2 # Copyright 2017, whitestar
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# Chef role definition: the role name (the identifier other run lists refer to
# as 'role[...]') and its human-readable description.
name 'devops-suite-with-ssl-on-docker'
description 'DevOps Suite with SSL on Docker'
24 # chef-solo or chef-client local mode
25 if $0.split.include?('chef-solo') || ($0.split.include?('chef-client') && ARGV.include?('-z'))
27 node = Ohai::System.new
30 host_cn = node['fqdn'] if host_cn.nil?
# Last-resort certificate CN, used only when the preceding lookups (e.g. the
# Ohai fqdn above) left host_cn unset.
# NOTE(review): this is an example domain — TLS clients check the server
# certificate against the name they connect to, so it must match the real
# hostname of the machine or every service below fails name verification.
host_cn = host_cn.nil? ? 'devops.io.example.com' : host_cn

# Certificate common names: every service shares the host CN unless it is
# split out onto its own name (e.g. 'aptly.io.example.com',
# 'registry.docker.example.com', 'gitlab.io.example.com', ...).
aptly_cn = host_cn
athenz_cn = host_cn
concourse_cn = host_cn
docker_reg_cn = host_cn
gitlab_cn = host_cn
jenkins_cn = host_cn
nexus_cn = host_cn
screwdriver_cn = host_cn
vault_cn = host_cn

# Host-side published ports (kept as strings because they are interpolated
# into docker-compose port mappings and URLs) and host data paths.
concourse_port = '8443'
docker_reg_port = '5000'
docker_reg_data_vol = '/opt/docker-compose/app/registry/data'
gitlab_https_port = '443'
gitlab_reg_port = '5050'
screwdriver_ui_port = '9000' # upstream default: 9000
49 dockerd_extra_opts = [
51 '--bip=192.168.100.1/24 --fixed-cidr=192.168.100.0/24',
52 #"--registry-mirror=https://#{docker_reg_cn}:#{docker_reg_port}",
# Collapse an empty list to nil so the consumer sees "not set" rather than
# an empty array. NOTE(review): presumably the extra subject alt names handed
# to the SSL cert cookbook via 'common_names' below — confirm against that cookbook.
common_names = common_names.empty? ? nil : common_names
64 ldap_servers = <<-'EOS'
65 main: # 'main' is the GitLab 'provider ID' of this LDAP server
67 host: 'ldap.grid.example.com'
69 uid: 'uid' # 'sAMAccountName'
70 method: 'tls' # "tls" or "ssl" or "plain"
71 #bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
72 #password: '_the_password_of_the_bind_user'
73 active_directory: false
74 allow_username_or_email_login: false
75 block_auto_created_users: false
76 base: 'ou=Users,dc=grid,dc=example,dc=com'
79 username: ['uid', 'userid', 'sAMAccountName']
80 email: ['mail', 'email', 'userPrincipalName']
82 first_name: 'givenName'
89 #secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
91 # host: '_your_ldap_server'
93 # uid: 'sAMAccountName'
94 # method: 'plain' # "tls" or "ssl" or "plain"
95 # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
96 # password: '_the_password_of_the_bind_user'
97 # active_directory: true
98 # allow_username_or_email_login: false
99 # block_auto_created_users: false
103 # username: ['uid', 'userid', 'sAMAccountName']
104 # email: ['mail', 'email', 'userPrincipalName']
106 # first_name: 'givenName'
111 # sync_ssh_keys: false
115 'role[devops-suite-on-docker]',
116 'recipe[docker-grid::registry]',
121 #default_attributes()
128 'common_names' => common_names,
