devops folders consolidate
This commit is contained in:
master
104
devops/compose/env/airgap.env.example
vendored
104
devops/compose/env/airgap.env.example
vendored
@@ -1,104 +0,0 @@
|
||||
# Substitutions for docker-compose.airgap.yaml
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops
|
||||
POSTGRES_PASSWORD=airgap-postgres-password
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=25432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=26379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.airgap.local
|
||||
AUTHORITY_PORT=8440
|
||||
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
|
||||
# Rekor Configuration (Attestor/Scanner)
|
||||
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
|
||||
REKOR_SERVER_URL=https://rekor.sigstore.dev
|
||||
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
|
||||
REKOR_VERSION=V2
|
||||
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
|
||||
REKOR_TILE_BASE_URL=
|
||||
# Log ID for multi-log environments (Sigstore production log ID)
|
||||
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
|
||||
# Rekor v2 tiles image (pin to digest when mirroring)
|
||||
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
|
||||
# Scanner
|
||||
SCANNER_WEB_PORT=8444
|
||||
SCANNER_QUEUE_BROKER=valkey://valkey:6379
|
||||
SCANNER_EVENTS_ENABLED=false
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface.Env configuration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
|
||||
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
||||
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
||||
SCANNER_SURFACE_TENANT=default
|
||||
SCANNER_SURFACE_FEATURES=
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=file
|
||||
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
||||
SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
|
||||
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
||||
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
||||
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
||||
|
||||
# Offline Kit configuration
|
||||
SCANNER_OFFLINEKIT_ENABLED=false
|
||||
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
||||
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
||||
|
||||
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
||||
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
||||
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
||||
|
||||
# Scheduler
|
||||
SCHEDULER_QUEUE_KIND=Valkey
|
||||
SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=9446
|
||||
|
||||
# Advisory AI
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
|
||||
# Web UI
|
||||
UI_PORT=9443
|
||||
|
||||
# NATS
|
||||
NATS_CLIENT_PORT=24222
|
||||
48
devops/compose/env/compliance-china.env.example
vendored
Normal file
48
devops/compose/env/compliance-china.env.example
vendored
Normal file
@@ -0,0 +1,48 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS CHINA COMPLIANCE ENVIRONMENT
|
||||
# =============================================================================
|
||||
# Environment template for China (SM2/SM3/SM4) compliance deployments.
|
||||
#
|
||||
# Usage with simulation:
|
||||
# cp env/compliance-china.env.example .env
|
||||
# docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-china.yml \
|
||||
# -f docker-compose.crypto-sim.yml up -d
|
||||
#
|
||||
# Usage with SM Remote (production):
|
||||
# docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-china.yml \
|
||||
# -f docker-compose.sm-remote.yml up -d
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
# Crypto profile
|
||||
STELLAOPS_CRYPTO_PROFILE=china
|
||||
|
||||
# =============================================================================
|
||||
# SM REMOTE SERVICE CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
SM_REMOTE_PORT=56080
|
||||
|
||||
# Software-only SM2 provider (for testing/development)
|
||||
SM_SOFT_ALLOWED=1
|
||||
|
||||
# OSCCA-certified HSM configuration (for production)
|
||||
# Set these when using a certified hardware security module
|
||||
SM_REMOTE_HSM_URL=
|
||||
SM_REMOTE_HSM_API_KEY=
|
||||
SM_REMOTE_HSM_TIMEOUT=30000
|
||||
|
||||
# Client certificate authentication for HSM (optional)
|
||||
SM_REMOTE_CLIENT_CERT_PATH=
|
||||
SM_REMOTE_CLIENT_CERT_PASSWORD=
|
||||
|
||||
# =============================================================================
|
||||
# CRYPTO SIMULATION (for testing only)
|
||||
# =============================================================================
|
||||
|
||||
# Enable simulation mode
|
||||
STELLAOPS_CRYPTO_ENABLE_SIM=1
|
||||
STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
|
||||
SIM_CRYPTO_PORT=18090
|
||||
40
devops/compose/env/compliance-eu.env.example
vendored
Normal file
40
devops/compose/env/compliance-eu.env.example
vendored
Normal file
@@ -0,0 +1,40 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS EU COMPLIANCE ENVIRONMENT
