This cookbook sets up a Screwdriver CI/CD service with Docker Compose.

- [Requirements](#requirements)
  - [platforms](#platforms)
  - [packages](#packages)
  - [cookbooks](#cookbooks)
- [Attributes](#attributes)
- [screwdriver::default](#screwdriverdefault)
- [screwdriver::docker-compose](#screwdriverdocker-compose)
- [Role Examples](#role-examples)
  - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
  - [JWT private and public keys management by Chef Vault](#jwt-private-and-public-keys-management-by-chef-vault)
  - [Cookie password management by Chef Vault](#cookie-password-management-by-chef-vault)
  - [Secrets encryption password management by Chef Vault](#secrets-encryption-password-management-by-chef-vault)
  - [OAuth client ID and secret management by Chef Vault](#oauth-client-id-and-secret-management-by-chef-vault)
  - [GitHub webhook secret management by Chef Vault](#github-webhook-secret-management-by-chef-vault)
- [License and Authors](#license-and-authors)
|Key|Type|Description, example|Default|
|---|---|---|---|
|`['screwdriver']['with_ssl_cert_cookbook']`|Boolean|See `attributes/default.rb`|`false`|
|`['screwdriver']['ssl_cert']['ca_names']`|Array|Internal CA names that are imported by the ssl_cert cookbook.|`[]`|
|`['screwdriver']['ssl_cert']['common_name']`|String|Server common name for TLS|`node['fqdn']`|
|`['screwdriver']['jwt_private_key_vault_item']`|Hash|Optional. Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['jwt_public_key_vault_item']`|Hash|Optional. Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['cookie_password_vault_item']`|Hash|Optional. Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['password_vault_item']`|Hash|Optional. Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['ui']['tls_setup_mode']`|String|`'reverseproxy'` only. Note: [_Add TLS support to UI docker container #377_](https://github.com/screwdriver-cd/screwdriver/issues/377)|`'reverseproxy'`|
|`['screwdriver']['api']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the API Docker container.|See `attributes/default.rb`|
|`['screwdriver']['api']['scms_vault_items']`|Hash|This hash contains Chef Vault item definitions of the SCMs' secrets.|See `attributes/default.rb`|
|`['screwdriver']['store']['config']`|Hash|This hash object is expanded to a `/config/local.yaml` file in the Store Docker container.|See `attributes/default.rb`|
|`['screwdriver']['docker-compose']['import_ca']`|Boolean|Whether to import internal CA certificates.|`false`|
|`['screwdriver']['docker-compose']['app_dir']`|String|Path string.|`"#{node['docker-grid']['compose']['app_dir']}/screwdriver"`|
|`['screwdriver']['docker-compose']['bin_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/bin"`|
|`['screwdriver']['docker-compose']['config_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/config"`|
|`['screwdriver']['docker-compose']['data_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/data"`|
|`['screwdriver']['docker-compose']['etc_dir']`|String|Path string.|`"#{node['screwdriver']['docker-compose']['app_dir']}/etc"`|
|`['screwdriver']['docker-compose']['jwt_private_key_reset']`|Boolean|Only available if the JWT key pair is automatically generated by Chef.|`false`|
|`['screwdriver']['docker-compose']['jwt_private_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_private_key_vault_item']`. Optional. Sets a JWT private key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['jwt_public_key_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['jwt_public_key_vault_item']`. Optional. Sets a JWT public key from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['cookie_password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['cookie_password_vault_item']`. Optional. Sets a session cookie password from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['password_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['password_vault_item']`. Optional. Sets a password for secrets encryption from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_id_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required. Sets an OAuth client ID for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['oauth_client_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required. Sets an OAuth secret for the SCM from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['webhook_github_secret_vault_item']`|Hash|**DEPRECATED**: use `['screwdriver']['api']['scms_vault_items']`. Required for GitHub. Sets a secret for the GitHub webhook from Chef Vault. See `attributes/default.rb`|`{}`|
|`['screwdriver']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
#### screwdriver::default

This recipe does nothing.

#### screwdriver::docker-compose

This recipe generates a JWT key pair and a `docker-compose.yml` file for the Screwdriver CI/CD service.
- `roles/screwdriver.rb`

```ruby
description 'screwdriver'
'recipe[screwdriver::docker-compose]',
'plugin' => 'docker',
'socketPath' => '/var/run/docker.sock',
'launchVersion' => 'stable',
'plugin' => 'github',
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'username' => 'ci-tool',
'email' => 'citool@mail.example.com',
'privateRepo' => false,
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'docker-compose' => {
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# This variable will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
```
- `roles/screwdriver-with-ssl.rb`

```ruby
name 'screwdriver-with-ssl'
description 'screwdriver with SSL'
cn = 'screwdriver.io.example.com'
'recipe[screwdriver::docker-compose]',
# cn, # screwdriver cookbook < 0.2.2
'with_ssl_cert_cookbook' => true,
'plugin' => 'docker',
'socketPath' => '/var/run/docker.sock',
'launchVersion' => 'stable',
'plugin' => 'github',
# OAuth Callback URL: "http://#{node['fqdn']}:9001/v4/auth/login/web"
'username' => 'ci-tool',
'email' => 'citool@mail.example.com',
'privateRepo' => false,
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
'docker-compose' => {
'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # for self-signed certificates
# The following variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_API' => "http://#{node['fqdn']}:#{api_port}",
#'ECOSYSTEM_STORE' => "http://#{node['fqdn']}:#{store_port}",
# These variables will be set by the screwdriver::docker-compose recipe automatically.
#'ECOSYSTEM_UI' => "http://#{node['fqdn']}:#{ui_port}",
```
### SSL server keys and certificates management by ssl_cert cookbook

- create vault items.

```sh
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver.io.example.com.prod.key")})' \
> > ~/tmp/screwdriver.io.example.com.prod.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver.io.example.com.prod.crt")})' \
> > ~/tmp/screwdriver.io.example.com.prod.crt.json

$ knife vault create ssl_server_keys screwdriver.io.example.com.prod \
> --json ~/tmp/screwdriver.io.example.com.prod.key.json
$ knife vault create ssl_server_certs screwdriver.io.example.com.prod \
> --json ~/tmp/screwdriver.io.example.com.prod.crt.json
```

- grant reference permission to the screwdriver host

```sh
$ knife vault update ssl_server_keys screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
$ knife vault update ssl_server_certs screwdriver.io.example.com.prod -S 'name:screwdriver-host.example.com'
```

```ruby
# 'screwdriver.io.example.com', # screwdriver cookbook < 0.2.2
'with_ssl_cert_cookbook' => true,
'common_name' => 'screwdriver.io.example.com',
```
### JWT private and public keys management by Chef Vault

- create vault items.

```sh
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("screwdriver_jwt_private.key")})' \
> > ~/sec/tmp/screwdriver_jwt_private.key.json
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("screwdriver_jwt_public.key")})' \
> > ~/sec/tmp/screwdriver_jwt_public.key.json

$ knife vault create screwdriver jwt_private_key \
> --json ~/sec/tmp/screwdriver_jwt_private.key.json
$ knife vault create screwdriver jwt_public_key \
> --json ~/sec/tmp/screwdriver_jwt_public.key.json
```

- grant reference permission to the screwdriver host

```sh
$ knife vault update screwdriver jwt_private_key -S 'name:screwdriver-host.example.com'
$ knife vault update screwdriver jwt_public_key -S 'name:screwdriver-host.example.com'
```

```ruby
'jwt_private_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_private_key',
'env_context' => false,
'jwt_public_key_vault_item' => {
'vault' => 'screwdriver',
'name' => 'jwt_public_key',
'env_context' => false,
```
### Cookie password management by Chef Vault

- create vault items.

```sh
# A password used for encrypting session data. Needs to be at least 32 characters.
$ cat ~/sec/tmp/screwdriver_cookie_password.json
{"password":"********************************"}

$ knife vault create screwdriver cookie_password --json ~/sec/tmp/screwdriver_cookie_password.json
```

- grant reference permission to the screwdriver host

```sh
$ knife vault update screwdriver cookie_password -S 'name:screwdriver-host.example.com'
```

```ruby
'cookie_password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'cookie_password',
'env_context' => false,
```
### Secrets encryption password management by Chef Vault

- create vault items.

```sh
# A password used for encrypting stored secrets. Needs to be at least 32 characters.
$ cat ~/sec/tmp/screwdriver_password.json
{"password":"********************************"}

$ knife vault create screwdriver password --json ~/sec/tmp/screwdriver_password.json
```

- grant reference permission to the screwdriver host

```sh
$ knife vault update screwdriver password -S 'name:screwdriver-host.example.com'
```

```ruby
'password_vault_item' => {
'vault' => 'screwdriver',
'name' => 'password',
'env_context' => false,
```
### OAuth client ID, secret and GitHub webhook secret management by Chef Vault

- create vault items.

```sh
$ cat ~/sec/tmp/screwdriver_github_secrets.json
{
  "oauthClientId": "***************************************************************",
  "oauthClientSecret": "***************************************************************",
  "secret": "**************************"
}

$ knife vault create screwdriver github --json ~/sec/tmp/screwdriver_github_secrets.json
```

- grant reference permission to the screwdriver host

```sh
$ knife vault update screwdriver github -S 'name:screwdriver-host.example.com'
```

```ruby
'scms_vault_items' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientId', # real hash path: "/oauthClientId"
'oauthClientSecret' => {
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
'vault' => 'screwdriver',
'env_context' => false,
'key' => 'secret', # real hash path: "/secret"
```
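As an added example (not the cookbook's own code), the resolution a recipe has to perform for the `*_vault_item` and `scms_vault_items` definitions in the cookie password, secrets encryption password and OAuth sections above, including the 32-character minimum. The vault contents are constructed in place of `chef_vault_item`, and two points are assumptions: that `env_context => true` suffixes the item name with `.<chef_environment>` (the way the `screwdriver.io.example.com.prod` item name is formed), and that `scms_vault_items` is keyed by SCM name and then by config key.

```ruby
# Constructed stand-in for the decrypted Chef Vault items created above
# (a real recipe would get them from chef_vault_item(vault, name)).
VAULT = {
  'screwdriver' => {
    'cookie_password'      => { 'password' => 'k' * 32 },
    'cookie_password.prod' => { 'password' => 'p' * 40 },
    'password'             => { 'password' => 'too-short' },
    'github' => { 'oauthClientId' => 'id-constructed',
                  'oauthClientSecret' => 'sec-constructed',
                  'secret' => 'hook-constructed' },
  },
}.freeze

# Resolve one definition of the shape used in the roles above:
# 'vault', 'name', 'env_context' and (for scms_vault_items) 'key'.
# Assumption: env_context => true suffixes the item name with ".<chef_environment>".
def resolve_vault_item(defn, environment, default_key)
  name = defn.fetch('name')
  name = "#{name}.#{environment}" if defn['env_context']
  item = VAULT.fetch(defn.fetch('vault')).fetch(name) { raise KeyError, "missing vault item #{name}" }
  item.fetch(defn.fetch('key', default_key))
end

# Session cookie and secrets encryption passwords need at least 32 characters.
def password_from(defn, environment)
  value = resolve_vault_item(defn, environment, 'password')
  raise ArgumentError, "#{defn['name']}: password shorter than 32 characters" if value.length < 32
  value
end

# Resolve every secret a role's 'screwdriver' attribute hash refers to; an
# empty {} (the attribute default) means "not managed by Chef Vault".
# Assumption: scms_vault_items is keyed by SCM name, then by config key.
def resolve_secrets(sd, environment: 'prod')
  secrets = {}
  %w[cookie_password password].each do |k|
    defn = sd["#{k}_vault_item"]
    secrets[k] = password_from(defn, environment) if defn && !defn.empty?
  end
  (sd.dig('api', 'scms_vault_items') || {}).each do |scm, items|
    secrets[scm] = items.transform_values { |d| resolve_vault_item(d, environment, nil) }
  end
  secrets
end
```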
## License and Authors

- Author:: whitestar at osdn.jp

Copyright 2017, whitestar

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.