# syntax=docker/dockerfile:1.4

# StellaOps Regional Crypto Profile
# Selects regional cryptographic configuration at build time

# ============================================================================
# Build Arguments
# ============================================================================
# CRYPTO_PROFILE names which etc/appsettings.crypto.<profile>.yaml is copied
# into the image (see the regional-profile stage). It is declared before FROM
# so it is build-global, but an ARG declared here is only visible to FROM
# lines; any stage that uses it must re-declare it.
ARG CRYPTO_PROFILE=international
# The default is a mutable tag, so two builds of the same profile may not be
# bit-identical or auditable. For reproducible builds pass a digest-pinned
# reference: --build-arg BASE_IMAGE=<image>@sha256:<digest>
ARG BASE_IMAGE=stellaops/platform:latest
# SERVICE_NAME is not referenced anywhere in this file; the service is chosen
# with --target <stage> (see Build Instructions at the end of the file).
ARG SERVICE_NAME=authority

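# ============================================================================
# Regional Crypto Profile Layer
# ============================================================================
# Layers the selected regional crypto configuration on top of BASE_IMAGE. Every
# service stage below derives from this stage, so the config files, ENV and
# labels defined here are shared by all regional images.
# NOTE(review): no USER is set anywhere in this file, so the runtime user is
# whatever BASE_IMAGE leaves active — confirm that it is non-root.
FROM ${BASE_IMAGE} AS regional-profile

# Re-declared inside the stage: the ARG before FROM is only visible to FROM.
ARG CRYPTO_PROFILE

# Copy regional cryptographic configuration. The profile-specific file is
# installed under a fixed, profile-independent name so the runtime path is the
# same for every profile. A CRYPTO_PROFILE with no matching source file fails
# the build at this COPY (fail-closed) instead of producing an image with a
# missing crypto configuration.
COPY etc/appsettings.crypto.${CRYPTO_PROFILE}.yaml /app/etc/appsettings.crypto.yaml
COPY etc/crypto-plugins-manifest.json /app/etc/crypto-plugins-manifest.json

# Runtime variables: the profile name is kept in the image for runtime
# verification of the built profile; the two paths point at the files copied
# above (one ENV instruction, one layer).
ENV STELLAOPS_CRYPTO_PROFILE=${CRYPTO_PROFILE} \
    STELLAOPS_CRYPTO_CONFIG_PATH=/app/etc/appsettings.crypto.yaml \
    STELLAOPS_CRYPTO_MANIFEST_PATH=/app/etc/crypto-plugins-manifest.json

# Image metadata. The config label names the path that actually exists inside
# the image (the fixed COPY destination above) and matches
# STELLAOPS_CRYPTO_CONFIG_PATH; the profile-specific source filename is not
# present in the image, so labelling it would mislead anyone auditing which
# crypto configuration the image carries.
LABEL com.stellaops.crypto.profile="${CRYPTO_PROFILE}" \
      com.stellaops.crypto.config="/app/etc/appsettings.crypto.yaml" \
      com.stellaops.crypto.runtime-selection="true"
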
# ============================================================================
# Service-Specific Regional Images
# ============================================================================
# Each stage below selects one service on top of regional-profile and is built
# with --target <stage>. Nothing is copied in these stages: the service
# assembly is resolved relative to WORKDIR, so it must already be present at
# that path in BASE_IMAGE — confirm against the platform image.

# Authority with Regional Crypto
FROM regional-profile AS authority
WORKDIR /app/authority
ENTRYPOINT ["dotnet", "StellaOps.Authority.WebService.dll"]

# Signer with Regional Crypto
# Built with --target signer; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/signer in BASE_IMAGE — confirm.
FROM regional-profile AS signer
WORKDIR /app/signer
ENTRYPOINT ["dotnet", "StellaOps.Signer.WebService.dll"]

# Attestor with Regional Crypto
# Built with --target attestor; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/attestor in BASE_IMAGE — confirm.
FROM regional-profile AS attestor
WORKDIR /app/attestor
ENTRYPOINT ["dotnet", "StellaOps.Attestor.WebService.dll"]

# Concelier with Regional Crypto
# Built with --target concelier; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/concelier in BASE_IMAGE — confirm.
FROM regional-profile AS concelier
WORKDIR /app/concelier
ENTRYPOINT ["dotnet", "StellaOps.Concelier.WebService.dll"]

# Scanner with Regional Crypto
# Built with --target scanner; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/scanner in BASE_IMAGE — confirm.
FROM regional-profile AS scanner
WORKDIR /app/scanner
ENTRYPOINT ["dotnet", "StellaOps.Scanner.WebService.dll"]

# Excititor with Regional Crypto
# Built with --target excititor; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/excititor in BASE_IMAGE — confirm.
FROM regional-profile AS excititor
WORKDIR /app/excititor
ENTRYPOINT ["dotnet", "StellaOps.Excititor.WebService.dll"]

# Policy with Regional Crypto
# Built with --target policy; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/policy in BASE_IMAGE — confirm.
FROM regional-profile AS policy
WORKDIR /app/policy
ENTRYPOINT ["dotnet", "StellaOps.Policy.WebService.dll"]

# Scheduler with Regional Crypto
# Built with --target scheduler; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/scheduler in BASE_IMAGE — confirm.
FROM regional-profile AS scheduler
WORKDIR /app/scheduler
ENTRYPOINT ["dotnet", "StellaOps.Scheduler.WebService.dll"]

# Notify with Regional Crypto
# Built with --target notify; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/notify in BASE_IMAGE — confirm.
FROM regional-profile AS notify
WORKDIR /app/notify
ENTRYPOINT ["dotnet", "StellaOps.Notify.WebService.dll"]

# Zastava with Regional Crypto
# Built with --target zastava; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/zastava in BASE_IMAGE — confirm.
FROM regional-profile AS zastava
WORKDIR /app/zastava
ENTRYPOINT ["dotnet", "StellaOps.Zastava.WebService.dll"]

# Gateway with Regional Crypto
# Built with --target gateway; inherits config files, ENV and labels from
# regional-profile. The DLL is resolved relative to WORKDIR and is not copied
# here, so it must already exist at /app/gateway in BASE_IMAGE — confirm.
FROM regional-profile AS gateway
WORKDIR /app/gateway
ENTRYPOINT ["dotnet", "StellaOps.Gateway.WebService.dll"]

# AirGap Importer with Regional Crypto
# Built with --target airgap-importer; inherits config files, ENV and labels
# from regional-profile. Unlike the *.WebService stages this runs the importer
# assembly. It is resolved relative to WORKDIR and is not copied here, so it
# must already exist at /app/airgap-importer in BASE_IMAGE — confirm.
FROM regional-profile AS airgap-importer
WORKDIR /app/airgap-importer
ENTRYPOINT ["dotnet", "StellaOps.AirGap.Importer.dll"]

# AirGap Exporter with Regional Crypto
# Built with --target airgap-exporter; inherits config files, ENV and labels
# from regional-profile. Unlike the *.WebService stages this runs the exporter
# assembly. It is resolved relative to WORKDIR and is not copied here, so it
# must already exist at /app/airgap-exporter in BASE_IMAGE — confirm.
FROM regional-profile AS airgap-exporter
WORKDIR /app/airgap-exporter
ENTRYPOINT ["dotnet", "StellaOps.AirGap.Exporter.dll"]

# CLI with Regional Crypto
# Built with --target cli; inherits config files, ENV and labels from
# regional-profile. The CLI assembly is resolved relative to WORKDIR and is not
# copied here, so it must already exist at /app/cli in BASE_IMAGE — confirm.
# Arguments given to `docker run` are appended to the ENTRYPOINT.
FROM regional-profile AS cli
WORKDIR /app/cli
ENTRYPOINT ["dotnet", "StellaOps.Cli.dll"]

# ============================================================================
|
|
# Build Instructions
|
|
# ============================================================================
|
|
# Build international profile (default):
|
|
# docker build -f deploy/docker/Dockerfile.crypto-profile \
|
|
# --build-arg CRYPTO_PROFILE=international \
|
|
# --target authority \
|
|
# -t stellaops/authority:international .
|
|
#
|
|
# Build Russia (GOST) profile:
|
|
# docker build -f deploy/docker/Dockerfile.crypto-profile \
|
|
# --build-arg CRYPTO_PROFILE=russia \
|
|
# --target scanner \
|
|
# -t stellaops/scanner:russia .
|
|
#
|
|
# Build EU (eIDAS) profile:
|
|
# docker build -f deploy/docker/Dockerfile.crypto-profile \
|
|
# --build-arg CRYPTO_PROFILE=eu \
|
|
# --target signer \
|
|
# -t stellaops/signer:eu .
|
|
#
|
|
# Build China (SM) profile:
|
|
# docker build -f deploy/docker/Dockerfile.crypto-profile \
|
|
# --build-arg CRYPTO_PROFILE=china \
|
|
# --target attestor \
|
|
# -t stellaops/attestor:china .
|
|
#
|
|
# ============================================================================
|
|
# Regional Profile Descriptions
|
|
# ============================================================================
|
|
# international: Default NIST algorithms (ES256, RS256, SHA-256)
|
|
# Uses offline-verification plugin
|
|
# Jurisdiction: world
|
|
#
|
|
# russia: GOST R 34.10-2012, GOST R 34.11-2012
|
|
# Uses CryptoPro CSP plugin
|
|
# Jurisdiction: russia
|
|
# Requires: CryptoPro CSP SDK
|
|
#
|
|
# eu: eIDAS-compliant qualified trust services
|
|
# Uses eIDAS plugin with qualified certificates
|
|
# Jurisdiction: eu
|
|
# Requires: eIDAS trust service provider integration
|
|
#
|
|
# china: SM2, SM3, SM4 algorithms
|
|
# Uses SM crypto plugin
|
|
# Jurisdiction: china
|
|
# Requires: GmSSL or BouncyCastle SM extensions
|
|
#
|
|
# ============================================================================
|
|
# Runtime Configuration
|
|
# ============================================================================
|
|
# The crypto provider is selected at runtime based on:
|
|
# 1. STELLAOPS_CRYPTO_PROFILE environment variable
|
|
# 2. /app/etc/appsettings.crypto.yaml configuration file
|
|
# 3. /app/etc/crypto-plugins-manifest.json plugin metadata
|
|
#
|
|
# Plugin loading sequence:
|
|
# 1. Application starts
|
|
# 2. CryptoPluginLoader reads /app/etc/appsettings.crypto.yaml
|
|
# 3. Loads enabled plugins from manifest
|
|
# 4. Validates platform compatibility
|
|
# 5. Validates jurisdiction compliance
|
|
# 6. Registers providers with DI container
|
|
# 7. Application uses ICryptoProvider abstraction
|
|
#
|
|
# No cryptographic code is executed until runtime plugin selection completes.
|