|
||||
# =============================================================================
|
||||
# Environment template for EU (eIDAS) compliance deployments.
|
||||
#
|
||||
# Usage with simulation:
|
||||
# cp env/compliance-eu.env.example .env
|
||||
# docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-eu.yml \
|
||||
# -f docker-compose.crypto-sim.yml up -d
|
||||
#
|
||||
# Usage for production:
|
||||
# docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-eu.yml up -d
|
||||
#
|
||||
# Note: EU eIDAS deployments typically integrate with external Qualified Trust
|
||||
# Service Providers (QTSPs) rather than hosting crypto locally.
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
# Crypto profile
|
||||
STELLAOPS_CRYPTO_PROFILE=eu
|
||||
|
||||
# =============================================================================
|
||||
# eIDAS / QTSP CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
# Qualified Trust Service Provider integration (configure in application settings)
|
||||
# EIDAS_QTSP_URL=https://qtsp.example.eu
|
||||
# EIDAS_QTSP_CLIENT_ID=
|
||||
# EIDAS_QTSP_CLIENT_SECRET=
|
||||
|
||||
# =============================================================================
|
||||
# CRYPTO SIMULATION (for testing only)
|
||||
# =============================================================================
|
||||
|
||||
# Enable simulation mode
|
||||
STELLAOPS_CRYPTO_ENABLE_SIM=1
|
||||
STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
|
||||
SIM_CRYPTO_PORT=18090
|
||||
51
devops/compose/env/compliance-russia.env.example
vendored
Normal file
51
devops/compose/env/compliance-russia.env.example
vendored
Normal file
@@ -0,0 +1,51 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS RUSSIA COMPLIANCE ENVIRONMENT
|
||||
# =============================================================================
|
||||
# Environment template for Russia (GOST R 34.10-2012) compliance deployments.
|
||||
#
|
||||
# Usage with simulation:
|
||||
# cp env/compliance-russia.env.example .env
|
||||
# docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-russia.yml \
|
||||
# -f docker-compose.crypto-sim.yml up -d
|
||||
#
|
||||
# Usage with CryptoPro CSP (production):
|
||||
# CRYPTOPRO_ACCEPT_EULA=1 docker compose -f docker-compose.stella-ops.yml \
|
||||
# -f docker-compose.compliance-russia.yml \
|
||||
# -f docker-compose.cryptopro.yml up -d
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
# Crypto profile
|
||||
STELLAOPS_CRYPTO_PROFILE=russia
|
||||
|
||||
# =============================================================================
|
||||
# CRYPTOPRO CSP CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
CRYPTOPRO_PORT=18080
|
||||
|
||||
# IMPORTANT: Set to 1 to accept CryptoPro EULA (required for production)
|
||||
CRYPTOPRO_ACCEPT_EULA=0
|
||||
|
||||
# CryptoPro container settings
|
||||
CRYPTOPRO_CONTAINER_NAME=stellaops-signing
|
||||
CRYPTOPRO_USE_MACHINE_STORE=true
|
||||
CRYPTOPRO_PROVIDER_TYPE=80
|
||||
|
||||
# =============================================================================
|
||||
# GOST ALGORITHM CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
# Default GOST algorithms
|
||||
CRYPTOPRO_GOST_SIGNATURE_ALGORITHM=GOST R 34.10-2012
|
||||
CRYPTOPRO_GOST_HASH_ALGORITHM=GOST R 34.11-2012
|
||||
|
||||
# =============================================================================
|
||||
# CRYPTO SIMULATION (for testing only)
|
||||
# =============================================================================
|
||||
|
||||
# Enable simulation mode
|
||||
STELLAOPS_CRYPTO_ENABLE_SIM=1
|
||||
STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
|
||||
SIM_CRYPTO_PORT=18090
|
||||
91
devops/compose/env/dev.env.example
vendored
91
devops/compose/env/dev.env.example
vendored
@@ -1,91 +0,0 @@
|
||||
# Substitutions for docker-compose.dev.yaml
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops
|
||||
POSTGRES_PASSWORD=dev-postgres-password
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=6379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.localtest.me
|
||||
AUTHORITY_PORT=8440
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
|
||||
# Rekor Configuration (Attestor/Scanner)
|
||||
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
|
||||
REKOR_SERVER_URL=https://rekor.sigstore.dev
|
||||
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
|
||||
REKOR_VERSION=V2
|
||||
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
|
||||
REKOR_TILE_BASE_URL=
|
||||
# Log ID for multi-log environments (Sigstore production log ID)
|
||||
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
|
||||
# Rekor v2 tiles image (pin to digest when mirroring)
|
||||
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
|
||||
# Scanner
|
||||
SCANNER_WEB_PORT=8444
|
||||
SCANNER_QUEUE_BROKER=nats://nats:4222
|
||||
SCANNER_EVENTS_ENABLED=false
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=valkey:6379
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface.Env defaults keep worker/web service aligned with local RustFS and inline secrets
|
||||
SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=inline
|
||||
