# StellaOps Console — Docker Install Recipes > **Audience:** Deployment Guild, Console Guild, platform operators. > **Scope:** Acquire the `stellaops/web-ui` image, run it with Compose or Helm, mirror it for air‑gapped environments, and keep parity with CLI workflows. This guide focuses on the new **StellaOps Console** container. Start with the general [Installation Guide](../21_INSTALL_GUIDE.md) for shared prerequisites (Docker, registry access, TLS) and use the steps below to layer in the console. --- ## 1 · Release artefacts | Artefact | Source | Verification | |----------|--------|--------------| | Console image | `registry.stella-ops.org/stellaops/web-ui@sha256:` | Listed in `deploy/releases/.yaml` (`yq '.services[] | select(.name=="web-ui") | .image'`). Signed with Cosign (`cosign verify --key https://stella-ops.org/keys/cosign.pub …`). | | Compose bundles | `deploy/compose/docker-compose.{dev,stage,prod,airgap}.yaml` | Each profile already includes a `web-ui` service pinned to the release digest. Run `docker compose --env-file -f docker-compose..yaml config` to confirm the digest matches the manifest. | | Helm values | `deploy/helm/stellaops/values-*.yaml` (`services.web-ui`) | CI lints the chart; use `helm template` to confirm the rendered Deployment/Service carry the expected digest and env vars. | | Offline artefact (preview) | Generated via `oras copy registry.stella-ops.org/stellaops/web-ui@sha256: oci-archive:stellaops-web-ui-.tar` | Record SHA-256 in the downloads manifest (`DOWNLOADS-CONSOLE-23-001`) and sign with Cosign before shipping in the Offline Kit. | > **Tip:** Keep Compose/Helm digests in sync with the release manifest to preserve determinism. `deploy/tools/validate-profiles.sh` performs a quick cross-check. --- ## 2 · Compose quickstart (connected host) 1. **Prepare workspace** ```bash mkdir stella-console && cd stella-console cp /path/to/repo/deploy/compose/env/dev.env.example .env ``` 2. **Add console configuration** – append the following to `.env` (adjust per environment): ```bash CONSOLE_PUBLIC_BASE_URL=https://console.dev.stella-ops.local CONSOLE_GATEWAY_BASE_URL=https://api.dev.stella-ops.local AUTHORITY_ISSUER=https://authority.dev.stella-ops.local AUTHORITY_CLIENT_ID=console-ui AUTHORITY_SCOPES="ui.read ui.admin findings:read advisory:read vex:read aoc:verify" AUTHORITY_DPOP_ENABLED=true ``` Optional extras from [`docs/deploy/console.md`](../deploy/console.md): ```bash CONSOLE_FEATURE_FLAGS=runs,downloads,policies CONSOLE_METRICS_ENABLED=true CONSOLE_LOG_LEVEL=Information ``` 3. **Verify bundle provenance** ```bash cosign verify-blob \ --key https://stella-ops.org/keys/cosign.pub \ --signature /path/to/repo/deploy/compose/docker-compose.dev.yaml.sig \ /path/to/repo/deploy/compose/docker-compose.dev.yaml ``` 4. **Launch infrastructure + console** ```bash docker compose --env-file .env -f /path/to/repo/deploy/compose/docker-compose.dev.yaml up -d mongo minio docker compose --env-file .env -f /path/to/repo/deploy/compose/docker-compose.dev.yaml up -d web-ui ``` The `web-ui` service exposes the console on port `8443` by default. Change the published port in the Compose file if you need to front it with an existing reverse proxy. 5. **Health check** ```bash curl -k https://console.dev.stella-ops.local/health/ready ``` Expect `{"status":"Ready"}`. If the response is `401`, confirm Authority credentials and scopes. --- ## 3 · Helm deployment (cluster) 1. **Create an overlay** (example `console-values.yaml`): ```yaml global: release: version: "2025.10.0-edge" services: web-ui: image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf service: port: 8443 env: CONSOLE_PUBLIC_BASE_URL: "https://console.dev.stella-ops.local" CONSOLE_GATEWAY_BASE_URL: "https://api.dev.stella-ops.local" AUTHORITY_ISSUER: "https://authority.dev.stella-ops.local" AUTHORITY_CLIENT_ID: "console-ui" AUTHORITY_SCOPES: "ui.read ui.admin findings:read advisory:read vex:read aoc:verify" AUTHORITY_DPOP_ENABLED: "true" CONSOLE_FEATURE_FLAGS: "runs,downloads,policies" CONSOLE_METRICS_ENABLED: "true" ``` 2. **Render and validate** ```bash helm template stella-console ./deploy/helm/stellaops -f console-values.yaml | \ grep -A2 'name: stellaops-web-ui' -A6 'image:' ``` 3. **Deploy** ```bash helm upgrade --install stella-console ./deploy/helm/stellaops \ -f deploy/helm/stellaops/values-dev.yaml \ -f console-values.yaml ``` 4. **Post-deploy checks** ```bash kubectl get pods -l app.kubernetes.io/name=stellaops-web-ui kubectl port-forward deploy/stellaops-web-ui 8443:8443 curl -k https://localhost:8443/health/ready ``` --- ## 4 · Offline packaging 1. **Mirror the image to an OCI archive** ```bash DIGEST=$(yq '.services[] | select(.name=="web-ui") | .image' deploy/releases/2025.10-edge.yaml | cut -d@ -f2) oras copy registry.stella-ops.org/stellaops/web-ui@${DIGEST} \ oci-archive:stellaops-web-ui-2025.10.0.tar shasum -a 256 stellaops-web-ui-2025.10.0.tar ``` 2. **Sign the archive** ```bash cosign sign-blob --key ~/keys/offline-kit.cosign \ --output-signature stellaops-web-ui-2025.10.0.tar.sig \ stellaops-web-ui-2025.10.0.tar ``` 3. **Load in the air-gap** ```bash docker load --input stellaops-web-ui-2025.10.0.tar docker tag stellaops/web-ui@${DIGEST} registry.airgap.local/stellaops/web-ui:2025.10.0 ``` 4. **Update the Offline Kit manifest** (once the downloads pipeline lands): ```bash jq '.artifacts.console.webUi = { "digest": "sha256:'"${DIGEST#sha256:}"'", "archive": "stellaops-web-ui-2025.10.0.tar", "signature": "stellaops-web-ui-2025.10.0.tar.sig" }' downloads/manifest.json > downloads/manifest.json.tmp mv downloads/manifest.json.tmp downloads/manifest.json ``` Re-run `stella offline kit import downloads/manifest.json` to validate signatures inside the air‑gapped environment. --- ## 5 · CLI parity Console operations map directly to scriptable workflows: | Action | CLI path | |--------|----------| | Fetch signed manifest entry | `stella downloads manifest show --artifact console/web-ui` *(CLI task `CONSOLE-DOC-23-502`, pending release)* | | Mirror digest to OCI archive | `stella downloads mirror --artifact console/web-ui --to oci-archive:stellaops-web-ui.tar` *(planned alongside CLI AOC parity)* | | Import offline kit | `stella offline kit import stellaops-web-ui-2025.10.0.tar` | | Validate console health | `stella console status --endpoint https://console.dev.stella-ops.local` *(planned; fallback to `curl` as shown above)* | Track progress for the CLI commands via `DOCS-CONSOLE-23-014` (CLI vs UI parity matrix). --- ## 6 · Compliance checklist - [ ] Image digest validated against the current release manifest. - [ ] Compose/Helm deployments verified with `docker compose config` / `helm template`. - [ ] Authority issuer, scopes, and DPoP settings documented and applied. - [ ] Offline archive mirrored, signed, and recorded in the downloads manifest. - [ ] CLI parity notes linked to the upcoming `docs/cli-vs-ui-parity.md` matrix. - [ ] References cross-checked with `docs/deploy/console.md` and `docs/security/console-security.md`. - [ ] Health checks documented for connected and air-gapped installs. --- ## 7 · References - `deploy/releases/.yaml` – Release manifest (digests, SBOM metadata). - `deploy/compose/README.md` – Compose profile overview. - `deploy/helm/stellaops/values-*.yaml` – Helm defaults per environment. - `/docs/deploy/console.md` – Detailed environment variables, CSP, health checks. - `/docs/security/console-security.md` – Auth flows, scopes, DPoP, monitoring. - `/docs/ui/downloads.md` – Downloads manifest workflow and offline parity guidance. --- *Last updated: 2025-10-28 (Sprint 23).*