barycenter/DEPLOYMENT.md
Till Wegmueller c8b27bf196
feat: add deployment configurations for multiple platforms
Add comprehensive deployment support for:
- Docker: Multi-stage Dockerfile with security hardening
- Docker Compose: Production-ready compose file with volume persistence
- Kubernetes: Complete Helm chart with configurable values, ingress, PVC
- Linux: systemd service unit with extensive security hardening
- FreeBSD: rc.d init script with proper daemon management
- illumos/Solaris: SMF manifest with service contract management

Each platform includes:
- Installation scripts/manifests
- Configuration examples
- Management instructions
- Security best practices
- Troubleshooting guides

The Helm chart provides:
- Configurable resources and autoscaling
- Security contexts and pod security
- Health checks (liveness/readiness probes)
- Ingress with TLS support
- Persistent volume claims
- Service account management

All deployments follow security best practices:
- Non-root user execution
- Minimal privileges
- Read-only root filesystems where applicable
- Resource limits
- Network policies

Added DEPLOYMENT.md with comprehensive deployment guide covering
all platforms, configuration options, and production checklist.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-29 15:30:46 +01:00

# Deployment Guide
This guide covers deploying Barycenter OpenID Connect Identity Provider on various platforms.
## Table of Contents
- [Docker](#docker)
- [Docker Compose](#docker-compose)
- [Kubernetes (Helm)](#kubernetes-helm)
- [Linux (systemd)](#linux-systemd)
- [FreeBSD](#freebsd)
- [illumos/Solaris](#illumossolaris)
- [Configuration](#configuration)
- [Security Considerations](#security-considerations)
---
## Docker
### Building the Image
```bash
docker build -t barycenter:latest .
```
### Running the Container
```bash
docker run -d \
--name barycenter \
-p 8080:8080 \
-v barycenter-data:/app/data \
-e RUST_LOG=info \
barycenter:latest
```
### Custom Configuration
Mount a custom config file:
```bash
docker run -d \
--name barycenter \
-p 8080:8080 \
-v ./config.toml:/app/config/config.toml:ro \
-v barycenter-data:/app/data \
barycenter:latest
```
---
## Docker Compose
### Quick Start
```bash
# Start the service
docker-compose up -d
# View logs
docker-compose logs -f
# Stop the service
docker-compose down
```
### Production Configuration
Edit `docker-compose.yml` to customize:
```yaml
environment:
  - RUST_LOG=info
  - CRABIDP__SERVER__PUBLIC_BASE_URL=https://idp.example.com
```
---
## Kubernetes (Helm)
### Prerequisites
- Kubernetes cluster (1.19+)
- Helm 3.x
- kubectl configured
### Installation
1. **Install the Helm chart:**
```bash
helm install barycenter ./deploy/helm/barycenter \
--create-namespace \
--namespace barycenter
```
2. **With custom values:**
```bash
helm install barycenter ./deploy/helm/barycenter \
--namespace barycenter \
--set ingress.enabled=true \
--set ingress.hosts[0].host=idp.example.com \
--set config.server.publicBaseUrl=https://idp.example.com
```
3. **Using a values file:**
Create `my-values.yaml`:
```yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: idp.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: barycenter-tls
      hosts:
        - idp.example.com

config:
  server:
    publicBaseUrl: "https://idp.example.com"

persistence:
  enabled: true
  size: 20Gi
  storageClass: fast-ssd

resources:
  limits:
    cpu: 2000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 256Mi
```
Install with:
```bash
helm install barycenter ./deploy/helm/barycenter \
--namespace barycenter \
--values my-values.yaml
```
### Management
**Upgrade:**
```bash
helm upgrade barycenter ./deploy/helm/barycenter \
--namespace barycenter \
--values my-values.yaml
```
**Uninstall:**
```bash
helm uninstall barycenter --namespace barycenter
```
**Check status:**
```bash
helm status barycenter --namespace barycenter
kubectl get pods -n barycenter
```
---
## Linux (systemd)
### Installation
See detailed instructions in [`deploy/systemd/README.md`](deploy/systemd/README.md).
**Quick steps:**
1. Build and install binary:
```bash
cargo build --release
sudo cp target/release/barycenter /usr/local/bin/
```
2. Create user and directories:
```bash
sudo useradd -r -s /bin/false -d /var/lib/barycenter barycenter
sudo mkdir -p /etc/barycenter /var/lib/barycenter/data
sudo chown -R barycenter:barycenter /var/lib/barycenter
```
3. Install configuration:
```bash
sudo cp config.toml /etc/barycenter/
# Edit /etc/barycenter/config.toml to update paths
```
4. Install and start service:
```bash
sudo cp deploy/systemd/barycenter.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now barycenter
```
### Management
```bash
# Status
sudo systemctl status barycenter
# Logs
sudo journalctl -u barycenter -f
# Restart
sudo systemctl restart barycenter
```
---
## FreeBSD
### Installation
See detailed instructions in [`deploy/freebsd/README.md`](deploy/freebsd/README.md).
**Quick steps:**
1. Build and install:
```bash
cargo build --release
sudo install -m 755 target/release/barycenter /usr/local/bin/
```
2. Create user and directories:
```bash
sudo pw useradd barycenter -d /var/db/barycenter -s /usr/sbin/nologin
sudo mkdir -p /usr/local/etc/barycenter /var/db/barycenter/data
sudo chown -R barycenter:barycenter /var/db/barycenter
```
3. Install configuration:
```bash
sudo cp config.toml /usr/local/etc/barycenter/
# Edit /usr/local/etc/barycenter/config.toml
```
4. Install and enable service:
```bash
sudo install -m 755 deploy/freebsd/barycenter /usr/local/etc/rc.d/
echo 'barycenter_enable="YES"' | sudo tee -a /etc/rc.conf
sudo service barycenter start
```
---
## illumos/Solaris
### Installation
See detailed instructions in [`deploy/illumos/README.md`](deploy/illumos/README.md).
**Quick steps:**
1. Build and install:
```bash
cargo build --release
sudo mkdir -p /opt/barycenter/bin
sudo cp target/release/barycenter /opt/barycenter/bin/
```
2. Create user and directories:
```bash
sudo useradd -d /var/barycenter -s /usr/bin/false barycenter
sudo mkdir -p /etc/barycenter /var/barycenter/data
sudo chown -R barycenter:barycenter /var/barycenter
```
3. Install configuration:
```bash
sudo cp config.toml /etc/barycenter/
# Edit /etc/barycenter/config.toml
```
4. Import and enable SMF service:
```bash
sudo svccfg import deploy/illumos/barycenter.xml
sudo svcadm enable barycenter
```
---
## Configuration
### Environment Variables
All configuration can be overridden using environment variables with the `CRABIDP__` prefix:
```bash
# Override server settings
export CRABIDP__SERVER__PORT=9090
export CRABIDP__SERVER__PUBLIC_BASE_URL=https://idp.example.com
# Override database
export CRABIDP__DATABASE__URL=sqlite:///custom/path/db.sqlite
# Set logging
export RUST_LOG=debug
```
### Configuration File
The `config.toml` file structure:
```toml
[server]
host = "0.0.0.0"
port = 8080
public_base_url = "https://idp.example.com" # Required in production
[database]
url = "sqlite://crabidp.db?mode=rwc"
[keys]
jwks_path = "data/jwks.json"
private_key_path = "data/private_key.pem"
alg = "RS256"
[federation]
trust_anchors = []
```
### Production Checklist
- [ ] Set `public_base_url` to your actual domain
- [ ] Use HTTPS/TLS (via reverse proxy or ingress)
- [ ] Configure proper logging (`RUST_LOG=info`)
- [ ] Set up persistent storage for database and keys
- [ ] Configure backups for database and private keys
- [ ] Set appropriate file permissions (600 for keys, 640 for config)
- [ ] Run as non-root user
- [ ] Configure firewall rules
- [ ] Set up monitoring and health checks
- [ ] Review and apply security hardening settings
---
## Security Considerations
### TLS/HTTPS
Barycenter should always run behind a TLS-terminating reverse proxy or load balancer in production. Never expose it directly on HTTP.
**Options:**
- **Kubernetes:** Use Ingress with cert-manager for automatic TLS
- **Linux:** Use nginx, Caddy, or Traefik as reverse proxy
- **Cloud:** Use cloud load balancers (ALB, GCE LB, etc.)
### Reverse Proxy Example (nginx)
```nginx
server {
    listen 443 ssl http2;
    server_name idp.example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
### File Permissions
```bash
# Configuration (readable by service, writable by root)
chmod 640 /etc/barycenter/config.toml
chown root:barycenter /etc/barycenter/config.toml
# Private key (readable only by service)
chmod 600 /var/lib/barycenter/data/private_key.pem
chown barycenter:barycenter /var/lib/barycenter/data/private_key.pem
# Data directory
chmod 750 /var/lib/barycenter
chown barycenter:barycenter /var/lib/barycenter
```
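A pre-flight check that ties the Production Checklist to the permissions above: it verifies the modes and key ownership set in this section and that `public_base_url` in the config is an `https://` URL before the service is started. This is an added example, not a script shipped with Barycenter; the `preflight` function name and its argument order are assumptions, and the paths are passed in so it can be run against the systemd, FreeBSD or illumos layouts alike.

```bash
#!/bin/sh
# Pre-flight check for a Barycenter deployment (added example, not project code).
# Usage: preflight CONFIG_FILE PRIVATE_KEY DATA_DIR SERVICE_USER
# Exit status 0 means every check passed; 1 means at least one finding.

# Octal mode / owner of a path: GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null; }

# Fail when a mode grants any permission bit outside the expected maximum,
# so 600 passes a 640 check but 644 or 660 does not.
check_mode() {
    path=$1; max=$2
    mode=$(file_mode "$path") || { echo "FAIL: $path missing"; return 1; }
    if [ $(( 0$mode & ~0$max )) -ne 0 ]; then
        echo "FAIL: $path is mode $mode, expected at most $max"
        return 1
    fi
    echo "ok: $path mode $mode"
}

preflight() {
    cfg=$1; key=$2; data=$3; user=$4; rc=0
    # Modes from the File Permissions section: 640 config, 600 key, 750 data dir.
    check_mode "$cfg"  640 || rc=1
    check_mode "$key"  600 || rc=1
    check_mode "$data" 750 || rc=1
    # The private key must belong to the service account, not root or a deployer.
    if [ "$(file_owner "$key")" = "$user" ]; then
        echo "ok: $key owned by $user"
    else
        echo "FAIL: $key is not owned by $user"; rc=1
    fi
    # TLS terminates at the proxy, but the issuer advertised to clients is taken
    # from public_base_url, so it must still be https. (Assumes a single
    # public_base_url key as in the config.toml example above.)
    url=$(sed -n 's/^public_base_url *= *"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    case "$url" in
        https://*) echo "ok: public_base_url=$url" ;;
        "")        echo "FAIL: public_base_url is not set in $cfg"; rc=1 ;;
        *)         echo "FAIL: public_base_url=$url is not https"; rc=1 ;;
    esac
    return $rc
}
```

Run it as root (or the service user) after step 3 of the platform's installation, and wire it into the service's pre-start hook if the init system supports one.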
### Backup Strategy
**Critical files to backup:**
1. Private RSA key (`private_key.pem`)
2. Database (`crabidp.db`)
3. Configuration (`config.toml`)
**Backup script example:**
```bash
#!/bin/bash
set -euo pipefail
# Staged copies must never be world-readable: the private key is among them.
umask 077
DATE=$(date +%Y%m%d)
BACKUP_DIR=/backup/barycenter/$DATE
mkdir -p "$BACKUP_DIR"
# Backup database (consistent online copy via SQLite's backup API)
sqlite3 /var/lib/barycenter/crabidp.db ".backup '$BACKUP_DIR/crabidp.db'"
# Backup keys and config
cp /var/lib/barycenter/data/private_key.pem "$BACKUP_DIR/"
cp /etc/barycenter/config.toml "$BACKUP_DIR/"
# Encrypt and upload to remote storage; only the encrypted archive leaves the host
tar czf - -C "$(dirname "$BACKUP_DIR")" "$DATE" \
    | gpg -e -r admin@example.com \
    | aws s3 cp - "s3://backups/barycenter-$DATE.tar.gz.gpg"
```
### Monitoring
**Health check endpoint:**
```bash
curl http://localhost:8080/.well-known/openid-configuration
```
**Metrics to monitor:**
- HTTP response times
- Error rates (4xx, 5xx)
- Database connection status
- Disk usage (for SQLite file)
- Memory/CPU usage
---
## Support
For issues and questions:
- GitHub Issues: https://github.com/yourusername/barycenter/issues
- Documentation: See `README.md` and `CLAUDE.md`