2e70c9fdb6
Some checks failed
LNM Migration CI / build-runner (push) Has been cancelled
Ledger OpenAPI CI / deprecation-check (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Ledger Packs CI / build-pack (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Ledger OpenAPI CI / validate-oas (push) Has been cancelled
Ledger OpenAPI CI / check-wellknown (push) Has been cancelled
Ledger Packs CI / verify-pack (push) Has been cancelled
LNM Migration CI / validate-metrics (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Air-gap Egress Guard Rails
Artifacts supporting DEVOPS-AIRGAP-56-001:
k8s-deny-egress.yaml— NetworkPolicy template that denies all egress for pods labeledsealed=true, except optional in-cluster DNS when enabled.compose-egress-guard.sh— Idempotent iptables guard for Docker/compose using theDOCKER-USERchain to drop all outbound traffic from a compose project network while allowing loopback and RFC1918 intra-cluster ranges.verify-egress-block.sh— Verification harness that runs curl probes from Docker or Kubernetes and reports JSON results; exits non-zero if any target is reachable.bundle_stage_import.py— Deterministic bundle staging helper: validates sha256 manifest, copies bundles to staging dir as<sha256>-<basename>, emitsstaging-report.jsonfor evidence.stage-bundle.sh— Thin wrapper aroundbundle_stage_import.pywith positional args.build_bootstrap_pack.py— Builds a Bootstrap Pack from images/charts/extras listed in a JSON config, writingbootstrap-manifest.json+checksums.sha256deterministically.build_bootstrap_pack.sh— Wrapper for the bootstrap pack builder.build_mirror_bundle.py— Generates mirror bundle manifest + checksums with dual-control approvals; optional cosign signing. Outputsmirror-bundle-manifest.json,checksums.sha256, and optional signature/cert.compose-syslog-smtp.yaml— Local SMTP (MailHog) + syslog-ng stack for sealed environments.health_syslog_smtp.sh— Brings up the syslog/SMTP stack via docker compose and performs health checks (MailHog API + syslog logger).compose-observability.yaml— Sealed-mode observability stack (Prometheus, Grafana, Tempo, Loki) with offline configs and healthchecks.health_observability.sh— Starts the observability stack and probes Prometheus/Grafana/Tempo/Loki readiness.compose-syslog-smtp.yaml+syslog-ng.conf— Local SMTP + syslog stack for sealed-mode notifications; run viascripts/devops/run-smtp-syslog.sh(health checkhealth_syslog_smtp.sh).observability-offline-compose.yml+otel-offline.yaml+promtail-config.yaml— Sealed-mode observability stack (Loki, Promtail, OTEL collector with file exporters) to satisfy DEVOPS-AIRGAP-58-002.compose-syslog-smtp.yaml— Local SMTP (MailHog) + syslog-ng stack for sealed environments.health_syslog_smtp.sh— Brings up the syslog/SMTP stack via docker compose and performs health checks (MailHog API + syslog logger).
See also ops/devops/sealed-mode-ci/ for the full sealed-mode compose harness and egress_probe.py, which this verification script wraps.