cookbooks/screwdriver/recipes/docker-compose.rb

   1 #
   2 # Cookbook Name:: screwdriver
   3 # Recipe:: docker-compose
   4 #
   5 # Copyright 2017, whitestar
   6 #
   7 # Licensed under the Apache License, Version 2.0 (the "License");
   8 # you may not use this file except in compliance with the License.
   9 # You may obtain a copy of the License at
  10 #
  11 #     http://www.apache.org/licenses/LICENSE-2.0
  12 #
  13 # Unless required by applicable law or agreed to in writing, software
  14 # distributed under the License is distributed on an "AS IS" BASIS,
  15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16 # See the License for the specific language governing permissions and
  17 # limitations under the License.
  18 #
  19
  20 require 'securerandom'
  21
  22 doc_url = 'https://hub.docker.com/r/screwdrivercd/screwdriver/'
  23
  24 ::Chef::Recipe.send(:include, SSLCert::Helper)
  25
  26 #include_recipe 'platform_utils::kernel_user_namespace'
  27 include_recipe 'docker-grid::compose'
  28
  29 default_executor = {
  30   'plugin' => 'docker',
  31   'docker' => {
  32     'options' => {
  33       'docker' => {
  34         'socketPath' => '/var/run/docker.sock',
  35       },
  36       'launchVersion' => 'stable',
  37     },
  38   },
  39 }
  40
  41 app_dir = node['screwdriver']['docker-compose']['app_dir']
  42 bin_dir = node['screwdriver']['docker-compose']['bin_dir']
  43 config_dir = node['screwdriver']['docker-compose']['config_dir']
  44 data_dir = node['screwdriver']['docker-compose']['data_dir']
  45 etc_dir = node['screwdriver']['docker-compose']['etc_dir']
  46
  47 [
  48   app_dir,
  49   bin_dir,
  50   config_dir,
  51   data_dir,
  52   "#{etc_dir}/nginx",
  53 ].each {|dir|
  54   resources(directory: dir) rescue directory dir do
  55     owner 'root'
  56     group 'root'
  57     mode '0755'
  58     recursive true
  59   end
  60 }
  61
  62 api_config_file = "#{config_dir}/api-local.yaml"
  63 env_file = "#{app_dir}/.env"
  64 config_file = "#{app_dir}/docker-compose.yml"
  65
  66 api_config_local = nil
  67 if File.exist?(api_config_file)
  68   require 'yaml'
  69   api_config_local = YAML.load_file(api_config_file)
  70 end
  71
  72 env_local = nil
  73 if File.exist?(env_file)
  74   env_local = {}
  75   File.open(env_file) do |file|
  76     file.each_line do |line|
  77       env_local[$1] = $2 if line =~ /^([^=]*)=(.*)$/
  78     end
  79   end
  80 end
  81
  82 =begin
  83 config_srvs_local = nil
  84 if File.exist?(config_file)
  85   require 'yaml'
  86   config_srvs_local = YAML.load_file(config_file)['services']
  87 end
  88 =end
  89
  90 # We use plain Hash objects instead of Chef attribute objects for containg secrets (JWT key pair).
  91 override_api_config = node['screwdriver']['api']['config'].to_hash
  92 override_store_config = node['screwdriver']['store']['config'].to_hash
  93 #override_api_config = node.override['screwdriver']['api']['config']      # NG
  94 #override_store_config = node.override['screwdriver']['store']['config']  # NG
  95
  96 config_srvs = node['screwdriver']['docker-compose']['config']['services']
  97 override_config_srvs = node.override['screwdriver']['docker-compose']['config']['services']
  98 force_override_config_srvs = node.force_override['screwdriver']['docker-compose']['config']['services']
  99
 100 # api
 101 api_envs_org = config_srvs['api']['environment']
 102 api_envs = {}
 103 api_vols = config_srvs['api']['volumes'].to_a
 104
 105 api_port = '9001'  # default
 106 api_in_port = api_envs_org['PORT']
 107 ports = config_srvs['api']['ports']
 108 if ports.empty?
