stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
189171c594fa33daad050bde95a10a29edb63ec6
git.stella-ops.org/docs/features/checked/devops/postgresql-backend-for-rekor-metadata.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

3.1 KiB
Raw Blame History

PostgreSQL Backend for Rekor Metadata

Module

devops

Status

VERIFIED

Description

PostgreSQL-based Rekor backend with checkpoint storage, submission queue tables, and VEX-Rekor linkage migration.

Implementation Details

  • Rekor Inclusion Proof Models: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs -- model for Rekor inclusion proof data including log index, root hash, tree size, and inclusion hashes.
  • Enhanced Rekor Proof Builder: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs (with partials .Build.cs, .Validate.cs) -- builds and validates Rekor inclusion proofs, storing metadata for PostgreSQL persistence.
  • Pipeline Rekor Entry: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/RekorEntry.cs -- pipeline model for Rekor transparency log entries.
  • Rekor Inclusion Verification: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs -- verification step that validates Rekor inclusion proofs against stored checkpoints.
  • Database Cluster Config: devops/database/postgres/cluster-production.yaml, cluster-staging.yaml -- PostgreSQL cluster definitions for CloudNativePG with Rekor metadata tables.
  • Database Pooler Config: devops/database/postgres/pooler-production.yaml, pooler-staging.yaml -- PgBouncer pooler configurations for Rekor query workloads.
  • Compose Configuration: devops/compose/docker-compose.stella-ops.yml -- includes PostgreSQL service configuration for the Rekor backend.

E2E Test Plan

  • Submit a DSSE attestation through the proof chain pipeline and verify the Rekor entry metadata (log index, root hash, tree size) is persisted to PostgreSQL
  • Query the stored Rekor checkpoint and verify it matches the transparency log state at submission time
  • Verify Rekor inclusion proof validation: retrieve a stored proof from PostgreSQL and run RekorInclusionVerificationStep to confirm it validates correctly
  • Verify the submission queue processes entries in order and marks them as submitted after successful Rekor log inclusion
  • Deploy the PostgreSQL cluster configuration and verify the database schema includes the required Rekor metadata tables

Verification

  • Verified on 2026-02-11 with run-001.
  • Tier 0 source checks passed for Rekor proof models/builders, verification step, and DevOps PostgreSQL assets.
  • Tier 1 build and focused behavioral test gates passed (57/57) across Rekor inclusion proof, receipt generation/verification, and verification-job integration suites.
  • Tier 2 behavioral checks passed by applying the initial PostgreSQL schema in Docker and validating required tables/indexes for proofchain.rekor_entries and attestor.rekor_submission_queue.
  • Evidence:
    • docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier2-integration-check.json