git.stella-ops.org/docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md
master d519782a8f
prep docs and service updates
2025-11-21 06:56:36 +00:00

Export AirGap Prep — PREP-EXPORT-AIRGAP-56-002

Status: Ready for implementation (2025-11-20)
Owners: Exporter Service Guild · DevOps Guild
Scope: Bootstrap pack (images + charts) packaging for air-gap deploys, dependent on 56-001 evidence/mirror bundle inputs.

Dependencies

  • Sealed bundle schema + advisory contents from 56-001 prep (docs/modules/export-center/prep/2025-11-20-export-airgap-56-001-prep.md).
  • Mirror/DevOps deployment expectations (values-airgap.yaml) to place bootstrap packs.

Packaging contract

  • Produce deterministic OCI archive bootstrap-pack-v1.tar containing:
    • charts/ Helm charts with pinned template timestamps (SOURCE_DATE_EPOCH=2025-01-01T00:00:00Z).
    • images/ directory with referenced container layers/blobs; manifest.json aligning with index.json (OCI image layout).
    • signatures/ optional DSSE/TUF metadata if provided by 56-001.
  • Tarball is gzip-compressed with mtime pinned to 2025-01-01T00:00:00Z, 0644 perms, uid/gid 0.
  • Checksums: bootstrap-pack-v1.tar.sha256 with sha256 bootstrap-pack-v1.tar exactly.
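
The packaging rules above, as an added Python example (not ExportCenter code): it builds a gzip-compressed tar with the pinned mtime, 0644 mode and uid/gid 0, audits an archive for metadata drift, and emits a checksum line. The entries in `SAMPLE` are constructed, and the `sha256sum`-style line format and the conversion of the pinned date to Unix seconds are assumptions.

```python
import gzip, hashlib, io, tarfile
from datetime import datetime, timezone

# Contract timestamp 2025-01-01T00:00:00Z as Unix seconds (assumed conversion).
PINNED_EPOCH = int(datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp())

# Constructed sample inputs; a real pack holds charts/, images/ and signatures/.
SAMPLE = {
    "images/index.json": b'{"schemaVersion": 2, "manifests": []}',
    "images/oci-layout": b'{"imageLayoutVersion": "1.0.0"}',
    "charts/demo/Chart.yaml": b"apiVersion: v2\nname: demo\nversion: 0.1.0\n",
}

def build_pack(files):
    """Return gzip-compressed tar bytes that depend only on `files`."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):  # stable entry order, independent of caller
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = PINNED_EPOCH
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""  # no builder account names in headers
            tar.addfile(info, io.BytesIO(files[name]))
    gz_buf = io.BytesIO()
    # Empty filename and pinned mtime keep the gzip header free of per-run data.
    with gzip.GzipFile(filename="", fileobj=gz_buf, mode="wb", mtime=PINNED_EPOCH) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()

def audit_pack(pack):
    """Return a list of findings where the archive breaks the pinned metadata."""
    problems = []
    gz_mtime = int.from_bytes(pack[4:8], "little")  # MTIME field of gzip header
    if gz_mtime != PINNED_EPOCH:
        problems.append(f"gzip header mtime={gz_mtime}")
    with tarfile.open(fileobj=io.BytesIO(pack), mode="r:gz") as tar:
        for m in tar:
            if (m.mtime, m.mode, m.uid, m.gid) != (PINNED_EPOCH, 0o644, 0, 0):
                problems.append(m.name)
    return problems

def checksum_line(pack, name="bootstrap-pack-v1.tar"):
    """Checksum file content in sha256sum layout (assumed format)."""
    return f"{hashlib.sha256(pack).hexdigest()}  {name}\n"
```

Compressed output also depends on the zlib build and compression level, so byte stability across build hosts requires pinning the toolchain as well as the metadata.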

API/endpoints

  • POST /v1/exports/airgap/bootstrap → stages pack build; returns exportId and profile bootstrap.
  • GET /v1/exports/airgap/bootstrap/{exportId} → status + downloadUri, rootHash, artifactSha256.
  • GET /v1/exports/airgap/bootstrap/{exportId}/download → serves application/gzip tarball; ETag = SHA-256.
  • Auth scopes: export:write for POST; export:read for GET/Download.

Determinism & observability

  • Single build timestamp derived from SOURCE_DATE_EPOCH; no wall-clock elsewhere.
  • Structured logs {exportId, profile:"bootstrap", rootHash, artifactSha256}; metrics export.bootstrap.completed, export.bootstrap.duration_ms.

Acceptance criteria

  • Tarball is byte-stable across reruns for same inputs; checksum file matches.
  • Status/download endpoints documented with headers (ETag, Last-Modified, quota headers).
  • Bootstrap pack content references evidence/mirror bundles from 56-001 (by digest/URL) without re-signing.

Handoff

  • Implement pack build and endpoints in ExportCenter Worker/WebService; use same storage layout as evidence export (exports/{tenant}/{exportId}/bootstrap-pack-v1.tar).
  • Update Sprint 0162 Delivery Tracker entry P3 to DONE when contract is published.