From cb47ab2be82a8e4e06e9a59424a3223864e6f434 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 26 Nov 2024 16:10:55 -0500 Subject: [PATCH] Discussion of dependencies and Vault token --- DEPLOYMENT.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index 20c0b89..be8deed 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md @@ -12,6 +12,13 @@ docker run -p 3000:3000 astral:latest A dockerhub image will be available soon! +# Dependencies +Astral depends on Vault, Postges, AppRegistry, and an oidc +provider. These dependencies are supplied and configured in the +devcontainer, but in production will need to be specified in the +configuration. + +Each dependency has a group of configuration params. # Configuration Astral is configured in `config/astral.yml` -- all availble @@ -31,6 +38,20 @@ which environment var overrides are setup to use the `DB_` prefix. We recommend PostgreSQL for all deployments of Astral, but any Rails-supported database (sqlite, mysql, Oracle, etc) can be used. +## Vault Token and Root Certificate +Astral operates with wide but not complete permissions in Vault. These +can be seen in `app/lib/clients/vault/policy.rb` in the +`create_astral_policy` section. + +An initial bootstrap token is rotated to an `astral` token having only +this policy -- but the initial token needs the ability to create the +policy and the auth token. + +The root certificate path and PKI mount point are specified in the +`vault_root_ca_ref` and related configuration params. A self-signed +root cert can be created by Astral (`vault_create_root: true`), but +you will most likely want to point to a trusted root. + ## Database encryption The Astral database can be encrypted, if needed, but requires a bit of setup and careful retention of a master key. Note that there are potential performance impacts.
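Review bot: The new `# Dependencies` section in the first hunk has a typo and an unfinished thought: `+Astral depends on Vault, Postges, AppRegistry, and an oidc` should read `Postgres` (the second hunk's context already uses `PostgreSQL`) and `OIDC`, and the closing line `+Each dependency has a group of configuration params.` leaves the reader without the information it promises. Suggest either listing the config prefix for each dependency (the Database section already documents the `DB_` prefix, so the same pattern works for Vault, AppRegistry and the OIDC provider) or pointing explicitly at the subsections under `# Configuration` where each group is described.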
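Review bot: The `## Vault Token and Root Certificate` section in the second hunk documents that the bootstrap token is more privileged than the `astral` token it is rotated to, but not how that bootstrap token is supplied or what should happen to it afterwards. Lines `+An initial bootstrap token is rotated to an `astral` token having only` / `+this policy -- but the initial token needs the ability to create the` / `+policy and the auth token.` should be followed by guidance that the bootstrap token is passed only for the initial run (e.g. via an environment override rather than committed to `config/astral.yml`) and is revoked once the `astral` token exists, since as written an operator could reasonably leave the higher-privileged token in the configuration. In the same section, `vault_create_root: true` is described as an option without stating its scope; a sentence noting that the self-signed root is intended for development and that production deployments should point `vault_root_ca_ref` at an existing trusted CA would close that gap.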