
adds the ['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] attribut...
authorwhitestar <whitestar@gaea.test>
Sat, 1 Jul 2017 01:05:30 +0000 (10:05 +0900)
committerwhitestar <whitestar@gaea.test>
Sat, 1 Jul 2017 01:05:30 +0000 (10:05 +0900)
cookbooks/concourse-ci/Berksfile
cookbooks/concourse-ci/CHANGELOG.md
cookbooks/concourse-ci/README.md
cookbooks/concourse-ci/Rakefile
cookbooks/concourse-ci/attributes/default.rb
cookbooks/concourse-ci/concourse.yml
cookbooks/concourse-ci/fly-vars.yml [new file with mode: 0644]
cookbooks/concourse-ci/metadata.rb
cookbooks/concourse-ci/recipes/docker-compose.rb
cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env

index 7e6ac6c..9da25d9 100644 (file)
@@ -14,8 +14,6 @@
 # limitations under the License.
 #
 
-# for ver. 3.x
-#source 'https://gpm00.grid.example.com:6280'
 source 'https://supermarket.chef.io'
 
 metadata
index bbb04a0..4c682dc 100644 (file)
@@ -1,6 +1,11 @@
 concourse-ci CHANGELOG
 ======================
 
+0.2.0
+-----
+- adds the `['concourse-ci']['docker-compose']['web_encryption_key_vault_item']` attribute (Concourse >= 3.1.0).
+  - Encryption support: see https://concourse.ci/encryption.html
+
 0.1.9
 -----
 - improves CA certificates import feature.
index b4b230a..9efce69 100644 (file)
@@ -17,6 +17,7 @@ This cookbook sets up a Concourse CI service by Docker Compose.
         - [concourse-ci::docker-compose](#concourse-cidocker-compose)
     - [Role Examples](#role-examples)
     - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
+    - [Encryption key management by Chef Vault](#encryption-key-management-by-chef-vault)
     - [OAuth client ID and secret management by Chef Vault](#oauth-client-id-and-secret-management-by-chef-vault)
 - [License and Authors](#license-and-authors)
 
@@ -53,6 +54,7 @@ This cookbook sets up a Concourse CI service by Docker Compose.
 |`['concourse-ci']['docker-compose']['pgdata_dir']`|String|Path string or nil (unset, non-persistent).|`"#{node['concourse-ci']['docker-compose']['app_dir']}/database"`|
 |`['concourse-ci']['docker-compose']['db_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`|
 |`['concourse-ci']['docker-compose']['db_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
+|`['concourse-ci']['docker-compose']['web_encryption_key_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
 |`['concourse-ci']['docker-compose']['web_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`|
 |`['concourse-ci']['docker-compose']['web_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
 |`['concourse-ci']['docker-compose']['web_oauth_client_id_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
@@ -313,6 +315,43 @@ override_attributes(
 )
 ```
 
+### Encryption key management by Chef Vault
+
+- create vault items.
+
+```text
+# a 16 or 32-byte random character sequence.
+$ cat ~/tmp/concourse_ekey.json
+{"ekey":"********************************"}
+
+$ knife vault create concourse web_encryption_key --json ~/tmp/concourse_ekey.json
+```
+
+- grant reference permission to the Concourse host
+
+```text
+$ knife vault update concourse web_encryption_key -S 'name:concourse-host.example.com'
+```
+
+- modify attributes
+
+```ruby
+override_attributes(
+  'concourse-ci' => {
+    # ...
+    'docker-compose' => {
+      'web_encryption_key_vault_item' => {
+        'vault' => 'concourse',
+        'name' => 'web_encryption_key',
+        'env_context' => false,
+        'key' => 'ekey',
+      },
+      # ...
+    },
+  },
+)
+```
+
 ### OAuth client ID and secret management by Chef Vault
 
 - create vault items.
index 01d55dd..ddbe0eb 100644 (file)
@@ -25,6 +25,7 @@ desc 'Publish cookbook'
 Stove::RakeTask.new(:publish) do |t|
   t.stove_opts = [
     '--no-git',
+    '--log-level', 'info'
   ]
 end
 
index 113930e..26091c3 100644 (file)
@@ -48,6 +48,18 @@ default['concourse-ci']['docker-compose']['db_password_vault_item'] = {
   #'key' => 'hash/path/to/password',  # real hash path: "/#{node.chef_environment}/hash/path/to/password"
 =end
 }
+default['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] = {
+=begin
+  'vault' => 'concourse',
+  'name' => 'encryption_key',
+  # single password or nested hash password path delimited by slash
+  'env_context' => false,
+  'key' => 'ekey',  # real hash path: "/ekey"
+  # or nested hash password path delimited by slash
+  #'env_context' => true,
+  #'key' => 'hash/path/to/ekey',  # real hash path: "/#{node.chef_environment}/hash/path/to/ekey"
+=end
+}
 default['concourse-ci']['docker-compose']['web_password_reset'] = false
 default['concourse-ci']['docker-compose']['web_password_vault_item'] = {
 =begin
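Review bot: The commented example on L120 names the vault item `encryption_key`, while the README section added in this commit creates and references `web_encryption_key`; one of the two should change so that a user copying the example gets a working lookup, e.g. `'name' => 'web_encryption_key',`. The comment on L121 was carried over from the password attributes: it still speaks of a "password path" and the "or nested hash" clause is then repeated on L124, so `# single key or nested hash key path delimited by slash` on L121 with the duplicate wording dropped from L124 would read cleanly. Since the recipe hunk in this commit does not check the value, a line such as `# the key must be 16 or 32 bytes (see README)` next to `'key' => 'ekey'` would also save a failed deployment.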
@@ -121,13 +133,16 @@ version_1_config = {
     ],
     'environment' => {
       #'CONCOURSE_TLS_BIND_PORT' => '8443',  # activate HTTPS
+      # If the ['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] attributes are specified.
+      # the following variable is set automatically,
+      #'CONCOURSE_ENCRYPTION_KEY' => '${CONCOURSE_ENCRYPTION_KEY}',
       'CONCOURSE_BASIC_AUTH_USERNAME' => 'concourse',
       # Note: You should use the `['concourse-ci']['docker-compose']['web_password_vault_item']` attribute.
       'CONCOURSE_BASIC_AUTH_PASSWORD' => nil,
       # OAuth for the default `main`` team
       #'CONCOURSE_GENERIC_OAUTH_DISPLAY_NAME' => 'GitLab',
-      # The following 2 variables are set automatically,
-      # if the ['concourse-ci']['docker-compose']['web_oauth_client_(id|secret)_vault_item'] attributes are specified.
+      # If the ['concourse-ci']['docker-compose']['web_oauth_client_(id|secret)_vault_item'] attributes are specified.
+      # the following 2 variables are set automatically,
       #'CONCOURSE_GENERIC_OAUTH_CLIENT_ID' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_ID}',
       #'CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET}',
       #'CONCOURSE_GENERIC_OAUTH_AUTH_URL' => 'https://gitlab.io.example.com/oauth/authorize',
index 62265a1..e75441d 100644 (file)
@@ -1,26 +1,29 @@
 ---
-# $ fly -t target sp -p concourse-ci-cookbook -c concourse.yml -l ~/credentials.yml
+# $ fly -t target sp -p concourse-ci-cookbook -c concourse.yml -l fly-vars.yml -l ~/credentials.yml
 resources:
 - name: src-git
   type: git
   source:
     uri: git://git.osdn.net/gitroot/metasearch/grid-chef-repo.git
     branch: master
+    paths:
+    - cookbooks/((cookbook-name))
 - name: chefdk-cache
   type: docker-image
   source:
     repository: chef/chefdk
-    tag: 0.17.17
-    registry_mirror: {{registry-mirror}}  # e.g. https://registry.docker.example.com:5000
+    tag: ((chefdk-version))
+    # ((param)) style: fly >= 3.2.0
+    registry_mirror: https://((registry-mirror-domain))  # e.g. https://registry.docker.example.com:5000
     ca_certs:
-    - domain: {{registry-mirror-domain}}  # e.g. registry.docker.example.com:5000
-      cert: {{docker-reg-ca-cert}}
+    - domain: ((registry-mirror-domain))  # e.g. registry.docker.example.com:5000
+      cert: ((docker-reg-ca-cert))
 
 jobs:
 - name: build-cookbook
   plan:
   - get: src-git
-    trigger: false
+    trigger: true
   - get: chefdk-cache
   - task: ci-build
     image: chefdk-cache
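Review bot: Switching `trigger: false` to `trigger: true` on L184 makes every commit matching the new `paths` filter start a build unattended, and the src-git resource is still fetched over `git://` (context line L160), a transport with no authentication or integrity protection, so a tampered fetch would now run `bundle install` and `rake` without anyone looking. If the host offers it, an `https://` or SSH form of the same `uri` closes that gap; confirm which transports are available before changing it. The `registry_mirror` value on L172 now carries the `https://` scheme itself, so the trailing comment `# e.g. https://registry.docker.example.com:5000` should show the bare domain as the comment on L176 does, otherwise a reader will set the var with a scheme and get `https://https://...`.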
@@ -31,23 +34,23 @@ jobs:
       #  type: docker-image
       #  source:
       #    repository: chef/chefdk
-      #    tag: 0.17.17
+      #    tag: ((chefdk-version))
           # NG, setting disable
-          #registry_mirror: {{registry-mirror}}
+          #registry_mirror: https://((registry-mirror-domain))
           #ca_certs:
-          #- domain: {{registry-mirror-domain}}
-          #  cert: {{docker-reg-ca-cert}}
+          #- domain: ((registry-mirror-domain))
+          #  cert: ((docker-reg-ca-cert))
 
       inputs:
       - name: src-git
 
       run:
-        #dir: ./src-git/cookbooks/concourse-ci
+        #dir: ./src-git/cookbooks/((cookbook-name))
         #path: rake
         path: /bin/bash
         args:
         - -c
         - |
-          cd ./src-git/cookbooks/concourse-ci
+          cd ./src-git/cookbooks/((cookbook-name))
           bundle install
           rake
diff --git a/cookbooks/concourse-ci/fly-vars.yml b/cookbooks/concourse-ci/fly-vars.yml
new file mode 100644 (file)
index 0000000..7e4703a
--- /dev/null
@@ -0,0 +1,3 @@
+---
+cookbook-name: concourse-ci
+chefdk-version: 0.17.17
index 7065579..cefadb1 100644 (file)
@@ -5,7 +5,7 @@ maintainer_email ''
 license          'Apache 2.0'
 description      'Installs/Configures Concourse CI by Docker Compose'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.9'
+version          '0.2.0'
 source_url       'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git'
 issues_url       'https://osdn.jp/projects/metasearch/ticket'
 
index 6f60512..9d4afe2 100644 (file)
@@ -154,6 +154,13 @@ override_config_srvs['concourse-web']['ports'] = ['8080:8080'] if web_ports.empt
 
 web_vols.push("#{node['concourse-ci']['docker-compose']['web_keys_dir']}:/concourse-keys")
 
+encryption_key = nil
+encryption_key_vault_item = node['concourse-ci']['docker-compose']['web_encryption_key_vault_item']
+unless encryption_key_vault_item.empty?
+  encryption_key = get_vault_item_value(encryption_key_vault_item)
+  web_envs['CONCOURSE_ENCRYPTION_KEY'] = '${CONCOURSE_ENCRYPTION_KEY}'
+end
+
 web_password_reset = node['concourse-ci']['docker-compose']['web_password_reset']
 basic_auth_passwd = nil
 web_password_vault_item = node['concourse-ci']['docker-compose']['web_password_vault_item']
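Review bot: The value returned by `get_vault_item_value` on L244 is passed straight through to the `.env` template without checking its size, although the README added in this commit says Concourse accepts only a 16- or 32-byte key; a wrong-length or whitespace-padded vault value would presumably surface only when the web container starts. A guard directly after the lookup, `raise ArgumentError, 'web_encryption_key_vault_item value must be 16 or 32 bytes' unless [16, 32].include?(encryption_key.to_s.bytesize)`, fails the Chef run with a clear message instead. The same unvalidated value is interpolated verbatim into `CONCOURSE_ENCRYPTION_KEY` in the `.env` template hunk of this commit, so a value containing a newline would also corrupt that file. That file ends up holding the key in clear next to the other secrets; the mode of the `env_file` template resource is outside this hunk, so confirm it stays restrictive.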
@@ -277,6 +284,7 @@ template env_file do
   variables(
     # secrets
     db_passwd: db_passwd,
+    encryption_key: encryption_key,
     basic_auth_passwd: basic_auth_passwd,
     oauth_client_id: oauth_client_id,
     oauth_client_secret: oauth_client_secret
index 9284402..7a5028e 100644 (file)
@@ -4,6 +4,9 @@
 #  - Do not use variable reference.
 -%>
 POSTGRES_PASSWORD=<%= @db_passwd %>
+<% unless @encryption_key.nil? %>
+CONCOURSE_ENCRYPTION_KEY=<%= @encryption_key %>
+<% end %>
 CONCOURSE_BASIC_AUTH_PASSWORD=<%= @basic_auth_passwd %>
 <% unless @oauth_client_id.nil? %>
 CONCOURSE_GENERIC_OAUTH_CLIENT_ID=<%= @oauth_client_id %>