
moves secrets from the `docker-compose.yml` file to the `.env` file. concourse-ci-0.1.3
authorwhitestar <whitestar@gaea.test>
Mon, 13 Feb 2017 08:11:27 +0000 (17:11 +0900)
committerwhitestar <whitestar@gaea.test>
Mon, 13 Feb 2017 08:11:27 +0000 (17:11 +0900)
cookbooks/concourse-ci/.rubocop.yml
cookbooks/concourse-ci/CHANGELOG.md
cookbooks/concourse-ci/attributes/default.rb
cookbooks/concourse-ci/metadata.rb
cookbooks/concourse-ci/recipes/docker-compose.rb
cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env [new file with mode: 0644]
cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/docker-compose.yml

index 4e84d82..40056ac 100644 (file)
@@ -43,5 +43,5 @@ Style/WordArray:
 #  Enabled: false
 #Style/MultilineOperationIndentation:
 #  Enabled: false
-#Style/PerlBackrefs:
-#  Enabled: false
+Style/PerlBackrefs:
+  Enabled: false
index 21b7ab6..a5c7850 100644 (file)
@@ -1,6 +1,10 @@
 concourse-ci CHANGELOG
 ======================
 
+0.1.3
+-----
+- moves secrets from the `docker-compose.yml` file to the `.env` file.
+
 0.1.2
 -----
 - ensures Kernel user namespace activation.
index f6f17e1..c2c4f13 100644 (file)
@@ -92,9 +92,9 @@ version_1_config = {
       'CONCOURSE_BASIC_AUTH_PASSWORD' => nil,
       # If you sepecify no value, Chef will sets "http://#{node['ipaddress']}:8080".
       'CONCOURSE_EXTERNAL_URL' => nil,
-      # `<POSTGRES_PASSWORD>` is a placeholder of password string.
+      # `${POSTGRES_PASSWORD}` is a placeholder of password string.
       'CONCOURSE_POSTGRES_DATA_SOURCE' => \
-        'postgres://concourse:<POSTGRES_PASSWORD>@concourse-db:5432/concourse?sslmode=disable',
+        'postgres://concourse:${POSTGRES_PASSWORD}@concourse-db:5432/concourse?sslmode=disable',
     },
   },
   'concourse-worker' => {
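Review bot: The rewritten comment `# \`${POSTGRES_PASSWORD}\` is a placeholder of password string.` does not say who expands the placeholder, and a reader tuning this attribute may assume Chef interpolates it, whereas the recipe in this commit only rewrites the legacy `<POSTGRES_PASSWORD>` form to this one and leaves expansion to Docker Compose via the generated `.env`. Suggest `# ${POSTGRES_PASSWORD} is resolved by Docker Compose from the generated .env file, not by Chef; the legacy <POSTGRES_PASSWORD> form is still rewritten to it.` The neighbouring context comment also carries a typo (`sepecify`, `will sets`) that could be fixed in the same pass.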
index 7e1a1c0..1e7c95b 100644 (file)
@@ -5,7 +5,7 @@ maintainer_email ''
 license          'Apache 2.0'
 description      'Installs/Configures Concourse CI by Docker Compose'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.2'
+version          '0.1.3'
 source_url       'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git'
 issues_url       'https://osdn.jp/projects/metasearch/ticket'
 
index 4a83ced..a12fcf5 100644 (file)
@@ -70,7 +70,19 @@ bash 'ssh-keygen_keys' do
   end
 end
 
+env_file = "#{app_dir}/.env"
 config_file = "#{app_dir}/docker-compose.yml"
+
+env_local = nil
+if File.exist?(env_file)
+  env_local = {}
+  File.open(env_file) do |file|
+    file.each_line do |line|
+      env_local[$1] = $2 if line =~ /^(.*)=(.*)$/
+    end
+  end
+end
+
 config_srvs_local = nil
 if File.exist?(config_file)
   require 'yaml'
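Review bot: The `.env` reader at `env_local[$1] = $2 if line =~ /^(.*)=(.*)$/` splits on the last `=` because the first capture is greedy, so a value containing `=` (possible for a vault- or attribute-supplied password, though not for the `SecureRandom.hex` default) is stored under the wrong key with a truncated value, and on the next converge the `.env` fallback would miss it and a fresh password would presumably be generated instead of the existing one being preserved. Restricting the key capture avoids this: `env_local[$1] = $2 if line.chomp =~ /\A([^=]+)=(.*)\z/`. The same regex also accepts comment lines beginning with `#`, which the shipped template never emits, so that only matters for a hand-edited file. The `if File.exist?(config_file)` block that opens at the end of the hunk continues past it.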
@@ -95,27 +107,33 @@ db_envs_org = config_srvs['concourse-db']['environment']
 db_envs = {}
 db_vols = config_srvs['concourse-db']['volumes'].to_a
 
+db_password_reset = node['concourse-ci']['docker-compose']['db_password_reset']
 db_passwd = nil
 db_password_vault_item = node['concourse-ci']['docker-compose']['db_password_vault_item']
 if !db_password_vault_item.empty?
-  # 1.
+  # 1. from Chef Vault (recommended).
   db_passwd = get_vault_item_value(db_password_vault_item)
 else
-  # 2.
+  # 2. from Chef attribute (NOT recommended).
   db_passwd = db_envs_org['POSTGRES_PASSWORD']
   if db_passwd.nil? || db_passwd.empty?
     db_passwd = \
-      if !config_srvs_local.nil? && !node['concourse-ci']['docker-compose']['db_password_reset']
-        # 3.
+      if !config_srvs_local.nil? \
+        && config_srvs_local['concourse-db']['environment']['POSTGRES_PASSWORD'] != '${POSTGRES_PASSWORD}' \
+        && !db_password_reset
+        # 3. preserve it from the local docker-compose.yml file for backward compatibility.
         config_srvs_local['concourse-db']['environment']['POSTGRES_PASSWORD']
+      elsif !env_local.nil? && !env_local['POSTGRES_PASSWORD'].nil? && !db_password_reset
+        # 4. preserve it from the local .env file.
+        env_local['POSTGRES_PASSWORD']
       else
-        # 4.
+        # 5. auto generate.
         SecureRandom.hex  # or urlsafe_base64
       end
   end
 end
 # prevent Chef from logging password attribute value. (=> template variables)
-#db_envs['POSTGRES_PASSWORD'] = db_passwd
+db_envs['POSTGRES_PASSWORD'] = '${POSTGRES_PASSWORD}'
 
 db_vols.push("#{pgdata_dir}:#{db_envs_org['PGDATA']}") if !pgdata_dir.nil? && !pgdata_dir.empty?
 
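Review bot: Branch 3 at `&& config_srvs_local['concourse-db']['environment']['POSTGRES_PASSWORD'] != '${POSTGRES_PASSWORD}'` treats any non-placeholder value as a password worth preserving, including nil or an empty string, so a hand-edited or partially written docker-compose.yml short-circuits the `.env` lookup in branch 4 and `db_passwd` ends up nil or empty, rendering an empty `POSTGRES_PASSWORD=` line (a missing `environment` key would raise NoMethodError, as before this change). Hoisting the lookup and checking presence closes that: `local_pw = config_srvs_local['concourse-db']['environment']['POSTGRES_PASSWORD']` followed by `if !local_pw.nil? && !local_pw.empty? && local_pw != '${POSTGRES_PASSWORD}' && !db_password_reset`. The web-password branch in the next hunk (the condition ending `!= '${CONCOURSE_BASIC_AUTH_PASSWORD}'`) has the same shape and needs the same fix. A comment on `db_envs['POSTGRES_PASSWORD'] = '${POSTGRES_PASSWORD}'` would also help, since the value reads like an unexpanded interpolation: `# literal Compose variable; the real value lives only in .env (mode 0600)`.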
@@ -132,35 +150,41 @@ web_vols = config_srvs['concourse-web']['volumes'].to_a
 web_ports = config_srvs['concourse-web']['ports']
 override_config_srvs['concourse-web']['ports'] = ['8080:8080'] if web_ports.empty?
 
+web_password_reset = node['concourse-ci']['docker-compose']['web_password_reset']
 basic_auth_passwd = nil
 web_password_vault_item = node['concourse-ci']['docker-compose']['web_password_vault_item']
 if !web_password_vault_item.empty?
-  # 1.
+  # 1. from Chef Vault (recommended).
   basic_auth_passwd = get_vault_item_value(web_password_vault_item)
 else
-  # 2.
+  # 2. from Chef attribute (NOT recommended).
   basic_auth_passwd = web_envs_org['CONCOURSE_BASIC_AUTH_PASSWORD']
   if basic_auth_passwd.nil? || basic_auth_passwd.empty?
     basic_auth_passwd = \
-      if !config_srvs_local.nil? && !node['concourse-ci']['docker-compose']['web_password_reset']
-        # 3.
+      if !config_srvs_local.nil? \
+        && config_srvs_local['concourse-web']['environment']['CONCOURSE_BASIC_AUTH_PASSWORD'] != '${CONCOURSE_BASIC_AUTH_PASSWORD}' \
+        && !web_password_reset
+        # 3. preserve it from the local docker-compose.yml file for backward compatibility.
         config_srvs_local['concourse-web']['environment']['CONCOURSE_BASIC_AUTH_PASSWORD']
+      elsif !env_local.nil? && !env_local['CONCOURSE_BASIC_AUTH_PASSWORD'].nil? && !web_password_reset
+        # 4. preserve it from the local .env file.
+        env_local['CONCOURSE_BASIC_AUTH_PASSWORD']
       else
-        # 4.
+        # 5. auto generate.
         SecureRandom.hex  # or urlsafe_base64
       end
   end
 end
 # prevent Chef from logging password attribute value. (=> template variables)
-#web_envs['CONCOURSE_BASIC_AUTH_PASSWORD'] = basic_auth_passwd
+web_envs['CONCOURSE_BASIC_AUTH_PASSWORD'] = '${CONCOURSE_BASIC_AUTH_PASSWORD}'
 
 external_url = web_envs_org['CONCOURSE_EXTERNAL_URL']
 web_envs['CONCOURSE_EXTERNAL_URL'] = "http://#{node['ipaddress']}:8080" if external_url.nil?
 
 data_source = web_envs_org['CONCOURSE_POSTGRES_DATA_SOURCE']
-data_source = data_source.gsub(/<POSTGRES_PASSWORD>/, db_passwd)
-# prevent Chef from logging password attribute value. (=> template variables)
-#web_envs['CONCOURSE_POSTGRES_DATA_SOURCE'] = data_source
+# for backward compatibility.
+data_source = data_source.gsub(/<POSTGRES_PASSWORD>/, '${POSTGRES_PASSWORD}')
+web_envs['CONCOURSE_POSTGRES_DATA_SOURCE'] = data_source
 
 if node['concourse-ci']['with_ssl_cert_cookbook']
   ::Chef::Recipe.send(:include, SSLCert::Helper)
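Review bot: The comment `# for backward compatibility.` above `data_source = data_source.gsub(/<POSTGRES_PASSWORD>/, '${POSTGRES_PASSWORD}')` does not say what it is compatible with or why the result may now go straight into `web_envs`; suggest `# backward compatibility: rewrite the legacy '<POSTGRES_PASSWORD>' attribute placeholder to the Compose variable form resolved from .env; the string holds no secret, so it needs no sensitive handling.` Because the value is now expanded by Compose at run time rather than by Chef, a vault- or attribute-supplied password containing URL-reserved characters would still yield an invalid data-source URL, as it presumably did before this change, so that limitation is worth stating in the same comment.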
@@ -177,20 +201,27 @@ force_override_config_srvs['concourse-web']['environment'] = web_envs unless web
 # reset vlumes array.
 override_config_srvs['concourse-web']['volumes'] = web_vols unless web_vols.empty?
 
-template config_file do
-  source  'opt/docker-compose/app/concourse/docker-compose.yml'
+template env_file do
+  source 'opt/docker-compose/app/concourse/.env'
   owner 'root'
   group 'root'
   mode '0600'
   sensitive true
   # prevent Chef from logging password attribute value.
   variables(
+    # secrets
     db_passwd: db_passwd,
-    basic_auth_passwd: basic_auth_passwd,
-    data_source: data_source
+    basic_auth_passwd: basic_auth_passwd
   )
 end
 
+template config_file do
+  source  'opt/docker-compose/app/concourse/docker-compose.yml'
+  owner 'root'
+  group 'root'
+  mode '0600'
+end
+
 log <<-"EOM"
 Note: You must execute the following command manually.
   See #{doc_url}
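Review bot: The new `template config_file do ... mode '0600'` resource drops `sensitive true`, which is only correct because the rendered yaml now carries Compose placeholders (`'${POSTGRES_PASSWORD}'`, `'${CONCOURSE_BASIC_AUTH_PASSWORD}'`) rather than the secrets; since the template in the last file of this commit dumps the entire `config` attribute, any other secret an operator puts into that attribute would now be logged on change, so the assumption deserves a comment: `# not sensitive: secrets are Compose variables resolved from .env, which stays sensitive`. Keeping `mode '0600'` on the yaml regardless seems reasonable. Minor style: `source  'opt/docker-compose/app/concourse/docker-compose.yml'` keeps a double space while the new `.env` resource above uses a single one. The `log` heredoc continues past the hunk.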
diff --git a/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env b/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env
new file mode 100644 (file)
index 0000000..0244fff
--- /dev/null
@@ -0,0 +1,7 @@
+<%
+# Note in this file:
+#  - Do not use quatation marks (' or ").
+#  - Do not use variable reference.
+-%>
+POSTGRES_PASSWORD=<%= @db_passwd %>
+CONCOURSE_BASIC_AUTH_PASSWORD=<%= @basic_auth_passwd %>
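Review bot: The value lines `POSTGRES_PASSWORD=<%= @db_passwd %>` and `CONCOURSE_BASIC_AUTH_PASSWORD=<%= @basic_auth_passwd %>` interpolate the secret verbatim and nothing enforces the rules in the header comment: a vault- or attribute-supplied value containing a newline would inject an extra line, surrounding quotes would be taken literally, and an `=` would be mis-split by the recipe's own reader on the next converge (the `SecureRandom.hex` default is always safe). A guard in the recipe before rendering fails early instead of writing a broken file, for example `raise ArgumentError, 'POSTGRES_PASSWORD must be a non-empty single line' if db_passwd.to_s.empty? || db_passwd.to_s.include?("\n")`, which also covers the case where `get_vault_item_value` (defined outside this commit) returns nil and the line would render as an empty `POSTGRES_PASSWORD=`. The header comment has a typo, `quatation` should be `quotation`, and `Do not use variable reference` would be clearer as `Do not reference other variables ($VAR)`.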
index 240a87a..623d8a8 100644 (file)
@@ -1,20 +1,5 @@
 <%
-config_format_version = node['concourse-ci']['docker-compose']['config_format_version']
-config = node['concourse-ci']['docker-compose']['config'].to_hash
-
-config_srvs = \
-  if config_format_version == '1'
-    config
-  elsif config_format_version == '2'
-    config['services']
-  end
-
-# prevent Chef from logging password attribute value.
-config_srvs['concourse-db']['environment']['POSTGRES_PASSWORD'] = @db_passwd
-config_srvs['concourse-web']['environment']['CONCOURSE_BASIC_AUTH_PASSWORD'] = @basic_auth_passwd
-config_srvs['concourse-web']['environment']['CONCOURSE_POSTGRES_DATA_SOURCE'] = @data_source
-
 require 'yaml'
-yaml_str = config.to_yaml
+yaml_str = node['concourse-ci']['docker-compose']['config'].to_hash.to_yaml
 -%>
 <%= yaml_str %>