diff --git a/README.md b/README.md index b98c484..495fb4f 100644 --- a/README.md +++ b/README.md @@ -73,10 +73,10 @@ For containerized deployment, build the Docker images: ```bash # Build Master Express (default port 3081) -npm run container:build +npm run container:build:master-bitgo-express # Build Advanced Wallet Manager (port 3080) -npm run container:build --build-arg PORT=3080 +npm run container:build:advanced-wallet-manager ``` ## Quick Start @@ -193,10 +193,14 @@ curl -k -X POST https://localhost:3081/ping/advancedWalletManager ```bash # For Master Express (default port 3081) -npm run container:build +npm run container:build:master-bitgo-express -# For Advanced Wallet Manager (port 3080) -npm run container:build --build-arg PORT=3080 +# For Advanced Wallet Manager (default port 3080) +npm run container:build:advanced-wallet-manager + +# Or specify custom ports +npm run container:build:master-bitgo-express -- --build-arg PORT=3081 +npm run container:build:advanced-wallet-manager -- --build-arg PORT=3082 ``` ### Run Containers @@ -216,7 +220,7 @@ podman run -d \ -e KMS_URL=host.containers.internal:3000 \ -e NODE_ENV=development \ -e CLIENT_CERT_ALLOW_SELF_SIGNED=true \ - bitgo-onprem-express + advanced-wallet-manager # View logs podman logs -f @@ -236,7 +240,7 @@ podman run -d \ -e ADVANCED_WALLET_MANAGER_URL=https://host.containers.internal:3080 \ -e AWM_SERVER_CA_CERT_PATH=/app/certs/advanced-wallet-manager-cert.pem \ -e CLIENT_CERT_ALLOW_SELF_SIGNED=true \ - bitgo-onprem-express + master-bitgo-express # View logs podman logs -f diff --git a/docker-compose.yml b/docker-compose.yml index e08ba91..ccb778a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -3,51 +3,116 @@ version: '3.8' services: # Service for advanced-wallet-manager (AWM) advanced-wallet-manager: - build: . # Build from the Dockerfile inside the repo + build: . # Build from the Dockerfile inside the repo container_name: advanced-wallet-manager networks: - - my-internal-network # Only part of the internal network + - my-internal-network # Only part of the internal network environment: - - ADVANCED_WALLET_MANAGER_PORT=3081 - - TLS_MODE=disabled - - ALLOW_SELF_SIGNED=true - - MTLS_REQUEST_CERT=false - - RECOVERY_MODE=true + # Application mode (required) - APP_MODE=advanced-wallet-manager - - KMS_URL=http://172.20.0.1:3000 + + # Network settings + - ADVANCED_WALLET_MANAGER_PORT=3080 - BIND=0.0.0.0 + - TIMEOUT=305000 + - KEEP_ALIVE_TIMEOUT=65000 + - HEADERS_TIMEOUT=66000 + + # TLS settings + - TLS_MODE=disabled + - CLIENT_CERT_ALLOW_SELF_SIGNED=true + + # KMS settings (required) + - KMS_URL=http://172.20.0.1:3000 # UPDATE TO YOUR OWN KMS URL + - KMS_SERVER_CERT_ALLOW_SELF_SIGNED=true + + # Optional KMS TLS settings (uncomment if using mTLS with KMS) + # - KMS_SERVER_CA_CERT_PATH=/path/to/kms-ca-cert.pem + # - KMS_CLIENT_TLS_KEY_PATH=/path/to/kms-client-key.pem + # - KMS_CLIENT_TLS_CERT_PATH=/path/to/kms-client-cert.pem + # - KMS_CLIENT_TLS_KEY= + # - KMS_CLIENT_TLS_CERT= + + # Optional server TLS settings (uncomment if using mTLS) + # - SERVER_TLS_KEY_PATH=/path/to/server-key.pem + # - SERVER_TLS_CERT_PATH=/path/to/server-cert.pem + # - SERVER_TLS_KEY= + # - SERVER_TLS_CERT= + # - MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123,DEF456 + + # Logging and debug + - HTTP_LOGFILE=logs/http-access.log + - RECOVERY_MODE=true + - NODE_ENV=production + - LOG_LEVEL=info restart: always - ports: [] # No public ports exposed + ports: [] # No public ports exposed + volumes: + - ./logs:/app/logs # Mount logs directory # Service for master-bitgo-express (MBE) - both internal and publicly accessible master-bitgo-express: - build: . 
# Build from the Dockerfile inside the repo + build: . # Build from the Dockerfile inside the repo container_name: master-bitgo-express networks: - - my-internal-network # Connect to the internal network for internal communication - - my-public-network # Connect to the public network for external access + - my-internal-network # Connect to the internal network for internal communication + - my-public-network # Connect to the public network for external access environment: + # Application mode (required) - APP_MODE=master-express + + # Network settings + - MASTER_EXPRESS_PORT=3081 + - BIND=0.0.0.0 + - TIMEOUT=305000 + - KEEP_ALIVE_TIMEOUT=65000 + - HEADERS_TIMEOUT=66000 + + # BitGo API settings - BITGO_ENV=test - - TLS_KEY_PATH=test-ssl-key.pem - - TLS_CERT_PATH=test-ssl-cert.pem - - ADVANCED_WALLET_MANAGER_URL=http://advanced-wallet-manager:3081 - - ENCLAVED_EXPRESS_CERT=./test-ssl-cert.pem - - MTLS_REQUEST_CERT=false - - ALLOW_SELF_SIGNED=true + - BITGO_DISABLE_ENV_CHECK=true + - BITGO_AUTH_VERSION=2 + # - BITGO_CUSTOM_ROOT_URI=https://custom-bitgo-api.com + # - BITGO_CUSTOM_BITCOIN_NETWORK=testnet + + # Advanced Wallet Manager connection (required) + - ADVANCED_WALLET_MANAGER_URL=http://advanced-wallet-manager:3080 + - AWM_SERVER_CERT_ALLOW_SELF_SIGNED=true + + # Optional AWM TLS settings (uncomment if using mTLS with AWM) + # - AWM_SERVER_CA_CERT_PATH=/path/to/awm-ca-cert.pem + # - AWM_CLIENT_TLS_KEY_PATH=/path/to/awm-client-key.pem + # - AWM_CLIENT_TLS_CERT_PATH=/path/to/awm-client-cert.pem + # - AWM_CLIENT_TLS_KEY= + # - AWM_CLIENT_TLS_CERT= + + # TLS settings - TLS_MODE=disabled + - CLIENT_CERT_ALLOW_SELF_SIGNED=true + + # Optional server TLS settings (uncomment if using mTLS) + # - SERVER_TLS_KEY_PATH=/path/to/server-key.pem + # - SERVER_TLS_CERT_PATH=/path/to/server-cert.pem + # - SERVER_TLS_KEY= + # - SERVER_TLS_CERT= + # - MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123,DEF456 + + # Logging and debug + - HTTP_LOGFILE=logs/http-access.log - RECOVERY_MODE=true - - 
MASTER_EXPRESS_PORT=3081 - - BIND=0.0.0.0 + - NODE_ENV=production + - LOG_LEVEL=info restart: always ports: - - "3081:3081" # Expose MBE publicly on port 3081 + - '3081:3081' # Expose MBE publicly on port 3081 + volumes: + - ./logs:/app/logs # Mount logs directory # Networks section networks: my-internal-network: - driver: bridge # Internal communication network, no access to the internet - internal: true # Ensures this network is not accessible from outside - + driver: bridge # Internal communication network, no access to the internet + internal: true # Ensures this network is not accessible from outside + my-public-network: - driver: bridge # Public network, allowing external access to MBE + driver: bridge # Public network, allowing external access to MBE diff --git a/package.json b/package.json index 47b2ff7..7438187 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,8 @@ "lint:fix": "eslint --quiet --ignore-pattern scripts/bump-version.ts . --fix", "generate-test-ssl": "openssl req -x509 -newkey rsa:2048 -keyout demo.key -out demo.crt -days 365 -nodes -subj '/CN=localhost'", "generate:openapi:masterExpress": "npx @api-ts/openapi-generator --name @bitgo/master-bitgo-express ./src/api/master/routers/index.ts > masterBitgoExpress.json", - "container:build": "podman build -t bitgo-onprem-express .", + "container:build:master-bitgo-express": "podman build --build-arg PORT=3081 -t master-bitgo-express .", + "container:build:advanced-wallet-manager": "podman build --build-arg PORT=3080 -t advanced-wallet-manager .", "bump-versions": "ts-node scripts/bump-version.ts" }, "dependencies": {
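Review bot: Both services in this hunk run with `TLS_MODE=disabled` and every `*_ALLOW_SELF_SIGNED=true` override set, while also declaring `NODE_ENV=production` and publishing master-bitgo-express on `'3081:3081'` of the public network; the README run examples in this same commit point `ADVANCED_WALLET_MANAGER_URL` at `https://…` with an `AWM_SERVER_CA_CERT_PATH`, so the compose file is the one documented path that carries wallet-manager and KMS traffic in plaintext. Nothing in the file says these values are for a local demo, so a copy-paste into a real deployment keeps TLS off silently. I would replace the `# TLS settings` heading in both services with a scoped comment, e.g. `# TLS settings — TLS is DISABLED below for local testing only; for any deployment set TLS_MODE, provide SERVER_TLS_KEY_PATH/SERVER_TLS_CERT_PATH and drop the *_ALLOW_SELF_SIGNED overrides.`, and set `NODE_ENV=development` to match the README unless production semantics are deliberate. `RECOVERY_MODE=true` and `BITGO_DISABLE_ENV_CHECK=true` sit in the same default block and presumably relax checks as well; each deserves a one-line comment saying when it should be on. The hard-coded `KMS_URL=http://172.20.0.1:3000` also assumes the internal bridge's gateway address, which the file never pins with a `subnet`, so it may not match on another host.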
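Review bot: The two new `container:build:*` scripts hard-code `--build-arg PORT=…` before the build context, so the README's override form `npm run container:build:advanced-wallet-manager -- --build-arg PORT=3082` yields a second `--build-arg PORT=` after `.`; which value podman honours is not documented here and should not be relied on. The images are also tagged without a version (`-t master-bitgo-express` resolves to `:latest`), which makes it hard to tell which build a running container came from. I would tag with the package version, e.g. `"container:build:master-bitgo-express": "podman build --build-arg PORT=3081 -t master-bitgo-express:$npm_package_version ."` (npm exports `package.json` fields this way on POSIX shells; verify on the shells you support), and have the README say to edit the script rather than pass a duplicate flag.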