4042fc2184
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
release-manifest-verify / verify (push) Has been cancelled
- Implement comprehensive tests for PackRunAttestationService, covering attestation generation, verification, and event emission. - Add tests for SealedInstallEnforcer to validate sealed install requirements and enforcement logic. - Introduce a MonacoLoaderService stub for testing purposes to prevent Monaco workers/styles from loading during Karma runs.
625 lines
16 KiB
JSON
625 lines
16 KiB
JSON
{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://stella-ops.org/schemas/deployment-service-list.schema.json",
|
|
"title": "StellaOps Deployment Service List Schema",
|
|
"description": "Schema for deployment service list, compose configuration, and version pins. Unblocks COMPOSE-44-001 through 45-003 (7 tasks).",
|
|
"type": "object",
|
|
"definitions": {
|
|
"ServiceDefinition": {
|
|
"type": "object",
|
|
"description": "Service definition for deployment",
|
|
"required": ["service_id", "name", "image", "version"],
|
|
"properties": {
|
|
"service_id": {
|
|
"type": "string",
|
|
"pattern": "^[a-z][a-z0-9-]*$",
|
|
"description": "Unique service identifier (kebab-case)"
|
|
},
|
|
"name": {
|
|
"type": "string",
|
|
"description": "Human-readable service name"
|
|
},
|
|
"description": {
|
|
"type": "string"
|
|
},
|
|
"image": {
|
|
"type": "string",
|
|
"description": "Container image (without tag)"
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9.]+)?$",
|
|
"description": "Service version (semver)"
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Image digest for pinning"
|
|
},
|
|
"port": {
|
|
"type": "integer",
|
|
"minimum": 1,
|
|
"maximum": 65535,
|
|
"description": "Primary service port"
|
|
},
|
|
"health_check": {
|
|
"$ref": "#/definitions/HealthCheck"
|
|
},
|
|
"dependencies": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "Service IDs this service depends on"
|
|
},
|
|
"environment": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"$ref": "#/definitions/EnvVarDefinition"
|
|
}
|
|
},
|
|
"volumes": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/VolumeMount"
|
|
}
|
|
},
|
|
"secrets": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/SecretReference"
|
|
}
|
|
},
|
|
"resources": {
|
|
"$ref": "#/definitions/ResourceLimits"
|
|
},
|
|
"replicas": {
|
|
"$ref": "#/definitions/ReplicaConfig"
|
|
},
|
|
"labels": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"annotations": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"HealthCheck": {
|
|
"type": "object",
|
|
"description": "Health check configuration",
|
|
"properties": {
|
|
"endpoint": {
|
|
"type": "string",
|
|
"default": "/health"
|
|
},
|
|
"port": {
|
|
"type": "integer"
|
|
},
|
|
"interval_seconds": {
|
|
"type": "integer",
|
|
"default": 30
|
|
},
|
|
"timeout_seconds": {
|
|
"type": "integer",
|
|
"default": 10
|
|
},
|
|
"retries": {
|
|
"type": "integer",
|
|
"default": 3
|
|
},
|
|
"start_period_seconds": {
|
|
"type": "integer",
|
|
"default": 60
|
|
}
|
|
}
|
|
},
|
|
"EnvVarDefinition": {
|
|
"type": "object",
|
|
"description": "Environment variable definition",
|
|
"properties": {
|
|
"description": {
|
|
"type": "string"
|
|
},
|
|
"required": {
|
|
"type": "boolean",
|
|
"default": false
|
|
},
|
|
"default": {
|
|
"type": "string"
|
|
},
|
|
"secret": {
|
|
"type": "boolean",
|
|
"default": false,
|
|
"description": "Whether this is a secret value"
|
|
},
|
|
"example": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"VolumeMount": {
|
|
"type": "object",
|
|
"description": "Volume mount configuration",
|
|
"required": ["name", "mount_path"],
|
|
"properties": {
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"mount_path": {
|
|
"type": "string"
|
|
},
|
|
"read_only": {
|
|
"type": "boolean",
|
|
"default": false
|
|
},
|
|
"type": {
|
|
"type": "string",
|
|
"enum": ["persistent", "ephemeral", "config", "secret"],
|
|
"default": "persistent"
|
|
},
|
|
"size": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+(Mi|Gi|Ti)$",
|
|
"description": "Volume size (e.g., 10Gi)"
|
|
}
|
|
}
|
|
},
|
|
"SecretReference": {
|
|
"type": "object",
|
|
