2 # Cookbook Name:: screwdriver
5 # Copyright 2017, whitestar
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
11 # http://www.apache.org/licenses/LICENSE-2.0
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
# Set to true to enable the TLS front-end: the nginx service in the compose
# config below is only active when this attribute is true.
20 default['screwdriver']['with_ssl_cert_cookbook'] = false
21 # If ['screwdriver']['with_ssl_cert_cookbook'] is true,
22 # node['screwdriver']['docker-compose']['config']
23 # is overridden by the following 'common_name' attributes.
# Additional CA names. How they are consumed is not visible in this file
# (handled by the recipe — confirm there).
24 default['screwdriver']['ssl_cert']['ca_names'] = []
# Host name advertised in the externally reachable API and Store 'URI' values
# further down. Falls back to the node's IP address when no FQDN is known.
25 default['screwdriver']['ssl_cert']['common_name'] = node['fqdn']
26 cn = node['screwdriver']['ssl_cert']['common_name']
27 cn = node['ipaddress'] if cn.nil? || cn.empty?
# NOTE(review): `cn` is captured while this attribute file loads; a later
# override of ['ssl_cert']['common_name'] (role, environment or wrapper) will
# not propagate into the URIs built from `cn` below — confirm against the recipe.
29 default['screwdriver']['jwt_private_key_vault_item'] = {
31 'vault' => 'screwdriver',
32 'name' => 'jwt_private_key',
33 # single secret or nested hash secret path delimited by slash
34 'env_context' => false,
35 'key' => 'private', # real hash path: "/private"
36 # or nested hash secret path delimited by slash
37 #'env_context' => true,
38 #'key' => 'hash/path/to/private', # real hash path: "/#{node.chef_environment}/hash/path/to/private"
41 default['screwdriver']['jwt_public_key_vault_item'] = {
43 'vault' => 'screwdriver',
44 'name' => 'jwt_public_key',
45 # single secret or nested hash secret path delimited by slash
46 'env_context' => false,
47 'key' => 'public', # real hash path: "/public"
48 # or nested hash secret path delimited by slash
49 #'env_context' => true,
50 #'key' => 'hash/path/to/public', # real hash path: "/#{node.chef_environment}/hash/path/to/public"
53 # A password used for encrypting session data. Must be at least 32 characters long.
54 default['screwdriver']['cookie_password_vault_item'] = {
56 'vault' => 'screwdriver',
57 'name' => 'cookie_password',
58 # single password or nested hash password path delimited by slash
59 'env_context' => false,
60 'key' => 'password', # real hash path: "/password"
61 # or nested hash password path delimited by slash
62 #'env_context' => true,
63 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
66 # A password used for encrypting stored secrets. Must be at least 32 characters long.
67 default['screwdriver']['password_vault_item'] = {
69 'vault' => 'screwdriver',
71 # single password or nested hash password path delimited by slash
72 'env_context' => false,
73 'key' => 'password', # real hash path: "/password"
74 # or nested hash password path delimited by slash
75 #'env_context' => true,
76 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
79 default['screwdriver']['db_username_vault_item'] = {
81 'vault' => 'screwdriver',
82 'name' => 'db_username',
83 # single username or nested hash username path delimited by slash
84 'env_context' => false,
85 'key' => 'username', # real hash path: "/username"
86 # or nested hash username path delimited by slash
87 #'env_context' => true,
88 #'key' => 'hash/path/to/username', # real hash path: "/#{node.chef_environment}/hash/path/to/username"
91 default['screwdriver']['db_password_vault_item'] = {
93 'vault' => 'screwdriver',
94 'name' => 'db_password',
95 # single password or nested hash password path delimited by slash
96 'env_context' => false,
97 'key' => 'password', # real hash path: "/password"
98 # or nested hash password path delimited by slash
99 #'env_context' => true,
100 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
103 default['screwdriver']['db_root_password_vault_item'] = {
105 'vault' => 'screwdriver',
106 'name' => 'db_root_password',
107 # single password or nested hash password path delimited by slash
108 'env_context' => false,
109 'key' => 'password', # real hash path: "/password"
110 # or nested hash password path delimited by slash
111 #'env_context' => true,
112 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
115 default['screwdriver']['s3_access_key_id_vault_item'] = {
117 'vault' => 'screwdriver',
118 'name' => 's3_access_key',
119 # single key id or nested hash key id path delimited by slash
120 'env_context' => false,
121 'key' => 'kid', # real hash path: "/kid"
122 # or nested hash key id path delimited by slash
123 #'env_context' => true,
124 #'key' => 'hash/path/to/kid', # real hash path: "/#{node.chef_environment}/hash/path/to/kid"
127 default['screwdriver']['s3_access_key_secret_vault_item'] = {
129 'vault' => 'screwdriver',
130 'name' => 's3_access_key',
131 # single secret or nested hash secret path delimited by slash
132 'env_context' => false,
133 'key' => 'secret', # real hash path: "/secret"
