.chef/*.pem
.chef/encrypted_data_bag_secret
.chef/knife.rb
+clients/*
local-mode-cache
nodes/*tmp.json
nodes/*.test.json
--- /dev/null
+~FC001
\ No newline at end of file
--- /dev/null
+AllCops:
+ Exclude:
+ - vendor/**/*
+
+AlignParameters:
+ Enabled: false
+LineLength:
+ Enabled: false
+Lint/UnusedBlockArgument:
+ Enabled: false
+Metrics/AbcSize:
+ Enabled: false
+Style/BlockComments:
+ Enabled: false
+Style/BlockDelimiters:
+ Enabled: false
+Style/ExtraSpacing:
+ Enabled: false
+Style/FileName:
+ Enabled: false
+Style/LeadingCommentSpace:
+ Enabled: false
+Style/RescueModifier:
+ Enabled: false
+Style/SpaceBeforeFirstArg:
+ Enabled: false
+Style/SpaceInsideBlockBraces:
+ Enabled: false
+Style/SpaceInsidePercentLiteralDelimiters:
+ Enabled: false
+Style/TrailingCommaInLiteral:
+ EnforcedStyleForMultiline: consistent_comma
+Style/WordArray:
+ Enabled: false
+
+#Lint/ShadowingOuterLocalVariable:
+# Enabled: false
+#Metrics/MethodLength:
+# Max: 10
+#Metrics/ModuleLength:
+# Max: 100
+#Metrics/CyclomaticComplexity:
+# Max: 6
+#Metrics/PerceivedComplexity:
+# Max: 7
+#Style/AccessorMethodName:
+# Enabled: false
+#Style/MultilineOperationIndentation:
+# Enabled: false
+#Style/PerlBackrefs:
+# Enabled: false
--- /dev/null
+#
+# Copyright 2017 whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+source 'https://supermarket.chef.io'
+
+metadata
--- /dev/null
+# hc-vault CHANGELOG
+
+This file is used to list changes made in each version of the hc-vault cookbook.
+
+## 0.1.0
+- [your_name] - Initial release of hc-vault
+
+- - -
+Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
+
+The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
--- /dev/null
+source 'https://rubygems.org'
+
+# with Chef DK
+gem 'stove'
--- /dev/null
+hc-vault Cookbook
+=================
+
+This cookbook sets up a HashiCorp Vault service.
+
+## Contents
+
+
+## Requirements
+
+### platforms
+
+- Debian >= 9.0
+- Ubuntu >= 14.04
+- CentOS,RHEL >= 7.3
+
+### packages
+- none.
+
+## Attributes
+
+|Key|Type|Description, example|Default|
+|:--|:--|:--|:--|
+|`['hc-vault']['with_ssl_cert_cookbook']`|Boolean|If this attribute is true, `node['hc-vault']['docker-compose']['config']` are are overridden by the following `common_name` attributes.|`false`|
+|`['hc-vault']['ssl_cert']['common_name']`|String|Vault server common name for TLS|`node['fqdn']`|
+|`['hc-vault']['config']`|Hash|Vault configurations. This Hash is expanded to a `/vault/config/config.json` in Docker container.|See `attributes/default.rb`|
+|`['hc-vault']['docker-compose']['vault_owner']`|Integer|Vault owner UID (read only).|`100`|
+|`['hc-vault']['docker-compose']['vault_group']`|Integer|Vault group GID (read only).|`1000`|
+|`['hc-vault']['docker-compose']['app_dir']`|String||`"#{node['docker-grid']['compose']['app_dir']}/vault"`|
+|`['hc-vault']['docker-compose']['config_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/config"`|
+|`['hc-vault']['docker-compose']['file_dir']`|String|Default backend storage.|`"#{node['hc-vault']['docker-compose']['app_dir']}/file"`|
+|`['hc-vault']['docker-compose']['logs_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/logs"`|
+|`['hc-vault']['docker-compose']['certs_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/certs"`|
+|`['hc-vault']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
+
+## Usage
+
+### Recipes
+
+#### hc-vault::default
+
+This recipe does nothing.
+
+#### hc-vault::docker-compose
+
+This recipe generates a `docker-compose.yml` for the HashiCorp Vault service.
