up

ops/devops/console/build-console-image.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# Build console container image with SBOM and optional attestations
+# Usage: ./build-console-image.sh [tag] [registry]
+# Example: ./build-console-image.sh 2025.10.0-edge ghcr.io/stellaops
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+TAG="${1:-$(date +%Y%m%dT%H%M%S)}"
+REGISTRY="${2:-registry.stella-ops.org/stellaops}"
+IMAGE_NAME="console"
+FULL_IMAGE="${REGISTRY}/${IMAGE_NAME}:${TAG}"
+
+# Freeze timestamps for reproducibility
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1704067200}
+
+echo "==> Building console image: ${FULL_IMAGE}"
+
+# Build using the existing Dockerfile.console
+docker build \
+  --file "${REPO_ROOT}/ops/devops/docker/Dockerfile.console" \
+  --build-arg APP_DIR=src/Web/StellaOps.Web \
+  --build-arg APP_PORT=8080 \
+  --tag "${FULL_IMAGE}" \
+  --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+  --label "org.opencontainers.image.revision=$(git -C "${REPO_ROOT}" rev-parse HEAD 2>/dev/null || echo 'unknown')" \
+  --label "org.opencontainers.image.source=https://github.com/stellaops/stellaops" \
+  --label "org.opencontainers.image.title=StellaOps Console" \
+  --label "org.opencontainers.image.description=StellaOps Angular Console (non-root nginx)" \
+  "${REPO_ROOT}"
+
+# Get digest
+DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "${FULL_IMAGE}" 2>/dev/null || echo "${FULL_IMAGE}")
+
+echo "==> Image built: ${FULL_IMAGE}"
+echo "==> Digest: ${DIGEST}"
+
+# Output metadata for CI
+mkdir -p "${SCRIPT_DIR}/../artifacts/console"
+cat > "${SCRIPT_DIR}/../artifacts/console/build-metadata.json" <<EOF
+{
+  "image": "${FULL_IMAGE}",
+  "digest": "${DIGEST}",
+  "tag": "${TAG}",
+  "registry": "${REGISTRY}",
+  "buildTime": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "gitCommit": "$(git -C "${REPO_ROOT}" rev-parse HEAD 2>/dev/null || echo 'unknown')",
+  "sourceDateEpoch": "${SOURCE_DATE_EPOCH}"
+}
+EOF
+
+echo "==> Build metadata written to ops/devops/artifacts/console/build-metadata.json"
+
+# Generate SBOM if syft is available
+if command -v syft &>/dev/null; then
+  echo "==> Generating SBOM..."
+  syft "${FULL_IMAGE}" -o spdx-json > "${SCRIPT_DIR}/../artifacts/console/console.spdx.json"
+  syft "${FULL_IMAGE}" -o cyclonedx-json > "${SCRIPT_DIR}/../artifacts/console/console.cdx.json"
+  echo "==> SBOMs written to ops/devops/artifacts/console/"
+else
+  echo "==> Skipping SBOM generation (syft not found)"
+fi
+
+# Sign and attest if cosign is available and key is set
+if command -v cosign &>/dev/null; then
+  if [[ -n "${COSIGN_KEY:-}" ]]; then
+    echo "==> Signing image with cosign..."
+    cosign sign --key "${COSIGN_KEY}" "${FULL_IMAGE}"
+
+    if [[ -f "${SCRIPT_DIR}/../artifacts/console/console.spdx.json" ]]; then
+      echo "==> Attesting SBOM..."
+      cosign attest --predicate "${SCRIPT_DIR}/../artifacts/console/console.spdx.json" \
+        --type spdx --key "${COSIGN_KEY}" "${FULL_IMAGE}"
+    fi
+    echo "==> Image signed and attested"
+  else
+    echo "==> Skipping signing (COSIGN_KEY not set)"
+  fi
+else
+  echo "==> Skipping signing (cosign not found)"
+fi
+
+echo "==> Console image build complete"
+echo "    Image: ${FULL_IMAGE}"

ops/devops/console/package-offline-bundle.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+# Package console for offline/airgap deployment
+# Usage: ./package-offline-bundle.sh [image] [output-dir]
+# Example: ./package-offline-bundle.sh registry.stella-ops.org/stellaops/console:2025.10.0 ./offline-bundle
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+IMAGE="${1:-registry.stella-ops.org/stellaops/console:latest}"
+OUTPUT_DIR="${2:-${SCRIPT_DIR}/../artifacts/console/offline-bundle}"
+BUNDLE_NAME="console-offline-$(date +%Y%m%dT%H%M%S)"
+
+# Freeze timestamps
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1704067200}
+
+echo "==> Creating offline bundle for: ${IMAGE}"
+mkdir -p "${OUTPUT_DIR}"
+
+# Save image as tarball
+IMAGE_TAR="${OUTPUT_DIR}/${BUNDLE_NAME}.tar"
+echo "==> Saving image to ${IMAGE_TAR}..."
