stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
cfaea5efd942e5461dac7f070b0e8692dbbd729b
git.stella-ops.org/docs/40_ARCHITECTURE_OVERVIEW.md
master 0137856fdb Rename Feedser to Concelier
2025-10-18 20:46:16 +03:00

134 lines
5.1 KiB
Markdown
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# StellaOps — HighLevel Architecture
<!--
Use constants injected at build:
{{ dotnet }} = "10 LTS"
{{ angular }} = "20"
-->
This document offers a birdseye view of how the major components interact,
why the system leans *monolithplusplugins*, and where extension points live.
> For a *timeline* of when features arrive, see the public
> [roadmap](/roadmap/) — no version details are repeated here.
---
## 0·Guiding principles
| Principle | Rationale |
|-----------|-----------|
| **SBOMfirst** | Scan existing CycloneDX/SPDX if present; fall back to layer unpack. |
| **Δprocessing** | Reanalyse only changed layers; reduces P95 warm path to\<5s. |
| **Allmanaged code** | Entire stack is 100% managed (.NET / TypeScript); no `unsafe` blocks or native extensions — eases review and reproducible builds. |
| **Restarttime plugins** | Avoids the attack surface of runtime DLL injection; still allows custom scanners & exporters. |
| **Sovereignbydesign** | No mandatory outbound traffic; Offline Kit distributes feeds. |
---
## 1·Module graph
```mermaid
graph TD
A(API Gateway)
B1(Scanner Core<br/>.NET latest LTS)
B2(Concelier service\n(vuln ingest/merge/export))
B3(Policy Engine OPA)
C1(Redis 7)
C2(MongoDB 7)
D(UI SPA<br/>Angular latest version)
A -->|gRPC| B1
B1 -->|async| B2
B1 -->|OPA| B3
B1 --> C1
B1 --> C2
A -->|REST/WS| D
````
---
## 2·Key components
| Component | Language / tech | Responsibility |
| ---------------------------- | --------------------- | ---------------------------------------------------- |
| **API Gateway** | ASP.NET Minimal API | Auth (JWT), quotas, request routing |
| **Scanner Core** | C# 12, Polly | Layer diffing, SBOM generation, vuln correlation |
| **Concelier (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical MongoDB store and drive JSON / Trivy DB exports |
| **Policy Engine** | OPA (Rego) | admission decisions, custom org rules |
| **Redis 7** | KeyDB compatible | LRU cache, quota counters |
| **MongoDB 7** | WiredTiger | SBOM & findings storage |
| **Angular {{ angular }} UI** | RxJS, Tailwind | Dashboard, reports, admin UX |
---
## 3·Plugin system
* Discovered once at startup from `/opt/stella/plugins/**`.
* Runs under Linux user `stellaplugin` (UID1001).
* Extension points:
* `ISbomMutator`
* `IVulnerabilityProvider`
* `IResultSink`
* Policy files (`*.rego`)
* Each DLL is SHA256 hashed; digest embedded in the run report for provenance.
Hotplugging is deferred until after v1.0 for security review.
---
## 4·Data & control flow
1. **Client** calls `/api/scan` with image reference.
2. **Gateway** enforces quota, forwards to **Scanner Core** via gRPC.
3. **Core**:
* Queries Redis for cached SBOM.
* If miss → pulls layers, generates SBOM.
* Executes plugins (mutators, additional scanners).
4. **Policy Engine** evaluates `scanResult` document.
5. **Findings** stored in MongoDB; WebSocket event notifies UI.
6. **ResultSink plugins** export to Slack, Splunk, JSON file, etc.
---
## 5·Security hardening
| Surface | Mitigation |
| ----------------- | ------------------------------------------------------------ |
| Container runtime | Distroless base, nonroot UID, seccomp + AppArmor |
| Plugin sandbox | Separate UID, SELinux profile, cgroup 1 CPU /256MiB |
| Supply chain | Cosign signatures, intoto SLSA Level3 (target) |
| Secrets | `Docker secrets` or K8s `Secret` mounts; never hardcoded |
| Quota abuse | Redis ratelimit gates (see `30_QUOTA_ENFORCEMENT_FLOW1.md`) |
---
## 6·Build & release pipeline (TL;DR)
* **Git commits** trigger CI → unit / integration / E2E tests.
* Successful merge to `main`:
* Build `.NET {{ dotnet }}` trimmed selfcontained binary.
* `docker build --sbom=spdx-json`.
* Sign image and tarball with Cosign.
* Attach SBOM + provenance; push to registry and download portal.
---
## 7·Future extraction path
Although the default deployment is a single container, each subservice can be
extracted:
* Concelier → standalone cron pod.
* Policy Engine → sidecar (OPA) with gRPC contract.
* ResultSink → queue worker (RabbitMQ or Azure Service Bus).
Interfaces are stable **as of v0.2 β**; extraction requires a recompilation
only, not a fork of the core.
---
*Last updated {{ "now" | date: "%Y%m%d" }} constants autoinjected.*
Reference in New Issue View Git Blame Copy Permalink