devops folders consolidate

2026-01-25 23:27:41 +02:00
parent 6e687b523a
commit a50bbb38ef
334 changed files with 35079 additions and 5569 deletions
--- a/deploy/compose/env/cas.env.example
+++ b/deploy/compose/env/cas.env.example
@@ -0,0 +1,118 @@
+# CAS (Content Addressable Storage) Environment Configuration
+# Copy to .env and customize for your deployment
+#
+# Aligned with best-in-class vulnerability scanner retention policies:
+# - Trivy: 7 days vulnerability DB
+# - Grype: 5 days DB, configurable
+# - Anchore Enterprise: 90-365 days typical
+# - Snyk Enterprise: 365 days
+
+# =============================================================================
+# DATA PATHS (ensure directories exist with proper permissions)
+# =============================================================================
+CAS_DATA_PATH=/var/lib/stellaops/cas
+CAS_EVIDENCE_PATH=/var/lib/stellaops/evidence
+CAS_ATTESTATION_PATH=/var/lib/stellaops/attestations
+
+# =============================================================================
+# RUSTFS CONFIGURATION
+# =============================================================================
+RUSTFS_LOG_LEVEL=info
+RUSTFS_COMPRESSION=zstd
+RUSTFS_COMPRESSION_LEVEL=3
+
+# =============================================================================
+# PORTS
+# =============================================================================
+RUSTFS_CAS_PORT=8180
+RUSTFS_EVIDENCE_PORT=8181
+RUSTFS_ATTESTATION_PORT=8182
+
+# =============================================================================
+# ACCESS CONTROL - API KEYS
+# IMPORTANT: Change these in production!
+# =============================================================================
+
+# CAS Storage (mutable, lifecycle-managed)
+RUSTFS_CAS_API_KEY=cas-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_CAS_READONLY_KEY=cas-readonly-key-CHANGE-IN-PRODUCTION
+
+# Evidence Storage (immutable)
+RUSTFS_EVIDENCE_API_KEY=evidence-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_EVIDENCE_READONLY_KEY=evidence-readonly-key-CHANGE-IN-PRODUCTION
+
+# Attestation Storage (immutable)
+RUSTFS_ATTESTATION_API_KEY=attestation-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_ATTESTATION_READONLY_KEY=attestation-readonly-key-CHANGE-IN-PRODUCTION
+
+# =============================================================================
+# SERVICE ACCOUNT KEYS
+# Each service has its own key for fine-grained access control
+# IMPORTANT: Generate unique keys per environment!
+# =============================================================================
+
+# Scanner service - access to scanner artifacts, surface cache, runtime facts
+RUSTFS_SCANNER_KEY=scanner-svc-key-GENERATE-UNIQUE
+# Bucket access: scanner-artifacts (rw), surface-cache (rw), runtime-facts (rw)
+
+# Signals service - access to runtime facts, signals data, provenance feed
+RUSTFS_SIGNALS_KEY=signals-svc-key-GENERATE-UNIQUE
+# Bucket access: runtime-facts (rw), signals-data (rw), provenance-feed (rw)
+
+# Replay service - access to replay bundles, inputs lock files
+RUSTFS_REPLAY_KEY=replay-svc-key-GENERATE-UNIQUE
+# Bucket access: replay-bundles (rw), inputs-lock (rw)
+
+# Ledger service - access to evidence bundles, merkle roots, hash chains
+RUSTFS_LEDGER_KEY=ledger-svc-key-GENERATE-UNIQUE
+# Bucket access: evidence-bundles (rw), merkle-roots (rw), hash-chains (rw)
+
+# Exporter service - read-only access to evidence bundles
+RUSTFS_EXPORTER_KEY=exporter-svc-key-GENERATE-UNIQUE
+# Bucket access: evidence-bundles (r)
+
+# Attestor service - access to attestations, DSSE envelopes, Rekor receipts
+RUSTFS_ATTESTOR_KEY=attestor-svc-key-GENERATE-UNIQUE
+# Bucket access: attestations (rw), dsse-envelopes (rw), rekor-receipts (rw)
+
+# Verifier service - read-only access to attestations