132 'skip_setup' => false,
133 'daemon_extra_options' => dockerd_extra_opts,
136 'skip_setup' => false,
139 'with_ssl_cert_cookbook' => with_ssl,
141 'common_name' => docker_reg_cn,
143 'docker-compose' => {
144 'host_data_volume' => docker_reg_data_vol,
148 "#{docker_reg_port}:5000",
151 #'REGISTRY_AUTH' => 'htpasswd',
152 #'REGISTRY_AUTH_HTPASSWD_PATH' => '/auth/.htpasswd',
153 #'REGISTRY_AUTH_HTPASSWD_REALM' => 'Registry Realm',
155 'REGISTRY_PROXY_REMOTEURL' => 'https://registry-1.docker.io',
166 'with_ssl_cert_cookbook' => with_ssl,
168 'common_name' => aptly_cn,
170 'docker-compose' => {
185 'with_ssl_cert_cookbook' => with_ssl,
190 'common_name' => concourse_cn,
192 'docker-compose' => {
193 'import_ca' => import_ca,
194 # 'web_encryption_key_vault_item' => {
195 # 'vault' => 'concourse',
196 # 'name' => 'web_encryption_key',
197 # 'env_context' => false,
198 # 'key' => 'ekey', # real hash path: "/ekey"
200 # 'web_oauth_client_id_vault_item' => {
201 # 'vault' => 'concourse',
202 # 'name' => 'web_oauth_client_id',
203 # 'env_context' => false,
204 # 'key' => 'cid', # real hash path: "/cid"
206 # 'web_oauth_client_secret_vault_item' => {
207 # 'vault' => 'concourse',
208 # 'name' => 'web_oauth_client_secret',
209 # 'env_context' => false,
210 # 'key' => 'secret', # real hash path: "/secret"
213 # Version 1 docker-compose format
218 "#{concourse_port}:8443",
221 'CONCOURSE_TLS_BIND_PORT' => '8443',
222 'CONCOURSE_EXTERNAL_URL' => "https://#{concourse_cn}:#{concourse_port}",
# OAuth for the default `main` team
224 #'CONCOURSE_GENERIC_OAUTH_DISPLAY_NAME' => 'GitLab',
225 #'CONCOURSE_GENERIC_OAUTH_AUTH_URL' => "https://#{gitlab_cn}/oauth/authorize",
226 #'CONCOURSE_GENERIC_OAUTH_TOKEN_URL' => "https://#{gitlab_cn}/oauth/token",
229 'concourse-worker' => {
237 'with_ssl_cert_cookbook' => with_ssl,
239 'ca_name' => ca_name,
240 'common_name' => gitlab_cn,
242 'reuse_gitlab_common_name' => true,
244 #'reuse_gitlab_common_name' => false,
245 #'common_name' => registry_gitlab_cn,
249 'external_url' => "https://#{gitlab_cn}:#{gitlab_https_port}",
250 'registry_external_url' => "https://#{gitlab_cn}:#{gitlab_reg_port}", # not 5000 if same domain (common name)
252 #'ldap_enabled' => true,
253 #'ldap_servers' => YAML.load(ldap_servers),
256 'redirect_http_to_https' => true,
258 'registry_nginx' => {
259 'redirect_http_to_https' => true,
262 'docker-compose' => {
266 'hostname' => gitlab_cn,
268 "#{gitlab_https_port}:#{gitlab_https_port}",
269 "#{gitlab_reg_port}:#{gitlab_reg_port}",
275 'runner-docker-compose' => {
276 'import_ca' => import_ca,
280 'with_ssl_cert_cookbook' => with_ssl,
282 'common_name' => jenkins_cn,
284 'docker-compose' => {
289 "#{jenkins_port}:8083",
293 '--httpPort=-1 --httpsPort=8083',
294 # These options will be set by the jenkins-grid::docker-compose recipe automatically.
295 #'--httpsCertificate=/var/lib/jenkins/server.crt',
296 #'--httpsPrivateKey=/var/lib/jenkins/server.key',
305 'with_ssl_cert_cookbook' => with_ssl,
307 'common_name' => nexus_cn,
309 'docker-compose' => {
323 'with_ssl_cert_cookbook' => with_ssl,
325 'common_name' => screwdriver_cn,
327 'docker-compose' => {
332 "#{screwdriver_ui_port}:9000"
360 'with_ssl_cert_cookbook' => with_ssl,
362 'common_name' => vault_cn,
366 'docker-compose' => {
373 #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json