stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
25254e3831dbc3e9625f23a0ba43296101b4a821
git.stella-ops.org/ops/devops/airgap/README.md
StellaOps Bot 71e9a56cfd
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
feat: Add Scanner CI runner and related artifacts 
- Implemented `run-scanner-ci.sh` to build and run tests for the Scanner solution with a warmed NuGet cache.
- Created `excititor-vex-traces.json` dashboard for monitoring Excititor VEX observations.
- Added Docker Compose configuration for the OTLP span sink in `docker-compose.spansink.yml`.
- Configured OpenTelemetry collector in `otel-spansink.yaml` to receive and process traces.
- Developed `run-spansink.sh` script to run the OTLP span sink for Excititor traces.
- Introduced `FileSystemRiskBundleObjectStore` for storing risk bundle artifacts in the filesystem.
- Built `RiskBundleBuilder` for creating risk bundles with associated metadata and providers.
- Established `RiskBundleJob` to execute the risk bundle creation and storage process.
- Defined models for risk bundle inputs, entries, and manifests in `RiskBundleModels.cs`.
- Implemented signing functionality for risk bundle manifests with `HmacRiskBundleManifestSigner`.
- Created unit tests for `RiskBundleBuilder`, `RiskBundleJob`, and signing functionality to ensure correctness.
- Added filesystem artifact reader tests to validate manifest parsing and artifact listing.
- Included test manifests for egress scenarios in the task runner tests.
- Developed timeline query service tests to verify tenant and event ID handling.
2025-11-30 19:12:35 +02:00

1.5 KiB
Raw Blame History

Air-gap Egress Guard Rails

Artifacts supporting DEVOPS-AIRGAP-56-001:

  • k8s-deny-egress.yaml — NetworkPolicy template that denies all egress for pods labeled sealed=true, except optional in-cluster DNS when enabled.
  • compose-egress-guard.sh — Idempotent iptables guard for Docker/compose using the DOCKER-USER chain to drop all outbound traffic from a compose project network while allowing loopback and RFC1918 intra-cluster ranges.
  • verify-egress-block.sh — Verification harness that runs curl probes from Docker or Kubernetes and reports JSON results; exits non-zero if any target is reachable.
  • bundle_stage_import.py — Deterministic bundle staging helper: validates sha256 manifest, copies bundles to staging dir as <sha256>-<basename>, emits staging-report.json for evidence.
  • stage-bundle.sh — Thin wrapper around bundle_stage_import.py with positional args.
  • build_bootstrap_pack.py — Builds a Bootstrap Pack from images/charts/extras listed in a JSON config, writing bootstrap-manifest.json + checksums.sha256 deterministically.
  • build_bootstrap_pack.sh — Wrapper for the bootstrap pack builder.
  • build_mirror_bundle.py — Generates mirror bundle manifest + checksums with dual-control approvals; optional cosign signing. Outputs mirror-bundle-manifest.json, checksums.sha256, and optional signature/cert.

See also ops/devops/sealed-mode-ci/ for the full sealed-mode compose harness and egress_probe.py, which this verification script wraps.