SCANNER_SURFACE_SECRETS_ROOT=
|
||||
|
||||
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
||||
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
||||
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
||||
ZASTAVA_SURFACE_SECRETS_PROVIDER=${SCANNER_SURFACE_SECRETS_PROVIDER}
|
||||
ZASTAVA_SURFACE_SECRETS_ROOT=${SCANNER_SURFACE_SECRETS_ROOT}
|
||||
|
||||
# Scheduler
|
||||
SCHEDULER_QUEUE_KIND=Nats
|
||||
SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=8446
|
||||
|
||||
# Advisory AI
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
|
||||
# Web UI
|
||||
UI_PORT=8443
|
||||
|
||||
# NATS
|
||||
NATS_CLIENT_PORT=4222
|
||||
|
||||
# CryptoPro (optional)
|
||||
CRYPTOPRO_PORT=18080
|
||||
CRYPTOPRO_ACCEPT_EULA=0
|
||||
64
devops/compose/env/mirror.env.example
vendored
64
devops/compose/env/mirror.env.example
vendored
@@ -1,64 +0,0 @@
|
||||
# Managed mirror profile substitutions
|
||||
|
||||
# Core infrastructure credentials
|
||||
MONGO_INITDB_ROOT_USERNAME=stellaops_mirror
|
||||
MONGO_INITDB_ROOT_PASSWORD=mirror-password
|
||||
MINIO_ROOT_USER=stellaops-mirror
|
||||
MINIO_ROOT_PASSWORD=mirror-minio-secret
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Scanner surface integration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=file
|
||||
SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
|
||||
|
||||
# Mirror HTTP listeners
|
||||
MIRROR_GATEWAY_HTTP_PORT=8080
|
||||
MIRROR_GATEWAY_HTTPS_PORT=9443
|
||||
|
||||
# Concelier mirror configuration
|
||||
CONCELIER_MIRROR_LATEST_SEGMENT=latest
|
||||
CONCELIER_MIRROR_DIRECTORY_SEGMENT=mirror
|
||||
CONCELIER_MIRROR_REQUIRE_AUTH=true
|
||||
CONCELIER_MIRROR_INDEX_BUDGET=600
|
||||
CONCELIER_MIRROR_DOMAIN_PRIMARY_ID=primary
|
||||
CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
|
||||
CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH=true
|
||||
CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=3600
|
||||
CONCELIER_MIRROR_DOMAIN_SECONDARY_ID=community
|
||||
CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
|
||||
CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH=false
|
||||
CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=1800
|
||||
|
||||
# Authority integration (tokens issued by production Authority)
|
||||
CONCELIER_AUTHORITY_ENABLED=true
|
||||
CONCELIER_AUTHORITY_ALLOW_ANON=false
|
||||
CONCELIER_AUTHORITY_ISSUER=https://authority.stella-ops.org
|
||||
CONCELIER_AUTHORITY_METADATA=
|
||||
CONCELIER_AUTHORITY_CLIENT_ID=stellaops-concelier-mirror
|
||||
CONCELIER_AUTHORITY_SCOPE=concelier.mirror.read
|
||||
CONCELIER_AUTHORITY_AUDIENCE=api://concelier.mirror
|
||||
|
||||
# Excititor mirror configuration
|
||||
EXCITITOR_MONGO_DATABASE=excititor
|
||||
EXCITITOR_FILESYSTEM_OVERWRITE=false
|
||||
EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID=primary
|
||||
EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
|
||||
EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH=true
|
||||
EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET=300
|
||||
EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=2400
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY=consensus-json
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT=json
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW=consensus
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY=consensus-openvex
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT=openvex
|
||||
EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW=consensus
|
||||
EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID=community
|
||||
EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
|
||||
EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH=false
|
||||
EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET=120
|
||||
EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=600
|
||||
EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY=community-consensus
|
||||
EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT=json
|
||||
EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW=consensus
|
||||
12
devops/compose/env/mock.env.example
vendored
12
devops/compose/env/mock.env.example
vendored
@@ -1,12 +0,0 @@
|
||||
# Dev-only overlay env for docker-compose.mock.yaml
|
||||
# Use together with dev.env.example:
|
||||
# docker compose --env-file env/dev.env.example --env-file env/mock.env.example -f docker-compose.dev.yaml -f docker-compose.mock.yaml config
|
||||
|
||||
# Optional: override ports if you expose mock services
|
||||
ORCHESTRATOR_PORT=8450
|
||||
POLICY_REGISTRY_PORT=8451
|
||||
VEX_LENS_PORT=8452
|
||||
FINDINGS_LEDGER_PORT=8453
|
||||
VULN_EXPLORER_API_PORT=8454
|
||||
PACKS_REGISTRY_PORT=8455
|
||||
TASK_RUNNER_PORT=8456
|
||||
109
devops/compose/env/prod.env.example
vendored
109
devops/compose/env/prod.env.example
vendored
@@ -1,109 +0,0 @@
|
||||
# Substitutions for docker-compose.prod.yaml
|
||||
# WARNING: Replace all placeholder secrets with values sourced from your secret manager.
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops-prod
|
||||
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=6379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
