e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
55 lines
1.8 KiB
YAML
55 lines
1.8 KiB
YAML
# Notify WebService configuration — air-gapped bootstrap profile
|
|
#
|
|
# This template ships inside the Bootstrap Pack so operators can stage
|
|
# deterministic notifier settings without reaching external services. The
|
|
# values align with the docker-compose.airgap.yaml profile and the defaults
|
|
# produced by the Offline Kit builder. Update the connection string and
|
|
# Authority endpoints if your environment uses different hosts.
|
|
|
|
storage:
|
|
driver: postgres
|
|
|
|
postgres:
|
|
notify:
|
|
connectionString: "Host=postgres;Port=5432;Database=stellaops_notify_airgap;Username=stellaops;Password=airgap-password;Pooling=true;Maximum Pool Size=40;Minimum Pool Size=1"
|
|
commandTimeoutSeconds: 45
|
|
schemaName: notify
|
|
|
|
authority:
|
|
enabled: true
|
|
issuer: "https://authority.airgap.local"
|
|
metadataAddress: "https://authority.airgap.local/.well-known/openid-configuration"
|
|
requireHttpsMetadata: true
|
|
allowAnonymousFallback: false
|
|
backchannelTimeoutSeconds: 30
|
|
tokenClockSkewSeconds: 60
|
|
audiences:
|
|
- notify
|
|
viewerScope: notify.viewer
|
|
operatorScope: notify.operator
|
|
adminScope: notify.admin
|
|
|
|
api:
|
|
basePath: "/api/v1/notify"
|
|
internalBasePath: "/internal/notify"
|
|
tenantHeader: "X-StellaOps-Tenant"
|
|
|
|
plugins:
|
|
baseDirectory: "/opt/stellaops"
|
|
directory: "plugins/notify"
|
|
searchPatterns:
|
|
- "StellaOps.Notify.Connectors.*.dll"
|
|
orderedPlugins:
|
|
- StellaOps.Notify.Connectors.Email
|
|
- StellaOps.Notify.Connectors.Webhook
|
|
|
|
telemetry:
|
|
enableRequestLogging: true
|
|
minimumLogLevel: Information
|
|
|
|
# In sealed/air-gapped mode, outbound connectors are constrained by the
|
|
# shared EgressPolicy facade. Channels that point to loopback services (SMTP
|
|
# relay, syslog forwarder, file sink) are permitted; external webhooks are
|
|
# denied until the host is unsealed or allow-listed. Review
|
|
# docs/modules/notify/bootstrap-pack.md for the full bootstrap workflow.
|