master
96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
61 lines
3.1 KiB
Markdown
61 lines
3.1 KiB
Markdown
# StellaOps Authority Container Scaffold
|
||
|
||
This directory provides a distroless Dockerfile and `docker-compose` sample for bootstrapping the Authority service alongside MongoDB (required) and Redis (optional).
|
||
|
||
## Prerequisites
|
||
|
||
- Docker Engine 25+ and Compose V2
|
||
- .NET 10 preview SDK (only required when building locally outside of Compose)
|
||
- Populated Authority configuration at `etc/authority.yaml` and plugin manifests under `etc/authority.plugins/`
|
||
|
||
## Usage
|
||
|
||
```bash
|
||
# 1. Ensure configuration files exist (copied from etc/authority.yaml.sample, etc/authority.plugins/*.yaml)
|
||
# 2. Build and start the stack
|
||
docker compose -f ops/authority/docker-compose.authority.yaml up --build
|
||
```
|
||
|
||
`authority.yaml` is mounted read-only at `/etc/authority.yaml` inside the container. Plugin manifests are mounted to `/app/etc/authority.plugins`. Update the issuer URL plus any Mongo credentials in the compose file or via an `.env`.
|
||
|
||
To run with pre-built images, replace the `build:` block in the compose file with an `image:` reference.
|
||
|
||
## Volumes
|
||
|
||
- `mongo-data` – persists MongoDB state.
|
||
- `redis-data` – optional Redis persistence (enable the service before use).
|
||
- `authority-keys` – writable volume for Authority signing keys.
|
||
|
||
## Environment overrides
|
||
|
||
Key environment variables (mirroring `StellaOpsAuthorityOptions`):
|
||
|
||
| Variable | Description |
|
||
| --- | --- |
|
||
| `STELLAOPS_AUTHORITY__ISSUER` | Public issuer URL advertised by Authority |
|
||
| `STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0` | Primary plugin binaries directory inside the container |
|
||
| `STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY` | Path to plugin manifest directory |
|
||
|
||
For additional options, see `etc/authority.yaml.sample`.
|
||
|
||
> **Graph Explorer reminder:** When enabling Cartographer or Graph API components, update `etc/authority.yaml` so the `cartographer-service` client includes `properties.serviceIdentity: "cartographer"` and a tenant hint. Authority now rejects `graph:write` tokens that lack this marker, so existing deployments must apply the update before rolling out the new build.
|
||
|
||
## Key rotation automation (OPS3)
|
||
|
||
The `key-rotation.sh` helper wraps the `/internal/signing/rotate` endpoint delivered with CORE10. It can run in CI/CD once the new PEM key is staged on the Authority host volume.
|
||
|
||
```bash
|
||
AUTHORITY_BOOTSTRAP_KEY=$(cat ~/.secrets/authority-bootstrap.key) \
|
||
./key-rotation.sh \
|
||
--authority-url https://authority.stella-ops.local \
|
||
--key-id authority-signing-2025 \
|
||
--key-path ../certificates/authority-signing-2025.pem \
|
||
--meta rotatedBy=pipeline --meta changeTicket=OPS-1234
|
||
```
|
||
|
||
- `--key-path` should resolve from the Authority content root (same as `docs/11_AUTHORITY.md` SOP).
|
||
- Provide `--source`/`--provider` if the key loader differs from the default file-based provider.
|
||
- Pass `--dry-run` during rehearsals to inspect the JSON payload without invoking the API.
|
||
|
||
After rotation, export a fresh revocation bundle (`stellaops-cli auth revoke export`) so downstream mirrors consume signatures from the new `kid`. The canonical operational steps live in `docs/11_AUTHORITY.md` – make sure any local automation keeps that guide as source of truth.
|