4 This cookbook sets up a Concourse CI service by Docker Compose.
8 - [Requirements](#requirements)
9 - [platforms](#platforms)
10 - [packages](#packages)
11 - [cookbooks](#cookbooks)
12 - [Attributes](#attributes)
15 - [concourse-ci::default](#concourse-cidefault)
16 - [concourse-ci::fly](#concourse-cifly)
17 - [concourse-ci::docker-compose](#concourse-cidocker-compose)
18 - [Role Examples](#role-examples)
19 - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
20 - [Encryption key management by Chef Vault](#encryption-key-management-by-chef-vault)
21 - [OAuth client ID and secret management by Chef Vault](#oauth-client-id-and-secret-management-by-chef-vault)
22 - [License and Authors](#license-and-authors)
38 |Key|Type|Description, example|Default|
40 |`['concourse-ci']['fly']['version']`|String||`'3.3.4'`|
41 |`['concourse-ci']['fly']['release_url']`|String||`"https://github.com/concourse/concourse/releases/download/v#{node['concourse-ci']['fly']['version']}/fly_linux_amd64"`|
42 |`['concourse-ci']['fly']['release_checksum']`|String||`nil`|
43 |`['concourse-ci']['fly']['auto_upgrade']`|Boolean||`false`|
44 |`['concourse-ci']['fly']['install_path']`|String||`'/usr/local/bin/fly'`|
45 |`['concourse-ci']['with_ssl_cert_cookbook']`|Boolean|See `attributes/default.rb`|`false`|
46 |`['concourse-ci']['ssl_cert']['ca_names']`|Array|Internal CA names that are imported by the ssl_cert cookbook.|`[]`|
47 |`['concourse-ci']['ssl_cert']['common_name']`|String|Server common name for TLS|`node['fqdn']`|
48 |`['concourse-ci']['docker-image']['entrypoint']`|String|Concourse Docker image's entrypoint setting to import an internal CA certificate.|`'/usr/local/bin/dumb-init /usr/local/bin/concourse'`|
49 |`['concourse-ci']['docker-compose']['import_ca']`|Boolean|whether import internal CA certificates or not.|`false`|
50 |`['concourse-ci']['docker-compose']['app_dir']`|String||`"#{node['docker-grid']['compose']['app_dir']}/concourse"`|
51 |`['concourse-ci']['docker-compose']['pgdata_dir']`|String|Path string or nil (unset).|`"#{node['concourse-ci']['docker-compose']['app_dir']}/database"`|
52 |`['concourse-ci']['docker-compose']['web_keys_dir']`|String|Path string.|`"#{node['concourse-ci']['docker-compose']['app_dir']}/keys/web"`|
53 |`['concourse-ci']['docker-compose']['worker_keys_dir']`|String|Path string.|`"#{node['concourse-ci']['docker-compose']['app_dir']}/keys/worker"`|
54 |`['concourse-ci']['docker-compose']['pgdata_dir']`|String|Path string or nil (unset, non-persistent).|`"#{node['concourse-ci']['docker-compose']['app_dir']}/database"`|
55 |`['concourse-ci']['docker-compose']['db_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`|
56 |`['concourse-ci']['docker-compose']['db_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
57 |`['concourse-ci']['docker-compose']['web_encryption_key_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
58 |`['concourse-ci']['docker-compose']['web_password_reset']`|String|Only available if the password is automatically generated by Chef.|`false`|
59 |`['concourse-ci']['docker-compose']['web_password_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
60 |`['concourse-ci']['docker-compose']['web_oauth_client_id_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
61 |`['concourse-ci']['docker-compose']['web_oauth_client_secret_vault_item']`|Hash|See `attributes/default.rb`|`{}`|
62 |`['concourse-ci']['docker-compose']['ssh_keys_reset']`|String|Resets all SSH keys forcely.|`false`|
63 |`['concourse-ci']['docker-compose']['config_format_version']`|String|`docker-compose.yml` format version. `'1'` or `'2'`|`'1'`|