134 # or nested hash secret path delimited by slash
135 #'env_context' => true,
136 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
# Pinned with force_override so ordinary override attributes cannot change it.
# 'reverseproxy' presumably means the UI's TLS is terminated by the nginx
# service below rather than inside the UI container — confirm in the recipe.
140 force_override['screwdriver']['ui']['tls_setup_mode'] = 'reverseproxy'
141 # These hash objects are expanded to a `/config/local.yaml` file in each Docker container.
142 default['screwdriver']['api']['config'] = {
150 'plugin' => 'docker',
154 'socketPath' => '/var/run/docker.sock',
156 'launchVersion' => 'stable',
163 'scm_a' => { # id and display name
164 'plugin' => 'github',
166 # The 3 values below are placeholders only; supply the real secrets through the following `['screwdriver']['api']['scms_vault_items']` attribute rather than here.
167 'oauthClientId' => 'YOU-PROBABLY-WANT-SOMETHING-HERE', # The client id used for OAuth with github. GitHub OAuth (https://developer.github.com/v3/oauth/)
168 'oauthClientSecret' => 'AGAIN-SOMETHING-HERE-IS-USEFUL', # The client secret used for OAuth with github
169 'secret' => 'SUPER-SECRET-SIGNING-THING', # Secret to add to GitHub webhooks so that we can validate them
170 'gheHost' => 'github.screwdriver.cd', # [Optional] GitHub enterprise host
171 'username' => 'sd-buildbot', # [Optional] Username for code checkout
172 'email' => 'dev-null@screwdriver.cd', # [Optional] Email for code checkout
173 'privateRepo' => false, # [Optional] Set to true to support private repo; will need read and write access to public and private repos (https://developer.github.com/v3/oauth/#scopes)
176 'scm_b' => { # id and display name
177 'plugin' => 'bitbucket',
179 'oauthClientId' => 'YOUR-APP-KEY',
180 'oauthClientSecret' => 'YOUR-APP-SECRET',
186 default['screwdriver']['api']['scms_vault_items'] = {
190 'vault' => 'screwdriver',
192 # single oauthClientId or nested hash oauthClientId path delimited by slash
193 'env_context' => false,
194 'key' => 'oauthClientId', # real hash path: "/oauthClientId", Note: do not use `id`, which is preserved by Chef Vault.
195 # or nested hash id path delimited by slash
196 #'env_context' => true,
197 #'key' => 'hash/path/to/oauthClientId', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientId"
199 'oauthClientSecret' => {
200 'vault' => 'screwdriver',
202 # single oauthClientSecret or nested hash oauthClientSecret path delimited by slash
203 'env_context' => false,
204 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
205 # or nested hash secret path delimited by slash
206 #'env_context' => true,
207 #'key' => 'hash/path/to/oauthClientSecret', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientSecret"
211 'vault' => 'screwdriver',
213 # single secret or nested hash secret path delimited by slash
214 'env_context' => false,
215 'key' => 'secret', # real hash path: "/secret"
