CD/CD consolidation

devops/helm/stellaops/values-prod.yaml

@@ -0,0 +1,339 @@
+global:
+  profile: prod
+  release:
+    version: "2025.09.2"
+    channel: stable
+    manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: stable
+    stellaops.io/profile: prod
+
+# Migration jobs for controlled rollouts (disabled by default)
+migrations:
+  enabled: false
+  jobs: []
+
+networkPolicy:
+  enabled: true
+  ingressPort: 8443
+  egressPort: 443
+  ingressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+  egressNamespaces:
+    kubernetes.io/metadata.name: stellaops
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  hosts:
+    - host: gateway.prod.stella-ops.org
+      path: /
+      servicePort: 80
+  tls:
+    - secretName: stellaops-prod-tls
+      hosts:
+        - gateway.prod.stella-ops.org
+
+externalSecrets:
+  enabled: true
+  secrets:
+    - name: core-secrets
+      storeRef:
+        name: stellaops-secret-store
+        kind: ClusterSecretStore
+      target:
+        name: stellaops-prod-core
+      data:
+        - key: STELLAOPS_AUTHORITY__JWT__SIGNINGKEY
+          remoteKey: prod/authority/jwt-signing-key
+        - key: STELLAOPS_SECRETS_ENCRYPTION_KEY
+          remoteKey: prod/core/secrets-encryption-key
+
+prometheus:
+  enabled: true
+  path: /metrics
+  port: 8080
+  scheme: http
+
+hpa:
+  enabled: true
+  minReplicas: 2
+  maxReplicas: 6
+  cpu:
+    targetPercentage: 70
+  memory:
+    targetPercentage: 75
+
+configMaps:
+  notify-config:
+    data:
+      notify.yaml: |
+        storage:
+          driver: mongo
+          connectionString: "mongodb://stellaops-mongo:27017"
+          database: "stellaops_notify_prod"
+          commandTimeoutSeconds: 45
+
+        authority:
+          enabled: true
+          issuer: "https://authority.prod.stella-ops.org"
+          metadataAddress: "https://authority.prod.stella-ops.org/.well-known/openid-configuration"
+          requireHttpsMetadata: true
+          allowAnonymousFallback: false
+          backchannelTimeoutSeconds: 30
+          tokenClockSkewSeconds: 60
+          audiences:
+            - notify
+          readScope: notify.read
+          adminScope: notify.admin
+
+        api:
+          basePath: "/api/v1/notify"
+          internalBasePath: "/internal/notify"
+          tenantHeader: "X-StellaOps-Tenant"
+
+        plugins:
+          baseDirectory: "/opt/stellaops"
+          directory: "plugins/notify"
+          searchPatterns:
+            - "StellaOps.Notify.Connectors.*.dll"
+          orderedPlugins:
+            - StellaOps.Notify.Connectors.Slack
+            - StellaOps.Notify.Connectors.Teams
+            - StellaOps.Notify.Connectors.Email
+            - StellaOps.Notify.Connectors.Webhook
+
+        telemetry:
+          enableRequestLogging: true
+          minimumLogLevel: Information
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://authority.prod.stella-ops.org"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.prod.stella-ops.org/introspect"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    service:
+      port: 8444
+    env:
+      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "true"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+      SCANNER__OFFLINEKIT__ENABLED: "false"
+      SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
+      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
+      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
+      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
+      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
+      SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"
+      SCANNER_SURFACE_SECRETS_ROOT: "stellaops/scanner"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    replicas: 3
+    env:
+      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "true"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
+      SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"
+      SCANNER_SURFACE_SECRETS_ROOT: "stellaops/scanner"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  notify-web:
+    image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
+    service:
+      port: 8446
+    env:
+      DOTNET_ENVIRONMENT: Production
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-notify
+    configMounts:
+      - name: notify-config
+        mountPath: /app/etc/notify.yaml
+        subPath: notify.yaml
+        configMap: notify-config
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  advisory-ai-web:
+    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.09.2
+    service:
+      port: 8448
+    env:
+      ADVISORYAI__AdvisoryAI__SbomBaseAddress: https://stellaops-scanner-web:8444
+      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
+      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
+      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
+      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
+      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
+      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+    volumeMounts:
+      - name: advisory-ai-data
+        mountPath: /var/lib/advisory-ai
+    volumeClaims:
+      - name: advisory-ai-data
+        claimName: stellaops-advisory-ai-data
+  advisory-ai-worker:
+    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.09.2
+    env:
+      ADVISORYAI__AdvisoryAI__SbomBaseAddress: https://stellaops-scanner-web:8444
+      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
+      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
+      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
+      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
+      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
+      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+    volumeMounts:
+      - name: advisory-ai-data
+        mountPath: /var/lib/advisory-ai
+    volumeClaims:
+      - name: advisory-ai-data
+        claimName: stellaops-advisory-ai-data
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-mongo
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-minio
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  rustfs:
+    class: infrastructure
+    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+    service:
+      port: 8080
+    command:
+      - serve
+      - --listen
+      - 0.0.0.0:8080
+      - --root
+      - /data
+    env:
+      RUSTFS__LOG__LEVEL: info
+      RUSTFS__STORAGE__PATH: /data
+    volumeMounts:
+      - name: rustfs-data
+        mountPath: /data
+    volumeClaims:
+      - name: rustfs-data
+        claimName: stellaops-rustfs-data