diff --git a/README.md b/README.md
index be1b82b..41b38a1 100644
--- a/README.md
+++ b/README.md
@@ -248,6 +248,56 @@ Notes:
 - The `:Z` option in volume mounts is specific to SELinux-enabled systems and ensures proper volume labeling
 - The logs directory will be created with appropriate permissions if it doesn't exist
 
+## Docker Compose Deployment
+
+The application includes a Docker Compose configuration that runs both Advanced Wallet Manager (AWM) and Master BitGo Express (MBE) services with proper network isolation for enhanced security.
+
+### Architecture Overview
+
+The Docker Compose setup creates two isolated services:
+
+- **Advanced Wallet Manager (AWM)**: Runs in an isolated internal network with no external access for maximum security
+- **Master BitGo Express (MBE)**: Connected to both internal network (for AWM communication) and public network (for external API access)
+- **Network Isolation**: AWM is completely isolated from external networks and only accessible through MBE
+
+### Network Configuration
+
+The setup creates two distinct networks:
+
+1. **my-internal-network**:
+   - Internal bridge network with `internal: true`
+   - Used for secure AWM isolation and MBE-to-AWM communication
+   - No external internet access for security
+
+2. **my-public-network**:
+   - Public bridge network
+   - Used for external access to MBE APIs
+   - Connected to host networking
+
+### Prerequisites
+
+1. **Install Docker and Docker Compose**
+2. **Ensure KMS service is running** on your host machine (typically on port 3000)
+
+### Quick Start
+
+1. **Start the services:**
+
+```bash
+# Navigate to project directory
+cd advanced-wallet
+
+# Start both services in background
+docker-compose up -d
+```
+
+2. **Stop the services:**
+
+```bash
+# Stop and remove containers
+docker-compose down
+```
+
 ## API Endpoints
 
 ### Advanced Wallet Manager (Port 3080)
@@ -300,4 +350,3 @@ env | grep -E "(APP_MODE|KMS_URL|ADVANCED_WALLET_MANAGER|TLS_)"
 ## License
 
 MIT
-```
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..e08ba91
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,53 @@
+version: '3.8'
+
+services:
+  # Service for advanced-wallet-manager (AWM)
+  advanced-wallet-manager:
+    build: .  # Build from the Dockerfile inside the repo
+    container_name: advanced-wallet-manager
+    networks:
+      - my-internal-network  # Only part of the internal network
+    environment:
+      - ADVANCED_WALLET_MANAGER_PORT=3081
+      - TLS_MODE=disabled
+      - ALLOW_SELF_SIGNED=true
+      - MTLS_REQUEST_CERT=false
+      - RECOVERY_MODE=true
+      - APP_MODE=advanced-wallet-manager
+      - KMS_URL=http://172.20.0.1:3000
+      - BIND=0.0.0.0
+    restart: always
+    ports: []  # No public ports exposed
+
+  # Service for master-bitgo-express (MBE) - both internal and publicly accessible
+  master-bitgo-express:
+    build: .  # Build from the Dockerfile inside the repo
+    container_name: master-bitgo-express
+    networks:
+      - my-internal-network  # Connect to the internal network for internal communication
+      - my-public-network  # Connect to the public network for external access
+    environment:
+      - APP_MODE=master-express
+      - BITGO_ENV=test
+      - TLS_KEY_PATH=test-ssl-key.pem
+      - TLS_CERT_PATH=test-ssl-cert.pem
+      - ADVANCED_WALLET_MANAGER_URL=http://advanced-wallet-manager:3081
+      - ENCLAVED_EXPRESS_CERT=./test-ssl-cert.pem
+      - MTLS_REQUEST_CERT=false
+      - ALLOW_SELF_SIGNED=true
+      - TLS_MODE=disabled
+      - RECOVERY_MODE=true
+      - MASTER_EXPRESS_PORT=3081
+      - BIND=0.0.0.0
+    restart: always
+    ports:
+      - "3081:3081"  # Expose MBE publicly on port 3081
+
+# Networks section
+networks:
+  my-internal-network:
+    driver: bridge  # Internal communication network, no access to the internet
+    internal: true  # Ensures this network is not accessible from outside
+
+  my-public-network:
+    driver: bridge  # Public network, allowing external access to MBE
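Review bot: Every transport protection in this file is switched off — `TLS_MODE=disabled`, `MTLS_REQUEST_CERT=false` and `ALLOW_SELF_SIGNED=true` on both services, plus `RECOVERY_MODE=true` — and MBE is published as `"3081:3081"`, i.e. plaintext on all host interfaces, while the README hunk in this same commit presents the file as the secure deployment path. If this is a local test profile, state that in a header comment and narrow the publish to `- "127.0.0.1:3081:3081"`; if it is meant for real deployment, move these values into a `.env` with TLS-on defaults so the insecure settings are an explicit opt-in. `KMS_URL=http://172.20.0.1:3000` hard-codes a bridge gateway address, but `my-internal-network` declares no `ipam` subnet, so that address is not guaranteed, and an `internal: true` network may not be able to reach a host-bound service at all — pin the subnet or use `extra_hosts` with `host.docker.internal:host-gateway`, and verify reachability. `version: '3.8'` is obsolete and ignored (with a warning) by current Compose and can be dropped.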