From c467b4d4b7aab147658cfa7a8fdd734524d42744 Mon Sep 17 00:00:00 2001
From: master <>
Date: Wed, 5 Nov 2025 16:28:05 +0200
Subject: [PATCH] Add TLS certificates and private keys for telemetry components
- Added CA certificate (ca.crt) and private key (ca.key) for secure communication.
- Added client certificate (client.crt) and private key (client.key) for client authentication.
- Added collector certificate (collector.crt) and private key (collector.key) for collector authentication.
---
 .gitea/workflows/build-test-deploy.yml | 48 ++++++
 docs/implplan/SPRINT_190_ops_offline.md | 3 +-
 ops/deploy/telemetry/certs/ca.crt | 28 ++++
 ops/deploy/telemetry/certs/ca.key | 52 ++++++
 ops/deploy/telemetry/certs/client.crt | 32 ++++
 ops/deploy/telemetry/certs/client.key | 52 ++++++
 ops/deploy/telemetry/certs/collector.crt | 32 ++++
 ops/deploy/telemetry/certs/collector.key | 52 ++++++
 ops/devops/TASKS.md | 6 +-
 .../package_offline_bundle.cpython-312.pyc | Bin 7173 -> 0 bytes
 ops/devops/telemetry/generate_dev_tls.sh | 154 +++++++++---------
 11 files changed, 379 insertions(+), 80 deletions(-)
 create mode 100644 ops/deploy/telemetry/certs/ca.crt
 create mode 100644 ops/deploy/telemetry/certs/ca.key
 create mode 100644 ops/deploy/telemetry/certs/client.crt
 create mode 100644 ops/deploy/telemetry/certs/client.key
 create mode 100644 ops/deploy/telemetry/certs/collector.crt
 create mode 100644 ops/deploy/telemetry/certs/collector.key
 delete mode 100644 ops/devops/telemetry/__pycache__/package_offline_bundle.cpython-312.pyc
diff --git a/.gitea/workflows/build-test-deploy.yml b/.gitea/workflows/build-test-deploy.yml
index 2b3ddab4b..e16945c45 100644
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -81,12 +81,60 @@ jobs: - name: Validate telemetry storage configuration run: python3 ops/devops/telemetry/validate_storage_stack.py + - name: Telemetry tenant isolation smoke + env: + COMPOSE_DIR: ${GITHUB_WORKSPACE}/deploy/compose + run: | + set -euo pipefail + ./ops/devops/telemetry/generate_dev_tls.sh + COMPOSE_DIR="${COMPOSE_DIR:-${GITHUB_WORKSPACE}/deploy/compose}" + cleanup() { + set +e + (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry.yaml down -v --remove-orphans >/dev/null 2>&1) + (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry-storage.yaml down -v --remove-orphans >/dev/null 2>&1) + } + trap cleanup EXIT + (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry-storage.yaml up -d) + (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry.yaml up -d) + sleep 5 + python3 ops/devops/telemetry/smoke_otel_collector.py --host localhost + python3 ops/devops/telemetry/tenant_isolation_smoke.py \ + --collector https://localhost:4318/v1 \ + --tempo https://localhost:3200 \ + --loki https://localhost:3100 + - name: Setup .NET ${{ env.DOTNET_VERSION }} uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} include-prerelease: true + - name: Build CLI multi-runtime binaries + run: | + set -euo pipefail + export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 + RUNTIMES=(linux-x64 linux-arm64 osx-x64 osx-arm64 win-x64) + rm -rf out/cli-ci + for runtime in "${RUNTIMES[@]}"; do + dotnet publish src/Cli/StellaOps.Cli/StellaOps.Cli.csproj \ + --configuration $BUILD_CONFIGURATION \ + --runtime "$runtime" \ + --self-contained true \ + /p:PublishSingleFile=true \ + /p:IncludeNativeLibrariesForSelfExtract=true \ + /p:EnableCompressionInSingleFile=true \ + /p:InvariantGlobalization=true \ + --output "out/cli-ci/${runtime}" + done + + - name: Run CLI unit tests + run: | + mkdir -p "$TEST_RESULTS_DIR" + dotnet test src/Cli/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj \ + --configuration $BUILD_CONFIGURATION \ + 
--logger "trx;LogFileName=stellaops-cli-tests.trx" \ + --results-directory "$TEST_RESULTS_DIR" + - name: Restore Concelier solution run: dotnet restore src/Concelier/StellaOps.Concelier.sln diff --git a/docs/implplan/SPRINT_190_ops_offline.md b/docs/implplan/SPRINT_190_ops_offline.md index b4a90fb68..057687d23 100644 --- a/docs/implplan/SPRINT_190_ops_offline.md +++ b/docs/implplan/SPRINT_190_ops_offline.md 
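Review bot: In the added "Telemetry tenant isolation smoke" step, `COMPOSE_DIR: ${GITHUB_WORKSPACE}/deploy/compose` under `env:` is, as far as I know, handed to the step as a literal string, because workflow `env:` values are not shell-expanded; the `${COMPOSE_DIR:-…}` fallback in the script then never applies (the variable is set and non-empty) and every `cd "$COMPOSE_DIR"` targets a path that begins with the text `${GITHUB_WORKSPACE}`. Use the expression form, `COMPOSE_DIR: ${{ github.workspace }}/deploy/compose`, or drop the `env:` entry and keep only the in-script default. Separately, `sleep 5` is a fixed wait rather than a readiness check and `cleanup` discards all compose output, so a slow start fails the smoke with nothing to diagnose it; a bounded retry against the collector endpoint plus `docker compose logs` before `down -v` on failure would help. The step also runs `generate_dev_tls.sh` against the certs directory that this patch fills with committed keys, so it is worth confirming which key material the smoke actually exercises.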
@@ -69,7 +69,7 @@ DEVOPS-ATTEST-74-002 | TODO | Integrate attestation bundle builds into release/o
 DEVOPS-ATTEST-75-001 | TODO | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | DevOps Guild (ops/devops/TASKS.md)
-DEVOPS-CLI-43-001 | DOING (2025-10-27) | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. Dependencies: DEVOPS-CLI-42-001. | DevOps Guild (ops/devops/TASKS.md)
+DEVOPS-CLI-43-001 | DONE (2025-11-05) | Build/Test workflow publishes CLI for linux/mac/windows and runs CLI tests; release enforces parity gate and signs SBOMs. | DevOps Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-43-002 | TODO | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | DevOps Guild, Task Runner Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-43-003 | TODO | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
 DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops/TASKS.md)
@@ -98,6 +98,7 @@ DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (`advisory
 DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | DevOps Guild, API Contracts Guild (ops/devops/TASKS.md)
 DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | DevOps Guild, Contract Testing Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-50-002 | DONE (2025-11-05) | Tempo/Loki exporters added to collector, tenant isolation smoke + validation scripts landed, storage configs validated. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
+DEVOPS-OBS-50-003 | DONE (2025-11-05) | Git workflow runs docker-compose-backed tenant isolation smoke alongside collector test. | DevOps Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | DevOps Guild, Timeline Indexer Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | DevOps Guild, Evidence Locker Guild (ops/devops/TASKS.md)
diff --git a/ops/deploy/telemetry/certs/ca.crt b/ops/deploy/telemetry/certs/ca.crt
new file mode 100644
index 000000000..93cfbbb16
--- /dev/null
+++ b/ops/deploy/telemetry/certs/ca.crt
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0TCCArkCFDKF9uZOnv4aZOLZaMxkCQRXh8WaMA0GCSqGSIb3DQEBCwUAMCUx +IzAhBgNVBAMMGlN0ZWxsYU9wcyBEZXYgVGVsZW1ldHJ5IENBMB4XDTI1MTEwNTEz +MTQxNloXDTI2MTEwNTEzMTQxNlowJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBU +ZWxlbWV0cnkgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsyoJs +EiYwwH+3FeQGxh0C2e3c6QscMy3Vd+RY5RfVjtWjv7aRfCPegOEf9xARzoy+he2c +42QaBvSnxZ43yDzKMYTwFkGwi1qFF68dqr8gb4iww3kf+YE09XI7zngH185v1NKi +Mo61iYTkbf3Er6VqYhsDNGVEQQt4g+JXeTHORxmEJUef36ZqLPCGNnRP/HGxvrLH +FDjUBCpkjhEUoP7Aqm5hbPcC8KUpKerGBirNsbvuhja+qUhglpdsihgdAiWHUrf1 +lUgQAHDAfM8AtG+v6uWu+0LkxIHc31EAMRn46ZpDZP6Paye9vfJdV4GM387vU5Ts +0ugdn8BX9PAvCxOhqJ2Lp2Es3Umg0bBa9iYB/KUdhDp+WmVCcUGthmx/V03dwhEu ++Abqdi9J6ngMIBjB7RPOuTZYPgb9y8YdLKDjOMTzIUGLGWk5Q7OhiGMZYowFRa1G +0ZhOqiV2N9GrCt2wFAqlLEork07zwmeeDfE/7xrkDqc0jNjf8WoLqcVPhsLLpToT +4oG40WIHdbMmjw5dXoFUcqLWKKkLvo5R9LXbR8zlHDlELlbMX31DH7aOeqlB7Jx+ +Ya9fwNngEalvrci3WT/CV5bfxXAK57U+ffnYuzhrn3S5PQ4eCQ7QNTC+LZEiJ4XP +X/KygY1aPFWzQkmPkrBgz/5dS5wfLeHO36ckRwIDAQABMA0GCSqGSIb3DQEBCwUA +A4ICAQBy353C03SUJC38Ukpq5Gwp3xX/MViM9tcv+G25DFNxz7334glgpeVqQ9HD +r42DwHaJjudWiTEZ73B2cf3Bs1DLpRLFk9AqsNVp+IlFKBRNgWDyev5UnRhDS/c5 +4MbwVr54Sn/6KVy56MEBLanQLgRB9iHhwekZYZpVkKS8gvdvMzkdj0kJJSYaMJSc +0TzeL6nQHCuczI9lQ8ofV7yj1s3+XerzC3eKrze3iqc6o6J9163e6rPtm20plaEC +fgo9NCjB9IRlBdsUuzFUYfgqsN7eisGHKXpFeA4D+Ox47v8uBCtK7zxrd3blvgts +uNdJImGnjSRXB1C2KNjluCIaTvET4a8cq1nFUAlnA4pJXGwlRkJW42ncKUfEeIGN +YltnLiwwf2PR/NCpFg+dMvrGwHKe0vHJluJi4cuvlnyh7YjEnn/2fDqUBwXfL7wW +bRq1oC+o6Vd526BwQiysmp8bwkzsoZEgqSXYEiyP/PMBDrHvTWWi7Uj0mFSJfNIK +r/3XbKCLfaCqZgm5CjFzpgy71aNMJE5NC7lKJNt7P67ZsyBDEYPleNIlTI9CZBY5 +ChaLedsHqEZgMcD3Hj5ETha8gbIf/07bMvFd/P6+lKq7IRwjozBAx7r8xrfepb0E +OYqSDgxoHRhYoJzAbrY8w3rhmubb9we/HxcYBlunnN20c8lL6g== +-----END CERTIFICATE----- diff --git a/ops/deploy/telemetry/certs/ca.key b/ops/deploy/telemetry/certs/ca.key new file mode 100644 index 000000000..e8cde1224 --- /dev/null +++ b/ops/deploy/telemetry/certs/ca.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCsyoJsEiYwwH+3 +FeQGxh0C2e3c6QscMy3Vd+RY5RfVjtWjv7aRfCPegOEf9xARzoy+he2c42QaBvSn +xZ43yDzKMYTwFkGwi1qFF68dqr8gb4iww3kf+YE09XI7zngH185v1NKiMo61iYTk +bf3Er6VqYhsDNGVEQQt4g+JXeTHORxmEJUef36ZqLPCGNnRP/HGxvrLHFDjUBCpk +jhEUoP7Aqm5hbPcC8KUpKerGBirNsbvuhja+qUhglpdsihgdAiWHUrf1lUgQAHDA +fM8AtG+v6uWu+0LkxIHc31EAMRn46ZpDZP6Paye9vfJdV4GM387vU5Ts0ugdn8BX +9PAvCxOhqJ2Lp2Es3Umg0bBa9iYB/KUdhDp+WmVCcUGthmx/V03dwhEu+Abqdi9J +6ngMIBjB7RPOuTZYPgb9y8YdLKDjOMTzIUGLGWk5Q7OhiGMZYowFRa1G0ZhOqiV2 +N9GrCt2wFAqlLEork07zwmeeDfE/7xrkDqc0jNjf8WoLqcVPhsLLpToT4oG40WIH +dbMmjw5dXoFUcqLWKKkLvo5R9LXbR8zlHDlELlbMX31DH7aOeqlB7Jx+Ya9fwNng +Ealvrci3WT/CV5bfxXAK57U+ffnYuzhrn3S5PQ4eCQ7QNTC+LZEiJ4XPX/KygY1a +PFWzQkmPkrBgz/5dS5wfLeHO36ckRwIDAQABAoICABFrFqurRrNKbHV53PM73GfR +rTNEQMz2ccvfmqLFcVojXHD13gMbdwgyiL8uqi2JW1HHcXULzSb8hYQ2HSV1Z39g +b4y+SZ/w5E6fXRVKBZtQ8wASrG6nObmrdnkF7r6nqBVI6HTWUOGG++EFH3xI0o1/ +V0bC7ORtBCmBbfswae9n5nAWS/qXUpDId/Snn6ECizmGRkJgTPw+cUGSurEQK64j +YB4tHFdtB9E2+wY8T+tNW+sHF5Svvu6Rr7EO2LBv63WRRp8YjdujF7qnujxRdCLR +NJcnmA40qvynfGRfDsWzUswxbaHqhOaRM9HqBNK9KwCgNdaLyj9WP87+D4pGfRN3 +h4Fr4DTFHz96yV4WHACx5PKdOjUyK5a28EsKMfaCA9ky3IU6Np84NMGxOY8/HVet +MkBFtZsAKOZrocCih1ZbDZRvMg0lEcLwLEL7yObMT2w/aG5M9Ppj+D/B+d4x0c/f +6I+WRsBH4d3Ynbsicyn0Axuciu3+V44HAiNqccoA78lEGhTMbJ3NG38Y6EIQFbgV +XwF+pmNyiXx0C2lm56OfRG6/DcizmHX3ID7aRkzg0dM7HYHGGcdgX3nVN7sLPH3e +2KDi2LOCZdFFW10EFpPN8gygammhrDFFszgdjDkI/FxU8itiHyL25xRFJWwliwGr +G3taY+NAYn+udaUC3UixAoIBAQDvemYBS//LpGHL/86RTG3EAdgVswSJJCBTmlAC +qNF7oj843ewwfX2H/EhRTjm/6DH5443b1menqDXce5wTauGpYtu3XPoDWHepTM0J +FzM8oFdRYNzgqEMOp7oUMULZkyEA6EFMWYSSB+n+Ce7QRPtb3vr4RNAW45nIxAV5 +kKJ5qVsOS9xY79wWt5GglHHsFG6Lu3nYfzCw/w79BRmVu900KaF+ZEHuKi/lfySG +eSzVUw26cL35QJ73AsBseUUHRLLVqMO8qZmzII6Y0cE3AiZnyBsX1/FmmZwWrw5Y +Z1TPuEtkM/Dla6oY+Vcu/G86+L936Z6Yr9UP7q1yChbuDHgXAoIBAQC4tk0P02SL +ucyI6+YF3vQSmXKlWPqqOPExeVTaxtlHKuxWVS7LfsCn6H6WErB2hoRroBsL6vwp 
+zCEskSdwq47OmxfAcN3EZ3Bn2E1z457NO7vzEio4uufwtzsOHZnI8CD/ZNOin/km +M0RWgezYkDeCeO+/Hk7KBhO+Mlb/ZH7Bgb8F+UiqH3HoKnZIJ3Hgf/skakE5hXdb +sHV6w8/U1QsoioWbmk/8vlPCY2mAQniZtDVwMzIiWgrQWyLLvd061C/Iy/7C2uR+ +87g/SWL8xxHhwLK0GHfHCh9VOZOatJSVdPf1p9eH+Qzw0gskYMChL1MwwtO8YiJP +kNgrlY31RiNRAoIBAQCukC4i69899klDhuhwiaHJqv50ctXvkeHujyGbjquEz7P+ +I+azQgZrRb8BZWA7P2qOmQ0jHprYX4lDeuc+UD7GVkWK1793CNnREyayZbL3knmT +3GOlb4HSAPlnFrGAH/uCycoveWFlgVdT0rG+J0qCoXuX1bFJvgavjhPflUqaHJU/ +SpUIT2/DL3R79TlFuW8LdFFROwWnP4URctI/j32jNGV/2F0m2qGnTJK3Y0UHC0+K +g/w24J//toXFjHCA59bkX+yubYKYTDcltmB9VJfiNr9pFgPlojthXaG7Vzc/Yzux +gxsqYNzQ75BZs7Dw77nCEw2Eh0dsIbNU2X31cClpAoIBAE9xgOVsmxMJf3HoW89s +m/cf7lI1WeI6iWoo8BkEa1ETogBjtLOrOXs+IKu1MBZaNrv/aYKPt5LWi/IaICdy +cgJkbCvFn2wovQy82FserB9DMMwTpPsvUDCU7h5dFtZ4iQivOeL5APSwGhVG3jIq +nOVN1HeTtnlncbhc+FPxyh66CgmstNcOnTQohyTzaiQPh1mbJaByyeoyk+SQMWQt +mRX/tgU9smdXCLlTfn2+mRYqjs1KB6cEqSACAo40g+EYf9DSBCmUcbA0bKszihKE +ICnDcljJKUL/FIjYMabZQgqh+z+5x5ZgxHMTM92ai18H9rTDJsQgRPeJqZ/dO+gh +GXECggEBAOf4EahtXAnijFG4razL1xZL5ITdJJQkfgZJDvu3sfS0euzbvnINP3uj +qyB+8C81nBMMbD7StLXxqRYX3yJgcyfayae91rym/MUPx8r9qQbXSI+IqMAkNhHZ +ciTKGq6uVxarUYtNIbRArvRG8qS4mRkl/jF8X0+t3AkFSyp4qeD2wvRM0LNFzhwO +oXwipHEXUwzm13mA6O9rgWbYA7R/I0wUJffZVWh0dlKsj+AYkUDH4GJW13vQeodh +zmB7vVYkC9hlNkH7Df8KP+xN2NCeq/UOHjQwZuOl/lP9WAvATU18sYn5suZieKiI +JsLb8CGIEEsgMR8I5fIQdaIeFM5zC8c= +-----END PRIVATE KEY----- diff --git a/ops/deploy/telemetry/certs/client.crt b/ops/deploy/telemetry/certs/client.crt new file mode 100644 index 000000000..6715a649a --- /dev/null +++ b/ops/deploy/telemetry/certs/client.crt 
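Review bot: This hunk commits the CA private key in clear text (`ops/deploy/telemetry/certs/ca.key`), and the `client.key` and `collector.key` hunks later in this patch do the same for the client and collector identities, so every reader of the repository and its history holds the material needed to issue certificates under this CA or to present either identity wherever these files are trusted. The CA subject marks it as dev material ("StellaOps Dev Telemetry CA"), but the files sit under `ops/deploy/`, and the removed side of `generate_dev_tls.sh` in this patch only creates a CA key when none exists (`if [[ ! -f "${CA_KEY}" ]]`); if the new version keeps that guard, every checkout and CI run will go on signing with this published key. I would drop the three `.key` files (and the `.crt` files derived from them) from the commit, ignore them with a rule such as `ops/deploy/telemetry/certs/*.key`, and let the script generate fresh material per environment, which the workflow step added in this patch already does. Once pushed the keys stay reachable in history, so treat them as compromised and keep this CA out of any trust store beyond throwaway test stacks.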
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFijCCA3KgAwIBAgIURlzXP0kww1npXz/oCffRcM5B7QEwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBUZWxlbWV0cnkgQ0EwHhcNMjUx +MTA1MTMxNDE4WhcNMjYxMTA1MTMxNDE4WjAgMR4wHAYDVQQDDBVzdGVsbGFvcHMt +b3RlbC1jbGllbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh0uCg +HSZRLFXeGx0444w0Ig9+gplsaf+Jf2nK7KAMAOqRadozjzECeK0wopuZ7gCmCtRA +XBfKxJpoz50poMR44emL7ETbDqFHRW1zfERQfU17LpOd4Sw++BULDQHobB2/2nRg +Fe2s1gPJKfLnN/u5b8CWWNu0iRl2buaoM9tsXY7XFZ4VK/R23MAlUwm+dwMGu256 +8dGnf6Htmm2uypPEAq8MfJhcnix2BRG7JPi1FR4ZubXut/k0qN1EvWOfZEHVQmxN +PbcPDV8D/pqGIG11Yiz2aaAxQcwm2V++fh9bwE+ZC6wtcGi4jcSZ2OOTAZht2V1S +ZEw6M0dOrvoS8s76vfiBKxF5HzTImD/ysfC/9EHTs+3EUK25p8ZKDjoisKP7DwZ1 +7IhxFZ6vkHv+AAaOera6JdsbquCIL6bUg9EDjq7aZOQoBMKTAecbPVEigsrnC4VY +U4qXH6sr9S1uub1wBe41+4Ae6G6oEWtdfWOBydYBjAVcbrk/LXXOuYk6cP1ajOYQ +Y0Y0NrIhGhR8k74TtVWfYZqAFDiKPdUI/HWlW0IZnxFqggLgQ+phNoPveQhu9kbe +nCnp5J+ej/YY5Xey37k6nIDh260ZomlizFnzxG07L457iIxhtpGq27OeMtZVi8yS +r4xxbEBWge1t3pqk5PzIR7s/qVkvlobTtU1QlwIDAQABo4G2MIGzMBMGA1UdJQQM +MAoGCCsGAQUFBwMCMDEGA1UdEQQqMCiCFXN0ZWxsYW9wcy1vdGVsLWNsaWVudIIJ +bG9jYWxob3N0hwR/AAABMB0GA1UdDgQWBBTFQj7R63yc+tf1xNK9aO9afwPZDDBK +BgNVHSMEQzBBoSmkJzAlMSMwIQYDVQQDDBpTdGVsbGFPcHMgRGV2IFRlbGVtZXRy +eSBDQYIUMoX25k6e/hpk4tlozGQJBFeHxZowDQYJKoZIhvcNAQELBQADggIBAIw0 +q9ulVu3mKpONcyGBf7a104uI45bc8xjihqgbd2ovFpyCORg63ejrvr4IUBzz+7E+ +M4rKZENE6SliI42cXXWiown/g/k75DdRGUF7opjcWMt0OjTU5G8vvhdHc26Xc6Sa +k/qxbX8qydgPaa9MC2aohY902xwQ4OryQB/vBgukbvEdva/h3DsS3vWz0DPm3TgR +D/gJZYWu66P1yuljb3q2UOGRUjwhrZSI+0gq4q2yaT85MEXgL+QlFtAiXkVxjS2y +LRLQ3b7PJjoUZI3msREQyLPphmKJHBx1cfGJc1vxV93ZzjFc8FPnpFRqqNG+xYSl +8REsB1xjPz1tSEi0mFe226S8xCSgGcAk7wi2Urw+BZiKxpZ8ATXH0awCsl42W1w1 +8oxN9c/8/S6qE3+1LF3QZiFm6I3HDQ61zSHPxbasuI5Y5+c7Z3A1UVTxCGAMUBPE +zDP3XHwQkV27P3ChlUzP0ohTJgJvny81aIpZGJk/gTloPCNuKxLwVXLnR8qFR01U +5HtWXkgMkpukh1S4wEDzN6IiLqyWsntoewwe6evqwbLRkUGsiqIHGzTI23B4UvFN +qBonwFDGulP9t/VH33f+vmLnGv7ERVXRiVTXKts2cVGhGhWLyV+a/H5cF6pJKyet 
+W2jYvD5N0Vzpw9IdQCIASSQ1ntYcTwW/CIz0ZkDW +-----END CERTIFICATE----- diff --git a/ops/deploy/telemetry/certs/client.key b/ops/deploy/telemetry/certs/client.key new file mode 100644 index 000000000..35aa5eaa5 --- /dev/null +++ b/ops/deploy/telemetry/certs/client.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCh0uCgHSZRLFXe +Gx0444w0Ig9+gplsaf+Jf2nK7KAMAOqRadozjzECeK0wopuZ7gCmCtRAXBfKxJpo +z50poMR44emL7ETbDqFHRW1zfERQfU17LpOd4Sw++BULDQHobB2/2nRgFe2s1gPJ +KfLnN/u5b8CWWNu0iRl2buaoM9tsXY7XFZ4VK/R23MAlUwm+dwMGu2568dGnf6Ht +mm2uypPEAq8MfJhcnix2BRG7JPi1FR4ZubXut/k0qN1EvWOfZEHVQmxNPbcPDV8D +/pqGIG11Yiz2aaAxQcwm2V++fh9bwE+ZC6wtcGi4jcSZ2OOTAZht2V1SZEw6M0dO +rvoS8s76vfiBKxF5HzTImD/ysfC/9EHTs+3EUK25p8ZKDjoisKP7DwZ17IhxFZ6v +kHv+AAaOera6JdsbquCIL6bUg9EDjq7aZOQoBMKTAecbPVEigsrnC4VYU4qXH6sr +9S1uub1wBe41+4Ae6G6oEWtdfWOBydYBjAVcbrk/LXXOuYk6cP1ajOYQY0Y0NrIh +GhR8k74TtVWfYZqAFDiKPdUI/HWlW0IZnxFqggLgQ+phNoPveQhu9kbenCnp5J+e +j/YY5Xey37k6nIDh260ZomlizFnzxG07L457iIxhtpGq27OeMtZVi8ySr4xxbEBW +ge1t3pqk5PzIR7s/qVkvlobTtU1QlwIDAQABAoICADaZoNnVTAbqdySEMIVv3W// +qAuvBBY845AgkfD6ivvR2VNsDEgGQeqMDh+RVgAHemeL0tbOW+a6FEFV/7i6emAx +FWx1MTxaQNd72PS00pX32Us9SWhlP9kVOoBqiKDDzfvcORTsgS+mXEulIEScso38 +Y1Y3MBZHhfRcce4B5UC4hogSzq5lEMyEKj7NuEVwAXDlj97itbMW0OuLBgQKbPYf +U7HaXkwtwGGnzzY+QL5UnD3g175ui6KVcWcOocz3dnD+wu0C7D+jatI9tySXT2di +UzpnJDpKcZgQEwqCopECH7lLY3JHccYHa3TfZdXFnYk+5Ip2tfOTNrWZO15mV6hg +MoNdi8uDKfjEt3esINiR869GrLX+8TXAc1vHR+FyPIAA2NU65GWCYAV+g837QqjJ ++2/RnkT8SAE2v5dqasp6R7TfL9CvkJUTwQvOrRE9JnBl1IeEsyVz/ddheh5dGZYI +L2BusYjqUA/D2n1k36WZW+axTn6NxWs7hzp9tRyGiVpktTFb6z98+J6kAEL9r+ZB +DK4iDSb5lWpyTCNQXe0ZYSuIkmq62dAIIvdCt69uCadp1Udfr8rbAQ2n/AzSk1hJ +NsWnyiNRWqL57jKzbCzqmSB0dzRkFrGej8oDApSab1co/paeVWz/HdaAGbTdBI0Y +GbF+3A0JuM+4ZbsGF1D1AoIBAQDUoIiOmnhOGC7YO/7FEmJuIXVm71mYhnTXeiXZ +tn/TDhOgaIIplPwooCcaREWrvKFYznhCqTc5EzCvS+HSBZRT/XGcZWVt4KbiGEWf +ftXpepCINk9KL7W38IyEly5jzRBh9ZeNqN6oLY2omhIViN5mgK/dzRHS4N4+/5/7 +dqc4a7B8mu57mEOoiOEh6z0nb+0AyTObWXwCc7y31kpda4NdXwsTdXjA+hn/IJQn +naVMogO2rgrUwLDCBAV0FELQ4fvHmQhpoT9IPM8TQM7t3ZhfrJIttU86i2VsEkXi +t76MAAuXPBQQghAuStyvFsyXT72Z1Z3pn++f0Dm0p+WgxI7lAoIBAQDC1V/NtNp/ +NZLEUEnDVdhaqyoQ9G35/wHJK5/TD8Tyh35Uokrw1G/XGfvoqQUdMQGBsa9X1u3s 
+90NEchm3GbP/LbA6Imka58XhiHBUw+dsbVaSz7ebHYgFqUaiLAJxEJjbhPqg90ii +drFk3GrW2YEFad4wrkaifad3SWtVEQbei+BlAiS5BbIVGPWjBhgCW6+B5LZMuyGp +58/TJm4J0ZoVemOB4Q531NW8g3cUCltPk4kkDAGMtoAQpZrMelI/83CSPy2XHehJ +tEe0ZPlhzRkWhnMY2ykDbbc/ZW0OR2zFdxDNAJzB7Am/RCE37v6a7U/6cfzSiyBF +wtpNl1IELu3LAoIBAQDSIqlyzcSx4YKCX6ClIUs37kc56LiSXeehgO1hYdSoQBQz +hrWE5OHkQIsEkY6NcInA26TMtLGH7ahCxmqyBqOV8jdSyn7YfZpQfo5oV5CPA3tN +subfuZEM7WXiMAs/xM05Et+pt8f9S6/hfgr7T14EzY+BVAcWcvgSKM3yVkxjHUK5 +kuC4Mz5ClKxyuiqhDCOdkDs5f9FoFvveb6Dk/LlCEQlAPOuPRF1m38qr8EgKGWA0 +LYM0yg6mYBUHqHJ0P7J2i45d3mdNPBOmwnj/ae4KN+Hr3HEludgNW23H57IgaHcM +CusFeZUGOyQowg6GR99o5k3/Mvo95irxmLD/FuLlAoIBAQCqcCSN/D8D92a764yL +n6ZTstZq3Jj0kHsMc+gtp+bfT15ZRVwPj5eC8U0oe+toXP13amv8iJ28pZWn47TR +M1/9xAcc5AtUKRs3L7csv+/ML14DskhpHo1mfm224o8EP8OojYz+kTRuQyzuEdA4 +wS8YAEQKC/ronMmKFaUaVnnO50hWtGhRn0TpJduEUIliTribBevf9ff9/TcV/NFY +L47+aQFxleKlO3/6mHrsAh9c3rCi4wncAa7IYUaox/z5yslYdoI4Z0ZUa6wqiAaM +4vGmfdlkDhyzzh/3CpA7ZIont//vhjCbiBQCyOPSXXVHLIDBk0PbHzANNubn548s +76y/AoIBADAE/XSuXiAxTy3jzUnPkw9GTxA3gFMDkRGlsPvAMoJ3H0Y9ow/kgwuB +lULGKfchp8Aqq1t156fiN8hXA0Ojz8egKwuzrrZih2Z373tEmOfBhe1wIbDGwbhY +7j5cOPmNEg2CPorI6yzeVDlEylM4yKzQqxgs09eNDHk8GCkdeHe7Lay5ChCmAohg +3xcz9f/Jsy+Ntn6CDzJPk8FmFOpFokLvHctmA94kjNfj781kwotkP/cSqfY1S+AJ +gxvUAkYupB+8XLLmD1I3C3aTRdA6NtwX6JlI1DKKHWsuNK8+kA8piSF5ECgDCFz7 +1MtPh2jZeC2RldWjRlBsY1fVC9SQF4k= +-----END PRIVATE KEY----- diff --git a/ops/deploy/telemetry/certs/collector.crt b/ops/deploy/telemetry/certs/collector.crt new file mode 100644 index 000000000..fe5242004 --- /dev/null +++ b/ops/deploy/telemetry/certs/collector.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmjCCA4KgAwIBAgIURlzXP0kww1npXz/oCffRcM5B7QAwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBUZWxlbWV0cnkgQ0EwHhcNMjUx +MTA1MTMxNDE2WhcNMjYxMTA1MTMxNDE2WjAjMSEwHwYDVQQDDBhzdGVsbGFvcHMt +b3RlbC1jb2xsZWN0b3IwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCp +TfZtIbS3A0gvYJY6MkHDW2TBD43+ooDqFFfxNsJTokmAT4InKRtX5ZXHS+Cpamg7 +g+Inre4U4nJ3gj9drGOonSyFi6MbEeYKhu7tRDqm6ryDfZ8AoMddwc8hasA4sajf +e+PEHvtZFQliCoR83gQa+GHn3y8OSqYoAkeS9cNbK2dPNXjeDLGpQletXuGNtHOZ +K2J67mhVIacDms8Vc7Up1beJ4Xg4w0XG1WW3sjkQk0KABtAWDv3nYZbF5q0XE3tD +lqGfg1pdZHARuZc8WqCURjjOFZIZyqKo26JBAtKYylUR2bhrrafYIaw3HgUSj+qO +m1Xe69P3JXnLLn3/A60S0URDBrVsY3ijXMhvcJV7QIIuGJYahe1J+o4cqtODJOiX +w8BlEIf5uypo4bNoTxgE7dODST963DncM3VOS6xI+Cn79P1XkWi0VXRruB+RwDCe +heXX1XHFrO/uvn/bZP66UiBx4sFA84NTqS9j3boQ/SH5ccEnmDvJ1EyhyDhQGgyl +n/kgOwU0w6j514aexw5eJ/pLAr8o620pBUItgxXK12oaIceGrM3nDAaraXFYfsIF +xF9V5WDqhtJ4IRJv4eAxUsWYVPgJ0uEYJ1C2eTh5YPktaBiHhCYBpDPSQBy1EJYi +av4n8reI1gW9sO0t4zHcTZISnZzVbXH4eC7vG/dVuQIDAQABo4HDMIHAMDQGA1Ud +EQQtMCuCGHN0ZWxsYW9wcy1vdGVsLWNvbGxlY3RvcoIJbG9jYWxob3N0hwR/AAAB +MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUcCTexBYq +9yCbUmHps6G/lIOIctkwSgYDVR0jBEMwQaEppCcwJTEjMCEGA1UEAwwaU3RlbGxh +T3BzIERldiBUZWxlbWV0cnkgQ0GCFDKF9uZOnv4aZOLZaMxkCQRXh8WaMA0GCSqG +SIb3DQEBCwUAA4ICAQBqtaI8No1BDaScO6/QCKbrsbFYxj/a7o9MwYoIgIldpIeB +YTN4EbRg8AqqkOcndRFQcX+T7bFIijL0gya4mF3/lY1jIHi/RLLfWSqrrLue00vR +GaXgiNMU34kJIXdv+sB/46Q3MdTdTLNmF+Y03sBqFIDuBFwUl6GHHZQ93kIeIlSc +m3Vrb5OAz2dbMwe6EW17hDQ48kyzmWqlp5AfCZml5Oj15JMixYzWB1wvUlgQ58kV +M7aG8tpUwp6WqpBLpx6zaYcqnb4GvJxFJVPJMdjrB7b8sIi4awGLijrcVdgcDjNo +1+gfqLca200m88hMa0bGui4LQtcGJxDJLDdE3Ud3isSvDVv62HWUu9YO2DMa3e8e +FG21zOWTPx/XlOOGonHdULQFETpySU78Xx6ql6lzmLoHDGGrktUTZxXqhKbflTmm +B3gfujICGW92pF/6dlc2euuk7DaeG7jWmoYvymEi2bkEcY83KiYwqrJzXpb79TE/ +NmbCVocTbdmDV+oDP5qmJhFzBhb2aQjp8Ufxt8eZ6PTTtUS46vZCJuKQEQcezsRD +G2+YAMshbjNMNA7pv755ykOaZT9vTBSpv7vF2XiiIpXtijXnzthVkOxW96jgubpd 
+Sh1DCq2QnuIXRTjsQi9uZqQ1nifxkuYRxEtFb5wvJ8UBwzZRdqP037yaIkQ0MA== +-----END CERTIFICATE----- diff --git a/ops/deploy/telemetry/certs/collector.key b/ops/deploy/telemetry/certs/collector.key new file mode 100644 index 000000000..e248a5f40 --- /dev/null +++ b/ops/deploy/telemetry/certs/collector.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCpTfZtIbS3A0gv +YJY6MkHDW2TBD43+ooDqFFfxNsJTokmAT4InKRtX5ZXHS+Cpamg7g+Inre4U4nJ3 +gj9drGOonSyFi6MbEeYKhu7tRDqm6ryDfZ8AoMddwc8hasA4sajfe+PEHvtZFQli +CoR83gQa+GHn3y8OSqYoAkeS9cNbK2dPNXjeDLGpQletXuGNtHOZK2J67mhVIacD +ms8Vc7Up1beJ4Xg4w0XG1WW3sjkQk0KABtAWDv3nYZbF5q0XE3tDlqGfg1pdZHAR +uZc8WqCURjjOFZIZyqKo26JBAtKYylUR2bhrrafYIaw3HgUSj+qOm1Xe69P3JXnL +Ln3/A60S0URDBrVsY3ijXMhvcJV7QIIuGJYahe1J+o4cqtODJOiXw8BlEIf5uypo +4bNoTxgE7dODST963DncM3VOS6xI+Cn79P1XkWi0VXRruB+RwDCeheXX1XHFrO/u +vn/bZP66UiBx4sFA84NTqS9j3boQ/SH5ccEnmDvJ1EyhyDhQGgyln/kgOwU0w6j5 +14aexw5eJ/pLAr8o620pBUItgxXK12oaIceGrM3nDAaraXFYfsIFxF9V5WDqhtJ4 +IRJv4eAxUsWYVPgJ0uEYJ1C2eTh5YPktaBiHhCYBpDPSQBy1EJYiav4n8reI1gW9 +sO0t4zHcTZISnZzVbXH4eC7vG/dVuQIDAQABAoICABuXZZAufI2Q3tw9wO3WD+qf +A+IEv27em+TKEPTyKCRKH/Flw7/PDrI567lxj7j8auU8Hoi560GDEAWS9/GzrQAn +MUDIW3oHZjaT++81/dsDCVrih52qFiOc+L0o8Q+sQGm/foSRSgQgDgnozeOtqPye +OxJ3SGtrVf3SNUjpfX9nqOv7Omnxpqh/c9uAyYB3BpnRPLjtDprFI7tOKO6Fj2I0 +frddQ+L4S/BWCcAwruUZIq7LrXDS26UwPcqdx9qpZZ7Dty5QUVNEEZGJ7fA7kszn +Ts2jLU6/u9eKB7zRkXGuE8QXd9swj1iFUFQhM9FtG9xGy21LgJ1YAavPtV/wgO16 +wwjkmHTpe4Nnub6kaIxKhuTE9exflIEo/dUn434glnUxHN9chH53FwM0zPVPUMLW +7sffBEGIneYCmlWZXsQqYDWiBEupUneeN0C0lVsscr5RqmkhT1q5uGVvlGpCjPfE +gANqstRUIzp0PyCNAbb4MGu9S3jtaOtci08DsRyNEO2hfoOlqMHcksCpJxH0bQPw +0pG1ToC6K6Rn7RzEbYH03mv3NC5gQ2zHR6WlfeWSJWzLQIreBcnAGk2GievJasuc +lZetXZ61CXh+wXjgf7156zLnQUw6HTI9HRwTOcX4QjpMH59zU3Tp+A83bLGAdroz +TGb9gbwilmMzS7CYOCabAoIBAQDWhJNSQVzJHwDqL3YA7jpbCRZNoOVuUnNNkgXi +qg97Ylpto92j9t/l2+gYEHLIrM6kBGP6KJyJ7Lsx6mnOPNQ1PuxMEv2CBhPAU/a6 +ENFJH99MRe4+AT8igl/yqBsL71VoHvvUpG2/0uAVRsHGxmzj/960t1P2fuQZ7nbF +XI0+n2gnh2PAoEJgb7THO1+/3k4j2Jekjkm+DRet3gns4U95ww+KLToDeyJKudMP +9qOL6HEue04FWwtjb/j6w3Oi8IxULopfdzQEyj86mC1OCkHpZWaGkiuKxnMGkvUY +rgEolx79UJp+I2soHlDRpRhPcv6yZtaHCHMk5HnGBGaTFeonAoIBAQDKCykm+v5o +HPKtiJUxyPYEBFhhawfTqvnTg9JJEC0blySZSGSKO1ct/f8ShaeJICZSA/p8Tbtp 
+767ds2Uphf99dZPLhzxug8oqCWmryGir8V2BibK7wLmFVObrJlZYn4wwG6lCd3+u +2ie6joC+5UKecGBsQhB930AUZyq8SnrQdiC7zjFk8caTlAjR7upVgcOJA9vOdMyD +Zx/v0jAJofmEZrNm+m/WTkX9lXLfsTXsoU2GgbIHY14qAsklPkJb2kaJL3dye2eL +VODOFt/RJoXzEqkc19R972j6I9l3fgOjWC0pcLrLN2kQNpDyH5EMmnPzVglJy7mI +1jjAEhyUtA0fAoIBAHqrw6dFE287mIVS8LMliB9o+eUYfjrxUVhpiY4N296d5sJN +88AAvBaxA29HcKxLDbwDeryiHqpMwtuPhkPWyy9LtUrnjSqemQrhuPS8C0I6xLHU +R6ITimwMjBuygAz6Jyfsl+wIv23zhAsGtGccL0bOmidTsuMBuyUNFcRU4byO4bvB +E40i1/JXztQjouSQlrSu9kC20Xqp+AGIOLrKOW2S2z8UD9nPv1NmIkk9rFakbJy9 +DGfJoaCSdpnHzUe/MTAukRh4jTm0AiZawYWgHgL+5ntL+TRZuYtn3FrpnmX8zU7k +mgRJ8sw1UdghBd7hDr8sSb9cWKQfN3fCKnowDP8CggEBAL/YayH1UB5h5li6iRf1 +vww/aABQleT5wzCBSepQbtR05q6Zm8XZ5MTqGgpnWJaPLXPRDUZ8tMk5amxfDF6q +OtfRDh5C8jHp98uElo8jw6gIjoYSzuESddZRsNZ116VdEcsYaNaRC29m/DRbXYpl +vKUfBZ+l92zd0EXPVDfn7MgGcryBZEt6e9jjxqA4YNACYD24qT1XkF3xTNT2WuC6 +qWd78TuF7y2pszG/d41KAm8HFsryWa5EP0Ra0s4HWRFIqJNYu+27ma0mUjO+apV5 +I9WT0Xpuwfk2nBJweezJfgDbGD7yKJwPqDZZ6bXOHXe/LPxQpI8q36g76TUPvY3B +jXcCggEAYOPrBzSX8PEYeFQXL7kI+vf+llZzsf5diZyk8hZ/TTD3auvaM5hZqeI5 +CLnSJOrEaCbyZlN8ytGuZCP4v6k1e11ekRjdUBBgRnmIxL0zQyTHiVb6GFuR/s+S +c3OxV8vMuuZgm9/fUVcgjeeKD1opSI51aCghJh+KuDBQbMYBH1BOrX3ZfZmgWzcn +vmTkCv1xdWhMuO6yuvobudaqkJHdOmivjD+ZOUEGvqKKg8sBIY2r5tW8qqHvlgES +GkeH66C+UKMAAjEUwLU4RyLNiuBzt6UQZ9hLsdtyyrnGZ6fuSOK/AvtoYbfr3RCZ +uYZljgYrmHZpQPucWwwmGNsDx+casg== +-----END PRIVATE KEY----- diff --git a/ops/devops/TASKS.md b/ops/devops/TASKS.md index 1631f69c6..7978b9d24 100644 --- a/ops/devops/TASKS.md +++ b/ops/devops/TASKS.md 
@@ -17,6 +17,8 @@ > Blocked: guard coverage suites and exporter hooks pending in Concelier/Excititor (CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003). | DEVOPS-AOC-19-101 | TODO (2025-10-28) | DevOps Guild, Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | Runbook committed in `docs/deploy/containers.md` + Offline Kit notes, staging rehearsal scheduled with dependencies captured in SPRINTS. | | DEVOPS-OBS-50-002 | DONE (2025-11-05) | DevOps Guild, Security Guild | DEVOPS-OBS-50-001, TELEMETRY-OBS-51-002 | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | Storage stack deployed with auth; retention configured; integration tests verify tenant isolation; runbook drafted. | +> 2025-11-05: Collector now exports to Tempo/Loki with tenant headers; tenant isolation smoke + CI integration landed. +| DEVOPS-OBS-50-003 | DONE (2025-11-05) | DevOps Guild | DEVOPS-OBS-50-002 | Automate telemetry tenant-isolation smoke in CI (compose stack + OTLP checks). | Build pipeline runs `tenant_isolation_smoke.py`; cleanup guards registered. | > Coordination started with Observability Guild (2025-10-26) to schedule staging rollout and provision service accounts. Staging bootstrap commands and secret names documented in `docs/modules/telemetry/operations/storage.md`. > 2025-10-30: Added static validator `ops/devops/telemetry/validate_storage_stack.py` and updated storage runbook to require it alongside TLS/tenant setup. | DEVOPS-OBS-51-001 | TODO | DevOps Guild, Observability Guild | WEB-OBS-51-001, DEVOPS-OBS-50-001 | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. 
| Dashboards live; evaluator emits webhooks; alert runbook referenced; staging alert fired in test. | 
@@ -117,8 +119,8 @@ |----|--------|----------|------------|-------------|---------------| | DEVOPS-CLI-41-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | Build pipeline operational; SBOM/checksums published; parity gate failing on drift; docs updated. | | DEVOPS-CLI-42-001 | TODO | DevOps Guild | DEVOPS-CLI-41-001, CLI-PARITY-41-001 | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | Golden tests running; parity diff automation in CI; pack run harness executes sample packs; documentation updated. | -| DEVOPS-CLI-43-001 | DOING (2025-10-27) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. | -> 2025-10-27: Release pipeline now packages CLI multi-platform artefacts with SBOM/signature coverage and enforces the CLI parity gate (`ops/devops/check_cli_parity.py`). Task Pack chaos smoke still pending CLI pack command delivery. +| DEVOPS-CLI-43-001 | DONE (2025-11-05) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. | +> 2025-11-05: Build/Test workflow now publishes CLI binaries for linux/mac/windows and runs CLI unit tests; release workflow gates on `check_cli_parity.py` and signs CLI SBOMs. Task Pack chaos smoke tracked under DEVOPS-CLI-43-002 pending Task Runner approvals GA. 
| DEVOPS-CLI-43-002 | TODO | DevOps Guild, Task Runner Guild | CLI-PACKS-43-001, TASKRUN-43-001 | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | Chaos smoke job runs nightly; failures alert Slack; evidence stored in `out/pack-chaos`; runbook updated. | | DEVOPS-CLI-43-003 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-PARITY-41-001, CLI-PACKS-42-001 | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | `check_cli_parity.py` wired to compare parity matrix and CLI outputs; artifact uploaded; release fails on regressions. 
diff --git a/ops/devops/telemetry/__pycache__/package_offline_bundle.cpython-312.pyc b/ops/devops/telemetry/__pycache__/package_offline_bundle.cpython-312.pyc deleted file mode 100644 index 68c232d63ebaaf44c5f8535100dda18797527c06..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7173 zcmbtYS!^7~nXaC$p8Mh@QY1ySBwizOW@I^{BwB|lo{AKbk*HmW0zGL?H-|HvYpZ)C zaWYzP4F?w2T9DpNAOcx0m;*2a^Fa@JP@ZDtArHGRGdpxhwjC?7xj@A?05BlHLQP%37I;Ha?_mF8mEm~YnnD`t$ErEEsk1Z)@iG@mW$eA_GvqV z3`nv{jt}51v_y{SZFT)Y@gdSyJ*xLb<5B2LyCt`1O4|?;&01}t^>hv8Em}*wwI|!Y zC;Psq@-8$==e{{t>1ob5T`Rh!IHmM6THt9x$x!F!FY4&^riPRXpvoHJtu`a z_+*npa6t%3ydp)Vn52+JKA4C`rJ#}^ydcYxBJ*?5P0YmgWoo*JTWHhnpFVp#p2aAd6o-fTMfXrLI6X?^0#Nq4i3(=G$>#ScroJ5gg$*7=wiM_t4x40;%U#eeB1Q#R%Th{K_ zS3a*!?N(CBsC18h)L!1_^UbKPYj?(nZVm?qC&s6S$ER)wiz=;&wGnC-A!ZMd1HH{Y zMM`-#Lhs=~DGB`}CW9i}fk}82nUXr3Lx0aIrV_~%ut2h3Bnj3VWaR3WS!{WkI##={7?skmbz2_m${c~Cl#Ai8qt zE@$in_werp7Z?2|3vLE{s3qxP9K)Gu~Fn)RY@;g_v zxcLjymxf--RC3<$9Oz_UbaDe%Oowa4CJ;SE88n1en4lqqf`*w6kXS~6alK?1YR)25 zKn|3W91`Y9i&EB;Oj$eLH9YCUApM|626C*TCt!>XU#|~8MDLY#<4tA}cE!N|5%U0f z*zt7px5Bba&4Vr+yg(EH{h%WE^Jzmb@8ML-t>MXuz^#diDb*-F49kiPx26!aW(4qU zJfVyv09A(xNe~rB65+UqRXKXMvdSb?Q%q+s(<8&Z7Oxc`E=)xtpkX9|uY|hbFW-i0 z3GEzj|BZ8a?ZoEY=QTf@+3vlT>%I0-@6Z!@^_73PpLGr|jY9RY$ysn7&z`*WeCn5X ze{uK22l>kr*-MjI{@Z!yt*rUhE{n{r|N4wYt`SD2-qH732Ws$-9Z>DNJ?b98=9s;g z(4n^%f%afI?8e~BGnZSh)Eu^YSgJzF18?siE09aN-vVs!=?xYXF{Dnl@&yhP;~`$w}EvAoC)Y! 
z4+~T?k)ryeS(ufzUP=3lV&Vt_6oQcGqDjsIColZvhfsl(VAnQ2lEX)~acd5@u1`H1 z%Hq~7e6e70ue2_=t}d+iUK0^k}xyNILMt=Q5uCeFw7)688<|n|wN0rwu&+lCh?_lrrbNKs_rd9!!XU3LZ{_T-8P$vw)nMn+rb#h}T=|0|M|K zP^5>7iZ#h#RhxcS`n?);uvg9S8vTCvqkz7?l)6xMwZ5Quzedh=5XU$-&*(j$@P2N9p`c#=d$g6&t|ht z7e5@$;>Im}bH`SrEn8BN-4~nOPkOKS|g<4Xr zw1a_u#3|HBYeh7dWGTbFX%NvP?r*sVOa*x&wI#|*3q0!g@vvmLYMWBc=|KritmCRN zsJZ%S3-#u`v(dzCn)7-WC7Cu0(xTchIC1;>=y>4z5IC9Fr|t%(CT>6vPzW3Xh$mE5 zir-J4*V*t80zd==riM?%`N@H)vDZqG54bQ|OhLmVh&hV!L;7fOxcqv4P5_V+`+1L5 zLnUg?6e%vMhJ>t|;9X&o0GB10NG_^YIW?OkiJ&BdwIiuG;o*a*_FJjA5{^l_wW}S3 z2ul(tbuw+tV)0}P z7OeJ_)61t<{LB8lwT03&>~x)b%x3MUa_0731ILXr1#|6+bJ@8nueWau{>FUf&jnj6 zct~7;DL9+6EmL{to$S3gvgSAbQm{2_+q!eMZaNJMVft9#Gx?d6ZMl?pUjFdata;=w zyDXi1DYwHuU)Y)k+R=-4%e7PN3$K0PBKzXv5$ONQ<+|3!{;G|G{^9ob$C?gSwC}KJ zqM})wWzPr@l{pL*MMK5LRwNwsyKH9x8}WNAAY)NqHJ|?wd=-tNNi=U-Dq8jxZ?r09 z9j)kKggVa$N(91#gGDSSG(`LVVNZ_#*SpFo5z%$vT@45K1s+G)0)gFd(-7PyN^+2d zwV*z2_Ih>Wo<620AWFU@we@^=F^SL*CdLE4AyyWXl4>fBsu+UiWZJ05{GfJ_UjUOr zQc}9_HYkCXwJ5r#Da}tUYIQe}{w5VBl3dn)9ThwPA4c$BA=^Oiz){k6F9g0C22jj# z7BT0>@ZG?z;gR&YK^;3_jt6~}!1)PEd^h!G`XLsEApyFKRyW}<|0`4wPdOU49qlG?p`ab?$nxTen$#~F9+h_jVQ-8-(99mnvlNt?wmYpt3+QgFBn?%Jo; zcdbvI?>e)`{dxD99mmjDFl#&u@6urMbjZVk0NqVXb}_u3BH=yKH z8y#C{4kIc-Dim;0(I7ylryx`1)^tm8nX=Je$3r4k1`y+~T;|XE&Uy${U5`uGS{g5F zah7V-kykYV5+B~+`FzsKBI>LZy%ijT)H0#*@;veJdIPkY|&*{7_A^ zqGNr2eL8DBvxQ&z)MR^m@y*48*^zbnw#@#5xo-8wdj0#ye{}p=`}W!4+}YtR^TIxD#kiJGc}P1;nP@GGIzyr` zsN(TNT!N*((o$_$V*;bpP1O2Tqvop78!-P8%pu`3JY}R`Se&k++(`^74>Jy&z5~6N z?kFT??g9BsiJnrWYXSW=bKo0?$X$knAl(sNK@zmmHp+s)c#e^KFrZokfw>fw=0Jc@ zFeG-A4$4EQn9#3B1swQ@bTy1X-c~Th#Ph)bcyKd$sAE@ooFboc(0p z-o9<`&Dnc5zMZrCmn=Iq&1-jZH4tFtYR+U|oyyfrEjfRO%~?xF9(R6BJAHY4Uh53x z@inc}o5xM$(1vNb36kclzu)pJbCo||QEGkbO;)3{fQnfg7a zof&05Z#&AI`usv2E@9a?sc$Ws>9{ano<*9f6>LXkaX)fHX$?N|Bc;%hA diff --git a/ops/devops/telemetry/generate_dev_tls.sh b/ops/devops/telemetry/generate_dev_tls.sh index 8742af9bd..348a35166 100644 --- a/ops/devops/telemetry/generate_dev_tls.sh 
+++ b/ops/devops/telemetry/generate_dev_tls.sh 
@@ -1,77 +1,77 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
-
-mkdir -p "${CERT_DIR}"
-
-CA_KEY="${CERT_DIR}/ca.key"
-CA_CRT="${CERT_DIR}/ca.crt"
-COL_KEY="${CERT_DIR}/collector.key"
-COL_CSR="${CERT_DIR}/collector.csr"
-COL_CRT="${CERT_DIR}/collector.crt"
-CLIENT_KEY="${CERT_DIR}/client.key"
-CLIENT_CSR="${CERT_DIR}/client.csr"
-CLIENT_CRT="${CERT_DIR}/client.crt"
-
-echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
-
-# Root CA
-if [[ ! -f "${CA_KEY}" ]]; then
- openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
-fi
-openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
- -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
- -config <(cat <<'EOF'
-[req]
-distinguished_name = req_distinguished_name
-prompt = no
-[req_distinguished_name]
-EOF
-) >/dev/null 2>&1
-
-# Collector certificate (server + client auth)
-openssl req -new -nodes -newkey rsa:4096 \
- -keyout "${COL_KEY}" \
- -out "${COL_CSR}" \
- -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
-
-openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
- -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
- -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-subjectAltName = @alt_names
-extendedKeyUsage = serverAuth, clientAuth
-[alt_names]
-DNS.1 = stellaops-otel-collector
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-# Client certificate
-openssl req -new -nodes -newkey rsa:4096 \
- -keyout "${CLIENT_KEY}" \
- -out "${CLIENT_CSR}" \
- -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
-
-openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
- -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
- -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-extendedKeyUsage = clientAuth
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = stellaops-otel-client
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-rm -f "${COL_CSR}" "${CLIENT_CSR}"
-rm -f "${CERT_DIR}/ca.srl"
-
-echo "[✓] Certificates ready:"
-ls -1 "${CERT_DIR}"
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
+
+mkdir -p "${CERT_DIR}"
+
+CA_KEY="${CERT_DIR}/ca.key"
+CA_CRT="${CERT_DIR}/ca.crt"
+COL_KEY="${CERT_DIR}/collector.key"
+COL_CSR="${CERT_DIR}/collector.csr"
+COL_CRT="${CERT_DIR}/collector.crt"
+CLIENT_KEY="${CERT_DIR}/client.key"
+CLIENT_CSR="${CERT_DIR}/client.csr"
+CLIENT_CRT="${CERT_DIR}/client.crt"
+
+echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
+
+# Root CA
+if [[ ! -f "${CA_KEY}" ]]; then
+ openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
+fi
+openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
+ -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
+ -config <(cat <<'EOF'
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+[req_distinguished_name]
+EOF
+) >/dev/null 2>&1
+
+# Collector certificate (server + client auth)
+openssl req -new -nodes -newkey rsa:4096 \
+ -keyout "${COL_KEY}" \
+ -out "${COL_CSR}" \
+ -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
+
+openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+ -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
+ -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth, clientAuth
+[alt_names]
+DNS.1 = stellaops-otel-collector
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+# Client certificate
+openssl req -new -nodes -newkey rsa:4096 \
+ -keyout "${CLIENT_KEY}" \
+ -out "${CLIENT_CSR}" \
+ -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
+
+openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+ -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
+ -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+extendedKeyUsage = clientAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = stellaops-otel-client
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+rm -f "${COL_CSR}" "${CLIENT_CSR}"
+rm -f "${CERT_DIR}/ca.srl"
+
+echo "[✓] Certificates ready:"
+ls -1 "${CERT_DIR}"
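Review bot: The `if [[ ! -f "${CA_KEY}" ]]` guard in the Root CA step reuses any existing `ca.key`, and this commit also checks `ops/deploy/telemetry/certs/ca.key` into the repository, which is the directory `CERT_DIR` resolves to. Every checkout, including the CI smoke job that runs this script, would therefore sign the collector and client certificates with a CA private key that anyone with read access to the repository holds, so the mutual-TLS trust built on it is only suitable for throwaway local use. The generated `*.key` files should be kept out of version control (ignore the `certs/` directory and generate on demand), and since `-nodes` leaves the keys unencrypted I would add `umask 077` right after `set -euo pipefail` so they are not created group- or world-readable. The blanket `>/dev/null 2>&1` on each openssl call also hides the reason when `set -e` aborts the script; dropping `2>&1` would keep a failed generation diagnosable. Old and new sides of this hunk read identically here, so the change itself is presumably line endings or whitespace only.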