Docs
circleci.com
Start Building for Free

Phase 1 - Prerequisites

2 weeks ago8 min read
Server v4.x
Server Admin
On This Page

CircleCI server v4.x is installed as a helm chart. The installation process is broken down into four phases. There is a validation step at the end of each phase, allowing you to confirm success before moving to the next phase. Depending on your requirements, phases 3 and 4 may include multiple steps. This installation guide assumes you have already read the CircleCI Server v4.x Overview.

1. Install required software

Download and install the following software before continuing:

ToolVersionUsed forNotes

Terraform

0.15.4 or greater

Infrastructure Management

kubectl

1.19 or greater

Kubernetes CLI

Helm

3.9.2 or greater

Kubernetes Package Management

Helm Diff

3.5.0 or greater

Helping with values.yaml changes and updates

Optional, but may help with troubleshooting between releases

Velero CLI

Latest

Backup and restore capability

See Velero’s supported providers documentation for further information.

AWS required software

GCP required software

  • gcloud and gsutil. You can install and set-up these tools up by installing Google Cloud SDK. For further information refer to the Google Cloud SDK docs.

S3 compatible storage required software

  • Install and configure MinIO CLI for your storage provider.

2. Create a Kubernetes cluster

CircleCI server installs into an existing Kubernetes cluster. The application uses a large number of resources. Depending on your usage, your Kubernetes cluster should meet the following requirements:

Number of daily active CircleCI usersMinimum NodesTotal CPUTotal RAMNIC speed

< 500

3

12 cores

32 GB

1 Gbps

500+

3

48 cores

240 GB

10 Gbps

Supported Kubernetes versions:

CircleCI VersionKubernetes Version

4.0.0

1.22 - 1.23

Creating a Kubernetes cluster is your responsibility. Please note:

  • You must have appropriate permissions to list, create, edit, and delete pods in your cluster. Run this command to verify your permissions:

    kubectl auth can-i <list|create|edit|delete> pods
  • There are no requirements regarding VPC setup or disk size for your cluster. It is recommended that you set up a new VPC rather than use an existing one.

EKS

You can learn more about creating an Amazon EKS cluster in the EKS docs. We recommend using eksctl to create your cluster, which creates a VPC and selects the proper security groups for you.

  1. Install and configure the AWS CLI for your AWS account.

  2. Install eksctl.

  3. Create your cluster by running the following (Cloud formation with eksctl and EKS can take more than 20 minutes to complete):

    eksctl create cluster --name=circleci-server --nodes 4 --node-type m5.xlarge
  4. Once the cluster has been created, you can use the following command to configure kubectl access:

    eksctl utils write-kubeconfig --cluster circleci-server

GKE

You can learn more about creating a GKE cluster in the GKE docs.

  1. Install and configure the GCP CLI for your GCP account. This includes creating a Google Project, which will be required to create a cluster within your project.

    Setting the default project id, compute zone and region will make running subsequent commands easier:

    gcloud config set project <PROJECT_ID>
    gcloud config set compute/zone <ZONE>
    gcloud config set compute/region <REGION>
  2. Create your cluster

    gcloud container clusters create circleci-server \
      --num-nodes 3 \
      --machine-type n1-standard-4 \
      --workload-pool=<PROJECT_ID>.svc.id.goog

    If you need to update your kube-context manually, you can by running the following:

    gcloud container clusters get-credentials circleci-server
  3. Install the GKE authentication plugin for kubectl:

    gcloud components install gke-gcloud-auth-plugin
  4. Verify your cluster:

    kubectl cluster-info
  5. Create a service account:

    gcloud iam service-accounts create <SERVICE_ACCOUNT_ID> --description="<DESCRIPTION>" \
      --display-name="<DISPLAY_NAME>"
  6. Retrieve credentials for the service account:

    gcloud iam service-accounts keys create <KEY_FILE> \
      --iam-account <SERVICE_ACCOUNT_ID>@<PROJECT_ID>.iam.gserviceaccount.com

Enable Workload Identity in GKE (optional)

Follow these steps if you already have a GKE cluster and need to enable Workload Identity on the cluster and the node pools.