+RUSTFS_VERIFIER_KEY=verifier-svc-key-GENERATE-UNIQUE
+# Bucket access: attestations (r), dsse-envelopes (r), rekor-receipts (r)
+
+# Global read-only key (for debugging/auditing)
+RUSTFS_READONLY_KEY=readonly-global-key-GENERATE-UNIQUE
+# Bucket access: * (r)
+
+# =============================================================================
+# LIFECYCLE MANAGEMENT
+# =============================================================================
+# Cron schedule for retention policy enforcement (default: 3 AM daily)
+LIFECYCLE_CRON=0 3 * * *
+LIFECYCLE_TELEMETRY=true
+
+# =============================================================================
+# RETENTION POLICIES (days, 0 = indefinite)
+# Aligned with enterprise vulnerability scanner best practices
+# =============================================================================
+# Vulnerability DB: 7 days (matches Trivy default, Grype uses 5)
+CAS_RETENTION_VULNERABILITY_DB_DAYS=7
+
+# SBOM artifacts: 365 days (audit compliance - SOC2, ISO27001, FedRAMP)
+CAS_RETENTION_SBOM_ARTIFACTS_DAYS=365
+
+# Scan results: 90 days (common compliance window)
+CAS_RETENTION_SCAN_RESULTS_DAYS=90
+
+# Evidence bundles: indefinite (content-addressed, immutable, audit trail)
+CAS_RETENTION_EVIDENCE_BUNDLES_DAYS=0
+
+# Attestations: indefinite (signed, immutable, verifiable)
+CAS_RETENTION_ATTESTATIONS_DAYS=0
+
+# Temporary artifacts: 1 day (work-in-progress, intermediate files)
+CAS_RETENTION_TEMP_ARTIFACTS_DAYS=1
+
+# =============================================================================
+# TELEMETRY (optional)
+# =============================================================================
+OTLP_ENDPOINT=
--- a/deploy/compose/env/compliance-china.env.example
+++ b/deploy/compose/env/compliance-china.env.example
@@ -0,0 +1,48 @@
+# =============================================================================
+# STELLA OPS CHINA COMPLIANCE ENVIRONMENT
+# =============================================================================
+# Environment template for China (SM2/SM3/SM4) compliance deployments.
+#
+# Usage with simulation:
+#   cp env/compliance-china.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.crypto-sim.yml up -d
+#
+# Usage with SM Remote (production):
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.sm-remote.yml up -d
+#
+# =============================================================================
+
+# Crypto profile
+STELLAOPS_CRYPTO_PROFILE=china
+
+# =============================================================================
+# SM REMOTE SERVICE CONFIGURATION
+# =============================================================================
+
+SM_REMOTE_PORT=56080
+
+# Software-only SM2 provider (for testing/development)
+SM_SOFT_ALLOWED=1
+
+# OSCCA-certified HSM configuration (for production)
+# Set these when using a certified hardware security module
+SM_REMOTE_HSM_URL=
+SM_REMOTE_HSM_API_KEY=
+SM_REMOTE_HSM_TIMEOUT=30000
+
+# Client certificate authentication for HSM (optional)
+SM_REMOTE_CLIENT_CERT_PATH=
+SM_REMOTE_CLIENT_CERT_PASSWORD=
+
+# =============================================================================
+# CRYPTO SIMULATION (for testing only)
+# =============================================================================
+
+# Enable simulation mode
+STELLAOPS_CRYPTO_ENABLE_SIM=1
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+SIM_CRYPTO_PORT=18090
--- a/deploy/compose/env/compliance-eu.env.example
+++ b/deploy/compose/env/compliance-eu.env.example
@@ -0,0 +1,40 @@
+# =============================================================================
+# STELLA OPS EU COMPLIANCE ENVIRONMENT
+# =============================================================================
+# Environment template for EU (eIDAS) compliance deployments.