64 |`['concourse-ci']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
70 #### concourse-ci::default
72 This recipe does nothing.
74 #### concourse-ci::fly
76 This recipe installs the `fly` CLI and the `fly_prune_workers` command.
78 #### concourse-ci::docker-compose
80 This recipe generates SSH keys of each node and a `docker-compose.yml` file for the Concourse CI service.
84 - `roles/concourse.rb`
88 description 'Concourse'
92 'recipe[concourse-ci::docker-compose]',
95 image = 'concourse/concourse:latest'
100 'docker-compose' => {
101 # Version 1 docker-compose format (default)
109 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
110 # #"#{node['concourse-ci']['docker-compose']['web_keys_dir']}:/concourse-keys",
113 'CONCOURSE_EXTERNAL_URL' => "http://192.168.1.3:#{port}",
114 #'CONCOURSE_RESOURCE_CHECKING_INTERVAL' => '1m', # default
117 'concourse-worker' => {
120 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
121 # #"#{node['concourse-ci']['docker-compose']['worker_keys_dir']}:/concourse-keys",
126 # Version 2 docker-compose format
127 'config_format_version' => '2',
136 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
137 # #"#{node['concourse-ci']['docker-compose']['web_keys_dir']}:/concourse-keys",
140 'CONCOURSE_EXTERNAL_URL' => "http://192.168.1.3:#{port}",
141 #'CONCOURSE_RESOURCE_CHECKING_INTERVAL' => '1m', # default
144 'concourse-worker' => {
147 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
148 # #"#{node['concourse-ci']['docker-compose']['worker_keys_dir']}:/concourse-keys",
159 - `roles/concourse-with-ssl.rb`
162 name 'concourse-with-ssl'
163 description 'Concourse with SSL'
166 #'recipe[ssl_cert::server_key_pairs]', # concourse-ci cookbook < 0.2.2
168 'recipe[concourse-ci::docker-compose]',
171 image = 'concourse/concourse:2.6.0'
173 cn = 'concourse.io.example.com'
178 # cn, # concourse-ci cookbook < 0.2.3
182 'with_ssl_cert_cookbook' => true,
186 'docker-compose' => {
188 # Version 1 docker-compose format
195 'CONCOURSE_EXTERNAL_URL' => "https://192.168.1.3:#{port}",
196 'CONCOURSE_TLS_BIND_PORT' => '8443', # activate HTTPS
197 # These environments will be set by the concourse-ci::docker-compose recipe automatically.
198 #'CONCOURSE_TLS_CERT' => '/root/server.crt',
199 #'CONCOURSE_TLS_KEY' => '/root/server.key',
202 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
203 # #"#{node['concourse-ci']['docker-compose']['web_keys_dir']}:/concourse-keys",
204 # #"#{server_cert_path(node['concourse-ci']['ssl_cert']['common_name'])}:/root/server.crt:ro",
205 # #"#{server_key_path(node['concourse-ci']['ssl_cert']['common_name'])}:/root/server.key:ro",
208 'concourse-worker' => {
211 # # These volumes will be set by the concourse-ci::docker-compose recipe automatically.
212 # #"#{node['concourse-ci']['docker-compose']['worker_keys_dir']}:/concourse-keys",
221 - `roles/concourse-with-oauth.rb`
224 name 'concourse-with-oauth'
225 description 'Concourse with OAuth'
228 #'recipe[ssl_cert::ca_certs]', # concourse-ci cookbook < 0.2.2
229 'recipe[ssl_cert::server_key_pairs]',
231 'recipe[concourse-ci::docker-compose]',
234 image = 'concourse/concourse:latest'
237 cn = 'concourse.io.example.com'
238 gitlab_cn = 'gitlab.io.example.com'
243 # ca_name, # concourse-ci cookbook < 0.2.3
246 # cn, # concourse-ci cookbook < 0.2.3
250 'with_ssl_cert_cookbook' => true,
257 'docker-compose' => {
259 'web_oauth_client_id_vault_item' => {
260 'vault' => 'concourse',
261 'name' => 'web_oauth_client_id',
262 'env_context' => false,
265 'web_oauth_client_secret_vault_item' => {
266 'vault' => 'concourse',
267 'name' => 'web_oauth_client_secret',
268 'env_context' => false,
272 # Version 1 docker-compose format
279 'CONCOURSE_TLS_BIND_PORT' => '8443',
280 'CONCOURSE_EXTERNAL_URL' => "https://#{cn}:#{port}",
281 # OAuth for the default `main`` team
282 'CONCOURSE_GENERIC_OAUTH_DISPLAY_NAME' => 'GitLab',
283 # The following 2 variables are set automatically,
284 # if the ['concourse-ci']['docker-compose']['web_oauth_client_(id|secret)_vault_item'] attributes are specified.