|
||||
AUTHORITY_PORT=8440
|
||||
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
|
||||
# Rekor Configuration (Attestor/Scanner)
|
||||
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
|
||||
REKOR_SERVER_URL=https://rekor.sigstore.dev
|
||||
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
|
||||
REKOR_VERSION=V2
|
||||
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
|
||||
REKOR_TILE_BASE_URL=
|
||||
# Log ID for multi-log environments (Sigstore production log ID)
|
||||
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
|
||||
# Rekor v2 tiles image (pin to digest when mirroring)
|
||||
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
|
||||
# Scanner
|
||||
SCANNER_WEB_PORT=8444
|
||||
SCANNER_QUEUE_BROKER=valkey://valkey:6379
|
||||
# `true` enables signed scanner events for Notify ingestion.
|
||||
SCANNER_EVENTS_ENABLED=true
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface.Env configuration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
|
||||
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
||||
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
||||
SCANNER_SURFACE_TENANT=default
|
||||
SCANNER_SURFACE_FEATURES=
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
|
||||
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
||||
SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
|
||||
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
||||
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
||||
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
||||
|
||||
# Offline Kit configuration
|
||||
SCANNER_OFFLINEKIT_ENABLED=false
|
||||
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
||||
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
||||
|
||||
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
||||
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
||||
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
||||
|
||||
# Scheduler
|
||||
SCHEDULER_QUEUE_KIND=Valkey
|
||||
SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=8446
|
||||
|
||||
# Advisory AI
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
|
||||
# Web UI
|
||||
UI_PORT=8443
|
||||
|
||||
# NATS
|
||||
NATS_CLIENT_PORT=4222
|
||||
|
||||
# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
|
||||
FRONTDOOR_NETWORK=stellaops_frontdoor
|
||||
104
devops/compose/env/stage.env.example
vendored
104
devops/compose/env/stage.env.example
vendored
@@ -1,104 +0,0 @@
|
||||
# Substitutions for docker-compose.stage.yaml
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops
|
||||
POSTGRES_PASSWORD=stage-postgres-password
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=6379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.stage.stella-ops.internal
|
||||
AUTHORITY_PORT=8440
|
||||
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
|
||||
# Rekor Configuration (Attestor/Scanner)
|
||||
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
|
||||
REKOR_SERVER_URL=https://rekor.sigstore.dev
|
||||
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
|
||||
REKOR_VERSION=V2
|
||||
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
|
||||
REKOR_TILE_BASE_URL=
|
||||
# Log ID for multi-log environments (Sigstore production log ID)
|
||||
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
|
||||
# Rekor v2 tiles image (pin to digest when mirroring)
|
||||
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
|
||||
# Scanner
|
||||
SCANNER_WEB_PORT=8444
|
||||
SCANNER_QUEUE_BROKER=valkey://valkey:6379
|
||||
SCANNER_EVENTS_ENABLED=false
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface.Env configuration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
|
||||
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
||||
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
||||
SCANNER_SURFACE_TENANT=default
|
||||
SCANNER_SURFACE_FEATURES=
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
|
||||
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
||||
SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