 109   override_config_srvs['api']['ports'] = ["#{api_port}:#{api_in_port}"]
 110 else
 111   ports.each {|port|
 112     elms = port.split(':')
 113     api_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == api_in_port
 114   }
 115 end
 116
 117 override_api_config['executor'] = default_executor if override_api_config['executor'].empty?
 118
 119 [
 120   'jwt_private_key_vault_item',
 121   'jwt_public_key_vault_item',
 122   'cookie_password_vault_item',
 123   'password_vault_item',
 124 ].each {|vault_item|
 125   # for backward compatibility.
 126   if node['screwdriver'][vault_item].empty? && !node['screwdriver']['docker-compose'][vault_item].empty?
 127     node.force_override['screwdriver'][vault_item] = node['screwdriver']['docker-compose'][vault_item].to_hash
 128   end
 129 }
 130
 131 jwt_private_key_reset = node['screwdriver']['docker-compose']['jwt_private_key_reset']
 132 jwt_private_key = nil
 133 jwt_public_key  = nil
 134 jwt_private_key_vault_item = node['screwdriver']['jwt_private_key_vault_item']
 135 jwt_public_key_vault_item  = node['screwdriver']['jwt_public_key_vault_item']
 136
 137 if !jwt_private_key_vault_item.empty?
 138   # 1. from Chef Vault (recommended).
 139   jwt_private_key = get_vault_item_value(jwt_private_key_vault_item)
 140   jwt_public_key  = get_vault_item_value(jwt_public_key_vault_item)
 141   log 'JWT key pair has been loaded from Chef Vault.'
 142 else
 143   # 2. from Chef attribute (NOT recommended).
 144   jwt_private_key = api_envs_org['SECRET_JWT_PRIVATE_KEY']
 145   jwt_public_key  = api_envs_org['SECRET_JWT_PUBLIC_KEY']
 146   if jwt_private_key.nil? || jwt_private_key.empty?
 147     if !api_config_local.nil? && !api_config_local['auth']['jwtPrivateKey'].nil? && !jwt_private_key_reset
 148       # 3. preserve it from the local config/api-local.yaml file.
 149       jwt_private_key = api_config_local['auth']['jwtPrivateKey']
 150       jwt_public_key  = api_config_local['auth']['jwtPublicKey']
 151       log 'JWT key pair is preserved from the local config/api-local.yaml file.'
 152     # if !env_local.nil? && !env_local['SECRET_JWT_PRIVATE_KEY'].nil? && !jwt_private_key_reset
 153     #   # 3. preserve it from the local .env file.
 154     #   # Note: Docker env file format does not support backslash escaped string yet.
 155     #   eval "jwt_private_key = %Q(#{env_local['SECRET_JWT_PRIVATE_KEY']})"
 156     #   eval "jwt_public_key  = %Q(#{env_local['SECRET_JWT_PUBLIC_KEY']})"
 157     #   log 'JWT key pair is preserved from the local .env file.'
 158     else
 159       # 4. auto generate.
 160       require 'openssl'
 161       rsa = OpenSSL::PKey::RSA.generate(2048)
 162       jwt_private_key = rsa.export
 163       jwt_public_key  = rsa.public_key.export
 164       log 'JWT key pair has been generated.'
 165     end
 166   end
 167 end
 168
 169 override_api_config['auth']['jwtPrivateKey'] = jwt_private_key
 170 override_api_config['auth']['jwtPublicKey'] = jwt_public_key
 171 # Note: prevent Chef from logging JWT key attribute values. (=> template variables)
 172 # However Docker env file format does not support multi-line value and backslash escaped string yet.
 173 #api_envs['SECRET_JWT_PRIVATE_KEY'] = '${SECRET_JWT_PRIVATE_KEY}'  # Useless
 174 #api_envs['SECRET_JWT_PUBLIC_KEY']  = '${SECRET_JWT_PUBLIC_KEY}'   # Useless
 175 #api_envs['SECRET_JWT_PRIVATE_KEY'] = jwt_private_key  # NG
 176 #api_envs['SECRET_JWT_PUBLIC_KEY']  = jwt_public_key   # NG
 177
 178 cookie_password = nil
 179 cookie_password_vault_item = node['screwdriver']['cookie_password_vault_item']
 180 unless cookie_password_vault_item.empty?