+docker save "${IMAGE}" -o "${IMAGE_TAR}"
+
+# Calculate checksums
+echo "==> Generating checksums..."
+cd "${OUTPUT_DIR}"
+sha256sum "${BUNDLE_NAME}.tar" > "${BUNDLE_NAME}.tar.sha256"
+
+# Copy Helm values
+echo "==> Including Helm values overlay..."
+cp "${REPO_ROOT}/deploy/helm/stellaops/values-console.yaml" "${OUTPUT_DIR}/"
+
+# Copy Dockerfile for reference
+cp "${REPO_ROOT}/ops/devops/docker/Dockerfile.console" "${OUTPUT_DIR}/"
+
+# Generate SBOMs if syft available
+if command -v syft &>/dev/null; then
+  echo "==> Generating SBOMs..."
+  syft "${IMAGE}" -o spdx-json > "${OUTPUT_DIR}/${BUNDLE_NAME}.spdx.json"
+  syft "${IMAGE}" -o cyclonedx-json > "${OUTPUT_DIR}/${BUNDLE_NAME}.cdx.json"
+fi
+
+# Create manifest
+cat > "${OUTPUT_DIR}/manifest.json" <<EOF
+{
+  "bundle": "${BUNDLE_NAME}",
+  "image": "${IMAGE}",
+  "imageTarball": "${BUNDLE_NAME}.tar",
+  "checksumFile": "${BUNDLE_NAME}.tar.sha256",
+  "helmValues": "values-console.yaml",
+  "dockerfile": "Dockerfile.console",
+  "sbom": {
+    "spdx": "${BUNDLE_NAME}.spdx.json",
+    "cyclonedx": "${BUNDLE_NAME}.cdx.json"
+  },
+  "createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "sourceDateEpoch": "${SOURCE_DATE_EPOCH}"
+}
+EOF
+
+# Create load script
+cat > "${OUTPUT_DIR}/load.sh" <<'LOAD'
+#!/usr/bin/env bash
+# Load console image into local Docker daemon
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+MANIFEST="${SCRIPT_DIR}/manifest.json"
+
+if [[ ! -f "${MANIFEST}" ]]; then
+  echo "ERROR: manifest.json not found" >&2
+  exit 1
+fi
+
+TARBALL=$(jq -r '.imageTarball' "${MANIFEST}")
+CHECKSUM_FILE=$(jq -r '.checksumFile' "${MANIFEST}")
+
+echo "==> Verifying checksum..."
+cd "${SCRIPT_DIR}"
+sha256sum -c "${CHECKSUM_FILE}"
+
+echo "==> Loading image..."
+docker load -i "${TARBALL}"
+
+IMAGE=$(jq -r '.image' "${MANIFEST}")
+echo "==> Image loaded: ${IMAGE}"
+LOAD
+chmod +x "${OUTPUT_DIR}/load.sh"
+
+# Create README
+cat > "${OUTPUT_DIR}/README.md" <<EOF
+# Console Offline Bundle
+
+This bundle contains the StellaOps Console container image and deployment assets
+for air-gapped environments.
+
+## Contents
+
+- \`${BUNDLE_NAME}.tar\` - Docker image tarball
+- \`${BUNDLE_NAME}.tar.sha256\` - SHA-256 checksum
+- \`values-console.yaml\` - Helm values overlay
+- \`Dockerfile.console\` - Reference Dockerfile
+- \`${BUNDLE_NAME}.spdx.json\` - SPDX SBOM (if generated)
+- \`${BUNDLE_NAME}.cdx.json\` - CycloneDX SBOM (if generated)
+- \`manifest.json\` - Bundle manifest
+- \`load.sh\` - Image load helper script
+
+## Usage
+
+1. Transfer this bundle to the air-gapped environment
+2. Verify checksums: \`sha256sum -c ${BUNDLE_NAME}.tar.sha256\`
+3. Load image: \`./load.sh\` or \`docker load -i ${BUNDLE_NAME}.tar\`
+4. Deploy with Helm: \`helm install stellaops ../stellaops -f values-console.yaml\`
+
+## Image Details
+
+- Image: \`${IMAGE}\`
+- Created: $(date -u +%Y-%m-%dT%H:%M:%SZ)
+- Non-root user: UID 101 (nginx-unprivileged)
+- Port: 8080
+
+## Verification
+
+The image runs as non-root and supports read-only root filesystem.
+Enable \`readOnlyRootFilesystem: true\` in your security context.
+EOF
+
+echo "==> Offline bundle created at: ${OUTPUT_DIR}"
+echo "==> Contents:"
+ls -la "${OUTPUT_DIR}"