+#
+# Usage with simulation:
+#   cp env/compliance-eu.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-eu.yml \
+#     -f docker-compose.crypto-sim.yml up -d
+#
+# Usage for production:
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-eu.yml up -d
+#
+# Note: EU eIDAS deployments typically integrate with external Qualified Trust
+# Service Providers (QTSPs) rather than hosting crypto locally.
+#
+# =============================================================================
+
+# Crypto profile
+STELLAOPS_CRYPTO_PROFILE=eu
+
+# =============================================================================
+# eIDAS / QTSP CONFIGURATION
+# =============================================================================
+
+# Qualified Trust Service Provider integration (configure in application settings)
+# EIDAS_QTSP_URL=https://qtsp.example.eu
+# EIDAS_QTSP_CLIENT_ID=
+# EIDAS_QTSP_CLIENT_SECRET=
+
+# =============================================================================
+# CRYPTO SIMULATION (for testing only)
+# =============================================================================
+
+# Enable simulation mode
+STELLAOPS_CRYPTO_ENABLE_SIM=1
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+SIM_CRYPTO_PORT=18090
--- a/deploy/compose/env/compliance-russia.env.example
+++ b/deploy/compose/env/compliance-russia.env.example
@@ -0,0 +1,51 @@
+# =============================================================================
+# STELLA OPS RUSSIA COMPLIANCE ENVIRONMENT
+# =============================================================================
+# Environment template for Russia (GOST R 34.10-2012) compliance deployments.
+#
+# Usage with simulation:
+#   cp env/compliance-russia.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.crypto-sim.yml up -d
+#
+# Usage with CryptoPro CSP (production):
+#   CRYPTOPRO_ACCEPT_EULA=1 docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.cryptopro.yml up -d
+#
+# =============================================================================
+
+# Crypto profile
+STELLAOPS_CRYPTO_PROFILE=russia
+
+# =============================================================================
+# CRYPTOPRO CSP CONFIGURATION
+# =============================================================================
+
+CRYPTOPRO_PORT=18080
+
+# IMPORTANT: Set to 1 to accept CryptoPro EULA (required for production)
+CRYPTOPRO_ACCEPT_EULA=0
+
+# CryptoPro container settings
+CRYPTOPRO_CONTAINER_NAME=stellaops-signing
+CRYPTOPRO_USE_MACHINE_STORE=true
+CRYPTOPRO_PROVIDER_TYPE=80
+
+# =============================================================================
+# GOST ALGORITHM CONFIGURATION
+# =============================================================================
+
+# Default GOST algorithms
+CRYPTOPRO_GOST_SIGNATURE_ALGORITHM=GOST R 34.10-2012
+CRYPTOPRO_GOST_HASH_ALGORITHM=GOST R 34.11-2012
+
+# =============================================================================
+# CRYPTO SIMULATION (for testing only)
+# =============================================================================
+
+# Enable simulation mode
+STELLAOPS_CRYPTO_ENABLE_SIM=1
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+SIM_CRYPTO_PORT=18090
--- a/deploy/compose/env/stellaops.env.example
+++ b/deploy/compose/env/stellaops.env.example
@@ -0,0 +1,171 @@
+# =============================================================================
+# STELLA OPS ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Main environment template for docker-compose.stella-ops.yml
+# Copy to .env and customize for your deployment.
