git.stella-ops.org/docs/technical/architecture/platform-topology.md
2025-12-24 12:38:14 +02:00

Platform topology (detailed)

This document provides a comprehensive view of the StellaOps platform topology. For module-specific details (APIs, schemas, operations), see docs/modules/.

Component topology (quick reference)

CLIENT LAYER
├─ stella CLI                    → Gateway (JWT + DPoP auth)
├─ Web UI (Angular)              → Gateway (JWT + DPoP auth)
├─ CI/CD Pipelines               → Gateway (JWT + DPoP auth)
└─ Zastava Observer              → Scanner (runtime scans)

INFRASTRUCTURE (REQUIRED)
├─ PostgreSQL v16+               → Primary database (ALL services)
├─ Valkey v8.0                   → Cache, DPoP, queues, events
└─ RustFS                        → Object storage (S3 API)

INFRASTRUCTURE (OPTIONAL)
└─ NATS JetStream                → Alternative messaging (Valkey is default)

GATEWAY LAYER
└─ Gateway.WebService            → Auth, routing, rate limiting

AUTH & CRYPTO
├─ Authority                     → OAuth2/OIDC, OpTok issuance
├─ Signer                        → DSSE signing (FIPS/GOST/SM)
└─ Attestor                      → Rekor v2 transparency log

CORE ENGINES
├─ Scanner.WebService            → Scan orchestration
├─ Scanner.Worker                → Image analysis, SBOM generation
├─ Concelier.WebService          → Advisory ingestion (NVD, Red Hat, etc.)
├─ Excititor.WebService          → VEX ingestion + consensus
├─ Policy.Gateway                → OPA/Rego policy evaluation
├─ Scheduler.WebService          → Re-scan orchestration
├─ Notify.WebService             → Notification orchestration
├─ Notify.Worker                 → Slack/Teams/Email delivery
└─ Orchestrator.WebService       → DAG workflows, pack runs

SUPPORTING
└─ IssuerDirectory               → VEX issuer trust registry

Layers (tabular reference)

| Layer | Primary components | Responsibility |
|---|---|---|
| Client | CLI, Web UI, CI/CD pipelines, runtime observers | Submit scan requests, query results, manage policy/tenancy. |
| Gateway | Gateway.WebService | Auth enforcement, tenant routing, rate limiting, request correlation, API routing. |
| Auth & crypto | Authority, Signer, Attestor, IssuerDirectory | Token issuance, signing, transparency/attestation workflows, issuer trust registry. |
| Core engines | Scanner, Concelier, Excititor, Policy, Scheduler, Notify, Orchestrator | Scanning, ingestion, verdicts, orchestration, notifications, exports. |
| Data plane | PostgreSQL, Valkey, RustFS (S3), optional NATS | Persistent state, queues/streams, artifact storage, optional alternative messaging. |

Service categories (detailed)

| Category | Services | Purpose |
|---|---|---|
| Gateway | Gateway.WebService | API routing, auth enforcement |
| Auth & Security | Authority, Signer, Attestor | OAuth2, signing, transparency |
| Scanning | Scanner.Web, Scanner.Worker | Container analysis, SBOM |
| Advisory | Concelier.Web, Concelier.Worker | Vulnerability ingestion |
| VEX | Excititor.Web, Excititor.Worker | Exploitability statements |
| Policy | Policy.Gateway, Policy Engine | OPA/Rego evaluation |
| Orchestration | Scheduler, Orchestrator | Job coordination |
| Notifications | Notify.Web, Notify.Worker | Delivery to Slack/Teams/Email |

Layered architecture diagram

┌─────────────────────────────────────────────────────────────────────┐
│                      USER EXPERIENCE                                 │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │   Gateway    │  │  Web (UI)    │  │     CLI      │              │
│  │ (API Router) │  │ (Angular v17)│  │(Multi-plat)  │              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                   DATA & EXPORT                                      │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │ExportCenter  │  │EvidenceLocker│  │FindingsLedger│              │
│  │(SARIF/SBOM)  │  │(Artifacts)   │  │(Audit Trail) │              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                  EVENTS & NOTIFICATIONS                              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │   Notify     │  │   Notifier   │  │TimelineIndex │              │
│  │(Slack/Teams) │  │  (Advanced)  │  │  (Events)    │              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                   ORCHESTRATION & WORKFLOW                           │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │ Scheduler    │  │ Orchestrator │  │ TaskRunner   │              │
│  │(Job Sched)   │  │(Coordinator) │  │(Executor)    │              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                      SCANNING & ANALYSIS                             │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │Scanner.Web   │  │Scanner.Worker│  │ AdvisoryAI   │              │
│  │(API/Control) │  │(Analyzers)   │  │(ML Analysis) │              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
│  ┌──────────────┐  ┌──────────────┐                                 │
│  │ RiskEngine   │  │    Policy    │                                 │
│  │  (Scoring)   │  │   (Engine)   │                                 │
│  └──────────────┘  └──────────────┘                                 │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                    INGESTION & AGGREGATION                           │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │  Concelier   │  │   Excititor  │  │IssuerDirectry│              │
│  │(Advisories)  │  │    (VEX)     │  │(CSAF Pubshrs)│              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                     AUTHENTICATION & SIGNING                         │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │  Authority   │─▶│    Signer    │─▶│   Attestor   │              │
│  │ (OAuth2/OIDC)│  │(DSSE/PKIX)   │  │(in-toto/DSSE)│              │
│  └──────────────┘  └──────────────┘  └──────────────┘              │
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        INFRASTRUCTURE LAYER                          │
│  ┌──────────────────┐  ┌──────────────────┐  ┌─────────────────┐   │
│  │   PostgreSQL     │  │     Valkey       │  │     RustFS      │   │
│  │   (v16+ ONLY)    │  │  (Redis-compat)  │  │  (S3-like API)  │   │
│  │                  │  │   - Caching      │  │  - Artifacts    │   │
│  │ All services use │  │   - DPoP nonces  │  │  - SBOMs        │   │
│  │ PostgreSQL for   │  │   - Event queues │  │  - Signatures   │   │
│  │ persistent data  │  │   - Rate limiting│  │                 │   │
│  └──────────────────┘  └──────────────────┘  └─────────────────┘   │
│                                                                      │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │ Optional: NATS JetStream (alternative transport for queues)  │   │
│  │           Only used if explicitly configured in appsettings  │   │
│  └──────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────┘
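An added example (not StellaOps code, and in Python rather than the project's .NET) of the binding checks behind the "JWT + DPoP auth" arrows and the "DPoP nonces" entry under Valkey: it assumes the proof JWS signature has already been verified by a JWT library, uses an in-memory dict standing in for Valkey, and every name, URL and key value in it is constructed.

```python
# Added example (not StellaOps code): gateway-side DPoP binding checks.
# Assumes the proof JWS signature was already verified by a JWT library;
# ReplayStore is an in-memory stand-in for the Valkey jti/nonce store.
import base64
import hashlib
import json


class ReplayStore:
    """Maps jti -> expiry; Valkey would do the same with SET NX EX."""

    def __init__(self):
        self._seen = {}

    def add_if_absent(self, jti, ttl, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge expired
        if not jti or jti in self._seen:
            return False
        self._seen[jti] = now + ttl
        return True


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over canonical JSON of the key's required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()


def check_dpop_binding(proof_header, proof_claims, token_claims, method, url, store,
                       now, skew=60, expected_nonce=None):
    """Return 'ok' or the name of the first failed check; reject anything but 'ok'."""
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return "bad-header"
    # The proof key must be the key the access token was bound to (cnf.jkt).
    if jwk_thumbprint(proof_header["jwk"]) != token_claims.get("cnf", {}).get("jkt"):
        return "jkt-mismatch"
    # A proof is only valid for this exact method and URL.
    if proof_claims.get("htm") != method or proof_claims.get("htu") != url:
        return "htm-htu-mismatch"
    # A server-issued nonce (if the gateway handed one out) must be echoed back.
    if expected_nonce is not None and proof_claims.get("nonce") != expected_nonce:
        return "bad-nonce"
    # Freshness window, then single use of the jti within that window (replay guard).
    if abs(now - proof_claims.get("iat", 0)) > skew:
        return "stale"
    if not store.add_if_absent(proof_claims.get("jti"), ttl=2 * skew, now=now):
        return "replay"
    return "ok"
```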

Notes

  • Module dossiers live under docs/modules/<module>/architecture.md.
  • Deployment defaults (ports, profile overlays, pinned digests) live under deploy/ (deploy/compose/, deploy/helm/, deploy/releases/).