- Added ConsoleExportClient for managing export requests and responses. - Introduced ConsoleExportRequest and ConsoleExportResponse models. - Implemented methods for creating and retrieving exports with appropriate headers. feat(crypto): Add Software SM2/SM3 Cryptography Provider - Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography. - Added support for signing and verification using SM2 algorithm. - Included hashing functionality with SM3 algorithm. - Configured options for loading keys from files and environment gate checks. test(crypto): Add unit tests for SmSoftCryptoProvider - Created comprehensive tests for signing, verifying, and hashing functionalities. - Ensured correct behavior for key management and error handling. feat(api): Enhance Console Export Models - Expanded ConsoleExport models to include detailed status and event types. - Added support for various export formats and notification options. test(time): Implement TimeAnchorPolicyService tests - Developed tests for TimeAnchorPolicyService to validate time anchors. - Covered scenarios for anchor validation, drift calculation, and policy enforcement.
# Chart-wide settings shared by every rendered workload.
global:
  # Identity of the deployed release bundle; all fields are empty until set by the deployer.
  release:
    version: ""
    channel: ""
    # SHA-256 of the release manifest (hex string); quoted so it is never read as a number.
    manifestSha256: ""
    profile: ""
  image:
    # IfNotPresent reuses a node-cached image for the same tag. Tag-based images
    # can therefore drift from what the release intended; pin by digest (as the
    # mock.* images below do) where supply-chain integrity matters.
    pullPolicy: IfNotPresent
  # Extra labels merged into rendered resources; how the templates apply them is not visible here.
  labels: {}

# Optional pre-deploy migration jobs; disabled and empty by default.
migrations:
  enabled: false
  # One entry per migration job; the expected entry shape is defined by the chart templates.
  jobs: []

# NetworkPolicy generation. Disabled by default, which leaves pod traffic
# unrestricted; enable it in any environment that is not a throwaway sandbox.
networkPolicy:
  enabled: false
  # Port accepted from the ingress selectors below.
  ingressPort: 80
  # Port allowed towards the egress selectors below.
  egressPort: 443
  # Namespace/pod selectors for allowed peers. Note that an empty selector
  # matches everything in Kubernetes; confirm how the template treats {} before
  # assuming it means "nothing allowed".
  ingressNamespaces: {}
  ingressPods: {}
  egressNamespaces: {}
  egressPods: {}

# Ingress exposure; disabled by default. When enabling, populate tls so the
# ingress terminates HTTPS rather than serving the hosts over plaintext.
ingress:
  enabled: false
  className: nginx
  annotations: {}
  # Host rules and TLS entries; both empty until an environment fills them in.
  hosts: []
  tls: []

# External secret sourcing (e.g. an external-secrets style operator); disabled
# and empty by default. Preferred over placing secret material in this file.
externalSecrets:
  enabled: false
  # One entry per secret to synchronise; entry shape is defined by the chart templates.
  secrets: []

# Prometheus scrape settings for the metrics endpoint; disabled by default.
prometheus:
  enabled: false
  path: /metrics
  port: 8080
  # Scraping is plaintext http; switch to https if the metrics port is reachable
  # from outside the cluster network boundary.
  scheme: http

# HorizontalPodAutoscaler settings; disabled by default.
hpa:
  enabled: false
  minReplicas: 1
  maxReplicas: 3
  cpu:
    # Target average CPU utilisation (percent).
    targetPercentage: 75
  memory:
    # Explicit null: no memory target is configured.
    targetPercentage: null

# Surface.Env configuration for Scanner/Zastava components
# See docs/modules/scanner/design/surface-env.md for details
#
# Every value here is copied into the surface-env ConfigMap further down, so
# only endpoints, paths, names and flags belong in this section — never secret
# material such as keys or tokens.
surface:
  # Surface.FS storage configuration
  fs:
    # Base URI for Surface.FS / RustFS / S3-compatible store (required)
    endpoint: ""
    # Bucket/container for manifests and artefacts
    bucket: "surface-cache"
    # Optional region for S3-compatible stores (AWS/GCS)
    region: ""
  # Local cache configuration
  cache:
    # Local directory for warm caches
    root: "/var/lib/stellaops/surface"
    # Soft limit for on-disk cache usage in MB (64-262144)
    quotaMb: 4096
    # Enable manifest prefetch threads
    prefetchEnabled: false
  # Tenant configuration
  tenant: "default"
  # Comma-separated feature switches
  features: ""
  # TLS configuration for client authentication
  tls:
    # Path to PEM/PKCS#12 certificate file
    certPath: ""
    # Optional private key path when cert/key stored separately
    keyPath: ""
    # Secret name containing TLS cert/key
    secretName: ""
  # Secrets provider configuration
  secrets:
    # Provider ID: kubernetes, file, inline
    provider: "kubernetes"
    # Kubernetes namespace for secrets provider
    namespace: ""
    # Path or base for file provider
    root: ""
    # Optional fallback provider ID
    fallbackProvider: ""
    # Allow inline secrets (disable in production)
    # Keep false: inline secrets would travel through this values file and the
    # rendered ConfigMap in clear text.
    allowInline: false

