This repository deploys a Concourse cluster behind a Træfik reverse-proxy.
It is a distribution for infrastructure-as-code declarative description of a production-ready Concourse cluster, based on the Turbine Framework and the Turbine CLI.
Historically, this project is related to the former Concourse GBE Downstream, which is now deprecated. The main difference is that this Turbine project does not rely on any upstream distribution and is rather a standalone distribution instead, which simplifies its usage.
The Concourse Cluster from Easy Foundry has these charateristics:
-
CredHub for storing pipeline secrets
-
UAA for CredHub (not for autenticating users, contributions are welcome)
-
Separate instance groups for CredHub and UAA (allows independent scaling of those components)
-
Security: encryption all over the place
- Encryption of data a the database level
- HTTPS between all components
- No HTTP anywhere
-
Discovery (and failover) of components through BOSH DNS aliases (the current best practice, and most portable choice)
-
Sanity tests as post-deploy hook (this fixes a missing piece, because no smoke tests are shipped by the Concourse BOSH Release, unfortunately)
-
Scale horizontally for limited downtime during upgrades
-
Scale ATC (the web UI), CredHub, UAA and Concourse Worker to 2 instances, for limited downtime when upgrading the Concourse cluster
-
Keep Postgres to 1 instance (because the standard and basic Postgres BOSH Release we use doesn't implement leader-follower replication, nor failover, which BTW are not trivial matters)
-
-
Add the ATCs behind a Træfik reverse-proxy
-
With circuit breaking: whenever those 2 ATCs produce more than 50% network errors, then a “Service Unavailable” error message is displayed by Træfik
-
With Dynamic Round Robin load-balancing between ATC nodes, in case only one of them performs bad compared to the other
-
With health checks, so that when an ATC node is shut down by BOSH during an upgrade, then no traffik is served to it anymore
-
-
Support BBR backups
-
Have inetrnal traffic between components not go through the front reverse-proxy and use BOSH DNS load-balancing instead
-
Have Credhub and UAA be reachable on ports 443
-
Resolve external fully-qualified DNS names to private cluster IPs internally, using BOSH DNS
-
Prerequisites:
- Direnv should be installed. Follow instructions from direnv.net.
- VirtualBox v5.2 should be installed. Contributions are welcome for supporting newer versions. We are using this Ansible Role for that.
git clone https://github.com/gstackio/concourse-turbine.git
cd concourse-turbine
direnv allow
git clone https://github.com/gstackio/turbine-cli.git .cache/turbine-cli
vim ddbox-bosh-env/conf/spec.yml # edit value for 'external_ip:'
vim ddbox-garden-env/conf/spec.yml # edit value for 'external_ip:'
TURBINE_ENVIRONMENT=ddbox-garden-env infra up
TURBINE_ENVIRONMENT=ddbox-bosh-env infra upgit pull
TURBINE_ENVIRONMENT=ddbox-garden-env infra up
TURBINE_ENVIRONMENT=ddbox-bosh-env infra up
infra recover -y traefik concourse harbor
infra converge --dry-run traefik
infra converge -y concourse harbor traefikPruning stale workers is required once in a while.
fly -t gk-plat-ops workers | tail +3 | cut -d" " -f1 | xargs -n1 fly -t gk-plat-ops prune-worker -wPlease feel free to submit issues and pull requests.
Copyright © 2018-present, Benjamin Gandon, Gstack
Like BOSH and Turbine, this Turbine distrib is released under the terms of the Apache 2.0 license.