- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

Stella Ops Compose Profiles
These Compose bundles ship the minimum services required to exercise the scanner pipeline plus control-plane dependencies. Every profile is pinned to immutable image digests sourced from deploy/releases/*.yaml and is linted via docker compose config in CI.
Layout
| Path | Purpose |
|---|---|
| docker-compose.dev.yaml | Edge/nightly stack tuned for laptops and iterative work. |
| docker-compose.stage.yaml | Stable channel stack mirroring pre-production clusters. |
| docker-compose.airgap.yaml | Stable stack with air-gapped defaults (no outbound hostnames). |
| env/*.env.example | Seed .env files that document required secrets and ports per profile. |
Usage
cp env/dev.env.example dev.env
docker compose --env-file dev.env -f docker-compose.dev.yaml config
docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a stellaops Docker network scoped to the compose project.
Updating to a new release
- Import the new manifest into deploy/releases/ (see deploy/README.md).
- Update image digests in the relevant Compose file(s).
- Re-run docker compose config to confirm the bundle is deterministic.
Keep digests synchronized between Compose, Helm, and the release manifest to preserve reproducibility guarantees. deploy/tools/validate-profiles.sh performs a quick audit.
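
A sketch of the kind of digest audit described above, added here as an example; it is not the project's deploy/tools/validate-profiles.sh. It assumes the release manifest lists images under `image:` keys, and the registry, service names and digests are constructed sample values.

```shell
# Added example, not the project's validate-profiles.sh.
# Assumption: the release manifest lists images under `image:` keys.
# Print the value of every `image:` key in a YAML file, quotes stripped.
list_images() {
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" | tr -d "\"'"
}

# check_pins COMPOSE MANIFEST: print one finding per line; return 1 if any
# image is unpinned, malformed, or pinned to a digest the manifest lacks.
check_pins() {
    rc=0
    for ref in $(list_images "$1"); do
        case $ref in
            *@sha256:*) ;;
            *) echo "UNPINNED $ref"; rc=1; continue ;;
        esac
        if ! printf '%s\n' "${ref##*@}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
            echo "MALFORMED $ref"; rc=1; continue
        fi
        # Exact match on repository plus digest, so a tag-only or
        # different-digest manifest entry counts as drift.
        if ! list_images "$2" | grep -Fxq -- "$ref"; then
            echo "DRIFT $ref"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data: hypothetical registry, services and digests.
hex64() { printf '%064d' 0 | tr 0 "$1"; }
write_samples() {
    cat > "$1/compose.yaml" <<EOF
services:
  svc-a:
    image: registry.example.test/svc-a@sha256:$(hex64 a)
  svc-b:
    image: "registry.example.test/svc-b@sha256:$(hex64 b)"
  svc-c:
    image: registry.example.test/svc-c:edge
EOF
    cat > "$1/release.yaml" <<EOF
components:
  - image: registry.example.test/svc-a@sha256:$(hex64 a)
  - image: registry.example.test/svc-b@sha256:$(hex64 c)
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_pins "$tmp/compose.yaml" "$tmp/release.yaml" || echo "audit failed"
rm -rf "$tmp"
```

On the sample data the check reports svc-b as DRIFT (its digest differs from the manifest) and svc-c as UNPINNED (a mutable tag instead of a digest).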