feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint. - Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately. - Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly. - Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
2025-10-19 18:36:22 +03:00
parent 7e2fa0a42a
commit 5ce40d2eeb
966 changed files with 91038 additions and 1850 deletions
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -83,6 +83,29 @@ plugins:
        - password
        - mfa

+# OAuth client registrations issued by Authority. These examples cover Notify WebService
+# in dev (notify.dev audience) and production (notify audience). Replace the secret files
+# with paths to your sealed credentials before enabling bootstrap mode.
+clients:
+  - clientId: "notify-web-dev"
+    displayName: "Notify WebService (dev)"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify.dev" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web-dev.secret"
+  - clientId: "notify-web"
+    displayName: "Notify WebService"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web.secret"
+
 # CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
 # Keep the list tight: localhost is sufficient for most air-gapped installs.
 bypassNetworks: