ba4c935182
- Added support for bootstrap providers in AuthorityIdentityProviderRegistry. - Introduced a new property for bootstrap providers and updated AggregateCapabilities. - Updated relevant methods to handle bootstrap capabilities during provider registration. feat: Introduce Sealed Mode Status in OpenIddict Handlers - Added SealedModeStatusProperty to AuthorityOpenIddictConstants. - Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence. - Implemented logic to handle airgap seal confirmation requirements. feat: Update Program Configuration for Sealed Mode - Registered IAuthoritySealedModeEvidenceValidator in Program.cs. - Added logging for bootstrap capabilities in identity provider plugins. - Implemented checks for bootstrap support in API endpoints. chore: Update Tasks and Documentation - Marked AUTH-MTLS-11-002 as DONE in TASKS.md. - Updated documentation to reflect changes in sealed mode and bootstrap capabilities. fix: Improve CLI Command Handlers Output - Enhanced output formatting for command responses and prompts in CommandHandlers.cs. feat: Extend Advisory AI Models - Added Response property to AdvisoryPipelineOutputModel for better output handling. fix: Adjust Concelier Web Service Authentication - Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging. test: Enhance Web Service Endpoints Tests - Added detailed logging for authentication failures in WebServiceEndpointsTests. - Enabled PII logging for better debugging of authentication issues. feat: Introduce Air-Gap Configuration Options - Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions. - Implemented validation logic for air-gap configurations to ensure proper setup.
268 lines
9.9 KiB
YAML
268 lines
9.9 KiB
YAML
global:
|
|
profile: dev
|
|
release:
|
|
version: "2025.10.0-edge"
|
|
channel: edge
|
|
manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
|
|
image:
|
|
pullPolicy: IfNotPresent
|
|
labels:
|
|
stellaops.io/channel: edge
|
|
|
|
telemetry:
|
|
collector:
|
|
enabled: true
|
|
defaultTenant: dev
|
|
tls:
|
|
secretName: stellaops-otel-tls
|
|
|
|
configMaps:
|
|
notify-config:
|
|
data:
|
|
notify.yaml: |
|
|
storage:
|
|
driver: mongo
|
|
connectionString: "mongodb://notify-mongo.dev.svc.cluster.local:27017"
|
|
database: "stellaops_notify_dev"
|
|
commandTimeoutSeconds: 30
|
|
|
|
authority:
|
|
enabled: true
|
|
issuer: "https://authority.dev.stella-ops.local"
|
|
metadataAddress: "https://authority.dev.stella-ops.local/.well-known/openid-configuration"
|
|
requireHttpsMetadata: false
|
|
allowAnonymousFallback: false
|
|
backchannelTimeoutSeconds: 30
|
|
tokenClockSkewSeconds: 60
|
|
audiences:
|
|
- notify.dev
|
|
readScope: notify.read
|
|
adminScope: notify.admin
|
|
|
|
api:
|
|
basePath: "/api/v1/notify"
|
|
internalBasePath: "/internal/notify"
|
|
tenantHeader: "X-StellaOps-Tenant"
|
|
|
|
plugins:
|
|
baseDirectory: "../"
|
|
directory: "plugins/notify"
|
|
searchPatterns:
|
|
- "StellaOps.Notify.Connectors.*.dll"
|
|
orderedPlugins:
|
|
- StellaOps.Notify.Connectors.Slack
|
|
- StellaOps.Notify.Connectors.Teams
|
|
- StellaOps.Notify.Connectors.Email
|
|
- StellaOps.Notify.Connectors.Webhook
|
|
|
|
telemetry:
|
|
enableRequestLogging: true
|
|
minimumLogLevel: Debug
|
|
policy-engine-activation:
|
|
data:
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
|
|
STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
|
|
services:
|
|
authority:
|
|
image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
|
|
service:
|
|
port: 8440
|
|
env:
|
|
STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
|
|
STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
|
|
STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
|
|
signer:
|
|
image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
|
|
service:
|
|
port: 8441
|
|
env:
|
|
SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
|
|
SIGNER__POE__INTROSPECTURL: "https://licensing.svc.local/introspect"
|
|
SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
attestor:
|
|
image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
|
|
service:
|
|
port: 8442
|
|
env:
|
|
ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
|
|
ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
concelier:
|
|
image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
|
|
service:
|
|
port: 8445
|
|
env:
|
|
CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
|
|
CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops"
|
|
CONCELIER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
|
|
CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
|
|
volumeMounts:
|
|
- name: concelier-jobs
|
|
mountPath: /var/lib/concelier/jobs
|
|
volumes:
|
|
- name: concelier-jobs
|
|
emptyDir: {}
|
|
scanner-web:
|
|
image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
|
|
service:
|
|
port: 8444
|
|
env:
|
|
SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
