This repository has been archived by the owner on Oct 6, 2019. It is now read-only.
Production Deployment
Tony Cai edited this page Jul 7, 2017 · 28 revisions
Steps:
- Prepare vault (only needs to be done once)
- Generate a wrapped SecretID from AppRole
- Download goldfish binary to a host machine, and launch
As of v0.5.0, the goldfish AppRole is recommended to be set periodic (note the `period=24h` in the role definition below). See here for why.
Step 1: Prepare vault (only needs to be done once)

```bash
# goldfish repo contains goldfish policy
go get github.com/caiyeon/goldfish

# transit backend and approle auth backend need to be enabled
vault mount transit
vault auth-enable approle

# see the policy file for details
vault policy-write goldfish $GOPATH/src/github.com/caiyeon/goldfish/vagrant/policies/goldfish.hcl

# SecretIDs are single-use and short-lived; the token is periodic (see the note above)
vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
    secret_id_num_uses=1 secret_id_ttl=5m period=24h
vault write auth/approle/role/goldfish/role-id role_id=goldfish

# initialize transit key. This is not strictly required but is proper procedure
vault write -f transit/keys/goldfish

# production goldfish needs a generic secret endpoint to hot reload settings from. See Configuration page for details
vault write secret/goldfish DefaultSecretPath="secret/" TransitBackend="transit" \
    UserTransitKey="usertransit" ServerTransitKey="goldfish" BulletinPath="secret/bulletins/"
```

Step 2: Generate a wrapped SecretID from AppRole

```bash
# jq is a very useful tool for interpreting json on the fly
sudo apt-get install -y jq

# Store this wrapped token! It'll be used in deployment below as $VAULT_TOKEN
vault write -f -wrap-ttl=20m -format=json auth/approle/role/goldfish/secret-id | jq -r .wrap_info.token
```
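Before the wrapped token from step 2 is handed to the deploy host, it is worth confirming that the JSON really is a wrapped SecretID from the goldfish role (correct `creation_path`, no plaintext `data`, TTL no longer than intended) rather than trusting `jq` to pull out whatever `.wrap_info.token` holds. The following Python script is an added check, not part of goldfish; it assumes the role path and the 20m wrap TTL used above and runs on a constructed sample of the `vault write -format=json` output:

```python
"""Added deploy-side check: validate the response-wrapped SecretID JSON before it becomes $VAULT_TOKEN."""
import json

EXPECTED_CREATION_PATH = "auth/approle/role/goldfish/secret-id"  # the endpoint used in step 2
MAX_WRAP_TTL_SECONDS = 20 * 60  # matches -wrap-ttl=20m in step 2


def wrap_problem(raw_json, expected_path=EXPECTED_CREATION_PATH, max_ttl=MAX_WRAP_TTL_SECONDS):
    """Return None if the response is a usable wrapped SecretID, else a string saying what is wrong."""
    doc = json.loads(raw_json)
    wrap = doc.get("wrap_info")
    if not wrap:
        return "response is not wrapped (was -wrap-ttl passed?)"
    if doc.get("data"):  # a wrapped response carries no plaintext payload
        return "plaintext data returned alongside wrap_info; the SecretID may already be exposed"
    if wrap.get("creation_path") != expected_path:
        # Vault records where the wrapping token was created; anything but the goldfish
        # secret-id endpoint means this is not the token that step 2 was meant to produce.
        return "unexpected creation_path %r" % wrap.get("creation_path")
    ttl = int(wrap.get("ttl") or 0)
    if ttl <= 0 or ttl > max_ttl:
        return "wrap ttl %d outside (0, %d]" % (ttl, max_ttl)
    if not wrap.get("token"):
        return "wrap_info has no token"
    return None


def extract_wrapped_token(raw_json):
    """Return the wrapping token to pass as -token=, raising ValueError on any problem."""
    problem = wrap_problem(raw_json)
    if problem:
        raise ValueError(problem)
    return json.loads(raw_json)["wrap_info"]["token"]


def _sample(wrap_info=None, data=None):
    # Constructed stand-in for `vault write -format=json` output; not real Vault data.
    return json.dumps({"request_id": "", "lease_id": "", "renewable": False,
                       "lease_duration": 0, "data": data, "wrap_info": wrap_info,
                       "warnings": None, "auth": None})


GOOD_WRAP = {"token": "PLACEHOLDER-WRAPPING-TOKEN", "ttl": 1200,
             "creation_time": "2017-07-07T12:00:00Z", "creation_path": EXPECTED_CREATION_PATH}
SAMPLE_RESPONSE = _sample(wrap_info=GOOD_WRAP)  # what step 2 should produce
SAMPLE_UNWRAPPED = _sample(data={"secret_id": "PLACEHOLDER-SECRET-ID"})  # -wrap-ttl forgotten
SAMPLE_WRONG_PATH = _sample(wrap_info=dict(GOOD_WRAP, creation_path="auth/token/create"))

if __name__ == "__main__":
    print(extract_wrapped_token(SAMPLE_RESPONSE))  # prints PLACEHOLDER-WRAPPING-TOKEN
```

On a real deploy, pipe the `vault write ... -format=json` output into this script instead of the constructed sample.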
Step 3: Download goldfish binary to a host machine, and launch

These instructions are for v0.5.0 and above.

```bash
# on the host, disable swap for security
sudo swapoff -a
# IMPORTANT: don't forget to also disable ssh access!

# Download goldfish executable. Everything is packed inside.
GOLDFISH_VERSION=v0.5.0
curl -L -o goldfish https://github.com/Caiyeon/goldfish/releases/download/$GOLDFISH_VERSION/goldfish-linux-amd64
chmod +x goldfish  # curl does not set the executable bit

# provision a deployment config file (see repo config/sample.hcl for a full list of params)
cat <<EOF > config.hcl
listener "tcp" {
  address       = ":443" # listen on default https port
  tls_cert_file = "path/to/cert"
  tls_key_file  = "path/to/key"
}
vault {
  address = "https://vault.com:8200"
}
EOF

# launch the server (detached from shell by nohup and &) [Optional: write as systemd service]
# $VAULT_TOKEN is the wrapped token from step 2
nohup sudo ./goldfish -config=config.hcl -token=$VAULT_TOKEN &
```
For releases before v0.5.0 (e.g. v0.4.1), the web assets are shipped separately as public.zip and must be unpacked next to the binary:

```bash
# on the host, disable swap for security
sudo swapoff -a
# IMPORTANT: don't forget to also disable ssh access!

# download executable and public.zip of desired release version
GOLDFISH_VERSION=v0.4.1
curl -L -o goldfish https://github.com/Caiyeon/goldfish/releases/download/$GOLDFISH_VERSION/goldfish-linux-amd64
curl -L -o public.zip https://github.com/Caiyeon/goldfish/releases/download/$GOLDFISH_VERSION/public.zip
chmod +x goldfish  # curl does not set the executable bit
unzip public.zip

# provision a deployment config file (see repo config/sample.hcl for a full list)
cat <<EOF > config.hcl
listener "tcp" {
  address       = "goldfish.com"
  tls_cert_file = "path/to/cert"
  tls_key_file  = "path/to/key"
}
vault {
  address = "https://vault.com:8200"
}
EOF

# launch the server (detached from shell by nohup and &) [Optional: write as systemd service]
# $VAULT_TOKEN is the wrapped token from step 2
nohup sudo ./goldfish -config=config.hcl -token=$VAULT_TOKEN &
```
It is highly recommended that you deploy the release versions. Master is NOT guaranteed to keep the same deployment procedure, so a deploy script built against it could break at any time. If you must build from source, check out build.sh in the repo.
For more details on launch configurations, see here.
For more details on run-time configurations, see here.