2 # Cookbook Name:: screwdriver
5 # Copyright 2017, whitestar
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
11 # http://www.apache.org/licenses/LICENSE-2.0
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
# Enables the ssl_cert cookbook integration; the nginx TLS front-end in the
# docker-compose config further down is only active when this is true.
default['screwdriver']['with_ssl_cert_cookbook'] = false
# If ['screwdriver']['with_ssl_cert_cookbook'] is true,
# node['screwdriver']['docker-compose']['config']
# are overridden by the following 'common_name' attributes.
default['screwdriver']['ssl_cert']['ca_names'] = []
default['screwdriver']['ssl_cert']['common_name'] = node['fqdn']
# Read the value back through `node` so that a higher-precedence override
# (role, environment, wrapper cookbook) of common_name is honoured.
cn = node['screwdriver']['ssl_cert']['common_name']
# A host without a usable FQDN falls back to its primary IP address; `cn` is
# reused further down to build the externally reachable api/store URIs.
if cn.nil? || cn.empty?
  cn = node['ipaddress']
end
29 default['screwdriver']['jwt_private_key_vault_item'] = {
31 'vault' => 'screwdriver',
32 'name' => 'jwt_private_key',
33 # single password or nested hash password path delimited by slash
34 'env_context' => false,
35 'key' => 'private', # real hash path: "/password"
36 # or nested hash password path delimited by slash
37 #'env_context' => true,
38 #'key' => 'hash/path/to/private', # real hash path: "/#{node.chef_environment}/hash/path/to/private"
41 default['screwdriver']['jwt_public_key_vault_item'] = {
43 'vault' => 'screwdriver',
44 'name' => 'jwt_public_key',
45 # single password or nested hash password path delimited by slash
46 'env_context' => false,
47 'key' => 'public', # real hash path: "/password"
48 # or nested hash password path delimited by slash
49 #'env_context' => true,
50 #'key' => 'hash/path/to/public', # real hash path: "/#{node.chef_environment}/hash/path/to/public"
53 # A password used for encrypting session data. Needs to be at least 32 characters.
54 default['screwdriver']['cookie_password_vault_item'] = {
56 'vault' => 'screwdriver',
57 'name' => 'cookie_password',
58 # single password or nested hash password path delimited by slash
59 'env_context' => false,
60 'key' => 'password', # real hash path: "/password"
61 # or nested hash password path delimited by slash
62 #'env_context' => true,
63 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
66 # A password used for encrypting stored secrets. Needs to be at least 32 characters.
67 default['screwdriver']['password_vault_item'] = {
69 'vault' => 'screwdriver',
71 # single password or nested hash password path delimited by slash
72 'env_context' => false,
73 'key' => 'password', # real hash path: "/password"
74 # or nested hash password path delimited by slash
75 #'env_context' => true,
76 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
79 default['screwdriver']['db_username_vault_item'] = {
81 'vault' => 'screwdriver',
82 'name' => 'db_username',
83 # single username or nested hash username path delimited by slash
84 'env_context' => false,
85 'key' => 'username', # real hash path: "/username"
86 # or nested hash username path delimited by slash
87 #'env_context' => true,
88 #'key' => 'hash/path/to/username', # real hash path: "/#{node.chef_environment}/hash/path/to/username"
91 default['screwdriver']['db_password_vault_item'] = {
93 'vault' => 'screwdriver',
94 'name' => 'db_password',
95 # single password or nested hash password path delimited by slash
96 'env_context' => false,
97 'key' => 'password', # real hash path: "/password"
98 # or nested hash password path delimited by slash
99 #'env_context' => true,
100 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
103 default['screwdriver']['db_root_password_vault_item'] = {
105 'vault' => 'screwdriver',
106 'name' => 'db_root_password',
107 # single password or nested hash password path delimited by slash
108 'env_context' => false,
109 'key' => 'password', # real hash path: "/password"
110 # or nested hash password path delimited by slash
111 #'env_context' => true,
112 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
# Pinned with force_override so the default/normal/override levels cannot change it.
# 'reverseproxy' presumably means the UI container itself serves plain HTTP and TLS
# is terminated in front of it (the nginx service in the docker-compose config below) — confirm.
116 force_override['screwdriver']['ui']['tls_setup_mode'] = 'reverseproxy'
117 # These hash objects are expanded to a `/config/local.yaml` file in each Docker container.
