319 lines
12 KiB
YAML
319 lines
12 KiB
YAML
global:
|
|
profile: airgap
|
|
release:
|
|
version: "2025.09.2-airgap"
|
|
channel: airgap
|
|
manifestSha256: "b787b833dddd73960c31338279daa0b0a0dce2ef32bd32ef1aaf953d66135f94"
|
|
image:
|
|
pullPolicy: IfNotPresent
|
|
labels:
|
|
stellaops.io/channel: airgap
|
|
|
|
migrations:
|
|
enabled: false
|
|
jobs: []
|
|
|
|
networkPolicy:
|
|
enabled: true
|
|
ingressPort: 8443
|
|
egressPort: 443
|
|
ingressNamespaces:
|
|
kubernetes.io/metadata.name: stellaops
|
|
egressNamespaces:
|
|
kubernetes.io/metadata.name: stellaops
|
|
|
|
ingress:
|
|
enabled: false
|
|
className: nginx
|
|
annotations: {}
|
|
hosts: []
|
|
tls: []
|
|
|
|
externalSecrets:
|
|
enabled: false
|
|
secrets: []
|
|
|
|
prometheus:
|
|
enabled: true
|
|
path: /metrics
|
|
port: 8080
|
|
scheme: http
|
|
|
|
hpa:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 3
|
|
cpu:
|
|
targetPercentage: 70
|
|
memory:
|
|
targetPercentage: 80
|
|
|
|
configMaps:
|
|
notify-config:
|
|
data:
|
|
notify.yaml: |
|
|
storage:
|
|
driver: postgres
|
|
connectionString: "Host=stellaops-postgres;Port=5432;Database=notify;Username=stellaops;Password=stellaops"
|
|
commandTimeoutSeconds: 60
|
|
|
|
authority:
|
|
enabled: true
|
|
issuer: "https://authority.stella-ops.org"
|
|
metadataAddress: "https://authority.stella-ops.org/.well-known/openid-configuration"
|
|
requireHttpsMetadata: true
|
|
allowAnonymousFallback: false
|
|
backchannelTimeoutSeconds: 30
|
|
tokenClockSkewSeconds: 60
|
|
audiences:
|
|
- notify
|
|
readScope: notify.read
|
|
adminScope: notify.admin
|
|
|
|
api:
|
|
basePath: "/api/v1/notify"
|
|
internalBasePath: "/internal/notify"
|
|
tenantHeader: "X-StellaOps-Tenant"
|
|
|
|
plugins:
|
|
baseDirectory: "/var/opt/stellaops"
|
|
directory: "plugins/notify"
|
|
searchPatterns:
|
|
- "StellaOps.Notify.Connectors.*.dll"
|
|
orderedPlugins:
|
|
- StellaOps.Notify.Connectors.Slack
|
|
- StellaOps.Notify.Connectors.Teams
|
|
- StellaOps.Notify.Connectors.Email
|
|
- StellaOps.Notify.Connectors.Webhook
|
|
|
|
telemetry:
|
|
enableRequestLogging: true
|
|
minimumLogLevel: Warning
|
|
policy-engine-activation:
|
|
data:
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
|
|
|
|
|
|
services:
|
|
authority:
|
|
image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
|
|
service:
|
|
port: 8440
|
|
env:
|
|
STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
|
|
STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
|
|
STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=authority;Username=stellaops;Password=stellaops"
|
|
STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
STELLAOPS_AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
|
|
signer:
|
|
image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
|
|
service:
|
|
port: 8441
|
|
env:
|
|
SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
|
|
SIGNER__POE__INTROSPECTURL: "file:///offline/poe/introspect.json"
|
|
SIGNER__STORAGE__DRIVER: "postgres"
|
|
SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=signer;Username=stellaops;Password=stellaops"
|
|
SIGNER__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
attestor:
|
|
image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
|
|
service:
|
|
port: 8442
|
|
env:
|
|
ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
|
|
ATTESTOR__STORAGE__DRIVER: "postgres"
|
|
ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=attestor;Username=stellaops;Password=stellaops"
|
|
ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
concelier:
|
|
image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
|
|
service:
|
|
port: 8445
|
|
env:
|
|
CONCELIER__STORAGE__DRIVER: "postgres"
|
|
CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=concelier;Username=stellaops;Password=stellaops"
|
|
CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-rustfs:8080"
|
|
CONCELIER__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
|
|
CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
|
|
CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:45:00"
|
|
volumeMounts:
|
|
- name: concelier-jobs
|
|
mountPath: /var/lib/concelier/jobs
|
|
volumeClaims:
|
|
- name: concelier-jobs
|
|
claimName: stellaops-concelier-jobs
|
|
scanner-web:
|
|
image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
|
|
service:
|
|
port: 8444
|
|
env:
|
|
SCANNER__STORAGE__DRIVER: "postgres"
|
|
SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=scanner;Username=stellaops;Password=stellaops"
|
|
SCANNER__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
|
|
SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
|
|
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
|
|
SCANNER__QUEUE__BROKER: "valkey://stellaops-valkey:6379"
|
|
SCANNER__EVENTS__ENABLED: "false"
|
|
SCANNER__EVENTS__DRIVER: "valkey"
|
|
SCANNER__EVENTS__DSN: "stellaops-valkey:6379"
|
|
SCANNER__EVENTS__STREAM: "stella.events"
|
|
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
|
|
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
|
|
SCANNER__OFFLINEKIT__ENABLED: "false"
|
|
SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
|
|
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
