services:
|
||||
Excititor__Storage__Driver: "postgres"
|
||||
Excititor__Worker__DisableConsensus: "true"
|
||||
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
|
||||
Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
|
||||
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
|
||||
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
|
||||
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
@@ -825,14 +849,27 @@ services:
|
||||
STELLAOPS_POLICY_ENGINE_Postgres__Policy__ConnectionString: *postgres-connection
|
||||
STELLAOPS_POLICY_ENGINE_ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__MetadataAddress: "http://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Audiences__0: "/scanner"
|
||||
# UI tokens in local compose currently carry scopes but no aud claim.
|
||||
# Keep this empty and let Program.cs explicitly clear default audience lists.
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Audiences__0: ""
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
|
||||
PolicyEngine__ResourceServer__Audiences__0: ""
|
||||
PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
|
||||
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.14:80:80"
|
||||
networks:
|
||||
@@ -857,15 +894,24 @@ services:
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Postgres__Policy__ConnectionString: *postgres-connection
|
||||
PolicyGateway__ResourceServer__Authority: "http://authority.stella-ops.local"
|
||||
PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
|
||||
PolicyGateway__ResourceServer__Audiences__0: ""
|
||||
PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
PolicyGateway__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
# In local compose, callers should forward their own token. Disable fallback
|
||||
# client-credentials to avoid 500s on invalid_scope when no Authorization header is present.
|
||||
PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
|
||||
# Bootstrap-prefixed vars (read by StellaOpsConfigurationBootstrapper before DI)
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Authority: "http://authority.stella-ops.local"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Audiences__0: ""
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
|
||||
STELLAOPS_POLICY_GATEWAY_Postgres__Policy__ConnectionString: *postgres-connection
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.15:80:80"
|
||||
networks:
|
||||
@@ -1240,9 +1286,14 @@ services:
|
||||
ConnectionStrings__FindingsLedger: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
findings__ledger__Database__ConnectionString: *postgres-connection
|
||||
findings__ledger__Authority__Issuer: "http://authority.stella-ops.local"
|
||||
findings__ledger__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
findings__ledger__Authority__RequireHttpsMetadata: "false"
|
||||
# Local compose UI tokens may omit aud; keep audience validation relaxed.
|
||||
findings__ledger__Authority__Audiences__0: ""
|
||||
findings__ledger__Authority__RequiredScopes__0: "findings:read"
|
||||
findings__ledger__Authority__BypassNetworks__0: "172.19.0.0/16"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
|
||||
Logging__LogLevel__Microsoft.IdentityModel: "Debug"
|
||||
findings__ledger__Attachments__EncryptionKey: "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI="
|
||||
findings__ledger__Attachments__SignedUrlBase: "http://findings.stella-ops.local/attachments"
|
||||
findings__ledger__Attachments__SignedUrlSecret: "dev-signed-url-secret"
|
||||
@@ -1250,6 +1301,7 @@ services:
|
||||
findings__ledger__Attachments__RequireConsoleCsrf: "false"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.25:80:80"
|
||||
networks:
|
||||
@@ -1273,11 +1325,12 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Doctor__Authority__Issuer: "http://authority.stella-ops.local"
|
||||
Doctor__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
Doctor__Authority__RequireHttpsMetadata: "false"
|
||||
Doctor__Authority__BypassNetworks__0: "172.19.0.0/16"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.26:80:80"
|
||||
networks:
|
||||
@@ -1577,7 +1630,7 @@ services:
|
||||
RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx"
|
||||
RegistryTokenService__Signing__Lifetime: "00:05:00"
|
||||
RegistryTokenService__Registry__Realm: "http://registry.stella-ops.local"
|
||||
RegistryTokenService__Authority__Issuer: "http://authority.stella-ops.local"
|
||||
RegistryTokenService__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
RegistryTokenService__Authority__Audience: "api://registry"
|
||||
RegistryTokenService__Authority__RequireHttpsMetadata: "false"
|
||||
RegistryTokenService__Plans__0__Name: "default"
|
||||
@@ -1586,6 +1639,7 @@ services:
|
||||
RegistryTokenService__Plans__0__Repositories__0__Actions__1: "push"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.35:80:80"
|
||||
networks:
|
||||
@@ -1644,6 +1698,7 @@ services:
|
||||
volumes:
|
||||
- ../../etc/issuer-directory:/app/etc/issuer-directory:ro
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.37:80:80"
|
||||
networks:
|
||||
@@ -1666,11 +1721,12 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "http://authority.stella-ops.local"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.38:80:80"
|
||||
networks:
|
||||
@@ -1818,13 +1874,13 @@ services:
|
||||
ASPNETCORE_URLS: "http://+:8080"
|
||||
<<: *kestrel-cert
|
||||
# Runtime authority (used by token provider for OIDC discovery)
|
||||
zastava__runtime__authority__Issuer: "http://authority.stella-ops.local"
|
||||
zastava__runtime__authority__Issuer: "https://authority.stella-ops.local/"
|
||||
zastava__runtime__authority__allowStaticTokenFallback: "true"
|
||||
zastava__runtime__authority__staticTokenValue: "dev-bypass-token"
|
||||
zastava__runtime__tenant: "default"
|
||||
zastava__runtime__environment: "local"
|
||||
# Webhook authority
|
||||
zastava__webhook__authority__Issuer: "http://authority.stella-ops.local"
|
||||
zastava__webhook__authority__Issuer: "https://authority.stella-ops.local/"
|
||||
zastava__webhook__authority__staticTokenValue: "dev-bypass-token"
|
||||
# TLS (PFX from cert volume)
|
||||
zastava__webhook__tls__mode: "Secret"
|
||||
@@ -1835,6 +1891,7 @@ services:
|
||||
zastava__webhook__backend__allowInsecureHttp: "true"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
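Review bot: The authority service's own issuer, `STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"` in hunk `@@ -343,6 +359,8 @@`, still defaults to plain http while this commit moves every consumer's `Issuer`/`MetadataAddress`/`Authority` value to `https://authority.stella-ops.local/` (hunks at -235, -263, -387, -475, -649, -685, -723, -825, -857, -1240, -1273, -1577, -1666 and -1818). If the resource servers compare the token `iss` claim against the configured authority rather than the value advertised in the discovery document, every token the authority mints will be rejected, so the default should presumably follow: `STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-https://authority.stella-ops.local/}"`. The new values are also inconsistent about the trailing slash (`https://authority.stella-ops.local/` in most places, `https://authority.stella-ops.local` for the EvidenceLocker, Concelier and Excititor BaseUrl keys) — pick one form so an exact issuer string comparison cannot fail on the slash alone. Note that with `Audiences__0: ""` and `BypassNetworks__0: "172.19.0.0/16"` on most of these services, in-network callers presumably skip token validation entirely, so the issuer change is only exercised by callers outside the compose network; a comment next to the bypass entries stating that this is a local-compose-only relaxation would help the next reader. The authority service's environment mapping begins outside the hunk.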