4 This cookbook sets up a Screwdriver CI/CD service with Docker Compose.
8 - [Requirements](#requirements)
9 - [platforms](#platforms)
10 - [packages](#packages)
11 - [cookbooks](#cookbooks)
12 - [Attributes](#attributes)
15 - [screwdriver::default](#screwdriverdefault)
16 - [screwdriver::docker-compose](#screwdriverdocker-compose)
17 - [Role Examples](#role-examples)
18 - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
19 - [JWT private and public keys management by Chef Vault](#jwt-private-and-public-keys-management-by-chef-vault)
20 - [Cookie password management by Chef Vault](#cookie-password-management-by-chef-vault)
21 - [Secrets encryption password management by Chef Vault](#secrets-encryption-password-management-by-chef-vault)
22 - [Database username management (for MySQL, PostgreSQL,...) by Chef Vault](#database-username-management-for-mysql-postgresql-by-chef-vault)
23 - [Database password management (for MySQL, PostgreSQL,...) by Chef Vault](#database-password-management-for-mysql-postgresql-by-chef-vault)
24 - [Database root password management (for MySQL, PostgreSQL,...) by Chef Vault](#database-root-password-management-for-mysql-postgresql-by-chef-vault)
25 - [OAuth client ID, secret and GitHub webhook secret management by Chef Vault](#oauth-client-id-secret-and-github-webhook-secret-management-by-chef-vault)
27 - [Database Initialization](#database-initialization)
28 - [License and Authors](#license-and-authors)
46 |Key|Type|Description, example|Default|
48 |`['screwdriver']['with_ssl_cert_cookbook']`|Boolean|See `attributes/default.rb`|`false`|
49 |`['screwdriver']['ssl_cert']['ca_names']`|Array|Internal CA names that are imported by the ssl_cert cookbook.|`[]`|
50 |`['screwdriver']['ssl_cert']['common_name']`|String|Server common name for TLS|`node['fqdn']`|
51 |`['screwdriver']['jwt_private_key_vault_item']`|Hash|Optional, Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
52 |`['screwdriver']['jwt_public_key_vault_item']`|Hash|Optional, Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
53 |`['screwdriver']['cookie_password_vault_item']`|Hash|Optional, Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
54 |`['screwdriver']['password_vault_item']`|Hash|Optional, Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
55 |`['screwdriver']['db_username_vault_item']`|Hash|Optional, Sets a database username from Chef Vault. See `attributes/default.rb`|`{}`|
56 |`['screwdriver']['db_password_vault_item']`|Hash|Optional, Sets a database password from Chef Vault. See `attributes/default.rb`|`{}`|
57 |`['screwdriver']['db_root_password_vault_item']`|Hash|Optional, Sets a database password for the root user from Chef Vault. See `attributes/default.rb`|`{}`|
58 |`['screwdriver']['ui']['tls_setup_mode']`|String|`'reverseproxy'` only. Note: [_Add TLS support to UI docker container #377_](https://github.com/screwdriver-cd/screwdriver/issues/377)|`'reverseproxy'`|
59 |`['screwdriver']['api']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the API Docker container.|See `attributes/default.rb`|
60 |`['screwdriver']['api']['scms_vault_items']`|Hash|This hash contains Chef Vault item definitions of SCM's secrets.|See `attributes/default.rb`|
61 |`['screwdriver']['store']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the Store Docker container.|See `attributes/default.rb`|
62 |`['screwdriver']['docker-compose']['import_ca']`|Boolean|Whether to import internal CA certificates.|`false`|
63 |`['screwdriver']['docker-compose']['app_dir']`|String|Path string.|`"#{node['docker-grid']['compose']['app_dir']}/screwdriver"`|
64 |`['screwdriver']['docker-compose']['bin_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/bin"`|
65 |`['screwdriver']['docker-compose']['config_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/config"`|
66 |`['screwdriver']['docker-compose']['data_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/data"`|
67 |`['screwdriver']['docker-compose']['etc_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/etc"`|
68 |`['screwdriver']['docker-compose']['jwt_private_key_reset']`|Boolean|Only available if the JWT key pair is automatically generated by Chef.|`false`|
69 |`['screwdriver']['docker-compose']['jwt_private_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_private_key_vault_item']`. Optional, Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
70 |`['screwdriver']['docker-compose']['jwt_public_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_public_key_vault_item']`. Optional, Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
71 |`['screwdriver']['docker-compose']['cookie_password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['cookie_password_vault_item']`. Optional, Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
72 |`['screwdriver']['docker-compose']['password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['password_vault_item']`. Optional, Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
73 |`['screwdriver']['docker-compose']['oauth_client_id_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required, Sets an OAuth client ID for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
74 |`['screwdriver']['docker-compose']['oauth_client_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required, Sets an OAuth client secret for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
75 |`['screwdriver']['docker-compose']['webhook_github_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required for GitHub, Sets the secret for the GitHub webhook from Chef Vault. See `attributes/default.rb`|`{}`|
76 |`['screwdriver']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
82 #### screwdriver::default
84 This recipe does nothing.
86 #### screwdriver::docker-compose
88 This recipe generates a JWT key pair and a `docker-compose.yml` file for the Screwdriver CI/CD service.
92 - `roles/screwdriver.rb`
96 description 'screwdriver'
104 'recipe[screwdriver::docker-compose]',
112 'plugin' => 'docker',
116 'socketPath' => '/var/run/docker.sock',
118 'launchVersion' => 'stable',
124 'plugin' => 'github',
126 # OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
127 'username' => 'ci-tool',
128 'email' => 'citool@mail.example.com',
129 'privateRepo' => false,
134 'scms_vault_items' => {
137 'vault' => 'screwdriver',
139 'env_context' => false,
140 'key' => 'oauthClientId', # real hash path: "/oauthClientId"
142 'oauthClientSecret' => {
143 'vault' => 'screwdriver',
145 'env_context' => false,
146 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
149 'vault' => 'screwdriver',
151 'env_context' => false,
152 'key' => 'secret', # real hash path: "/secret"
157 'docker-compose' => {
165 'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates (disables TLS certificate verification for the whole Node process; outside a lab, import the internal CA via the import_ca attribute instead)
166 # The following variables will be set by the screwdriver::docker-compose recipe automatically.
167 #'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
168 #'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
176 # These variables will be set by the screwdriver::docker-compose recipe automatically.
177 #'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
178 #'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
186 # This variable will be set by the screwdriver::docker-compose recipe automatically.
187 #'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
197 - `roles/screwdriver-with-ssl.rb`
200 name 'screwdriver-with-ssl'
201 description 'screwdriver with SSL'
203 cn = 'screwdriver.io.example.com'
210 'recipe[screwdriver::docker-compose]',
216 # cn, # screwdriver cookbook < 0.2.2
220 'with_ssl_cert_cookbook' => true,
227 'plugin' => 'docker',
231 'socketPath' => '/var/run/docker.sock',
233 'launchVersion' => 'stable',
239 'plugin' => 'github',
241 # OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
242 'username' => 'ci-tool',
243 'email' => 'citool@mail.example.com',
244 'privateRepo' => false,
249 'scms_vault_items' => {
252 'vault' => 'screwdriver',
254 'env_context' => false,
255 'key' => 'oauthClientId', # real hash path: "/oauthClientId"
257 'oauthClientSecret' => {
258 'vault' => 'screwdriver',
260 'env_context' => false,
261 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
264 'vault' => 'screwdriver',
266 'env_context' => false,
267 'key' => 'secret', # real hash path: "/secret"
272 'docker-compose' => {
287 'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates (disables TLS certificate verification for the whole Node process; outside a lab, import the internal CA via the import_ca attribute instead)
288 # The following variables will be set by the screwdriver::docker-compose recipe automatically.
289 #'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
290 #'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
298 # These variables will be set by the screwdriver::docker-compose recipe automatically.
299 #'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
300 #'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
308 # These variables will be set by the screwdriver::docker-compose recipe automatically.
309 #'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
319 ### SSL server keys and certificates management by ssl_cert cookbook
321 - create vault items.
324 $ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver.io.example.com.prod.key")})' \
325 > > ~/sec/tmp/screwdriver.io.example.com.prod.key.json
327 $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver.io.example.com.prod.crt")})' \
328 > > ~/sec/tmp/screwdriver.io.example.com.prod.crt.json
332 $ knife vault create ssl_server_keys screwdriver.io.example.com.prod \
333 > --json ~/sec/tmp/screwdriver.io.example.com.prod.key.json
335 $ knife vault create ssl_server_certs screwdriver.io.example.com.prod \
336 > --json ~/sec/tmp/screwdriver.io.example.com.prod.crt.json
339 - grant reference permission to the screwdriver host
342 $ knife vault update ssl_server_keys screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
343 $ knife vault update ssl_server_certs screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
352 # 'screwdriver.io.example.com', # screwdriver cookbook < 0.2.2
356 'with_ssl_cert_cookbook' => true,
358 'common_name' => 'screwdriver.io.example.com',
365 ### JWT private and public keys management by Chef Vault
367 - create vault items.
370 $ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver_jwt_private.key")})' \
371 > > ~/sec/tmp/screwdriver_jwt_private.key.json
373 $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver_jwt_public.key")})' \
374 > > ~/sec/tmp/screwdriver_jwt_public.key.json
378 $ knife vault create screwdriver jwt_private_key \
379 > --json ~/sec/tmp/screwdriver_jwt_private.key.json
381 $ knife vault create screwdriver jwt_public_key \
382 > --json ~/sec/tmp/screwdriver_jwt_public.key.json
385 - grant reference permission to the screwdriver host
388 $ knife vault update screwdriver jwt_private_key -S 'name:screwdriver-host.example.com'
389 $ knife vault update screwdriver jwt_public_key -S 'name:screwdriver-host.example.com'
398 'jwt_private_key_vault_item' => {
399 'vault' => 'screwdriver',
400 'name' => 'jwt_private_key',
401 'env_context' => false,
404 'jwt_public_key_vault_item' => {
405 'vault' => 'screwdriver',
406 'name' => 'jwt_public_key',
407 'env_context' => false,
415 ### Cookie password management by Chef Vault
417 - create vault items.
420 # A password used for encrypting session data. Must be at least 32 characters.
421 $ cat ~/sec/tmp/screwdriver_cookie_password.json
422 {"password":"********************************"}
425 $ knife vault create screwdriver cookie_password --json ~/sec/tmp/screwdriver_cookie_password.json
428 - grant reference permission to the screwdriver host
431 $ knife vault update screwdriver cookie_password -S 'name:screwdriver-host.example.com'
440 'cookie_password_vault_item' => {
441 'vault' => 'screwdriver',
442 'name' => 'cookie_password',
443 'env_context' => false,
451 ### Secrets encryption password management by Chef Vault
453 - create vault items.
456 # A password used for encrypting stored secrets. Must be at least 32 characters.
457 $ cat ~/sec/tmp/screwdriver_password.json
458 {"password":"********************************"}
461 $ knife vault create screwdriver password --json ~/sec/tmp/screwdriver_password.json
464 - grant reference permission to the screwdriver host
467 $ knife vault update screwdriver password -S 'name:screwdriver-host.example.com'
476 'password_vault_item' => {
477 'vault' => 'screwdriver',
478 'name' => 'password',
479 'env_context' => false,
487 ### Database username management (for MySQL, PostgreSQL,...) by Chef Vault
489 - create vault items.
492 $ cat ~/sec/tmp/screwdriver_db_username.json
493 {"username":"********************************"}
496 $ knife vault create screwdriver db_username --json ~/sec/tmp/screwdriver_db_username.json
499 - grant reference permission to the screwdriver host
502 $ knife vault update screwdriver db_username -S 'name:screwdriver-host.example.com'
511 'db_username_vault_item' => {
512 'vault' => 'screwdriver',
513 'name' => 'db_username',
514 'env_context' => false,
522 ### Database password management (for MySQL, PostgreSQL,...) by Chef Vault
524 - create vault items.
527 $ cat ~/sec/tmp/screwdriver_db_password.json
528 {"password":"********************************"}
531 $ knife vault create screwdriver db_password --json ~/sec/tmp/screwdriver_db_password.json
534 - grant reference permission to the screwdriver host
537 $ knife vault update screwdriver db_password -S 'name:screwdriver-host.example.com'
546 'db_password_vault_item' => {
547 'vault' => 'screwdriver',
548 'name' => 'db_password',
549 'env_context' => false,
557 ### Database root password management (for MySQL, PostgreSQL,...) by Chef Vault
559 - create vault items.
562 $ cat ~/sec/tmp/screwdriver_db_root_password.json
563 {"password":"********************************"}
566 $ knife vault create screwdriver db_root_password --json ~/sec/tmp/screwdriver_db_root_password.json
569 - grant reference permission to the screwdriver host
572 $ knife vault update screwdriver db_root_password -S 'name:screwdriver-host.example.com'
581 'db_root_password_vault_item' => {
582 'vault' => 'screwdriver',
583 'name' => 'db_root_password',
584 'env_context' => false,
592 ### OAuth client ID, secret and GitHub webhook secret management by Chef Vault
594 - create vault items.
597 $ cat ~/sec/tmp/screwdriver_github_secrets.json
599 "oauthClientId": "***************************************************************",
600 "oauthClientSecret": "***************************************************************",
601 "secret": "**************************"
608 $ knife vault create screwdriver github --json ~/sec/tmp/screwdriver_github_secrets.json
611 - grant reference permission to the screwdriver host
614 $ knife vault update screwdriver github -S 'name:screwdriver-host.example.com'
625 'scms_vault_items' => {
628 'vault' => 'screwdriver',
630 'env_context' => false,
631 'key' => 'oauthClientId', # real hash path: "/oauthClientId"
633 'oauthClientSecret' => {
634 'vault' => 'screwdriver',
636 'env_context' => false,
637 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
640 'vault' => 'screwdriver',
642 'env_context' => false,
643 'key' => 'secret', # real hash path: "/secret"
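The `scms_vault_items` hash above keeps the OAuth client ID, client secret and webhook secret out of the role (which is stored in plaintext on the Chef server) and names where in Chef Vault each one lives; the recipe then expands `['screwdriver']['api']['config']` into `/config/local.yaml` in the API container. The following is an added example, not the cookbook's own code, that models that flow end to end with a constructed stand-in for the decrypted `screwdriver/github` item. It assumes each resolved value is placed at `scms.<scm>.config.<key>` in the API config (the layout Screwdriver's `local.yaml` uses for SCM settings), that `key` is a `/`-separated path into the decrypted item (matching the "real hash path" comments above), and it carries `env_context` through without interpreting it, since its semantics are not shown on this page. The `ci-tool` values come from the role above; the secret values are placeholders.

```ruby
require 'yaml'

# The role's scms_vault_items, as on this page:
# scm name -> config key -> where to find it in Chef Vault.
SCMS_VAULT_ITEMS = {
  'github' => {
    'oauthClientId'     => { 'vault' => 'screwdriver', 'name' => 'github', 'env_context' => false, 'key' => 'oauthClientId' },
    'oauthClientSecret' => { 'vault' => 'screwdriver', 'name' => 'github', 'env_context' => false, 'key' => 'oauthClientSecret' },
    'secret'            => { 'vault' => 'screwdriver', 'name' => 'github', 'env_context' => false, 'key' => 'secret' },
  },
}.freeze

# The non-secret part of ['screwdriver']['api']['config'] from the role.
API_CONFIG = {
  'scms' => {
    'github' => {
      'plugin' => 'github',
      'config' => { 'username' => 'ci-tool', 'email' => 'citool@mail.example.com', 'privateRepo' => false },
    },
  },
}.freeze

# Constructed stand-in for the decrypted screwdriver/github item (the JSON
# shown above, with placeholder values). On a real node this is what
# ChefVault::Item.load('screwdriver', 'github') returns.
FAKE_VAULT = {
  %w[screwdriver github] => {
    'oauthClientId'     => 'constructed-client-id',
    'oauthClientSecret' => 'constructed-client-secret',
    'secret'            => 'constructed-webhook-secret',
  },
}.freeze

def fetch_vault_item(vault, name, store = FAKE_VAULT)
  store.fetch([vault, name]) { raise KeyError, "vault item #{vault}/#{name} not found" }
end

# Follow the "real hash path" ("/oauthClientId", or "/a/b" for a nested item).
# A missing key is an error: silently writing nil into local.yaml would leave
# the SCM plugin misconfigured.
def dig_item(item, key)
  path = key.sub(%r{\A/}, '').split('/')
  value = item.dig(*path)
  raise KeyError, "key #{key.inspect} missing from vault item" if value.nil?
  value
end

# Merge the secrets into a deep copy of the API config (the node attribute
# itself stays untouched). env_context is passed through, not interpreted.
def resolve_scm_secrets(api_config, vault_items, store = FAKE_VAULT)
  config = Marshal.load(Marshal.dump(api_config))
  vault_items.each do |scm, entries|
    scms    = (config['scms'] ||= {})
    scm_cfg = (scms[scm] ||= {})
    target  = (scm_cfg['config'] ||= {})
    entries.each do |config_key, item_def|
      item = fetch_vault_item(item_def['vault'], item_def['name'], store)
      target[config_key] = dig_item(item, item_def['key'])
    end
  end
  config
end

# Text of /config/local.yaml for the API container.
def render_local_yaml(config)
  config.to_yaml
end

# Same config with every vault-sourced value masked; this is the form that
# may appear in converge logs or a diff.
def redact(config, vault_items)
  copy = Marshal.load(Marshal.dump(config))
  vault_items.each do |scm, entries|
    entries.each_key { |k| copy['scms'][scm]['config'][k] = '[REDACTED]' }
  end
  copy
end

if $PROGRAM_NAME == __FILE__
  resolved = resolve_scm_secrets(API_CONFIG, SCMS_VAULT_ITEMS)
  puts render_local_yaml(redact(resolved, SCMS_VAULT_ITEMS))
end
```

Run stand-alone it prints the redacted `local.yaml`; the unredacted text from `render_local_yaml` is what belongs in the container, written with a restrictive mode and never echoed into a log.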
655 #### Database Initialization
657 If you use a database other than SQLite, its initialization takes a few tens of seconds.
658 Start only the database container first, wait for it to finish initializing, and then start the others.
660 $ sudo docker-compose up -d db
662 Creating network "screwdriver_default" with the default driver
663 Creating screwdriver_db_1 ... done
665 $ sudo docker-compose up -d
666 screwdriver_db_1 is up-to-date
667 Creating screwdriver_api_1 ... done
668 Creating screwdriver_ui_1 ... done
669 Creating screwdriver_store_1 ... done
672 ## License and Authors
674 - Author:: whitestar at osdn.jp
677 Copyright 2017, whitestar
679 Licensed under the Apache License, Version 2.0 (the "License");
680 you may not use this file except in compliance with the License.
681 You may obtain a copy of the License at
683 http://www.apache.org/licenses/LICENSE-2.0
685 Unless required by applicable law or agreed to in writing, software
686 distributed under the License is distributed on an "AS IS" BASIS,
687 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
688 See the License for the specific language governing permissions and
689 limitations under the License.