44171930ff
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan. - Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark. - Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions. - Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults. - Developed schemas for orchestrator components, including replay manifests and event envelopes. - Added mock API for risk management, including listing and statistics functionalities. - Implemented models for risk profiles and query options to support the new API.
58 lines
2.4 KiB
Markdown
58 lines
2.4 KiB
Markdown
# Transparency Log Witness Deployment Plan (DEVOPS-ATTEST-74-001)
|
|
|
|
## Goals
|
|
- Deploy and monitor a Sigstore-compatible witness for Rekor v1/v2 logs (and air-gap mirrors).
|
|
- Provide offline-ready configs and evidence (hashes, DSSE attestations) for bootstrap packs.
|
|
|
|
## Scope
|
|
- Environments: staging → prod (online), sealed/offline mirror (optional, read-only).
|
|
- Witness duties: verify inclusion proofs, publish checkpoints/signed STHs, expose metrics and health.
|
|
|
|
## Architecture
|
|
- Witness binary (sigstore/witness or equivalent) in a hardened container:
|
|
- Non-root user, read-only rootfs, seccomp/AppArmor defaults.
|
|
- TLS with mTLS between witness and collector; optional OIDC for admin endpoints.
|
|
- Inputs:
|
|
- Rekor base URL(s) + public keys.
|
|
- Mirror CAR path + signature (for air-gap).
|
|
- Outputs:
|
|
- Signed checkpoints (STH) rotated hourly; stored in object storage + DSSE manifest.
|
|
- Metrics: Prometheus `/metrics` endpoint (request latency, verify failures, checkpoint age).
|
|
- Logs: JSON, structured, no PII.
|
|
|
|
## Deployment steps
|
|
1) Build/pull witness image (pin digest); generate SBOM + cosign attestations.
|
|
2) Create config:
|
|
- `rekor_urls`: prod/staging
|
|
- `rekor_keys`: PEMs
|
|
- `checkpoint_interval`: 1h
|
|
- `mirror_path` (optional): `/data/rekor-mirror.car`
|
|
- `signer`: KMS ref or file key (sealed-mode uses file key from bootstrap pack)
|
|
3) Helm/Compose template:
|
|
- read-only rootfs, drop NET_RAW, memory/cpu limits
|
|
- PVC for checkpoints (`/var/lib/witness/checkpoints`)
|
|
- Service exposing HTTPS + `/metrics`
|
|
4) CI:
|
|
- Lint chart
|
|
- Run e2e: start Rekor test instance, run witness, verify checkpoint written, verify metrics non-zero.
|
|
- Publish image SBOM/attestations and chart checksums.
|
|
5) Monitoring/alerts:
|
|
- `witness_verify_failures_total` > 0 over 5m
|
|
- `witness_checkpoint_age_seconds` > 5400
|
|
- `witness_backfill_queue_depth` (if supported) above threshold
|
|
|
|
## Offline/air-gap mode
|
|
- Consume signed Rekor mirror (CAR + manifest) from bootstrap pack.
|
|
- Run witness in verify-only mode against mirror; disable outbound network.
|
|
- Emit checkpoints signed with offline key; store in mirror bundle for audit.
|
|
|
|
## Evidence to capture
|
|
- Image digest, SBOM hash, chart checksum.
|
|
- Signed checkpoint sample and DSSE manifest.
|
|
- CI e2e logs and metrics sample (scrape output).
|
|
|
|
## Owners
|
|
- Build/deploy: DevOps Guild
|
|
- Keys/config: Platform Security
|
|
- Observability: Observability Guild
|