This cookbook sets up a Screwdriver CI/CD service with Docker Compose.
- [Contents](#contents)
- [Requirements](#requirements)
  - [platforms](#platforms)
  - [packages](#packages)
  - [cookbooks](#cookbooks)
- [Attributes](#attributes)
- [screwdriver::default](#screwdriverdefault)
- [screwdriver::docker-compose](#screwdriverdocker-compose)
- [Role Examples](#role-examples)
- [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
- [JWT private and public keys management by Chef Vault](#jwt-private-and-public-keys-management-by-chef-vault)
- [Cookie password management by Chef Vault](#cookie-password-management-by-chef-vault)
- [Secrets encryption password management by Chef Vault](#secrets-encryption-password-management-by-chef-vault)
- [Database username management (for MySQL, PostgreSQL,...) by Chef Vault](#database-username-management-for-mysql-postgresql-by-chef-vault)
- [Database password management (for MySQL, PostgreSQL,...) by Chef Vault](#database-password-management-for-mysql-postgresql-by-chef-vault)
- [Database root password management (for MySQL, PostgreSQL,...) by Chef Vault](#database-root-password-management-for-mysql-postgresql-by-chef-vault)
- [S3 (compatible) server access key management by Chef Vault](#s3-compatible-server-access-key-management-by-chef-vault)
- [OAuth client ID, secret and GitHub webhook secret management by Chef Vault](#oauth-client-id-secret-and-github-webhook-secret-management-by-chef-vault)
- [Database Initialization](#database-initialization)
- [License and Authors](#license-and-authors)
|Key|Type|Description, example|Default|
|---|---|---|---|
|`['screwdriver']['with_ssl_cert_cookbook']`|Boolean|See `attributes/default.rb`|`false`|
|`['screwdriver']['ssl_cert']['ca_names']`|Array|Internal CA names that are imported by the ssl_cert cookbook.|`[]`|
|`['screwdriver']['ssl_cert']['common_name']`|String|Server common name for TLS|`node['fqdn']`|
|`['screwdriver']['jwt_private_key_vault_item']`|Hash|Optional, Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['jwt_public_key_vault_item']`|Hash|Optional, Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['cookie_password_vault_item']`|Hash|Optional, Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['password_vault_item']`|Hash|Optional, Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['db_username_vault_item']`|Hash|Optional, Sets a database username from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['db_password_vault_item']`|Hash|Optional, Sets a database password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['db_root_password_vault_item']`|Hash|Optional, Sets a database password for the root user from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['s3_access_key_id_vault_item']`|Hash|Optional, Sets an S3 access key ID from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['s3_access_key_secret_vault_item']`|Hash|Optional, Sets an S3 access key secret from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['ui']['tls_setup_mode']`|String|`'reverseproxy'` only. Note: [_Add TLS support to UI docker container #377_](https://github.com/screwdriver-cd/screwdriver/issues/377)|`'reverseproxy'`|
|`['screwdriver']['api']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the API Docker container.|See `attributes/default.rb`|
|`['screwdriver']['api']['scms_vault_items']`|Hash|This hash contains Chef Vault item definitions of the SCMs' secrets.|See `attributes/default.rb`|
|`['screwdriver']['store']['backend']`|String|`nil` (in memory) or `'minio'`.|`nil`|
|`['screwdriver']['store']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the Store Docker container.|See `attributes/default.rb`|
|`['screwdriver']['docker-compose']['import_ca']`|Boolean|Whether to import internal CA certificates.|`false`|
|`['screwdriver']['docker-compose']['app_dir']`|String|Path string.|`"#{node['docker-grid']['compose']['app_dir']}/screwdriver"`|
|`['screwdriver']['docker-compose']['bin_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/bin"`|
|`['screwdriver']['docker-compose']['config_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/config"`|
|`['screwdriver']['docker-compose']['data_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/data"`|
|`['screwdriver']['docker-compose']['etc_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/etc"`|
|`['screwdriver']['docker-compose']['jwt_private_key_reset']`|Boolean|Only available if the JWT key pair is automatically generated by Chef.|`false`|
|`['screwdriver']['docker-compose']['jwt_private_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_private_key_vault_item']`. Optional, Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['jwt_public_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_public_key_vault_item']`. Optional, Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['cookie_password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['cookie_password_vault_item']`. Optional, Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['password_vault_item']`. Optional, Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_id_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required, Sets an OAuth client ID for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required, Sets an OAuth client secret for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['webhook_github_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required for GitHub, Sets a secret for the GitHub webhook from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
#### screwdriver::default
This recipe does nothing.
#### screwdriver::docker-compose
This recipe generates a JWT key pair and a `docker-compose.yml` file for the Screwdriver CI/CD service.
- `roles/screwdriver.rb`

```ruby
description 'screwdriver'
'recipe[screwdriver::docker-compose]',
'plugin' => 'docker',
# The host's Docker socket: anything that can reach it controls the host Docker daemon (root-equivalent on the host).
'socketPath' => '/var/run/docker.sock',
'launchVersion' => 'stable',
'plugin' => 'github',
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'username' => 'ci-tool',
'email' => 'citool@mail.example.com',
'privateRepo' => false,
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'docker-compose' => {
# This disables TLS certificate verification for the whole Node process, not only for the self-signed certificate.
# Prefer importing the internal CA instead (['screwdriver']['docker-compose']['import_ca'] with ['screwdriver']['ssl_cert']['ca_names']).
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# This variable will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
```
- `roles/screwdriver-with-ssl.rb`

```ruby
name 'screwdriver-with-ssl'
description 'screwdriver with SSL'
cn = 'screwdriver.io.example.com'
'recipe[screwdriver::docker-compose]',
# cn, # screwdriver cookbook < 0.2.2
'with_ssl_cert_cookbook' => true,
'plugin' => 'docker',
# The host's Docker socket: anything that can reach it controls the host Docker daemon (root-equivalent on the host).
'socketPath' => '/var/run/docker.sock',
'launchVersion' => 'stable',
'plugin' => 'github',
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'username' => 'ci-tool',
'email' => 'citool@mail.example.com',
'privateRepo' => false,
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'docker-compose' => {
# This disables TLS certificate verification for the whole Node process, not only for the self-signed certificate.
# Prefer importing the internal CA instead (['screwdriver']['docker-compose']['import_ca'] with ['screwdriver']['ssl_cert']['ca_names']).
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
```
### SSL server keys and certificates management by ssl_cert cookbook
- create vault items.

```
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver.io.example.com.prod.key")})' \
> > ~/sec/tmp/screwdriver.io.example.com.prod.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver.io.example.com.prod.crt")})' \
> > ~/sec/tmp/screwdriver.io.example.com.prod.crt.json
$ knife vault create ssl_server_keys screwdriver.io.example.com.prod \
> --json ~/sec/tmp/screwdriver.io.example.com.prod.key.json
$ knife vault create ssl_server_certs screwdriver.io.example.com.prod \
> --json ~/sec/tmp/screwdriver.io.example.com.prod.crt.json
```

- grant the screwdriver host permission to read the vault items

```
$ knife vault update ssl_server_keys screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
$ knife vault update ssl_server_certs screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
```

```ruby
# 'screwdriver.io.example.com', # screwdriver cookbook < 0.2.2
'with_ssl_cert_cookbook' => true,
'common_name' => 'screwdriver.io.example.com',
```
### JWT private and public keys management by Chef Vault
- create vault items.

```
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver_jwt_private.key")})' \
> > ~/sec/tmp/screwdriver_jwt_private.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver_jwt_public.key")})' \
> > ~/sec/tmp/screwdriver_jwt_public.key.json
$ knife vault create screwdriver jwt_private_key \
> --json ~/sec/tmp/screwdriver_jwt_private.key.json
$ knife vault create screwdriver jwt_public_key \
> --json ~/sec/tmp/screwdriver_jwt_public.key.json
```

- grant the screwdriver host permission to read the vault items (the item names must match the `'name'` values in the role attributes below)

```
$ knife vault update screwdriver jwt_private_key -S 'name:screwdriver-host.example.com'
$ knife vault update screwdriver jwt_public_key -S 'name:screwdriver-host.example.com'
```

```ruby
'jwt_private_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_private_key',
'env_context' => false,
'jwt_public_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_public_key',
'env_context' => false,
```
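The steps above take an existing key pair on disk and wrap each file into the JSON document that `knife vault create` uploads. The following Ruby script is an added example, not part of this cookbook or of Screwdriver: it generates the pair, produces the same two JSON documents (`{"private": ...}` and `{"public": ...}`), and checks that the public key actually verifies a signature made with the private key before anything is uploaded, so a stale or mismatched public key JSON is caught locally. It assumes an RSA key pair (Screwdriver signs its JWTs with RSA; that choice is an assumption here, not stated by this page), and the output directory and file names are the ones used by the knife commands above.

```ruby
require 'openssl'
require 'json'

# Generate an RSA key pair and return the two JSON documents consumed by
#   knife vault create screwdriver jwt_private_key --json ...
#   knife vault create screwdriver jwt_public_key  --json ...
# Assumption: Screwdriver signs its JWTs with RSA (RS256), so an RSA key is used.
def build_jwt_vault_items(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  {
    private_json: JSON.generate('private' => key.to_pem),
    public_json: JSON.generate('public' => key.public_key.to_pem)
  }
end

# Sanity check before uploading: the public key must verify a signature made
# with the private key. A false result means the two JSON files do not belong
# to the same pair (e.g. one of them is left over from an earlier rotation).
def key_pair_consistent?(private_json, public_json)
  priv = OpenSSL::PKey::RSA.new(JSON.parse(private_json).fetch('private'))
  pub = OpenSSL::PKey::RSA.new(JSON.parse(public_json).fetch('public'))
  probe = 'screwdriver jwt key pair probe'
  sig = priv.sign(OpenSSL::Digest.new('SHA256'), probe)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, probe)
end

# Write both JSON files into the directory used by the knife commands.
# The private key JSON is a secret, so it is created with mode 0600.
def write_jwt_vault_items(dir, items)
  paths = {
    private: File.join(dir, 'screwdriver_jwt_private.key.json'),
    public: File.join(dir, 'screwdriver_jwt_public.key.json')
  }
  File.open(paths[:private], 'w', 0o600) { |f| f.write(items[:private_json]) }
  File.open(paths[:public], 'w', 0o644) { |f| f.write(items[:public_json]) }
  paths
end

# Usage: SCREWDRIVER_JWT_OUT=~/sec/tmp ruby jwt_vault_items.rb
# (hypothetical script name; nothing is written unless the variable is set)
if (out = ENV['SCREWDRIVER_JWT_OUT'])
  items = build_jwt_vault_items
  raise 'generated key pair failed its own verification' unless
    key_pair_consistent?(items[:private_json], items[:public_json])
  write_jwt_vault_items(File.expand_path(out), items).each_value { |p| puts p }
end
```

After running it, the two `knife vault create` commands above are used unchanged; `key_pair_consistent?` can also be run against the files produced by the `ruby -rjson` one-liners when the pair was generated elsewhere.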
### Cookie password management by Chef Vault
- create vault items.

```
# A password used for encrypting session data. Needs to be a minimum of 32 characters.
$ cat ~/sec/tmp/screwdriver_cookie_password.json
{"password":"********************************"}
$ knife vault create screwdriver cookie_password --json ~/sec/tmp/screwdriver_cookie_password.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver cookie_password -S 'name:screwdriver-host.example.com'
```

```ruby
'cookie_password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'cookie_password',
'env_context' => false,
```

### Secrets encryption password management by Chef Vault
- create vault items.

```
# A password used for encrypting stored secrets. Needs to be a minimum of 32 characters.
$ cat ~/sec/tmp/screwdriver_password.json
{"password":"********************************"}
$ knife vault create screwdriver password --json ~/sec/tmp/screwdriver_password.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver password -S 'name:screwdriver-host.example.com'
```

```ruby
'password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'password',
'env_context' => false,
```
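Both the cookie password and the secrets encryption password above must be at least 32 characters, and both are uploaded as a `{"password": ...}` JSON document. The script below is an added example, not part of this cookbook: it generates a random password from `SecureRandom`, enforces the 32-character minimum on both generation and re-reading, and writes the two files with the names used by the knife commands in the two sections above. The default length of 48, the file permissions and the environment variable that triggers writing are choices made here, not taken from the page.

```ruby
require 'json'
require 'securerandom'

# Screwdriver requires at least 32 characters for the session cookie password
# and for the secrets encryption password.
MIN_PASSWORD_LENGTH = 32

def valid_password?(password)
  password.is_a?(String) && password.length >= MIN_PASSWORD_LENGTH
end

# Random alphanumeric password of the requested length, wrapped in the JSON
# document expected by `knife vault create screwdriver <item> --json ...`.
# Alphanumeric output avoids any YAML/JSON/shell quoting surprises later.
def build_password_item(length = 48)
  if length < MIN_PASSWORD_LENGTH
    raise ArgumentError, "length must be >= #{MIN_PASSWORD_LENGTH}, got #{length}"
  end
  JSON.generate('password' => SecureRandom.alphanumeric(length))
end

# Check an existing JSON file (e.g. one written by hand) before uploading it.
def password_item_ok?(json)
  valid_password?(JSON.parse(json)['password'])
end

# Write one file per vault item. Mode 0600 because the contents are secrets.
def write_password_items(dir, length = 48)
  files = {
    cookie_password: File.join(dir, 'screwdriver_cookie_password.json'),
    password: File.join(dir, 'screwdriver_password.json')
  }
  files.each_value do |path|
    File.open(path, 'w', 0o600) { |f| f.write(build_password_item(length)) }
  end
  files
end

# Usage: SCREWDRIVER_SECRETS_OUT=~/sec/tmp ruby password_items.rb
# (hypothetical script name; nothing is written unless the variable is set)
if (out = ENV['SCREWDRIVER_SECRETS_OUT'])
  write_password_items(File.expand_path(out)).each_value { |p| puts p }
end
```

The two passwords are generated independently, so compromise of the session cookie password does not reveal the key that protects stored secrets.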
### Database username management (for MySQL, PostgreSQL,...) by Chef Vault
- create vault items.

```
$ cat ~/sec/tmp/screwdriver_db_username.json
{"username":"********************************"}
$ knife vault create screwdriver db_username --json ~/sec/tmp/screwdriver_db_username.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver db_username -S 'name:screwdriver-host.example.com'
```

```ruby
'db_username_vault_item' => {
'vault' => 'screwdriver',
'name' => 'db_username',
'env_context' => false,
```

### Database password management (for MySQL, PostgreSQL,...) by Chef Vault
- create vault items.

```
$ cat ~/sec/tmp/screwdriver_db_password.json
{"password":"********************************"}
$ knife vault create screwdriver db_password --json ~/sec/tmp/screwdriver_db_password.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver db_password -S 'name:screwdriver-host.example.com'
```

```ruby
'db_password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'db_password',
'env_context' => false,
```

### Database root password management (for MySQL, PostgreSQL,...) by Chef Vault
- create vault items.

```
$ cat ~/sec/tmp/screwdriver_db_root_password.json
{"password":"********************************"}
$ knife vault create screwdriver db_root_password --json ~/sec/tmp/screwdriver_db_root_password.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver db_root_password -S 'name:screwdriver-host.example.com'
```

```ruby
'db_root_password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'db_root_password',
'env_context' => false,
```
### S3 (compatible) server access key management by Chef Vault
- create vault items (one item holds both the key ID and the secret; the two attributes below reference the same item).

```
$ cat ~/sec/tmp/screwdriver_s3_access_key.json
"kid":"********************",
"secret":"****************************************"
$ knife vault create screwdriver s3_access_key --json ~/sec/tmp/screwdriver_s3_access_key.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver s3_access_key -S 'name:screwdriver-host.example.com'
```

```ruby
's3_access_key_id_vault_item' => {
'vault' => 'screwdriver',
'name' => 's3_access_key',
'env_context' => false,
's3_access_key_secret_vault_item' => {
'vault' => 'screwdriver',
'name' => 's3_access_key',
'env_context' => false,
```
### OAuth client ID, secret and GitHub webhook secret management by Chef Vault
- create vault items (one item per SCM; the `key` of each entry in `scms_vault_items` selects a field of that item).

```
$ cat ~/sec/tmp/screwdriver_github_secrets.json
"oauthClientId": "***************************************************************",
"oauthClientSecret": "***************************************************************",
"secret": "**************************"
$ knife vault create screwdriver github --json ~/sec/tmp/screwdriver_github_secrets.json
```

- grant the screwdriver host permission to read the vault item

```
$ knife vault update screwdriver github -S 'name:screwdriver-host.example.com'
```

```ruby
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
```
#### Database Initialization
If you use a database other than SQLite, its initialization takes a few tens of seconds.
Start only the database container first, wait until it has finished initializing, and then start the others.

```
$ sudo docker-compose up -d db
Creating network "screwdriver_default" with the default driver
Creating screwdriver_db_1 ... done
$ sudo docker-compose up -d
screwdriver_db_1 is up-to-date
Creating screwdriver_api_1 ... done
Creating screwdriver_ui_1 ... done
Creating screwdriver_store_1 ... done
```
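Waiting "a few tens of seconds" by hand is a guess; the script below, an added example that is not part of this cookbook, does the same two `docker-compose up` steps but polls a readiness probe inside the `db` container and only starts the remaining services once the probe succeeds, failing loudly with the database logs if it never does. It assumes `docker-compose` is on `PATH`, that the compose project is in the current directory, and that the chosen database image ships a probe command that can be run with `docker-compose exec -T db ...` (for example `pg_isready` for PostgreSQL or `mysqladmin ping` for MySQL); the probe command, the 120-second limit and the `SCREWDRIVER_BOOT` guard are choices made here.

```sh
#!/bin/sh
# Added example (not part of the screwdriver cookbook): ordered start-up with
# a real readiness check instead of a fixed sleep.

# wait_for TIMEOUT_SECONDS COMMAND [ARGS...]
# Re-runs COMMAND once per second until it exits 0 or TIMEOUT_SECONDS pass.
# Returns 0 when the command succeeded, 1 on timeout.
wait_for() {
  timeout=$1
  shift
  elapsed=0
  while ! "$@" >/dev/null 2>&1; do
    if [ "$elapsed" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 0
}

# boot_stack PROBE [ARGS...]
# Starts db, waits until PROBE succeeds inside the db container, then starts
# the rest of the stack (api, ui, store) exactly as the two commands above do.
boot_stack() {
  sudo docker-compose up -d db || return 1
  if ! wait_for 120 sudo docker-compose exec -T db "$@"; then
    echo "db did not become ready within 120s; last logs follow" >&2
    sudo docker-compose logs --tail=50 db >&2
    return 1
  fi
  sudo docker-compose up -d
}

# Only act when invoked on purpose, e.g. (hypothetical file name):
#   SCREWDRIVER_BOOT=1 sh boot-screwdriver.sh pg_isready -U postgres
#   SCREWDRIVER_BOOT=1 sh boot-screwdriver.sh mysqladmin ping --silent
if [ "${SCREWDRIVER_BOOT:-}" = "1" ]; then
  boot_stack "$@"
fi
```

The probe runs inside the container, so it does not need the database port to be published on the host; `wait_for` is generic and can be reused to gate the API container on the Store container in the same way.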
## License and Authors
- Author:: whitestar at osdn.jp

Copyright 2017, whitestar

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.