stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
98e6b7658467263a0ca078806871631b5e9ecc83
git.stella-ops.org/ops/devops/graph-indexer/release-plan.md
StellaOps Bot 44171930ff
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
feat: Add UI benchmark driver and scenarios for graph interactions 
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
2025-12-02 01:28:17 +02:00

43 lines
1.9 KiB
Markdown
Raw Blame History

# Graph Indexer Release/Offline Bundle Plan (DEVOPS-GRAPH-INDEX-28-010-REL)
## Goals
- Publish signed Helm/Compose bundles for Graph Indexer with offline parity.
- Provide SBOM + attestations for images/charts and reproducible artefacts for air-gap kits.
## Artefacts
- Helm chart + values overrides (offline/airgap).
- Docker/OCI images (indexer, api) pinned by digest.
- SBOMs (SPDX JSON) for images and chart.
- Cosign attestations for images and chart tarball.
- Offline bundle: tarball containing images (oras layout), charts, values, SBOMs, attestations, and `SHA256SUMS`.
## Pipeline outline
1) **Build** images (indexer + api) with SBOM generation (`syft`), tag and record digests.
2) **Sign** images with cosign key (KMS for online; file key for offline bundle) and produce attestations.
3) **Chart package**: render chart, package to `.tgz`, generate SBOM for chart, sign with cosign.
4) **Compose export**: render Compose file with pinned digests and non-root users.
5) **Bundle**: assemble offline tarball:
- `images/` oras layout with signed images
- `charts/graph-indexer.tgz` + signature
- `compose/graph-indexer.yml` (pinned digests)
- `sboms/` for images + chart
- `attestations/` (cosign bundles)
- `SHA256SUMS` and `SHA256SUMS.sig`
6) **Verify step**: pipeline stage runs `cosign verify`, `sha256sum --check`, and `helm template` smoke render with airgap values.
7) **Publish**: upload to artefact store + offline kit; write manifest with hashes/versions.
## Security/hardening
- Non-root images, read-only rootfs, drop NET_RAW, seccomp default.
- Telemetry disabled; no registry pulls at runtime.
- mTLS between indexer and dependencies (documented values).
## Evidence to capture
- Image digests, SBOM hashes, cosign verification logs.
- Bundle `SHA256SUMS` and signed manifest.
- Helm/Compose render outputs (short).
## Owners
- DevOps Guild (build/pipeline)
- Graph Indexer Guild (chart/values)
- Platform Security (signing policy)
Reference in New Issue View Git Blame Copy Permalink