+
+### Role Examples
+
+- `roles/vault-on-docker.rb`
+
+```ruby
+name 'vault-on-docker'
+description 'Vault on Docker'
+
+vault_port = '8200'
+
+run_list(
+ 'role[docker]',
+ 'recipe[hc-vault::docker-compose]',
+)
+
+#env_run_lists()
+
+#default_attributes()
+
+override_attributes(
+ 'docker-grid' => {
+ 'engine' => {
+ 'skip_setup' => false,
+ },
+ 'compose' => {
+ 'skip_setup' => false,
+ },
+ },
+ 'hc-vault' => {
+ 'config' => {
+ #'default_lease_ttl' => '768h',
+ #'max_lease_ttl' => '768h',
+ },
+ 'docker-compose' => {
+ 'config' => {
+ # Version 2 docker-compose format
+ 'version' => '2',
+ 'services' => {
+ 'vault' => {
+ 'ports' => [
+ "#{vault_port}:8200",
+ ],
+ #'volumes' => [
+ # These volumes will be set by the hc-vault::docker-compose recipe automatically.
+ #"#{node['hc-vault']['docker-compose']['config_dir']}/config.json:/vault/config/config.json:ro",
+ #"#{node['hc-vault']['docker-compose']['file_dir']}:/vault/file:rw",
+ #"#{node['hc-vault']['docker-compose']['logs_dir']}:/vault/logs:rw",
+ #],
+ 'environment' => {
+ # use the ['hc-vault']['config'] attribute instead of this variable.
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+ },
+ },
+ },
+)
+```
+
+- `roles/vault-with-ssl-on-docker.rb`
+
+```ruby
+name 'vault-with-ssl-on-docker'
+description 'Vault setup with ssl_cert cookbook'
+
+vault_cn = 'vault.io.example.com'
+vault_port = '8200'
+
+run_list(
+ 'role[docker]',
+ 'recipe[hc-vault::docker-compose]',
+)
+
+#env_run_lists()
+
+#default_attributes()
+
+override_attributes(
+ 'docker-grid' => {
+ 'engine' => {
+ 'skip_setup' => false,
+ },
+ 'compose' => {
+ 'skip_setup' => false,
+ },
+ },
+ 'hc-vault' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'common_name' => vault_cn,
+ },
+ 'config' => {
+ 'listener' => {
+ 'tcp' => {
+ # These configurations will be set by the hc-vault::docker-compose recipe automatically.
+ #'tls_disable' => false
+ #'tls_cert_file' => '/vault/server.crt',
+ #'tls_key_file' => '/vault/server.key',
+ },
+ },
+ #'default_lease_ttl' => '768h',
+ #'max_lease_ttl' => '768h',
+ },
+ 'docker-compose' => {
+ 'config' => {
+ # Version 2 docker-compose format
+ 'version' => '2',
+ 'services' => {
+ 'vault' => {
+ 'ports' => [
+ "#{vault_port}:8200",
+ ],
+ #'volumes' => [
+ # These volumes will be set by the hc-vault::docker-compose recipe automatically.
+ #"#{node['hc-vault']['docker-compose']['config_dir']}/config.json:/vault/config/config.json:ro",
+ #"#{node['hc-vault']['docker-compose']['file_dir']}:/vault/file:rw",
+ #"#{node['hc-vault']['docker-compose']['logs_dir']}:/vault/logs:rw",
+ #"#{server_cert_path(node['hc-vault']['ssl_cert']['common_name'])}:/vault/server.crt:ro",
+ #"#{node['hc-vault']['docker-compose']['certs_dir']}/server.key:/vault/server.key:ro",
+ #],
+ 'environment' => {
+ # use the ['hc-vault']['config'] attribute instead of this variable.
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+ },
+ },
+ },
+ 'ssl_cert' => {
+ 'common_names' => [
+ vault_cn,
+ ],
+ }
+)
+```
+
+### SSL server keys and certificates management by `ssl_cert` cookbook
+
+- create chef-vault items.
+
+```text
+$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("vault.io.example.com.prod.key")})' \
+> > ~/tmp/vault.io.example.com.prod.key.json
+
+$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("vault.io.example.com.prod.crt")})' \
+> > ~/tmp/vault.io.example.com.prod.crt.json
+
+$ cd $CHEF_REPO
+
+$ knife vault create ssl_server_keys vault.io.example.com.prod \
+> --json ~/tmp/vault.io.example.com.prod.key.json
+
+$ knife vault create ssl_server_certs vault.io.example.com.prod \
+> --json ~/tmp/vault.io.example.com.prod.crt.json
+```
+
+- grant reference permission to the Vault host
+
+```text
+$ knife vault update ssl_server_keys vault.io.example.com.prod -S 'name:vault-host.example.com'
+$ knife vault update ssl_server_certs vault.io.example.com.prod -S 'name:vault-host.example.com'
+```
+
+- modify run_list and attributes
+
+```ruby
+run_list(
+ 'recipe[hc-vault::docker-compose]',
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ 'common_names' => [
+ 'vault.io.example.com',
+ ],
+ },
+ 'hc-vault' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'common_name' => 'vault.io.example.com',
+ },
+ # ...
