I'm pretty much doing this.

Nginx config for my TLS frontend:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name localhost go-server.company.lan go.company.com;
    ssl on;
    ssl_certificate /etc/ssl/local/<>.crt;
    ssl_certificate_key /etc/ssl/local/<>.key;

    location / {
        proxy_pass http://localhost:8153;

        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Proto  $scheme;
    }
}



This happens to be running on the machine itself (for various reasons), but 
you could easily set that up with an nginx docker container.
You might have to change localhost on the proxy_pass line to the name of 
the go-server container.

Here's my go-server Dockerfile:

 

FROM gocd/gocd-server:16.10.0
# Setup plugins
WORKDIR /go-plugins/external
RUN curl -1 -L -O https://github.com/gocd-contrib/gocd-oauth-login/releases/download/v1.2/google-oauth-login-1.2.jar
RUN curl -1 -L -O https://github.com/gocd-contrib/xunit-converter-task/releases/download/1.1/xunit-converter-task-1.1.jar
RUN curl -1 -L -O https://github.com/tomzo/gocd-yaml-config-plugin/releases/download/0.1.0/yaml-config-plugin-0.1.0.jar
RUN curl -1 -L -O https://github.com/gocd-contrib/script-executor-task/releases/download/0.2/script-executor-0.2.jar
RUN curl -1 -L -O https://github.com/Vincit/gocd-slack-task/releases/download/v1.3/gocd-slack-task-1.3.jar

# Make sure the server can talk to bitbucket
# /var/go is a VOLUME, so set these up via a proxy dir
COPY resource/ssh/* /ssh-keys/
# Make sure that the mounted directories are writable
COPY resource/98_copy_into_volumes.sh resource/99_chown.sh /etc/my_init.d/
WORKDIR /etc/go



This is where it gets interesting. You can't COPY or ADD things into 
volumes, so I take advantage of the fact that the image I'm using is based 
on phusion/baseimage.
Here are the two files which are copied into /etc/my_init.d/

98_copy_into_volumes.sh:

#!/bin/bash
# Copy the plugins
cp -av /go-plugins/* /var/lib/go-server/plugins
# Copy the config files
cp -av /go-config/{.??,}* /etc/go/
# Copy the ssh keys
cp -av /ssh-keys /var/go/.ssh
chown -R go:go /var/go/.ssh
chmod 700 /var/go/.ssh
chmod 400 /var/go/.ssh/*


99_chown.sh:

#!/bin/bash
chown -R go:go /etc/go /var/go /var/lib/go-*



The order in which these are run is important, hence the 98 and 99.
You asked about persisting logs, db etc. The following is already in the 
gocd base image:

> VOLUME ["/var/lib/go-server", "/var/log/go-server", "/etc/go", "/go-addons", "/var/go"]


This pretty much covers all the use cases you wanted. The source for their 
dockerfile is here: 
https://github.com/gocd/gocd-docker/blob/master/phusion/server/Dockerfile

I tie this all together using docker-compose. Here's a chunk of my compose 
file:

---
version: '2'
services:
  go-server:
    image: registry.company.com/ci/go-server
    build:
      context: .
      dockerfile: Dockerfile.go-server
    ports:
      - "8153:8153"
      - "8154:8154"
    volumes:
      - ~/volumes/go:/etc/go
      - ~/volumes/go-server:/var/lib/go-server
  python:
    image: registry.company.com/ci/python
    build:
      context: .
      dockerfile: Dockerfile.python
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      AGENT_RESOURCES: python


That has the config for my server and 'python' agent. I have a folder on 
the host (~/volumes/go-server) where the db, artifacts etc are stored 
persistently.


I know this reply is all over the place - feel free to ask more specific 
questions about my setup if it helps.
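Added example, not the reply author's script: a portable rendering of the 98_copy_into_volumes.sh step above (copy the config tree dotfiles included, then lock the ssh key directory down to 700/400), exercised against a constructed temporary tree instead of the real /go-config, /ssh-keys and /var/go paths. The `{.??,}*` brace trick in the post only works in bash; iterating two globs does the same job under plain sh, and the chown is made optional so the functions can be run on a host that has no "go" user. The ssh_dir_locked_down check is an assumed helper added for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Paths used by demo() are
# constructed under a temp directory; nothing touches the real volumes.

# copy_tree SRC DST: copy SRC's contents into DST, dotfiles included.
# ".??*" matches dotfiles but never "." or ".."; looping over two globs
# replaces the bash-only "{.??,}*" from the post so this also runs in sh.
copy_tree() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    for f in "$src"/.??* "$src"/*; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal: skip it
        cp -Rp "$f" "$dst"/
    done
}

# install_ssh_keys SRC DST [OWNER]: copy keys, then apply the permissions
# ssh insists on (700 on the directory, 400 on every key file). OWNER is
# optional so the function can be exercised without a "go" user present.
install_ssh_keys() {
    src=$1
    dst=$2
    owner=$3
    copy_tree "$src" "$dst"
    chmod 700 "$dst"
    find "$dst" -type f -exec chmod 400 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst"
    fi
}

# ssh_dir_locked_down DIR: succeed only if DIR is exactly mode 700 and every
# file inside it is exactly mode 400 ("find -perm MODE" is an exact match).
ssh_dir_locked_down() {
    dir=$1
    [ -n "$(find "$dir" -prune -perm 700 -print)" ] || return 1
    [ -z "$(find "$dir" -type f ! -perm 400 -print)" ] || return 1
    return 0
}

# demo: build a constructed /go-config and /ssh-keys under a temp dir, run
# both steps, and verify the dotfile was copied and the keys were locked down.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/go-config" "$work/ssh-keys"
    printf 'cruise-config\n' > "$work/go-config/cruise-config.xml"
    printf 'dotfile\n'       > "$work/go-config/.gitconfig"
    printf 'FAKE PRIVATE KEY (constructed)\n' > "$work/ssh-keys/id_rsa"
    printf 'bitbucket.org ssh-rsa FAKE\n'     > "$work/ssh-keys/known_hosts"
    chmod 644 "$work/ssh-keys/id_rsa"        # deliberately too open

    copy_tree "$work/go-config" "$work/etc-go"
    install_ssh_keys "$work/ssh-keys" "$work/go/.ssh" ""

    [ -f "$work/etc-go/cruise-config.xml" ] || return 1
    [ -f "$work/etc-go/.gitconfig" ]        || return 1   # dotfile came across
    ssh_dir_locked_down "$work/go/.ssh"     || return 1
    rm -rf "$work"
    return 0
}

demo && echo "copy + lockdown OK"
```

In the container the call would be `install_ssh_keys /ssh-keys /var/go/.ssh go:go`; the 400/700 step matters because ssh refuses to use a private key that is group- or world-readable, which is exactly what a `COPY` into the image leaves behind.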


On Saturday, November 19, 2016 at 12:14:44 PM UTC+2, Fredrik Wendt wrote:
>
> Hi,
>
> I looked at this a long time ago, and spent an unexpected amount of time 
> trying to get the cert into the keystore, etc. In the end, I gave up and 
> ran it all on a non-public VPN with no security at all. I would now like to 
> get this done properly, but all documentation almost assumes manual, 
> snowflaky installations of GoCD. I think GoCD should provide a good 
> reference of fully automated GoCD server installation and setup - 
> Infrastructure as Code is not a new concept, and is typically one you want 
> to exercise when doing Continuous De* anyway, so ... eating your own dog 
> food.
>
> Unfortunately, I didn't document all the steps I took. After eventually 
> giving up on running GoCD server I remember trying to put nginx as a TLS 
> frontend in front of the server, since that provided better TLS scoring, 
> both for security and interoperability (support combinations of ciphers and 
> versions found in the wild). I wonder if anyone is doing this, with their 
> own custom certificates, and spin it up with Docker?
>
> So something like:
>
> gocd-server:
>   image: gocd/gocd-server
>   volumes:
>     - logs, db, pipeline-config, artifacts
> tls-frontend:
>   build: nginx+certs
>   ports:
>     - 80
>     - 443
>
> I'm looking to have the pipeline-config, database (with history of runs 
> etc), and artifacts survive a restart and upgrade.
>
> I wouldn't mind running all agents and gocd server on the VPN, ie agents 
> don't need to go through a public IP address. I do want humans to access 
> GoCD publicly though, so nginx putting TLS in front of 8153 would work just 
> fine. I'm not sure if one can create a configuration where agents would 
> find the vpn endpoint(s).
>
> Any pointers would be highly appreciated.
>
> / Fredrik
>
