git.stella-ops.org/docs/21_INSTALL_GUIDE.md
master b97fc7685a
Initial commit (history squashed)
2025-10-11 23:28:35 +03:00


StellaOps — Installation Guide (Docker & Air-Gap)

Status — public α not yet published.
The commands below will work as soon as the first image is tagged
registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha
(target date: late 2025). Track progress on the roadmap.


0 · Prerequisites

| Item | Minimum | Notes |
|---|---|---|
| Linux | Ubuntu 22.04 LTS / Alma 9 | x86-64 or arm64 |
| CPU / RAM | 2 vCPU / 2 GiB | Laptop baseline |
| Disk | 10 GiB SSD | SBOM + vuln DB cache |
| Docker | Engine 25 + Compose v2 | check with docker -v |
| TLS | OpenSSL 1.1 | Self-signed cert generated at first run |

1 · Connected-host install (Docker Compose)

# 1. Make a working directory
mkdir stella && cd stella

# 2. Download the signed Compose bundle + example .env
curl -LO https://get.stella-ops.org/releases/latest/.env.example
curl -LO https://get.stella-ops.org/releases/latest/.env.example.sig
curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml.sig

# 3. Verify provenance (Cosign public key is stable)
cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature .env.example.sig \
  .env.example

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.infrastructure.yml.sig \
  docker-compose.infrastructure.yml

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.stella-ops.yml.sig \
  docker-compose.stella-ops.yml

# 4. Copy .env.example → .env and edit secrets
cp .env.example .env
$EDITOR .env

# 5. Launch databases (MongoDB + Redis)
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d

# 6. Launch Stella Ops (first run pulls ~50MB merged vuln DB)
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d

Default login: admin / changeme. Change it at first login. The UI is at https://<host>:8443 and presents the self-signed certificate generated at first run, so expect a browser warning.

Pinning best practice: in production, replace stella-ops:latest with the immutable digest printed by docker images --digests, written as registry.stella-ops.org/stella-ops/stella-ops@sha256:<digest>, so that a later re-tag of latest cannot change what you run.

Key pinning: step 3 fetches cosign.pub from stella-ops.org on every verification, which anchors trust in that TLS connection. Store a local copy of the key alongside your deployment and pass its path to --key on subsequent runs, so the trust anchor does not move with the web server.
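Rewriting every image: line by hand across several Compose files is error-prone. The following is an added example, not StellaOps project code: it takes the table printed by `docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'`, rewrites each tagged image: line in a Compose file to its @sha256 form, and refuses to leave an image mutable when its digest is unknown. It also lists whatever still resolves through a tag, which is a useful check before `docker compose up`. It assumes plain `image: <repo>[:<tag>]` lines; the image names and digests in the sample are constructed placeholders.

```python
"""Pin Compose image references to immutable digests.

Added example for this guide, not StellaOps project code. Assumes the Compose
file names images on plain `image: <repo>[:<tag>]` lines and that the digest
table is the output of
    docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'
Image names and digests in the sample data are constructed placeholders.
"""
import re

# Matches an image: line, tolerating optional quotes around the reference.
IMAGE_LINE = re.compile(r'^(?P<indent>\s*image:\s*)["\']?(?P<ref>[^"\'\s]+)["\']?\s*$')


def split_ref(ref: str):
    """Return (repository, tag); an untagged reference means 'latest'.
    A ':' belonging to a registry port (localhost:5000/img) is not a tag."""
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, "latest"
    return repo, tag


def parse_digest_table(table: str) -> dict:
    """Map 'repo:tag' -> 'sha256:...' from the formatted docker images output.
    Locally built images print '<none>' and cannot be pinned to a registry digest."""
    digests = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] == "<none>":
            continue
        repo, tag, digest = parts
        digests[f"{repo}:{tag}"] = digest
    return digests


def mutable_refs(compose_text: str) -> list:
    """Image references that still resolve through a mutable tag (no @sha256)."""
    refs = []
    for line in compose_text.splitlines():
        m = IMAGE_LINE.match(line)
        if m and "@sha256:" not in m.group("ref"):
            refs.append(m.group("ref"))
    return refs


def pin_images(compose_text: str, digests: dict) -> str:
    """Rewrite every tagged image: line to repo@sha256:...; fail closed on an
    image whose digest is unknown instead of leaving it mutable."""
    out = []
    for line in compose_text.splitlines():
        m = IMAGE_LINE.match(line)
        if not m or "@sha256:" in m.group("ref"):
            out.append(line)
            continue
        repo, tag = split_ref(m.group("ref"))
        key = f"{repo}:{tag}"
        if key not in digests:
            raise ValueError(f"no digest known for {key}; pull it and rerun docker images --digests")
        out.append(f"{m.group('indent')}{repo}@{digests[key]}")
    return "\n".join(out) + "\n"


# Constructed sample input; the digests are placeholders, not real artifacts.
SAMPLE_COMPOSE = """\
services:
  stella-ops:
    image: registry.stella-ops.org/stella-ops/stella-ops:latest
    ports:
      - "8443:8443"
  redis:
    image: "redis:7"
"""
SAMPLE_DIGESTS = (
    "registry.stella-ops.org/stella-ops/stella-ops latest sha256:" + "a" * 64 + "\n"
    "redis 7 sha256:" + "b" * 64 + "\n"
    "feedser-dev latest <none>\n"   # locally built, nothing to pin
)

if __name__ == "__main__":
    print(pin_images(SAMPLE_COMPOSE, parse_digest_table(SAMPLE_DIGESTS)))
```

Run `mutable_refs()` over the rewritten file as a gate in your deploy script: a non-empty list means something still floats on a tag.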

1.1 · Feedser authority configuration

The Feedser container reads configuration from etc/feedser.yaml plus FEEDSER_ environment variables. To enable the new Authority integration:

  1. Add the following keys to .env (replace values for your environment):

    FEEDSER_AUTHORITY__ENABLED=true
    FEEDSER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true   # temporary rollout only
    FEEDSER_AUTHORITY__ISSUER="https://authority.internal"
    FEEDSER_AUTHORITY__AUDIENCES__0="api://feedser"
    FEEDSER_AUTHORITY__REQUIREDSCOPES__0="feedser.jobs.trigger"
    FEEDSER_AUTHORITY__CLIENTID="feedser-jobs"
    FEEDSER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/feedser_authority_client"
    FEEDSER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32"
    FEEDSER_AUTHORITY__BYPASSNETWORKS__1="::1/128"
    

    Store the client secret outside source control (Docker secrets, mounted file, or Kubernetes Secret). Feedser loads the secret during post-configuration, so the value never needs to appear in the YAML template.

  2. Redeploy Feedser:

    docker compose --env-file .env -f docker-compose.stella-ops.yml up -d feedser
    
  3. Tail the logs: docker compose --env-file .env -f docker-compose.stella-ops.yml logs -f feedser (the -f file is needed because the bundle does not use Compose's default file names). Successful /jobs* calls now emit Feedser.Authorization.Audit entries listing subject, client ID, scopes, remote IP, and whether the bypass CIDR allowed the call. 401 denials always log bypassAllowed=false, so unauthenticated cron jobs are easy to catch.

Enforcement deadline: keep FEEDSER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true only while validating the rollout. Set it to false (and restart Feedser) before 2025-12-31 UTC to require tokens in production. Keep the bypass list to loopback: every host inside a BYPASSNETWORKS CIDR reaches /jobs* without a token.
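The settings above are easy to get subtly wrong (an http issuer, a secret pasted inline, a bypass CIDR widened to a whole subnet, the fallback left on past the deadline), and docker compose will accept all of them. As an added example, not part of StellaOps, the script below parses the FEEDSER_AUTHORITY__* keys out of a .env body and reports what should block a redeploy. It assumes KEY=VALUE lines with optional quotes and `#` comments, and that `__` nests keys with a trailing index building a list, the way .NET configuration binds environment variables (FEEDSER_AUTHORITY__AUDIENCES__0). The deadline and the loopback-only intent of BYPASSNETWORKS come from this guide; the other rules are the script's opinion, and the two .env bodies (including the hypothetical CLIENTSECRET key) are constructed.

```python
"""Lint the FEEDSER_AUTHORITY__* keys in .env before redeploying Feedser.

Added example for this guide, not StellaOps code. Assumes KEY=VALUE lines with
optional quotes and '#' comments, and that '__' nests keys / a trailing index
builds a list as .NET configuration binding does (...AUDIENCES__0). The deadline
and the loopback-only reading of BYPASSNETWORKS come from the guide; the other
rules are this script's opinion. Both .env bodies below are constructed.
"""
import ipaddress
from datetime import date

PREFIX = "FEEDSER_AUTHORITY__"
ENFORCEMENT_DEADLINE = date(2025, 12, 31)   # guide's rollout cut-off

def parse_dotenv(text: str) -> dict:
    """Honours quoted values; strips an unquoted trailing ' # comment'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value[:1] in ('"', "'"):
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key.strip()] = value
    return env

def authority_settings(env: dict) -> dict:
    """{NAME: value} for scalars, {NAME: [values]} for NAME__0, NAME__1, ... keys."""
    settings = {}
    for key, value in env.items():
        if key.startswith(PREFIX):
            name, _, index = key[len(PREFIX):].partition("__")
            if index.isdigit():
                settings.setdefault(name, {})[int(index)] = value
            else:
                settings[name] = value
    return {k: [v[i] for i in sorted(v)] if isinstance(v, dict) else v
            for k, v in settings.items()}

def lint(settings: dict, today: date) -> list:
    """(level, message) findings; any ERROR means do not deploy this .env."""
    f = []
    if settings.get("ENABLED", "").lower() != "true":
        f.append(("ERROR", "ENABLED is not true: Authority integration is off"))
    if settings.get("ALLOWANONYMOUSFALLBACK", "").lower() == "true":
        f.append(("ERROR" if today > ENFORCEMENT_DEADLINE else "WARN",
                  "ALLOWANONYMOUSFALLBACK=true admits tokenless callers; "
                  f"rollout only, must be false by {ENFORCEMENT_DEADLINE}"))
    issuer = settings.get("ISSUER", "")
    if not issuer.startswith("https://"):
        f.append(("ERROR", f"ISSUER must be an https URL, got {issuer!r}"))
    for name in ("AUDIENCES", "REQUIREDSCOPES"):
        if not settings.get(name):
            f.append(("WARN", f"{name} is empty: tokens are not constrained by it"))
    for name in settings:   # any *SECRET key that is not a *FILE reference is inline
        if "SECRET" in name and not name.endswith("FILE"):
            f.append(("ERROR", f"{name} holds a secret inline; use CLIENTSECRETFILE"))
    if "CLIENTSECRETFILE" not in settings:
        f.append(("WARN", "CLIENTSECRETFILE unset: no client credential is loaded"))
    for cidr in settings.get("BYPASSNETWORKS", []):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            f.append(("ERROR", f"BYPASSNETWORKS entry {cidr!r} is not a CIDR"))
            continue
        if not net.is_loopback:   # anything beyond 127/8 or ::1 skips the token check
            f.append(("ERROR" if net.prefixlen == 0 else "WARN",
                      f"bypass {cidr} is wider than loopback; its hosts reach /jobs* untokened"))
    return f

def check_env_text(text: str, today_iso: str) -> list:
    """Lint a .env body as of an ISO date, e.g. check_env_text(ROLLOUT_ENV, '2025-11-01')."""
    return lint(authority_settings(parse_dotenv(text)), date.fromisoformat(today_iso))

# Constructed sample: the guide's rollout settings.
ROLLOUT_ENV = """\
FEEDSER_AUTHORITY__ENABLED=true
FEEDSER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true   # temporary rollout only
FEEDSER_AUTHORITY__ISSUER="https://authority.internal"
FEEDSER_AUTHORITY__AUDIENCES__0="api://feedser"
FEEDSER_AUTHORITY__REQUIREDSCOPES__0="feedser.jobs.trigger"
FEEDSER_AUTHORITY__CLIENTID="feedser-jobs"
FEEDSER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/feedser_authority_client"
FEEDSER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32"
FEEDSER_AUTHORITY__BYPASSNETWORKS__1="::1/128"
"""
# Constructed counter-example; CLIENTSECRET is a hypothetical key used only to
# exercise the inline-secret rule.
SLOPPY_ENV = """\
FEEDSER_AUTHORITY__ENABLED=true
FEEDSER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false
FEEDSER_AUTHORITY__ISSUER=http://authority.internal
FEEDSER_AUTHORITY__AUDIENCES__0=api://feedser
FEEDSER_AUTHORITY__CLIENTID=feedser-jobs
FEEDSER_AUTHORITY__CLIENTSECRET=not-a-real-secret
FEEDSER_AUTHORITY__BYPASSNETWORKS__0=10.0.0.0/8
FEEDSER_AUTHORITY__BYPASSNETWORKS__1=0.0.0.0/0
"""
```

Against the rollout settings the only finding is the WARN on the anonymous fallback, which turns into an ERROR once the date passes the deadline; the counter-example yields three ERRORs (http issuer, inline secret, 0.0.0.0/0 bypass) and three WARNs. Wire `check_env_text(open(".env").read(), date.today().isoformat())` into the redeploy step and stop on any ERROR.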


2 · Optional: request a free quota token

Anonymous installs allow {{ quota_anon }} scans per UTC day. Email token@stella-ops.org to receive a signed JWT that raises the limit to {{ quota_token }} scans/day. Insert it into .env:

STELLA_JWT="pastetokenhere"
docker compose --env-file .env -f docker-compose.stella-ops.yml \
  exec stella-ops stella set-jwt "$STELLA_JWT"

The UI shows a reminder at 200 scans and throttles above the limit but will never block your pipeline.


3 · Air-gapped install (Offline Update Kit)

When running on an isolated network, use the Offline Update Kit (OUK):

# Download & verify on a connected host
curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz
curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz.sig

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-kit-v0.1a.tgz.sig \
  stella-ops-offline-kit-v0.1a.tgz

# Transfer → air gap → import
# docker compose exec resolves the path inside the container: copy the kit in
# with docker cp, or stage it on a mounted volume, before running this.
docker compose --env-file .env -f docker-compose.stella-ops.yml \
  exec stella-ops stella admin import-offline-usage-kit stella-ops-offline-kit-v0.1a.tgz

Import is atomic; no service downtime. The cosign check above runs on the connected host, so record the kit's sha256sum there and compare it on the isolated side before importing: the transfer medium is the one hop that verification has not covered.

For details see the dedicated Offline Kit guide.


4 · Next steps

  • 5min QuickStart: /quickstart/
  • CI recipes: docs/ci/20_CI_RECIPES.md
  • Plugin SDK: /plugins/

Generated {{ "now" | date: "%Y%m%d" }} — build tags inserted at render time.