# Helm values for the StellaOps chart (global settings, Surface.Env, telemetry
# collector, ConfigMaps and per-service overrides).
#
# NOTE(review): the indentation below was reconstructed from a
# whitespace-flattened copy of this file. The nesting of `migrations`,
# `networkPolicy`, `ingress` and `externalSecrets` (top-level vs. under
# `global`), and of `Mongo` / `seedCsafPublishers` inside issuer-directory.yaml,
# was inferred from key names and the ISSUERDIRECTORY__* env vars further down —
# confirm against the chart templates before relying on it.
global:
  release:
    version: ""
    channel: ""
    # Expected SHA-256 of the release manifest; empty disables the check if the
    # chart implements one (not verifiable from this file).
    manifestSha256: ""
    profile: ""
  image:
    # NOTE(review): every service image below is referenced by a mutable
    # `2025.10.0-edge` tag. With IfNotPresent a node keeps serving whatever
    # it cached under that tag, so a re-tagged image is not picked up and the
    # running image is not what the release manifest says. Pin by digest
    # (`image@sha256:...`) for supply-chain integrity, or use Always for edge.
    pullPolicy: IfNotPresent
  labels: {}
migrations:
  enabled: false
  jobs: []
networkPolicy:
  # NOTE(review): off by default. The services below reach scanner-web, mongo
  # and nats over plaintext http://, mongodb:// and nats:// URLs with no
  # credentials in the URL, so with no NetworkPolicy any pod in the cluster
  # can talk to those endpoints. Enable this (and the namespace/pod selectors
  # below) in any shared cluster.
  enabled: false
  ingressPort: 80
  egressPort: 443
  ingressNamespaces: {}
  ingressPods: {}
  egressNamespaces: {}
  egressPods: {}
ingress:
  enabled: false
  className: nginx
  annotations: {}
  hosts: []
  # Leave `tls` empty only when TLS is terminated in front of the ingress;
  # otherwise hosts listed above are served over plaintext HTTP.
  tls: []
externalSecrets:
  enabled: false
  secrets: []
# Surface.Env configuration for Scanner/Zastava components
# See docs/modules/scanner/design/surface-env.md for details
surface:
  # Surface.FS storage configuration
  fs:
    # Base URI for Surface.FS / RustFS / S3-compatible store (required)
    # Use an https:// endpoint; the bucket holds manifests and artefacts that
    # feed scan results, so an unauthenticated or plaintext store can be
    # tampered with in transit.
    endpoint: ""
    # Bucket/container for manifests and artefacts
    bucket: "surface-cache"
    # Optional region for S3-compatible stores (AWS/GCS)
    region: ""
  # Local cache configuration
  cache:
    # Local directory for warm caches
    root: "/var/lib/stellaops/surface"
    # Soft limit for on-disk cache usage in MB (64-262144)
    quotaMb: 4096
    # Enable manifest prefetch threads
    prefetchEnabled: false
  # Tenant configuration
  tenant: "default"
  # Comma-separated feature switches
  features: ""
  # TLS configuration for client authentication
  tls:
    # Path to PEM/PKCS#12 certificate file
    certPath: ""
    # Optional private key path when cert/key stored separately
    keyPath: ""
    # Secret name containing TLS cert/key
    # Prefer mounting from this Secret over baking cert/key into the image.
    secretName: ""
  # Secrets provider configuration
  secrets:
    # Provider ID: kubernetes, file, inline
    provider: "kubernetes"
    # Kubernetes namespace for secrets provider
    namespace: ""
    # Path or base for file provider
    root: ""
    # Optional fallback provider ID
    # NOTE(review): a fallback of "inline" or "file" silently widens where
    # secrets may come from when the primary provider fails; keep it empty or
    # pointing at an equally trusted provider.
    fallbackProvider: ""
    # Allow inline secrets (disable in production)
    # Inline secrets end up in the rendered ConfigMap below (see configMaps.
    # surface-env.data.*_SECRETS_ALLOW_INLINE) and therefore in the Helm
    # release history; keep false outside local development.
    allowInline: false
telemetry:
  collector:
    enabled: false
    replicas: 1
    # NOTE(review): upstream image by tag only; pin a digest for the same
    # reason as global.image.pullPolicy above.
    image: otel/opentelemetry-collector:0.105.0
    # Require mTLS from exporters; the CA in tls.caPath is presumably what
    # client certificates are verified against — confirm in the collector
    # config template. Do not disable this in shared clusters: without it any
    # pod can inject telemetry under an arbitrary tenant.
    requireClientCert: true
    # Tenant attributed to data whose client identity carries no tenant.
    defaultTenant: unknown
    logLevel: info
    tls:
      secretName: ""
      certPath: /etc/otel/tls/tls.crt
      keyPath: /etc/otel/tls/tls.key
      caPath: /etc/otel/tls/ca.crt
      # Secret keys projected to the paths above.
      items:
        - key: tls.crt
          path: tls.crt
        - key: tls.key
          path: tls.key
        - key: ca.crt
          path: ca.crt
    service:
      grpcPort: 4317
      httpPort: 4318
      metricsPort: 9464
    resources: {}
configMaps:
  # Surface.Env environment variables for Scanner/Zastava components
  # NOTE(review): the "{{ .Values.* }}" strings here live in a values file, so
  # they only expand if the chart renders ConfigMap data through `tpl`; if it
  # does not, the literal template text is what reaches the container.
  surface-env:
    data:
      SCANNER_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
      SCANNER_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
      SCANNER_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
      SCANNER_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
      SCANNER_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
      SCANNER_SURFACE_FEATURES: "{{ .Values.surface.features }}"