telemetry:
  # OpenTelemetry collector deployment; disabled by default.
  collector:
    enabled: false
    replicas: 1
    # Mutable upstream tag; pin by digest for a reproducible, attestable rollout.
    image: otel/opentelemetry-collector:0.105.0
    # Require a client certificate from exporters. Keep true so unauthenticated
    # senders cannot inject telemetry into the pipeline.
    requireClientCert: true
    # Tenant attributed to telemetry that arrives without tenant information.
    defaultTenant: unknown
    logLevel: info
    tls:
      # Kubernetes Secret holding the cert, key and CA; presumably must be set
      # once the collector is enabled with requireClientCert — confirm in the template.
      secretName: ""
      certPath: /etc/otel/tls/tls.crt
      keyPath: /etc/otel/tls/tls.key
      caPath: /etc/otel/tls/ca.crt
      # Secret keys projected to the file names the paths above expect.
      items:
        - key: tls.crt
          path: tls.crt
        - key: tls.key
          path: tls.key
        - key: ca.crt
          path: ca.crt
    service:
      # gRPC, HTTP and metrics listener ports.
      grpcPort: 4317
      httpPort: 4318
      metricsPort: 9464
    # Container resource requests/limits; empty means none are set.
    resources: {}

# ConfigMaps rendered by the chart. ConfigMaps are not Secrets: anything placed
# here is readable by whoever can read the namespace, so keep credentials out.
configMaps:
  # Surface.Env environment variables for Scanner/Zastava components
  # Values are templated from the surface.* section; they are quoted so that
  # empty or boolean-looking expansions stay strings.
  surface-env:
    data:
      SCANNER_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
      SCANNER_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
      SCANNER_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
      SCANNER_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
      SCANNER_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
      SCANNER_SURFACE_FEATURES: "{{ .Values.surface.features }}"
      # Paths only; the certificate material itself is mounted from surface.tls.secretName.
      SCANNER_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
      SCANNER_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
      SCANNER_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
      # Zastava consumers inherit Scanner defaults but can be overridden via ZASTAVA_* envs
      ZASTAVA_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
      ZASTAVA_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
      ZASTAVA_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
      ZASTAVA_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
      ZASTAVA_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
      ZASTAVA_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
      ZASTAVA_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
      ZASTAVA_SURFACE_FEATURES: "{{ .Values.surface.features }}"
      ZASTAVA_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
      ZASTAVA_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
      ZASTAVA_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
      ZASTAVA_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
      ZASTAVA_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
      ZASTAVA_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
      ZASTAVA_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"

  # Issuer Directory application config, mounted as a file by services.issuer-directory.
  # The literal block below is YAML read by the application; nesting inside it
  # was reconstructed from key semantics — verify against the service's sample config.
  # The Mongo connection string carries no credentials; keep it that way and supply
  # them through the issuer-directory-secrets Secret referenced by the service.
  issuer-directory-config:
    data:
      issuer-directory.yaml: |
        IssuerDirectory:
          telemetry:
            minimumLogLevel: Information
          authority:
            enabled: true
            issuer: https://authority.svc.cluster.local/realms/stellaops
            requireHttpsMetadata: true
            audiences:
              - stellaops-platform
            readScope: issuer-directory:read
            writeScope: issuer-directory:write
            adminScope: issuer-directory:admin
            tenantHeader: X-StellaOps-Tenant
          seedCsafPublishers: true
          csafSeedPath: data/csaf-publishers.json
        Mongo:
          connectionString: mongodb://mongo:27017
          database: issuer-directory
          issuersCollection: issuers
          issuerKeysCollection: issuer_keys
          issuerTrustCollection: issuer_trust_overrides
          auditCollection: issuer_audit

  # Policy Engine activation controls. Two-person approval is off by default;
  # turning FORCETWOPERSONAPPROVAL on is the hardening switch for production
  # policy activation. Audit log emission stays enabled.
  policy-engine-activation:
    data:
      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"

