AdvisoryHub Operations Manual¶
This manual is for the operator — the person who installs, configures, runs,
and maintains the AdvisoryHub service. It is the day-0-to-day-2 companion to the
end-user ../manual/ guides (which cover using the app) and to
../specification/architecture.md (which
explains how it is built and why). Where this manual and the code disagree,
the code wins; cross-references point you at the authoritative source.
It is documentation only: it tells you how to run AdvisoryHub with the tools
the repository already ships (Dockerfile, docker-compose.yml,
gunicorn.conf.py, the management commands). Production deployment is
platform-agnostic; for Kubernetes/OKD the repository ships a first-class
Helm chart, but nothing requires it.
1. What you are running¶
AdvisoryHub is a server-rendered Django application with an asynchronous task tier. A complete deployment is three application processes plus two backing stores, an identity provider, and one external Git repository:
| Component | What it is | Notes |
|---|---|---|
| web | Django served by gunicorn (config.wsgi) |
Stateless; scale horizontally behind a TLS-terminating reverse proxy. |
| worker | Celery worker (-A config) |
Runs publication, notifications, GHSA/PMI sync. |
| beat | Celery beat scheduler (-A config) |
Fires the periodic tasks. Run exactly one. |
| PostgreSQL | Primary datastore (required) | Append-only audit triggers and JSONB queries are Postgres-specific — SQLite/MySQL are not supported. |
| Valkey / Redis | Celery broker + result backend + cache | Valkey is Redis-wire-compatible; redis:// URLs work unchanged. |
| OIDC provider | Authentication + group membership | All identity flows from here; AdvisoryHub stores a mirror, never the authority. |
| Publication Git repo | External repo advisories are pushed to | Its own CI renders the public website. AdvisoryHub only writes to it. |
flowchart LR
U[Browsers]
GH[GitHub webhooks]
U --> LB[Reverse proxy / TLS]
GH --> LB
LB --> WEB[web - gunicorn]
BEAT[beat - Celery]
WK[worker - Celery]
WEB <--> PG[(PostgreSQL)]
WEB <--> VK[(Valkey / Redis)]
WEB <--> IDP[OIDC provider]
WK <--> PG
WK <--> VK
BEAT --> VK
WK --> PUB[(Publication Git repo)]
WK --> GHAPI[GitHub API]
WK -->|optional| LLM[LLM provider]
WEB -->|/metrics| PROM[Prometheus]
WK -->|exporter| PROM
The full architecture, pipelines, and rationale are in
../specification/architecture.md.
2. Prerequisites¶
- Python 3.14 (pinned in
.python-version) — for building the image / running management commands. - PostgreSQL (the dev stack uses 16) — reachable via
DATABASE_URL. - Valkey or Redis, run with
--maxmemory-policy noevictionso an eviction can never silently drop a broker message or a rate-limit/maintenance key. - An OIDC identity provider (Kanidm, Keycloak, Okta, Entra, …) where you can register a confidential client and model the admin and per-project security-team groups.
- A Git repository for publication output, reachable over SSH or HTTPS, with a deploy key or token that can push.
- An SMTP relay for notification email (dev uses the console backend).
- A TLS-terminating reverse proxy / load balancer in front of
web. - Optional: a GitHub App (for the GHSA integration), Eclipse API client credentials (for security-team roster sync), and an LLM provider (Anthropic API key, or any OpenAI-compatible endpoint, for duplicate detection) — all off by default.
3. Which page do I need?¶
| Page | Covers |
|---|---|
| installation.md | Local evaluation (docker-compose), the production first-run bootstrap sequence, and the container image. |
| configuration.md | The settings modules and the complete environment-variable reference. |
| running-in-production.md | Running web/worker/beat, reverse proxy & TLS, static files, health probes, the beat schedule, and the security-hardening checklist. |
| deploy-kubernetes.md | Deploying with the Helm chart (charts/advisoryhub/) on OKD/OpenShift or vanilla Kubernetes. |
| integrations.md | Wiring the OIDC provider, the publication Git repo (SSH/token), the optional GHSA GitHub App, and roster sync. |
| observability.md | Logging, Prometheus metrics, the bundled Grafana/alert assets, and Sentry. |
| maintenance.md | Backups & data integrity, upgrades, maintenance mode, the management-command reference, and data retention / GDPR. |
For the in-app administrator role (reviewing advisories, the Admin Console), see the end-user Administrator & Reviewer Guide — that is a different "admin" from the system operator this manual addresses.