"description": "Secret reference",
|
|
"required": ["name"],
|
|
"properties": {
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"key": {
|
|
"type": "string"
|
|
},
|
|
"env_var": {
|
|
"type": "string",
|
|
"description": "Environment variable to inject secret"
|
|
},
|
|
"mount_path": {
|
|
"type": "string",
|
|
"description": "File path to mount secret"
|
|
}
|
|
}
|
|
},
|
|
"ResourceLimits": {
|
|
"type": "object",
|
|
"description": "Resource limits and requests",
|
|
"properties": {
|
|
"cpu_request": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+(m)?$",
|
|
"description": "CPU request (e.g., 100m, 1)"
|
|
},
|
|
"cpu_limit": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+(m)?$"
|
|
},
|
|
"memory_request": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+(Mi|Gi)$",
|
|
"description": "Memory request (e.g., 256Mi)"
|
|
},
|
|
"memory_limit": {
|
|
"type": "string",
|
|
"pattern": "^[0-9]+(Mi|Gi)$"
|
|
}
|
|
}
|
|
},
|
|
"ReplicaConfig": {
|
|
"type": "object",
|
|
"description": "Replica configuration",
|
|
"properties": {
|
|
"min": {
|
|
"type": "integer",
|
|
"minimum": 0,
|
|
"default": 1
|
|
},
|
|
"max": {
|
|
"type": "integer",
|
|
"minimum": 1,
|
|
"default": 1
|
|
},
|
|
"target_cpu_utilization": {
|
|
"type": "integer",
|
|
"minimum": 1,
|
|
"maximum": 100,
|
|
"description": "Target CPU utilization for autoscaling"
|
|
}
|
|
}
|
|
},
|
|
"DeploymentProfile": {
|
|
"type": "object",
|
|
"description": "Deployment profile (dev/staging/prod)",
|
|
"required": ["profile_id", "name"],
|
|
"properties": {
|
|
"profile_id": {
|
|
"type": "string",
|
|
"enum": ["dev", "staging", "production", "airgap"]
|
|
},
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"description": {
|
|
"type": "string"
|
|
},
|
|
"service_overrides": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"$ref": "#/definitions/ServiceOverride"
|
|
}
|
|
},
|
|
"global_environment": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"network_policy": {
|
|
"$ref": "#/definitions/NetworkPolicy"
|
|
},
|
|
"security_context": {
|
|
"$ref": "#/definitions/SecurityContext"
|
|
}
|
|
}
|
|
},
|
|
"ServiceOverride": {
|
|
"type": "object",
|
|
"description": "Service-specific overrides for a profile",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"replicas": {
|
|
"$ref": "#/definitions/ReplicaConfig"
|
|
},
|
|
"resources": {
|
|
"$ref": "#/definitions/ResourceLimits"
|
|
},
|
|
"environment": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"NetworkPolicy": {
|
|
"type": "object",
|
|
"description": "Network policy configuration",
|
|
"properties": {
|
|
"egress_allowed": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"allowed_external_hosts": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "Allowed external hosts for egress"
|
|
},
|
|
"internal_only_services": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "Services not exposed externally"
|
|
}
|
|
}
|
|
},
|
|
"SecurityContext": {
|
|
"type": "object",
|
|
"description": "Security context configuration",
|
|
"properties": {
|
|
"run_as_non_root": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"read_only_root_filesystem": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"drop_capabilities": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": ["ALL"]
|
|
},
|
|
"add_capabilities": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"ServiceList": {
|
|
"type": "object",
|
|
"description": "Complete service list for deployment",
|
|
"required": ["list_id", "version", "services"],
|
|
"properties": {
|
|
"list_id": {
|
|
"type": "string"
|
|
},
|
|
"version": {
|
|
"type": "string"
|
|
},
|
|
"updated_at": {
|
|
"type": "string",
|
|
"format": "date-time"
|
|
},
|
|
"services": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/ServiceDefinition"
|
|
}
|
|
},
|
|
"profiles": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/DeploymentProfile"
|
|
}
|
|
},
|
|
"dependencies": {
|
|
"$ref": "#/definitions/ExternalDependencies"
|
|
},
|
|
"observability": {
|
|
"$ref": "#/definitions/ObservabilityConfig"
|
|
}
|
|
}
|
|
},
|
|
"ExternalDependencies": {
|
|
"type": "object",
|
|
"description": "External dependencies (databases, queues, etc.)",