|
|
SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
|
|
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
|
|
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
|
|
SCANNER__EVENTS__ENABLED: "false"
|
|
SCANNER__EVENTS__DRIVER: "redis"
|
|
SCANNER__EVENTS__DSN: ""
|
|
SCANNER__EVENTS__STREAM: "stella.events"
|
|
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
|
|
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
|
|
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
|
|
SCANNER_SURFACE_SECRETS_PROVIDER: "inline"
|
|
SCANNER_SURFACE_SECRETS_ROOT: ""
|
|
scanner-worker:
|
|
image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
|
|
env:
|
|
SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
|
|
SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
|
|
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
|
|
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
|
|
SCANNER__EVENTS__ENABLED: "false"
|
|
SCANNER__EVENTS__DRIVER: "redis"
|
|
SCANNER__EVENTS__DSN: ""
|
|
SCANNER__EVENTS__STREAM: "stella.events"
|
|
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
|
|
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
|
|
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
|
|
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
|
|
SCANNER_SURFACE_SECRETS_PROVIDER: "inline"
|
|
SCANNER_SURFACE_SECRETS_ROOT: ""
|
|
notify-web:
|
|
image: registry.stella-ops.org/stellaops/notify-web:2025.10.0-edge
|
|
service:
|
|
port: 8446
|
|
env:
|
|
DOTNET_ENVIRONMENT: Development
|
|
configMounts:
|
|
- name: notify-config
|
|
mountPath: /app/etc/notify.yaml
|
|
subPath: notify.yaml
|
|
configMap: notify-config
|
|
excititor:
|
|
image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
|
|
env:
|
|
EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
|
|
EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
|
|
advisory-ai-web:
|
|
image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.10.0-edge
|
|
service:
|
|
port: 8448
|
|
env:
|
|
ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://stellaops-scanner-web:8444
|
|
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
|
|
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
|
|
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
|
|
ADVISORYAI__AdvisoryAI__Inference__Mode: Local
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
|
|
volumeMounts:
|
|
- name: advisory-ai-data
|
|
mountPath: /var/lib/advisory-ai
|
|
volumeClaims:
|
|
- name: advisory-ai-data
|
|
claimName: stellaops-advisory-ai-data
|
|
advisory-ai-worker:
|
|
image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.10.0-edge
|
|
env:
|
|
ADVISORYAI__AdvisoryAI__SbomBaseAddress: http://stellaops-scanner-web:8444
|
|
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: /var/lib/advisory-ai/queue
|
|
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: /var/lib/advisory-ai/plans
|
|
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: /var/lib/advisory-ai/outputs
|
|
ADVISORYAI__AdvisoryAI__Inference__Mode: Local
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: ""
|
|
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: ""
|
|
volumeMounts:
|
|
- name: advisory-ai-data
|
|
mountPath: /var/lib/advisory-ai
|
|
volumeClaims:
|
|
- name: advisory-ai-data
|
|
claimName: stellaops-advisory-ai-data
|
|
web-ui:
|
|
image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
|
|
service:
|
|
port: 8443
|
|
env:
|
|
STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
|
|
mongo:
|
|
class: infrastructure
|
|
image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
|
|
service:
|
|
port: 27017
|
|
command:
|
|
- mongod
|
|
- --bind_ip_all
|
|
env:
|
|
MONGO_INITDB_ROOT_USERNAME: stellaops
|
|
MONGO_INITDB_ROOT_PASSWORD: stellaops
|
|
volumeMounts:
|
|
- name: mongo-data
|
|
mountPath: /data/db
|
|
volumes:
|
|
- name: mongo-data
|
|
emptyDir: {}
|
|
minio:
|
|
class: infrastructure
|
|
image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
|
|
service:
|
|
port: 9000
|
|
command:
|
|
- server
|
|
- /data
|
|
- --console-address
|
|
- :9001
|
|
env:
|
|
MINIO_ROOT_USER: stellaops
|
|
MINIO_ROOT_PASSWORD: dev-minio-secret
|
|
volumeMounts:
|
|
- name: minio-data
|
|
mountPath: /data
|
|
volumes:
|
|
- name: minio-data
|
|
emptyDir: {}
|
|
rustfs:
|
|
class: infrastructure
|
|
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
|
|
service:
|
|
port: 8080
|
|
env:
|
|
RUSTFS__LOG__LEVEL: info
|
|
RUSTFS__STORAGE__PATH: /data
|
|
volumeMounts:
|
|
- name: rustfs-data
|
|
mountPath: /data
|
|
volumes:
|
|
- name: rustfs-data
|
|
emptyDir: {}
|
|
nats:
|
|
class: infrastructure
|
|
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
|
|
service:
|
|
port: 4222
|
|
command:
|
|
- -js
|
|
- -sd
|
|
- /data
|
|
volumeMounts:
|
|
- name: nats-data
|
|
mountPath: /data
|
|
volumes:
|
|
- name: nats-data
|
|
emptyDir: {}
|