# Zastava Deployment Runbook

> **Audience:** DevOps, Zastava Guild
>
> **Purpose:** Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters.

## 1. Prerequisites

- Kubernetes 1.26+ with admission registration permissions.
- Access to StellaOps Container Registry or offline bundle with Zastava images.
- Authority scopes and certificates configured for Zastava identities.
- Surface.FS cache endpoint (RustFS/S3) reachable from nodes.

## 2. Installation Steps

1. **Prepare namespace & secrets**
   - Create Kubernetes namespace (default `stellaops-runtime`).
   - Provision secrets (`zastava-mtls`, `zastava-op-token`, `surface-secrets`).
2. **Deploy Observer**
   - Apply Helm chart `helm/zastava` with values aligning to Surface.Env settings.
   - Confirm DaemonSet pods schedule on all nodes; check `/healthz` endpoints.
3. **Deploy Webhook**
   - Install ValidatingWebhookConfiguration with CA bundle and service reference.
   - Enable dry-run mode first, monitor logs, then switch `enforce=true` once validations pass.
4. **Configure policies**
   - Populate admission policies in Policy Engine; ensure tokens contain `runtime:read` scopes.
   - Update CLI/Console settings for runtime posture view.
5. **Observability**
   - Scrape metrics (`zastava_observer_*`, `zastava_webhook_*`).
   - Stream logs to central collector.

## 3. Air-Gapped Deployment Notes

- Use Offline Kit bundle (`offline/zastava/`) to load images and configuration.
- Validate Surface.FS bundles before enabling enforcement.
- Replace webhook CA with offline authority; document rotation schedule.

## 4. Validation

- Run `stella runtime policy test` against sample workloads.
- Trigger deployment denial for unsigned images; verify Notifier emits alerts.
- Check timeline events for observer telemetry.

## 5. References

- `docs/modules/zastava/architecture.md`
- `docs/modules/scanner/architecture.md`
- `docs/airgap/airgap-mode.md`
- `docs/forensics/timeline.md`
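
Added example (not part of the StellaOps repository): a POSIX shell pre-flight for the Section 2 installation steps, checking the three secrets, Observer DaemonSet readiness and the webhook CA bundle before `enforce=true` is set. The DaemonSet name `zastava-observer` and the webhook configuration name `zastava-webhook` are assumptions; override them through the environment variables shown.

```shell
#!/bin/sh
# Added example (not StellaOps tooling): checks to run before switching enforce=true.
# ASSUMPTION: the DaemonSet and webhook configuration names below are hypothetical;
# use the names your Helm release creates. Secret names and namespace are the runbook's.
NS="${ZASTAVA_NAMESPACE:-stellaops-runtime}"
DAEMONSET="${ZASTAVA_DAEMONSET:-zastava-observer}"     # hypothetical
WEBHOOK_CFG="${ZASTAVA_WEBHOOK_CFG:-zastava-webhook}"  # hypothetical
REQUIRED_SECRETS="zastava-mtls zastava-op-token surface-secrets"

# Print each required secret absent from the namespace; non-zero if any is absent.
missing_secrets() {
  ms_rc=0
  for ms_name in $REQUIRED_SECRETS; do
    if ! kubectl -n "$NS" get secret "$ms_name" >/dev/null 2>&1; then
      echo "$ms_name"
      ms_rc=1
    fi
  done
  return "$ms_rc"
}

# Succeed only when the Observer DaemonSet has a ready pod on every scheduled node.
observer_ready() {
  or_want=$(kubectl -n "$NS" get daemonset "$DAEMONSET" \
    -o jsonpath='{.status.desiredNumberScheduled}') || return 1
  or_have=$(kubectl -n "$NS" get daemonset "$DAEMONSET" \
    -o jsonpath='{.status.numberReady}') || return 1
  [ -n "$or_want" ] && [ "$or_want" -gt 0 ] && [ "$or_want" = "$or_have" ]
}

# Succeed only when every webhook entry carries a caBundle. Each output line is
# "<name> <caBundle>", so a line with fewer than two fields means an empty bundle.
webhook_has_ca() {
  kubectl get validatingwebhookconfiguration "$WEBHOOK_CFG" \
    -o jsonpath='{range .webhooks[*]}{.name}{" "}{.clientConfig.caBundle}{"\n"}{end}' |
    awk 'NF != 2 { bad = 1 } END { exit (bad || NR == 0) }'
}

# Run all checks, report each failure on stderr, return non-zero if any failed.
preflight() {
  pf_rc=0
  pf_missing=$(missing_secrets) || { echo "missing secrets in $NS:" $pf_missing >&2; pf_rc=1; }
  observer_ready || { echo "DaemonSet $DAEMONSET is not ready on all nodes" >&2; pf_rc=1; }
  webhook_has_ca || { echo "$WEBHOOK_CFG has a webhook without caBundle" >&2; pf_rc=1; }
  return "$pf_rc"
}
```

Source the file and call `preflight`; a non-zero return means at least one check failed and the webhook should stay in dry-run.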