118 default['screwdriver']['api']['config'] = {
126 'plugin' => 'docker',
130 'socketPath' => '/var/run/docker.sock',
132 'launchVersion' => 'stable',
139 'scm_a' => { # id and display name
140 'plugin' => 'github',
142 # These 3 secrets should be set by the following `['screwdriver']['api']['scms_vault_items']` attribute.
143 'oauthClientId' => 'YOU-PROBABLY-WANT-SOMETHING-HERE', # The client id used for OAuth with github. GitHub OAuth (https://developer.github.com/v3/oauth/)
144 'oauthClientSecret' => 'AGAIN-SOMETHING-HERE-IS-USEFUL', # The client secret used for OAuth with github
145 'secret' => 'SUPER-SECRET-SIGNING-THING', # Secret to add to GitHub webhooks so that we can validate them
146 'gheHost' => 'github.screwdriver.cd', # [Optional] GitHub enterprise host
147 'username' => 'sd-buildbot', # [Optional] Username for code checkout
148 'email' => 'dev-null@screwdriver.cd', # [Optional] Email for code checkout
149 'privateRepo' => false, # [Optional] Set to true to support private repo; will need read and write access to public and private repos (https://developer.github.com/v3/oauth/#scopes)
152 'scm_b' => { # id and display name
153 'plugin' => 'bitbucket',
155 'oauthClientId' => 'YOUR-APP-KEY',
156 'oauthClientSecret' => 'YOUR-APP-SECRET',
162 default['screwdriver']['api']['scms_vault_items'] = {
166 'vault' => 'screwdriver',
168 # single oauthClientId or nested hash oauthClientId path delimited by slash
169 'env_context' => false,
170 'key' => 'oauthClientId', # real hash path: "/oauthClientId", Note: do not use `id`, which is preserved by Chef Vault.
171 # or nested hash id path delimited by slash
172 #'env_context' => true,
173 #'key' => 'hash/path/to/oauthClientId', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientId"
175 'oauthClientSecret' => {
176 'vault' => 'screwdriver',
178 # single oauthClientSecret or nested hash oauthClientSecret path delimited by slash
179 'env_context' => false,
180 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
181 # or nested hash secret path delimited by slash
182 #'env_context' => true,
183 #'key' => 'hash/path/to/oauthClientSecret', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientSecret"
187 'vault' => 'screwdriver',
189 # single secret or nested hash secret path delimited by slash
190 'env_context' => false,
191 'key' => 'secret', # real hash path: "/secret"
192 # or nested hash password path delimited by slash
193 #'env_context' => true,
194 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
204 default['screwdriver']['store']['config'] = {
# Whether the CA certificate is imported into the compose stack; pinned with
# force_override so the default/normal/override levels cannot change it.
# Presumably only meaningful together with with_ssl_cert_cookbook — confirm in the recipe.
force_override['screwdriver']['docker-compose']['import_ca'] = false

# Layout: everything lives under the docker-grid compose application directory.
default['screwdriver']['docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/screwdriver"
# Read app_dir back through `node` so an override of it propagates to the sub-directories.
sd_app_dir = node['screwdriver']['docker-compose']['app_dir']
default['screwdriver']['docker-compose']['bin_dir'] = "#{sd_app_dir}/bin"
default['screwdriver']['docker-compose']['config_dir'] = "#{sd_app_dir}/config"
default['screwdriver']['docker-compose']['data_dir'] = "#{sd_app_dir}/data"
default['screwdriver']['docker-compose']['etc_dir'] = "#{sd_app_dir}/etc"
# Presumably forces regeneration of the JWT private key on the next run — confirm in the recipe.
default['screwdriver']['docker-compose']['jwt_private_key_reset'] = false

# **DEPRECATED**: use ['screwdriver']['(jwt|cookie|password)_*_vault_item'] attributes.
# Presumably retained (as empty hashes) for backward compatibility with older wrappers.
%w(jwt_private_key jwt_public_key cookie_password password).each do |item|
  default['screwdriver']['docker-compose']["#{item}_vault_item"] = {}
end
226 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
227 default['screwdriver']['docker-compose']['oauth_client_id_vault_item'] = {
229 'vault' => 'screwdriver',
230 'name' => 'oauth_client_id',
231 # single cid or nested hash cid path delimited by slash
232 'env_context' => false,
233 'key' => 'cid', # real hash path: "/cid", Note: do not use `id`, which is preserved by Chef Vault.
