Service Deployments

How to deploy the STUPS infrastructure service components.

Note

We will assume you are using a dedicated AWS account for the STUPS infrastructure components with the hosted zone stups.example.org. You may also deploy the STUPS infrastructure components into different accounts; please change the URLs according to your setup.

You will need the STUPS and AWS command line tools in order to install the STUPS infrastructure services:

$ sudo pip3 install --upgrade stups awscli

As the service components depend on each other, you will have to deploy them in a certain order:

  • the OAuth2 Provider is required (at least indirectly) by all other services, so set it up first
  • the Token Service is used by the Taupage base AMI
  • the Team Service is used by all services implementing team permissions (e.g. even and Pier One)
  • the User Service is required by the “even” SSH access granting service
  • even allows SSH access for troubleshooting, so deploy it before the remaining services
  • Pier One is used to store all Docker images, so deploy it next
  • TODO: when to bootstrap “mint” and OAuth2 credentials?

OAuth2 Provider

Setting up the OAuth2 provider is highly vendor specific, please refer to your OAuth2 provider’s manual.

We provide a mock OAuth2 authorization server.

Token Service

The Token Service is a proxy to allow getting OAuth2 access tokens without client credentials.

TODO

We provide a simple mock Token Service.

Try out the Token Service with Zign:

$ zign token

Team Service

The Team Service allows getting team membership information. This is used by various components to restrict access to the user’s own team(s).

We provide a simple mock Team Service.

Try out the Team Service with curl:

$ tok=$(zign token uid)
$ curl -H "Authorization: Bearer $tok" https://team-service.stups.example.org/teams
[{..}, ..]
$ curl -H "Authorization: Bearer $tok" https://team-service.stups.example.org/user/jdoe
[{..}, ..]

User Service

The User Service acts as a SSH public key provider for the “even” SSH access granting service.

You can setup your own SSH public key provider by running a HTTP service which allows downloading OpenSSH public keys (suitably formatted for the authorized_keys file) by a simple GET request to an URL containing the user’s ID (e.g. /users/{user}/ssh).

Try out the SSH public key endpoint with an existing user:

$ tok=$(zign token uid)
$ curl -H "Authorization: Bearer $tok" https://user-service.stups.example.org/employees/jdoe/ssh
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAA..

even

The even service allows getting SSH access to any team server.

Create a new internal PostgreSQL cluster in RDS and create the “even” database.

Create the necessary security groups and IAM role by running “senza init”:

$ senza init even.yaml # we will overwrite even.yaml later anyway

Copy example Senza definition YAML and change the URLs to point to your IAM services.

$ wget -O even.yaml https://raw.githubusercontent.com/zalando-stups/even/master/example-senza-definition.yaml
$ vim even.yaml

Create a new KMS key for “even” and give the app-even IAM role permissions to use the KMS key. Encrypt the private SSH key of the “granting-service” Taupage user with KMS and put the cipher text (prefixed with “aws:kms:”) into even.yaml.

$ privkey=$(cat ~/.ssh/ssh-access-granting-service) # use the key generated when building Taupage
$ aws kms encrypt --key-id 123 --plaintext "$privkey" # encrypt with KMS

Deploy.

$ senza create even.yaml 1 $LATEST_VER

Try out the SSH granting service with Più.

Pier One

Pier One is STUPS’ Docker registry.

Create a new S3 bucket (e.g. exampleorg-stups-pierone-eu-west-1) to store the Docker images in.

Create a new internal PostgreSQL cluster in RDS with its own app-pierone-db security group and create the “pierone” database.

Create the necessary security groups and IAM role by running “senza init”:

$ senza init pierone.yaml # we will overwrite pierone.yaml later anyway

Give the app-pierone security access to the RDS database (app-pierone-db security group).

Copy the example Senza definition YAML and change the bucket name and DB_SUBNAME.

$ wget -O pierone.yaml https://raw.githubusercontent.com/zalando-stups/pierone/master/example-senza-definition.yaml
$ vim pierone.yaml

Give the IAM role app-pierone write access to your S3 bucket. The IAM policy might look like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStoringDockerImages",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::exampleorg-stups-pierone-eu-west-1",
                "arn:aws:s3:::exampleorg-stups-pierone-eu-west-1/*"
            ]
        }
    ]
}

Deploy.

$ senza create pierone.yaml 1 $LATEST_VER

Try pushing a Docker image.

$ pierone login
$ docker pull busybox
$ docker tag busybox pierone.stups.example.org/myteam/busybox:0.1
$ docker push pierone.stups.example.org/myteam/busybox:0.1

Kio

Kio is STUPS’ application registry.

Create a new internal PostgreSQL cluster in RDS and create the “kio” database.

Copy the example Senza definition YAML and change the DB_SUBNAME and URLs.

$ wget -O kio.yaml https://raw.githubusercontent.com/zalando-stups/kio/master/example-senza-definition.yaml
$ vim kio.yaml

essentials

TODO

mint Storage

TODO

mint Worker

TODO

YOUR TURN

YOUR TURN is STUPS’ developer console. It is a pure Javascript application including a very small backend. Currently it depends on the following STUPS services:

  • Kio
  • Twintip
  • mint
  • essentials
  • Pier One
  • fullstop.

You also need:

  • an IAM solution that issues OAuth2 access tokens
  • a team service

(See also the STUPS mocks for these.)

Copy the example Senza definition YAML and change the environment variables accordingly.

$ wget -O yourturn.yaml https://raw.githubusercontent.com/zalando-stups/yourturn/master/example-senza.yaml
$ vim yourturn.yaml

fullstop.

TODO