feat(devops): local GitLab secret bootstrap + integration registration scripts

Adds PowerShell helpers to seed the local Stella Ops stack with a working
GitLab + integrations configuration:
- bootstrap-local-gitlab-secrets.ps1 provisions GitLab's JWT signing secret
  and admin PAT into Vault/Authority.
- register-local-integrations.ps1 POSTs the canonical integration records
  (GitLab, Jenkins, Harbor, Gitea, Nexus, etc.) against the Integrations
  service for first-run local environments.

Docs: INSTALL_GUIDE.md + integrations/LOCAL_SERVICES.md document the new
helpers. devops/compose README and router-gateway-local.json get the
corresponding route wiring. Two new sprint files track the follow-on work
(SPRINT_20260413_002, SPRINT_20260413_003).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in: master
2026-04-13 21:59:13 +03:00
parent 71dd1efc34
commit a19987979d
8 changed files with 934 additions and 2 deletions

@@ -171,6 +171,50 @@ docker compose -f docker-compose.stella-ops.yml ps
curl -k https://stella-ops.local # should return the Angular UI
```
For a fresh local developer install, populate the live integration catalog with:
```powershell
powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-Tenant demo-prod
```
This converges the default local-ready lane to 13 healthy providers:
Harbor fixture, Docker Registry, Nexus, GitHub App fixture, Gitea, Jenkins,
Vault, Consul, eBPF runtime-host fixture, MinIO, and the three feed mirror
providers (`StellaOpsMirror`, `NvdMirror`, `OsvMirror`).
GitLab server/CI and the GitLab registry remain opt-in because they require
Vault-backed credentials. The scripted local path is:
```powershell
powershell -ExecutionPolicy Bypass -File scripts/bootstrap-local-gitlab-secrets.ps1 `
-VerifyRegistry
powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-Tenant demo-prod `
-IncludeGitLab
powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-Tenant demo-prod `
-IncludeGitLab `
-IncludeGitLabRegistry
```
Or run the GitLab-backed registration in one step:
```powershell
powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-Tenant demo-prod `
-IncludeGitLab `
-IncludeGitLabRegistry `
-BootstrapGitLabSecrets
```
`scripts/bootstrap-local-gitlab-secrets.ps1` reuses a valid `secret/gitlab`
secret when possible and otherwise rotates the local `stella-local-integration`
PAT, then writes both `authref://vault/gitlab#access-token` and
`authref://vault/gitlab#registry-basic` into the dev Vault.
## Air-gapped deployments
For offline/air-gapped environments, use the sealed CI compose file and offline telemetry overlay:
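Review bot: the three-step GitLab path runs `register-local-integrations.ps1` twice against the same tenant (`-IncludeGitLab`, then `-IncludeGitLab -IncludeGitLabRegistry`), and the one-step variant runs it once with `-BootstrapGitLabSecrets`; the section should state that re-running converges existing integration records rather than creating duplicates, and it should call out that the bootstrap step is not side-effect free, since the last paragraph says `bootstrap-local-gitlab-secrets.ps1` "rotates the local `stella-local-integration` PAT" whenever no valid `secret/gitlab` is found, so a second run can invalidate a token another local component is already using. Two documentation gaps in the same hunk: `-VerifyRegistry` is used in the first command but never described, and the paragraph lists only `authref://vault/gitlab#access-token` and `authref://vault/gitlab#registry-basic` as what is written to the dev Vault, while the commit message also says the script provisions GitLab's JWT signing secret; reconcile the two so readers know exactly which Vault paths are touched. Finally, every invocation uses `-ExecutionPolicy Bypass`; a one-line note that this applies only to that PowerShell process (or a pointer to running the scripts under `RemoteSigned` once they are signed) would keep readers from copying the bypass into non-local setups.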