      # Only the paths are exported; the key material itself comes from
      # surface.tls.secretName, not from this ConfigMap.
      SCANNER_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
      SCANNER_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
      SCANNER_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
      # Zastava consumers inherit Scanner defaults but can be overridden via ZASTAVA_* envs
      ZASTAVA_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
      ZASTAVA_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
      ZASTAVA_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
      ZASTAVA_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
      ZASTAVA_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
      ZASTAVA_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
      ZASTAVA_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
      ZASTAVA_SURFACE_FEATURES: "{{ .Values.surface.features }}"
      ZASTAVA_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
      ZASTAVA_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
      ZASTAVA_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
      ZASTAVA_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
      ZASTAVA_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
      ZASTAVA_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
      ZASTAVA_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
  # Issuer Directory application config, mounted as /etc/issuer-directory.yaml
  # by services.issuer-directory.configMounts below.
  #
  # Security notes on the embedded document (comments cannot go inside the
  # block scalar without becoming part of the mounted file):
  # - authority.requireHttpsMetadata stays true: setting it false lets OIDC
  #   discovery/JWKS be fetched over plaintext, which is a token-forgery path.
  # - authority.issuer (authority.svc.cluster.local/realms/stellaops) differs
  #   from ISSUERDIRECTORY__AUTHORITY__BASEURL (https://authority:8440) set on
  #   the service; the `iss` claim in issued tokens must match `issuer` exactly
  #   or validation fails — confirm the two are meant to differ.
  # - Mongo.connectionString carries no credentials. This is a ConfigMap, so
  #   do not add a password here; supply it via the issuer-directory-secrets
  #   Secret the service already loads through envFrom.
  issuer-directory-config:
    data:
      issuer-directory.yaml: |
        IssuerDirectory:
          telemetry:
            minimumLogLevel: Information
          authority:
            enabled: true
            issuer: https://authority.svc.cluster.local/realms/stellaops
            requireHttpsMetadata: true
            audiences:
              - stellaops-platform
            readScope: issuer-directory:read
            writeScope: issuer-directory:write
            adminScope: issuer-directory:admin
            tenantHeader: X-StellaOps-Tenant
          seedCsafPublishers: true
          csafSeedPath: data/csaf-publishers.json
          Mongo:
            connectionString: mongodb://mongo:27017
            database: issuer-directory
            issuersCollection: issuers
            issuerKeysCollection: issuer_keys
            issuerTrustCollection: issuer_trust_overrides
            auditCollection: issuer_audit
  # Policy Engine activation controls.
  # NOTE(review): both two-person-approval switches default to "false", so a
  # single identity can activate a policy. For production set
  # FORCETWOPERSONAPPROVAL to "true"; keep EMITAUDITLOGS "true" so activations
  # remain attributable either way. Values are quoted because they are env
  # strings, not YAML booleans.
  policy-engine-activation:
    data:
      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
services:
  issuer-directory:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    replicas: 1
    configMounts:
      - name: issuer-directory-config
        configMap: issuer-directory-config
        mountPath: /etc/issuer-directory.yaml
        subPath: issuer-directory.yaml
    # Credentials (e.g. the Mongo password) are expected to come from this
    # Secret rather than from the ConfigMap above.
    envFrom:
      - secretRef:
          name: issuer-directory-secrets
    env:
      ISSUERDIRECTORY__CONFIG: /etc/issuer-directory.yaml
      ISSUERDIRECTORY__AUTHORITY__BASEURL: https://authority:8440
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "true"
    ports:
      - containerPort: 8080
    service:
      port: 8080
    # NOTE(review): readiness probes the same /health/live path as liveness,
    # so the pod is marked Ready as soon as the process is up, before the
    # authority and Mongo dependencies are reachable. If the service exposes a
    # dependency-aware readiness endpoint, point this probe at it instead.
    readinessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 20
  scheduler-worker:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    replicas: 1
    command:
      - dotnet
      - StellaOps.Scheduler.Worker.Host.dll
    # NOTE(review): queue, storage and scanner endpoints are all plaintext and
    # carry no credentials in the URL. That is only acceptable when
    # networkPolicy.enabled is true (or a service mesh enforces mTLS) and the
    # NATS/Mongo credentials arrive through a Secret.
    env:
      SCHEDULER__QUEUE__KIND: Nats
      SCHEDULER__QUEUE__NATS__URL: nats://nats:4222
      SCHEDULER__STORAGE__CONNECTIONSTRING: mongodb://scheduler-mongo:27017
      SCHEDULER__STORAGE__DATABASE: stellaops_scheduler
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: http://scanner-web:8444
  advisory-ai-web:
    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.10.0-edge
    service:
      port: 8448
    env:
      # Plaintext in-cluster call to the scanner; see the scheduler-worker
      # note above.
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://scanner-web:8444
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
      # Local keeps SBOM/advisory data inside the cluster. Switching to Remote
      # sends that data to Remote__BaseAddress — treat it as an egress decision.
      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
      # NOTE(review): anything set here is rendered into the pod spec as a
      # plain env value (and into the Helm release history). If remote
      # inference is enabled, inject the key from a Secret (envFrom/secretRef
      # as issuer-directory does) rather than filling in this value.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
    volumeMounts:
      - name: advisory-ai-data
        mountPath: /var/lib/advisory-ai
    volumeClaims:
      - name: advisory-ai-data
        claimName: stellaops-advisory-ai-data
  advisory-ai-worker:
    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.10.0-edge
    # Same settings and caveats as advisory-ai-web; the two share the PVC
    # below, so queue/plan/output directories must stay in sync between them.
    env:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://scanner-web:8444
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
      # Source from a Secret if populated; see advisory-ai-web.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
    volumeMounts:
      - name: advisory-ai-data
        mountPath: /var/lib/advisory-ai
    volumeClaims:
      - name: advisory-ai-data
        claimName: stellaops-advisory-ai-data