license switch agpl -> busl1, sprints work, new product advisories

2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions


@@ -11,12 +11,13 @@ These Compose bundles ship the minimum services required to exercise the scanner
| `docker-compose.prod.yaml` | Production cutover stack with front-door network hand-off and Notify events enabled. |
| `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
| `docker-compose.mirror.yaml` | Managed mirror topology for `*.stella-ops.org` distribution (Concelier + Excititor + CDN gateway). |
| `docker-compose.rekor-v2.yaml` | Rekor v2 tiles overlay (MySQL-free) for bundled transparency logs. |
| `docker-compose.telemetry.yaml` | Optional OpenTelemetry collector overlay (mutual TLS, OTLP ingest endpoints). |
| `docker-compose.telemetry-storage.yaml` | Prometheus/Tempo/Loki storage overlay with multi-tenant defaults. |
| `docker-compose.gpu.yaml` | Optional GPU overlay enabling NVIDIA devices for Advisory AI web/worker. Apply with `-f docker-compose.<env>.yaml -f docker-compose.gpu.yaml`. |
| `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
| `scripts/backup.sh` | Pauses workers and creates tar.gz of Mongo/MinIO/Redis volumes (deterministic snapshot). |
| `scripts/reset.sh` | Stops the stack and removes Mongo/MinIO/Redis volumes after explicit confirmation. |
| `scripts/backup.sh` | Pauses workers and creates tar.gz of Mongo/MinIO/Valkey volumes (deterministic snapshot). |
| `scripts/reset.sh` | Stops the stack and removes Mongo/MinIO/Valkey volumes after explicit confirmation. |
| `scripts/quickstart.sh` | Helper to validate config and start dev stack; set `USE_MOCK=1` to include `docker-compose.mock.yaml` overlay. |
| `docker-compose.mock.yaml` | Dev-only overlay with placeholder digests for missing services (orchestrator, policy-registry, packs, task-runner, VEX/Vuln stack). Use only with mock release manifest `deploy/releases/2025.09-mock-dev.yaml`. |
@@ -30,6 +31,19 @@ docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
### Rekor v2 overlay (tiles)
Use the overlay below and set the Rekor env vars in your `.env` file (see
`env/dev.env.example`):
```bash
docker compose --env-file dev.env \
-f docker-compose.dev.yaml \
-f docker-compose.rekor-v2.yaml \
--profile sigstore up -d
```
> **Surface.Secrets:** set `SCANNER_SURFACE_SECRETS_PROVIDER`/`SCANNER_SURFACE_SECRETS_ROOT` in your `.env` and point `SURFACE_SECRETS_HOST_PATH` to the decrypted bundle path (default `./offline/surface-secrets`). The stack mounts that path read-only into Scanner Web/Worker so `secret://` references resolve without embedding plaintext.
> **Graph Explorer reminder:** If you enable Cartographer or Graph API containers alongside these profiles, update `etc/authority.yaml` so the `cartographer-service` client is marked with `properties.serviceIdentity: "cartographer"` and carries a tenant hint. The Authority host now refuses `graph:write` tokens without that marker, so apply the configuration change before rolling out the updated images.


@@ -20,7 +20,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:17
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -48,7 +48,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -60,7 +60,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -74,6 +74,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -381,3 +399,5 @@ services:
networks:
- stellaops
labels: *release-labels
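Review bot: The new `rekor-cli` and `cosign` services are pinned by tag only (`ghcr.io/sigstore/rekor-cli:v1.4.3`, `ghcr.io/sigstore/cosign:v3.0.4`), while `nats` in the same file is pinned by `@sha256:` digest. A tag can be re-pointed upstream, and these two images are the tools that check signatures and transparency-log entries, so they should be pinned at least as tightly as the services they verify: `image: ghcr.io/sigstore/cosign:v3.0.4@sha256:<digest-of-the-image-you-verified>`, and likewise for `rekor-cli`. The same two service definitions are repeated in the other compose files touched by this commit. The `postgres`, `valkey` and `rustfs` bumps in this section are tag-only as well.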


@@ -52,7 +52,7 @@ volumes:
services:
# Primary CAS storage - runtime facts, signals, replay artifacts
rustfs-cas:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -99,7 +99,7 @@ services:
# Evidence storage - Merkle roots, hash chains, evidence bundles (immutable)
rustfs-evidence:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data", "--immutable"]
restart: unless-stopped
environment:
@@ -135,7 +135,7 @@ services:
# Attestation storage - DSSE envelopes, in-toto attestations (immutable)
rustfs-attestation:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data", "--immutable"]
restart: unless-stopped
environment:
@@ -169,6 +169,24 @@ services:
retries: 3
start_period: 10s
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- cas
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- cas
labels: *release-labels
# Lifecycle manager - enforces retention policies
cas-lifecycle:
image: registry.stella-ops.org/stellaops/cas-lifecycle:2025.10.0-edge
@@ -189,3 +207,4 @@ services:
networks:
- cas
labels: *release-labels
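Review bot: All three `rustfs` images in this section move from `2025.10.0-edge` back to `2025.09.2`, which is a lower version. Two of them (`rustfs-evidence`, `rustfs-attestation`) run with `--immutable` and hold evidence bundles and DSSE envelopes. Nothing visible here says whether volumes written by the `2025.10.0-edge` build open under `2025.09.2`, and a store that fails to read its existing objects after the swap would break evidence verification. I would add a comment above each image line, for example `# downgraded from 2025.10.0-edge: verify existing volumes open under 2025.09.2 before cutover`, and record the result in the commit description. The same downgrade is applied to the `rustfs` service in the other compose files.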


@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels
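Review bot: `postgres` jumps from `16` to `18.1` here (and from `17` in an earlier compose file) with no migration step, and PostgreSQL will not start on a data directory initialised by a different major version. Stacks that keep their existing volume need `pg_upgrade` or a dump and restore before this image is rolled out. The volume mapping is outside the hunk, so also check it against the 18 image, whose official build moved the default data directory to a version-specific path under `/var/lib/postgresql`. A comment above the image line such as `# major upgrade from 16: run pg_upgrade or dump/restore before reusing the volume` would make this visible to operators. The same bump appears in the remaining profile files.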


@@ -9,10 +9,12 @@
# docker compose -f devops/compose/docker-compose.ci.yaml down -v
#
# Services:
# - postgres-ci: PostgreSQL 16 for integration tests (port 5433)
# - postgres-ci: PostgreSQL 18.1 for integration tests (port 5433)
# - valkey-ci: Valkey/Redis for caching tests (port 6380)
# - nats-ci: NATS JetStream for messaging tests (port 4223)
# - mock-registry: Local container registry for release testing (port 5001)
# - rekor-cli: Rekor CLI tool (profile: sigstore)
# - cosign: Cosign tool (profile: sigstore)
#
# =============================================================================
@@ -29,10 +31,10 @@ volumes:
services:
# ---------------------------------------------------------------------------
# PostgreSQL 16 - Primary database for integration tests
# PostgreSQL 18.1 - Primary database for integration tests
# ---------------------------------------------------------------------------
postgres-ci:
image: postgres:16-alpine
image: postgres:18.1-alpine
container_name: stellaops-postgres-ci
environment:
POSTGRES_USER: stellaops_ci
@@ -55,10 +57,10 @@ services:
restart: unless-stopped
# ---------------------------------------------------------------------------
# Valkey 8.0 - Redis-compatible cache for caching tests
# Valkey 9.0.1 - Redis-compatible cache for caching tests
# ---------------------------------------------------------------------------
valkey-ci:
image: valkey/valkey:8.0-alpine
image: valkey/valkey:9.0.1-alpine
container_name: stellaops-valkey-ci
command: ["valkey-server", "--appendonly", "yes", "--maxmemory", "256mb", "--maxmemory-policy", "allkeys-lru"]
ports:
@@ -74,6 +76,25 @@ services:
retries: 5
restart: unless-stopped
# ---------------------------------------------------------------------------
# Sigstore tools - Rekor CLI and Cosign (on-demand)
# ---------------------------------------------------------------------------
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- ci-net
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- ci-net
# ---------------------------------------------------------------------------
# NATS JetStream - Message queue for messaging tests
# ---------------------------------------------------------------------------
@@ -128,3 +149,4 @@ services:
timeout: 5s
retries: 5
restart: unless-stopped


@@ -19,7 +19,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -36,7 +36,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -47,22 +47,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -363,3 +381,5 @@ services:
networks:
- stellaops
labels: *release-labels


@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels


@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels


@@ -23,7 +23,7 @@ volumes:
services:
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -34,22 +34,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -123,7 +141,7 @@ services:
labels: *release-labels
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -378,3 +396,5 @@ services:
- stellaops
- frontdoor
labels: *release-labels


@@ -0,0 +1,34 @@
# Rekor v2 tiles stack (MySQL-free).
# Usage:
# docker compose -f devops/compose/docker-compose.dev.yaml \
# -f devops/compose/docker-compose.rekor-v2.yaml --profile sigstore up -d
#
# Notes:
# - This overlay runs Rekor v2 (rekor-tiles) with a POSIX tiles volume.
# - Pin the image digest via REKOR_TILES_IMAGE in your env file.
# - Keep it on the internal stellaops network unless you explicitly need
# external access.
x-rekor-v2-labels: &rekor-v2-labels
com.stellaops.profile: "sigstore"
com.stellaops.component: "rekor-v2"
networks:
stellaops:
driver: bridge
volumes:
rekor-tiles-data:
services:
rekor-v2:
image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
restart: unless-stopped
networks:
- stellaops
volumes:
- rekor-tiles-data:/var/lib/rekor-tiles
# Backend-specific flags/env are intentionally omitted here; follow the
# rekor-tiles documentation for POSIX backend defaults.
profiles: ["sigstore"]
labels: *rekor-v2-labels
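Review bot: The `rekor-v2` image falls back to `ghcr.io/sigstore/rekor-tiles:latest` when `REKOR_TILES_IMAGE` is unset, which contradicts the header note asking for a pinned digest and lets the transparency log run whatever was pushed last. Making the variable mandatory stops the overlay from starting unpinned: `image: "${REKOR_TILES_IMAGE:?set REKOR_TILES_IMAGE to a digest-pinned rekor-tiles image}"`. The env examples in this commit also set the variable to `:latest`, so they would need a clearly labelled placeholder digest instead. Separately, the overlay declares the `stellaops` network with `driver: bridge` again; the base file's definition is not visible here, so confirm the two merge without changing the network's settings.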


@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels


@@ -20,7 +20,7 @@ volumes:
services:
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -32,7 +32,7 @@ services:
labels: *release-labels
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -47,22 +47,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -367,3 +385,5 @@ services:
networks:
- stellaops
labels: *release-labels


@@ -24,6 +24,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true
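Review bot: The comment on `REKOR_SERVER_URL` tells operators to switch to `http://rekor-v2:3000` for the overlay, but `REKOR_LOG_ID` stays fixed to the Sigstore production log ID and nothing says it must change too. A self-hosted log presumably has its own ID, so a client pointed at the local server with the production ID would either reject every entry or, if the ID is not enforced, give a false sense of pinning. I would extend the comment to `# Log ID for multi-log environments (Sigstore production log ID; replace with your own log's ID when REKOR_SERVER_URL points at the rekor-v2 overlay)`. The overlay URL is plain HTTP, which is only reasonable while the service stays on the internal compose network. The same block is added to the other env examples in this commit.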


@@ -24,16 +24,17 @@ SIGNER_PORT=8441
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=Auto
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Prefer tile proofs when Version=Auto
REKOR_PREFER_TILE_PROOFS=false
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447


@@ -25,6 +25,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true


@@ -24,6 +24,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true