 181   cookie_password = get_vault_item_value(cookie_password_vault_item)
 182   api_envs['SECRET_COOKIE_PASSWORD'] = '${SECRET_COOKIE_PASSWORD}'
 183 end
 184
 185 password = nil
 186 password_vault_item = node['screwdriver']['password_vault_item']
 187 unless password_vault_item.empty?
 188   password = get_vault_item_value(password_vault_item)
 189   api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
 190 end
 191
 192 node['screwdriver']['api']['scms_vault_items'].each {|scm, props|
 193   props.each {|prop, vault_item|
 194     unless vault_item.empty?
 195       secret = get_vault_item_value(vault_item)
 196       override_api_config['scms'][scm]['config'][prop] = secret
 197     end
 198   }
 199 }
 200 =begin
 201 # **DEPRECATED!!**
 202 oauth_client_id = nil
 203 oauth_client_id_vault_item = node['screwdriver']['docker-compose']['oauth_client_id_vault_item']
 204 unless oauth_client_id_vault_item.empty?
 205   oauth_client_id = get_vault_item_value(oauth_client_id_vault_item)
 206   api_envs['SECRET_OAUTH_CLIENT_ID'] = '${SECRET_OAUTH_CLIENT_ID}'
 207 end
 208
 209 oauth_client_secret = nil
 210 oauth_client_secret_vault_item = node['screwdriver']['docker-compose']['oauth_client_secret_vault_item']
 211 unless oauth_client_secret_vault_item.empty?
 212   oauth_client_secret = get_vault_item_value(oauth_client_secret_vault_item)
 213   api_envs['SECRET_OAUTH_CLIENT_SECRET'] = '${SECRET_OAUTH_CLIENT_SECRET}'
 214 end
 215
 216 webhook_github_secret = nil
 217 webhook_github_secret_vault_item = node['screwdriver']['docker-compose']['webhook_github_secret_vault_item']
 218 unless webhook_github_secret_vault_item.empty?
 219   webhook_github_secret = get_vault_item_value(webhook_github_secret_vault_item)
 220   api_envs['WEBHOOK_GITHUB_SECRET'] = '${WEBHOOK_GITHUB_SECRET}'
 221 end
 222 =end
 223
 224 db_username = nil
 225 db_username = env_local['DATASTORE_SEQUELIZE_USERNAME'] if !env_local.nil? && !env_local['DATASTORE_SEQUELIZE_USERNAME'].nil?
 226 db_username_vault_item = node['screwdriver']['db_username_vault_item']
 227 db_username = get_vault_item_value(db_username_vault_item) unless db_username_vault_item.empty?
 228 db_username = 'sd-admin' if db_username.nil?
 229 api_envs['DATASTORE_SEQUELIZE_USERNAME'] = '${DB_USERNAME}'
 230
 231 db_password = nil
 232 db_password = env_local['DATASTORE_SEQUELIZE_PASSWORD'] if !env_local.nil? && !env_local['DATASTORE_SEQUELIZE_PASSWORD'].nil?
 233 db_password_vault_item = node['screwdriver']['db_password_vault_item']
 234 db_password = get_vault_item_value(db_password_vault_item) unless db_password_vault_item.empty?
 235 db_password = SecureRandom.urlsafe_base64(32) if db_password.nil?
 236 api_envs['DATASTORE_SEQUELIZE_PASSWORD'] = '${DB_PASSWORD}'
 237
 238 db_root_password = nil
 239 db_root_password = env_local['DB_ROOT_PASSWORD'] if !env_local.nil? && !env_local['DB_ROOT_PASSWORD'].nil?
 240 db_root_password_vault_item = node['screwdriver']['db_root_password_vault_item']
 241 db_root_password = get_vault_item_value(db_root_password_vault_item) unless db_root_password_vault_item.empty?
