2 # Cookbook Name:: screwdriver
5 # Copyright 2017-2018, whitestar
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
11 # http://www.apache.org/licenses/LICENSE-2.0
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
# Opt-in integration with the ssl_cert cookbook; off unless a wrapper turns it on.
20 default['screwdriver']['with_ssl_cert_cookbook'] = false
21 # If ['screwdriver']['with_ssl_cert_cookbook'] is true,
22 # node['screwdriver']['docker-compose']['config']
23 # are overridden by the following 'common_name' attributes.
24 default['screwdriver']['ssl_cert']['ca_names'] = []
# The host name the services are reached by (and, with the ssl_cert cookbook,
# the certificate common name). Defaults to the node's FQDN.
25 default['screwdriver']['ssl_cert']['common_name'] = node['fqdn']
# `cn` is a plain local used by the 'URI' entries of the api/store services
# further down in this file. It is evaluated when this attribute file loads,
# so a common_name override applied later (e.g. a wrapper cookbook) is not
# picked up here unless those URIs are overridden as well. Falls back to the
# node's IP address when no FQDN is known (nil or empty string).
26 cn = node['screwdriver']['ssl_cert']['common_name']
27 cn = node['ipaddress'] if cn.nil? || cn.empty?
29 default['screwdriver']['jwt_private_key_vault_item'] = {
31 'vault' => 'screwdriver',
32 'name' => 'jwt_private_key',
33 # single secret or nested hash secret path delimited by slash
34 'env_context' => false,
35 'key' => 'private', # real hash path: "/private"
36 # or nested hash secret path delimited by slash
37 #'env_context' => true,
38 #'key' => 'hash/path/to/private', # real hash path: "/#{node.chef_environment}/hash/path/to/private"
41 default['screwdriver']['jwt_public_key_vault_item'] = {
43 'vault' => 'screwdriver',
44 'name' => 'jwt_public_key',
45 # single secret or nested hash secret path delimited by slash
46 'env_context' => false,
47 'key' => 'public', # real hash path: "/public"
48 # or nested hash secret path delimited by slash
49 #'env_context' => true,
50 #'key' => 'hash/path/to/public', # real hash path: "/#{node.chef_environment}/hash/path/to/public"
53 # A password used for encrypting session data. Must be at least 32 characters.
54 default['screwdriver']['cookie_password_vault_item'] = {
56 'vault' => 'screwdriver',
57 'name' => 'cookie_password',
58 # single password or nested hash password path delimited by slash
59 'env_context' => false,
60 'key' => 'password', # real hash path: "/password"
61 # or nested hash password path delimited by slash
62 #'env_context' => true,
63 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
66 # A password used for encrypting stored secrets. Must be at least 32 characters.
67 default['screwdriver']['password_vault_item'] = {
69 'vault' => 'screwdriver',
71 # single password or nested hash password path delimited by slash
72 'env_context' => false,
73 'key' => 'password', # real hash path: "/password"
74 # or nested hash password path delimited by slash
75 #'env_context' => true,
76 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
79 # A password used for hashing user/pipeline access tokens. Must be at least 32 characters.
80 default['screwdriver']['hashing_password_vault_item'] = {
82 'vault' => 'screwdriver',
83 'name' => 'hashing_password',
84 # single password or nested hash password path delimited by slash
85 'env_context' => false,
86 'key' => 'password', # real hash path: "/password"
87 # or nested hash password path delimited by slash
88 #'env_context' => true,
89 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
92 default['screwdriver']['db_username_vault_item'] = {
94 'vault' => 'screwdriver',
95 'name' => 'db_username',
96 # single username or nested hash username path delimited by slash
97 'env_context' => false,
98 'key' => 'username', # real hash path: "/username"
99 # or nested hash username path delimited by slash
100 #'env_context' => true,
101 #'key' => 'hash/path/to/username', # real hash path: "/#{node.chef_environment}/hash/path/to/username"
104 default['screwdriver']['db_password_vault_item'] = {
106 'vault' => 'screwdriver',
107 'name' => 'db_password',
108 # single password or nested hash password path delimited by slash
109 'env_context' => false,
110 'key' => 'password', # real hash path: "/password"
111 # or nested hash password path delimited by slash
112 #'env_context' => true,
113 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
116 default['screwdriver']['db_root_password_vault_item'] = {
118 'vault' => 'screwdriver',
119 'name' => 'db_root_password',
120 # single password or nested hash password path delimited by slash
121 'env_context' => false,
122 'key' => 'password', # real hash path: "/password"
123 # or nested hash password path delimited by slash
124 #'env_context' => true,
125 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
128 default['screwdriver']['s3_access_key_id_vault_item'] = {
130 'vault' => 'screwdriver',
131 'name' => 's3_access_key',
132 # single key id or nested hash key id path delimited by slash
133 'env_context' => false,
134 'key' => 'kid', # real hash path: "/kid"
135 # or nested hash key id path delimited by slash
136 #'env_context' => true,
137 #'key' => 'hash/path/to/kid', # real hash path: "/#{node.chef_environment}/hash/path/to/kid"
140 default['screwdriver']['s3_access_key_secret_vault_item'] = {
142 'vault' => 'screwdriver',
143 'name' => 's3_access_key',
144 # single secret or nested hash secret path delimited by slash
145 'env_context' => false,
146 'key' => 'secret', # real hash path: "/secret"
147 # or nested hash secret path delimited by slash
148 #'env_context' => true,
149 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
# Pinned at force_override precedence so that role/environment/wrapper defaults
# cannot move the UI away from the 'reverseproxy' TLS setup mode (presumably TLS
# is terminated by the nginx service defined below — confirm in the recipe).
153 force_override['screwdriver']['ui']['tls_setup_mode'] = 'reverseproxy'
154 # These hash objects are expanded to a `/config/local.yaml` file in each Docker container.
155 default['screwdriver']['api']['config'] = {
161 'plugin' => 'docker',
165 'socketPath' => '/var/run/docker.sock',
167 'launchVersion' => 'latest',
171 # TODO: implement default settings
173 'enabled' => 'false', # EXECUTOR_QUEUE_ENABLED
175 # Configuration of the redis instance containing resque
176 'redisConnection' => {
177 'host' => 'QUEUE_REDIS_HOST',
178 'port' => 'QUEUE_REDIS_PORT',
180 'password' => 'QUEUE_REDIS_PASSWORD',
181 'tls' => 'QUEUE_REDIS_TLS_ENABLED',
183 'database' => 'QUEUE_REDIS_DATABASE',
191 'scm_a' => { # id and display name
192 'plugin' => 'github',
193 # access https://github.com/settings/developers to get an OAuth key.
195 # These 3 secrets should be set by the following `['screwdriver']['api']['scms_vault_items']` attribute.
196 'oauthClientId' => 'YOU-PROBABLY-WANT-SOMETHING-HERE', # The client id used for OAuth with github. GitHub OAuth (https://developer.github.com/v3/oauth/)
197 'oauthClientSecret' => 'AGAIN-SOMETHING-HERE-IS-USEFUL', # The client secret used for OAuth with github
198 'secret' => 'SUPER-SECRET-SIGNING-THING', # Secret to add to GitHub webhooks so that we can validate them
199 'gheHost' => 'github.screwdriver.cd', # [Optional] GitHub enterprise host
200 'username' => 'sd-buildbot', # [Optional] Username for code checkout
201 'email' => 'dev-null@screwdriver.cd', # [Optional] Email for code checkout
202 'privateRepo' => false, # [Optional] Set to true to support private repo; will need read and write access to public and private repos (https://developer.github.com/v3/oauth/#scopes)
205 'scm_b' => { # id and display name
206 'plugin' => 'bitbucket',
207 # access https://bitbucket.org/account/user/<name>/api to get an OAuth key.
209 'oauthClientId' => 'YOUR-APP-KEY',
210 'oauthClientSecret' => 'YOUR-APP-SECRET',
216 default['screwdriver']['api']['scms_vault_items'] = {
220 'vault' => 'screwdriver',
222 # single oauthClientId or nested hash oauthClientId path delimited by slash
223 'env_context' => false,
224 'key' => 'oauthClientId', # real hash path: "/oauthClientId", Note: do not use `id`, which is preserved by Chef Vault.
225 # or nested hash id path delimited by slash
226 #'env_context' => true,
227 #'key' => 'hash/path/to/oauthClientId', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientId"
229 'oauthClientSecret' => {
230 'vault' => 'screwdriver',
232 # single oauthClientSecret or nested hash oauthClientSecret path delimited by slash
233 'env_context' => false,
234 'key' => 'oauthClientSecret', # real hash path: "/oauthClientSecret"
235 # or nested hash secret path delimited by slash
236 #'env_context' => true,
237 #'key' => 'hash/path/to/oauthClientSecret', # real hash path: "/#{node.chef_environment}/hash/path/to/oauthClientSecret"
241 'vault' => 'screwdriver',
243 # single secret or nested hash secret path delimited by slash
244 'env_context' => false,
245 'key' => 'secret', # real hash path: "/secret"
246 # or nested hash password path delimited by slash
247 #'env_context' => true,
248 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
# Object-store backend for the store service. nil adds no extra container;
# 'minio' makes the case statement near the end of this file add the
# 'screwdriver.s3' compose service (minio/minio image).
258 default['screwdriver']['store']['backend'] = nil # or 'minio'
259 default['screwdriver']['store']['config'] = {
270 'secretAccessKey' => '****************************************',
271 'region' => 'us-east-1',
272 'bucket' => 'screwdriver',
273 'endpoint' => 'http://s3:9000/screwdriver',
274 'signatureVersion' => 'v4',
# Forced to false so that nothing at a lower precedence level turns CA import
# on for this compose project; the rationale is not stated in this file —
# confirm against the screwdriver::docker-compose recipe before changing it.
281 force_override['screwdriver']['docker-compose']['import_ca'] = false
282 default['screwdriver']['docker-compose']['autopilot'] = {
284 'log_dir' => '/var/log',
285 'wait_time' => '180s',
286 'docker-compose_opts' => '--no-ansi',
287 #'docker-compose_opts' => '', # for the old docker-compose
# Installation root, placed under the docker-grid cookbook's compose app_dir.
289 default['screwdriver']['docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/screwdriver"
# The sub-directories are interpolated from app_dir when this file loads, so
# an app_dir override that is applied later (e.g. in a wrapper cookbook) is
# not reflected here unless these derived paths are overridden too.
290 default['screwdriver']['docker-compose']['bin_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/bin"
291 default['screwdriver']['docker-compose']['config_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/config"
292 default['screwdriver']['docker-compose']['data_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/data"
293 default['screwdriver']['docker-compose']['etc_dir'] = "#{node['screwdriver']['docker-compose']['app_dir']}/etc"
# When true, every compose service gets 'network_mode' => 'bridge'
# (see the each_value loop near the end of this file).
294 default['screwdriver']['docker-compose']['network_mode_bridge'] = false
# Request regeneration of the JWT private key; the behaviour itself lives in
# the recipe, not in this file — confirm there before relying on it.
295 default['screwdriver']['docker-compose']['jwt_private_key_reset'] = false
297 # **DEPRECATED**: use ['screwdriver']['(jwt|cookie|password)_*_vault_item'] attributes.
# Kept as empty hashes for backward compatibility only; the active settings are
# the top-level ['screwdriver']['*_vault_item'] attributes at the start of this file.
298 default['screwdriver']['docker-compose']['jwt_private_key_vault_item'] = {}
299 default['screwdriver']['docker-compose']['jwt_public_key_vault_item'] = {}
300 default['screwdriver']['docker-compose']['cookie_password_vault_item'] = {}
301 default['screwdriver']['docker-compose']['password_vault_item'] = {}
303 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
304 default['screwdriver']['docker-compose']['oauth_client_id_vault_item'] = {
306 'vault' => 'screwdriver',
307 'name' => 'oauth_client_id',
308 # single cid or nested hash cid path delimited by slash
309 'env_context' => false,
310 'key' => 'cid', # real hash path: "/cid", Note: do not use `id`, which is preserved by Chef Vault.
311 # or nested hash id path delimited by slash
312 #'env_context' => true,
313 #'key' => 'hash/path/to/cid', # real hash path: "/#{node.chef_environment}/hash/path/to/cid"
316 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
317 default['screwdriver']['docker-compose']['oauth_client_secret_vault_item'] = {
319 'vault' => 'screwdriver',
320 'name' => 'oauth_client_secret',
321 # single secret or nested hash secret path delimited by slash
322 'env_context' => false,
323 'key' => 'secret', # real hash path: "/secret"
324 # or nested hash secret path delimited by slash
325 #'env_context' => true,
326 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
329 # **DEPRECATED**: use the above `['screwdriver']['api']['scms_vault_items']` attribute.
330 default['screwdriver']['docker-compose']['webhook_github_secret_vault_item'] = {
332 'vault' => 'screwdriver',
333 'name' => 'webhook_github_secret',
334 # single password or nested hash password path delimited by slash
335 'env_context' => false,
336 'key' => 'secret', # real hash path: "/secret"
337 # or nested hash password path delimited by slash
338 #'env_context' => true,
339 #'key' => 'hash/path/to/secret', # real hash path: "/#{node.chef_environment}/hash/path/to/secret"
343 # ref: https://github.com/screwdriver-cd/screwdriver/blob/master/in-a-box.py
# The compose file layout below is written in the version 2 format; pinned with
# force_override because the service definitions in this file assume it.
344 force_override['screwdriver']['docker-compose']['config_format_version'] = '2'
346 # Version 2 docker-compose format
349 # this service will be active if the `['screwdriver']['with_ssl_cert_cookbook']` attribute is true.
354 'restart' => 'always',
355 'image' => 'nginx:alpine',
360 #'9000:9000', # default
363 # This volume will be set by the screwdriver::docker-compose recipe automatically.
364 #"#{node['screwdriver']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro",
368 'image' => 'screwdrivercd/screwdriver:latest',
369 'command' => 'npm start', # the original command in the Dockerfile.
371 #'9001:80', # default
374 '/var/run/docker.sock:/var/run/docker.sock:rw',
375 # This volume will be set by the screwdriver::docker-compose recipe automatically.
376 #"#{node['screwdriver']['docker-compose']['data_dir']}:/sd-data:rw", # for sqlite
380 # http://docs.screwdriver.cd/cluster-management/configure-api
381 # https://github.com/screwdriver-cd/screwdriver/blob/master/config/custom-environment-variables.yaml
383 'URI' => "http://#{cn}:9001",
384 #'URI' => "http://#{node['ipaddress']}:9001", # unrecommended
385 # These variables will be set by the screwdriver::docker-compose recipe automatically.
386 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
387 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000", # unrecommended
388 #'ECOSYSTEM_UI' => 'http://ui', # NG: not usable for access from a client.
389 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
390 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
391 #'ECOSYSTEM_STORE' => 'http://store',
392 'SECRET_WHITELIST' => '[]',
393 'SECRET_ADMINS' => '[]',
394 'DATASTORE_PLUGIN' => 'sequelize',
395 'DATASTORE_SEQUELIZE_DATABASE' => 'screwdriver',
396 'DATASTORE_SEQUELIZE_DIALECT' => 'sqlite',
397 # This variable will be set by the screwdriver::docker-compose recipe automatically.
398 #'DATASTORE_SEQUELIZE_STORAGE' => '/sd-data/storage.db',
400 #'DATASTORE_SEQUELIZE_DIALECT' => 'mysql',
401 # These variables will be set by the screwdriver::docker-compose recipe automatically.
402 #'DATASTORE_SEQUELIZE_USERNAME' => '${DB_USERNAME}',
403 #'DATASTORE_SEQUELIZE_PASSWORD' => '${DB_PASSWORD}',
404 #'DATASTORE_SEQUELIZE_HOST' => 'db',
405 # This variable will be set by the screwdriver::docker-compose recipe automatically.
406 #'IS_HTTPS' => 'false',
407 #'NODE_TLS_REJECT_UNAUTHORIZED' => '0', # workaround for self-signed certificates; note this disables TLS certificate verification for the whole Node.js process
409 # **DEPRECATED**: use the `['screwdriver']['api']['config']['executor']` attribute.
410 'EXECUTOR_PLUGIN' => 'docker',
411 'EXECUTOR_DOCKER_DOCKER' => <<-'EOS',
413 "socketPath": "/var/run/docker.sock"
417 'EXECUTOR_QUEUE_ENABLED' => 'false',
418 #'QUEUE_REDIS_HOST' => 'queue',
420 #'QUEUE_REDIS_PORT' => '',
421 #'QUEUE_REDIS_PASSWORD' => '${REDIS_PASSWORD}'
422 #'QUEUE_REDIS_TLS_ENABLED' => '',
423 #'QUEUE_REDIS_DATABASE' => '',
426 # **DEPRECATED**: Please use the above `['screwdriver']['api']['config']['scms']` attribute
427 # instead of `SCM_SETTINGS` env. variable.
428 # 'SCM_SETTINGS' => '{}',
430 # **DEPRECATED**: Non-Multiple SCMs setting format.
431 # - Note: Multiple SCMs not supported yet.
432 # https://github.com/screwdriver-cd/screwdriver/issues/365
433 # - OAuth Callback URL: "http://#{cn}:9001/v4/auth/login"
434 'SCM_PLUGIN' => 'github', # or 'gitlab' or 'bitbucket'
436 'SCM_USERNAME' => 'sd-buildbot',
437 'SCM_EMAIL' => 'dev-null@screwdriver.cd',
438 # The following variables will be set by the screwdriver::docker-compose recipe automatically.
439 'SECRET_OAUTH_CLIENT_ID' => '${SECRET_OAUTH_CLIENT_ID}',
440 'SECRET_OAUTH_CLIENT_SECRET' => '${SECRET_OAUTH_CLIENT_SECRET}',
442 # access https://github.com/settings/developers to get an OAuth account.
443 'WEBHOOK_GITHUB_SECRET' => '${WEBHOOK_GITHUB_SECRET}', #'SUPER-SECRET-SIGNING-THING'
444 'SCM_GITHUB_GHE_HOST' => 'gitlab.io.example.com', # for GHE
445 'SCM_PRIVATE_REPO_SUPPORT' => 'false',
447 #'SCM_GITLAB_HOST' => 'gitlab.io.example.com',
448 #'SCM_GITLAB_PROTOCOL' => 'https',
455 'image' => 'screwdrivercd/ui:latest',
457 #'9000:80', # default
460 # These variables will be set by the screwdriver::docker-compose recipe automatically.
461 #'ECOSYSTEM_API' => 'http://api', # NG: not usable for access from a client.
462 #'ECOSYSTEM_API' => "http://#{cn}:9001", # Better
463 #'ECOSYSTEM_API' => "http://#{node['ipaddress']}:9001", # unrecommended
464 #'ECOSYSTEM_STORE' => 'http://store',
465 #'ECOSYSTEM_STORE' => "http://#{cn}:9002", # Better
466 #'ECOSYSTEM_STORE' => "http://#{node['ipaddress']}:9002", # unrecommended
470 'image' => 'screwdrivercd/store:latest',
472 #'9002:80', # default
475 # See https://github.com/screwdriver-cd/store/blob/master/config/custom-environment-variables.yaml
477 'URI' => "http://#{cn}:9002",
478 #'URI' => "http://#{node['ipaddress']}:9002", # unrecommended
479 # These variables will be set by the screwdriver::docker-compose recipe automatically.
480 #'ECOSYSTEM_UI' => "http://#{cn}:9000", # Better
481 #'ECOSYSTEM_UI' => "http://#{node['ipaddress']}:9000",
482 #'ECOSYSTEM_UI' => 'http://ui', # NG: not usable for access from a client.
483 #'STRATEGY' => 'memory', # default
486 # If node['screwdriver']['s3_access_key_{id,secret}_vault_item'] is set,
487 # these 2 variables will be set by the screwdriver::docker-compose recipe automatically.
488 #'S3_ACCESS_KEY_ID' => '${S3_ACCESS_KEY_ID}',
489 #'S3_ACCESS_KEY_SECRET' => '${S3_ACCESS_KEY_SECRET}',
490 #'S3_REGION' => 'us-east-1',
491 #'S3_BUCKET' => 'screwdriver',
493 # If node['screwdriver']['store']['backend'] is 'minio',
494 # these variables will be set by the screwdriver::docker-compose recipe automatically.
496 #'S3_ACCESS_KEY_ID' => '${S3_ACCESS_KEY_ID}',
497 #'S3_ACCESS_KEY_SECRET' => '${S3_ACCESS_KEY_SECRET}',
498 #'S3_REGION' => 'us-east-1',
499 #'S3_BUCKET' => 'screwdriver',
500 #'S3_ENDPOINT' => 'http://s3:9000/screwdriver', # tricky!! setting for the S3 virtual hosting style.
501 #'S3_SIG_VER' => 'v4',
503 # for S3 compatible server
# Shortcut to the merged compose 'services' hash; the case/if statements that
# follow read the api service's environment from it to decide which optional
# services (db, queue, s3) to add.
511 config_srvs = node['screwdriver']['docker-compose']['config']['services']
512 case config_srvs['api']['environment']['DATASTORE_SEQUELIZE_DIALECT']
514 version_2_config['services']['db'] = {
515 'image' => 'mysql:5',
517 # This variable will be set by the screwdriver::docker-compose recipe automatically.
518 #"#{node['screwdriver']['docker-compose']['data_dir']}/mysql:/var/lib/mysql:rw",
521 # These variables will be set by the screwdriver::docker-compose recipe automatically.
522 #'MYSQL_ROOT_PASSWORD' => '${DB_ROOT_PASSWORD}',
523 #'MYSQL_USER' => '${DB_USERNAME}',
524 #'MYSQL_PASSWORD' => '${DB_PASSWORD}',
525 #'MYSQL_DATABASE' => 'screwdriver',
529 version_2_config['services']['db'] = {
530 'image' => 'postgres:9',
532 # This variable will be set by the screwdriver::docker-compose recipe automatically.
533 #"#{node['screwdriver']['docker-compose']['data_dir']}/postgres:/database:rw",
536 # These variables will be set by the screwdriver::docker-compose recipe automatically.
537 #'POSTGRES_USER' => '${DB_USERNAME}',
538 #'POSTGRES_PASSWORD' => '${DB_PASSWORD}',
539 #'POSTGRES_DB' => 'screwdriver',
540 #'PGDATA' => '/database',
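# EXECUTOR_QUEUE_ENABLED is carried as a string in the compose environment
# ('false' by default), so compare it as a string; the comparison already
# yields a boolean, the former `? true : false` was redundant.
545 executor_queue_enabled = config_srvs['api']['environment']['EXECUTOR_QUEUE_ENABLED'] == 'true'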
546 if executor_queue_enabled
547 version_2_config['services']['queue'] = {
548 'image' => 'redis:4',
550 # This variable will be set by the screwdriver::docker-compose recipe automatically.
554 # These variables will be set by the screwdriver::docker-compose recipe automatically.
560 # S3 compatible server
561 case node['screwdriver']['store']['backend']
563 version_2_config['services']['screwdriver.s3'] = {
564 'image' => 'minio/minio',
566 #'9010:9000', # default
568 'command' => 'server /export',
570 # This variable will be set by the screwdriver::docker-compose recipe automatically.
571 #"#{node['screwdriver']['docker-compose']['data_dir']}//minio:/export:rw",
574 # These variables will be set by the screwdriver::docker-compose recipe automatically.
575 #'MINIO_ACCESS_KEY' => '${S3_ACCESS_KEY_ID}',
576 #'MINIO_SECRET_KEY' => '${S3_ACCESS_KEY_SECRET}',
581 if node['screwdriver']['docker-compose']['network_mode_bridge']
582 version_2_config['services'].each_value {|srv_config|
583 srv_config['network_mode'] = 'bridge'
# Publish the assembled version 2 compose hash as the cookbook's default config;
# the recipe expands it into the docker-compose file.
587 default['screwdriver']['docker-compose']['config'] = version_2_config