|
||||
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
||||
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
||||
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
||||
|
||||
# Offline Kit configuration
|
||||
SCANNER_OFFLINEKIT_ENABLED=false
|
||||
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
||||
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
||||
|
||||
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
||||
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
||||
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
||||
|
||||
# Scheduler
|
||||
SCHEDULER_QUEUE_KIND=Valkey
|
||||
SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=8446
|
||||
|
||||
# Advisory AI
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
|
||||
# Web UI
|
||||
UI_PORT=8443
|
||||
|
||||
# NATS
|
||||
NATS_CLIENT_PORT=4222
|
||||
171
devops/compose/env/stellaops.env.example
vendored
Normal file
171
devops/compose/env/stellaops.env.example
vendored
Normal file
@@ -0,0 +1,171 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS ENVIRONMENT CONFIGURATION
|
||||
# =============================================================================
|
||||
# Main environment template for docker-compose.stella-ops.yml
|
||||
# Copy to .env and customize for your deployment.
|
||||
#
|
||||
# Usage:
|
||||
# cp env/stellaops.env.example .env
|
||||
# docker compose -f docker-compose.stella-ops.yml up -d
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
# =============================================================================
|
||||
# INFRASTRUCTURE
|
||||
# =============================================================================
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops
|
||||
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=6379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# =============================================================================
|
||||
# CORE SERVICES
|
||||
# =============================================================================
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.example.com
|
||||
AUTHORITY_PORT=8440
|
||||
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.example.com/introspect
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=8446
|
||||
|
||||
# Web UI
|
||||
UI_PORT=8443
|
||||
|
||||
# =============================================================================
|
||||
# SCANNER CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
SCANNER_WEB_PORT=8444
|
||||
|
||||
# Queue configuration (Valkey only - NATS removed)
|
||||
SCANNER__QUEUE__BROKER=valkey://valkey:6379
|
||||
|
||||
# Event streaming
|
||||
SCANNER_EVENTS_ENABLED=false
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=valkey:6379
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface cache configuration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
|
||||
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
||||
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
||||
SCANNER_SURFACE_TENANT=default
|
||||
SCANNER_SURFACE_FEATURES=
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=file
|
||||
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
||||
SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
|
||||
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
||||
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
||||
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
||||
|
||||
# Offline Kit configuration
|
||||
SCANNER_OFFLINEKIT_ENABLED=false
|
||||
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
||||
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
||||
|
||||
# =============================================================================
|
||||
# SCHEDULER CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
# Queue configuration (Valkey only - NATS removed)
|
||||
SCHEDULER__QUEUE__KIND=Valkey
|
||||
SCHEDULER__QUEUE__VALKEY__URL=valkey:6379
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# =============================================================================