+ },
+)
+```
+
+## License and Authors
+
+- Author:: whitestar at osdn.jp
+
+```text
+Copyright 2017, whitestar
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```
--- /dev/null
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'foodcritic'
+require 'stove/rake_task'
+
+namespace :style do
+ desc 'Run Ruby style checks'
+ RuboCop::RakeTask.new(:ruby) do |t|
+ t.options = [
+ '--auto-gen-config', # creates .rubocop_todo.yml
+ ]
+ end
+
+ desc 'Run Chef style checks'
+ FoodCritic::Rake::LintTask.new(:chef) do |t|
+ t.options = {
+ fail_tags: ['any'],
+ }
+ end
+end
+
+desc 'Run all style checks'
+task style: ['style:chef', 'style:ruby']
+
+desc 'Run ChefSpec examples'
+RSpec::Core::RakeTask.new(:spec)
+
+desc 'Publish cookbook'
+Stove::RakeTask.new(:publish) do |t|
+ t.stove_opts = [
+ # `--username` and `--key` are set in ~/.stove typically.
+ #'--username', 'somebody',
+ #'--key', '~/chef/chef.io.example.com/somebody.pem',
+ #'--endpoint', 'https://supermarket.io.example.com/api/v1', # default: supermarket.chef.io
+ #'--no-ssl-verify',
+ '--no-git',
+ '--log-level', 'info',
+ ]
+end
+
+task default: ['style', 'spec']
--- /dev/null
+#
+# Cookbook Name:: hc-vault
+# Attributes:: default
+#
+# Copyright 2017, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['hc-vault']['with_ssl_cert_cookbook'] = false
+# If ['hc-vault']['with_ssl_cert_cookbook'] is true,
+# node['hc-vault']['docker-compose']['config']
+# are overridden by the following 'common_name' attributes.
+default['hc-vault']['ssl_cert']['common_name'] = node['fqdn']
+
+# This Hash is expanded to a `/vault/config/config.json` in Docker container.
+# see https://www.vaultproject.io/docs/configuration/index.html
+default['hc-vault']['config'] = {
+ 'listener' => {
+ 'tcp' => {
+ 'address' => '0.0.0.0:8200',
+ # These configurations will be set by the hc-vault::docker-compose recipe automatically.
+ 'tls_disable' => true, # default: false
+ #'tls_cert_file' => '/vault/server.crt',
+ #'tls_key_file' => '/vault/server.key',
+ },
+ },
+ 'backend' => {
+ 'file' => {
+ 'path' => '/vault/file',
+ },
+ },
+ 'default_lease_ttl' => '768h',
+ 'max_lease_ttl' => '768h',
+}
+
+force_override['hc-vault']['docker-compose']['vault_owner'] = 100
+force_override['hc-vault']['docker-compose']['vault_group'] = 1000
+default['hc-vault']['docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/vault"
+default['hc-vault']['docker-compose']['config_dir'] = "#{node['hc-vault']['docker-compose']['app_dir']}/config"
+default['hc-vault']['docker-compose']['file_dir'] = "#{node['hc-vault']['docker-compose']['app_dir']}/file"
+default['hc-vault']['docker-compose']['logs_dir'] = "#{node['hc-vault']['docker-compose']['app_dir']}/logs"
+default['hc-vault']['docker-compose']['certs_dir'] = "#{node['hc-vault']['docker-compose']['app_dir']}/certs"
+
+force_override['hc-vault']['docker-compose']['config_format_version'] = '2'
+version_2_config = {
+ # Version 2 docker-compose format
+ 'version' => '2',
+ 'services' => {
+ 'vault' => {
+ 'cap_add' => [
+ 'IPC_LOCK',
+ ],
+ 'restart' => 'always',
+ 'image' => 'vault:latest',
+ 'command' => 'server',
+ 'ports' => [
+ #'8200:8200',
+ ],
+ 'volumes' => [
+ # These volumes will be set by the hc-vault::docker-compose recipe automatically.
