stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
25254e3831dbc3e9625f23a0ba43296101b4a821
git.stella-ops.org/ops/devops/airgap/verify-egress-block.sh
StellaOps Bot 17d45a6d30
Some checks failed
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context 
- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.
2025-11-30 15:38:14 +02:00

89 lines
2.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Verification harness for sealed-mode egress: Docker/Compose or Kubernetes.
# Examples:
# ./verify-egress-block.sh docker stella_default out/airgap-probe.json
# ./verify-egress-block.sh k8s default out/k8s-probe.json
set -euo pipefail
mode=${1:-}
context=${2:-}
out=${3:-}
if [[ -z "$mode" || -z "$context" || -z "$out" ]]; then
echo "Usage: $0 <docker|k8s> <network|namespace> <output.json> [target ...]" >&2
exit 2
fi
shift 3
TARGETS=($@)
ROOT=$(cd "$(dirname "$0")/../.." && pwd)
PROBE_PY="$ROOT/ops/devops/sealed-mode-ci/egress_probe.py"
case "$mode" in
docker)
network="$context"
python3 "$PROBE_PY" --network "$network" --output "$out" "${TARGETS[@]}"
;;
k8s|kubernetes)
ns="$context"
targets=("${TARGETS[@]}")
if [[ ${#targets[@]} -eq 0 ]]; then
targets=("https://example.com" "https://www.cloudflare.com" "https://releases.stella-ops.org/healthz")
fi
image="curlimages/curl:8.6.0"
tmpfile=$(mktemp)
cat > "$tmpfile" <<MANIFEST
apiVersion: v1
kind: Pod
metadata:
name: sealed-egress-probe
namespace: ${ns}
labels:
sealed: "true"
stellaops.dev/purpose: sealed-mode
spec:
restartPolicy: Never
containers:
- name: curl
image: ${image}
command: ["/bin/sh","-c"]
args:
- >
set -euo pipefail;
rc=0;
for url in ${targets[@]}; do
echo "PROBE $url";
if curl -fsS --max-time 8 "$url"; then
echo "UNEXPECTED_SUCCESS $url";
rc=1;
else
echo "BLOCKED $url";
fi;
done;
exit $rc;
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
MANIFEST
kubectl apply -f "$tmpfile" >/dev/null
kubectl wait --for=condition=Ready pod/sealed-egress-probe -n "$ns" --timeout=30s >/dev/null 2>&1 || true
set +e
kubectl logs -n "$ns" sealed-egress-probe > "$out.log" 2>&1
kubectl wait --for=condition=Succeeded pod/sealed-egress-probe -n "$ns" --timeout=60s
pod_rc=$?
kubectl get pod/sealed-egress-probe -n "$ns" -o json > "$out"
kubectl delete pod/sealed-egress-probe -n "$ns" >/dev/null 2>&1 || true
set -e
if [[ $pod_rc -ne 0 ]]; then
echo "Egress check failed; see $out and $out.log" >&2
exit 1
fi
;;
*)
echo "Unknown mode: $mode" >&2
exit 2
;;
esac
echo "Egress verification complete → $out"
Reference in New Issue View Git Blame Copy Permalink