 242 db_root_password = SecureRandom.urlsafe_base64(32) if db_root_password.nil?
 243
 244 db_dialect = api_envs_org['DATASTORE_SEQUELIZE_DIALECT']
 245 case db_dialect
 246 when 'sqlite'
 247   api_vols.push("#{data_dir}:/sd-data:rw")
 248   api_envs['DATASTORE_SEQUELIZE_STORAGE'] = '/sd-data/storage.db'
 249 when 'mysql', 'postgres'
 250   override_config_srvs['api']['links'] = ['db']
 251   api_envs['DATASTORE_SEQUELIZE_HOST'] = 'db'
 252 end
 253
 254 # db
 255 if db_dialect != 'sqlite'
 256   #db_envs_org = config_srvs['db']['environment']
 257   db_envs = {}
 258   db_vols = config_srvs['db']['volumes'].to_a
 259
 260   case db_dialect
 261   when 'mysql'
 262     mysql_data_dir = "#{data_dir}/mysql"
 263     resources(directory: mysql_data_dir) rescue directory mysql_data_dir do
 264       owner 999
 265       group 'root'
 266       mode '0755'
 267       recursive true
 268     end
 269
 270     db_vols.push("#{mysql_data_dir}:/var/lib/mysql:rw")
 271     db_envs['MYSQL_DATABASE'] = api_envs_org['DATASTORE_SEQUELIZE_DATABASE']
 272     db_envs['MYSQL_USER'] = '${DB_USERNAME}' unless db_username.nil?
 273     db_envs['MYSQL_PASSWORD'] = '${DB_PASSWORD}' unless db_password.nil?
 274     db_envs['MYSQL_ROOT_PASSWORD'] = '${DB_ROOT_PASSWORD}' unless db_root_password.nil?
 275   when 'postgres'
 276     pg_data_dir = "#{data_dir}/postgres"
 277     resources(directory: pg_data_dir) rescue directory pg_data_dir do
 278       owner 'root'
 279       group 'root'
 280       mode '0755'
 281       recursive true
 282     end
 283
 284     db_vols.push("#{pg_data_dir}:/database:rw")
 285     db_envs['POSTGRES_DB'] = api_envs_org['DATASTORE_SEQUELIZE_DATABASE']
 286     db_envs['POSTGRES_USER'] = '${DB_USERNAME}' unless db_username.nil?
 287     db_envs['POSTGRES_PASSWORD'] = '${DB_PASSWORD}' unless db_password.nil?
 288     db_envs['PGDATA'] = '/database'
 289   end
 290 end
 291
 292 # ui
 293 #ui_envs_org = config_srvs['ui']['environment']
 294 ui_envs = {}
 295 ui_vols = config_srvs['ui']['volumes'].to_a
 296
 297 ui_port = '9000'  # default
 298 ui_in_port = '80'
 299 ports = config_srvs['ui']['ports']
 300 if ports.empty?
 301   override_config_srvs['ui']['ports'] = ["#{ui_port}:#{ui_in_port}"]
 302 else
 303   ports.each {|port|
 304     elms = port.split(':')
 305     ui_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == ui_in_port
 306   }
 307 end
 308
 309 # store
 310 store_backend = node['screwdriver']['store']['backend']
 311 store_envs_org = config_srvs['store']['environment']
 312 store_envs = {}
 313 store_vols = config_srvs['store']['volumes'].to_a
 314
 315 store_port = '9002'  # default
 316 store_in_port = store_envs_org['PORT']
 317 ports = config_srvs['store']['ports']
 318 if ports.empty?
 319   override_config_srvs['store']['ports'] = ["#{store_port}:#{store_in_port}"]
 320 else
 321   ports.each {|port|
 322     elms = port.split(':')
 323     store_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == store_in_port
 324   }
 325 end
 326
 327 s3_access_key_id = nil
 328 s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_ID'].nil?
 329 s3_access_key_id_vault_item = node['screwdriver']['s3_access_key_id_vault_item']
 330 s3_access_key_id = get_vault_item_value(s3_access_key_id_vault_item) unless s3_access_key_id_vault_item.empty?
