stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
96d52884e86650452c9c998d343469ea00fafdce
git.stella-ops.org/docs/13_RELEASE_ENGINEERING_PLAYBOOK.md
master 96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools 
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00

12 KiB
Executable File
Raw Blame History

#13 · Release Engineering Playbook — StellaOps

A concise, automationfirst guide describing how source code on main becomes a verifiably signed, airgapfriendly release.
It is opinionated for offline usecases and supplychain security (SLSA ≥ level 2 today, aiming for level 3).

##0ReleasePhilosophy

  • Fast but fearless every commit on main must be releasable; broken builds break the build, not the team.
  • Reproducible anyone can rebuild byteidentical artefacts with a single make release offline.
  • Secure by default every artefact ships with a SBOM, Cosign signature and (future) Rekor log entry.
  • Offlinefirst all dependencies are vendored or mirrored into the internal registry; no Internet required at runtime.

##1Versioning & Branching

Branch Purpose Autopublish?
main Alwaysgreen development trunk nightly-* images
release/X.Y Stabilise a minor line stella:X.Y-rcN
Tags X.Y.Z = SemVer stella:X.Y.Z, OUK tarball, Helm chart
  • SemVer MAJOR for breaking API/CLI changes, MINOR for features, PATCH for fixes.
  • Release tags are signed (git tag -s) with the StellaOps GPG key (0x90C4…).

##2CI/CD Overview (GitLabCI + GitLab Runner)

graph LR
  A[push / MR] --> Lint
  Lint --> Unit
  Unit --> Build
  Build --> Test-Container
  Test-Container --> SBOM
  SBOM --> Sign
  Sign --> Publish
  Publish --> E2E
  Publish --> Notify

###Pipeline Stages

Stage Key tasks
Lint ESLint, golangcilint, hadolint, markdownlint.
Unit dotnet test, go test, Jest UI tests.
Quota unittests 🏷 Validate QuotaService logic: reset at UTC, 5s vs 60s waits, header correctness.
Build Multiarch container build (linux/amd64, linux/arm64) using BuildKit + --provenance 📌.
TestContainer Spin up compose file, run smoke APIs.
SBOM 📌 Invoke StellaOps.SBOMBuilder to generate SPDX JSON + attach .sbom label to image.
Sign Sign image with Cosign (cosign sign --key cosign.key).
Publish Push to registry.git.stella-ops.org.
E2E Kindbased Kubernetes test incl. Zastava DaemonSet; verify sub5s scan SLA.
Notify Report to Mattermost & GitLab Slack app.
OfflineToken Call JwtIssuer.Generate(exp=30d) → store client.jwt artefact → attach to OUK build context

All stages run in parallel where possible; max walltime <15min.

Implementation note. .gitea/workflows/release.yml executes ops/devops/release/build_release.py to build multi-arch images, attach CycloneDX SBOMs and SLSA provenance with Cosign, and emit out/release/release.yaml for downstream packaging (Helm, Compose, Offline Kit). The build-test-deploy workflow also runs python ops/devops/release/test_verify_release.py so release verifier regressions fail fast during every CI pass.

##3Container Image Strategy

Image Registry Tag Contents
backend stella/backend:{ver} ASP.NET API, plugin loader.
ui stella/ui:{ver} Prebuilt Angular SPA.
runner-trivy stella/runner-trivy:{ver} Trivy CLI + SPDX/CycloneDX 🛠.
runner-grype stella/runner-grype:{ver} Optional plugin scanner.
🏷️StellaOps.Registry 📌 stella/registry:{ver} Scratch image embedding Docker Registryv2 + Cosign policy controller.
🏷️StellaOps.MutePolicies 📌 stella/policies:{ver} Sidecar serving policy bundles.
🏷️StellaOps.Attestor 📌 stella/attestor:{ver} SLSA provenance & Rekor signer (future).

Images are --label org.opencontainers.image.source=git.stella-ops.ru and include SBOMs generated at build time.

##4📌Offline Update Kit (OUK) Build & Distribution

Purpose deliver updated CVE feeds & Trivy DB to airgapped clusters.

###4.1CLI Tool

Go binary ouk lives in tools/ouk/.

ouk fetch \
  --nvd --osv \
  --trivy-db --date $(date -I) \
  --output ouk-$(date +%Y%m%d).tar.gz \
  --sign cosign.key

###4.2PipelineHook

  • Runs on first Friday each month (cron).
  • Generates tarball, signs it, uploads to GitLab Release asset.
  • SHA256 + signature published alongside.
  • Release job must emit out/release/debug/ with debug-manifest.json and .sha256 so ops/offline-kit/mirror_debug_store.py can mirror symbols into the Offline Kit (see DEVOPS-REL-17-004).

