CD/CD consolidation

StellaOps Bot
2025-12-26 17:32:23 +02:00
parent a866eb6277
commit c786faae84
638 changed files with 3821 additions and 181 deletions


@@ -0,0 +1,42 @@
# Graph Indexer Release/Offline Bundle Plan (DEVOPS-GRAPH-INDEX-28-010-REL)
## Goals
- Publish signed Helm/Compose bundles for Graph Indexer with offline parity.
- Provide SBOM + attestations for images/charts and reproducible artefacts for air-gap kits.
## Artefacts
- Helm chart + values overrides (offline/airgap).
- Docker/OCI images (indexer, api) pinned by digest.
- SBOMs (SPDX JSON) for images and chart.
- Cosign attestations for images and chart tarball.
- Offline bundle: tarball containing images (oras layout), charts, values, SBOMs, attestations, and `SHA256SUMS`.
## Pipeline outline
1) **Build** images (indexer + api) with SBOM generation (`syft`), tag and record digests.
2) **Sign** images with cosign key (KMS for online; file key for offline bundle) and produce attestations.
3) **Chart package**: render chart, package to `.tgz`, generate SBOM for chart, sign with cosign.
4) **Compose export**: render Compose file with pinned digests and non-root users.
5) **Bundle**: assemble offline tarball:
- `images/` oras layout with signed images
- `charts/graph-indexer.tgz` + signature
- `compose/graph-indexer.yml` (pinned digests)
- `sboms/` for images + chart
- `attestations/` (cosign bundles)
- `SHA256SUMS` and `SHA256SUMS.sig`
6) **Verify step**: pipeline stage runs `cosign verify`, `sha256sum --check`, and `helm template` smoke render with airgap values.
7) **Publish**: upload to artefact store + offline kit; write manifest with hashes/versions.
## Security/hardening
- Non-root images, read-only rootfs, drop NET_RAW, seccomp default.
- Telemetry disabled; no registry pulls at runtime.
- mTLS between indexer and dependencies (documented values).
## Evidence to capture
- Image digests, SBOM hashes, cosign verification logs.
- Bundle `SHA256SUMS` and signed manifest.
- Helm/Compose render outputs (short).
## Owners
- DevOps Guild (build/pipeline)
- Graph Indexer Guild (chart/values)
- Platform Security (signing policy)
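Review bot: the verify step in item 6 (`cosign verify`, `sha256sum --check`, `helm template` smoke render) never verifies `SHA256SUMS.sig`, even though item 5 lists it as a bundle artefact and the "Evidence to capture" section relies on a "signed manifest"; without that check, an attacker who can edit the tarball can rewrite `SHA256SUMS` and the unsigned `sha256sum --check` will still pass. Add a `cosign verify-blob` of `SHA256SUMS` against `SHA256SUMS.sig` to item 6, and state which key or identity every `cosign verify` call is pinned to: item 2 signs with a KMS key online and a file key for the offline bundle, so the verify stage must name the expected public key for each path, and the plan should say how the air-gap consumer obtains that public key out of band (or how its fingerprint is documented if it ships inside the bundle), since `cosign verify` without a pinned key or identity proves nothing. It would also help to document the consumer-side verification order (verify `SHA256SUMS.sig`, then `sha256sum --check`, then cosign on images and chart from the local oras layout) so the offline kit can be validated without any registry or transparency-log access, which is consistent with the "no registry pulls at runtime" requirement. Minor: "seccomp default" and "drop NET_RAW" in the hardening section are underspecified; name the profile (e.g. the runtime's default profile) and consider dropping all capabilities and adding back only what the indexer and api actually need, so the Compose export in item 4 and the chart values agree on one documented baseline.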