285 #'CONCOURSE_GENERIC_OAUTH_CLIENT_ID' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_ID}',
286 #'CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET' => '${CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET}',
287 'CONCOURSE_GENERIC_OAUTH_AUTH_URL' => "https://#{gitlab_cn}/oauth/authorize",
288 'CONCOURSE_GENERIC_OAUTH_TOKEN_URL' => "https://#{gitlab_cn}/oauth/token",
297 ### SSL server keys and certificates management by ssl_cert cookbook
299 - create vault items.
302 $ ruby -rjson -e 'puts JSON.generate({"private" => File.read("concourse.io.example.com.prod.key")})' \
303 > > ~/tmp/concourse.io.example.com.prod.key.json
305 $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("concourse.io.example.com.prod.crt")})' \
306 > > ~/tmp/concourse.io.example.com.prod.crt.json
310 $ knife vault create ssl_server_keys concourse.io.example.com.prod \
311 > --json ~/tmp/concourse.io.example.com.prod.key.json
313 $ knife vault create ssl_server_certs concourse.io.example.com.prod \
314 > --json ~/tmp/concourse.io.example.com.prod.crt.json
317 - grant reference permission to the Concourse host
320 $ knife vault update ssl_server_keys concourse.io.example.com.prod -S 'name:concourse-host.example.com'
321 $ knife vault update ssl_server_certs concourse.io.example.com.prod -S 'name:concourse-host.example.com'
324 - modify run_list and attributes
328 #'recipe[ssl_cert::server_key_pairs]', # concourse-ci cookbook < 0.2.2
329 'recipe[concourse-ci::docker-compose]',
335 # 'concourse.io.example.com', # concourse-ci cookbook < 0.2.3
339 'with_ssl_cert_cookbook' => true,
341 'common_name' => 'concourse.io.example.com',
348 ### Encryption key management by Chef Vault
350 - create vault items.
353 # a 16 or 32-byte random character sequence.
354 $ cat ~/tmp/concourse_ekey.json
355 {"ekey":"********************************"}
357 $ knife vault create concourse web_encryption_key --json ~/tmp/concourse_ekey.json
360 - grant reference permission to the Concourse host
363 $ knife vault update concourse web_encryption_key -S 'name:concourse-host.example.com'
372 'docker-compose' => {
373 'web_encryption_key_vault_item' => {
374 'vault' => 'concourse',
375 'name' => 'web_encryption_key',
376 'env_context' => false,
385 ### OAuth client ID and secret management by Chef Vault
387 - create vault items.
390 $ cat ~/tmp/concourse_oauth_client_id.json
391 {"cid":"***************************************************************"}
392 $ cat ~/tmp/concourse_oauth_client_secret.json
393 {"secret":"***************************************************************"}
395 $ knife vault create concourse web_oauth_client_id --json ~/tmp/concourse_oauth_client_id.json
396 $ knife vault create concourse web_oauth_client_secret --json ~/tmp/concourse_oauth_client_secret.json
399 - grant reference permission to the Concourse host
402 $ knife vault update concourse web_oauth_client_id -S 'name:concourse-host.example.com'
403 $ knife vault update concourse web_oauth_client_secret -S 'name:concourse-host.example.com'
412 'docker-compose' => {
413 'web_oauth_client_id_vault_item' => {
414 'vault' => 'concourse',
415 'name' => 'web_oauth_client_id',
416 'env_context' => false,
419 'web_oauth_client_secret_vault_item' => {
420 'vault' => 'concourse',
421 'name' => 'web_oauth_client_secret',
422 'env_context' => false,
431 ## License and Authors
433 - Author:: whitestar at osdn.jp
436 Copyright 2017, whitestar
438 Licensed under the Apache License, Version 2.0 (the "License");
439 you may not use this file except in compliance with the License.
440 You may obtain a copy of the License at
442 http://www.apache.org/licenses/LICENSE-2.0
444 Unless required by applicable law or agreed to in writing, software
445 distributed under the License is distributed on an "AS IS" BASIS,
446 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
447 See the License for the specific language governing permissions and
448 limitations under the License.