From d9c423747f68cd575ab4e20830d805c3f5bf8475 Mon Sep 17 00:00:00 2001 From: whitestar Date: Sat, 25 Feb 2017 18:26:48 +0900 Subject: [PATCH] adds the `gitlab-grid::runner-docker-compose` recipe. --- cookbooks/gitlab-grid/CHANGELOG.md | 7 ++ cookbooks/gitlab-grid/README.md | 73 ++++++++++++++++++-- cookbooks/gitlab-grid/attributes/default.rb | 28 ++++++++ cookbooks/gitlab-grid/metadata.rb | 2 +- cookbooks/gitlab-grid/recipes/commons.rb | 28 +++++++- .../gitlab-grid/recipes/runner-docker-compose.rb | 77 ++++++++++++++++++++++ cookbooks/gitlab-grid/recipes/server.rb | 2 +- .../app/gitlab-runner/docker-compose.yml | 7 ++ nodes/local-gitlab-runner.json | 5 ++ roles/gitlab-runner.rb | 41 ++++++++++++ 10 files changed, 261 insertions(+), 9 deletions(-) create mode 100644 cookbooks/gitlab-grid/recipes/runner-docker-compose.rb create mode 100644 cookbooks/gitlab-grid/templates/default/opt/docker-compose/app/gitlab-runner/docker-compose.yml create mode 100644 nodes/local-gitlab-runner.json create mode 100644 roles/gitlab-runner.rb diff --git a/cookbooks/gitlab-grid/CHANGELOG.md b/cookbooks/gitlab-grid/CHANGELOG.md index 4cdea2f..2a9a404 100644 --- a/cookbooks/gitlab-grid/CHANGELOG.md +++ b/cookbooks/gitlab-grid/CHANGELOG.md @@ -1,5 +1,12 @@ # gitlab-grid CHANGELOG +0.1.2 +----- +- improves service management. +- adds the feature for container registry setup. +- adds the `['gitlab-grid']['ssl_cert']['registry']['reuse_gitlab_cn']` attribute. +- adds the `gitlab-grid::runner-docker-compose` recipe. + 0.1.1 ----- - improves the `gitlab-grid::server` recipe. diff --git a/cookbooks/gitlab-grid/README.md b/cookbooks/gitlab-grid/README.md index ef410cb..3363c3f 100644 --- a/cookbooks/gitlab-grid/README.md +++ b/cookbooks/gitlab-grid/README.md @@ -5,7 +5,6 @@ This cookbook sets up a GitLab server. ## Contents -- [Contents](#contents) - [Requirements](#requirements) - [platforms](#platforms) - [packages](#packages) 
@@ -15,7 +14,9 @@ This cookbook sets up a GitLab server. - [gitlab-grid::default](#gitlab-griddefault) - [gitlab-grid::server](#gitlab-gridserver) - [gitlab-grid::docker-compose (NOT supported yet)](#gitlab-griddocker-compose-not-supported-yet) + - [gitlab-grid::runner-docker-compose](#gitlab-gridrunner-docker-compose) - [Role Examples](#role-examples) + - [Internal CA certificates management by ssl_cert cookbook](#internal-ca-certificates-management-by-ssl_cert-cookbook) - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook) - [License and Authors](#license-and-authors) 
@@ -31,10 +32,17 @@ This cookbook sets up a GitLab server. |Key|Type|Description, example|Default| |:--|:--|:--|:--| -|`['gitlab-grid']['with_ssl_cert_cookbook']`|Boolean|If this attribute is true, `node['gitlab-grid']['gitlab.rb']` are are overridden by the following `common_name` attributes.|`false`| +|`['gitlab-grid']['with_ssl_cert_cookbook']`|Boolean|If this attribute is true, CA certificate and server key pairs are deployed and the `node['gitlab-grid']['gitlab.rb']` settings are overridden by the following `common_name` attributes.|`false`| +|`['gitlab-grid']['ssl_cert']['ca_name']`|String|Internal CA name that signs server certificates.|`nil`| |`['gitlab-grid']['ssl_cert']['common_name']`|String|GitLab server common name for TLS|`node['fqdn']`| +|`['gitlab-grid']['ssl_cert']['registry']['reuse_gitlab_common_name']`|Boolean|Reuse GitLab domain (same common name) for TLS|`false`| +|`['gitlab-grid']['ssl_cert']['registry']['common_name']`|String|Container registry service's unique common name for TLS|`nil`| |`['gitlab-grid']['gitlab.rb']`|Hash|`gitlab.rb` configurations.|See `attributes/default.rb`| -|`['gitlab-grid']['gitlab.rb_extra_config_str']`|String|`gitlab.rb` exstra configuration string (source code in Ruby).|`nil`| +|`['gitlab-grid']['gitlab.rb_extra_config_str']`|String|`gitlab.rb` extra configuration string (source code in Ruby).|`nil`| +|`['gitlab-grid']['runner-docker-compose']['import_ca']`|Boolean|Import an internal CA certificate to a gitlab-runner container or not.|`false`| +|`['gitlab-grid']['runner-docker-compose']['app_dir']`|String||`"#{node['docker-grid']['compose']['app_dir']}/gitlab-runner"`| +|`['gitlab-grid']['runner-docker-compose']['etc_dir']`|String||`"#{node['gitlab-grid']['runner-docker-compose']['app_dir']}/etc"`| +|`['gitlab-grid']['runner-docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`| ## Usage 
@@ -50,7 +58,11 @@ This recipe sets up a GitLab server. #### gitlab-grid::docker-compose (NOT supported yet) -This recipe generates a docker-compose.yml for the GitLab server. +This recipe generates a `docker-compose.yml` for the GitLab server. + +#### gitlab-grid::runner-docker-compose + +This recipe generates a `docker-compose.yml` for the gitlab-runner. ### Role Examples @@ -72,6 +84,7 @@ gitlab_cn = 'gitlab.io.example.com' override_attributes( 'gitlab-grid' => { + # See https://docs.gitlab.com/omnibus/settings/configuration.html 'gitlab.rb' => { 'external_url' => "http://#{gitlab_cn}", 'gitlab_rails' => { @@ -111,7 +124,7 @@ override_attributes( 'common_name' => gitlab_cn, }, 'gitlab.rb' => { - 'external_url' => "http://#{gitlab_cn}", + 'external_url' => "https://#{gitlab_cn}", 'gitlab_rails' => { 'time_zone' => 'Asia/Tokyo', }, @@ -123,6 +136,56 @@ override_attributes( ) ``` +- `roles/gitlab-runner.rb` + +```ruby +name 'gitlab-runner' +description 'GitLab-runner' + +run_list( + #'recipe[ssl_cert::ca_certs]', + 'role[docker]', + 'recipe[gitlab-grid::runner-docker-compose]', +) + +#env_run_lists() + +#default_attributes() + +ca_name = 'grid_ca' # Internal CA + +override_attributes( + 'ssl_cert' => { + 'ca_names' => [ + ca_name, + ], + }, + 'gitlab-grid' => { + #'with_ssl_cert_cookbook' => true, + 'ssl_cert' => { + 'ca_name' => ca_name, + }, + 'runner-docker-compose' => { + #'import_ca' => true, + 'config' => { + 'services' => { + 'runner' => { + 'volumes' => [ + # for Docker executor + '/var/run/docker.sock:/var/run/docker.sock', + ], + }, + }, + }, + }, + }, +) +``` + +### Internal CA certificates management by ssl_cert cookbook + +See https://supermarket.chef.io/cookbooks/ssl_cert + ### SSL server keys and certificates management by ssl_cert cookbook - create vault items. diff --git a/cookbooks/gitlab-grid/attributes/default.rb b/cookbooks/gitlab-grid/attributes/default.rb index defc886..a497884 100644 --- a/cookbooks/gitlab-grid/attributes/default.rb 
+++ b/cookbooks/gitlab-grid/attributes/default.rb
@@ -20,9 +20,16 @@ default['gitlab-grid']['with_ssl_cert_cookbook'] = false # If ['gitlab-grid']['with_ssl_cert_cookbook'] is true, # node['gitlab-grid']['gitlab.rb'] are overridden by the following 'common_name' attributes.
+default['gitlab-grid']['ssl_cert']['ca_name'] = nil
default['gitlab-grid']['ssl_cert']['common_name'] = node['fqdn']
+default['gitlab-grid']['ssl_cert']['registry'] = {
+ # Container Registry
+ 'reuse_gitlab_common_name' => false,
+ 'common_name' => nil,
+}
default['gitlab-grid']['gitlab.rb'] = { 'external_url' => "http://#{node['fqdn']}",
+ #'registry_external_url' => "https://#{node['fqdn']}:5000",
'gitlab_rails' => { 'time_zone' => 'UTC', },
@@ -65,3 +72,24 @@ external_url 'http://gitlab.io.example.com' }, }, }
+
+default['gitlab-grid']['runner-docker-compose']['import_ca'] = false
+default['gitlab-grid']['runner-docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/gitlab-runner"
+default['gitlab-grid']['runner-docker-compose']['etc_dir'] = "#{node['gitlab-grid']['runner-docker-compose']['app_dir']}/etc"
+default['gitlab-grid']['runner-docker-compose']['config'] = {
+ # Version 2 docker-compose format
+ 'version' => '2',
+ 'services' => {
+ 'runner' => {
+ 'container_name' => 'gitlab-runner',
+ 'image' => 'gitlab/gitlab-runner:latest',
+ 'restart' => 'always',
+ #'environment' => {
+ #},
+ 'volumes' => [
+ #"#{node['gitlab-grid']['runner-docker-compose']['etc_dir']}:/etc/gitlab-runner",
+ #'/var/run/docker.sock:/var/run/docker.sock',
+ ],
+ },
+ },
+}
diff --git a/cookbooks/gitlab-grid/metadata.rb b/cookbooks/gitlab-grid/metadata.rb
index a2da54a..842fbf7 100644
--- a/cookbooks/gitlab-grid/metadata.rb
+++ b/cookbooks/gitlab-grid/metadata.rb
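Review bot: The registry key defined in the first hunk is `reuse_gitlab_common_name`, but the CHANGELOG entry in this same commit calls it `['gitlab-grid']['ssl_cert']['registry']['reuse_gitlab_cn']`; `recipes/commons.rb` reads only the former, so a user who follows the changelog sets a key that is never read and, with `common_name` left at `nil`, ends up with no registry certificate configured and no error. One of the two names should be corrected. In the second hunk the default `'image' => 'gitlab/gitlab-runner:latest'` is an unpinned tag, so each `docker-compose up` may pull a different runner build; defaulting to a specific version tag (and saying so in `README.md`) keeps the CI host reproducible and the image change reviewable. A one-line comment next to `default['gitlab-grid']['ssl_cert']['ca_name'] = nil`, e.g. `# Internal CA name; read by runner-docker-compose when ['runner-docker-compose']['import_ca'] is true`, would tell readers what the new attribute is for.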
@@ -5,7 +5,7 @@ maintainer_email '' license 'Apache 2.0' description 'Installs/Configures gitlab-grid' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.1'
+version '0.1.2'
source_url 'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git' issues_url 'https://osdn.jp/projects/metasearch/ticket'
diff --git a/cookbooks/gitlab-grid/recipes/commons.rb b/cookbooks/gitlab-grid/recipes/commons.rb
index 9385607..84685bd 100644
--- a/cookbooks/gitlab-grid/recipes/commons.rb
+++ b/cookbooks/gitlab-grid/recipes/commons.rb
@@ -23,8 +23,32 @@ force_override_config = node.force_override['gitlab-grid']['gitlab.rb'] if node['gitlab-grid']['with_ssl_cert_cookbook'] ::Chef::Recipe.send(:include, SSLCert::Helper)
+ # GitLab
cn = node['gitlab-grid']['ssl_cert']['common_name']
+ cert_path = server_cert_path(cn)
+ key_path = server_key_path(cn)
force_override_config['external_url'] = config['external_url'].gsub('http://', 'https://')
- force_override_config['nginx']['ssl_certificate'] = server_cert_path(cn)
- force_override_config['nginx']['ssl_certificate_key'] = server_key_path(cn)
+ force_override_config['nginx']['ssl_certificate'] = cert_path
+ force_override_config['nginx']['ssl_certificate_key'] = key_path
+
+ # GitLab Container Registry
+ unless config['registry_external_url'].nil?
+ force_override_config['registry_external_url'] = config['registry_external_url'].gsub('http://', 'https://')
+ end
+
+ reg_cert_path = nil
+ reg_key_path = nil
+ if node['gitlab-grid']['ssl_cert']['registry']['reuse_gitlab_common_name']
+ reg_cert_path = cert_path
+ reg_key_path = key_path
+ else
+ reg_cn = node['gitlab-grid']['ssl_cert']['registry']['common_name']
+ unless reg_cn.nil?
+ reg_cert_path = server_cert_path(reg_cn)
+ reg_key_path = server_key_path(reg_cn)
+ end
+ end
+
+ force_override_config['registry_nginx']['ssl_certificate'] = reg_cert_path unless reg_cert_path.nil?
+ force_override_config['registry_nginx']['ssl_certificate_key'] = reg_key_path unless reg_key_path.nil?
end
diff --git a/cookbooks/gitlab-grid/recipes/runner-docker-compose.rb b/cookbooks/gitlab-grid/recipes/runner-docker-compose.rb
new file mode 100644
index 0000000..f6dff11
--- /dev/null
+++ b/cookbooks/gitlab-grid/recipes/runner-docker-compose.rb
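Review bot: `registry_external_url` is rewritten to `https://` whenever it is set, but `registry_nginx` only receives a key pair when `reuse_gitlab_common_name` is true or a registry `common_name` is given; with both at the defaults this commit introduces in `attributes/default.rb` (`false` and `nil`) the registry is advertised over TLS with no certificate configured, and the recipe reports nothing (whether Omnibus then falls back to the GitLab nginx key pair is not something this code checks). A warning where the paths are assigned would make the misconfiguration visible: `Chef::Log.warn('registry_external_url is set but no registry certificate is configured') if !config['registry_external_url'].nil? && reg_cert_path.nil?`. Also, `gsub('http://', 'https://')` replaces every occurrence in the string, while `sub` expresses the intent of swapping only the scheme. The `config` hash read here is defined before the hunk.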
@@ -0,0 +1,77 @@
+#
+# Cookbook Name:: gitlab-grid
+# Recipe:: runner-docker-compose
+#
+# Copyright 2017, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+doc_url = 'https://github.com/ayufan/gitlab-ci-multi-runner/blob/master/docs/install/docker.md'
+
+include_recipe 'docker-grid::compose'
+#include_recipe 'gitlab-grid::commons'
+
+config = node['gitlab-grid']['runner-docker-compose']['config']
+override_config = node.override['gitlab-grid']['runner-docker-compose']['config']
+#force_override_config = node.force_override['gitlab-grid']['runner-docker-compose']['config']
+app_dir = node['gitlab-grid']['runner-docker-compose']['app_dir']
+etc_dir = node['gitlab-grid']['runner-docker-compose']['etc_dir']
+certs_dir = "#{etc_dir}/certs"
+
+#envs = {}
+vols = config['services']['runner']['volumes'].to_a
+
+[
+ app_dir,
+ etc_dir,
+ certs_dir,
+].each {|dir|
+ resources(directory: dir) rescue directory dir do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ end
+}
+
+vols.push("#{etc_dir}:/etc/gitlab-runner")
+
+if node['gitlab-grid']['with_ssl_cert_cookbook'] && node['gitlab-grid']['runner-docker-compose']['import_ca']
+ ::Chef::Recipe.send(:include, SSLCert::Helper)
+ vols.push("#{ca_cert_path(node['gitlab-grid']['ssl_cert']['ca_name'])}:/etc/gitlab-runner/certs/ca.crt:ro")
+end
+
+override_config['services']['runner']['volumes'] = vols unless vols.empty?
+
+[
+ 'docker-compose.yml',
+].each {|conf_file|
+ template "#{app_dir}/#{conf_file}" do
+ source "opt/docker-compose/app/gitlab-runner/#{conf_file}"
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+}
+
+log <<-"EOM"
+Note: You must execute the following command manually.
+ See #{doc_url}
+ - Start:
+ $ cd #{app_dir}
+ $ docker-compose up -d
+ $ docker exec -it #{config['services']['runner']['container_name']} gitlab-runner register
+ - Stop
+ $ docker-compose down
+EOM
diff --git a/cookbooks/gitlab-grid/recipes/server.rb b/cookbooks/gitlab-grid/recipes/server.rb
index ceedf46..43c791d 100644
--- a/cookbooks/gitlab-grid/recipes/server.rb
+++ b/cookbooks/gitlab-grid/recipes/server.rb
@@ -42,7 +42,7 @@ when 'rhel' } [
- 'sshd',
+ #'sshd',
'postfix', ].each {|srv| resources(service: srv) rescue service srv do
diff --git a/cookbooks/gitlab-grid/templates/default/opt/docker-compose/app/gitlab-runner/docker-compose.yml b/cookbooks/gitlab-grid/templates/default/opt/docker-compose/app/gitlab-runner/docker-compose.yml
new file mode 100644
index 0000000..bb70583
--- /dev/null
+++ b/cookbooks/gitlab-grid/templates/default/opt/docker-compose/app/gitlab-runner/docker-compose.yml
@@ -0,0 +1,7 @@
+<%
+config = node['gitlab-grid']['runner-docker-compose']['config'].to_hash
+
+require 'yaml'
+yaml_str = config.to_yaml
+-%>
+<%= yaml_str %>
diff --git a/nodes/local-gitlab-runner.json b/nodes/local-gitlab-runner.json
new file mode 100644
index 0000000..53bc50b
--- /dev/null
+++ b/nodes/local-gitlab-runner.json
@@ -0,0 +1,5 @@
+{
+ "run_list": [
+ "role[gitlab-runner]"
+ ]
+}
diff --git a/roles/gitlab-runner.rb b/roles/gitlab-runner.rb
new file mode 100644
index 0000000..ec2f31e
--- /dev/null
+++ b/roles/gitlab-runner.rb
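Review bot: In `runner-docker-compose.rb`, `ca_cert_path(node['gitlab-grid']['ssl_cert']['ca_name'])` runs whenever `with_ssl_cert_cookbook` and `import_ca` are both true, yet `ca_name` defaults to `nil` in `attributes/default.rb` from this commit and nothing checks it, so the bind-mount source is built from a nil name (what `ca_cert_path` returns for nil is not visible here). A guard before the push, `raise "['gitlab-grid']['ssl_cert']['ca_name'] is required when ['gitlab-grid']['runner-docker-compose']['import_ca'] is true" if node['gitlab-grid']['ssl_cert']['ca_name'].nil?`, fails the run with a clear message instead of a broken volume entry. Separately, `docker-compose.yml` is rendered at `mode '0644'` from the entire `config` hash; the attributes leave an `environment` placeholder, and anything secret placed there (tokens, proxy credentials) would be world-readable on the host, which is worth stating in `README.md` or addressing with a tighter mode such as `'0640'`.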
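Review bot: Commenting out `'sshd'` silently removes it from the list of services the rhel branch of `server.rb` manages, and the only record of why is the CHANGELOG line "improves service management". A comment in place of the removed entry stating the reason, or a changelog line that names the behavior change, would help operators who relied on this recipe to keep the sshd service (and with it GitLab's SSH git access) managed. The enclosing `case`/`when 'rhel'` block starts before the hunk and the `.each` block ends after it.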
@@ -0,0 +1,41 @@
+name 'gitlab-runner'
+description 'GitLab-runner'
+
+run_list(
+ #'recipe[ssl_cert::ca_certs]',
+ 'role[docker]',
+ 'recipe[gitlab-grid::runner-docker-compose]',
+)
+
+#env_run_lists()
+
+#default_attributes()
+
+ca_name = 'grid_ca' # Internal CA
+
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_names' => [
+ ca_name,
+ ],
+ },
+ 'gitlab-grid' => {
+ #'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => ca_name,
+ },
+ 'runner-docker-compose' => {
+ #'import_ca' => true,
+ 'config' => {
+ 'services' => {
+ 'runner' => {
+ 'volumes' => [
+ # for Docker executor
+ '/var/run/docker.sock:/var/run/docker.sock',
+ ],
+ },
+ },
+ },
+ },
+)
-- 2.11.0
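Review bot: The `volumes` entry `/var/run/docker.sock:/var/run/docker.sock` hands the runner container the host's Docker daemon socket, which amounts to root-equivalent control of that host; the comment `# for Docker executor` says what the mount is for but not what it costs. A comment such as `# Exposes the host Docker daemon (root-equivalent) to the runner; keep this host dedicated to CI` beside the entry, and a sentence to the same effect in `README.md`, would make the trade-off explicit for anyone reusing the role. Note also that `ca_name` is set and `ssl_cert.ca_names` is populated while `with_ssl_cert_cookbook` and `import_ca` stay commented out, so by default no CA is imported into the runner; acceptable for a sample role, but a short comment saying which lines to uncomment together would avoid a half-enabled setup.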