+ #"#{node['hc-vault']['docker-compose']['config_dir']}/config.json:/vault/config/config.json:ro",
+ #"#{node['hc-vault']['docker-compose']['file_dir']}:/vault/file:rw",
+ #"#{node['hc-vault']['docker-compose']['logs_dir']}:/vault/logs:rw",
+ #"#{server_cert_path(node['hc-vault']['ssl_cert']['common_name'])}:/vault/server.crt:ro",
+ #"#{node['hc-vault']['docker-compose']['certs_dir']}/server.key:/vault/server.key:ro",
+ ],
+ 'environment' => {
+ # use the ['hc-vault']['config'] attribute instead of this variable.
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+}
+
+default['hc-vault']['docker-compose']['config'] = version_2_config
--- /dev/null
+---
+# $ fly -t target sp -p hc-vault-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
+resources:
+- name: src-git
+ type: git
+ source:
+ uri: ((git-id-osdn))@git.osdn.net:/gitroot/metasearch/grid-chef-repo.git
+ branch: master
+ paths:
+ - cookbooks/((cookbook-name))
+ private_key: ((git-private-key))
+ git_user: ((git-user-osdn))
+ #check_every: 1h # default: 1m
+- name: chefdk-cache
+ type: docker-image
+ source:
+ repository: chef/chefdk
+ tag: ((chefdk-version))
+ # ((param)) style: fly >= 3.2.0
+ registry_mirror: https://((registry-mirror-domain)) # e.g. https://registry.docker.example.com:5000
+ ca_certs:
+ - domain: ((registry-mirror-domain)) # e.g. registry.docker.example.com:5000
+ cert: ((docker-reg-ca-cert))
+ check_every: 12h # default: 1m
+
+jobs:
+- name: test-cookbook
+ plan:
+ - aggregate:
+ - get: src-git
+ params:
+ depth: 5
+ trigger: true
+ - get: chefdk-cache
+ - task: ci-build
+ image: chefdk-cache
+ params:
+ http_proxy: ((http-proxy)) # e.g. http://proxy.example.com:3128
+ #HTTP_PROXY: ((http-proxy))
+ config:
+ platform: linux
+ #image_resource:
+ # type: docker-image
+ # source:
+ # repository: chef/chefdk
+ # tag: ((chefdk-version))
+ # NG, setting disable
+ #registry_mirror: https://((registry-mirror-domain))
+ #ca_certs:
+ #- domain: ((registry-mirror-domain))
+ # cert: ((docker-reg-ca-cert))
+ inputs:
+ - name: src-git
+ run:
+ #dir: ./src-git/cookbooks/((cookbook-name))
+ #path: rake
+ path: /bin/bash
+ args:
+ - -c
+ - |
+ cd ./src-git/cookbooks/((cookbook-name))
+ bundle install
+ rake
+- name: publish-cookbook
+ plan:
+ - aggregate:
+ - get: src-git
+ params:
+ depth: 5
+ trigger: false
+ passed: [test-cookbook]
+ - get: chefdk-cache
+ passed: [test-cookbook]
+ - task: publish
+ image: chefdk-cache
+ params:
+ http_proxy: ((http-proxy))
+ chef_username: ((chef-username))
+ chef_client_key: ((chef-client-key))
+ config:
+ platform: linux
+ inputs:
+ - name: src-git
+ run:
+ path: /bin/bash
+ args:
+ - -c
+ - |
+ echo '{"username":"((chef-username))","key":"/root/chef-client-key.pem"}' > /root/.stove
+ echo "$chef_client_key" > /root/chef-client-key.pem
+ cd ./src-git/cookbooks/((cookbook-name))
+ bundle install
+ rake publish
+ - put: src-git
+ params:
+ repository: src-git
+ tag_prefix: ((cookbook-name))-
+ tag: src-git/cookbooks/((cookbook-name))/version
+ only_tag: true
+ annotate: ../src-git/cookbooks/((cookbook-name))/version
--- /dev/null
+---
+cookbook-name: gitlab-grid
+chefdk-version: 1.4.3
--- /dev/null
+name 'hc-vault'
+maintainer 'whitestar'
+maintainer_email ''
+license 'Apache 2.0'
+description 'Installs/Configures HashiCorp Vault'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version IO.read(File.join(File.dirname(__FILE__), 'version')).chomp
+source_url 'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git'
+issues_url 'https://osdn.jp/projects/metasearch/ticket'
+
+chef_version '>= 12'
+%w( centos redhat ).each do |os|
+ supports os, '>= 7.0'
+end