 331 s3_access_key_id = SecureRandom.urlsafe_base64(16) if s3_access_key_id.nil?
 332 store_envs['S3_ACCESS_KEY_ID'] = '${S3_ACCESS_KEY_ID}'
 333
 334 s3_access_key_secret = nil
 335 s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_SECRET'].nil?
 336 s3_access_key_secret_vault_item = node['screwdriver']['s3_access_key_secret_vault_item']
 337 s3_access_key_secret = get_vault_item_value(s3_access_key_secret_vault_item) unless s3_access_key_secret_vault_item.empty?
 338 s3_access_key_secret = SecureRandom.urlsafe_base64(32) if s3_access_key_secret.nil?
 339 store_envs['S3_ACCESS_KEY_SECRET'] = '${S3_ACCESS_KEY_SECRET}'
 340
 341 # S3 compatible server
 342 if !store_backend.nil? && !store_backend.empty?
 343   override_config_srvs['store']['links'] = ['screwdriver.s3']
 344   store_envs['STRATEGY'] = 's3'
 345   store_envs['S3_BUCKET'] = 'screwdriver'
 346
 347   #s3_envs_org = config_srvs['screwdriver.s3']['environment']
 348   s3_envs = {}
 349   s3_vols = config_srvs['screwdriver.s3']['volumes'].to_a
 350
 351   s3_port = '9010'  # default
 352   s3_in_port = '9000'
 353   ports = config_srvs['screwdriver.s3']['ports']
 354
 355   case store_backend
 356   when 'minio'
 357     store_envs['S3_REGION'] = 'us-east-1'
 358     store_envs['S3_ENDPOINT'] = "http://s3:#{s3_in_port}/screwdriver"  # for path style
 359     store_envs['S3_SIG_VER'] = 'v4'
 360
 361     if ports.empty?
 362       override_config_srvs['screwdriver.s3']['ports'] = ["#{s3_port}:#{s3_in_port}"]
 363     else
 364       ports.each {|port|
 365         elms = port.split(':')
 366         s3_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == s3_in_port
 367       }
 368     end
 369
 370     minio_data_dir = "#{data_dir}/minio"
 371     resources(directory: minio_data_dir) rescue directory minio_data_dir do
 372       owner 'root'
 373       group 'root'
 374       mode '0755'
 375       recursive true
 376     end
 377
 378     s3_vols.push("#{minio_data_dir}:/export:rw")
 379     s3_envs['MINIO_ACCESS_KEY'] = '${S3_ACCESS_KEY_ID}' unless s3_access_key_id.nil?
 380     s3_envs['MINIO_SECRET_KEY'] = '${S3_ACCESS_KEY_SECRET}' unless s3_access_key_secret.nil?
 381   end
 382 end
 383
 384 override_store_config['auth']['jwtPublicKey'] = jwt_public_key
 385 # Note: prevent Chef from logging JWT key attribute value. (=> template variables)
 386 # However Docker env file format does not support multi-line value and backslash escaped string yet.
 387 #store_envs['SECRET_JWT_PUBLIC_KEY'] = '${SECRET_JWT_PUBLIC_KEY}'  # Useless
 388 #store_envs['SECRET_JWT_PUBLIC_KEY']  = jwt_public_key  # NG
 389
 390 api_uri = api_envs_org['URI']
 391 store_uri = store_envs_org['URI']
 392 ui_uri = api_uri.gsub(/:\d+/, ":#{ui_port}")  # based on the API URI.
 393
 394 if node['screwdriver']['with_ssl_cert_cookbook']
 395   cn = node['screwdriver']['ssl_cert']['common_name']
 396   append_server_ssl_cn(cn)
 397   include_recipe 'ssl_cert::server_key_pairs'
 398
 399   server_cert = server_cert_content(cn)
 400   server_key = server_key_content(cn)
 401
 402   api_uri = api_uri.gsub('http://', 'https://')
 403   store_uri = store_uri.gsub('http://', 'https://')
 404
 405   override_api_config['httpd']['tls'] = {}  # for FalseClass by default.
