# =============================================================================
# SEALED CI - AIR-GAPPED TESTING ENVIRONMENT
# =============================================================================
# Sealed/air-gapped CI environment for testing offline functionality.
# All services run in isolated network with no external egress.
#
# Usage:
#   docker compose -f docker-compose.sealed-ci.yml up -d
#
# NOTE(review): nothing in this file blocks outbound traffic. `sealed-ci` is an
# ordinary bridge network (no `internal: true`), and a default bridge lets
# containers reach external hosts through the Docker host. The "no external
# egress" property therefore has to come from outside this file (runner
# firewall / network policy) or from the services' own sealed-mode settings
# below - confirm which. `internal: true` is not a drop-in fix: it would also
# affect the host-published ports used by the harness.
# =============================================================================

# Labels shared by every service (merged in through the YAML alias below).
x-release-labels: &release-labels
  com.stellaops.profile: 'sealed-ci'
  com.stellaops.airgap.mode: 'sealed'

networks:
  # Single user-defined bridge that all five services join.
  sealed-ci:
    driver: bridge

volumes:
  sealed-postgres-data:
  sealed-valkey-data:

services:
  postgres:
    # Pinned by digest, so the image content cannot change under the tag.
    image: docker.io/library/postgres@sha256:8e97b8526ed19304b144f7478bc9201646acf0723cdc6e4b19bc9eb34879a27e
    restart: unless-stopped
    environment:
      # NOTE(review): fixed credentials committed in the compose file and
      # repeated in the three connection strings below. Tolerable only for a
      # throwaway CI database; never reuse this value outside the harness.
      POSTGRES_USER: sealedci
      POSTGRES_PASSWORD: sealedci-secret
      # NOTE(review): only the `stellaops` database is named here, while the
      # services connect to `authority`, `signer` and `attestor`. Presumably
      # those databases are created elsewhere (init script or migrations) -
      # confirm.
      POSTGRES_DB: stellaops
    volumes:
      - sealed-postgres-data:/var/lib/postgresql/data
    networks:
      - sealed-ci
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U sealedci -d stellaops']
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  valkey:
    # NOTE(review): the only image referenced by mutable tag instead of digest.
    # A tag can be re-pointed upstream; pin it by digest like the other images
    # so the sealed environment is reproducible and verifiable.
    image: docker.io/valkey/valkey:9.0.1-alpine
    restart: unless-stopped
    # No authentication is configured for the cache. It is not published to the
    # host, so it is reachable only from containers on the `sealed-ci` network.
    command: ['valkey-server', '--appendonly', 'yes']
    volumes:
      - sealed-valkey-data:/data
    networks:
      - sealed-ci
    healthcheck:
      test: ['CMD', 'valkey-cli', 'ping']
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  authority:
    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
    # Long-form depends_on: waits for the health checks of both backing stores.
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    restart: unless-stopped
    environment:
      # NOTE(review): listener and issuer are plain HTTP, yet the mTLS sender
      # constraint is enabled below. Client-certificate binding needs TLS
      # somewhere in the path; presumably the mounted harness config and
      # /certificates cover this - confirm.
      ASPNETCORE_URLS: 'http://+:5088'
      STELLAOPS_AUTHORITY__ISSUER: 'http://authority.sealed-ci.local'
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: postgres
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: 'Host=postgres;Port=5432;Database=authority;Username=sealedci;Password=sealedci-secret'
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: 'valkey:6379'
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: /app/plugins
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: /app/plugins
      # Quoted so the services receive the string "true", not a YAML boolean.
      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__DPOP__ENABLED: 'true'
      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__MTLS__ENABLED: 'true'
      STELLAOPS_AUTHORITY__AIRGAP__EGRESS__MODE: Sealed
    volumes:
      # All bind mounts are read-only, so the container cannot alter the
      # harness config, plugins or certificate material on the host.
      - ../services/sealed-mode-ci/authority.harness.yaml:/etc/authority.yaml:ro
      - ../services/sealed-mode-ci/plugins:/app/plugins:ro
      # NOTE(review): check whether this directory holds private keys; if it
      # does, mount only the files this service needs.
      - ../../certificates:/certificates:ro
    ports:
      # NOTE(review): no host address given, so Docker publishes on all host
      # interfaces, over plain HTTP. On a shared runner, binding to loopback
      # ('127.0.0.1:5088:5088') limits exposure; same for 6088 and 7088 below.
      - '5088:5088'
    networks:
      - sealed-ci
    labels: *release-labels

  signer:
    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
    # Short-form depends_on: orders start-up only. `authority` defines no
    # healthcheck, so readiness is not awaited.
    depends_on:
      - authority
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: 'http://+:6088'
      SIGNER__AUTHORITY__BASEURL: 'http://authority:5088'
      # NOTE(review): the introspection URL points at the `/device-code` path,
      # which looks like a harness placeholder - confirm it is intended.
      SIGNER__POE__INTROSPECTURL: 'http://authority:5088/device-code'
      SIGNER__STORAGE__DRIVER: postgres
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: 'Host=postgres;Port=5432;Database=signer;Username=sealedci;Password=sealedci-secret'
      SIGNER__CACHE__REDIS__CONNECTIONSTRING: 'valkey:6379'
      SIGNER__SEALED__MODE: Enabled
    ports:
      - '6088:6088'
    networks:
      - sealed-ci
    labels: *release-labels

  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
    # Start-up ordering only; see the note on `signer`.
    depends_on:
      - signer
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: 'http://+:7088'
      ATTESTOR__SIGNER__BASEURL: 'http://signer:6088'
      ATTESTOR__STORAGE__DRIVER: postgres
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: 'Host=postgres;Port=5432;Database=attestor;Username=sealedci;Password=sealedci-secret'
      ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: 'valkey:6379'
      ATTESTOR__SEALED__MODE: Enabled
    ports:
      - '7088:7088'
    networks:
      - sealed-ci
    labels: *release-labels