refactor(compose): split monolith into stella-infra + stella-services
- Extract infrastructure (postgres, valkey, rustfs, zot, rekor) to docker-compose.stella-infra.yml
- Move application services to docker-compose.stella-services.yml
- Convert scalar YAML anchors to .env variables for cross-file compatibility
- Duplicate structural anchors locally in the services file
- Remove cross-file depends_on (services already have connection retry)
- Legacy monolith retained for backwards compatibility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -1,10 +1,15 @@
|
||||
# =============================================================================
|
||||
# STELLA OPS - MAIN STACK
|
||||
# STELLA OPS - MAIN STACK (LEGACY MONOLITH)
|
||||
# =============================================================================
|
||||
# Consolidated Docker Compose for the complete StellaOps platform.
|
||||
# Infrastructure: PostgreSQL 18.1, Valkey 9.0.1, SeaweedFS (S3), Rekor v2, Zot (OCI)
|
||||
#
|
||||
# Usage:
|
||||
# PREFERRED: Use the split files instead of this monolith:
|
||||
# docker compose \
|
||||
# -f docker-compose.stella-infra.yml \
|
||||
# -f docker-compose.stella-services.yml up -d
|
||||
#
|
||||
# Legacy monolith usage (this file):
|
||||
# docker compose -f devops/compose/docker-compose.stella-ops.yml up -d
|
||||
#
|
||||
# With Sigstore tools:
|
||||
@@ -426,7 +431,7 @@ services:
|
||||
STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
|
||||
STELLAOPS_VULNEXPLORER_URL: "http://vulnexplorer.stella-ops.local"
|
||||
STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
|
||||
STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
|
||||
# STELLAOPS_POLICY_GATEWAY_URL removed: gateway merged into policy-engine
|
||||
STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
|
||||
STELLAOPS_JOBENGINE_URL: "http://jobengine.stella-ops.local"
|
||||
STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
|
||||
@@ -439,7 +444,7 @@ services:
|
||||
STELLAOPS_FINDINGS_LEDGER_URL: "http://findings.stella-ops.local"
|
||||
STELLAOPS_DOCTOR_URL: "http://doctor.stella-ops.local"
|
||||
STELLAOPS_OPSMEMORY_URL: "http://opsmemory.stella-ops.local"
|
||||
STELLAOPS_NOTIFIER_URL: "http://notifier.stella-ops.local"
|
||||
STELLAOPS_NOTIFIER_URL: "http://notify.stella-ops.local"
|
||||
STELLAOPS_NOTIFY_URL: "http://notify.stella-ops.local"
|
||||
STELLAOPS_SIGNER_URL: "http://signer.stella-ops.local"
|
||||
STELLAOPS_SMREMOTE_URL: "http://smremote.stella-ops.local"
|
||||
@@ -1074,50 +1079,6 @@ services:
|
||||
stellaops:
|
||||
aliases:
|
||||
- policy-engine.stella-ops.local
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 15: Policy Gateway -----------------------------------------------
|
||||
policy:
|
||||
<<: *resources-medium
|
||||
image: stellaops/policy:dev
|
||||
container_name: stellaops-policy
|
||||
restart: unless-stopped
|
||||
depends_on: *depends-infra
|
||||
environment:
|
||||
ASPNETCORE_URLS: "http://+:8084"
|
||||
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Postgres__Policy__ConnectionString: *postgres-connection
|
||||
PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
|
||||
PolicyGateway__ResourceServer__Audiences__0: ""
|
||||
PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
PolicyGateway__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
# In local compose, callers should forward their own token. Disable fallback
|
||||
# client-credentials to avoid 500s on invalid_scope when no Authorization header is present.
|
||||
PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
|
||||
# Bootstrap-prefixed vars (read by StellaOpsConfigurationBootstrapper before DI)
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequireHttpsMetadata: "false"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__Audiences__0: ""
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__ResourceServer__RequiredScopes__0: "policy:read"
|
||||
STELLAOPS_POLICY_GATEWAY_PolicyGateway__PolicyEngine__ClientCredentials__Enabled: "false"
|
||||
STELLAOPS_POLICY_GATEWAY_Postgres__Policy__ConnectionString: *postgres-connection
|
||||
Router__Enabled: "${POLICY_GATEWAY_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "policy-gateway"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.15:80:80"
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
- policy-gateway.stella-ops.local
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
@@ -1125,6 +1086,14 @@ services:
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 15: Policy Gateway (DEPRECATED - merged into policy-engine above)
|
||||
# Kept commented out for reference; remove in next compose cleanup.
|
||||
# policy:
|
||||
# <<: *resources-medium
|
||||
# image: stellaops/policy:dev
|
||||
# container_name: stellaops-policy
|
||||
# ... (merged into policy-engine service above)
|
||||
|
||||
# --- Slot 16: RiskEngine [src/Findings/StellaOps.RiskEngine.*] ---------------
|
||||
riskengine-web:
|
||||
<<: *resources-medium
|
||||
@@ -1658,43 +1627,43 @@ services:
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 28: Notifier ----------------------------------------------------
|
||||
notifier-web:
|
||||
<<: *resources-medium
|
||||
image: stellaops/notifier-web:dev
|
||||
container_name: stellaops-notifier-web
|
||||
restart: unless-stopped
|
||||
depends_on: *depends-infra
|
||||
environment:
|
||||
ASPNETCORE_URLS: "http://+:8080"
|
||||
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
Authority__ResourceServer__Audiences__0: ""
|
||||
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "notifier"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
- *ca-bundle
|
||||
ports:
|
||||
- "127.1.0.28:80:80"
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
- notifier.stella-ops.local
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
# --- Slot 28: Notifier (MERGED into notify-web — kept commented for rollback) ---
|
||||
# notifier-web:
|
||||
# <<: *resources-medium
|
||||
# image: stellaops/notifier-web:dev
|
||||
# container_name: stellaops-notifier-web
|
||||
# restart: unless-stopped
|
||||
# depends_on: *depends-infra
|
||||
# environment:
|
||||
# ASPNETCORE_URLS: "http://+:8080"
|
||||
# <<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
|
||||
# ConnectionStrings__Default: *postgres-connection
|
||||
# ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
# Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
|
||||
# Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
|
||||
# Authority__ResourceServer__RequireHttpsMetadata: "false"
|
||||
# Authority__ResourceServer__Audiences__0: ""
|
||||
# Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
|
||||
# Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
|
||||
# Authority__ResourceServer__BypassNetworks__2: "::1/128"
|
||||
# Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
|
||||
# Authority__ResourceServer__BypassNetworks__4: "::/0"
|
||||
# Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
|
||||
# Router__Messaging__ConsumerGroup: "notifier"
|
||||
# volumes:
|
||||
# - *cert-volume
|
||||
# - *ca-bundle
|
||||
# ports:
|
||||
# - "127.1.0.28:80:80"
|
||||
# networks:
|
||||
# stellaops:
|
||||
# aliases:
|
||||
# - notifier.stella-ops.local
|
||||
# frontdoor: {}
|
||||
# healthcheck:
|
||||
# test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
|
||||
# <<: *healthcheck-tcp
|
||||
# labels: *release-labels
|
||||
|
||||
notifier-worker:
|
||||
<<: *resources-light
|
||||
@@ -1750,6 +1719,7 @@ services:
|
||||
stellaops:
|
||||
aliases:
|
||||
- notify.stella-ops.local
|
||||
- notifier.stella-ops.local # merged from notifier-web
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
|
||||
@@ -1786,33 +1756,7 @@ services:
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
|
||||
# --- Slot 31: SmRemote ----------------------------------------------------
|
||||
smremote:
|
||||
<<: *resources-light
|
||||
image: stellaops/smremote:dev
|
||||
container_name: stellaops-smremote
|
||||
restart: unless-stopped
|
||||
depends_on: *depends-infra
|
||||
environment:
|
||||
ASPNETCORE_URLS: "http://+:8080"
|
||||
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
|
||||
ConnectionStrings__Default: *postgres-connection
|
||||
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
|
||||
Router__Enabled: "${SMREMOTE_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "smremote"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
ports:
|
||||
- "127.1.0.31:80:80"
|
||||
networks:
|
||||
stellaops:
|
||||
aliases:
|
||||
- smremote.stella-ops.local
|
||||
frontdoor: {}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
|
||||
<<: *healthcheck-tcp
|
||||
labels: *release-labels
|
||||
# --- Slot 31: SmRemote (moved to docker-compose.crypto-provider.smremote.yml) ---
|
||||
|
||||
# --- Slot 32: AirGap Controller --------------------------------------------
|
||||
airgap-controller:
|
||||
@@ -2332,7 +2276,7 @@ services:
|
||||
ADVISORYAI__KnowledgeSearch__VexAdapterEnabled: "true"
|
||||
ADVISORYAI__KnowledgeSearch__VexAdapterBaseUrl: "http://concelier.stella-ops.local"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterEnabled: "true"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-gateway.stella-ops.local"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-engine.stella-ops.local"
|
||||
Router__Enabled: "${ADVISORYAI_ROUTER_ENABLED:-true}"
|
||||
Router__Messaging__ConsumerGroup: "advisoryai"
|
||||
ports:
|
||||
@@ -2375,7 +2319,7 @@ services:
|
||||
ADVISORYAI__KnowledgeSearch__VexAdapterEnabled: "true"
|
||||
ADVISORYAI__KnowledgeSearch__VexAdapterBaseUrl: "http://concelier.stella-ops.local"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterEnabled: "true"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-gateway.stella-ops.local"
|
||||
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-engine.stella-ops.local"
|
||||
volumes:
|
||||
- *cert-volume
|
||||
networks:
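Review bot: The commented-out rollback template for notifier-web (the `# notifier-web:` block that replaces the live service) still carries `Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"` and `Authority__ResourceServer__BypassNetworks__4: "::/0"`, which, going by the option name, exempt every source address from token checks — so anyone following the "kept for rollback" instruction would uncomment an auth bypass together with the service. Since the `172.19.0.0/16` entry (presumably the compose network) is already listed, the template should drop the two catch-all entries or carry a warning such as `# WARNING: BypassNetworks 0.0.0.0/0 and ::/0 exempt all callers from token auth — do not restore on rollback.` The same change also adds `notifier.stella-ops.local` as an alias on notify-web, so traffic formerly addressed to notifier-web now reaches notify-web; whether notify-web's own ResourceServer settings contain an equivalent bypass is outside this diff and worth confirming. The notify-web service definition starts and ends outside the hunk.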
|
||||
|
||||