How to Install Concourse CI on an ECS Instance and Encrypt All Traffic

Requirements

Procedure

Launch Alibaba Cloud ECS Instance

apt-get update -y

Install and Configure PostgreSQL

apt-get install postgresql postgresql-contrib -y
su - postgres
psql
postgres=# create user concourse;
postgres=# ALTER USER concourse WITH ENCRYPTED password 'password';
postgres=# CREATE DATABASE concourse OWNER concourse;
postgres-# \q

Install Concourse CI

wget https://github.com/concourse/concourse/releases/download/v3.10.0/concourse_linux_amd64 -O /usr/bin/concourse
wget https://github.com/concourse/concourse/releases/download/v3.10.0/fly_linux_amd64 -O /usr/bin/fly
chmod 755 /usr/bin/concourse 
chmod 755 /usr/bin/fly
concourse -version
3.10.0
fly -version
3.10.0

Create a Concourse Configuration

mkdir /opt/concourse
ssh-keygen -t rsa -q -N '' -f /opt/concourse/session_signing_key
ssh-keygen -t rsa -q -N '' -f /opt/concourse/tsa_host_key
ssh-keygen -t rsa -q -N '' -f /opt/concourse/worker_key
cp /opt/concourse/worker_key.pub /opt/concourse/authorized_worker_keys

Configure the Concourse Environment

nano /opt/concourse/web.env
CONCOURSE_SESSION_SIGNING_KEY=/opt/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/opt/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/opt/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_POSTGRES_PASSWORD=password
CONCOURSE_POSTGRES_DATABASE=concourse
CONCOURSE_BASIC_AUTH_USERNAME=admin
CONCOURSE_BASIC_AUTH_PASSWORD=password
CONCOURSE_EXTERNAL_URL=http://172.20.10.6:8080
nano /opt/concourse/worker.env
CONCOURSE_WORK_DIR=/opt/concourse/worker
CONCOURSE_TSA_WORKER_PRIVATE_KEY=/opt/concourse/worker_key
CONCOURSE_TSA_PUBLIC_KEY=/opt/concourse/tsa_host_key.pub
CONCOURSE_TSA_HOST=127.0.0.1
chmod 600 /opt/concourse/worker.env
chmod 600 /opt/concourse/web.env

Create a Systemd Unit File for Concourse

adduser --system --group concourse
chown -R concourse:concourse /opt/concourse
nano /etc/systemd/system/concourse-web.service
[Unit]
Description=Concourse CI web server
[Service]
Type=simple
User=concourse
Group=concourse
Restart=on-failure
EnvironmentFile=/opt/concourse/web.env
ExecStart=/usr/bin/concourse web
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=concourse_web
[Install]
WantedBy=multi-user.target
nano /etc/systemd/system/concourse-worker.service
[Unit]
Description=Concourse CI worker process
[Service]
Type=simple
Restart=on-failure
EnvironmentFile=/opt/concourse/worker.env
ExecStart=/usr/bin/concourse worker
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=concourse_worker
[Install]
WantedBy=multi-user.target
systemctl start concourse-web
systemctl enable concourse-web
systemctl start concourse-worker
systemctl enable concourse-worker
systemctl status concourse-web
● concourse-web.service - Concourse CI web server
Loaded: loaded (/etc/systemd/system/concourse-web.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2018-11-11 20:41:54 IST; 7s ago
Main PID: 2527 (concourse)
CGroup: /system.slice/concourse-web.service
└─2527 /usr/bin/concourse web
Nov 11 20:41:54 Node2 systemd[1]: Started Concourse CI web server.
systemctl status concourse-worker
● concourse-worker.service - Concourse CI worker process
Loaded: loaded (/etc/systemd/system/concourse-worker.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2018-11-11 20:41:30 IST; 56s ago
Main PID: 2467 (concourse)
CGroup: /system.slice/concourse-worker.service
└─2467 /usr/bin/concourse worker
Nov 11 20:41:30 Node2 systemd[1]: Started Concourse CI worker process.
Nov 11 20:41:32 Node2 concourse_worker[2467]: {"timestamp":"1541949092.064973593","source":"worker","message":"worker.setup.unpacking","log_lev

Access Concourse Web UI

fly -t test-ci login -c http://172.20.10.6:8080
logging in to team 'main'
username: admin
password:
target saved
fly -t test-ci logout

Secure Concourse CI

add-apt-repository ppa:certbot/certbot
apt-get update -y
apt-get install nginx certbot python-certbot-nginx -y
certbot --nginx -d alibabatest.com -d www.alibabatest.com
crontab -e
00 10 * * * /usr/bin/certbot renew --quiet
nano /etc/nginx/sites-available/concourse
server {
    listen 80;
    server_name alibabatest.com;
    # Send every plaintext request to the TLS listener below.
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name alibabatest.com;
    ssl_certificate /etc/letsencrypt/live/alibabatest.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alibabatest.com/privkey.pem;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are kept as in the original guide; they are legacy versions
    # and can be removed from this list on a current deployment.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/concourse.access.log;
    location / {
        # Forward the original host and client address so Concourse builds correct URLs.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:8080 https://alibabatest.com;
    }
}
ln -s /etc/nginx/sites-available/concourse /etc/nginx/sites-enabled/concourse
nano /opt/concourse/web.env
CONCOURSE_EXTERNAL_URL=https://alibabatest.com
CONCOURSE_BIND_IP=127.0.0.1
CONCOURSE_BIND_PORT=8080
systemctl restart nginx
systemctl restart concourse-web
systemctl restart concourse-worker
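A small audit of the two configuration artifacts this guide produces, the web.env (from the "Configure the Concourse Environment" and "Secure Concourse CI" steps) and the nginx TLS server block, as an added example that is not part of the original post. It runs only on the sample strings constructed inline and flags placeholder passwords, a non-https external URL, a web node not bound to loopback (which would leave port 8080 reachable around the proxy), legacy TLS versions, and the deprecated `ssl on` directive.

```python
import re

# Constructed sample of /opt/concourse/web.env after the "Secure Concourse CI" edits.
WEB_ENV_SAMPLE = """\
CONCOURSE_POSTGRES_PASSWORD=password
CONCOURSE_BASIC_AUTH_PASSWORD=password
CONCOURSE_EXTERNAL_URL=https://alibabatest.com
CONCOURSE_BIND_IP=127.0.0.1
CONCOURSE_BIND_PORT=8080
"""
# Constructed excerpt mirroring the guide's nginx TLS listener (relevant directives only).
NGINX_SAMPLE = "listen 443;\nssl on;\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
PLACEHOLDER_PASSWORDS = {"", "password", "admin", "concourse"}

def parse_env(text):
    # KEY=VALUE lines, the way systemd's EnvironmentFile reads them; comments/blanks skipped.
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def audit_web_env(text):
    # Findings for the web node: placeholder secrets, plaintext external URL, non-loopback bind.
    env, findings = parse_env(text), []
    for key in ("CONCOURSE_POSTGRES_PASSWORD", "CONCOURSE_BASIC_AUTH_PASSWORD"):
        if env.get(key, "").lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"{key} is a placeholder; set a unique secret")
    if not env.get("CONCOURSE_EXTERNAL_URL", "").startswith("https://"):
        findings.append("CONCOURSE_EXTERNAL_URL is not https; fly logins travel in clear")
    if env.get("CONCOURSE_BIND_IP") != "127.0.0.1":
        findings.append("CONCOURSE_BIND_IP is not loopback; port 8080 bypasses the nginx proxy")
    return findings

def audit_nginx(text):
    # Findings for the TLS listener: legacy protocol versions and the deprecated 'ssl on'.
    findings = []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", text, re.M)
    legacy = sorted(set(m.group(1).split()) & {"SSLv3", "TLSv1", "TLSv1.1"}) if m else []
    if legacy:
        findings.append("ssl_protocols enables legacy versions: " + " ".join(legacy))
    if re.search(r"^\s*ssl\s+on\s*;", text, re.M):
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl;' instead")
    return findings

if __name__ == "__main__":
    for finding in audit_web_env(WEB_ENV_SAMPLE) + audit_nginx(NGINX_SAMPLE):
        print("FINDING:", finding)
```

Run it against the real files with `audit_web_env(open("/opt/concourse/web.env").read())` and the nginx site file; an empty list from both is the state to aim for before exposing the host.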