+supports 'debian', '>= 8.0'
+supports 'ubuntu', '>= 14.04'
+
+depends 'docker-grid', '>= 0.4.0'
+depends 'platform_utils', '>= 0.4.4'
+depends 'ssl_cert', '>= 0.3.9'
--- /dev/null
+#
+# Cookbook Name:: hc-vault
+# Recipe:: default
+#
+# Copyright 2017, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
--- /dev/null
+#
+# Cookbook Name:: hc-vault
+# Recipe:: docker-compose
+#
+# Copyright 2017, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+doc_url = 'https://hub.docker.com/_/vault/'
+
+include_recipe 'platform_utils::kernel_user_namespace'
+include_recipe 'docker-grid::compose'
+
+vault_owner = node['hc-vault']['docker-compose']['vault_owner']
+vault_group = node['hc-vault']['docker-compose']['vault_group']
+app_dir = node['hc-vault']['docker-compose']['app_dir']
+config_dir = node['hc-vault']['docker-compose']['config_dir']
+file_dir = node['hc-vault']['docker-compose']['file_dir']
+logs_dir = node['hc-vault']['docker-compose']['logs_dir']
+certs_dir = node['hc-vault']['docker-compose']['certs_dir']
+
+[
+ app_dir,
+ config_dir,
+ certs_dir,
+].each {|dir|
+ resources(directory: dir) rescue directory dir do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ end
+}
+
+[
+ file_dir,
+ logs_dir,
+].each {|dir|
+ resources(directory: dir) rescue directory dir do
+ owner vault_owner
+ group vault_group
+ mode '0755'
+ recursive true
+ end
+}
+
+override_vault_config = node.override['hc-vault']['config']
+config_srvs = node['hc-vault']['docker-compose']['config']['services']
+override_config_srvs = node.override['hc-vault']['docker-compose']['config']['services']
+#force_override_config_srvs = node.force_override['hc-vault']['docker-compose']['config']['services']
+#vault_envs_org = config_srvs['vault']['environment']
+#vault_envs = {}
+vault_vols = config_srvs['vault']['volumes'].to_a
+
+ports = config_srvs['vault']['ports']
+override_config_srvs['vault']['ports'] = ['8200:8200'] if ports.empty?
+
+template "#{config_dir}/config.json" do
+ source 'opt/docker-compose/app/vault/config/config.json'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
+
+vault_vols.push("#{config_dir}/config.json:/vault/config/config.json:ro")
+vault_vols.push("#{file_dir}:/vault/file:rw")
+vault_vols.push("#{logs_dir}:/vault/logs:rw")
+
+if node['hc-vault']['with_ssl_cert_cookbook']
+ include_recipe 'ssl_cert::server_key_pairs'
+ ::Chef::Recipe.send(:include, SSLCert::Helper)
+
+ cn = node['hc-vault']['ssl_cert']['common_name']
+ key_path = server_key_path(cn)
+
+ # Because the Vault owner is not root.
+ bash 'copy_ssl_server_key' do
+ code <<-EOH
+ cp #{key_path} #{certs_dir}/server.key
+ chown #{vault_owner} #{certs_dir}/server.key
+ chmod 600 #{certs_dir}/server.key
+ EOH
+ sensitive true
+ action :run
+ not_if "cmp #{key_path} #{certs_dir}/server.key"
+ #action :nothing
+ #subscribes :run, "file[#{key_path}]"
+ end
+
+ vault_vols.push("#{server_cert_path(cn)}:/vault/server.crt:ro")
+ vault_vols.push("#{certs_dir}/server.key:/vault/server.key:ro")
+ override_vault_config['listener']['tcp'] = {
+ 'tls_disable' => false,
+ 'tls_cert_file' => '/vault/server.crt',
+ 'tls_key_file' => '/vault/server.key',
+ }
+end
+
+# merge environment hash
+#force_override_config_srvs['vault']['environment'] = vault_envs unless vault_envs.empty?
+# reset vlumes array.
+override_config_srvs['vault']['volumes'] = vault_vols unless vault_vols.empty?
+
+config_file = "#{app_dir}/docker-compose.yml"
+template config_file do
+ source 'opt/docker-compose/app/vault/docker-compose.yml'
+ owner 'root'
+ group 'root'
+ mode '0644'
+end
+
+log <<-"EOM"
+Note: You must execute the following command manually.