234 # or nested hash id path delimited by slash
235 #'env_context' => true,
236 #'key' => 'hash/path/to/cid', # real hash path: "/#{node.chef_environment}/hash/path/to/cid"
239 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
240 default['screwdriver']['docker-compose']['oauth_client_secret_vault_item'] = {
242 'vault' => 'screwdriver',
243 'name' => 'oauth_client_secret',
244 # single secret or nested hash secret path delimited by slash
245 'env_context' => false,
246 'key' => 'secret', # real hash path: "/secret"
247 # or nested hash secret path delimited by slash
248 #'env_context' => true,
249 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
252 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
253 default['screwdriver']['docker-compose']['webhook_github_secret_vault_item'] = {
255 'vault' => 'screwdriver',
256 'name' => 'webhook_github_secret',
257 # single password or nested hash password path delimited by slash
258 'env_context' => false,
259 'key' => 'secret', # real hash path: "/secret"
260 # or nested hash password path delimited by slash
261 #'env_context' => true,
262 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
266 # ref: https://github.com/screwdriver-cd/screwdriver/blob/master/in-a-box.py
# Pinned with force_override: the compose hash assembled below is written in the
# version 2 format, so the default/normal/override levels must not change this.
267 force_override['screwdriver']['docker-compose']['config_format_version'] = '2'
269 # Version 2 docker-compose format
272 # this service will be active if the `['screwdriver']['with_ssl_cert_cookbook']` attribute is true.
277 'restart' => 'always',
278 'image' => 'nginx:alpine',
283 #'9000:9000', # default
286 # This volume will be set by the screwdriver::docker-compose recipe automatically.
287 #"#{node['screwdriver']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro",
291 'image' => 'screwdrivercd/screwdriver:latest',
292 'command' => 'npm start', # the original command in the Dockerfile.
294 #'9001:80', # default
297 '/var/run/docker.sock:/var/run/docker.sock:rw',
# Note: the rw docker.sock bind mount above hands the api container control of the
# host Docker daemon (effectively host-level privileges); it is needed by the
# 'docker' executor, so keep it scoped to this service only.
298 # This volume will be set by the screwdriver::docker-compose recipe automatically.
299 #"#{node['screwdriver']['docker-compose']['data_dir']}:/sd-data:rw", # for sqlite
303 # http://docs.screwdriver.cd/cluster-management/configure-api
304 # https://github.com/screwdriver-cd/screwdriver/blob/master/config/custom-environment-variables.yaml
306 'URI' => "http://#{cn}:9001",
307 #'URI' => "http://#{node['ipaddress']}:9001", # unrecommended
308 # These variables will be set by the screwdriver::docker-compose recipe automatically.
309 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
310 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000", # unrecommended
311 #'ECOSYSTEM_UI' => 'http://ui', # NG: the compose-internal service name is not reachable by a client.
312 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
313 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
314 #'ECOSYSTEM_STORE' => 'http://store',
315 'SECRET_WHITELIST' => '[]',
316 'SECRET_ADMINS' => '[]',
317 'DATASTORE_PLUGIN' => 'sequelize',
318 'DATASTORE_SEQUELIZE_DATABASE' => 'screwdriver',
319 'DATASTORE_SEQUELIZE_DIALECT' => 'sqlite',
320 # This variable will be set by the screwdriver::docker-compose recipe automatically.
321 #'DATASTORE_SEQUELIZE_STORAGE' => '/sd-data/storage.db',
323 #'DATASTORE_SEQUELIZE_DIALECT' => 'mysql',
324 # These variables will be set by the screwdriver::docker-compose recipe automatically.
325 #'DATASTORE_SEQUELIZE_USERNAME' => '${DB_USERNAME}',
326 #'DATASTORE_SEQUELIZE_PASSWORD' => '${DB_PASSWORD}',
327 #'DATASTORE_SEQUELIZE_HOST' => 'db',
328 # This variable will be set by the screwdriver::docker-compose recipe automatically.
329 #'IS_HTTPS' => 'false',
330 #'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # workaround for self-signed certificates; this disables TLS certificate verification for the whole Node process, so prefer trusting the CA instead.