216 # or nested hash password path delimited by slash
217 #'env_context' => true,
218 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
# nil: no bundled object store. 'minio' adds a 'screwdriver.s3' minio service
# to the compose config (see the `case` on this attribute near the end of the file).
228 default['screwdriver']['store']['backend'] = nil # or 'minio'
229 default['screwdriver']['store']['config'] = {
240 'secretAccessKey' => '****************************************',
241 'region' => 'us-east-1',
242 'bucket' => 'screwdriver',
243 'endpoint' => 'http://s3:9000/screwdriver',
244 'signatureVersion' => 'v4',
# force_override'd to false; what import_ca actually controls is handled by the
# recipe and is not visible in this file — confirm there.
251 force_override['screwdriver']['docker-compose']['import_ca'] = false
# Directory layout under the docker-grid compose application directory. The
# bin/config/data/etc sub-directories are derived from app_dir when this file
# loads, so overriding app_dir later (role/environment) does not move them
# unless they are overridden as well — NOTE(review): confirm this is intended.
252 default['screwdriver']['docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/screwdriver"
253 default['screwdriver']['docker-compose']['bin_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/bin"
254 default['screwdriver']['docker-compose']['config_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/config"
255 default['screwdriver']['docker-compose']['data_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/data"
256 default['screwdriver']['docker-compose']['etc_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/etc"
# Consumed by the recipe; its effect is not visible in this file.
257 default['screwdriver']['docker-compose']['jwt_private_key_reset'] = false
259 # **DEPRECATED**: use ['screwdriver']['(jwt|cookie|password)_*_vault_item'] attributes.
# Kept as empty hashes for backward compatibility only; use the top-level
# *_vault_item attributes above instead.
260 default['screwdriver']['docker-compose']['jwt_private_key_vault_item'] = {}
261 default['screwdriver']['docker-compose']['jwt_public_key_vault_item'] = {}
262 default['screwdriver']['docker-compose']['cookie_password_vault_item'] = {}
263 default['screwdriver']['docker-compose']['password_vault_item'] = {}
265 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
266 default['screwdriver']['docker-compose']['oauth_client_id_vault_item'] = {
268 'vault' => 'screwdriver',
269 'name' => 'oauth_client_id',
270 # single cid or nested hash cid path delimited by slash
271 'env_context' => false,
272 'key' => 'cid', # real hash path: "/cid", Note: do not use `id`, which is preserved by Chef Vault.
273 # or nested hash id path delimited by slash
274 #'env_context' => true,
275 #'key' => 'hash/path/to/cid', # real hash path: "/#{node.chef_environment}/hash/path/to/cid"
278 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
279 default['screwdriver']['docker-compose']['oauth_client_secret_vault_item'] = {
281 'vault' => 'screwdriver',
282 'name' => 'oauth_client_secret',
283 # single secret or nested hash secret path delimited by slash
284 'env_context' => false,
285 'key' => 'secret', # real hash path: "/secret"
286 # or nested hash secret path delimited by slash
287 #'env_context' => true,
288 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
291 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
292 default['screwdriver']['docker-compose']['webhook_github_secret_vault_item'] = {
294 'vault' => 'screwdriver',
295 'name' => 'webhook_github_secret',
296 # single password or nested hash password path delimited by slash
297 'env_context' => false,
298 'key' => 'secret', # real hash path: "/secret"
299 # or nested hash password path delimited by slash
300 #'env_context' => true,
301 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
305 # ref: https://github.com/screwdriver-cd/screwdriver/blob/master/in-a-box.py
# Pinned: the compose hash built below is written in the version-2 file format.
306 force_override['screwdriver']['docker-compose']['config_format_version'] = '2'
308 # Version 2 docker-compose format
311 # this service will be active if the `['screwdriver']['with_ssl_cert_cookbook']` attribute is true.
316 'restart' => 'always',
317 'image' => 'nginx:alpine',
322 #'9000:9000', # default
325 # This volume will be set by the screwdriver::docker-compose recipe automatically.
326 #"#{node['screwdriver']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro",
330 'image' => 'screwdrivercd/screwdriver:latest',
331 'command' => 'npm start', # the original command in the Dockerfile.
333 #'9001:80', # default
336 '/var/run/docker.sock:/var/run/docker.sock:rw',
337 # This volume will be set by the screwdriver::docker-compose recipe automatically.
