stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
40e7f827da764e39ca67fc27a74813a98e9a38d2
git.stella-ops.org/docs/modules/devops/runbooks/zastava-deployment.md
master 66cb6c4b8a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add guild charters and task boards for various components 
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00

1.9 KiB
Raw Blame History

Zastava Deployment Runbook

Audience: DevOps, Zastava Guild

Purpose: Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters.

1. Prerequisites

  • Kubernetes 1.26+ with admission registration permissions.
  • Access to StellaOps Container Registry or offline bundle with Zastava images.
  • Authority scopes and certificates configured for Zastava identities.
  • Surface.FS cache endpoint (RustFS/S3) reachable from nodes.

2. Installation Steps

  1. Prepare namespace & secrets
    • Create Kubernetes namespace (default stellaops-runtime).
    • Provision secrets (zastava-mtls, zastava-op-token, surface-secrets).
  2. Deploy Observer
    • Apply Helm chart helm/zastava with values aligning to Surface.Env settings.
    • Confirm DaemonSet pods schedule on all nodes; check /healthz endpoints.
  3. Deploy Webhook
    • Install ValidatingWebhookConfiguration with CA bundle and service reference.
    • Enable dry-run mode first, monitor logs, then switch enforce=true once validations pass.
  4. Configure policies
    • Populate admission policies in Policy Engine; ensure tokens contain runtime:read scopes.
    • Update CLI/Console settings for runtime posture view.
  5. Observability
    • Scrape metrics (zastava_observer_*, zastava_webhook_*).
    • Stream logs to central collector.

3. Air-Gapped Deployment Notes

  • Use Offline Kit bundle (offline/zastava/) to load images and configuration.
  • Validate Surface.FS bundles before enabling enforcement.
  • Replace webhook CA with offline authority; document rotation schedule.

4. Validation

  • Run stella runtime policy test against sample workloads.
  • Trigger deployment denial for unsigned images; verify Notifier emits alerts.
  • Check timeline events for observer telemetry.

5. References

  • docs/modules/zastava/architecture.md
  • docs/modules/scanner/architecture.md
  • docs/airgap/airgap-mode.md
  • docs/forensics/timeline.md