This cookbook sets up a Screwdriver CI/CD service by Docker Compose.
- [Requirements](#requirements)
- [platforms](#platforms)
- [packages](#packages)
- [cookbooks](#cookbooks)
- [Attributes](#attributes)
- [screwdriver::default](#screwdriverdefault)
- [screwdriver::docker-compose](#screwdriverdocker-compose)
- [Role Examples](#role-examples)
- [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
- [JWT private and public keys management by Chef Vault](#jwt-private-and-public-keys-management-by-chef-vault)
- [Cookie password management by Chef Vault](#cookie-password-management-by-chef-vault)
- [Secrets encryption password management by Chef Vault](#secrets-encryption-password-management-by-chef-vault)
- [OAuth client ID and secret management by Chef Vault](#oauth-client-id-and-secret-management-by-chef-vault)
- [GitHub webhook secret management by Chef Vault](#github-webhook-secret-management-by-chef-vault)
- [License and Authors](#license-and-authors)
|Key|Type|Description, example|Default|
|`['screwdriver']['with_ssl_cert_cookbook']`|Boolean|See `attributes/default.rb`|`false`|
|`['screwdriver']['ssl_cert']['ca_names']`|Array|Internal CA names that are imported by the ssl_cert cookbook.|`[]`|
|`['screwdriver']['ssl_cert']['common_name']`|String|Server common name for TLS.|`node['fqdn']`|
|`['screwdriver']['ui']['tls_setup_mode']`|String|`'reverseproxy'` only. Note: [_Add TLS support to UI docker container #377_](https://github.com/screwdriver-cd/screwdriver/issues/377)|`'reverseproxy'`|
|`['screwdriver']['api']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the API Docker container.|See `attributes/default.rb`|
|`['screwdriver']['store']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the Store Docker container.|See `attributes/default.rb`|
|`['screwdriver']['docker-compose']['import_ca']`|Boolean|Whether to import internal CA certificates.|`false`|
|`['screwdriver']['docker-compose']['app_dir']`|String|Path string.|`"#{node['docker-grid']['compose']['app_dir']}/screwdriver"`|
|`['screwdriver']['docker-compose']['bin_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/bin"`|
|`['screwdriver']['docker-compose']['config_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/config"`|
|`['screwdriver']['docker-compose']['data_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/data"`|
|`['screwdriver']['docker-compose']['etc_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/etc"`|
|`['screwdriver']['docker-compose']['jwt_private_key_reset']`|Boolean|Only available if the JWT key pair is automatically generated by Chef.|`false`|
|`['screwdriver']['docker-compose']['jwt_private_key_vault_item']`|Hash|Optional. Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['jwt_public_key_vault_item']`|Hash|Optional. Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['cookie_password_vault_item']`|Hash|Optional. Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['password_vault_item']`|Hash|Optional. Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_id_vault_item']`|Hash|Required. Sets an OAuth client ID for SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_secret_vault_item']`|Hash|Required. Sets an OAuth client secret for SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['webhook_github_secret_vault_item']`|Hash|Required for GitHub. Sets a secret for the GitHub webhook from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
#### screwdriver::default
This recipe does nothing.
#### screwdriver::docker-compose
This recipe generates a JWT key pair and a `docker-compose.yml` file for the Screwdriver CI/CD service.
- `roles/screwdriver.rb`
description 'screwdriver'
'recipe[screwdriver::docker-compose]',
'oauth_client_id_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_id',
'env_context' => false,
'key' => 'cid', # real hash path: "/cid"
'oauth_client_secret_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_secret',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'SCM_PLUGIN' => 'gitlab', # 'gitlab' or 'github' or 'bitbucket'
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'SCM_USERNAME' => 'ci-tool',
'SCM_EMAIL' => 'citool@mail.example.com',
#'WEBHOOK_GITHUB_SECRET' => 'SUPER-SECRET-SIGNING-THING',
'SCM_GITLAB_HOST' => 'gitlab.io.example.com',
'SCM_GITLAB_PROTOCOL' => 'https',
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates (disables TLS certificate verification in Node.js)
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'SECRET_OAUTH_CLIENT_ID' => '${SECRET_OAUTH_CLIENT_ID}',
#'SECRET_OAUTH_CLIENT_SECRET' => '${SECRET_OAUTH_CLIENT_SECRET}',
#'SECRET_JWT_PRIVATE_KEY' => '${SECRET_JWT_PRIVATE_KEY}',
#'SECRET_JWT_PUBLIC_KEY' => '${SECRET_JWT_PUBLIC_KEY}',
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'SECRET_JWT_PUBLIC_KEY' => '${SECRET_JWT_PUBLIC_KEY}',
- `roles/screwdriver-with-ssl.rb`
name 'screwdriver-with-ssl'
description 'screwdriver with SSL'
cn = 'screwdriver.io.example.com'
'recipe[screwdriver::docker-compose]',
'with_ssl_cert_cookbook' => true,
'docker-compose' => {
'oauth_client_id_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_id',
'env_context' => false,
'key' => 'cid', # real hash path: "/cid"
'oauth_client_secret_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_secret',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'SCM_PLUGIN' => 'gitlab', # 'gitlab' or 'github' or 'bitbucket'
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'SCM_USERNAME' => 'ci-tool',
'SCM_EMAIL' => 'citool@mail.example.com',
#'WEBHOOK_GITHUB_SECRET' => 'SUPER-SECRET-SIGNING-THING',
'SCM_GITLAB_HOST' => 'gitlab.io.example.com',
'SCM_GITLAB_PROTOCOL' => 'https',
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates (disables TLS certificate verification in Node.js)
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'SECRET_OAUTH_CLIENT_ID' => '${SECRET_OAUTH_CLIENT_ID}',
#'SECRET_OAUTH_CLIENT_SECRET' => '${SECRET_OAUTH_CLIENT_SECRET}',
#'SECRET_JWT_PRIVATE_KEY' => '${SECRET_JWT_PRIVATE_KEY}',
#'SECRET_JWT_PUBLIC_KEY' => '${SECRET_JWT_PUBLIC_KEY}',
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'SECRET_JWT_PUBLIC_KEY' => '${SECRET_JWT_PUBLIC_KEY}',
### SSL server keys and certificates management by ssl_cert cookbook
- create vault items.
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver.io.example.com.prod.key")})' \
> > ~/tmp/screwdriver.io.example.com.prod.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver.io.example.com.prod.crt")})' \
> > ~/tmp/screwdriver.io.example.com.prod.crt.json
$ knife vault create ssl_server_keys screwdriver.io.example.com.prod \
> --json ~/tmp/screwdriver.io.example.com.prod.key.json
$ knife vault create ssl_server_certs screwdriver.io.example.com.prod \
> --json ~/tmp/screwdriver.io.example.com.prod.crt.json
- grant reference permission to the screwdriver host
$ knife vault update ssl_server_keys screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
$ knife vault update ssl_server_certs screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
'screwdriver.io.example.com',
'with_ssl_cert_cookbook' => true,
'common_name' => 'screwdriver.io.example.com',
### JWT private and public keys management by Chef Vault
- create vault items.
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver_jwt_private.key")})' \
> > ~/sec/tmp/screwdriver_jwt_private.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver_jwt_public.key")})' \
> > ~/sec/tmp/screwdriver_jwt_public.key.json
$ knife vault create screwdriver jwt_private_key \
> --json ~/sec/tmp/screwdriver_jwt_private.key.json
$ knife vault create screwdriver jwt_public_key \
> --json ~/sec/tmp/screwdriver_jwt_public.key.json
- grant reference permission to the screwdriver host
$ knife vault update screwdriver jwt_private_key -S 'name:screwdriver-host.example.com'
$ knife vault update screwdriver jwt_public_key -S 'name:screwdriver-host.example.com'
'docker-compose' => {
'jwt_private_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_private_key',
'env_context' => false,
'jwt_public_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_public_key',
'env_context' => false,
### Cookie password management by Chef Vault
- create vault items.
# A password used for encrypting session data. Needs to be a minimum of 32 characters.
$ cat ~/sec/tmp/screwdriver_cookie_password.json
{"password":"********************************"}
$ knife vault create screwdriver cookie_password --json ~/sec/tmp/screwdriver_cookie_password.json
- grant reference permission to the screwdriver host
$ knife vault update screwdriver cookie_password -S 'name:screwdriver-host.example.com'
'docker-compose' => {
'cookie_password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'cookie_password',
'env_context' => false,
### Secrets encryption password management by Chef Vault
- create vault items.
# A password used for encrypting stored secrets. Needs to be a minimum of 32 characters.
$ cat ~/sec/tmp/screwdriver_password.json
{"password":"********************************"}
$ knife vault create screwdriver password --json ~/sec/tmp/screwdriver_password.json
- grant reference permission to the screwdriver host
$ knife vault update screwdriver password -S 'name:screwdriver-host.example.com'
'docker-compose' => {
'password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'password',
'env_context' => false,
### OAuth client ID and secret management by Chef Vault
- create vault items.
$ cat ~/sec/tmp/screwdriver_oauth_client_id.json
{"cid":"***************************************************************"}
$ cat ~/sec/tmp/screwdriver_oauth_client_secret.json
{"secret":"***************************************************************"}
$ knife vault create screwdriver oauth_client_id --json ~/sec/tmp/screwdriver_oauth_client_id.json
$ knife vault create screwdriver oauth_client_secret --json ~/sec/tmp/screwdriver_oauth_client_secret.json
- grant reference permission to the screwdriver host
$ knife vault update screwdriver oauth_client_id -S 'name:screwdriver-host.example.com'
$ knife vault update screwdriver oauth_client_secret -S 'name:screwdriver-host.example.com'
'docker-compose' => {
'oauth_client_id_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_id',
'env_context' => false,
'oauth_client_secret_vault_item' => {
'vault' => 'screwdriver',
'name' => 'oauth_client_secret',
'env_context' => false,
### GitHub webhook secret management by Chef Vault
- create vault items.
$ cat ~/sec/tmp/screwdriver_webhook_github_secret.json
{"secret":"********************************"}
$ knife vault create screwdriver webhook_github_secret --json ~/sec/tmp/screwdriver_webhook_github_secret.json
- grant reference permission to the screwdriver host
$ knife vault update screwdriver webhook_github_secret -S 'name:screwdriver-host.example.com'
'docker-compose' => {
'webhook_github_secret_vault_item' => {
'vault' => 'screwdriver',
'name' => 'webhook_github_secret',
'env_context' => false,
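The Chef Vault sections above all build a small JSON document (`{"private":…}`, `{"public":…}`, `{"password":…}`, `{"cid":…}`, `{"secret":…}`) by hand before running `knife vault create`. The following Ruby script is an added example, not part of this cookbook, that produces those same payloads and rejects input the service cannot use: a public key passed where a private key is expected, or a cookie or secrets-encryption password shorter than the 32 characters noted above. The item kinds and `random_password` helper are names chosen for this example.

```ruby
require 'json'
require 'openssl'
require 'securerandom'

# Minimum length the README states for the cookie and secrets-encryption passwords.
MIN_PASSWORD_LENGTH = 32

# Returns the Hash that `knife vault create --json` expects for one vault item.
# `kind` names the item (matching the vault item names used in this README);
# `value` is the PEM text or secret string. Raises ArgumentError on unusable input.
def vault_item_payload(kind, value)
  case kind
  when :jwt_private_key
    key = OpenSSL::PKey.read(value)            # raises on malformed PEM
    raise ArgumentError, 'jwt_private_key must be a private key' unless key.private?
    { 'private' => value }
  when :jwt_public_key
    key = OpenSSL::PKey.read(value)
    # Storing the private key under the public item would leak it to every
    # node granted access to the public item, so refuse it here.
    raise ArgumentError, 'jwt_public_key must not contain a private key' if key.private?
    { 'public' => value }
  when :cookie_password, :password
    if value.length < MIN_PASSWORD_LENGTH
      raise ArgumentError, "#{kind} must be at least #{MIN_PASSWORD_LENGTH} characters"
    end
    { 'password' => value }
  when :oauth_client_id
    { 'cid' => value }                         # real hash path: "/cid"
  when :oauth_client_secret, :webhook_github_secret
    { 'secret' => value }                      # real hash path: "/secret"
  else
    raise ArgumentError, "unknown vault item kind: #{kind}"
  end
end

# Same as the README's `ruby -rjson` one-liners: the JSON text for the file.
def vault_item_json(kind, value)
  JSON.generate(vault_item_payload(kind, value))
end

# Generates a password of the minimum accepted length from a CSPRNG.
def random_password(length = MIN_PASSWORD_LENGTH)
  SecureRandom.alphanumeric(length)
end
```

Write `vault_item_json(...)` to a file under `~/sec/tmp/` and pass it to `knife vault create` exactly as in the sections above.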
## License and Authors
- Author:: whitestar at osdn.jp
Copyright 2017, whitestar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.