up

deploy/helm/stellaops/templates/console.yaml

@@ -0,0 +1,108 @@
+{{- if .Values.console.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stellaops.fullname" . }}-console
+  labels:
+    app.kubernetes.io/component: console
+    {{- include "stellaops.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.console.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: console
+      {{- include "stellaops.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: console
+        {{- include "stellaops.selectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml .Values.console.securityContext | nindent 8 }}
+      containers:
+        - name: console
+          image: {{ .Values.console.image }}
+          imagePullPolicy: {{ .Values.global.image.pullPolicy | default "IfNotPresent" }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.console.port | default 8080 }}
+              protocol: TCP
+          securityContext:
+            {{- toYaml .Values.console.containerSecurityContext | nindent 12 }}
+          livenessProbe:
+            {{- toYaml .Values.console.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.console.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.console.resources | nindent 12 }}
+          volumeMounts:
+            {{- toYaml .Values.console.volumeMounts | nindent 12 }}
+          env:
+            - name: APP_PORT
+              value: "{{ .Values.console.port | default 8080 }}"
+      volumes:
+        {{- toYaml .Values.console.volumes | nindent 8 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "stellaops.fullname" . }}-console
+  labels:
+    app.kubernetes.io/component: console
+    {{- include "stellaops.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.console.service.type | default "ClusterIP" }}
+  ports:
+    - port: {{ .Values.console.service.port | default 80 }}
+      targetPort: {{ .Values.console.service.targetPort | default 8080 }}
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/component: console
+    {{- include "stellaops.selectorLabels" . | nindent 4 }}
+{{- if .Values.console.ingress.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "stellaops.fullname" . }}-console
+  labels:
+    app.kubernetes.io/component: console
+    {{- include "stellaops.labels" . | nindent 4 }}
+  {{- with .Values.console.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.console.ingress.className }}
+  ingressClassName: {{ .Values.console.ingress.className }}
+  {{- end }}
+  {{- if .Values.console.ingress.tls }}
+  tls:
+    {{- range .Values.console.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.console.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType | default "Prefix" }}
+            backend:
+              service:
+                name: {{ include "stellaops.fullname" $ }}-console
+                port:
+                  name: http
+          {{- end }}
+    {{- end }}
+{{- end }}
+{{- end }}

deploy/helm/stellaops/values-console.yaml

@@ -0,0 +1,84 @@
+# Console (Angular SPA) values overlay
+# Use: helm install stellaops . -f values-console.yaml
+
+console:
+  enabled: true
+  image: registry.stella-ops.org/stellaops/console:2025.10.0-edge
+  replicas: 1
+  port: 8080
+
+  # Backend API URL injected via config.json at startup
+  apiBaseUrl: ""
+  # Authority URL for OAuth/OIDC
+  authorityUrl: ""
+  # Tenant header name
+  tenantHeader: "X-StellaOps-Tenant"
+
+  # Resource limits (nginx is lightweight)
+  resources:
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+
+  # Service configuration
+  service:
+    type: ClusterIP
+    port: 80
+    targetPort: 8080
+
+  # Ingress configuration (enable for external access)
+  ingress:
+    enabled: false
+    className: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    hosts:
+      - host: console.local
+        paths:
+          - path: /
+            pathType: Prefix
+    tls: []
+
+  # Health probes
+  livenessProbe:
+    httpGet:
+      path: /
+      port: 8080
+    initialDelaySeconds: 10
+    periodSeconds: 30
+  readinessProbe:
+    httpGet:
+      path: /
+      port: 8080
+    initialDelaySeconds: 5
+    periodSeconds: 10
+
+  # Pod security context (non-root per DOCKER-44-001)
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 101
+    runAsGroup: 101
+    fsGroup: 101
+
+  # Container security context
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+
+  # Volume mounts for nginx temp directories (RO rootfs)
+  volumeMounts:
+    - name: nginx-cache
+      mountPath: /var/cache/nginx
+    - name: nginx-run
+      mountPath: /var/run
+  volumes:
+    - name: nginx-cache
+      emptyDir: {}
+    - name: nginx-run
+      emptyDir: {}

deploy/helm/stellaops/values-exporter.yaml

@@ -0,0 +1,58 @@
+# Exporter (Export Center) values overlay
+# Use: helm install stellaops . -f values-exporter.yaml
+
+exporter:
+  enabled: true
+  image: registry.stella-ops.org/stellaops/exporter:2025.10.0-edge
+  replicas: 1
+  port: 8080
+
+  # Export configuration
+  storage:
+    # Object store for export artifacts
+    endpoint: ""
+    bucket: "stellaops-exports"
+    region: ""
+
+  # Retention policy
+  retention:
+    defaultDays: 30
+    maxDays: 365
+
+  resources:
+    limits:
+      cpu: "500m"
+      memory: "512Mi"
+    requests:
+      cpu: "100m"
+      memory: "256Mi"
+
+  service:
+    type: ClusterIP
+    port: 8080
+
+  livenessProbe:
+    httpGet:
+      path: /health/liveness
+      port: 8080
+    initialDelaySeconds: 10
+    periodSeconds: 30
+
+  readinessProbe:
+    httpGet:
+      path: /health/readiness
+      port: 8080
+    initialDelaySeconds: 5
+    periodSeconds: 10
+
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 10001
+    runAsGroup: 10001
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL

deploy/helm/stellaops/values-ledger.yaml

@@ -0,0 +1,59 @@
+# Ledger (Findings Ledger) values overlay
+# Use: helm install stellaops . -f values-ledger.yaml
+
+ledger:
+  enabled: true
+  image: registry.stella-ops.org/stellaops/findings-ledger:2025.10.0-edge
+  replicas: 1
+  port: 8080
+
+  # Database configuration
+  postgres:
+    host: ""
+    port: 5432
+    database: "stellaops_ledger"
+    schema: "findings"
+    # Connection string override (takes precedence)
+    connectionString: ""
+
+  # Tenant isolation
+  multiTenant: true
+  defaultTenant: "default"
+
+  resources:
+    limits:
+      cpu: "1000m"
+      memory: "1Gi"
+    requests:
+      cpu: "200m"
+      memory: "512Mi"
+
+  service:
+    type: ClusterIP
+    port: 8080
+
+  livenessProbe:
+    httpGet:
+      path: /health/liveness
+      port: 8080
+    initialDelaySeconds: 15
+    periodSeconds: 30
+
+  readinessProbe:
+    httpGet:
+      path: /health/readiness
+      port: 8080
+    initialDelaySeconds: 10
+    periodSeconds: 10
+
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 10001
+    runAsGroup: 10001
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL