feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint. - Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately. - Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly. - Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
2025-10-19 18:36:22 +03:00
parent 7e2fa0a42a
commit 5ce40d2eeb
966 changed files with 91038 additions and 1850 deletions
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -83,6 +83,29 @@ plugins:
        - password
        - mfa

+# OAuth client registrations issued by Authority. These examples cover Notify WebService
+# in dev (notify.dev audience) and production (notify audience). Replace the secret files
+# with paths to your sealed credentials before enabling bootstrap mode.
+clients:
+  - clientId: "notify-web-dev"
+    displayName: "Notify WebService (dev)"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify.dev" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web-dev.secret"
+  - clientId: "notify-web"
+    displayName: "Notify WebService"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web.secret"
+
 # CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
 # Keep the list tight: localhost is sufficient for most air-gapped installs.
 bypassNetworks:
--- a/etc/notify.dev.yaml
+++ b/etc/notify.dev.yaml
@@ -0,0 +1,43 @@
+# Notify WebService configuration — development
+
+storage:
+  driver: mongo
+  connectionString: "mongodb://notify-mongo.dev.svc.cluster.local:27017"
+  database: "stellaops_notify_dev"
+  commandTimeoutSeconds: 30
+
+authority:
+  enabled: true
+  issuer: "https://authority.dev.stella-ops.local"
+  metadataAddress: "https://authority.dev.stella-ops.local/.well-known/openid-configuration"
+  requireHttpsMetadata: false
+  allowAnonymousFallback: false
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - notify.dev
+  readScope: notify.read
+  adminScope: notify.admin
+
+api:
+  basePath: "/api/v1/notify"
+  internalBasePath: "/internal/notify"
+  tenantHeader: "X-StellaOps-Tenant"
+
+plugins:
+  baseDirectory: "../"
+  directory: "plugins/notify"
+  searchPatterns:
+    - "StellaOps.Notify.Connectors.*.dll"
+  orderedPlugins:
+    - StellaOps.Notify.Connectors.Slack
+    - StellaOps.Notify.Connectors.Teams
+    - StellaOps.Notify.Connectors.Email
+    - StellaOps.Notify.Connectors.Webhook
+
+telemetry:
+  enableRequestLogging: true
+  minimumLogLevel: Debug
+
+# Development override: when the Authority service is not available, set
+# authority.enabled: false and authority.developmentSigningKey to a 32+ byte secret.
--- a/etc/notify.prod.yaml
+++ b/etc/notify.prod.yaml
@@ -0,0 +1,40 @@
+# Notify WebService configuration — production
+
+storage:
+  driver: mongo
+  connectionString: "mongodb://notify-mongo.prod.svc.cluster.local:27017"
+  database: "stellaops_notify"
+  commandTimeoutSeconds: 60
+
+authority:
+  enabled: true
+  issuer: "https://authority.stella-ops.org"
+  metadataAddress: "https://authority.stella-ops.org/.well-known/openid-configuration"
+  requireHttpsMetadata: true
+  allowAnonymousFallback: false
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - notify
+  readScope: notify.read
+  adminScope: notify.admin
+
+api:
+  basePath: "/api/v1/notify"
+  internalBasePath: "/internal/notify"
+  tenantHeader: "X-StellaOps-Tenant"
+
+plugins:
+  baseDirectory: "/var/opt/stellaops"
+  directory: "plugins/notify"
+  searchPatterns:
+    - "StellaOps.Notify.Connectors.*.dll"
+  orderedPlugins:
+    - StellaOps.Notify.Connectors.Slack
+    - StellaOps.Notify.Connectors.Teams
+    - StellaOps.Notify.Connectors.Email
+    - StellaOps.Notify.Connectors.Webhook
+
+telemetry:
+  enableRequestLogging: true
+  minimumLogLevel: Warning
--- a/etc/notify.stage.yaml
+++ b/etc/notify.stage.yaml
@@ -0,0 +1,40 @@
+# Notify WebService configuration — staging
+
+storage:
+  driver: mongo
+  connectionString: "mongodb://notify-mongo.stage.svc.cluster.local:27017"
+  database: "stellaops_notify_stage"
+  commandTimeoutSeconds: 45
+
+authority:
+  enabled: true
+  issuer: "https://authority.stage.stella-ops.org"
+  metadataAddress: "https://authority.stage.stella-ops.org/.well-known/openid-configuration"
+  requireHttpsMetadata: true
+  allowAnonymousFallback: false
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - notify
+  readScope: notify.read
+  adminScope: notify.admin
+
+api:
+  basePath: "/api/v1/notify"
+  internalBasePath: "/internal/notify"
+  tenantHeader: "X-StellaOps-Tenant"
+
+plugins:
+  baseDirectory: "/opt/stellaops"
+  directory: "plugins/notify"
+  searchPatterns:
+    - "StellaOps.Notify.Connectors.*.dll"
+  orderedPlugins:
+    - StellaOps.Notify.Connectors.Slack
+    - StellaOps.Notify.Connectors.Teams
+    - StellaOps.Notify.Connectors.Email
+    - StellaOps.Notify.Connectors.Webhook
+
+telemetry:
+  enableRequestLogging: true
+  minimumLogLevel: Information
--- a/etc/notify.yaml.sample
+++ b/etc/notify.yaml.sample
@@ -0,0 +1,46 @@
+# Notify WebService sample configuration
+
+storage:
+  # Use "mongo" for production deployments; set to "memory" only for tests/dev harnesses.
+  driver: mongo
+  connectionString: "mongodb://localhost:27017"
+  database: "stellaops_notify"
+  commandTimeoutSeconds: 30
+
+authority:
+  enabled: true
+  issuer: "https://authority.stella-ops.local"
+  metadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
+  requireHttpsMetadata: true
+  allowAnonymousFallback: false
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - notify
+  readScope: notify.read
+  adminScope: notify.admin
+
+api:
+  basePath: "/api/v1/notify"
+  internalBasePath: "/internal/notify"
+  tenantHeader: "X-StellaOps-Tenant"
+
+plugins:
+  baseDirectory: "../"
+  directory: "plugins/notify"
+  searchPatterns:
+    - "StellaOps.Notify.Connectors.*.dll"
+  orderedPlugins:
+    - StellaOps.Notify.Connectors.Slack
+    - StellaOps.Notify.Connectors.Teams
+    - StellaOps.Notify.Connectors.Email
+    - StellaOps.Notify.Connectors.Webhook
+
+telemetry:
+  enableRequestLogging: true
+  minimumLogLevel: Information
+
+# When running in development without Authority, set the following instead:
+# authority:
+#   enabled: false
+#   developmentSigningKey: "change-me-32-bytes-minimum-signing-key"
--- a/etc/secrets/.gitkeep
+++ b/etc/secrets/.gitkeep
--- a/etc/secrets/notify-web-dev.secret.example
+++ b/etc/secrets/notify-web-dev.secret.example
@@ -0,0 +1,3 @@
+# Replace this file with the actual client secret for the notify-web-dev Authority client.
+# Store the secret with restrictive permissions (chmod 600) and mount/read-only in deployments.
+NOTIFY_WEB_DEV_CLIENT_SECRET=change-me-dev
--- a/etc/secrets/notify-web.secret.example
+++ b/etc/secrets/notify-web.secret.example
@@ -0,0 +1,3 @@
+# Replace this file with the production client secret for the notify-web Authority client.
+# Keep outside source control and mount via secrets manager in Kubernetes/offline kit bundles.
+NOTIFY_WEB_CLIENT_SECRET=change-me-prod