This repository has been archived by the owner on Oct 6, 2019. It is now read-only.
Production Deployment
Tony Cai edited this page Jun 4, 2017
Deploying goldfish for production takes only a couple of minutes.
Steps:
- Prepare vault (only needs to be done once)
- Generate a SecretID from AppRole (needs to be done every deployment of goldfish)
- Download release versions of goldfish to a host machine, and deploy
- Just like vault, the host machine's swap should be disabled
- All ssh access should be disabled. Upgrades and fixes can be done by redeploying goldfish
```bash
# the goldfish repo contains the goldfish policy
go get github.com/caiyeon/goldfish
# transit backend and approle auth backend need to be enabled
# (Vault 0.x CLI syntax, as used when this page was written)
vault mount transit
vault auth-enable approle
# see the policy file for details
vault policy-write goldfish $GOPATH/src/github.com/caiyeon/goldfish/vagrant/policies/goldfish.hcl
vault write auth/approle/role/goldfish role_name=goldfish secret_id_ttl=5m token_ttl=480h \
token_max_ttl=720h secret_id_num_uses=1 policies=default,goldfish
vault write auth/approle/role/goldfish/role-id role_id=goldfish
# initialize transit key, since goldfish policy is not authorized to do so
vault write -f transit/keys/goldfish
# production goldfish needs a generic secret endpoint to hot reload settings from. See below for explanations
vault write secret/goldfish DefaultSecretPath="secret/" TransitBackend="transit" \
UserTransitKey="usertransit" ServerTransitKey="goldfish" BulletinPath="secret/bulletins/"
# jq is a very useful tool for interpreting json on the fly
sudo apt-get install -y jq
# the wrapping token printed here is what goldfish expects as -vault_token at launch;
# it is single-use and expires after 20 minutes, so generate it right before deploying
vault write -f -wrap-ttl=20m -format=json auth/approle/role/goldfish/secret-id | jq -r .wrap_info.token
```
```bash
# on the host, disable swap for security
sudo swapoff -a
# IMPORTANT: don't forget to also disable ssh access!
# download executable and public.zip of desired release version
GOLDFISH_VERSION=v0.3.0
curl -L -o goldfish https://github.com/Caiyeon/goldfish/releases/download/$GOLDFISH_VERSION/goldfish-linux-amd64
curl -L -o public.zip https://github.com/Caiyeon/goldfish/releases/download/$GOLDFISH_VERSION/public.zip
unzip public.zip
# launch the server (detached from shell by nohup)
nohup sudo ./goldfish \
-goldfish_addr ":443" -cert_file /path/to/certificate.crt -key_file /path/to/privatekey.pem \
-vault_addr $VAULT_ADDR -vault_token $VAULT_TOKEN \
-approle_path auth/approle/login -role_id goldfish \
-config_path secret/goldfish &
# if you have systemd knowledge, goldfish would be better off as a system service
```
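Before the wrapping token from the secret-id command above is passed to goldfish as -vault_token, the deployer can confirm it really was minted by the goldfish secret-id endpoint and still carries a short TTL. This added Python example (not goldfish's own code) does that with Vault's sys/wrapping/lookup API, which reports on a wrapping token without consuming it; it assumes VAULT_ADDR and VAULT_TOKEN are set in the environment and reuses the role name and 20m wrap TTL from this page.

```python
"""Check a wrapped SecretID token before handing it to goldfish as -vault_token.
Added example for this wiki page, not goldfish's own code. Assumes Vault's
sys/wrapping/lookup endpoint and the role and path names used on this page."""
import json
import os
import sys
import urllib.request

# Path the SecretID was wrapped from (the `vault write ... secret-id` call on this page).
EXPECTED_CREATION_PATH = "auth/approle/role/goldfish/secret-id"
MAX_WRAP_TTL = 20 * 60  # seconds, matching -wrap-ttl=20m


def check_wrapping_lookup(lookup, expected_path=EXPECTED_CREATION_PATH, max_ttl=MAX_WRAP_TTL):
    """Return a list of problems found in a sys/wrapping/lookup response; empty means OK.
    A creation_path mismatch means the token was not produced by the expected call,
    so a substituted token is caught before it is used to start goldfish."""
    problems = []
    data = lookup.get("data") or {}
    path = data.get("creation_path")
    if path != expected_path:
        problems.append(f"creation_path {path!r} != {expected_path!r}")
    ttl = data.get("creation_ttl")
    if not isinstance(ttl, int) or ttl <= 0 or ttl > max_ttl:
        problems.append(f"creation_ttl {ttl!r} not within (0, {max_ttl}] seconds")
    return problems


def lookup_wrapping_token(wrap_token, vault_addr, vault_token):
    """POST /v1/sys/wrapping/lookup with an operator token; returns the parsed JSON body."""
    req = urllib.request.Request(
        vault_addr.rstrip("/") + "/v1/sys/wrapping/lookup",
        data=json.dumps({"token": wrap_token}).encode(),
        headers={"X-Vault-Token": vault_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python check_wrap.py <wrapping-token>; exits 1 if the token fails the checks
    body = lookup_wrapping_token(sys.argv[1], os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    issues = check_wrapping_lookup(body)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```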
Note: it is highly recommended that you download the release versions. But if you must, compiling goldfish from source is easy too.
```bash
go get github.com/caiyeon/goldfish
# the server executable can be easily cross-compiled
env GOOS=linux GOARCH=amd64 go build -v github.com/caiyeon/goldfish
# the static folder can be built and zipped up
cd $GOPATH/src/github.com/caiyeon/goldfish/frontend
# download node modules
sudo npm install -g cross-env
npm install
npm run build
# static files are generated in goldfish/public
zip -r -X public.zip ../public
```
```bash
# on the host, disable swap for security
sudo swapoff -a
# IMPORTANT: don't forget to also disable ssh access!
# unzip the frontend static folder
unzip public.zip
# launch the server (detached from shell by nohup)
nohup sudo ./goldfish \
-goldfish_addr ":443" -cert_file /path/to/certificate.crt -key_file /path/to/privatekey.pem \
-vault_addr $VAULT_ADDR -vault_token $VAULT_TOKEN \
-approle_path auth/approle/login -role_id goldfish \
-config_path secret/goldfish &
# if you have systemd knowledge, goldfish would be better off as a system service
```
For more details on launch configurations, see here
For more details on run-time configurations, see here