From 73350b9e8244188146f26bbf66396ec65fc5b873 Mon Sep 17 00:00:00 2001 From: whitestar Date: Sat, 1 Jul 2017 10:05:30 +0900 Subject: [PATCH] adds the ['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] attribute (Encryption support: Concourse >= 3.1.0). --- cookbooks/concourse-ci/Berksfile | 2 -- cookbooks/concourse-ci/CHANGELOG.md | 5 +++ cookbooks/concourse-ci/README.md | 39 ++++++++++++++++++++++ cookbooks/concourse-ci/Rakefile | 1 + cookbooks/concourse-ci/attributes/default.rb | 19 +++++++++-- cookbooks/concourse-ci/concourse.yml | 27 ++++++++------- cookbooks/concourse-ci/fly-vars.yml | 3 ++ cookbooks/concourse-ci/metadata.rb | 2 +- cookbooks/concourse-ci/recipes/docker-compose.rb | 8 +++++ .../default/opt/docker-compose/app/concourse/.env | 3 ++ 10 files changed, 92 insertions(+), 17 deletions(-) create mode 100644 cookbooks/concourse-ci/fly-vars.yml diff --git a/cookbooks/concourse-ci/Berksfile b/cookbooks/concourse-ci/Berksfile index 7e6ac6c..9da25d9 100644 --- a/cookbooks/concourse-ci/Berksfile +++ b/cookbooks/concourse-ci/Berksfile @@ -14,8 +14,6 @@ # limitations under the License. # -# for ver. 3.x -#source 'https://gpm00.grid.example.com:6280' source 'https://supermarket.chef.io' metadata diff --git a/cookbooks/concourse-ci/CHANGELOG.md b/cookbooks/concourse-ci/CHANGELOG.md index bbb04a0..4c682dc 100644 --- a/cookbooks/concourse-ci/CHANGELOG.md +++ b/cookbooks/concourse-ci/CHANGELOG.md @@ -1,6 +1,11 @@ concourse-ci CHANGELOG ====================== +0.2.0 +----- +- adds the `['concourse-ci']['docker-compose']['web_encryption_key_vault_item']` attribute (Concourse >= 3.1.0). + - Encryption support: see https://concourse.ci/encryption.html + 0.1.9 ----- - improves CA certificates import feature. diff --git a/cookbooks/concourse-ci/README.md b/cookbooks/concourse-ci/README.md index b4b230a..9efce69 100644 --- a/cookbooks/concourse-ci/README.md +++ b/cookbooks/concourse-ci/README.md 
@@ -17,6 +17,7 @@ This cookbook sets up a Concourse CI service by Docker Compose. - [concourse-ci::docker-compose](#concourse-cidocker-compose) - [Role Examples](#role-examples) - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook) + - [Encryption key management by Chef Vault](#encryption-key-management-by-chef-vault) - [OAuth client ID and secret management by Chef Vault](#oauth-client-id-and-secret-management-by-chef-vault) - [License and Authors](#license-and-authors) @@ -53,6 +54,7 @@ This cookbook sets up a Concourse CI service by Docker Compose. |`['concourse-ci']['docker-compose']['pgdata_dir']`|String|Path string or nil (unset, non-persistent).|`"#{node['concourse-ci']['docker-compose']['app_dir']}/database"`| |`['concourse-ci']['docker-compose']['db_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`| |`['concourse-ci']['docker-compose']['db_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`| +|`['concourse-ci']['docker-compose']['web_encryption_key_vault_item']`|Hash|See `attributes/default.rb`|`{}`| |`['concourse-ci']['docker-compose']['web_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`| |`['concourse-ci']['docker-compose']['web_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`| |`['concourse-ci']['docker-compose']['web_oauth_client_id_vault_item']`|Hash|See `attributes/default.rb`|`{}`| 
@@ -313,6 +315,43 @@ override_attributes( ) ``` +### Encryption key management by Chef Vault + +- create vault items. + +```text +# a 16 or 32-byte random character sequence. +$ cat ~/tmp/concourse_ekey.json +{"ekey":"********************************"} + +$ knife vault create concourse web_encryption_key --json ~/tmp/concourse_ekey.json +``` + +- grant reference permission to the Concourse host + +```text +$ knife vault update concourse web_encryption_key -S 'name:concourse-host.example.com' +``` + +- modify attributes + +```ruby +override_attributes( + 'concourse-ci' => { + # ... + 'docker-compose' => { + 'web_encryption_key_vault_item' => { + 'vault' => 'concourse', + 'name' => 'web_encryption_key', + 'env_context' => false, + 'key' => 'ekey', + }, + # ... + }, + }, +) +``` + ### OAuth client ID and secret management by Chef Vault - create vault items. diff --git a/cookbooks/concourse-ci/Rakefile b/cookbooks/concourse-ci/Rakefile index 01d55dd..ddbe0eb 100644 --- a/cookbooks/concourse-ci/Rakefile +++ b/cookbooks/concourse-ci/Rakefile @@ -25,6 +25,7 @@ desc 'Publish cookbook' Stove::RakeTask.new(:publish) do |t| t.stove_opts = [ '--no-git', + '--log-level', 'info' ] end diff --git a/cookbooks/concourse-ci/attributes/default.rb b/cookbooks/concourse-ci/attributes/default.rb index 113930e..26091c3 100644 --- a/cookbooks/concourse-ci/attributes/default.rb +++ b/cookbooks/concourse-ci/attributes/default.rb 
@@ -48,6 +48,18 @@ default['concourse-ci']['docker-compose']['db_password_vault_item'] = { #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password" =end } +default['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] = { +=begin + 'vault' => 'concourse', + 'name' => 'encryption_key', + # single password or nested hash password path delimited by slash + 'env_context' => false, + 'key' => 'ekey', # real hash path: "/ekey" + # or nested hash password path delimited by slash + #'env_context' => true, + #'key' => 'hash/path/to/ekey', # real hash path: "/#{node.chef_environment}/hash/path/to/ekey" +=end +} default['concourse-ci']['docker-compose']['web_password_reset'] = false default['concourse-ci']['docker-compose']['web_password_vault_item'] = { =begin 
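Review bot: The example vault item inside the new `web_encryption_key_vault_item` block names the item `'encryption_key'`, while the README section added in the same commit creates and references `web_encryption_key`; one of the two should change, e.g. `'name' => 'web_encryption_key',`, so that copying the example out of either file works unchanged. The comment `# single password or nested hash password path delimited by slash` is carried over from the password attributes and still says "password" for what is an encryption key, and it sits above the first alternative while the nested-path comment is repeated below it; `# single key (16 or 32 bytes) or nested hash key path delimited by slash` would fix the wording and record the length constraint the README states. The attribute's effective default is the empty hash, which the recipe relies on through `.empty?`.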
@@ -121,13 +133,16 @@ version_1_config = { ], 'environment' => { #'CONCOURSE_TLS_BIND_PORT' => '8443', # activate HTTPS + # If the ['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] attributes are specified. + # the following variable is set automatically, + #'CONCOURSE_ENCRYPTION_KEY' => '${CONCOURSE_ENCRYPTION_KEY}', 'CONCOURSE_BASIC_AUTH_USERNAME' => 'concourse', # Note: You should use the `['concourse-ci']['docker-compose']['web_password_vault_item']` attribute. 'CONCOURSE_BASIC_AUTH_PASSWORD' => nil, # OAuth for the default `main`` team #'CONCOURSE_GENERIC_OAUTH_DISPLAY_NAME' => 'GitLab', - # The following 2 variables are set automatically, - # if the ['concourse-ci']['docker-compose']['web_oauth_client_(id|secret)_vault_item'] attributes are specified. + # If the ['concourse-ci']['docker-compose']['web_oauth_client_(id|secret)_vault_item'] attributes are specified. + # the following 2 variables are set automatically, #'CONCOURSE_GENERIC_OAUTH_CLIENT_ID' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_ID}', #'CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET}', #'CONCOURSE_GENERIC_OAUTH_AUTH_URL' => 'https://gitlab.io.example.com/oauth/authorize', diff --git a/cookbooks/concourse-ci/concourse.yml b/cookbooks/concourse-ci/concourse.yml index 62265a1..e75441d 100644 --- a/cookbooks/concourse-ci/concourse.yml +++ b/cookbooks/concourse-ci/concourse.yml 
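Review bot: The new comment above `CONCOURSE_ENCRYPTION_KEY` ends its first line with a period and continues in lowercase, `... are specified. the following variable is set automatically,`, and the reworded OAuth comment in the same hunk has the same inverted punctuation; suggested: `# If the ['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] attribute is specified,` / `# the following variable is set automatically.` ("attribute is" rather than "attributes are", since this one is a single attribute). The `'environment'` hash opened in this hunk closes outside it.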
@@ -1,26 +1,29 @@ --- -# $ fly -t target sp -p concourse-ci-cookbook -c concourse.yml -l ~/credentials.yml +# $ fly -t target sp -p concourse-ci-cookbook -c concourse.yml -l fly-vars.yml -l ~/credentials.yml resources: - name: src-git type: git source: uri: git://git.osdn.net/gitroot/metasearch/grid-chef-repo.git branch: master + paths: + - cookbooks/((cookbook-name)) - name: chefdk-cache type: docker-image source: repository: chef/chefdk - tag: 0.17.17 - registry_mirror: {{registry-mirror}} # e.g. https://registry.docker.example.com:5000 + tag: ((chefdk-version)) + # ((param)) style: fly >= 3.2.0 + registry_mirror: https://((registry-mirror-domain)) # e.g. https://registry.docker.example.com:5000 ca_certs: - - domain: {{registry-mirror-domain}} # e.g. registry.docker.example.com:5000 - cert: {{docker-reg-ca-cert}} + - domain: ((registry-mirror-domain)) # e.g. registry.docker.example.com:5000 + cert: ((docker-reg-ca-cert)) jobs: - name: build-cookbook plan: - get: src-git - trigger: false + trigger: true - get: chefdk-cache - task: ci-build image: chefdk-cache @@ -31,23 +34,23 @@ jobs: # type: docker-image # source: # repository: chef/chefdk - # tag: 0.17.17 + # tag: ((chefdk-version)) # NG, setting disable - #registry_mirror: {{registry-mirror}} + #registry_mirror: https://((registry-mirror-domain)) #ca_certs: - #- domain: {{registry-mirror-domain}} - # cert: {{docker-reg-ca-cert}} + #- domain: ((registry-mirror-domain)) + # cert: ((docker-reg-ca-cert)) inputs: - name: src-git run: - #dir: ./src-git/cookbooks/concourse-ci + #dir: ./src-git/cookbooks/((cookbook-name)) #path: rake path: /bin/bash args: - -c - | - cd ./src-git/cookbooks/concourse-ci + cd ./src-git/cookbooks/((cookbook-name)) bundle install rake diff --git a/cookbooks/concourse-ci/fly-vars.yml b/cookbooks/concourse-ci/fly-vars.yml new file mode 100644 index 0000000..7e4703a --- /dev/null +++ b/cookbooks/concourse-ci/fly-vars.yml 
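Review bot: With `trigger: false` changed to `trigger: true` in the first hunk, every new commit touching `cookbooks/((cookbook-name))` now runs `bundle install` and `rake` from the checkout automatically, yet the `src-git` resource still fetches over `uri: git://git.osdn.net/gitroot/metasearch/grid-chef-repo.git`, a cleartext protocol with no server authentication or transport integrity, so the auto-triggered build consumes unauthenticated input; switching to an `https://` or SSH URI for the same repository, if the host offers one, belongs with the auto-trigger change. The `paths:` filter is a sound way to limit triggers to this cookbook. `((registry-mirror-domain))` and `((docker-reg-ca-cert))` are not in the new fly-vars.yml, so they presumably still come from `~/credentials.yml` as the updated usage comment implies; a one-line comment in fly-vars.yml naming the variables expected from the credentials file would make the split explicit. The second hunk only updates the commented-out alternative and the `run:` path consistently.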
@@ -0,0 +1,3 @@ +--- +cookbook-name: concourse-ci +chefdk-version: 0.17.17 diff --git a/cookbooks/concourse-ci/metadata.rb b/cookbooks/concourse-ci/metadata.rb index 7065579..cefadb1 100644 --- a/cookbooks/concourse-ci/metadata.rb +++ b/cookbooks/concourse-ci/metadata.rb @@ -5,7 +5,7 @@ maintainer_email '' license 'Apache 2.0' description 'Installs/Configures Concourse CI by Docker Compose' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.9' +version '0.2.0' source_url 'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git' issues_url 'https://osdn.jp/projects/metasearch/ticket' diff --git a/cookbooks/concourse-ci/recipes/docker-compose.rb b/cookbooks/concourse-ci/recipes/docker-compose.rb index 6f60512..9d4afe2 100644 --- a/cookbooks/concourse-ci/recipes/docker-compose.rb +++ b/cookbooks/concourse-ci/recipes/docker-compose.rb @@ -154,6 +154,13 @@ override_config_srvs['concourse-web']['ports'] = ['8080:8080'] if web_ports.empt web_vols.push("#{node['concourse-ci']['docker-compose']['web_keys_dir']}:/concourse-keys") +encryption_key = nil +encryption_key_vault_item = node['concourse-ci']['docker-compose']['web_encryption_key_vault_item'] +unless encryption_key_vault_item.empty? + encryption_key = get_vault_item_value(encryption_key_vault_item) + web_envs['CONCOURSE_ENCRYPTION_KEY'] = '${CONCOURSE_ENCRYPTION_KEY}' +end + web_password_reset = node['concourse-ci']['docker-compose']['web_password_reset'] basic_auth_passwd = nil web_password_vault_item = node['concourse-ci']['docker-compose']['web_password_vault_item'] @@ -277,6 +284,7 @@ template env_file do variables( # secrets db_passwd: db_passwd, + encryption_key: encryption_key, basic_auth_passwd: basic_auth_passwd, oauth_client_id: oauth_client_id, oauth_client_secret: oauth_client_secret 
diff --git a/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env b/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env index 9284402..7a5028e 100644 --- a/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env +++ b/cookbooks/concourse-ci/templates/default/opt/docker-compose/app/concourse/.env @@ -4,6 +4,9 @@ # - Do not use variable reference. -%> POSTGRES_PASSWORD=<%= @db_passwd %> +<% unless @encryption_key.nil? %> +CONCOURSE_ENCRYPTION_KEY=<%= @encryption_key %> +<% end %> CONCOURSE_BASIC_AUTH_PASSWORD=<%= @basic_auth_passwd %> <% unless @oauth_client_id.nil? %> CONCOURSE_GENERIC_OAUTH_CLIENT_ID=<%= @oauth_client_id %> -- 2.11.0
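Review bot: `CONCOURSE_ENCRYPTION_KEY=<%= @encryption_key %>` writes the vault value raw into a `KEY=value` line, as the existing password lines do; a value carrying a trailing newline or surrounding whitespace (easy to pick up when the vault item is created from a file) corrupts that line or yields a key different from the one an operator believes is stored, and nothing in the recipe or template normalises it. Because Concourse needs the previous key to re-encrypt, a silent mismatch here is expensive to undo, so the template's header comment list (the `# - Do not use variable reference.` line is visible as context) is a good place for `# - CONCOURSE_ENCRYPTION_KEY: one line, exactly 16 or 32 bytes, no quoting.` The blank lines the `<% unless %>` / `<% end %>` tags leave in the generated file match the OAuth block, so that is consistent.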