consolidation of some of the modules, localization fixes, product advisories work, qa work
@@ -61,6 +61,8 @@ x-router-microservice-defaults: &router-microservice-defaults
|
||||
Router__Messaging__HeartbeatInterval: "10s"
|
||||
Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
|
||||
Router__Messaging__valkey__Database: "0"
|
||||
# Identity envelope verification (signed by gateway, verified by services)
|
||||
Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Common anchors for the 60-service stack
|
||||
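Review bot: `Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"` carries no default and no required marker, so when the variable is absent compose substitutes an empty string and the services are handed an empty verification key; the same form is used for `Gateway__Auth__IdentityEnvelopeSigningKey` at line 67. Whether the applications reject an empty key themselves is not visible here, so make the stack fail at `docker compose up` instead: `Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY:?STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY must be set}"`, and the same on the gateway line.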
@@ -105,6 +107,7 @@ volumes:
|
||||
advisory-ai-plans:
|
||||
advisory-ai-outputs:
|
||||
evidence-data:
|
||||
taskrunner-artifacts-data:
|
||||
|
||||
services:
|
||||
# ===========================================================================
|
||||
@@ -299,6 +302,8 @@ services:
|
||||
Gateway__Transports__Messaging__LeaseDuration: "5m"
|
||||
Gateway__Transports__Messaging__BatchSize: "10"
|
||||
Gateway__Transports__Messaging__HeartbeatInterval: "10s"
|
||||
# Identity envelope signing (gateway -> microservice auth)
|
||||
Gateway__Auth__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
|
||||
# Audience validation disabled until authority includes aud in access tokens
|
||||
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
|
||||
@@ -337,11 +342,16 @@ services:
|
||||
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
|
||||
Platform__Authority__RequireHttpsMetadata: "false"
|
||||
Platform__Authority__BypassNetworks__0: "172.19.0.0/16"
|
||||
Logging__LogLevel__StellaOps.Auth: "Debug"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
|
||||
Logging__LogLevel__Microsoft.AspNetCore.Authorization: "Debug"
|
||||
Platform__Storage__Driver: "postgres"
|
||||
Platform__Storage__PostgresConnectionString: *postgres-connection
|
||||
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
|
||||
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
|
||||
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
|
||||
Platform__EnvironmentSettings__AuthorizeEndpoint: "https://127.1.0.1/connect/authorize"
|
||||
Platform__EnvironmentSettings__TokenEndpoint: "https://127.1.0.1/connect/token"
|
||||
Platform__EnvironmentSettings__RedirectUri: "https://127.1.0.1/auth/callback"
|
||||
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://127.1.0.1/"
|
||||
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write"
|
||||
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
|
||||
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
|
||||
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
|
||||
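Review bot: `Platform__EnvironmentSettings__AuthorizeEndpoint` and `TokenEndpoint` now point at `https://127.1.0.1` while `Platform__Authority__Issuer` still reads `https://authority.stella-ops.local/`, so the host the browser is redirected to and the issuer the platform validates differ; if the authority's certificate does not list that IP as a SAN the token exchange fails on TLS (`RequireHttpsMetadata: "false"` only covers discovery, and the certificate is not visible here, so confirm). The redirect URIs at lines 121 and 124 must also match what is registered for the client on the Authority side. Separately, the `Scope` value is a single roughly 1 000-character line; writing it as a folded scalar (`Platform__EnvironmentSettings__Scope: >-` with one scope family per line) keeps the same string and makes future scope additions reviewable.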
@@ -357,7 +367,7 @@ services:
|
||||
STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
|
||||
STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
|
||||
STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
|
||||
STELLAOPS_ORCHESTRATOR_URL: "http://orchestrator.stella-ops.local"
|
||||
STELLAOPS_JOBENGINE_URL: "http://jobengine.stella-ops.local"
|
||||
STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
|
||||
STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
|
||||
STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
|
||||
@@ -437,7 +447,11 @@ services:
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "password"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
|
||||
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
|
||||
<<: *router-microservice-defaults
|
||||
Router__Enabled: "${AUTHORITY_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "authority"
|
||||
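Review bot: The bootstrap admin password becomes a fixed literal, `...standard__BootstrapUser__Password: "Admin@Stella2026!"`, committed beside the `admin` username, so anyone with read access to the repository holds the Authority admin credential and rotating it requires a commit. Source it from the environment the way the signing key at line 18 is, for example `STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "${STELLAOPS_AUTHORITY_BOOTSTRAP_PASSWORD:?must be set}"` (variable name constructed here; pick the project's convention). The replaced `"password"` value had the same weakness, so this is not a regression, only a missed opportunity.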
@@ -751,6 +765,14 @@ services:
|
||||
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
|
||||
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
|
||||
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
|
||||
CONCELIER_AUTHORITY__ENABLED: "true"
|
||||
CONCELIER_AUTHORITY__ISSUER: "https://authority.stella-ops.local/"
|
||||
CONCELIER_AUTHORITY__REQUIREHTTPSMETADATA: "false"
|
||||
CONCELIER_AUTHORITY__METADATAADDRESS: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
CONCELIER_AUTHORITY__BYPASSNETWORKS__0: "172.19.0.0/16"
|
||||
CONCELIER_AUTHORITY__BYPASSNETWORKS__1: "172.20.0.0/16"
|
||||
CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"
|
||||
CONCELIER_AUTHORITY__AUDIENCES__0: "stellaops"
|
||||
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
|
||||
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
|
||||
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
|
||||
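Review bot: `CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"` matches every IPv4 source, which makes the two subnet entries above it and `CONCELIER_AUTHORITY__AUDIENCES__0` moot — presumably any client that can reach the Concelier port is treated as a trusted-network caller and bypasses token validation. The same catch-all pair (`0.0.0.0/0` and `::/0` as BypassNetworks 3 and 4) is added for jobengine at lines 400 and 403, notifier at 718 and 721, integrations at 847 and 850, and signals at 910 and 913. If this is meant for local development only, move those entries into a `docker-compose.override.yml` that is not the committed default; otherwise drop them and keep the named `172.19.0.0/16` / `172.20.0.0/16` subnets.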
@@ -897,7 +919,7 @@ services:
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 13: VulnExplorer (api) -------------------------------------------
|
||||
# --- Slot 13: VulnExplorer (api) [src/Findings/StellaOps.VulnExplorer.Api] ---
|
||||
api:
|
||||
image: stellaops/api:dev
|
||||
container_name: stellaops-api
|
||||
@@ -1015,7 +1037,7 @@ services:
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 16: RiskEngine ---------------------------------------------------
|
||||
# --- Slot 16: RiskEngine [src/Findings/StellaOps.RiskEngine.*] ---------------
|
||||
riskengine-web:
|
||||
image: stellaops/riskengine-web:dev
|
||||
container_name: stellaops-riskengine-web
|
||||
@@ -1026,6 +1048,8 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
RISKENGINE__STORAGE__DRIVER: "postgres"
|
||||
RISKENGINE__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
|
||||
Router__Enabled: "${RISKENGINE_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "riskengine"
|
||||
volumes:
|
||||
@@ -1062,9 +1086,9 @@ services:
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 17: Orchestrator -------------------------------------------------
|
||||
orchestrator:
|
||||
image: stellaops/orchestrator:dev
|
||||
container_name: stellaops-orchestrator
|
||||
jobengine:
|
||||
image: stellaops/jobengine:dev
|
||||
container_name: stellaops-jobengine
|
||||
restart: unless-stopped
|
||||
depends_on: *depends-infra
|
||||
environment:
|
||||
@@ -1072,25 +1096,35 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
Router__Enabled: "${ORCHESTRATOR_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "orchestrator"
|
||||
Router__Messaging__ConsumerGroup: "jobengine"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.17:80:80"
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
- orchestrator.stella-ops.local
|
||||
- jobengine.stella-ops.local
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
orchestrator-worker:
|
||||
image: stellaops/orchestrator-worker:dev
|
||||
container_name: stellaops-orchestrator-worker
|
||||
jobengine-worker:
|
||||
image: stellaops/jobengine-worker:dev
|
||||
container_name: stellaops-jobengine-worker
|
||||
restart: unless-stopped
|
||||
depends_on: *depends-infra
|
||||
environment:
|
||||
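Review bot: `Authority__ResourceServer__Audiences__0: ""` registers an empty audience, which presumably either turns audience checking off or rejects every token — confirm which before this lands; the same empty entry is added at lines 641, 706, 835 and 898. The gateway hunk at line 70 explains why audience validation is off (`# Audience validation disabled until authority includes aud in access tokens`); repeat that comment above this line so the empty string reads as deliberate rather than as a placeholder. The rendering has lost the +/- markers, but the hunk at line 151/154 appears to replace `STELLAOPS_ORCHESTRATOR_URL` with `STELLAOPS_JOBENGINE_URL` while this service keeps both `orchestrator.stella-ops.local` and `jobengine.stella-ops.local` as aliases; that asymmetry is worth a one-line comment stating the old alias is transitional.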
@@ -1104,7 +1138,7 @@ services:
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
- orchestrator-worker.stella-ops.local
|
||||
- jobengine-worker.stella-ops.local
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 18: TaskRunner ---------------------------------------------------
|
||||
@@ -1118,10 +1152,15 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
TASKRUNNER__STORAGE__DRIVER: "postgres"
|
||||
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
|
||||
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
|
||||
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
|
||||
Router__Enabled: "${TASKRUNNER_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "taskrunner"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- taskrunner-artifacts-data:/app/artifacts
|
||||
ports:
|
||||
- "127.1.0.18:80:80"
|
||||
networks:
|
||||
@@ -1143,14 +1182,18 @@ services:
|
||||
<<: *kestrel-cert
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
TASKRUNNER__STORAGE__DRIVER: "postgres"
|
||||
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
|
||||
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
|
||||
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
|
||||
# AirGap egress policy (disable for dev)
|
||||
AirGap__Egress__Enabled: "false"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- taskrunner-artifacts-data:/app/artifacts
|
||||
tmpfs:
|
||||
- /app/queue:mode=1777
|
||||
- /app/state:mode=1777
|
||||
- /app/artifacts:mode=1777
|
||||
- /app/approvals:mode=1777
|
||||
- /app/logs:mode=1777
|
||||
networks:
|
||||
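Review bot: `/app/artifacts` is mounted twice in this worker service — as the named volume `taskrunner-artifacts-data:/app/artifacts` under `volumes:` and as `/app/artifacts:mode=1777` under `tmpfs:`; the rendering drops the +/- markers, but if both survive on the new side the engine either rejects the duplicate mount target or one mount shadows the other, and `TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"` may then write to a non-persistent tmpfs instead of the volume shared with the web service in the hunk at line 551. Remove the tmpfs entry for `/app/artifacts` so the seed-fs root is the same backing store for both services. The remaining `mode=1777` entries are world-writable with the sticky bit; if the container ever runs more than one uid, a narrower mode on `/app/approvals` in particular is worth considering.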
@@ -1376,6 +1419,11 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
|
||||
Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "timeline"
|
||||
volumes:
|
||||
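Review bot: `Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"` uses plain http, whereas every other resource server in this commit (for example notifier at line 697) configures `https://authority.stella-ops.local/` together with a `MetadataAddress`; with a different scheme the configured issuer will not match the `iss` claim if the authority issues it in the https form, and discovery would travel in cleartext. Align it: `Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"` and add `Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"`. The timeline service's enclosing block starts before this hunk.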
@@ -1489,7 +1537,7 @@ services:
|
||||
- doctor-scheduler.stella-ops.local
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 27: OpsMemory ---------------------------------------------------
|
||||
# --- Slot 27: OpsMemory (src/AdvisoryAI/StellaOps.OpsMemory.WebService) ---
|
||||
opsmemory-web:
|
||||
image: stellaops/opsmemory-web:dev
|
||||
container_name: stellaops-opsmemory-web
|
||||
@@ -1527,10 +1575,20 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "notifier"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.28:80:80"
|
||||
networks:
|
||||
@@ -1722,6 +1780,10 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
|
||||
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
|
||||
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
|
||||
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/packs"
|
||||
Router__Enabled: "${PACKSREGISTRY_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "packsregistry"
|
||||
volumes:
|
||||
@@ -1990,6 +2052,10 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
REPLAY__STORAGE__DRIVER: "postgres"
|
||||
REPLAY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
|
||||
REPLAY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
|
||||
REPLAY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/replay-snapshots"
|
||||
Router__Enabled: "${REPLAY_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "replay"
|
||||
volumes:
|
||||
@@ -2018,10 +2084,20 @@ services:
|
||||
ConnectionStrings__IntegrationsDb: *postgres-connection
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
Router__Enabled: "${INTEGRATIONS_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "integrations"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.42:80:80"
|
||||
networks:
|
||||
@@ -2087,10 +2163,20 @@ services:
|
||||
<<: [*kestrel-cert, *router-microservice-defaults]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
Router__Enabled: "${SIGNALS_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "signals"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.43:80:80"
|
||||
networks:
|
||||
|
||||