|
|
"properties": {
|
|
"mongodb": {
|
|
"$ref": "#/definitions/MongoDbConfig"
|
|
},
|
|
"postgres": {
|
|
"$ref": "#/definitions/PostgresConfig"
|
|
},
|
|
"redis": {
|
|
"$ref": "#/definitions/RedisConfig"
|
|
},
|
|
"rabbitmq": {
|
|
"$ref": "#/definitions/RabbitMqConfig"
|
|
},
|
|
"s3": {
|
|
"$ref": "#/definitions/S3Config"
|
|
}
|
|
}
|
|
},
|
|
"MongoDbConfig": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"default": "7.0"
|
|
},
|
|
"replica_set": {
|
|
"type": "boolean",
|
|
"default": false
|
|
}
|
|
}
|
|
},
|
|
"PostgresConfig": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"default": "16"
|
|
}
|
|
}
|
|
},
|
|
"RedisConfig": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"default": "7"
|
|
},
|
|
"cluster": {
|
|
"type": "boolean",
|
|
"default": false
|
|
}
|
|
}
|
|
},
|
|
"RabbitMqConfig": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"default": "3.13"
|
|
}
|
|
}
|
|
},
|
|
"S3Config": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"provider": {
|
|
"type": "string",
|
|
"enum": ["minio", "aws", "gcs", "azure"],
|
|
"default": "minio"
|
|
}
|
|
}
|
|
},
|
|
"ObservabilityConfig": {
|
|
"type": "object",
|
|
"description": "Observability stack configuration",
|
|
"properties": {
|
|
"metrics": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"endpoint": {
|
|
"type": "string",
|
|
"default": "/metrics"
|
|
},
|
|
"port": {
|
|
"type": "integer",
|
|
"default": 9090
|
|
}
|
|
}
|
|
},
|
|
"tracing": {
|
|
"type": "object",
|
|
"properties": {
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"otlp_endpoint": {
|
|
"type": "string"
|
|
},
|
|
"sampling_rate": {
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 1,
|
|
"default": 0.1
|
|
}
|
|
}
|
|
},
|
|
"logging": {
|
|
"type": "object",
|
|
"properties": {
|
|
"level": {
|
|
"type": "string",
|
|
"enum": ["trace", "debug", "info", "warn", "error"],
|
|
"default": "info"
|
|
},
|
|
"format": {
|
|
"type": "string",
|
|
"enum": ["json", "text"],
|
|
"default": "json"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"properties": {
|
|
"service_list": {
|
|
"$ref": "#/definitions/ServiceList"
|
|
}
|
|
},
|
|
"examples": [
|
|
{
|
|
"service_list": {
|
|
"list_id": "stellaops-2025.10",
|
|
"version": "2025.10.0",
|
|
"updated_at": "2025-12-06T10:00:00Z",
|
|
"services": [
|
|
{
|
|
"service_id": "concelier",
|
|
"name": "Concelier",
|
|
"description": "Vulnerability advisory ingestion and merge engine",
|
|
"image": "ghcr.io/stellaops/concelier",
|
|
"version": "2025.10.0",
|
|
"digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
|
|
"port": 8080,
|
|
"health_check": {
|
|
"endpoint": "/health",
|
|
"interval_seconds": 30
|
|
},
|
|
"dependencies": ["mongodb", "redis"],
|
|
"resources": {
|
|
"cpu_request": "100m",
|
|
"cpu_limit": "1000m",
|
|
"memory_request": "256Mi",
|
|
"memory_limit": "1Gi"
|
|
}
|
|
},
|
|
{
|
|
"service_id": "scanner",
|
|
"name": "Scanner",
|
|
"description": "Container scanning with SBOM generation",
|
|
"image": "ghcr.io/stellaops/scanner",
|
|
"version": "2025.10.0",
|
|
"port": 8081,
|
|
"dependencies": ["concelier", "s3"]
|
|
},
|
|
{
|
|
"service_id": "findings-ledger",
|
|
"name": "Findings Ledger",
|
|
"description": "Vulnerability findings storage",
|
|
"image": "ghcr.io/stellaops/findings-ledger",
|
|
"version": "2025.10.0",
|
|
"port": 8082,
|
|
"dependencies": ["postgres", "redis"]
|
|
}
|
|
],
|
|
"profiles": [
|
|
{
|
|
"profile_id": "dev",
|
|
"name": "Development",
|
|
"description": "Local development profile",
|
|
"global_environment": {
|
|
"ASPNETCORE_ENVIRONMENT": "Development",
|
|
"LOG_LEVEL": "Debug"
|
|
}
|
|
},
|
|
{
|
|
"profile_id": "production",
|
|
"name": "Production",
|
|
"description": "Production deployment profile",
|
|
"security_context": {
|
|
"run_as_non_root": true,
|
|
"read_only_root_filesystem": true,
|
|
"drop_capabilities": ["ALL"]
|
|
}
|
|
}
|
|
],
|
|
"dependencies": {
|
|
"mongodb": {
|
|
"enabled": true,
|
|
"version": "7.0"
|
|
},
|
|
"postgres": {
|
|
"enabled": true,
|
|
"version": "16"
|
|
},
|
|
"redis": {
|
|
"enabled": true,
|
|
"version": "7"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|