https://github.com/EugenMayer/concourseci-server-boilerplate

Concourse CI fast upstart boilerplate for test or production
https://github.com/EugenMayer/concourseci-server-boilerplate

concourse-ci continuous-integration docker ldap minio pipeline vault

Last synced: 2 months ago
JSON representation

Concourse CI fast upstart boilerplate for test or production

• Host: GitHub
• URL: https://github.com/EugenMayer/concourseci-server-boilerplate
• Owner: EugenMayer
• Archived: true
• Created: 2017-11-15T13:59:11.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2021-10-10T18:44:53.000Z (over 2 years ago)
• Last Synced: 2024-01-24T13:47:35.946Z (5 months ago)
• Topics: concourse-ci, continuous-integration, docker, ldap, minio, pipeline, vault
• Language: Shell
• Homepage:
• Size: 162 KB
• Stars: 20
• Watchers: 6
• Forks: 9
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Lists

• awesome-list - Concourse Boilerplate

README

        
# Status

- Concourse Version: 7.x

- Vault: 1.8.x

- Postgres: 11

- Auth: LDAP or Local

- Artifact-Storage: Minio S3 local storage

- Traefik as SSL-Offloader: 2.5+

## WAT

   

A boilerplate for you to quick-start a concourse stack with most of the features you would need in production.

It auto-configures `Concourse CI` and lets you configure most of the things using ENV variables for customization.

- [Concourse Configurator](https://github.com/EugenMayer/docker-image-concourse-configurator)

- [Vault](https://www.vaultproject.io/) (Secret Storage)

- [Minio](https://minio.io/) (S3 Artifact Storage)

- [LDAP](https://github.com/EugenMayer/docker-image-ldapexample) (Authentication)

- [Traefik](https://traefik.io/) (SSL Offloading)

It starts the whole stack with a simple

```console

docker-compose up

```

and lets you select the features you actually need in `.env`.

Use cases would be:

- Run Concourse CI in production

- Test concourse for or in your team

- test-drive upgrades of your concourse

- developing new pipelines before you deploy it to your production server, like this [concourse-app-release-lifecycle-example](https://github.com/kw-concourse-example/concourse-app-release-lifecycle-example)

## Usage

To just go for it:

`cp .env.local.sample .env`

```bash

docker-compose up

# or

./start.sh

```

Now you have the default setup. Access it using `http://localhost` (via traefik) with the user `included1`, password `included`

## Customizing

Copy the `.env.local.sample` to `.env` - now customize `.env`.

I. The default setup includes the following aspects

- `traefik` SSL offloading / reverse proxy (with disabled SSL by default)

- `vault` configured (as secret store), see `docker-compose-vault.yml`

- `minio` configured (as a s3 alike artifac storage store), see `docker-compose-minio.yml`

- `ldap` auth (an example ldap server is included, see `docker-compose-ldap-auth.yml` )

- local user auth `docker-compose-local-auth.yml`

- docker based workers `docker-compose-worker.yml`

- standalone workers (offsite) `docker-compose-worker-standalone.yml`

You can configure which aspects you want to pick by modifying `COMPOSE_FILE` in `.env`. So disable `vault` or `minio` or `ldap` as you please.

Please always consider to run your workers on a different machine / docker-engine then web in `production`.. they really kill each other.

I recommend running a standalone-worker on a non-docker engine VM in production (or several).

II. For the authentication, you have to pick at least `ldap` or `local` for auth

II. This will start a concourse server right up, including your aspects. The default is vault and ldap auth

    docker-compose up

    # or

    ./start.sh

## Examples

See examples including all the scripts to test your login, deploy test pipelines and pre-fill your vault for pipeline

testing

### Vault

See the `examples/run_3_vault_test.sh` script to see how consul con be setup and started with a vault based pipeline

`examples/vaults-based`

### Login / Credentials

The credentials for the first login depend on the auth type you have chose. Right now **Ldap** is the **default**

**Ldap**

When using the LDAP, potential users are listed here: https://github.com/EugenMayer/docker-image-ldapexample

- user: included1 / password: included1

See the [Concourse LDAP AUTH docs](https://concourse-ci.org/ldap-auth.html) if you want to lear more

**Local**

- user:admin / password: admin

See the [Concourse Local AUTH docs](https://concourse-ci.org/local-auth.html) if you want to learn more

### Access the WebUI

See "Login/Credentials" section for the login information, access the GUI :

    http://localhost

### Cli Configuration

Now install the cli

    # MacOS

    brew cask install fly

    # linux, e.g. arch AUR

    yay -S concourse-fly-bin

    # or download from the running concourse server

    # MacOS

    curl -o fly http://localhost/api/v1/cli?arch=amd64&platform=darwin

    # or Linux

    curl -o fly http://localhost/api/v1/cli?arch=amd64&platform=linux

now login with the cli against our local server

    fly -t test_main login -c http://localhost

    # see "Login/Credentials" for the login information

update fly

    fly -t test_main sync

Adjustments can be done by editing the .env file

### Create/Deploy a pipeline

push a pipeline to the main team / pipeline from `ci/pipline.yml`

    fly sp -t test_main configure -c ci/pipline.yml -p main --load-vars-from ../credentials.yml -n

## Minio s3 based storage

Having a proper artifact storage is basically a mandatory point with concourse-ci, maybe one of the key differences to other CI solutions

and for sure can be seen as a burden when you start concourse.

You can dodge it but you will regret it since concourse is stubborn in this regard - it will force it.

That is why Minio is included in this stack to provide an out of the box

s3 storage - locally. Without the hassle of s3 keys or similar.

**Be aware, Minio does not support object versioning, you will not be able to use `versioned_file: myapp.tgz` but only `regexp`**

To login, connect to

- http://localhost:9001

- user: minio

- password: changeme

You will need to create at leas one bucket to use it, obviously.

See https://github.com/kw-concourse-example/concourse-app-release-lifecycle-example for an example on how to use Minio

but basically its just the same as you would use AWS s3 - it's a "imitation"

## Intercept into a broken / running container

    fly -t test_main intercept -j /

so for example, assuming we have a job in pipeline `main` named `builder-image-build`

    fly -t test_main intercept -j main/builder-image-build

### Vault access and setting values

To adjust your vault or putting value into it, you should use the configurator container, which has the ability to talk to it

and set new values. Its pretty easy, just do

connect into the container

    docker-compose exec config bash

load credentials and server config

    source /vault/server/init_vars

set a value of your desire

    vault kv put secret/concourse/test value=test

or in short

    docker-compose exec config bash -l -c 'source /vault/server/init_vars && vault kv put secret/concourse/main/firstvalue value=foo'

## Advanced

### Vault: Testing client access

since the above is all done using the server token, you can try the client token too

    docker-compose exec config bash

    export VAULT_CLIENT_CERT=/vault/concourse/cert.pem

    export VAULT_CLIENT_KEY=/vault/concourse/key.pem

    export VAULT_ADDR=https://vault:8200

    export VAULT_CACERT=/vault/concourse/server.crt

    vault login -method=cert

    vault kv get secret/concourse/main/main/myvalue