###4.3ActivationFlow (runtime)

  1. Admin uploads .tar.gz via UI → Settings → Offline Updates (OUK).
  2. Backend verifies Cosign signature & digest.
  3. Files extracted into var/lib/stella/db.
  4. Redis caches invalidated; Dashboard “Feed Age” ticks green.
  5. Audit event ouk_update stored.

4.4 Token Detail

client.jwt placed under /root/ inside the tarball. CI job fails if token expiry <29days (guard against stale caches).

##5Artifact Signing & Transparency

Artefact Signer Tool/Notes
Git tags GPG (0x90C4…) git tag -s
Containers Cosign key pair cosign sign
Helm Charts prov file helm package --sign
OUK tarballs Cosign cosign sign-blob
Debug store debug/debug-manifest.json hashed

Rekor integration is TODO once the internal Rekor mirror is online (StellaOpsAttestor) a postpublish job will submit transparency log entries.

##6Release Checklist

  1. CI pipeline green.
  2. Bump VERSION file.
  3. Tag git tag -s X.Y.Z -m "Release X.Y.Z" & push.
  4. GitLab CI autopublishes images & charts.
  5. Draft GitLab Release Notes using tools/release-notes-gen.
  6. Verify SBOM attachment with stella sbom verify stella/backend:X.Y.Z.
  7. Run the release verifier locally if CI isnt available (mirrors the workflow step):
    python ops/devops/release/test_verify_release.py
  8. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest: 
    ./ops/offline-kit/mirror_debug_store.py \
  --release-dir out/release \
  --offline-kit-dir out/offline-kit
jq '.artifacts | length' out/offline-kit/debug/debug-manifest.json
readelf -n /app/... | grep -i 'Build ID'
    Validate that the hash from readelf matches the .build-id/<aa>/<rest>.debug path created by the script.
  9. Smoke-test OUK tarball in offline lab.
  10. Announce in #stella-release Mattermost channel.

##7Hotfix Procedure

  • Branch from latest tag → hotfix/X.Y.Z+1-hf1.
  • Apply minimal patch, add regression test.
  • CI pipeline (with reduced stages) must pass.
  • Tag X.Y.Z+1.
  • Publish only container + Helm chart; OUK not rebuilt.
  • Cherrypick back to main.

##8Deprecation & EndofLife Policy

Feature Deprecation notice Removal earliest
Legacy CSV policy import 20251001 20260401
Docker v1 Registry auth 20251201 20260601
Inimage Trivy DB 20251215 20260315

At least 6 months notice; removal requires major version bump.

##9📌NonCommercial Usage Rules (English canonical)

  1. Free for internal security assessments (company or personal).
  2. SaaS resale / rehosting prohibited without prior written consent (AGPL §13).
  3. If you distribute a fork with UI or backend modifications you must:
    • Publish the complete modified source code.
    • Retain the original StellaOps attribution in UI footer and CLI --version.
  4. All thirdparty dependencies remain under their respective licences (MIT, Apache2.0, ISC, BSD).
  5. Deployments in stateregulated or classified environments must obeyapplicable local regulations governing cryptography and software distribution.

##10Best Practices Snapshot 📌

  • SBOMperimage → attach at build time; store as OCI artifact for supplychain introspection.
  • Provenance flag (--provenance=true) in BuildKit fulfils SLSA 2 requirement.
  • Use multiarch, reproducible builds (SOURCE_DATE_EPOCH pins timestamps).
  • All pipelines enforce Signedoffby (DCO); CI fails if trailer missing.
  • cosign policy ensures only images signed by the project key run in production.

##11Contributing to Release Engineering

  • Fork & create MR to infra/release-*.
  • All infra changes require green integration-e2e-offline job.
  • Discuss larger infra migrations in #sig-release Mattermost; decisions recorded in ADR/ folder.

##12Change Log (highlevel)

Version Date Note
v2.1 20250715 Added OUK build/publish pipeline, internal registry image (StellaOps.Registry), noncommercial usage rules extraction, SBOM stage, BuildKit provenance.
v2.0 20250712 Initial opensourcing of Release Engineering guide.
v1.1 20250709 Fixed inner fencing; added retention policy
v1.0 20250709 Initial playbook

(End of Release Engineering Playbook v1.1)