- Added support for bootstrap providers in AuthorityIdentityProviderRegistry. - Introduced a new property for bootstrap providers and updated AggregateCapabilities. - Updated relevant methods to handle bootstrap capabilities during provider registration. feat: Introduce Sealed Mode Status in OpenIddict Handlers - Added SealedModeStatusProperty to AuthorityOpenIddictConstants. - Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence. - Implemented logic to handle airgap seal confirmation requirements. feat: Update Program Configuration for Sealed Mode - Registered IAuthoritySealedModeEvidenceValidator in Program.cs. - Added logging for bootstrap capabilities in identity provider plugins. - Implemented checks for bootstrap support in API endpoints. chore: Update Tasks and Documentation - Marked AUTH-MTLS-11-002 as DONE in TASKS.md. - Updated documentation to reflect changes in sealed mode and bootstrap capabilities. fix: Improve CLI Command Handlers Output - Enhanced output formatting for command responses and prompts in CommandHandlers.cs. feat: Extend Advisory AI Models - Added Response property to AdvisoryPipelineOutputModel for better output handling. fix: Adjust Concelier Web Service Authentication - Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging. test: Enhance Web Service Endpoints Tests - Added detailed logging for authentication failures in WebServiceEndpointsTests. - Enabled PII logging for better debugging of authentication issues. feat: Introduce Air-Gap Configuration Options - Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions. - Implemented validation logic for air-gap configurations to ensure proper setup.
# Release metadata stamped onto every service through the `*release-labels`
# alias. Kept as quoted strings so a YAML 1.1 loader never re-types the
# version value.
x-release-labels: &release-labels
  com.stellaops.profile: 'airgap'
  com.stellaops.release.channel: 'airgap'
  com.stellaops.release.version: '2025.09.2-airgap'

# One private bridge network shared by every service. Nothing on it is
# reachable from the host except the explicit `ports:` entries below.
networks:
  stellaops:
    driver: bridge

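# Named volumes. Every volume a service mounts by name must be declared here;
# Compose otherwise rejects the whole project as invalid.
volumes:
  mongo-data:
  minio-data:
  rustfs-data:
  concelier-jobs:
  nats-data:
  # Mounted by advisory-ai-web and advisory-ai-worker but previously missing
  # from this list, which fails validation with "refers to undefined volume".
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
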
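services:
  # NOTE(review): every service below that talks to Mongo does so with the
  # MONGO_INITDB_ROOT_* account, so a compromise of any one container yields
  # admin on the whole database. Prefer one least-privilege user per service
  # (issuer-directory already takes its own connection string).
  # NOTE(review): every `ports:` entry binds all host interfaces unless an
  # address is prefixed ("127.0.0.1:${PORT}:..."); acceptable on an isolated
  # air-gap host, but confirm it against the enclave network policy.
  # NOTE(review): list-form `depends_on` only orders container start; it does
  # not wait for mongo/nats to accept connections. Add healthchecks and
  # `condition: service_healthy` if the services do not retry on their own.
  mongo:
    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
    # --bind_ip_all lets the other containers on the bridge network reach
    # mongod; the port is deliberately not published to the host.
    command: ["mongod", "--bind_ip_all"]
    restart: unless-stopped
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
    volumes:
      - mongo-data:/data/db
    networks:
      - stellaops
    labels: *release-labels

  minio:
    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
    command: ["server", "/data", "--console-address", ":9001"]
    restart: unless-stopped
    environment:
      # NOTE(review): these root credentials are also handed to concelier as
      # its S3 access key (CONCELIER__STORAGE__S3__*). A scoped MinIO service
      # account would limit the blast radius of a leaked concelier config.
      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
    volumes:
      - minio-data:/data
    ports:
      # Only the admin console is published; the S3 API (9000) stays internal.
      - "${MINIO_CONSOLE_PORT:-29001}:9001"
    networks:
      - stellaops
    labels: *release-labels

  rustfs:
    # TODO(review): pin by digest like the other images. A mutable tag can be
    # re-pointed after the bundle is built, which defeats the reproducibility
    # an air-gap release is supposed to guarantee.
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      # NOTE(review): the artifact store is plain HTTP and published to the
      # host, and no authentication setting is visible in this file. Verify
      # rustfs enforces auth on its API before exposing it beyond the network.
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels

  nats:
    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
    # JetStream enabled, with its store directory on the nats-data volume.
    command:
      - "-js"
      - "-sd"
      - /data
    restart: unless-stopped
    ports:
      # NOTE(review): no NATS authentication or TLS is configured here, yet the
      # client port is published to the host. Anything that can reach it can
      # enqueue scan/scheduler work. Restrict the binding or add auth.
      - "${NATS_CLIENT_PORT:-24222}:4222"
    volumes:
      - nats-data:/data
    networks:
      - stellaops
    labels: *release-labels

  authority:
    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
    restart: unless-stopped
    depends_on:
      - mongo
    environment:
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
      # Read-only mounts: the container must not be able to rewrite its own
      # issuer or plugin configuration.
      - ../../etc/authority.yaml:/etc/authority.yaml:ro
      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
    labels: *release-labels

  signer:
    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
    restart: unless-stopped
    depends_on:
      - authority
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      # Unset by default. NOTE(review): in the air-gap profile this must
      # resolve inside the enclave — an external URL here is a dormant egress
      # path. Confirm the signer refuses to start with an empty value rather
      # than falling back to something else.
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
    labels: *release-labels

  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
    labels: *release-labels

  issuer-directory:
    # TODO(review): mutable tag — pin by digest for the release bundle.
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    restart: unless-stopped
    depends_on:
      - mongo
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/etc/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
      # Supplied separately instead of being built from MONGO_INITDB_ROOT_*,
      # so it can carry a scoped database user — the pattern the other
      # services should follow.
      ISSUERDIRECTORY__MONGO__CONNECTIONSTRING: "${ISSUER_DIRECTORY_MONGO_CONNECTION_STRING}"
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory.yaml:/etc/issuer-directory.yaml:ro
    ports:
      - "${ISSUER_DIRECTORY_PORT:-8447}:8080"
    networks:
      - stellaops
    labels: *release-labels

  concelier:
    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
    restart: unless-stopped
    depends_on:
      - mongo
      - minio
    environment:
      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
      # Plain HTTP inside the bridge network; the MinIO root account doubles
      # as the S3 credential (see the note on the minio service).
      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      # NOTE(review): presumably lets concelier keep using cached Authority
      # material for the tolerance window while Authority is unreachable —
      # confirm against the resilience handler. Widening the tolerance also
      # widens how long a revoked credential keeps working; keep it short.
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
    ports:
      - "${CONCELIER_PORT:-8445}:8445"
    networks:
      - stellaops
    labels: *release-labels

  scanner-web:
    # NOTE(review): web-ui reaches this service at https://scanner-web:8444,
    # while scheduler-worker and advisory-ai default to http:// on the same
    # port. One of the two schemes is wrong; align them so a TLS-only listener
    # does not break the scheduler, or a plaintext one the UI.
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
    restart: unless-stopped
    depends_on:
      - concelier
      - rustfs
      - nats
    environment:
      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      # No default: confirm the scanner fails fast on an empty broker string
      # instead of silently running without a queue.
      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
      # Events are off by default. The default driver is redis, but this
      # profile ships no redis service — set SCANNER_EVENTS_DSN to a reachable
      # broker (or change the driver) before enabling.
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
      - stellaops
    labels: *release-labels

  scanner-worker:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
    restart: unless-stopped
    depends_on:
      - scanner-web
      - rustfs
      - nats
    environment:
      # Storage/queue settings mirror scanner-web; keep the two in sync.
      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
    networks:
      - stellaops
    labels: *release-labels

  scheduler-worker:
    # TODO(review): mutable tag — pin by digest for the release bundle.
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    restart: unless-stopped
    depends_on:
      - mongo
      - nats
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Nats}"
      SCHEDULER__QUEUE__NATS__URL: "${SCHEDULER_QUEUE_NATS_URL:-nats://nats:4222}"
      SCHEDULER__STORAGE__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
      SCHEDULER__STORAGE__DATABASE: "${SCHEDULER_STORAGE_DATABASE:-stellaops_scheduler}"
      # See the scheme note on scanner-web: web-ui uses https:// for this
      # same endpoint.
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
    labels: *release-labels

  notify-web:
    # The image reference is env-overridable. TODO(review): the default is a
    # mutable tag and, unlike the release labels, lacks the -airgap suffix —
    # confirm it is the intended build and pin it by digest.
    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}
    restart: unless-stopped
    depends_on:
      - mongo
      - authority
    environment:
      DOTNET_ENVIRONMENT: Production
    volumes:
      - ../../etc/notify.airgap.yaml:/app/etc/notify.yaml:ro
    ports:
      - "${NOTIFY_WEB_PORT:-9446}:8446"
    networks:
      - stellaops
    labels: *release-labels

  excititor:
    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
    restart: unless-stopped
    depends_on:
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
    networks:
      - stellaops
    labels: *release-labels

  advisory-ai-web:
    # TODO(review): mutable tag — pin by digest for the release bundle.
    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.09.2-airgap
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      # See the scheme note on scanner-web.
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      # NOTE(review): remote inference is an egress path. In this air-gap
      # profile Mode should stay Local and these two should stay empty;
      # ideally a non-empty remote address is rejected by the air-gap
      # validation rather than left to operator discipline — confirm.
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      # Secret passed through the environment — keep it out of committed .env.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    ports:
      - "${ADVISORY_AI_WEB_PORT:-8448}:8448"
    volumes:
      # Shared with advisory-ai-worker; must be declared under top-level volumes.
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
    labels: *release-labels

  advisory-ai-worker:
    # TODO(review): mutable tag — pin by digest for the release bundle.
    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.09.2-airgap
    restart: unless-stopped
    depends_on:
      - advisory-ai-web
    environment:
      # Settings mirror advisory-ai-web, including the remote-inference
      # caveat; keep the two in sync.
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    volumes:
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
    labels: *release-labels

  web-ui:
    image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      # https:// here vs http:// in scheduler-worker/advisory-ai — see the
      # scheme note on scanner-web.
      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
    ports:
      - "${UI_PORT:-9443}:8443"
    networks:
      - stellaops
    labels: *release-labels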