+#
+# Usage:
+#   cp env/stellaops.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml up -d
+#
+# =============================================================================
+
+# =============================================================================
+# INFRASTRUCTURE
+# =============================================================================
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# =============================================================================
+# CORE SERVICES
+# =============================================================================
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.example.com
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=https://licensing.example.com/introspect
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Web UI
+UI_PORT=8443
+
+# =============================================================================
+# SCANNER CONFIGURATION
+# =============================================================================
+
+SCANNER_WEB_PORT=8444
+
+# Queue configuration (Valkey only - NATS removed)
+SCANNER__QUEUE__BROKER=valkey://valkey:6379
+
+# Event streaming
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface cache configuration
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=file
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# =============================================================================
+# SCHEDULER CONFIGURATION
+# =============================================================================
+
+# Queue configuration (Valkey only - NATS removed)
+SCHEDULER__QUEUE__KIND=Valkey
+SCHEDULER__QUEUE__VALKEY__URL=valkey:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# =============================================================================
+# REKOR / SIGSTORE CONFIGURATION
+# =============================================================================
+
+# Rekor server URL (default: public Sigstore, use http://rekor-v2:3000 for local)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+REKOR_VERSION=V2
+REKOR_TILE_BASE_URL=
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
+# =============================================================================
+# ADVISORY AI CONFIGURATION
+# =============================================================================
+
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# =============================================================================
+# CRYPTO CONFIGURATION
+# =============================================================================
+
+# Crypto profile: default, china, russia, eu
+STELLAOPS_CRYPTO_PROFILE=default
+
+# Enable crypto simulation (for testing)
+STELLAOPS_CRYPTO_ENABLE_SIM=0
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+
+# CryptoPro (Russia only) - requires EULA acceptance
+CRYPTOPRO_PORT=18080
+CRYPTOPRO_ACCEPT_EULA=0
+CRYPTOPRO_CONTAINER_NAME=stellaops-signing
+CRYPTOPRO_USE_MACHINE_STORE=true
+CRYPTOPRO_PROVIDER_TYPE=80
+
+# SM Remote (China only)
+SM_REMOTE_PORT=56080
+SM_SOFT_ALLOWED=1
+SM_REMOTE_HSM_URL=
+SM_REMOTE_HSM_API_KEY=
+SM_REMOTE_HSM_TIMEOUT=30000
+
+# =============================================================================
+# NETWORKING
+# =============================================================================
+
+# External reverse proxy network (Traefik, Envoy, etc.)
+FRONTDOOR_NETWORK=stellaops_frontdoor
+
+# =============================================================================
+# TELEMETRY (optional)
+# =============================================================================
+
+OTEL_GRPC_PORT=4317
+OTEL_HTTP_PORT=4318
+OTEL_PROMETHEUS_PORT=9464
+PROMETHEUS_PORT=9090
+TEMPO_PORT=3200
+LOKI_PORT=3100
+PROMETHEUS_RETENTION=15d
--- a/deploy/compose/env/testing.env.example
+++ b/deploy/compose/env/testing.env.example
@@ -0,0 +1,45 @@
+# =============================================================================
+# STELLA OPS TESTING ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Environment template for docker-compose.testing.yml
+# Uses different ports to avoid conflicts with development/production.
+#
+# Usage:
+#   cp env/testing.env.example .env
+#   docker compose -f docker-compose.testing.yml --profile ci up -d
+#
+# =============================================================================
+
+# =============================================================================
+# CI INFRASTRUCTURE (different ports to avoid conflicts)
+# =============================================================================
+
+# PostgreSQL Test Database (port 5433)
+TEST_POSTGRES_PORT=5433
+TEST_POSTGRES_USER=stellaops_ci
+TEST_POSTGRES_PASSWORD=ci_test_password
+TEST_POSTGRES_DB=stellaops_test
+
+# Valkey Test (port 6380)
+TEST_VALKEY_PORT=6380
+
+# RustFS Test (port 8180)
+TEST_RUSTFS_PORT=8180
+
+# Mock Registry (port 5001)
+TEST_REGISTRY_PORT=5001
+
+# =============================================================================
+# GITEA CONFIGURATION
+# =============================================================================
+
+TEST_GITEA_PORT=3000
+TEST_GITEA_SSH_PORT=3022
+
+# =============================================================================
+# SIGSTORE TOOLS
+# =============================================================================
+
+# Rekor CLI and Cosign versions (for sigstore profile)
+REKOR_CLI_VERSION=v1.4.3
+COSIGN_VERSION=v3.0.4