How to Install Concourse CI on an ECS Instance and Encrypt All Traffic

By Hitesh Jethva, Alibaba Cloud Community Blog author. The Blog is a community-driven platform whose main aim is to demonstrate Alibaba Cloud’s technical capabilities, brand message, and thought leadership through relevant and compelling content.

Concourse CI is a modern, flexible continuous integration platform that allows developers to merge modified code into a shared repository multiple times. After each merge, automatic builds and tests run to detect problems in the code, which helps developers find and resolve errors quickly.

In this tutorial, we will learn how to install Concourse CI on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04 and encrypt its traffic.

Requirements

  • A newly created ECS instance installed with Ubuntu 16.04.
  • The static IP address 192.168.43.193 is set up for your instance.
  • A root password is set up for your instance.

Procedure

To install and secure Concourse CI on an ECS instance, complete all of the following steps:

Launch Alibaba Cloud ECS Instance

First, log on to the Alibaba Cloud ECS Console. Then, create a new ECS instance, choose Ubuntu 16.04 as the operating system, and make sure it has at least 2GB of RAM. Next, connect to your ECS instance and log on as the root user.

After you log on to your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install and Configure PostgreSQL

Concourse uses PostgreSQL to store its pipeline data, so you will need to install the PostgreSQL server on your system. You can install it by using the following command:

When the installation is complete, log on as the PostgreSQL user by running the following command:

Next, switch to the PostgreSQL shell and create a user and database for Concourse with the following command:

Exit from the PostgreSQL shell by running the following command:

Install Concourse CI

Download the latest version of the Concourse binary to the /usr/bin directory by using the following command:

Then, download the latest version of the fly binary to the /usr/bin directory with the following command:

Give execute permission to the downloaded binary:

Last, check the versions of Concourse and fly:

The following is output:

The output of this last command is as follows:

Create a Concourse Configuration

Create a Concourse configuration directory to store all of the relevant files:

Next, you will need to create three separate keys: 1) keys for the worker, 2) keys for the TSA, and 3) session signing keys to sign tokens, so that the components can communicate securely with one another.

You can generate the required keys with the following command:

Authorize the workers’ public key by copying its contents to the authorized_worker_keys file.
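The key setup described above, as an added example rather than the original article's commands. It uses ssh-keygen; the key file names other than authorized_worker_keys and the temporary demo directory are assumptions.

```shell
# Added example; key file names and the directory argument are assumptions.

# Generate the TSA, worker and session-signing key pairs in directory $1.
generate_concourse_keys() {
    dir=$1
    mkdir -p "$dir" || return 1
    old_umask=$(umask)
    umask 077   # private keys are never group/other readable, even briefly
    for name in tsa_host_key worker_key session_signing_key; do
        # Keep an existing key: replacing it breaks workers and sessions using it.
        [ -f "$dir/$name" ] && continue
        # -m PEM keeps the classic PEM private-key encoding on newer OpenSSH.
        ssh-keygen -t rsa -b 4096 -m PEM -q -N '' -C "concourse-$name" \
            -f "$dir/$name" || { umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
    # The TSA admits only workers whose public key is listed in this file.
    cp "$dir/worker_key.pub" "$dir/authorized_worker_keys"
    chmod 600 "$dir/tsa_host_key" "$dir/worker_key" "$dir/session_signing_key"
    chmod 644 "$dir"/*.pub "$dir/authorized_worker_keys"
}

# Succeed only if the worker's key fingerprint is in authorized_worker_keys.
worker_is_authorized() {
    fp=$(ssh-keygen -lf "$1/worker_key.pub" | awk '{print $2}')
    ssh-keygen -lf "$1/authorized_worker_keys" | awk '{print $2}' | grep -qxF "$fp"
}

# Demo in a throwaway directory (the page itself uses /opt/concourse).
keys_dir=$(mktemp -d)
if command -v ssh-keygen >/dev/null 2>&1; then
    generate_concourse_keys "$keys_dir" && worker_is_authorized "$keys_dir" \
        && echo "worker key authorized; keys in $keys_dir"
fi
```

Running the function a second time leaves existing keys in place, so it is safe to call from a provisioning script.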

Configure the Concourse Environment

Concourse can read its configuration values natively from environment variables, so you will need to create an environment file for it. You can create a new environment file for Concourse web with the following command:

Add the following lines:

Save and close the file. Then, create an environment file for the worker with the following command:

Add the following lines:

Save and close the file. Then, give permissions to the environment file with the following command:

Create a Systemd Unit File for Concourse

You will need to create systemd unit files to manage the Concourse web and Concourse worker services. First, create a new user to run the web process. This user should match the PostgreSQL user that you created earlier:

Give this user ownership over the /opt/concourse directory:

Next, create a new systemd service file for the Concourse web service:

Add the following lines:

Save and close the file. Then, create a new service file for the Concourse worker service:

Add the following lines:

Save and close the file. Then, start the Concourse web and worker services and enable them to start at boot with the following command:

You can check the status of both services with the following command:

The output is as follows:

Check the status of Concourse Worker by running the following command:

The output is as follows:

Access Concourse Web UI

Concourse is now up and listening on port 8080. It’s time to access Concourse through web browser and command line.

Open your web browser and type the URL http://172.20.10.6:8080. You will be redirected to the Concourse CI page:

Next, click on the login button. You will be asked to select your team on the following page:

Then, click on the main button. You will be redirected to the Concourse CI login page:

Provide the username and password that you set in the environment file. Then, click on the login button. You will be redirected to the Concourse CI dashboard:

You can also connect to Concourse CI using fly with the following command:

You will be asked to provide a username and password as shown below:

You can also log out from the server with the following command:

Secure Concourse CI

Concourse CI is now installed and configured. However, the information sent through the web UI to the Concourse server is not protected, because the connection is not encrypted. We recommend setting up Nginx as a reverse proxy with a free Let’s Encrypt SSL certificate.

To do so, you will need to install Nginx and Certbot, which obtains the SSL certificate, on your system.

First, add the Certbot repository by running the following command:

Next, update the repository and install Certbot, Certbot’s Nginx package and Nginx with the following command:

Next, you will need to obtain certificates from the Let’s Encrypt CA. You can generate the SSL certificates with the following command:

You will be asked to enter an email address and agree to the terms of service. After the process is complete, your certificates are downloaded and stored in the /etc/letsencrypt/live/alibabatest.com/ directory.

By default, Let’s Encrypt certificates expire in 90 days, so you will need to set a cron job to renew all the certificates automatically.

You can do this by running the following command:

Add the following lines:

Save and close the file when you are finished.

Next, you will need to create an Nginx virtual host file for Concourse to redirect all the requests coming on port 8080 to port 80. You can do this by running the following command:

Add the following lines:

Save and close the file. Then, enable Nginx virtual host by running the following command:

Next, you will also need to modify Concourse web environment file:

Make the following changes:

When finished, save and close the file.

Then, restart Nginx, Concourse web and Concourse worker service with the following command:

All the traffic between Concourse CI and the browser is now secured with SSL encryption.

You can now access Concourse CI by visiting the address https://alibabatest.com
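
A check worth running on the web environment file once Nginx is in front, as an added example that is not part of the original article. It assumes the changes are a loopback bind (CONCOURSE_BIND_IP) and an https external URL (CONCOURSE_EXTERNAL_URL); the sample files and their values are constructed.

```shell
# Added example: audit the Concourse web environment file after the TLS step.
# CONCOURSE_BIND_IP / CONCOURSE_EXTERNAL_URL are the env forms of --bind-ip and
# --external-url; the sample files and their values are constructed.

# Print the value of KEY ($2) in env file ($1); the last assignment is used.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print one finding per line; return 0 if the file passes, 1 otherwise.
audit_web_env() {
    f=$1; findings=0
    # The file holds the login password, so group and other get no access.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERMS: group/other bits are '$mode' on $f"; findings=1
    fi
    # Unless bound to loopback, port 8080 keeps serving plain HTTP beside Nginx.
    bind=$(env_value "$f" CONCOURSE_BIND_IP)
    case $bind in
        127.0.0.1|::1) ;;
        *) echo "BIND: CONCOURSE_BIND_IP is '${bind:-unset}'"; findings=1 ;;
    esac
    # The external URL is what the web node puts into links and redirects.
    url=$(env_value "$f" CONCOURSE_EXTERNAL_URL)
    case $url in
        https://*) ;;
        *) echo "URL: CONCOURSE_EXTERNAL_URL is '${url:-unset}'"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed samples: the file before and after the hardening changes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.env" <<'EOF'
CONCOURSE_BASIC_AUTH_USERNAME=example-user
CONCOURSE_BASIC_AUTH_PASSWORD=example-password
CONCOURSE_EXTERNAL_URL=http://192.168.43.193:8080
EOF
chmod 644 "$demo_dir/before.env"
cat > "$demo_dir/after.env" <<'EOF'
CONCOURSE_BASIC_AUTH_PASSWORD=example-password
CONCOURSE_EXTERNAL_URL=https://alibabatest.com
CONCOURSE_BIND_IP=127.0.0.1
EOF
chmod 600 "$demo_dir/after.env"

audit_web_env "$demo_dir/before.env" || echo "before.env: fix the findings above"
audit_web_env "$demo_dir/after.env" && echo "after.env: ok"
```

Point audit_web_env at the real environment file on the instance; a non-zero exit status means at least one of the three checks failed.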
