The document explains how you can set up Apache DevLake securely.
First of all, there are 4 services included in the deployment:
mysql is supported, you may use it or any other compatible DBS like cloud-based systems. You should follow the database's own documentation to make it secure.
grafana service.
devlake itself doesn't support User Management of any kind, so we don't recommend that you expose its port to the outside world.
devlake to do the work. You may set up an automated blueprint to collect data. config-ui supports Basic Authentication, enabled by simply setting the environment variables ADMIN_USER and ADMIN_PASS for the container. There are commented lines in the config-ui.environment section of our docker-compose.yml file for your convenience.
In general, we suggest that you reduce the attack surface as much as possible.
ports if you don't need to access the database directly
ports section. If you want to call the API directly, do it via the config-ui/api endpoint.
ports for people to browse the dashboards. However, you may want to set up the User Management, and a read-only database account for grafana
ports with Basic Authentication is sufficient for Internal Deployment, you may choose to remove the ports and use techniques like k8s port-forwarding or expose-port-when-needed to enhance the security. Keep in mind config-ui is NOT designed to be used by many people, and it shouldn't be. Do NOT grant access if NOT necessary.
THIS IS DANGEROUS, DON'T DO IT. If you insist, here are some suggestions you may follow; please consult your Security Advisor before doing anything:
HTTPS for the transportation.
k8s, otherwise, set up HTTPS for the transportation.
Security is complicated, and all suggestions listed above are based on what we have learned so far. Apache DevLake makes no guarantee of any kind; please consult your Security Advisor before applying them.
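
The port and Basic Authentication advice above can be checked mechanically. The script below is an added example, not part of the DevLake project: it audits a Compose model (for instance the output of docker compose config --format json) and reports published ports on mysql and devlake and unset ADMIN_USER / ADMIN_PASS on config-ui. The function name, the finding strings and the two sample models are constructed for illustration.

```python
import json
import sys

# Services whose ports the page advises against publishing.
NO_PORTS = ("mysql", "devlake")
AUTH_VARS = ("ADMIN_USER", "ADMIN_PASS")

def audit_compose(model):
    """Return a list of findings for a parsed Compose model (dict)."""
    findings = []
    services = model.get("services") or {}
    for name in NO_PORTS:
        if (services.get(name) or {}).get("ports"):
            findings.append(f"{name}: ports are published")
    ui = services.get("config-ui")
    if ui is not None:
        env = ui.get("environment") or {}
        if isinstance(env, list):  # Compose also allows ["KEY=value", ...]
            env = dict(item.partition("=")[::2] for item in env)
        for var in AUTH_VARS:
            if not env.get(var):  # missing, empty or null
                findings.append(f"config-ui: {var} is not set")
    return findings

# Constructed sample models (not the project's docker-compose.yml).
WEAK = {"services": {
    "mysql": {"ports": ["3306:3306"]},
    "devlake": {"ports": ["8080:8080"]},
    "config-ui": {"ports": ["4000:80"], "environment": ["ADMIN_USER=", "TZ=UTC"]},
}}
HARDENED = {"services": {
    "mysql": {},
    "devlake": {},
    "config-ui": {"ports": ["4000:80"],
                  "environment": {"ADMIN_USER": "devlake", "ADMIN_PASS": "change-me"}},
}}

if __name__ == "__main__":
    # With a file argument, audit real output of: docker compose config --format json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            models = {sys.argv[1]: json.load(fh)}
    else:
        models = {"WEAK": WEAK, "HARDENED": HARDENED}
    for label, model in models.items():
        print(label, audit_compose(model) or "ok")
```
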
If you run into any problem, please check the Troubleshooting or create an issue