338 #"#{node['screwdriver']['docker-compose']['data_dir']}:/sd-data:rw", # for sqlite
342 # http://docs.screwdriver.cd/cluster-management/configure-api
343 # https://github.com/screwdriver-cd/screwdriver/blob/master/config/custom-environment-variables.yaml
345 'URI' => "http://#{cn}:9001",
346 #'URI' => "http://#{node['ipaddress']}:9001", # unrecommended
347 # These variables will be set by the screwdriver::docker-compose recipe automatically.
348 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
349 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000", # unrecommended
350 #'ECOSYSTEM_UI' => 'http://ui', # NG: not usable for access from a client.
351 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
352 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
353 #'ECOSYSTEM_STORE' => 'http://store',
354 'SECRET_WHITELIST' => '[]',
355 'SECRET_ADMINS' => '[]',
356 'DATASTORE_PLUGIN' => 'sequelize',
357 'DATASTORE_SEQUELIZE_DATABASE' => 'screwdriver',
358 'DATASTORE_SEQUELIZE_DIALECT' => 'sqlite',
359 # This variable will be set by the screwdriver::docker-compose recipe automatically.
360 #'DATASTORE_SEQUELIZE_STORAGE' => '/sd-data/storage.db',
362 #'DATASTORE_SEQUELIZE_DIALECT' => 'mysql',
363 # These variables will be set by the screwdriver::docker-compose recipe automatically.
364 #'DATASTORE_SEQUELIZE_USERNAME' => '${DB_USERNAME}',
365 #'DATASTORE_SEQUELIZE_PASSWORD' => '${DB_PASSWORD}',
366 #'DATASTORE_SEQUELIZE_HOST' => 'db',
367 # This variable will be set by the screwdriver::docker-compose recipe automatically.
368 #'IS_HTTPS' => 'false',
369 #'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # workaround for self-signed certificates; note that '0' disables TLS certificate verification for the whole Node process, not only for the self-signed CA
371 # **DEPRECATED**: use the `['screwdriver']['api']['config']['executor']` attribute.
372 'EXECUTOR_PLUGIN' => 'docker',
373 'EXECUTOR_DOCKER_DOCKER' => <<-'EOS',
375 "socketPath": "/var/run/docker.sock"
381 # **DEPRECATED**: Please use the above `['screwdriver']['api']['config']['scms']` attribute
382 # instead of `SCM_SETTINGS` env. variable.
383 # 'SCM_SETTINGS' => '{}',
385 # **DEPRECATED**: Non-Multiple SCMs setting format.
386 # - Note: Multiple SCMs not supported yet.
387 # https://github.com/screwdriver-cd/screwdriver/issues/365
388 # - OAuth Callback URL: "http://#{cn}:9001/v4/auth/login/web"
389 'SCM_PLUGIN' => 'github', # or 'gitlab' or 'bitbucket'
391 'SCM_USERNAME' => 'sd-buildbot',
392 'SCM_EMAIL' => 'dev-null@screwdriver.cd',
393 # The following variables will be set by the screwdriver::docker-compose recipe automatically.
394 'SECRET_OAUTH_CLIENT_ID' => '${SECRET_OAUTH_CLIENT_ID}',
395 'SECRET_OAUTH_CLIENT_SECRET' => '${SECRET_OAUTH_CLIENT_SECRET}',
397 'WEBHOOK_GITHUB_SECRET' => '${WEBHOOK_GITHUB_SECRET}', #'SUPER-SECRET-SIGNING-THING'
398 'SCM_GITHUB_GHE_HOST' => 'gitlab.io.example.com', # for GHE
399 'SCM_PRIVATE_REPO_SUPPORT' => 'false',
401 #'SCM_GITLAB_HOST' => 'gitlab.io.example.com',
402 #'SCM_GITLAB_PROTOCOL' => 'https',
409 'image' => 'screwdrivercd/ui:latest',
411 #'9000:80', # default
414 # These variables will be set by the screwdriver::docker-compose recipe automatically.
415 #'ECOSYSTEM_API' => 'http://api', # NG: not usable for access from a client.
416 #'ECOSYSTEM_API' => "http://#{cn}:9001", # Better
417 #'ECOSYSTEM_API' => "http://#{node['ipaddress']}:9001", # unrecommended
418 #'ECOSYSTEM_STORE' => 'http://store',
419 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
420 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
424 'image' => 'screwdrivercd/store:latest',
426 #'9002:80', # default
429 # See https://github.com/screwdriver-cd/store/blob/master/config/custom-environment-variables.yaml
431 'URI' => "http://#{cn}:9002",
432 #'URI' => "http://#{node['ipaddress']}:9002", # unrecommended
433 # These variables will be set by the screwdriver::docker-compose recipe automatically.