332 # **DEPRECATED**: use the `['screwdriver']['api']['config']['executor']` attribute.
333 'EXECUTOR_PLUGIN' => 'docker',
334 'EXECUTOR_DOCKER_DOCKER' => <<-'EOS',
336 "socketPath": "/var/run/docker.sock"
342 # **DEPRECATED**: Please use the above `['screwdriver']['api']['config']['scms']` attribute
343 # instead of `SCM_SETTINGS` env. variable.
344 # 'SCM_SETTINGS' => '{}',
346 # **DEPRECATED**: Non-Multiple SCMs setting format.
347 # - Note: Multiple SCMs not supported yet.
348 # https://github.com/screwdriver-cd/screwdriver/issues/365
349 # - OAuth Callback URL: "http://#{cn}:9001/v4/auth/login/web"
350 'SCM_PLUGIN' => 'github', # or 'gitlab' or 'bitbucket'
352 'SCM_USERNAME' => 'sd-buildbot',
353 'SCM_EMAIL' => 'dev-null@screwdriver.cd',
354 # The following variables will be set by the screwdriver::docker-compose recipe automatically.
355 'SECRET_OAUTH_CLIENT_ID' => '${SECRET_OAUTH_CLIENT_ID}',
356 'SECRET_OAUTH_CLIENT_SECRET' => '${SECRET_OAUTH_CLIENT_SECRET}',
358 'WEBHOOK_GITHUB_SECRET' => '${WEBHOOK_GITHUB_SECRET}', #'SUPER-SECRET-SIGNING-THING'
359 'SCM_GITHUB_GHE_HOST' => 'gitlab.io.example.com', # for GHE
360 'SCM_PRIVATE_REPO_SUPPORT' => 'false',
362 #'SCM_GITLAB_HOST' => 'gitlab.io.example.com',
363 #'SCM_GITLAB_PROTOCOL' => 'https',
370 'image' => 'screwdrivercd/ui:latest',
372 #'9000:80', # default
375 # These variables will be set by the screwdriver::docker-compose recipe automatically.
376 #'ECOSYSTEM_API' => 'http://api', # NG: the compose-internal service name is not reachable by a client.
377 #'ECOSYSTEM_API' => "http://#{cn}:9001", # Better
378 #'ECOSYSTEM_API' => "http://#{node['ipaddress']}:9001", # unrecommended
379 #'ECOSYSTEM_STORE' => 'http://store',
380 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
381 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
385 'image' => 'screwdrivercd/store:latest',
387 #'9002:80', # default
390 # See https://github.com/screwdriver-cd/store/blob/master/config/custom-environment-variables.yaml
392 'URI' => "http://#{cn}:9002",
393 #'URI' => "http://#{node['ipaddress']}:9002", # unrecommended
394 #'STRATEGY' => 'memory',
395 # This variable will be set by the screwdriver::docker-compose recipe automatically.
396 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
397 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000",
398 #'ECOSYSTEM_UI' => 'http://ui', # NG: the compose-internal service name is not reachable by a client.
# Merged view of the compose services; used right below to pick the datastore dialect.
# NOTE(review): this reads node[...]['config'] before the final assignment at the
# bottom of this file, so it relies on that attribute already being populated
# (by lines not visible here or by a wrapper cookbook) — confirm.
404 config_srvs = node['screwdriver']['docker-compose']['config']['services']
405 case config_srvs['api']['environment']['DATASTORE_SEQUELIZE_DIALECT']
407 version_2_config['services']['db'] = {
408 'image' => 'mysql:5',
410 # This variable will be set by the screwdriver::docker-compose recipe automatically.
411 #"#{node['screwdriver']['docker-compose']['data_dir']}/mysql:/var/lib/mysql:rw",
414 # These variables will be set by the screwdriver::docker-compose recipe automatically.
415 #'MYSQL_ROOT_PASSWORD' => '${DB_ROOT_PASSWORD}',
416 #'MYSQL_USER' => '${DB_USERNAME}',
417 #'MYSQL_PASSWORD' => '${DB_PASSWORD}',
418 #'MYSQL_DATABASE' => 'screwdriver',
# Publish the assembled version 2 compose hash (including the optional db service
# added above) as the default config; presumably rendered by the
# screwdriver::docker-compose recipe — confirm.
423 default['screwdriver']['docker-compose']['config'] = version_2_config