|
||||
# REKOR / SIGSTORE CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
# Rekor server URL (default: public Sigstore, use http://rekor-v2:3000 for local)
|
||||
REKOR_SERVER_URL=https://rekor.sigstore.dev
|
||||
REKOR_VERSION=V2
|
||||
REKOR_TILE_BASE_URL=
|
||||
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
|
||||
|
||||
# =============================================================================
|
||||
# ADVISORY AI CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
|
||||
# =============================================================================
|
||||
# CRYPTO CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
# Crypto profile: default, china, russia, eu
|
||||
STELLAOPS_CRYPTO_PROFILE=default
|
||||
|
||||
# Enable crypto simulation (for testing)
|
||||
STELLAOPS_CRYPTO_ENABLE_SIM=0
|
||||
STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
|
||||
|
||||
# CryptoPro (Russia only) - requires EULA acceptance
|
||||
CRYPTOPRO_PORT=18080
|
||||
CRYPTOPRO_ACCEPT_EULA=0
|
||||
CRYPTOPRO_CONTAINER_NAME=stellaops-signing
|
||||
CRYPTOPRO_USE_MACHINE_STORE=true
|
||||
CRYPTOPRO_PROVIDER_TYPE=80
|
||||
|
||||
# SM Remote (China only)
|
||||
SM_REMOTE_PORT=56080
|
||||
SM_SOFT_ALLOWED=1
|
||||
SM_REMOTE_HSM_URL=
|
||||
SM_REMOTE_HSM_API_KEY=
|
||||
SM_REMOTE_HSM_TIMEOUT=30000
|
||||
|
||||
# =============================================================================
|
||||
# NETWORKING
|
||||
# =============================================================================
|
||||
|
||||
# External reverse proxy network (Traefik, Envoy, etc.)
|
||||
FRONTDOOR_NETWORK=stellaops_frontdoor
|
||||
|
||||
# =============================================================================
|
||||
# TELEMETRY (optional)
|
||||
# =============================================================================
|
||||
|
||||
OTEL_GRPC_PORT=4317
|
||||
OTEL_HTTP_PORT=4318
|
||||
OTEL_PROMETHEUS_PORT=9464
|
||||
PROMETHEUS_PORT=9090
|
||||
TEMPO_PORT=3200
|
||||
LOKI_PORT=3100
|
||||
PROMETHEUS_RETENTION=15d
|
||||
45
devops/compose/env/testing.env.example
vendored
Normal file
45
devops/compose/env/testing.env.example
vendored
Normal file
@@ -0,0 +1,45 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS TESTING ENVIRONMENT CONFIGURATION
|
||||
# =============================================================================
|
||||
# Environment template for docker-compose.testing.yml
|
||||
# Uses different ports to avoid conflicts with development/production.
|
||||
#
|
||||
# Usage:
|
||||
# cp env/testing.env.example .env
|
||||
# docker compose -f docker-compose.testing.yml --profile ci up -d
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
# =============================================================================
|
||||
# CI INFRASTRUCTURE (different ports to avoid conflicts)
|
||||
# =============================================================================
|
||||
|
||||
# PostgreSQL Test Database (port 5433)
|
||||
TEST_POSTGRES_PORT=5433
|
||||
TEST_POSTGRES_USER=stellaops_ci
|
||||
TEST_POSTGRES_PASSWORD=ci_test_password
|
||||
TEST_POSTGRES_DB=stellaops_test
|
||||
|
||||
# Valkey Test (port 6380)
|
||||
TEST_VALKEY_PORT=6380
|
||||
|
||||
# RustFS Test (port 8180)
|
||||
TEST_RUSTFS_PORT=8180
|
||||
|
||||
# Mock Registry (port 5001)
|
||||
TEST_REGISTRY_PORT=5001
|
||||
|
||||
# =============================================================================
|
||||
# GITEA CONFIGURATION
|
||||
# =============================================================================
|
||||
|
||||
TEST_GITEA_PORT=3000
|
||||
TEST_GITEA_SSH_PORT=3022
|
||||
|
||||
# =============================================================================
|
||||
# SIGSTORE TOOLS
|
||||
# =============================================================================
|
||||
|
||||
# Rekor CLI and Cosign versions (for sigstore profile)
|
||||
REKOR_CLI_VERSION=v1.4.3
|
||||
COSIGN_VERSION=v3.0.4
|
||||
Reference in New Issue
Block a user