git.stella-ops.org/ops/devops/graph-indexer/release-plan.md
StellaOps Bot 44171930ff
feat: Add UI benchmark driver and scenarios for graph interactions
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
2025-12-02 01:28:17 +02:00


Graph Indexer Release/Offline Bundle Plan (DEVOPS-GRAPH-INDEX-28-010-REL)

Goals

  • Publish signed Helm/Compose bundles for Graph Indexer with offline parity: the air-gap kit carries the same artefacts, at the same digests, as the online release.
  • Provide SBOMs and attestations for images and charts, and reproducible artefacts for air-gap kits.

Artefacts

  • Helm chart + values overrides (offline/airgap).
  • Docker/OCI images (indexer, api) pinned by digest.
  • SBOMs (SPDX JSON) for images and chart.
  • Cosign attestations for images and chart tarball.
  • Offline bundle: tarball containing images (OCI image layout written with oras, signatures included), charts, values, SBOMs, attestations, and SHA256SUMS.

Pipeline outline

  1. Build images (indexer + api) with SBOM generation (syft), tag and record digests.
  2. Sign images by digest (never by tag) with cosign (KMS-backed key online; file key for the offline bundle) and attach the SBOM as an attestation.
  3. Chart package: render chart, package to .tgz, generate SBOM for chart, sign with cosign.
  4. Compose export: render Compose file with pinned digests and non-root users.
  5. Bundle: assemble offline tarball:
    • images/ oras layout with signed images
    • charts/graph-indexer.tgz + signature
    • compose/graph-indexer.yml (pinned digests)
    • sboms/ for images + chart
    • attestations/ (cosign bundles)
    • SHA256SUMS and SHA256SUMS.sig
  6. Verify step: pipeline stage runs cosign verify with the public key only and no registry access (the same path the air-gapped consumer will take), sha256sum --check on SHA256SUMS, and a helm template smoke render with the airgap values.
  7. Publish: upload to artefact store + offline kit; write manifest with hashes/versions.
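The seven steps above as one script, added here as an example and not the project's own pipeline. The registry host, chart path, build contexts, the `cosign.key`/`cosign.pub` file names, the `values-airgap.yaml` file and the `VERSION` variable are assumptions; `cosign save` is used to write the OCI image layout (it carries the `.sig`/`.att` tags along with the image) where the plan says oras. Steps that need docker, syft, cosign or helm live in `main`; the bundle helpers (checksums, pinned-digest check, manifest) use coreutils only and also work on the air-gapped side.

```bash
#!/usr/bin/env bash
# Added example, not the project's pipeline. Registry, paths and key
# locations below are assumptions; override them via the environment.
set -euo pipefail

REGISTRY="${REGISTRY:-registry.example.internal/stellaops}"  # assumed
CHART_DIR="${CHART_DIR:-deploy/helm/graph-indexer}"           # assumed
COSIGN_KEY="${COSIGN_KEY:-cosign.key}"   # file key for the offline bundle; use a KMS URI online
COSIGN_PUB="${COSIGN_PUB:-cosign.pub}"   # verification needs the public key only
B="${BUNDLE_DIR:-dist/graph-indexer-bundle}"

# Steps 1-2: build, SBOM, sign and attest one image. Everything after the build
# uses the digest reference, never the tag. Prints "name@sha256:<hex>".
build_sign_image() {               # build_sign_image <component> <context-dir>
  local tag="$REGISTRY/graph-$1:$VERSION" ref sbom="$B/sboms/graph-$1.spdx.json"
  docker build -t "$tag" "$2" >&2 && docker push "$tag" >&2
  ref="$(docker inspect --format '{{index .RepoDigests 0}}' "$tag")"
  syft "$ref" -o spdx-json > "$sbom"
  cosign sign --key "$COSIGN_KEY" "$ref" >&2
  cosign attest --key "$COSIGN_KEY" --type spdxjson --predicate "$sbom" "$ref" >&2
  # cosign save stores the image plus its .sig/.att tags as an OCI layout, so
  # the air-gapped side can `cosign load` and verify without the registry.
  cosign save --dir "$B/images/graph-$1" "$ref" >&2
  echo "$ref"
}

# Step 3: package the chart, SBOM it, sign the tarball (cosign bundle file).
package_sign_chart() {
  helm package "$CHART_DIR" --version "$VERSION" -d "$B/charts" >&2
  syft "dir:$CHART_DIR" -o spdx-json > "$B/sboms/graph-indexer-chart.spdx.json"
  cosign sign-blob --key "$COSIGN_KEY" \
    --bundle "$B/attestations/graph-indexer-chart.cosign.bundle" \
    "$B/charts/graph-indexer-$VERSION.tgz" >/dev/null
}

# Step 4: Compose file with digest-pinned images and the hardening settings.
render_compose() {                 # render_compose <indexer-ref> <api-ref>
  local svc
  echo "services:"
  for svc in "indexer:$1" "api:$2"; do
    cat <<EOF
  ${svc%%:*}:
    image: ${svc#*:}
    user: "10001:10001"
    read_only: true
    cap_drop: [ALL]            # strict superset of "drop NET_RAW"
    security_opt: ["no-new-privileges:true"]
EOF
  done
}

# Step 5: SHA256SUMS over every file in the bundle except the sums file and its
# signature, in a fixed order so the file itself is reproducible.
write_sums() {                     # write_sums <bundle-dir>
  ( cd "$1" && find . -type f ! -name 'SHA256SUMS*' -print0 | LC_ALL=C sort -z \
      | xargs -0 sha256sum > SHA256SUMS )
}

# Step 6: every listed file must match, and no unlisted file may be present
# (sha256sum --check alone would accept a bundle with extra files smuggled in).
verify_sums() {                    # verify_sums <bundle-dir>
  ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null \
      && [ "$(sed 's/^[0-9a-f]\{64\}  //' SHA256SUMS | LC_ALL=C sort)" \
         = "$(find . -type f ! -name 'SHA256SUMS*' | LC_ALL=C sort)" ] )
}

# Steps 4/6: every Compose image reference must be pinned to a sha256 digest.
check_pinned() {                   # check_pinned <compose.yml>
  ! grep -E '^[[:space:]]*image:' "$1" | grep -Ev '@sha256:[0-9a-f]{64}"?[[:space:]]*$'
}

# Step 7: manifest with versions and hashes (the evidence to capture). No
# timestamp, so two builds of the same inputs produce the same manifest.
write_manifest() {                 # write_manifest <bundle-dir> <version> <indexer-ref> <api-ref>
  printf 'version: %s\nimages:\n  indexer: %s\n  api: %s\nsha256sums_sha256: %s\n' \
    "$2" "$3" "$4" "$(sha256sum "$1/SHA256SUMS" | cut -c1-64)"
}

main() {
  VERSION="${VERSION:?set VERSION, e.g. 1.4.0}"   # assumed versioning scheme
  mkdir -p "$B/images" "$B/charts" "$B/compose" "$B/sboms" "$B/attestations"
  local idx api
  idx="$(build_sign_image indexer ./src/indexer)"  # assumed build contexts
  api="$(build_sign_image api ./src/api)"
  package_sign_chart
  render_compose "$idx" "$api" > "$B/compose/graph-indexer.yml"
  write_sums "$B"
  cosign sign-blob --key "$COSIGN_KEY" --output-signature "$B/SHA256SUMS.sig" "$B/SHA256SUMS" >/dev/null
  # Verify exactly as the air-gapped consumer will: public key, no registry.
  cosign verify-blob --key "$COSIGN_PUB" --signature "$B/SHA256SUMS.sig" "$B/SHA256SUMS"
  verify_sums "$B"
  check_pinned "$B/compose/graph-indexer.yml"
  helm template graph-indexer "$B/charts/graph-indexer-$VERSION.tgz" \
    -f "$CHART_DIR/values-airgap.yaml" >/dev/null      # assumed values file
  write_manifest "$B" "$VERSION" "$idx" "$api" > "$B.manifest.yaml"
  cosign sign-blob --key "$COSIGN_KEY" --output-signature "$B.manifest.yaml.sig" "$B.manifest.yaml" >/dev/null
  tar -C "$(dirname "$B")" -czf "$B.tar.gz" "$(basename "$B")"
}

if [ "${1:-}" = "--release" ]; then main; fi
```

Run as `VERSION=1.4.0 ./release.sh --release` in the pipeline; on the air-gapped side, source the file and run `cosign verify-blob`, `verify_sums` and `check_pinned` against the unpacked tarball before `cosign load` and `helm install`. The listing comparison in `verify_sums` is the check most bundle recipes omit: `sha256sum --check` only proves that listed files are intact, not that nothing was added.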

Security/hardening

  • Non-root images, read-only rootfs, drop NET_RAW (and any other capability the process does not need), seccomp RuntimeDefault profile.
  • Telemetry disabled by default; no registry pulls at runtime (images come from the bundle, and the pull policy must not fall back to the network).
  • mTLS between indexer and its dependencies (certificate/key values documented in the chart).

Evidence to capture

  • Image digests, SBOM hashes, cosign verification logs.
  • Bundle SHA256SUMS and signed manifest.
  • Helm/Compose render outputs (short).

Owners

  • DevOps Guild (build/pipeline)
  • Graph Indexer Guild (chart/values)
  • Platform Security (signing policy)