devops folders consolidate

2026-01-25 23:27:41 +02:00
parent 6e687b523a
commit a50bbb38ef
334 changed files with 35079 additions and 5569 deletions
--- a/deploy/compose/docker-compose.sealed-ci.yml
+++ b/deploy/compose/docker-compose.sealed-ci.yml
@@ -0,0 +1,121 @@
+# =============================================================================
+# SEALED CI - AIR-GAPPED TESTING ENVIRONMENT
+# =============================================================================
+# Sealed/air-gapped CI environment for testing offline functionality.
+# All services run in isolated network with no external egress.
+#
+# Usage:
+#   docker compose -f docker-compose.sealed-ci.yml up -d
+# =============================================================================
+
+x-release-labels: &release-labels
+  com.stellaops.profile: 'sealed-ci'
+  com.stellaops.airgap.mode: 'sealed'
+
+networks:
+  sealed-ci:
+    driver: bridge
+
+volumes:
+  sealed-postgres-data:
+  sealed-valkey-data:
+
+services:
+  postgres:
+    image: docker.io/library/postgres@sha256:8e97b8526ed19304b144f7478bc9201646acf0723cdc6e4b19bc9eb34879a27e
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: sealedci
+      POSTGRES_PASSWORD: sealedci-secret
+      POSTGRES_DB: stellaops
+    volumes:
+      - sealed-postgres-data:/var/lib/postgresql/data
+    networks:
+      - sealed-ci
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U sealedci -d stellaops"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    labels: *release-labels
+
+  valkey:
+    image: docker.io/valkey/valkey:9.0.1-alpine
+    restart: unless-stopped
+    command: ["valkey-server", "--appendonly", "yes"]
+    volumes:
+      - sealed-valkey-data:/data
+    networks:
+      - sealed-ci
+    healthcheck:
+      test: ["CMD", "valkey-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    depends_on:
+      postgres:
+        condition: service_healthy
+      valkey:
+        condition: service_healthy
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: http://+:5088
+      STELLAOPS_AUTHORITY__ISSUER: http://authority.sealed-ci.local
+      STELLAOPS_AUTHORITY__STORAGE__DRIVER: postgres
+      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=authority;Username=sealedci;Password=sealedci-secret"
+      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: /app/plugins
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: /app/plugins
+      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__DPOP__ENABLED: 'true'
+      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__MTLS__ENABLED: 'true'
+      STELLAOPS_AUTHORITY__AIRGAP__EGRESS__MODE: Sealed
+    volumes:
+      - ../services/sealed-mode-ci/authority.harness.yaml:/etc/authority.yaml:ro
+      - ../services/sealed-mode-ci/plugins:/app/plugins:ro
+      - ../../certificates:/certificates:ro
+    ports:
+      - '5088:5088'
+    networks:
+      - sealed-ci
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    depends_on:
+      - authority
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: http://+:6088
+      SIGNER__AUTHORITY__BASEURL: http://authority:5088
+      SIGNER__POE__INTROSPECTURL: http://authority:5088/device-code
+      SIGNER__STORAGE__DRIVER: postgres
+      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=signer;Username=sealedci;Password=sealedci-secret"
+      SIGNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
+      SIGNER__SEALED__MODE: Enabled
+    ports:
+      - '6088:6088'
+    networks:
+      - sealed-ci
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    depends_on:
+      - signer
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: http://+:7088
+      ATTESTOR__SIGNER__BASEURL: http://signer:6088
+      ATTESTOR__STORAGE__DRIVER: postgres
+      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=attestor;Username=sealedci;Password=sealedci-secret"
+      ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
+      ATTESTOR__SEALED__MODE: Enabled
+    ports:
+      - '7088:7088'
+    networks:
+      - sealed-ci
+    labels: *release-labels