+ See #{doc_url}
+ - Start:
+ $ cd #{app_dir}
+ $ docker-compose up -d
+ - Stop
+ $ docker-compose down
+EOM
--- /dev/null
+require_relative '../spec_helper'
+
+describe 'hc-vault::default' do
+ let(:chef_run) { ChefSpec::SoloRunner.new.converge(described_recipe) }
+
+ #it 'does something' do
+ # expect(chef_run).to do_something('...')
+ #end
+end
--- /dev/null
+# Added by ChefSpec
+require 'chefspec'
+
+# Uncomment to use ChefSpec's Berkshelf extension
+# require 'chefspec/berkshelf'
+
+RSpec.configure do |config|
+ # Specify the path for Chef Solo to find cookbooks
+ # config.cookbook_path = '/var/cookbooks'
+
+ # Specify the path for Chef Solo to find roles
+ # config.role_path = '/var/roles'
+
+ # Specify the Chef log_level (default: :warn)
+ # config.log_level = :debug
+
+ # Specify the path to a local JSON file with Ohai data
+ # config.path = 'ohai.json'
+
+ # Specify the operating platform to mock Ohai data from
+ # config.platform = 'ubuntu'
+
+ # Specify the operating version to mock Ohai data from
+ # config.version = '12.04'
+end
--- /dev/null
+<%
+require 'json'
+json_str = JSON.pretty_generate(node['hc-vault']['config'].to_hash)
+-%>
+<%= json_str %>
--- /dev/null
+<%
+require 'yaml'
+yaml_str = node['hc-vault']['docker-compose']['config'].to_hash.to_yaml
+-%>
+<%= yaml_str %>
--- /dev/null
+{
+ "run_list": [
+ "role[vault-on-docker]"
+ ]
+}
jenkins_home_path = '/opt/docker-compose/app/jenkins/home'
nexus_ver = '3'
nexus_port = nexus_ver == '3' ? '8081' : '8071'
+vault_port = '8200' # default: 8200
run_list(
'role[docker]',
'role[gitlab-runner]',
'role[jenkins-on-docker]',
"role[nexus#{nexus_ver}-on-docker]",
+ 'role[vault-on-docker]',
)
#env_run_lists()
},
},
},
+ 'hc-vault' => {
+ 'config' => {
+ },
+ 'docker-compose' => {
+ 'config' => {
+ 'services' => {
+ 'vault' => {
+ 'ports' => [
+ "#{vault_port}:8200",
+ ],
+ 'environment' => {
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+ },
+ },
+ },
}
if network_mode_bridge
'nexus',
]
nexus_srvs['nexus']['network_mode'] = 'bridge'
+
+ vault_srvs = attrs['hc-vault']['docker-compose']['config']['services']
+ vault_srvs['vault']['network_mode'] = 'bridge'
end
#default_attributes()
jenkins_cn = host_cn # e.g. 'jenkins.io.example.com'
jenkins_port = '9083'
nexus_cn = host_cn # e.g. 'nexus.io.example.com'
+vault_cn = host_cn # e.g. 'vault.io.example.com'
dockerd_extra_opts = [
'-H fd://',
'--bip=192.168.100.1/24 --fixed-cidr=192.168.100.0/24',
},
},
},
+ 'hc-vault' => {
+ 'with_ssl_cert_cookbook' => with_ssl,
+ 'ssl_cert' => {
+ 'common_name' => vault_cn,
+ },
+ 'config' => {
+ },
+ 'docker-compose' => {
+ 'config' => {
+ 'services' => {
+ 'vault' => {
+ #'ports' => [
+ #],
+ 'environment' => {
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+ },
+ },
+ },
)
--- /dev/null
+#
+# Copyright 2017, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'vault-on-docker'
+description 'vault on Docker'
+
+#vault_cn = 'vault.io.example.com' # default: node['fqdn']
+#vault_port = '8200' # default: 8200
+
+run_list(
+ 'role[docker]',
+ 'recipe[hc-vault::docker-compose]',
+)
+
+#env_run_lists()
+
+#default_attributes()
+
+override_attributes(
+ 'docker-grid' => {
+ 'engine' => {
+ 'skip_setup' => false,
+ },
+ 'compose' => {
+ 'skip_setup' => false,
+ },
+ },
+ 'hc-vault' => {
+ 'config' => {
+ #'default_lease_ttl' => '768h',
+ #'max_lease_ttl' => '768h',
+ },
+ 'docker-compose' => {
+ 'config' => {
+ 'services' => {
+ 'vault' => {
+ #'ports' => [
+ # "#{vault_port}:8200",
+ #],
+ 'environment' => {
+ #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
+ },
+ },
+ },
+ },
+ },
+ },
+)