 406   override_api_config['httpd']['tls']['cert'] = server_cert
 407   override_api_config['httpd']['tls']['key'] = server_key
 408   api_envs['IS_HTTPS'] = 'true'
 409
 410   override_store_config['httpd']['tls'] = {}  # for FalseClass by default.
 411   override_store_config['httpd']['tls']['cert'] = server_cert
 412   override_store_config['httpd']['tls']['key'] = server_key
 413
 414   # Note: Screwdriver UI image does not support TLS settings yet.
 415   # https://github.com/screwdriver-cd/screwdriver/issues/377
 416
 417   if node['screwdriver']['ui']['tls_setup_mode'] == 'reverseproxy'
 418     rproxy_in_port = '9000'
 419     ports = config_srvs['reverseproxy']['ports']
 420     if ports.empty?
 421       override_config_srvs['reverseproxy']['ports'] = ["#{ui_port}:#{rproxy_in_port}"]
 422     else
 423       ports.each {|port|
 424         elms = port.split(':')
 425         ui_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == rproxy_in_port
 426       }
 427     end
 428     ui_uri = api_uri.gsub(/:\d+/, ":#{ui_port}")  # based on the API URI.
 429     # do not expose UI service directly.
 430     node.rm('screwdriver', 'docker-compose', 'config', 'services', 'ui', 'ports')
 431
 432     rproxy_vols = config_srvs['reverseproxy']['volumes'].to_a
 433     rproxy_vols.push("#{etc_dir}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro")
 434     # Nginx parent process owner is root.
 435     rproxy_vols.push("#{server_cert_path(cn)}:/root/server.crt:ro")
 436     rproxy_vols.push("#{server_key_path(cn)}:/root/server.key:ro")
 437     # reset vlumes array.
 438     override_config_srvs['reverseproxy']['volumes'] = rproxy_vols
 439
 440     template "#{etc_dir}/nginx/nginx.conf" do
 441       source 'opt/docker-compose/app/screwdriver/etc/nginx/nginx.conf'
 442       owner 'root'
 443       group 'root'
 444       mode '0644'
 445       action :create
 446     end
 447   else
 448     node.rm('screwdriver', 'docker-compose', 'config', 'services', 'reverseproxy')
 449     # TODO: in the future.
 450   end
 451 else
 452   node.rm('screwdriver', 'docker-compose', 'config', 'services', 'reverseproxy')
 453 end
 454
 455 # normalize URIs
 456 api_envs['URI'] = api_uri
 457 api_envs['ECOSYSTEM_STORE'] = store_uri
 458 api_envs['ECOSYSTEM_UI'] = ui_uri
 459
 460 ui_envs['ECOSYSTEM_API'] = api_uri
 461 ui_envs['ECOSYSTEM_STORE'] = store_uri
 462
 463 store_envs['URI'] = store_uri
 464 store_envs['ECOSYSTEM_UI'] = ui_uri
 465
 466 # Common
 467 if node['screwdriver']['docker-compose']['import_ca']
 468   node['screwdriver']['ssl_cert']['ca_names'].each {|ca_name|
 469     append_ca_name(ca_name)
 470     ca_cert_vol = "#{ca_cert_path(ca_name)}:/usr/share/ca-certificates/#{ca_name}.crt:ro"
 471     api_vols.push(ca_cert_vol)
 472     #ui_vols.push(ca_cert_vol)
 473   }
 474   include_recipe 'ssl_cert::ca_certs'
 475
 476   import_ca_script = '/usr/local/bin/screwdriver_import_ca'
 477   template "#{bin_dir}/screwdriver_import_ca" do
 478     source 'opt/docker-compose/app/screwdriver/bin/screwdriver_import_ca'
 479     owner 'root'
 480     group 'root'
 481     mode '0755'
 482     action :create
 483   end
 484   import_ca_script_vol = "#{bin_dir}/screwdriver_import_ca:#{import_ca_script}:ro"
 485   api_vols.push(import_ca_script_vol)
 486   #ui_vols.push(import_ca_script_vol)
 487
 488   api_command = config_srvs['api']['command']
 489   override_config_srvs['api']['command'] \
 490     = "/bin/sh -c \"#{import_ca_script} && #{api_command}\""
 491 end
 492
 493 [
 494   'api',
 495   'store',
 496 ].each {|srv|
 497   local_yaml_file = "#{config_dir}/#{srv}-local.yaml"
 498   srv_vols = nil
 499   srv_config = nil
 500   if srv == 'api'
 501     srv_vols = api_vols
 502     srv_config = override_api_config
 503   elsif srv == 'store'
 504     srv_vols = store_vols
 505     srv_config = override_store_config
 506   end
 507
 508   template local_yaml_file do
 509     source "opt/docker-compose/app/screwdriver/config/#{srv}-local.yaml"
 510     owner 'root'
 511     group 'root'
 512     mode '0600'
 513     sensitive true
 514     # prevent Chef from logging password attribute value.
