stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
1d962ee6fc98ad8c53715bbff6d513246f5b1361
git.stella-ops.org/docs/modules/devops/runbooks/zastava-deployment.md
master 66cb6c4b8a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add guild charters and task boards for various components 
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00

50 lines
1.9 KiB
Markdown
Raw Blame History

# Zastava Deployment Runbook
> **Audience:** DevOps, Zastava Guild
>
> **Purpose:** Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters.
## 1. Prerequisites
- Kubernetes 1.26+ with admission registration permissions.
- Access to StellaOps Container Registry or offline bundle with Zastava images.
- Authority scopes and certificates configured for Zastava identities.
- Surface.FS cache endpoint (RustFS/S3) reachable from nodes.
## 2. Installation Steps
1. **Prepare namespace & secrets**
- Create Kubernetes namespace (default `stellaops-runtime`).
- Provision secrets (`zastava-mtls`, `zastava-op-token`, `surface-secrets`).
2. **Deploy Observer**
- Apply Helm chart `helm/zastava` with values aligning to Surface.Env settings.
- Confirm DaemonSet pods schedule on all nodes; check `/healthz` endpoints.
3. **Deploy Webhook**
- Install ValidatingWebhookConfiguration with CA bundle and service reference.
- Enable dry-run mode first, monitor logs, then switch `enforce=true` once validations pass.
4. **Configure policies**
- Populate admission policies in Policy Engine; ensure tokens contain `runtime:read` scopes.
- Update CLI/Console settings for runtime posture view.
5. **Observability**
- Scrape metrics (`zastava_observer_*`, `zastava_webhook_*`).
- Stream logs to central collector.
## 3. Air-Gapped Deployment Notes
- Use Offline Kit bundle (`offline/zastava/`) to load images and configuration.
- Validate Surface.FS bundles before enabling enforcement.
- Replace webhook CA with offline authority; document rotation schedule.
## 4. Validation
- Run `stella runtime policy test` against sample workloads.
- Trigger deployment denial for unsigned images; verify Notifier emits alerts.
- Check timeline events for observer telemetry.
## 5. References
- `docs/modules/zastava/architecture.md`
- `docs/modules/scanner/architecture.md`
- `docs/airgap/airgap-mode.md`
- `docs/forensics/timeline.md`
Reference in New Issue View Git Blame Copy Permalink