git.stella-ops.org/deploy/helm/stellaops/values.yaml

global:
  release:
    version: ""
    channel: ""
    manifestSha256: ""
  profile: ""
  image:
    pullPolicy: IfNotPresent
  labels: {}

telemetry:
  collector:
    enabled: false
    replicas: 1
    image: otel/opentelemetry-collector:0.105.0
    requireClientCert: true
    defaultTenant: unknown
    logLevel: info
    tls:
      secretName: ""
      certPath: /etc/otel/tls/tls.crt
      keyPath: /etc/otel/tls/tls.key
      caPath: /etc/otel/tls/ca.crt
      items:
        - key: tls.crt
          path: tls.crt
        - key: tls.key
          path: tls.key
        - key: ca.crt
          path: ca.crt
    service:
      grpcPort: 4317
      httpPort: 4318
      metricsPort: 9464
    resources: {}

configMaps:
  issuer-directory-config:
    data:
      issuer-directory.yaml: |
        IssuerDirectory:
          telemetry:
            minimumLogLevel: Information
          authority:
            enabled: true
            issuer: https://authority.svc.cluster.local/realms/stellaops
            requireHttpsMetadata: true
            audiences:
              - stellaops-platform
            readScope: issuer-directory:read
            writeScope: issuer-directory:write
            adminScope: issuer-directory:admin
          tenantHeader: X-StellaOps-Tenant
          seedCsafPublishers: true
          csafSeedPath: data/csaf-publishers.json
          Mongo:
            connectionString: mongodb://mongo:27017
            database: issuer-directory
            issuersCollection: issuers
            issuerKeysCollection: issuer_keys
            issuerTrustCollection: issuer_trust_overrides
            auditCollection: issuer_audit

  policy-engine-activation:
    data:
      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"

services:
  issuer-directory:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    replicas: 1
    configMounts:
      - name: issuer-directory-config
        configMap: issuer-directory-config
        mountPath: /etc/issuer-directory.yaml
        subPath: issuer-directory.yaml
    envFrom:
      - secretRef:
          name: issuer-directory-secrets
    env:
      ISSUERDIRECTORY__CONFIG: /etc/issuer-directory.yaml
      ISSUERDIRECTORY__AUTHORITY__BASEURL: https://authority:8440
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "true"
    ports:
      - containerPort: 8080
    service:
      port: 8080
    readinessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 20
  scheduler-worker:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    replicas: 1
    command:
      - dotnet
      - StellaOps.Scheduler.Worker.Host.dll
    env:
      SCHEDULER__QUEUE__KIND: Nats
      SCHEDULER__QUEUE__NATS__URL: nats://nats:4222
      SCHEDULER__STORAGE__CONNECTIONSTRING: mongodb://scheduler-mongo:27017
      SCHEDULER__STORAGE__DATABASE: stellaops_scheduler
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: http://scanner-web:8444