 515     variables(
 516       config: srv_config
 517     )
 518   end
 519
 520   srv_vols.push("#{local_yaml_file}:/config/local.yaml:ro")
 521 }
 522
 523 # merge environment hash
 524 force_override_config_srvs['api']['environment'] = api_envs unless api_envs.empty?
 525 force_override_config_srvs['ui']['environment'] = ui_envs unless ui_envs.empty?
 526 force_override_config_srvs['store']['environment'] = store_envs unless store_envs.empty?
 527 if db_dialect != 'sqlite'
 528   force_override_config_srvs['db']['environment'] = db_envs unless db_envs.empty?
 529 end
 530 if !store_backend.nil? && !store_backend.empty?
 531   force_override_config_srvs['screwdriver.s3']['environment'] = s3_envs unless s3_envs.empty?
 532 end
 533 # reset vlumes array.
 534 override_config_srvs['api']['volumes'] = api_vols unless api_vols.empty?
 535 override_config_srvs['ui']['volumes'] = ui_vols unless ui_vols.empty?
 536 override_config_srvs['store']['volumes'] = store_vols unless store_vols.empty?
 537 if db_dialect != 'sqlite'
 538   override_config_srvs['db']['volumes'] = db_vols unless db_vols.empty?
 539 end
 540 if !store_backend.nil? && !store_backend.empty?
 541   override_config_srvs['screwdriver.s3']['volumes'] = s3_vols unless s3_vols.empty?
 542 end
 543
 544 template env_file do
 545   source 'opt/docker-compose/app/screwdriver/.env'
 546   owner 'root'
 547   group 'root'
 548   mode '0600'
 549   sensitive true
 550   # prevent Chef from logging password attribute value.
 551   variables(
 552     # secrets
 553     cookie_password: cookie_password,
 554     password: password,
 555     db_username: db_username,
 556     db_password: db_password,
 557     db_root_password: db_root_password,
 558     s3_access_key_id: s3_access_key_id,
 559     s3_access_key_secret: s3_access_key_secret,
 560     # **DEPRECATED!!**
 561     # JWT keys setting -> /config/local.yaml
 562     #jwt_private_key: jwt_private_key,
 563     #jwt_public_key: jwt_public_key,
 564     # SCM secrets setting -> /config/local.yaml
 565     #oauth_client_id: oauth_client_id,
 566     #oauth_client_secret: oauth_client_secret,
 567     #webhook_github_secret: webhook_github_secret
 568   )
 569 end
 570
 571 template config_file do
 572   source 'opt/docker-compose/app/screwdriver/docker-compose.yml'
 573   owner 'root'
 574   group 'root'
 575   mode '0644'
 576 end
 577
 578 log 'screwdriver docker-compose post install message' do
 579   message <<-"EOM"
 580 Note: You must execute the following command manually.
 581     See #{doc_url}
 582     * Start:
 583       $ cd #{app_dir}
 584       $ sudo docker-compose up -d
 585     * Stop
 586       $ sudo docker-compose down
 587 EOM
 588 end