|
|
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
|
|
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
|
|
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
|
|
SCANNER_SURFACE_SECRETS_PROVIDER: "file"
|
|
SCANNER_SURFACE_SECRETS_ROOT: "/etc/stellaops/secrets"
|
|
scanner-worker:
|
|
image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
|
|
env:
|
|
SCANNER__STORAGE__DRIVER: "postgres"
|
|
SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=scanner;Username=stellaops;Password=stellaops"
|
|
SCANNER__CACHE__REDIS__CONNECTIONSTRING: "stellaops-valkey:6379"
|
|
SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
|
|
SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
|
|
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
|
|
SCANNER__QUEUE__BROKER: "valkey://stellaops-valkey:6379"
|
|
SCANNER__EVENTS__ENABLED: "false"
|
|
SCANNER__EVENTS__DRIVER: "valkey"
|
|
SCANNER__EVENTS__DSN: "stellaops-valkey:6379"
|
|
SCANNER__EVENTS__STREAM: "stella.events"
|
|
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
|
|
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
|
|
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
|
|
SCANNER_SURFACE_SECRETS_PROVIDER: "file"
|
|
SCANNER_SURFACE_SECRETS_ROOT: "/etc/stellaops/secrets"
|
|
# Secret Detection Rules Bundle
|
|
SCANNER__FEATURES__EXPERIMENTAL__SECRETLEAKDETECTION: "false"
|
|
SCANNER__SECRETS__BUNDLEPATH: "/opt/stellaops/plugins/scanner/analyzers/secrets"
|
|
SCANNER__SECRETS__REQUIRESIGNATURE: "true"
|
|
volumeMounts:
|
|
- name: secrets-rules
|
|
mountPath: /opt/stellaops/plugins/scanner/analyzers/secrets
|
|
readOnly: true
|
|
volumeClaims:
|
|
- name: secrets-rules
|
|
claimName: stellaops-secrets-rules
|
|
notify-web:
|
|
image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
|
|
service:
|
|
port: 8446
|
|
env:
|
|
DOTNET_ENVIRONMENT: Production
|
|
NOTIFY__QUEUE__DRIVER: "valkey"
|
|
NOTIFY__QUEUE__VALKEY__URL: "stellaops-valkey:6379"
|
|
configMounts:
|
|
- name: notify-config
|
|
mountPath: /app/etc/notify.yaml
|
|
subPath: notify.yaml
|
|
configMap: notify-config
|
|
excititor:
|
|
image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
|
|
env:
|
|
EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
|
|
EXCITITOR__STORAGE__DRIVER: "postgres"
|
|
EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=stellaops-postgres;Port=5432;Database=excititor;Username=stellaops;Password=stellaops"
|
|
advisory-ai-web:
|
|
image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.09.2-airgap
|
|
service:
|
|
port: 8448
|
|
env:
|
|
ADVISORYAI__AdvisoryAI__SbomBaseAddress: https://stellaops-scanner-web:8444
|
|
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
|
|
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
|
|
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
|
|
ADVISORYAI__AdvisoryAI__Inference__Mode: Local
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
|
|
volumeMounts:
|
|
- name: advisory-ai-data
|
|
mountPath: /var/lib/advisory-ai
|
|
volumeClaims:
|
|
- name: advisory-ai-data
|
|
claimName: stellaops-advisory-ai-data
|
|
advisory-ai-worker:
|
|
image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.09.2-airgap
|
|
env:
|
|
ADVISORYAI__AdvisoryAI__SbomBaseAddress: https://stellaops-scanner-web:8444
|
|
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
|
|
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
|
|
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
|
|
ADVISORYAI__AdvisoryAI__Inference__Mode: Local
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
|
|
volumeMounts:
|
|
- name: advisory-ai-data
|
|
mountPath: /var/lib/advisory-ai
|
|
volumeClaims:
|
|
- name: advisory-ai-data
|
|
claimName: stellaops-advisory-ai-data
|
|
web-ui:
|
|
image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
|
|
service:
|
|
port: 9443
|
|
targetPort: 8443
|
|
env:
|
|
STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
|
|
|
|
# Infrastructure services
|
|
postgres:
|
|
class: infrastructure
|
|
image: docker.io/library/postgres@sha256:8e97b8526ed19304b144f7478bc9201646acf0723cdc6e4b19bc9eb34879a27e
|
|
service:
|
|
port: 5432
|
|
env:
|
|
POSTGRES_USER: stellaops
|
|
POSTGRES_PASSWORD: stellaops
|
|
POSTGRES_DB: stellaops
|
|
volumeMounts:
|
|
- name: postgres-data
|
|
mountPath: /var/lib/postgresql/data
|
|
volumeClaims:
|
|
- name: postgres-data
|
|
claimName: stellaops-postgres-data
|
|
valkey:
|
|
class: infrastructure
|
|
image: docker.io/valkey/valkey:9.0.1-alpine
|
|
service:
|
|
port: 6379
|
|
command:
|
|
- valkey-server
|
|
- --appendonly
|
|
- "yes"
|
|
volumeMounts:
|
|
- name: valkey-data
|
|
mountPath: /data
|
|
volumeClaims:
|
|
- name: valkey-data
|
|
claimName: stellaops-valkey-data
|
|
rustfs:
|
|
class: infrastructure
|
|
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
|
|
service:
|
|
port: 8080
|
|
command:
|
|
- serve
|
|
- --listen
|
|
- 0.0.0.0:8080
|
|
- --root
|
|
- /data
|
|
env:
|
|
RUSTFS__LOG__LEVEL: info
|
|
RUSTFS__STORAGE__PATH: /data
|
|
volumeMounts:
|
|
- name: rustfs-data
|
|
mountPath: /data
|
|
volumeClaims:
|
|
- name: rustfs-data
|
|
claimName: stellaops-rustfs-data
|