434 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
435 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000",
436 #'ECOSYSTEM_UI' => 'http://ui', # NG: not usable for access from a client.
437 #'STRATEGY' => 'memory', # default
440 # If node['screwdriver']['s3_access_key_{id,secret}_vault_item'] is set,
441 # these 2 variables will be set by the screwdriver::docker-compose recipe automatically.
442 #'S3_ACCESS_KEY_ID' => '${S3_ACCESS_KEY_ID}',
443 #'S3_ACCESS_KEY_SECRET' => '${S3_ACCESS_KEY_SECRET}',
444 #'S3_REGION' => 'us-east-1',
445 #'S3_BUCKET' => 'screwdriver',
447 # If node['screwdriver']['store']['backend'] is 'minio',
448 # these variables will be set by the screwdriver::docker-compose recipe automatically.
450 #'S3_ACCESS_KEY_ID' => '${S3_ACCESS_KEY_ID}',
451 #'S3_ACCESS_KEY_SECRET' => '${S3_ACCESS_KEY_SECRET}',
452 #'S3_REGION' => 'us-east-1',
453 #'S3_BUCKET' => 'screwdriver',
454 #'S3_ENDPOINT' => 'http://s3:9000/screwdriver', # tricky!! setting for the S3 virtual hosting style.
455 #'S3_SIG_VER' => 'v4',
457 # for S3 compatible server
# Read the api service's environment to decide which database service to add.
# NOTE(review): this reads the node attribute, so ['docker-compose']['config']
# must already have been assigned from version_2_config above (not visible in
# this excerpt) — confirm.
465 config_srvs = node['screwdriver']['docker-compose']['config']['services']
466 case config_srvs['api']['environment']['DATASTORE_SEQUELIZE_DIALECT']
468 version_2_config['services']['db'] = {
469 'image' => 'mysql:5',
471 # This variable will be set by the screwdriver::docker-compose recipe automatically.
472 #"#{node['screwdriver']['docker-compose']['data_dir']}/mysql:/var/lib/mysql:rw",
475 # These variables will be set by the screwdriver::docker-compose recipe automatically.
476 #'MYSQL_ROOT_PASSWORD' => '${DB_ROOT_PASSWORD}',
477 #'MYSQL_USER' => '${DB_USERNAME}',
478 #'MYSQL_PASSWORD' => '${DB_PASSWORD}',
479 #'MYSQL_DATABASE' => 'screwdriver',
483 version_2_config['services']['db'] = {
484 'image' => 'postgres:9',
486 # This variable will be set by the screwdriver::docker-compose recipe automatically.
487 #"#{node['screwdriver']['docker-compose']['data_dir']}/postgres:/database:rw",
490 # These variables will be set by the screwdriver::docker-compose recipe automatically.
491 #'POSTGRES_USER' => '${DB_USERNAME}',
492 #'POSTGRES_PASSWORD' => '${DB_PASSWORD}',
493 #'POSTGRES_DB' => 'screwdriver',
494 #'PGDATA' => '/database',
499 # S3 compatible server
500 case node['screwdriver']['store']['backend']
502 version_2_config['services']['screwdriver.s3'] = {
503 'image' => 'minio/minio',
505 #'9010:9000', # default
507 'command' => 'server /export',
509 # This variable will be set by the screwdriver::docker-compose recipe automatically.
510 #"#{node['screwdriver']['docker-compose']['data_dir']}//minio:/export:rw",
513 # These variables will be set by the screwdriver::docker-compose recipe automatically.
514 #'MINIO_ACCESS_KEY' => '${S3_ACCESS_KEY_ID}',
515 #'MINIO_SECRET_KEY' => '${S3_ACCESS_KEY_SECRET}',
# (Re)publish the compose hash as the node attribute after the optional db and
# s3 services were added to version_2_config above.
520 default['screwdriver']['docker-compose']['config'] = version_2_config