  1. Enable Workload Identity on existing cluster:

      gcloud container clusters update "<CLUSTER_NAME>" \
        --workload-pool="<PROJECT_ID>.svc.id.goog"
  2. Get node pools of existing GKE cluster:

      gcloud container node-pools list --cluster "<CLUSTER_NAME>"
  3. Update existing node pools:

      gcloud container node-pools update "<NODEPOOL_NAME>" \
        --cluster="<CLUSTER_NAME>" \
        --workload-metadata="GKE_METADATA"

You must repeat Step 3 for all the existing node pools. Follow these links for steps to enable Workload Identity for your Kubernetes service accounts:

3. Create a new GitHub OAuth app

Registering and setting up a new GitHub OAuth app for CircleCI server allows for authorization control to your server installation using GitHub OAuth and for updates to GitHub projects/repos using build status information. The following steps apply for both GitHub.com and GitHub Enterprise.

  1. In your browser, navigate to your GitHub instance > User Settings > Developer Settings > OAuth Apps and click the New OAuth App button.

    Screenshot showing setting up a new OAuth app
    Figure 1. New GitHub OAuth App
  2. Complete the following fields, based on your planned installation:

    • Homepage URL: The URL of your planned CircleCI installation.

    • Authorization callback URL: The authorization callback URL is the URL of your planned CircleCI installation followed by /auth/github

  3. Once completed, you will be shown the Client ID. Select Generate a new Client Secret to generate a Client Secret for your new OAuth App. You will need these values when you configure CircleCI server.

    Screenshot showing GitHub Client ID
    Figure 2. Client ID and Secret

GitHub Enterprise

If using GitHub Enterprise, you also need a personal access token and the domain name of your GitHub Enterprise instance.

Create the defaultToken by navigating to User Settings > Developer Settings > Personal access tokens. The default token requires no scopes. You will need this value when you configure CircleCI server.

4. Frontend TLS certificates

By default, CircleCI server creates self-signed certificates to get you started. In production, you should supply a certificate from a trusted certificate authority. The Let’s Encrypt certificate authority, for example, can issue a free certificate using their certbot tool. The sections below cover using Google Cloud DNS and AWS Route 53.

Once you have created your certificates using one of the methods described below, you can use the following commands to retrieve the certificates later when you need them during this installation:

ls -l /etc/letsencrypt/live/<CIRCLECI_SERVER_DOMAIN>
cat /etc/letsencrypt/live/<CIRCLECI_SERVER_DOMAIN>/fullchain.pem
cat /etc/letsencrypt/live/<CIRCLECI_SERVER_DOMAIN>/privkey.pem

AWS Route 53

  1. If you are using AWS Route 53 for DNS, you need the certbot-route53 plugin installed. You can install the plugin with the following command:

    python3 -m pip install certbot-dns-route53
  2. Then execute this example to create a private key and certificate (including intermediate certificates) locally in /etc/letsencrypt/live/<CIRCLECI_SERVER_DOMAIN>:

    certbot certonly --dns-route53 -d "<CIRCLECI_SERVER_DOMAIN>" -d "app.<CIRCLECI_SERVER_DOMAIN>"

Google Cloud DNS

  1. If you host your DNS on Google Cloud, you need the certbot-dns-google plugin installed. You can install the plugin with the following command:

    python3 -m pip install certbot-dns-google
  2. The service account used to run certbot will need to have access to Cloud DNS in order to provision the necessary records used by Let’s Encrypt for domain validation.

    1. Create a custom role for certbot:

      gcloud iam roles create certbot --project=<PROJECT_ID> \
          --title="<TITLE>" --description="<DESCRIPTION>" \
          --permissions="dns.changes.create,dns.changes.get,dns.changes.list,dns.managedZones.get,dns.managedZones.list,dns.resourceRecordSets.create,dns.resourceRecordSets.delete,dns.resourceRecordSets.list,dns.resourceRecordSets.update" \
          --stage=ALPHA
    2. Bind the new role to the service account which we created earlier:

      gcloud projects add-iam-policy-binding <PROJECT_ID> \
          --member="serviceAccount:<SERVICE_ACCOUNT_ID>@<PROJECT_ID>.iam.gserviceaccount.com" \
          --role="<ROLE_NAME>"
  3. Finally, the following commands will provision a certification for your installation:

    certbot certonly --dns-google --dns-google-credentials <KEY_FILE> -d "<CIRCLECI_SERVER_DOMAIN>" -d "app.<CIRCLECI_SERVER_DOMAIN>"

