Thanks Andrew! I only have one concern really, and that is:

* how to configure the gocd server so that agents know the canonical URL/endpoints
* do you point the agents to 8154 port?

I think I have most of the answers here:
https://docs.go.cd/current/installation/configuring_server_details.html
https://docs.go.cd/current/installation/configure_proxy.html#agents-and-custom-ssl-ports

> Keep in mind that the agents must still be able to connect to the SSL port
> of the server (8154 by default), bypassing the proxy. The Go server itself
> needs to terminate the TLS connections of the agents, because they each use
> TLS client certificates to authenticate themselves to the server. If you
> have a firewall between your agents and your server, you must allow
> incoming traffic on the Go server SSL port, not just on the proxy server
> SSL port.
>
> The initial communication of the agent to the server happens over HTTP,
> and this can go via the proxy, but afterwards all traffic will go directly
> via a TLS connection to the Go server (in fact, configuring the agent with
> the SSL port instead of the HTTP port of the server will give an error
> for this initial connection).

ie:

* in the server config, point out the URL pointing to the proxy
* in the agents, it should be OK (according to above docs) to specify the proxy's IP address/hostname in GO_SERVER - but how the heck will the agent discover the non-proxied HTTPS port if one configures the proxied HTTPS URL in the above server config?

/ Fredrik

2016-11-21 8:47 GMT+01:00 Andrew van Rooyen <[email protected]>:

> I'm pretty much doing this.
>
> Nginx config for my TLS frontend:
>
>     server {
>         listen 80;
>         listen [::]:80 ipv6only=on;
>         rewrite ^ https://$server_name$request_uri? permanent;
>     }
>
>     server {
>         listen 443 ssl;
>         server_name localhost go-server.company.lan go.company.com;
>         ssl on;
>         ssl_certificate /etc/ssl/local/<>.crt;
>         ssl_certificate_key /etc/ssl/local/<>.key;
>
>         location / {
>             proxy_pass http://localhost:8153;
>
>             proxy_set_header Host $host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Proto $scheme;
>         }
>     }
>
> This happens to be running on the machine itself (for various reasons),
> but you could easily set that up with an nginx docker container.
> You might have to change localhost on the proxy_pass line to the name of
> the go-server container.
>
> Here's my go-server Dockerfile:
>
>     FROM gocd/gocd-server:16.10.0
>     # Setup plugins
>     WORKDIR /go-plugins/external
>     RUN curl -1 -L -O https://github.com/gocd-contrib/gocd-oauth-login/releases/download/v1.2/google-oauth-login-1.2.jar
>     RUN curl -1 -L -O https://github.com/gocd-contrib/xunit-converter-task/releases/download/1.1/xunit-converter-task-1.1.jar
>     RUN curl -1 -L -O https://github.com/tomzo/gocd-yaml-config-plugin/releases/download/0.1.0/yaml-config-plugin-0.1.0.jar
>     RUN curl -1 -L -O https://github.com/gocd-contrib/script-executor-task/releases/download/0.2/script-executor-0.2.jar
>     RUN curl -1 -L -O https://github.com/Vincit/gocd-slack-task/releases/download/v1.3/gocd-slack-task-1.3.jar
>
>     # Make sure the server can talk to bitbucket
>     # /var/go is a VOLUME, so set these up via a proxy dir
>     COPY resource/ssh/* /ssh-keys/
>     # Make sure that the mounted directories are writable
>     COPY resource/98_copy_into_volumes.sh resource/99_chown.sh /etc/my_init.d/
>     WORKDIR /etc/go
>
> This is where it gets interesting. You can't COPY or ADD things into
> volumes, so I take advantage of the fact that the image I'm using is based
> on phusion/baseimage.
> Here are the two files which are copied into /etc/my_init.d/
>
> 98_copy_into_volumes.sh:
>
>     #!/bin/bash
>     # Copy the plugins
>     cp -av /go-plugins/* /var/lib/go-server/plugins
>     # Copy the config files
>     cp -av /go-config/{.??,}* /etc/go/
>     # Copy the ssh keys
>     cp -av /ssh-keys /var/go/.ssh
>     chown -R go:go /var/go/.ssh
>     chmod 700 /var/go/.ssh
>     chmod 400 /var/go/.ssh/*
>
> 99_chown.sh:
>
>     #!/bin/bash
>     chown -R go:go /etc/go /var/go /var/lib/go-*
>
> The order these are run is important, hence the 98 and 99.
> You asked about persisting logs, db etc. The following is already in the
> gocd base image:
>
>     VOLUME ["/var/lib/go-server", "/var/log/go-server", "/etc/go", "/go-addons", "/var/go"]
>
> This pretty much covers all the use cases you wanted. The source for their
> dockerfile is here: https://github.com/gocd/gocd-docker/blob/master/phusion/server/Dockerfile
>
> I tie this all together using docker-compose. Here's a chunk of my compose
> file:
>
>     ---
>     version: '2'
>     services:
>       go-server:
>         image: registry.company.com/ci/go-server
>         build:
>           context: .
>           dockerfile: Dockerfile.go-server
>         ports:
>           - "8153:8153"
>           - "8154:8154"
>         volumes:
>           - ~/volumes/go:/etc/go
>           - ~/volumes/go-server:/var/lib/go-server
>       python:
>         image: registry.company.com/ci/python
>         build:
>           context: .
>           dockerfile: Dockerfile.python
>         volumes:
>           - /var/run/docker.sock:/var/run/docker.sock
>         environment:
>           AGENT_RESOURCES: python
>
> That has the config for my server and 'python' agent. I have a folder on
> the host (~/volumes/go-server) where the db, artifacts etc are stored
> persistently.
>
> I know this reply is all over the place - feel free to ask more specific
> questions about my setup if it helps.
>
> On Saturday, November 19, 2016 at 12:14:44 PM UTC+2, Fredrik Wendt wrote:
>>
>> Hi,
>>
>> I looked at this a long time ago, and spent an unexpected amount of time
>> trying to get the cert into the keystore, etc. In the end, I gave up and
>> ran it all on a non-public VPN with no security at all. I would now like to
>> get this done properly, but all documentation almost assumes manual,
>> snowflaky installations of GoCD. I think GoCD should provide a good
>> reference of fully automated GoCD server installation and setup -
>> Infrastructure as Code is not a new concept, and is typically one you want
>> to exercise when doing Continuous De* anyway, so ... eating your own dog
>> food.
>>
>> Unfortunately, I didn't document all the steps I took. After eventually
>> giving up on running GoCD server I remember trying to put nginx as a TLS
>> frontend in front of the server, since that provided better TLS scoring,
>> both for security and interoperability (support combinations of ciphers and
>> versions found in the wild). I wonder if anyone is doing this, with their
>> own custom certificates, and spinning it up with Docker?
>>
>> So something like:
>>
>>     gocd-server:
>>       image: gocd/gocd-server
>>       volumes:
>>         - logs, db, pipeline-config, artifacts
>>     tls-frontend:
>>       build: nginx+certs
>>       ports:
>>         - 80
>>         - 443
>>
>> I'm looking to have the pipeline-config, database (with history of runs
>> etc), and artifacts survive a restart and upgrade.
>>
>> I wouldn't mind running all agents and gocd server on the VPN, ie agents
>> don't need to go through a public IP address. I do want humans to access
>> GoCD publicly though, so nginx putting TLS in front of 8153 would work just
>> fine. I'm not sure if one can create a configuration where agents would
>> find the vpn endpoint(s).
>>
>> Any pointers would be highly appreciated.
>>
>> / Fredrik
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "go-cd" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-cd/9dBuLWlgis0/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
cell: +46 702 778511
skype: fredrikwendt

--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
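A hardened version of the TLS frontend the thread describes, as an added example (this is not Andrew's config and not anything shipped by the GoCD project). It assumes the Go server runs as a compose service named go-server, that the certificate pair lives under /etc/ssl/local/ with the hostnames shown, and an nginx/OpenSSL build new enough for TLS 1.3 (drop that token otherwise). It keeps the split the quoted docs require: humans reach nginx on 443, which proxies only the HTTP port 8153, while the 8154 SSL port is left unproxied because the Go server has to terminate the agents' client-certificate TLS itself. Compared with the config above it drops the redundant `ssl on;`, pins protocol and cipher policy, and adds HSTS.

```nginx
# Added example: hardened nginx TLS frontend for a GoCD server running as the
# compose service "go-server" (assumed name). Humans reach the UI on 443; only
# the plain HTTP port 8153 is proxied. Port 8154 is deliberately NOT proxied:
# agents connect to it directly, because the Go server must terminate their
# client-certificate TLS itself.

server {
    listen 80;
    listen [::]:80;
    server_name go.company.com go-server.company.lan;   # assumed hostnames
    # Redirect everything to HTTPS; nothing is served over plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name go.company.com go-server.company.lan;   # assumed hostnames

    # "ssl on;" is not needed once "listen ... ssl" is used (and the directive
    # is deprecated in newer nginx releases).
    ssl_certificate     /etc/ssl/local/go.company.com.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/local/go.company.com.key;

    # Protocol and cipher policy: TLS 1.2+ with forward-secret AEAD suites only.
    # Remove the TLSv1.3 token if the nginx/OpenSSL build predates TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption via the shared cache; tickets are disabled so that a
    # long-lived ticket key cannot weaken forward secrecy for resumed sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for this host for two years; hide the version.
    add_header Strict-Transport-Security "max-age=63072000" always;
    server_tokens off;

    location / {
        # Only the HTTP port of the Go server sits behind the proxy.
        proxy_pass http://go-server:8153;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# No server block for 8154 on purpose. In the compose fragment from the thread
# the go-server service publishes "8154:8154", and that is the port agents use
# directly; any firewall between agents and server therefore has to admit
# agent traffic to 8154 on the Go server host, not only 443 on the proxy.
```

Drop the file into /etc/nginx/conf.d/ of the nginx container (or mount it there from the compose file), run `nginx -t` to syntax-check it, and then confirm from an agent host that 8154 on the Go server is reachable without going through the proxy, since that is the path the quoted documentation says the agents' TLS traffic takes after the initial HTTP handshake.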
