git.stella-ops.org/ops/devops/attestation/witness-plan.md
StellaOps Bot 44171930ff
feat: Add UI benchmark driver and scenarios for graph interactions
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
2025-12-02 01:28:17 +02:00


Transparency Log Witness Deployment Plan (DEVOPS-ATTEST-74-001)

Goals

  • Deploy and monitor a Sigstore-compatible witness for Rekor v1/v2 logs (and air-gap mirrors).
  • Provide offline-ready configs and evidence (hashes, DSSE attestations) for bootstrap packs.

Scope

  • Environments: staging → prod (online), sealed/offline mirror (optional, read-only).
  • Witness duties: verify inclusion proofs and the consistency proof between each new checkpoint and the last one it signed (so the log cannot present one view to the witness and another to clients without the mismatch being detected), publish countersigned checkpoints/STHs, expose metrics and health.

Architecture

  • Witness binary (sigstore/witness or equivalent) in a hardened container:
    • Non-root user, read-only rootfs, seccomp/AppArmor defaults.
    • TLS with mTLS between witness and collector; optional OIDC for admin endpoints.
  • Inputs:
    • Rekor base URL(s) + public keys.
    • Mirror CAR path + signature (for air-gap).
  • Outputs:
    • Signed checkpoints (STHs) published hourly, each stored in object storage with a DSSE manifest; the previous checkpoint is retained so the next consistency check has something to compare against.
    • Metrics: Prometheus /metrics endpoint (request latency, verify failures, checkpoint age).
    • Logs: JSON, structured, no PII.
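The proof checks behind the "verify inclusion proofs" and consistency duties above, as an added example; this is not the project's code nor any witness binary's code. The log entries are constructed inline so it runs offline, and the `witness_accept` policy at the end is an illustrative decision procedure, not a standard. Hashing follows RFC 6962 (SHA-256 with the 0x00 leaf and 0x01 node prefixes), which is the scheme Rekor uses, so the two verifiers apply to real proofs once the hashes are decoded from the log's wire encoding.

```python
"""RFC 6962 Merkle-log proof checks of the kind a witness runs before it
countersigns a checkpoint.  Added example, not the project's or any witness
binary's code; entries below are constructed so the script runs offline.
Hashing is RFC 6962 (SHA-256, 0x00 leaf / 0x01 node prefix), as in Rekor."""
import hashlib
from typing import List

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_path(index: int, leaves: List[bytes]) -> List[bytes]:
    """Log-side: the audit path a log returns with an inclusion proof."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [root_hash(leaves[:k])]

def consistency_path(m: int, leaves: List[bytes]) -> List[bytes]:
    """Log-side: consistency proof from tree size m to len(leaves)."""
    def sub(m, part, full):
        n = len(part)
        if m == n:
            return [] if full else [root_hash(part)]
        k = _split(n)
        if m <= k:
            return sub(m, part[:k], full) + [root_hash(part[k:])]
        return sub(m - k, part[k:], False) + [root_hash(part[:k])]
    return sub(m, leaves, True)

def verify_inclusion(entry, index, tree_size, root, path) -> bool:
    """Witness-side, RFC 9162 2.1.3.2: rebuild the root from leaf + audit path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1 or fn == 0):
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def verify_consistency(first, second, first_root, second_root, path) -> bool:
    """Witness-side, RFC 9162 2.1.4.2: tree of size `first` is a prefix of `second`."""
    if first == second:
        return not path and first_root == second_root
    if first == 0 or first > second or not path:
        return False
    if first & (first - 1) == 0:  # old size a power of two: its root is a node of the new tree
        path = [first_root, *path]
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while not (fn & 1 or fn == 0):
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root

def witness_accept(prev, new, path):
    """Per-checkpoint decision (constructed policy): prev/new are (tree_size, root),
    prev being the last checkpoint this witness countersigned."""
    (psize, proot), (nsize, nroot) = prev, new
    if psize == 0:
        return True, "no prior checkpoint: trust on first use and record it"
    if nsize < psize:
        return False, "tree shrank: rollback or split view, do not countersign"
    if not verify_consistency(psize, nsize, proot, nroot, path):
        return False, "consistency proof failed: do not countersign, count a verify failure"
    return True, "consistent with last signed checkpoint: countersign and publish"
```

The "tree shrank" and "consistency proof failed" branches are the two outcomes that should increment the verify-failure counter the monitoring section alerts on; a checkpoint that is merely stale should show up as checkpoint age, not as a verify failure.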

Deployment steps

  1. Build/pull witness image (pin digest); generate SBOM + cosign attestations.
  2. Create config:
    • rekor_urls: prod/staging
    • rekor_keys: PEMs
    • checkpoint_interval: 1h
    • mirror_path (optional): /data/rekor-mirror.car
    • signer: KMS ref or file key (sealed-mode uses file key from bootstrap pack)
  3. Helm/Compose template:
    • read-only rootfs, drop capabilities (all of them, NET_RAW at minimum), no-new-privileges, memory/cpu limits
    • PVC for checkpoints (/var/lib/witness/checkpoints)
    • Service exposing HTTPS + /metrics
  4. CI:
    • Lint chart
    • Run e2e: start a Rekor test instance, run the witness against it, verify a checkpoint is written and its signature validates against the witness public key, and verify /metrics reports non-zero request counts and zero verify failures.
    • Publish image SBOM/attestations and chart checksums.
  5. Monitoring/alerts:
    • increase(witness_verify_failures_total[5m]) > 0 (the metric is a counter, so alert on its increase, not its absolute value)
    • witness_checkpoint_age_seconds > 5400 (1.5x the hourly checkpoint interval; one missed publication trips it)
    • witness_backfill_queue_depth (if the binary exports it) above an agreed threshold
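Steps 2 to 5 rendered as one Compose deployment, as an added example; this is not the project's Helm/Compose template. Assumptions: the witness reads a YAML config using the keys from step 2 plus an assumed `tls` block, listens on 8443 and serves /metrics there, and runs as uid 65532; the Rekor URLs, the KMS alias, the file paths and the backfill threshold are placeholders. Inline `configs: content:` needs Compose v2.23 or later.

```yaml
# Added example, not the project's Helm/Compose template.  Assumed: witness
# config is YAML with the plan's keys plus a tls block, port 8443 carries both
# the API and /metrics, uid 65532 is the image's non-root user.  URLs, KMS
# alias, paths and thresholds are placeholders.  Needs Compose v2.23+.
services:
  witness:
    image: witness:local              # step 1: replace with <registry>/witness@sha256:<digest>
    user: "65532:65532"               # non-root
    read_only: true                   # read-only rootfs
    cap_drop: [ALL]                   # drops NET_RAW along with everything else
    security_opt: ["no-new-privileges:true"]
    tmpfs: ["/tmp:size=16m,mode=1777"]
    configs:
      - {source: witness_config, target: /etc/witness/config.yaml}
    volumes:
      - checkpoints:/var/lib/witness/checkpoints   # step 3: persistent checkpoint store
      - ./keys/rekor-prod.pem:/etc/witness/keys/rekor-prod.pem:ro
      - ./tls/witness.crt:/etc/witness/tls/tls.crt:ro
      - ./tls/witness.key:/etc/witness/tls/tls.key:ro
      - ./tls/ca.crt:/etc/witness/tls/ca.crt:ro
    ports: ["8443:8443"]
    deploy:
      resources:
        limits: {cpus: "1.0", memory: 512M}

  prometheus:
    image: prom/prometheus:v2.53.0    # pin by digest as well
    user: "65534:65534"
    read_only: true
    cap_drop: [ALL]
    configs:
      - {source: prom_config, target: /etc/prometheus/prometheus.yml}
      - {source: witness_rules, target: /etc/prometheus/witness-rules.yml}
    volumes:
      - ./tls/prometheus.crt:/etc/prometheus/tls/tls.crt:ro
      - ./tls/prometheus.key:/etc/prometheus/tls/tls.key:ro
      - ./tls/ca.crt:/etc/prometheus/tls/ca.crt:ro
      - promdata:/prometheus
    depends_on: [witness]

volumes:
  checkpoints: {}
  promdata: {}

configs:
  witness_config:                     # step 2
    content: |
      rekor_urls:
        - https://rekor.sigstore.dev        # prod
        - https://rekor.sigstage.dev        # staging
      rekor_keys:
        - /etc/witness/keys/rekor-prod.pem
      checkpoint_interval: 1h
      # mirror_path: /data/rekor-mirror.car       # air-gap mode only
      signer: awskms:///alias/witness-checkpoint   # sealed mode: file:///etc/witness/keys/witness.pem
      tls:
        cert: /etc/witness/tls/tls.crt
        key: /etc/witness/tls/tls.key
        client_ca: /etc/witness/tls/ca.crt       # collector must present a cert from this CA
  prom_config:
    content: |
      global: {scrape_interval: 30s}
      rule_files: [/etc/prometheus/witness-rules.yml]
      scrape_configs:
        - job_name: witness
          scheme: https
          tls_config:
            ca_file: /etc/prometheus/tls/ca.crt
            cert_file: /etc/prometheus/tls/tls.crt   # client cert: the mTLS half
            key_file: /etc/prometheus/tls/tls.key
          static_configs:
            - targets: ["witness:8443"]
  witness_rules:                      # step 5
    content: |
      groups:
        - name: witness
          rules:
            - alert: WitnessVerifyFailures
              expr: increase(witness_verify_failures_total[5m]) > 0
              labels: {severity: critical}
              annotations: {summary: "witness rejected a Rekor proof in the last 5m"}
            - alert: WitnessCheckpointStale
              expr: witness_checkpoint_age_seconds > 5400   # 1.5x the 1h interval
              for: 5m
              labels: {severity: warning}
            - alert: WitnessBackfillBacklog
              expr: witness_backfill_queue_depth > 1000     # only if the binary exports it
              for: 15m
              labels: {severity: warning}
```

For the air-gap profile the same file works with `mirror_path` uncommented, `rekor_urls` emptied, the `signer` pointed at the file key from the bootstrap pack, and the witness service given `network_mode: none` so verify-only mode cannot reach out even if misconfigured.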

Offline/air-gap mode

  • Consume signed Rekor mirror (CAR + manifest) from bootstrap pack.
  • Run witness in verify-only mode against mirror; disable outbound network.
  • Emit checkpoints signed with offline key; store in mirror bundle for audit.

Evidence to capture

  • Image digest, SBOM hash, chart checksum.
  • Signed checkpoint sample and DSSE manifest.
  • CI e2e logs and metrics sample (scrape output).

Owners

  • Build/deploy: DevOps Guild
  • Keys/config: Platform Security
  • Observability: Observability Guild