AWS Certificate Manager

Instead of provisioning your own TLS certificates, if you are setting up CircleCI Server in an AWS environment, you can have AWS provision TLS certificates using Certificate Manager.

aws acm request-certificate \
  --domain-name <CIRCLECI_SERVER_DOMAIN> \
  --subject-alternative-names app.<CIRCLECI_SERVER_DOMAIN> \
  --validation-method DNS \
  --idempotency-token circle

After running this command, navigate to the Certificate Manager AWS console and follow the wizard to provision the required DNS validation records with Route53. Take note of the ARN of the certificate once it is issued.

Upstream TLS termination

You may have a requirement to terminate TLS for CircleCI server outside the application. This is an alternate method to using ACM or supplying the certificate chain during Helm deployment. An example would be a proxy running in front of the CircleCI installation providing TLS termination for your domain name. In this case the CircleCI application acts as the backend for your load balancer or proxy.

CircleCI server listens on a number of ports which need to be configured depending how your are routing the traffic. See the list of port numbers below:

  • Frontend / API Gateway [TCP 80, 443]

  • VM service [TCP 3000]

  • Nomad server [TCP 4647]

  • Output processor [gRPC 8585]

Depending on your requirements you may choose to terminate TLS for only the frontend/api-gateway or provide TLS for services listening on all the ports.

5. Encryption/signing keys

The keysets generated in this section are used to encrypt and sign artifacts generated by CircleCI. You will need these values to configure server.

a. Artifact signing key

To generate an artifact signing key, run the following command:

docker run circleci/server-keysets:latest generate signing -a stdout

b. Encryption signing key

To generate an encryption signing key, run the following command:

docker run circleci/server-keysets:latest generate encryption -a stdout

6. Object storage and permissions

Server v4.x hosts build artifacts, test results, and other state object storage. The following storage options are supported:

While any S3 compatible object storage may work, we test and support AWS S3 and MinIO. For object storage providers that do not support the S3 API, such as Azure blob storage, we recommend using MinIO Gateway.

Follow the instructions below to create a bucket and access method for S3 or GCS.

S3 Storage

a. Create AWS S3 Bucket

aws s3api create-bucket \
    --bucket <YOUR_BUCKET_NAME> \
    --region <YOUR_REGION> \
    --create-bucket-configuration LocationConstraint=<YOUR_REGION>

b. Set up authentication

There are two ways to authenticate CircleCI with S3: IAM Roles for Service Accounts (IRSA), and IAM access keys. IRSA is the recommended method.

Google Cloud Storage

a. Create a GCP bucket

If your server installation runs in a GKE cluster, ensure that your current IAM user is cluster admin for this cluster, as RBAC (role-based access control) objects need to be created. More information can be found in the GKE documentation.

gsutil mb gs://circleci-server-bucket

b. Set up authentication

The recommended method for workload/pod authentication is to use Workload Identity. However, you may also use static credentials (json key file).

  1. Create a Service Account.

    gcloud iam service-accounts create circleci-storage --description="Service account for CircleCI object storage" --display-name="circleci-storage"
  2. Bind the objectAdmin role to the service account.

    gcloud projects add-iam-policy-binding <PROJECT_ID> \
        --member="serviceAccount:circleci-storage@<PROJECT_ID>.iam.gserviceaccount.com" \
        --role="roles/storage.objectAdmin" \
        --condition='expression=resource.name.startsWith("projects/_/buckets/circleci-server-bucket"),title=restrict_bucket'
  3. Either enable Workload Identity or use static credentials.


Help make this document better

This guide, as well as the rest of our docs, are open source and available on GitHub. We welcome your contributions.

Need support?

Our support engineers are available to help with service issues, billing, or account related questions, and can help troubleshoot build configurations. Contact our support engineers by opening a ticket.

You can also visit our support site to find support articles, community forums, and training resources.