# Per-service workload definitions. Images below use the mutable 2025.10.0-edge
# tag; pin by digest (as mock.* does) for releases that must be reproducible.
services:
  issuer-directory:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    replicas: 1
    # Mounts the issuer-directory-config ConfigMap as a single file.
    configMounts:
      - name: issuer-directory-config
        configMap: issuer-directory-config
        mountPath: /etc/issuer-directory.yaml
        subPath: issuer-directory.yaml
    # Credentials come from a Secret, not from env below — keep it that way.
    envFrom:
      - secretRef:
          name: issuer-directory-secrets
    env:
      ISSUERDIRECTORY__CONFIG: /etc/issuer-directory.yaml
      # Note this host differs from the issuer URL in the embedded config
      # (authority.svc.cluster.local); presumably intentional, confirm both resolve.
      ISSUERDIRECTORY__AUTHORITY__BASEURL: https://authority:8440
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "true"
    ports:
      - containerPort: 8080
    service:
      port: 8080
    # Readiness uses the same /health/live path as liveness, so a pod is marked
    # ready as soon as the process is alive; if the service exposes a separate
    # readiness endpoint, point this probe at it — confirm against the app.
    readinessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 20
  scheduler-worker:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    replicas: 1
    command:
      - dotnet
      - StellaOps.Scheduler.Worker.Host.dll
    env:
      SCHEDULER__QUEUE__KIND: Nats
      # Plaintext, unauthenticated in-cluster URLs; rely on networkPolicy (or
      # TLS on these endpoints) to bound who can reach nats and mongo.
      SCHEDULER__QUEUE__NATS__URL: nats://nats:4222
      SCHEDULER__STORAGE__CONNECTIONSTRING: mongodb://scheduler-mongo:27017
      SCHEDULER__STORAGE__DATABASE: stellaops_scheduler
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: http://scanner-web:8444
  advisory-ai-web:
    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.10.0-edge
    service:
      port: 8448
    env:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://scanner-web:8444
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
      # Local inference by default; Remote settings are only consulted when Mode is changed.
      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
      # Remote inference credential. env entries are presumably rendered as plain
      # pod environment, so a real key set here lands in values files and manifests.
      # Leave it empty and inject it from a Secret (envFrom/secretRef, as
      # issuer-directory does).
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
    volumeMounts:
      - name: advisory-ai-data
        mountPath: /var/lib/advisory-ai
    volumeClaims:
      - name: advisory-ai-data
        claimName: stellaops-advisory-ai-data
  advisory-ai-worker:
    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.10.0-edge
    # Shares the advisory-ai-web settings and the same PVC; keep the two env
    # sections in sync when changing either.
    env:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://scanner-web:8444
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
      ADVISORYAI__AdvisoryAI__Inference__Mode: Local
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
      # Same caveat as advisory-ai-web: source a real key from a Secret, not from here.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
    volumeMounts:
      - name: advisory-ai-data
        mountPath: /var/lib/advisory-ai
    volumeClaims:
      - name: advisory-ai-data
        claimName: stellaops-advisory-ai-data

# Mock workloads for local/dev releases; disabled by default. Images are pinned
# by sha256 digest, which is the pattern the tagged services.* images should follow.
mock:
  enabled: false
  orchestrator:
    image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
  policyRegistry:
    image: registry.stella-ops.org/stellaops/policy-registry@sha256:c6cad8055e9827ebcbebb6ad4d6866dce4b83a0a49b0a8a6500b736a5cb26fa7
  packsRegistry:
    image: registry.stella-ops.org/stellaops/packs-registry@sha256:1f5e9416c4dc608594ad6fad87c24d72134427f899c192b494e22b268499c791
  taskRunner:
    image: registry.stella-ops.org/stellaops/task-runner@sha256:eb5ad992b49a41554f41516be1a6afcfa6522faf2111c08ff2b3664ad2fc954b
  vexLens:
    image: registry.stella-ops.org/stellaops/vex-lens@sha256:b44e63ecfeebc345a70c073c1ce5ace709c58be0ffaad0e2862758aeee3092fb
  issuerDirectory:
    image: registry.stella-ops.org/stellaops/issuer-directory@sha256:67e8ef02c97d3156741e857756994888f30c373ace8e84886762edba9dc51914
  findingsLedger:
    image: registry.stella-ops.org/stellaops/findings-ledger@sha256:71d4c361ba8b2f8b69d652597bc3f2efc8a64f93fab854ce25272a88506df49c
  vulnExplorerApi:
    image: registry.stella-ops.org/stellaops/vuln-explorer-api@sha256:7fc7e43a05cbeb0106ce7d4d634612e83de6fdc119aaab754a71c1d60b82841d