- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints.
- Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication.
- Developed ConcelierExporterClient for managing Trivy DB settings and export operations.
- Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering.
- Implemented styles and HTML structure for Trivy DB settings page.
- Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.
Stella Ops Compose Profiles
These Compose bundles ship the minimum services required to exercise the scanner pipeline plus control-plane dependencies. Every profile is pinned to immutable image digests sourced from deploy/releases/*.yaml and is linted via docker compose config in CI.
Layout
| Path | Purpose |
|---|---|
| `docker-compose.dev.yaml` | Edge/nightly stack tuned for laptops and iterative work. |
| `docker-compose.stage.yaml` | Stable channel stack mirroring pre-production clusters. |
| `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
| `docker-compose.mirror.yaml` | Managed mirror topology for `*.stella-ops.org` distribution (Concelier + Excititor + CDN gateway). |
| `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
Usage
```bash
cp env/dev.env.example dev.env
docker compose --env-file dev.env -f docker-compose.dev.yaml config
docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
```
The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a stellaops Docker network scoped to the compose project.
Scanner event stream settings
Scanner WebService can emit signed scanner.report.* events to Redis Streams when SCANNER__EVENTS__ENABLED=true. Each profile ships environment placeholders you can override in the .env file:
- `SCANNER_EVENTS_ENABLED` – toggle emission on/off (defaults to `false`).
- `SCANNER_EVENTS_DRIVER` – currently only `redis` is supported.
- `SCANNER_EVENTS_DSN` – Redis endpoint; leave blank to reuse the queue DSN when it uses `redis://`.
- `SCANNER_EVENTS_STREAM` – stream name (`stella.events` by default).
- `SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS` – per-publish timeout window (defaults to `5`).
- `SCANNER_EVENTS_MAX_STREAM_LENGTH` – max stream length before Redis trims entries (defaults to `10000`).
Helm values mirror the same knobs under each service’s env map (see deploy/helm/stellaops/values-*.yaml).
Updating to a new release
- Import the new manifest into `deploy/releases/` (see `deploy/README.md`).
- Update image digests in the relevant Compose file(s).
- Re-run `docker compose config` to confirm the bundle is deterministic.
Keep digests synchronized between Compose, Helm, and the release manifest to preserve reproducibility guarantees. deploy/tools/validate-profiles.sh performs a quick audit.
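
The digest-synchronization check described above can be sketched as follows. This is an added example, not the project's `deploy/tools/validate-profiles.sh`; it assumes image references are written as `image: <name>@sha256:<64 hex>` and treats the release manifest as plain text, and the registry, service names and digests in the sample files are constructed.

```sh
#!/bin/sh
# Added example: not the project's deploy/tools/validate-profiles.sh.
# Assumption: images appear as "image: <name>@sha256:<64 hex>" lines; the release
# manifest is scanned as plain text for the same name@sha256 references.
DIGEST_RE='[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}'

# Print each "image:" value in a Compose file that is not pinned to a sha256 digest.
unpinned_images() {
  sed -n -E 's/^[[:space:]]*image:[[:space:]]*//p' "$1" \
    | sed -E 's/[[:space:]]+#.*$//' | tr -d "\"'" \
    | grep -v -E "^${DIGEST_RE}[[:space:]]*\$" || true
}

# Print each pinned reference in the Compose file that the manifest does not list.
drifted_images() {
  manifest_refs=$(grep -o -E "$DIGEST_RE" "$2" | sort -u)
  grep -o -E "$DIGEST_RE" "$1" | sort -u | while read -r ref; do
    printf '%s\n' "$manifest_refs" | grep -q -x -F -- "$ref" || printf '%s\n' "$ref"
  done
}

# Constructed sample files (registry, service names and digests are made up).
SAMPLE_DIR=$(mktemp -d)
D1=$(printf '%064d' 1); D2=$(printf '%064d' 2); D3=$(printf '%064d' 3)
cat > "$SAMPLE_DIR/compose.yaml" <<EOF
services:
  scanner-web:
    image: registry.example.test/stellaops/scanner-web@sha256:$D1
  concelier:
    image: "registry.example.test/stellaops/concelier@sha256:$D2"  # stale pin
  redis:
    image: redis:7
EOF
cat > "$SAMPLE_DIR/release.yaml" <<EOF
components:
  - name: scanner-web
    image: registry.example.test/stellaops/scanner-web@sha256:$D1
  - name: concelier
    image: registry.example.test/stellaops/concelier@sha256:$D3
EOF

echo "unpinned:"; unpinned_images "$SAMPLE_DIR/compose.yaml"
echo "not in manifest:"; drifted_images "$SAMPLE_DIR/compose.yaml" "$SAMPLE_DIR/release.yaml"
```

Either function printing anything is a reason to fail the CI job: a tag-only reference can be repointed upstream, and a digest absent from the manifest means Compose and the release record have diverged.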