Initial commit (history squashed)

2025-10-07 10:14:21 +03:00
commit b97fc7685a
1132 changed files with 117842 additions and 0 deletions
--- a/ops/authority/AGENTS.md
+++ b/ops/authority/AGENTS.md
@@ -0,0 +1,16 @@
+# Authority DevOps Crew
+
+## Mission
+Operate and harden the StellaOps Authority platform in production and air-gapped environments: container images, deployment assets, observability defaults, backup/restore, and runtime key management.
+
+## Focus Areas
+- **Build & Packaging** – Dockerfiles, OCI bundles, offline artefact refresh.
+- **Deployment Tooling** – Compose/Kubernetes manifests, secrets bootstrap, upgrade paths.
+- **Observability** – Logging defaults, metrics/trace exporters, dashboards, alert policies.
+- **Continuity & Security** – Backup/restore guides, key rotation playbooks, revocation propagation.
+
+## Working Agreements
+- Track work in `ops/authority/TASKS.md` (TODO → DOING → DONE/BLOCKED); keep entries dated.
+- Validate container changes with the CI pipeline (`ops/authority` GitHub workflow) before marking DONE.
+- Update operator documentation in `docs/` together with any behavioural change.
+- Coordinate with Authority Core and Security Guild before altering sensitive defaults (rate limits, crypto providers, revocation jobs).
--- a/ops/authority/Dockerfile
+++ b/ops/authority/Dockerfile
@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1.7-labs
+
+#
+# StellaOps Authority – distroless container build
+# Produces a minimal image containing the Authority host and its plugins.
+#
+
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/nightly/sdk:10.0
+ARG RUNTIME_IMAGE=gcr.io/distroless/dotnet/aspnet:latest
+
+FROM ${SDK_IMAGE} AS build
+
+WORKDIR /src
+
+# Restore & publish
+COPY . .
+RUN dotnet restore src/StellaOps.sln
+RUN dotnet publish src/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj \
+    -c Release \
+    -o /app/publish \
+    /p:UseAppHost=false
+
+FROM ${RUNTIME_IMAGE} AS runtime
+
+WORKDIR /app
+
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
+ENV STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0=/app/plugins
+ENV STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY=/app/etc/authority.plugins
+
+COPY --from=build /app/publish ./
+
+# Provide writable mount points for configs/keys/plugins
+VOLUME ["/app/etc", "/app/plugins", "/app/keys"]
+
+EXPOSE 8080
+
+ENTRYPOINT ["dotnet", "StellaOps.Authority.dll"]
--- a/ops/authority/README.md
+++ b/ops/authority/README.md
@@ -0,0 +1,39 @@
+# StellaOps Authority Container Scaffold
+
+This directory provides a distroless Dockerfile and `docker-compose` sample for bootstrapping the Authority service alongside MongoDB (required) and Redis (optional).
+
+## Prerequisites
+
+- Docker Engine 25+ and Compose V2
+- .NET 10 preview SDK (only required when building locally outside of Compose)
+- Populated Authority configuration at `etc/authority.yaml` and plugin manifests under `etc/authority.plugins/`
+
+## Usage
+
+```bash
+# 1. Ensure configuration files exist (copied from etc/authority.yaml.sample, etc/authority.plugins/*.yaml)
+# 2. Build and start the stack
+docker compose -f ops/authority/docker-compose.authority.yaml up --build
+```
+
+`authority.yaml` is mounted read-only at `/etc/authority.yaml` inside the container. Plugin manifests are mounted to `/app/etc/authority.plugins`. Update the issuer URL plus any Mongo credentials in the compose file or via an `.env`.
+
+To run with pre-built images, replace the `build:` block in the compose file with an `image:` reference.
+
+## Volumes
+
+- `mongo-data` – persists MongoDB state.
+- `redis-data` – optional Redis persistence (enable the service before use).
+- `authority-keys` – writable volume for Authority signing keys.
+
+## Environment overrides
+
+Key environment variables (mirroring `StellaOpsAuthorityOptions`):
+
+| Variable | Description |
+| --- | --- |
+| `STELLAOPS_AUTHORITY__ISSUER` | Public issuer URL advertised by Authority |
+| `STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0` | Primary plugin binaries directory inside the container |
+| `STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY` | Path to plugin manifest directory |
+
+For additional options, see `etc/authority.yaml.sample`.
--- a/ops/authority/TASKS.md
+++ b/ops/authority/TASKS.md
@@ -0,0 +1,6 @@
+# Authority DevOps Task Board (UTC 2025-10-10)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| OPS3.KEY-ROTATION | BLOCKED | DevOps Crew, Authority Core | CORE10.JWKS | Implement key rotation tooling + pipeline hook once rotating JWKS lands. Document SOP and secret handling. | ✅ CLI/script rotates keys + updates JWKS; ✅ Pipeline job documented; ✅ docs/ops runbook updated. |
--- a/ops/authority/docker-compose.authority.yaml
+++ b/ops/authority/docker-compose.authority.yaml
@@ -0,0 +1,58 @@
+version: "3.9"
+
+services:
+  authority:
+    build:
+      context: ../..
+      dockerfile: ops/authority/Dockerfile
+    image: stellaops-authority:dev
+    container_name: stellaops-authority
+    depends_on:
+      mongo:
+        condition: service_started
+    environment:
+      # Override issuer to match your deployment URL.
+      STELLAOPS_AUTHORITY__ISSUER: "https://authority.localtest.me"
+      # Point the Authority host at the Mongo instance defined below.
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      # Mount Authority configuration + plugins (edit etc/authority.yaml before running).
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+      # Optional: persist plugin binaries or key material outside the container.
+      - authority-keys:/app/keys
+    ports:
+      - "8080:8080"
+    restart: unless-stopped
+
+  mongo:
+    image: mongo:7
+    container_name: stellaops-authority-mongo
+    command: ["mongod", "--bind_ip_all"]
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: stellaops
+      MONGO_INITDB_ROOT_PASSWORD: stellaops
+    volumes:
+      - mongo-data:/data/db
+    ports:
+      - "27017:27017"
+    restart: unless-stopped
+
+  redis:
+    image: redis:7-alpine
+    container_name: stellaops-authority-redis
+    command: ["redis-server", "--save", "60", "1"]
+    volumes:
+      - redis-data:/data
+    ports:
+      - "6379:6379"
+    restart: unless-stopped
+    # Uncomment to enable if/when Authority consumes Redis.
+    # deploy:
+    #   replicas: 0
+
+volumes:
+  mongo-data:
+  redis-data:
+  authority-keys: