docs consolidation
@@ -1,8 +1,48 @@
# Platform topology (detailed)
This document provides a clean, audit-friendly view of StellaOps platform topology without relying on fragile ASCII diagrams. For module-specific details (APIs, schemas, operations), use `docs/modules/`.
This document provides a comprehensive view of StellaOps platform topology. For module-specific details (APIs, schemas, operations), see `docs/modules/`.
## Layers
## Component topology (quick reference)
```
CLIENT LAYER
├─ stella CLI → Gateway (JWT + DPoP auth)
├─ Web UI (Angular) → Gateway (JWT + DPoP auth)
├─ CI/CD Pipelines → Gateway (JWT + DPoP auth)
└─ Zastava Observer → Scanner (runtime scans)
INFRASTRUCTURE (REQUIRED)
├─ PostgreSQL v16+ → Primary database (ALL services)
├─ Valkey v8.0 → Cache, DPoP, queues, events
└─ RustFS → Object storage (S3 API)
INFRASTRUCTURE (OPTIONAL)
└─ NATS JetStream → Alternative messaging (Valkey is default)
GATEWAY LAYER
└─ Gateway.WebService → Auth, routing, rate limiting
AUTH & CRYPTO
├─ Authority → OAuth2/OIDC, OpTok issuance
├─ Signer → DSSE signing (FIPS/GOST/SM)
└─ Attestor → Rekor v2 transparency log
CORE ENGINES
├─ Scanner.WebService → Scan orchestration
├─ Scanner.Worker → Image analysis, SBOM generation
├─ Concelier.WebService → Advisory ingestion (NVD, Red Hat, etc.)
├─ Excititor.WebService → VEX ingestion + consensus
├─ Policy.Gateway → OPA/Rego policy evaluation
├─ Scheduler.WebService → Re-scan orchestration
├─ Notify.WebService → Notification orchestration
├─ Notify.Worker → Slack/Teams/Email delivery
└─ Orchestrator.WebService → DAG workflows, pack runs
SUPPORTING
└─ IssuerDirectory → VEX issuer trust registry
```
## Layers (tabular reference)
| Layer | Primary components | Responsibility |
| --- | --- | --- |
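Review bot: the quick-reference tree line `└─ Zastava Observer → Scanner (runtime scans)` is the only client path that bypasses the Gateway, and the hunk says nothing about how the Observer authenticates to Scanner while every other client entry is labelled `(JWT + DPoP auth)`; either state the auth mechanism on that line or route the Observer through the Gateway so the trust boundary reads unambiguously. The replacement intro sentence also drops "without relying on fragile ASCII diagrams" and, in the same hunk, introduces a large fixed-width ASCII tree; keep the sentence and fold the tree into the table below it, or accept that the page now depends on monospace rendering. Minor: the opening fence above `CLIENT LAYER` has no language tag (`text` would do), and `OpTok issuance` is used without `OpTok` being defined anywhere on the page.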
@@ -12,6 +52,108 @@ This document provides a clean, audit-friendly view of StellaOps platform topolo
| Core engines | Scanner, Concelier, Excititor, Policy, Scheduler, Notify, Orchestrator | Scanning, ingestion, verdicts, orchestration, notifications, exports. |
| Data plane | PostgreSQL, Valkey, RustFS (S3), optional NATS | Persistent state, queues/streams, artifact storage, optional alternative messaging. |
## Service categories (detailed)
| Category | Services | Purpose |
|----------|----------|---------|
| **Gateway** | Gateway.WebService | API routing, auth enforcement |
| **Auth & Security** | Authority, Signer, Attestor | OAuth2, signing, transparency |
| **Scanning** | Scanner.Web, Scanner.Worker | Container analysis, SBOM |
| **Advisory** | Concelier.Web, Concelier.Worker | Vulnerability ingestion |
| **VEX** | Excititor.Web, Excititor.Worker | Exploitability statements |
| **Policy** | Policy.Gateway, Policy Engine | OPA/Rego evaluation |
| **Orchestration** | Scheduler, Orchestrator | Job coordination |
| **Notifications** | Notify.Web, Notify.Worker | Delivery to Slack/Teams/Email |
## Layered architecture diagram
```
┌─────────────────────────────────────────────────────────────────────┐
│ USER EXPERIENCE │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Gateway │ │ Web (UI) │ │ CLI │ │
│ │ (API Router) │ │ (Angular v17)│ │(Multi-plat) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ DATA & EXPORT │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ExportCenter │ │EvidenceLocker│ │FindingsLedger│ │
│ │(SARIF/SBOM) │ │(Artifacts) │ │(Audit Trail) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ EVENTS & NOTIFICATIONS │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Notify │ │ Notifier │ │TimelineIndex │ │
│ │(Slack/Teams) │ │ (Advanced) │ │ (Events) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ ORCHESTRATION & WORKFLOW │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Scheduler │ │ Orchestrator │ │ TaskRunner │ │
│ │(Job Sched) │ │(Coordinator) │ │(Executor) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ SCANNING & ANALYSIS │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │Scanner.Web │ │Scanner.Worker│ │ AdvisoryAI │ │
│ │(API/Control) │ │(Analyzers) │ │(ML Analysis) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ RiskEngine │ │ Policy │ │
│ │ (Scoring) │ │ (Engine) │ │
│ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ INGESTION & AGGREGATION │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Concelier │ │ Excititor │ │IssuerDirectry│ │
│ │(Advisories) │ │ (VEX) │ │(CSAF Pubshrs)│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ AUTHENTICATION & SIGNING │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Authority │─▶│ Signer │─▶│ Attestor │ │
│ │ (OAuth2/OIDC)│ │(DSSE/PKIX) │ │(in-toto/DSSE)│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────┐
│ INFRASTRUCTURE LAYER │
│ ┌──────────────────┐ ┌──────────────────┐ ┌─────────────────┐ │
│ │ PostgreSQL │ │ Valkey │ │ RustFS │ │
│ │ (v16+ ONLY) │ │ (Redis-compat) │ │ (S3-like API) │ │
│ │ │ │ - Caching │ │ - Artifacts │ │
│ │ All services use │ │ - DPoP nonces │ │ - SBOMs │ │
│ │ PostgreSQL for │ │ - Event queues │ │ - Signatures │ │
│ │ persistent data │ │ - Rate limiting│ │ │ │
│ └──────────────────┘ └──────────────────┘ └─────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ Optional: NATS JetStream (alternative transport for queues) │ │
│ │ Only used if explicitly configured in appsettings │ │
│ └──────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
```
## Notes
- Module dossiers live under `docs/modules/<module>/architecture.md`.
- Deployment defaults (ports, profile overlays, pinned digests) live under `deploy/` (`deploy/compose/`, `deploy/helm/`, `deploy/releases/`).
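Review bot: the layered diagram's downward arrows read as a call chain in which `AUTHENTICATION & SIGNING` is reached only after `SCANNING & ANALYSIS` and `INGESTION & AGGREGATION`, which contradicts the quick reference earlier in this patch where the Gateway enforces `JWT + DPoP auth` before any core engine is touched; an auditor using this page to locate the trust boundary will get the wrong picture. Either drop the arrows and caption the boxes as functional groupings, or redraw with Gateway and Authority on the request path. Service names also disagree between the new table and the rest of the page: `Scanner.Web`, `Concelier.Web`, `Excititor.Web`, `Notify.Web` here versus `Scanner.WebService`, `Concelier.WebService`, `Excititor.WebService`, `Notify.WebService` in the quick reference, and `Concelier.Worker`, `Excititor.Worker`, `ExportCenter`, `EvidenceLocker`, `FindingsLedger`, `Notifier`, `TimelineIndex`, `TaskRunner`, `AdvisoryAI` and `RiskEngine` appear only in this hunk and in none of the reference tables; pick one canonical name per service and list every service in the table so the two views can be diffed. The box labels `IssuerDirectry` and `(CSAF Pubshrs)` are truncated to fit the column width, which is exactly the fragility the removed intro sentence warned about; spell them out or widen the boxes. The fence has no language tag.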