Getting Started with GoStint
Getting started with a Vagrant Development Environment
- Prereqs:
- Docker
- Vagrant
- Clone this project.
- Start up the vagrant docker instance:
gostint $ vagrant up
- SSH into the Vagrant instance:
gostint $ vagrant ssh vagrant@23e208f27e53:~$
- Change to the gostint src folder mapped into the container:
vagrant@23e208f27e53:~$ cd go/src/github.com/gbevan/gostint vagrant@23e208f27e53:~/go/src/github.com/gbevan/gostint$
- Start gostint using
godo
:vagrant@23e208f27e53:~/go/src/github.com/gbevan/gostint$ godo
(optional parameter
--watch
will restart if changes are detected)You should see a log similar to:
... 2018/07/29 15:37:39 Starting gostint service 2018/07/29 15:37:39 Dialing Mongodb 2018/07/29 15:37:39 Logging in to gostint db
The gostint server is now running with it’s api accessible at https://127.0.0.1:3232 (also the vault ui/api is exposed at https://127.0.0.1:8300)
- In another vagrant ssh window, you can run the BATs api tests:
gostint $ vagrant ssh vagrant@23e208f27e53:~$ cd go/src/github.com/gbevan/gostint vagrant@23e208f27e53:~$ godo test ...
The Vagrant container starts up the dev instance of MongodDB and Vault automatically.
Simple “Production” Deployment
Note: this is a work-in-progress…
This example is to demo a very simple prod deployment. Ideally in production each of the components would be configured for High Availability and Scalability.
- Start a MongoDB docker service - see the official
mongo image.
Configure:
mongo admin --eval "db.createUser({user: 'your_db_user', pwd: 'your_db_password', roles: [{role: 'root', db: 'admin'}]})"
- Start a Hashicorp Vault service - if deploying to a real production
environment then consider their reference architecture
guide, esp around hardening recommendations - for now you can use the official
vault docker image.
Configure vault for gostint:
export VAULT_ADDR="https://your_vault_host:8200" vault login your_root_token vault secrets enable database # Configure Vault's MongoDB Secret Engine for our DB instance # this requires privileged creds for the DB to allow Vault to issue ephemeral # creds to gostint. It is recommended to rotate your privileged creds in production. vault write database/config/gostint-mongodb \ plugin_name=mongodb-database-plugin \ allowed_roles="gostint-dbauth-role" \ connection_url="mongodb://:@your_db_host:27017/admin?ssl=false" \ username="your_db_user" \ password="your_db_password" vault write database/roles/gostint-dbauth-role \ db_name=gostint-mongodb \ creation_statements='{ "db": "gostint", "roles": [{ "role": "readWrite" }] }' \ default_ttl="10m" \ max_ttl="24h" # Create policy to access mongodb secret eng user/pass generator curl -s \ --request POST \ --header 'X-Vault-Token: your_root_token' \ --data '{"policy": "path \"database/creds/gostint-dbauth-role\" {\n capabilities = [\"read\"]\n}"}' \ ${VAULT_ADDR}/v1/sys/policy/gostint-mongodb-auth vault secrets enable transit vault write -f transit/keys/gostint # Enable Vault AppRole vault auth enable approle # Create policy to access kv secrets for approle curl -s \ --request POST \ --header 'X-Vault-Token: your_root_token' \ --data '{"policy": "path \"secret/*\" {\n capabilities = [\"read\"]\n}"}' \ ${VAULT_ADDR}/v1/sys/policy/gostint-approle-kv # Create policy to access transit decrypt gostint for approle curl -s \ --request POST \ --header 'X-Vault-Token: your_root_token' \ --data '{"policy": "path \"transit/decrypt/gostint\" {\n capabilities = [\"update\"]\n}"}' \ ${VAULT_ADDR}/v1/sys/policy/gostint-approle-transit-decrypt-gostint # Create named role for gostint vault write auth/approle/role/gostint-role \ secret_id_ttl=24h \ secret_id_num_uses=10000 \ token_num_uses=10 \ token_ttl=20m \ token_max_ttl=30m \ policies="gostint-approle-kv,gostint-approle-transit-decrypt-gostint"
- Start gostint:
This will need a
deployment_token_from_vault
issued from a privileged persona to allow this deployment to setup the required policies etc (dont forget to revoke tokens once you are finished with them).export VAULT_ADDR="https://your_vault_host:8200" # Request a MongoDB secret engine token for gostint to request an ephemeral # time-bound username/password pair. token=$(curl -s \ --request POST \ --header 'X-Vault-Token: deployment_token_from_vault' \ --data '{"policies": ["gostint-mongodb-auth"], "ttl": "10m", "num_uses": 2}' \ ${VAULT_ADDR}/v1/auth/token/create | jq .auth.client_token -r) # Get gostint's AppRole RoleId from the Vault roleid=`curl -s --header 'X-Vault-Token: deployment_token_from_vault' \ ${VAULT_ADDR}/v1/auth/approle/role/gostint-role/role-id | jq .data.role_id -r` # Run gostint docker run --init -d \ --name gostint -p 3232:3232 \ --privileged=true \ -v your_gostint_cfg/etc:/var/lib/gostint \ --volume /etc/localtime:/etc/localtime:ro \ --volume /etc/timezone:/etc/timezone:ro \ -e VAULT_ADDR="$VAULT_ADDR" \ -e GOSTINT_DBAUTH_TOKEN="$token" \ -e GOSTINT_ROLEID="$roleid" \ goethite/gostint:v?.?.?
Note:
--privileged=true
is currently required to allow docker-in-docker.your_gostint_cfg/etc
needs to contain your gostint instance’s TLS private key and certificate, namedkey.pem
andcert.pem
respectively.