stella-ops.org/git.stella-ops.org

Fork 0

Files

master d509c44411 release orchestrator pivot, architecture and planning

2026-01-10 22:37:22 +02:00

6.7 KiB

Raw Permalink Blame History

Release Orchestrator

Central release control plane for non-Kubernetes container estates.

Status: Planned (not yet implemented) Source: Full Architecture Specification

Purpose

The Release Orchestrator extends Stella Ops from a vulnerability scanning platform into Stella Ops Suite — a unified release control plane for non-Kubernetes container environments. It integrates:

Existing capabilities: SBOM generation, reachability-aware vulnerability analysis, VEX support, policy engine, evidence locker, deterministic replay
New capabilities: Environment management, release orchestration, promotion workflows, deployment execution, progressive delivery, audit-grade release governance

Scope

In Scope	Out of Scope
Non-K8s container deployments (Docker, Compose, ECS, Nomad)	Kubernetes deployments (use ArgoCD, Flux)
Release identity via OCI digests	Tag-based release identity
Plugin-extensible integrations	Hard-coded vendor integrations
SSH/WinRM + agent-based deployment	Cloud-native serverless deployments
L4/L7 traffic management via router plugins	Built-in service mesh

Documentation Structure

Design & Principles

Design Principles — Core principles and invariants
Key Decisions — Architectural decision record

Implementation

Implementation Guide — .NET 10 patterns and best practices
Test Structure — Test organization and guidelines

Module Architecture

Module Overview — All modules and themes
Integration Hub (INTHUB) — External integrations
Environment Manager (ENVMGR) — Environments and targets
Release Manager (RELMAN) — Release bundles and versions
Workflow Engine (WORKFL) — DAG execution
Promotion Manager (PROMOT) — Approvals and gates
Deploy Orchestrator (DEPLOY) — Deployment execution
Agents (AGENTS) — Deployment agents
Progressive Delivery (PROGDL) — A/B and canary
Release Evidence (RELEVI) — Evidence packets
Plugin System (PLUGIN) — Plugin infrastructure

Data Model

Database Schema — PostgreSQL schema specification
Entity Definitions — Entity descriptions

API Specification

API Overview — API design principles
Environment APIs — Environment endpoints
Release APIs — Release endpoints
Promotion APIs — Promotion endpoints
Workflow APIs — Workflow endpoints
Agent APIs — Agent endpoints
WebSocket APIs — Real-time endpoints

Workflow Engine

Template Structure — Workflow template specification
Execution State Machine — Workflow state machine
Promotion State Machine — Promotion state machine

Security

Security Overview — Security principles
Authentication & Authorization — AuthN/AuthZ
Agent Security — Agent security model
Threat Model — Threats and mitigations
Audit Trail — Audit logging

Integrations

Integration Overview — Integration types
Connector Interface — Connector specification
Webhook Architecture — Webhook handling
CI/CD Patterns — CI/CD integration patterns

Deployment

Deployment Overview — Architecture overview
Deployment Strategies — Deployment strategies
Agent-Based Deployment — Agent deployment
Agentless Deployment — SSH/WinRM deployment
Artifact Generation — Generated artifacts

Progressive Delivery

Progressive Overview — Progressive delivery architecture
A/B Releases — A/B release models
Canary Controller — Canary implementation
Router Plugins — Traffic routing plugins

UI/UX

Dashboard Specification — Dashboard screens
Workflow Editor — Workflow editor
Screen Reference — Key UI screens

Operations

Metrics — Metrics specification
Logging — Logging patterns
Tracing — Distributed tracing
Alerting — Alert rules

Implementation

Roadmap — Implementation phases
Resource Requirements — Sizing

Appendices

Glossary — Term definitions
Configuration Reference — Configuration options
Error Codes — API error codes
Evidence Schema — Evidence packet format

Quick Reference

Key Principles

Digest-first release identity — Releases are immutable OCI digests, not tags
Evidence for every decision — Every promotion/deployment produces sealed evidence
Pluggable everything, stable core — Integrations are plugins; core is stable
No feature gating — All plans include all features
Offline-first operation — Core works in air-gapped environments
Immutable generated artifacts — Every deployment generates stored artifacts

Platform Themes

Theme	Purpose
INTHUB	Integration hub — external system connections
ENVMGR	Environment management — environments, targets, agents
RELMAN	Release management — components, versions, releases
WORKFL	Workflow engine — DAG execution, steps
PROMOT	Promotion — approvals, gates, decisions
DEPLOY	Deployment — execution, artifacts, rollback
AGENTS	Agents — Docker, Compose, ECS, Nomad
PROGDL	Progressive delivery — A/B, canary
RELEVI	Evidence — packets, stickers, audit
PLUGIN	Plugins — registry, loader, SDK

6.7 KiB Raw Permalink Blame History

Release Orchestrator

Purpose

Scope

Documentation Structure

Design & Principles

Implementation

Module Architecture

Data Model

API Specification

Workflow Engine

Security

Integrations

Deployment

Progressive Delivery

UI/UX

Operations

Implementation

Appendices

Quick Reference

Key Principles

Platform Themes

6.7 KiB

Raw Permalink Blame History