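# syntax=docker/dockerfile:1.4
# StellaOps Regional Crypto Profile
#
# Selects the regional cryptographic configuration at build time: the
# profile-specific appsettings file is copied over a fixed, profile-independent
# path, and the chosen profile is exposed to the runtime through environment
# variables and to tooling through image labels. Every service stage below is
# built from the single `regional-profile` stage, so all of them carry the same
# profile; the service is chosen with `--target <stage>`.

# ============================================================================
# Build Arguments
# ============================================================================
# CRYPTO_PROFILE selects etc/appsettings.crypto.<profile>.yaml from the build
# context. Supported values are listed under "Regional Profile Descriptions"
# at the end of this file. An unknown value fails the build at the COPY step
# because no matching file exists (fail-closed; there is no silent fallback).
ARG CRYPTO_PROFILE=international
# Base image that already contains the built service assemblies under
# /app/<service>. NOTE(review): a floating `latest` tag is not reproducible;
# CI should pin it, e.g. --build-arg BASE_IMAGE=stellaops/platform@sha256:<digest>.
ARG BASE_IMAGE=stellaops/platform:latest
# SERVICE_NAME is accepted for caller compatibility but is not consumed by any
# instruction in this file; use `--target <stage>` to pick the service.
ARG SERVICE_NAME=authority

# ============================================================================
# Regional Crypto Profile Layer
# ============================================================================
FROM ${BASE_IMAGE} AS regional-profile

# Build args must be redeclared inside a stage to be visible after FROM.
ARG CRYPTO_PROFILE

# Install the profile-specific configuration under a fixed path so the runtime
# loader always reads the same file regardless of profile. Both files are
# copied as plain files from the build context; this Dockerfile performs no
# integrity check on them, so their trustworthiness rests on the build context
# and on signing/attestation of the resulting image.
COPY etc/appsettings.crypto.${CRYPTO_PROFILE}.yaml /app/etc/appsettings.crypto.yaml
COPY etc/crypto-plugins-manifest.json /app/etc/crypto-plugins-manifest.json

# Environment variables read by the runtime for profile verification and for
# locating the configuration and plugin manifest. Set in one instruction to
# avoid three near-empty layers.
ENV STELLAOPS_CRYPTO_PROFILE=${CRYPTO_PROFILE} \
    STELLAOPS_CRYPTO_CONFIG_PATH=/app/etc/appsettings.crypto.yaml \
    STELLAOPS_CRYPTO_MANIFEST_PATH=/app/etc/crypto-plugins-manifest.json

# Image metadata. The `config` label names the path the file actually has
# inside the image (the COPY above renames it to appsettings.crypto.yaml);
# the previous value pointed at /app/etc/appsettings.crypto.${CRYPTO_PROFILE}.yaml,
# which does not exist in the image.
LABEL com.stellaops.crypto.profile="${CRYPTO_PROFILE}" \
      com.stellaops.crypto.config="/app/etc/appsettings.crypto.yaml" \
      com.stellaops.crypto.runtime-selection="true"

# ============================================================================
# Service-Specific Regional Images
# ============================================================================
# Each stage only sets the working directory and entrypoint; all configuration
# and environment comes from `regional-profile`.

# Authority with Regional Crypto
FROM regional-profile AS authority
WORKDIR /app/authority
ENTRYPOINT ["dotnet", "StellaOps.Authority.WebService.dll"]

# Signer with Regional Crypto
FROM regional-profile AS signer
WORKDIR /app/signer
ENTRYPOINT ["dotnet", "StellaOps.Signer.WebService.dll"]

# Attestor with Regional Crypto
FROM regional-profile AS attestor
WORKDIR /app/attestor
ENTRYPOINT ["dotnet", "StellaOps.Attestor.WebService.dll"]

# Concelier with Regional Crypto
FROM regional-profile AS concelier
WORKDIR /app/concelier
ENTRYPOINT ["dotnet", "StellaOps.Concelier.WebService.dll"]

# Scanner with Regional Crypto
FROM regional-profile AS scanner
WORKDIR /app/scanner
ENTRYPOINT ["dotnet", "StellaOps.Scanner.WebService.dll"]

# Excititor with Regional Crypto
FROM regional-profile AS excititor
WORKDIR /app/excititor
ENTRYPOINT ["dotnet", "StellaOps.Excititor.WebService.dll"]

# Policy with Regional Crypto
FROM regional-profile AS policy
WORKDIR /app/policy
ENTRYPOINT ["dotnet", "StellaOps.Policy.WebService.dll"]

# Scheduler with Regional Crypto
FROM regional-profile AS scheduler
WORKDIR /app/scheduler
ENTRYPOINT ["dotnet", "StellaOps.Scheduler.WebService.dll"]

# Notify with Regional Crypto
FROM regional-profile AS notify
WORKDIR /app/notify
ENTRYPOINT ["dotnet", "StellaOps.Notify.WebService.dll"]

# Zastava with Regional Crypto
FROM regional-profile AS zastava
WORKDIR /app/zastava
ENTRYPOINT ["dotnet", "StellaOps.Zastava.WebService.dll"]

# Gateway with Regional Crypto
FROM regional-profile AS gateway
WORKDIR /app/gateway
ENTRYPOINT ["dotnet", "StellaOps.Gateway.WebService.dll"]

# AirGap Importer with Regional Crypto
FROM regional-profile AS airgap-importer
WORKDIR /app/airgap-importer
ENTRYPOINT ["dotnet", "StellaOps.AirGap.Importer.dll"]

# AirGap Exporter with Regional Crypto
FROM regional-profile AS airgap-exporter
WORKDIR /app/airgap-exporter
ENTRYPOINT ["dotnet", "StellaOps.AirGap.Exporter.dll"]

# CLI with Regional Crypto
FROM regional-profile AS cli
WORKDIR /app/cli
ENTRYPOINT ["dotnet", "StellaOps.Cli.dll"]

# ============================================================================
# Build Instructions
# ============================================================================
# Build the international profile (default):
#   docker build -f deploy/docker/Dockerfile.crypto-profile \
#     --build-arg CRYPTO_PROFILE=international \
#     --target authority \
#     -t stellaops/authority:international .
#
# Build the Russia (GOST) profile:
#   docker build -f deploy/docker/Dockerfile.crypto-profile \
#     --build-arg CRYPTO_PROFILE=russia \
#     --target scanner \
#     -t stellaops/scanner:russia .
#
# Build the EU (eIDAS) profile:
#   docker build -f deploy/docker/Dockerfile.crypto-profile \
#     --build-arg CRYPTO_PROFILE=eu \
#     --target signer \
#     -t stellaops/signer:eu .
#
# Build the China (SM) profile:
#   docker build -f deploy/docker/Dockerfile.crypto-profile \
#     --build-arg CRYPTO_PROFILE=china \
#     --target attestor \
#     -t stellaops/attestor:china .
#
# ============================================================================
# Regional Profile Descriptions
# ============================================================================
# international: Default NIST algorithms (ES256, RS256, SHA-256)
#                Uses the offline-verification plugin
#                Jurisdiction: world
#
# russia:        GOST R 34.10-2012, GOST R 34.11-2012
#                Uses the CryptoPro CSP plugin
#                Jurisdiction: russia
#                Requires: CryptoPro CSP SDK
#
# eu:            eIDAS-compliant qualified trust services
#                Uses the eIDAS plugin with qualified certificates
#                Jurisdiction: eu
#                Requires: eIDAS trust service provider integration
#
# china:         SM2, SM3, SM4 algorithms
#                Uses the SM crypto plugin
#                Jurisdiction: china
#                Requires: GmSSL or BouncyCastle SM extensions
#
# ============================================================================
# Runtime Configuration
# ============================================================================
# The crypto provider is selected at runtime based on:
#   1. the STELLAOPS_CRYPTO_PROFILE environment variable
#   2. the /app/etc/appsettings.crypto.yaml configuration file
#   3. the /app/etc/crypto-plugins-manifest.json plugin metadata
#
# Plugin loading sequence:
#   1. Application starts
#   2. CryptoPluginLoader reads /app/etc/appsettings.crypto.yaml
#   3. Loads enabled plugins from the manifest
#   4. Validates platform compatibility
#   5. Validates jurisdiction compliance
#   6. Registers providers with the DI container
#   7. Application uses the ICryptoProvider abstraction
#
# No cryptographic code is executed until runtime plugin selection completes.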