# limitations under the License.
#
+require 'securerandom'
+
doc_url = 'https://hub.docker.com/r/screwdrivercd/screwdriver/'
::Chef::Recipe.send(:include, SSLCert::Helper)
#include_recipe 'platform_utils::kernel_user_namespace'
include_recipe 'docker-grid::compose'
+default_executor = {
+ 'plugin' => 'docker',
+ 'docker' => {
+ 'options' => {
+ 'docker' => {
+ 'socketPath' => '/var/run/docker.sock',
+ },
+ 'launchVersion' => 'stable',
+ },
+ },
+}
+
app_dir = node['screwdriver']['docker-compose']['app_dir']
bin_dir = node['screwdriver']['docker-compose']['bin_dir']
config_dir = node['screwdriver']['docker-compose']['config_dir']
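Review bot: The `default_executor` hash at lines 9-19 has no comment saying that it is a fallback (applied at line 29 only when the api config defines no executor) and that `socketPath` points the docker executor at the host daemon's UNIX socket. A two-line header would do: `# Fallback executor used when the api config defines none: launches build` / `# containers through the host Docker daemon via its UNIX socket (root-equivalent on the host).` Whichever container receives this config presumably needs `/var/run/docker.sock` mounted, which this hunk does not show, so the comment is also the place to record that the mount is deliberate. `'launchVersion' => 'stable'` likewise deserves a short note on what it selects, since nothing visible explains it.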
api_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == api_in_port
}
end
-api_vols.push("#{data_dir}:/sd-data:rw")
+
+override_api_config['executor'] = default_executor if override_api_config['executor'].empty?
+
+[
+ 'jwt_private_key_vault_item',
+ 'jwt_public_key_vault_item',
+ 'cookie_password_vault_item',
+ 'password_vault_item',
+].each {|vault_item|
+ # for backward compatibility.
+ if node['screwdriver'][vault_item].empty? && !node['screwdriver']['docker-compose'][vault_item].empty?
+ node.force_override['screwdriver'][vault_item] = node['screwdriver']['docker-compose'][vault_item].to_hash
+ end
+}
jwt_private_key_reset = node['screwdriver']['docker-compose']['jwt_private_key_reset']
jwt_private_key = nil
jwt_public_key = nil
-jwt_private_key_vault_item = node['screwdriver']['docker-compose']['jwt_private_key_vault_item']
-jwt_public_key_vault_item = node['screwdriver']['docker-compose']['jwt_public_key_vault_item']
+jwt_private_key_vault_item = node['screwdriver']['jwt_private_key_vault_item']
+jwt_public_key_vault_item = node['screwdriver']['jwt_public_key_vault_item']
if !jwt_private_key_vault_item.empty?
# 1. from Chef Vault (recommended).
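Review bot: The backward-compatibility loop at lines 31-41 calls `.empty?` directly on `node['screwdriver'][vault_item]`, so if any of the four keys has no default in the attributes file the recipe fails with NoMethodError instead of falling back to the legacy location; presumably the attributes file defaults them to `{}` (the `.to_hash` on line 39 suggests they are hashes), but `node['screwdriver'][vault_item].to_h.empty?` is a cheap guard either way. The comment `# for backward compatibility.` on line 37 would read better if it said what is being kept compatible, e.g. `# Legacy location: copy docker-compose.<item> into screwdriver.<item> when only the old attribute is set; lines 47-61 read the new location.` Note also that this loop must stay ahead of the reads at lines 47-48, 54 and 61, which it does here; a comment to that effect protects the ordering against later edits.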
#api_envs['SECRET_JWT_PUBLIC_KEY'] = jwt_public_key # NG
cookie_password = nil
-cookie_password_vault_item = node['screwdriver']['docker-compose']['cookie_password_vault_item']
+cookie_password_vault_item = node['screwdriver']['cookie_password_vault_item']
unless cookie_password_vault_item.empty?
cookie_password = get_vault_item_value(cookie_password_vault_item)
api_envs['SECRET_COOKIE_PASSWORD'] = '${SECRET_COOKIE_PASSWORD}'
end
password = nil
-password_vault_item = node['screwdriver']['docker-compose']['password_vault_item']
+password_vault_item = node['screwdriver']['password_vault_item']
unless password_vault_item.empty?
password = get_vault_item_value(password_vault_item)
api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
end
+node['screwdriver']['api']['scms_vault_items'].each {|scm, props|
+ props.each {|prop, vault_item|
+ unless vault_item.empty?
+ secret = get_vault_item_value(vault_item)
+ override_api_config['scms'][scm]['config'][prop] = secret
+ end
+ }
+}
+=begin
+# **DEPRECATED!!**
oauth_client_id = nil
oauth_client_id_vault_item = node['screwdriver']['docker-compose']['oauth_client_id_vault_item']
unless oauth_client_id_vault_item.empty?
webhook_github_secret = get_vault_item_value(webhook_github_secret_vault_item)
api_envs['WEBHOOK_GITHUB_SECRET'] = '${WEBHOOK_GITHUB_SECRET}'
end
+=end
+
+db_username = nil
+db_username = env_local['DATASTORE_SEQUELIZE_USERNAME'] if !env_local.nil? && !env_local['DATASTORE_SEQUELIZE_USERNAME'].nil?
+db_username_vault_item = node['screwdriver']['db_username_vault_item']
+db_username = get_vault_item_value(db_username_vault_item) unless db_username_vault_item.empty?
+db_username = 'sd-admin' if db_username.nil?
+api_envs['DATASTORE_SEQUELIZE_USERNAME'] = '${DB_USERNAME}'
+
+db_password = nil
+db_password = env_local['DATASTORE_SEQUELIZE_PASSWORD'] if !env_local.nil? && !env_local['DATASTORE_SEQUELIZE_PASSWORD'].nil?
+db_password_vault_item = node['screwdriver']['db_password_vault_item']
+db_password = get_vault_item_value(db_password_vault_item) unless db_password_vault_item.empty?
+db_password = SecureRandom.urlsafe_base64(32) if db_password.nil?
+api_envs['DATASTORE_SEQUELIZE_PASSWORD'] = '${DB_PASSWORD}'
+
+db_root_password = nil
+db_root_password = env_local['DB_ROOT_PASSWORD'] if !env_local.nil? && !env_local['DB_ROOT_PASSWORD'].nil?
+db_root_password_vault_item = node['screwdriver']['db_root_password_vault_item']
+db_root_password = get_vault_item_value(db_root_password_vault_item) unless db_root_password_vault_item.empty?
+db_root_password = SecureRandom.urlsafe_base64(32) if db_root_password.nil?
+
+db_dialect = api_envs_org['DATASTORE_SEQUELIZE_DIALECT']
+case db_dialect
+when 'sqlite'
+ api_vols.push("#{data_dir}:/sd-data:rw")
+ api_envs['DATASTORE_SEQUELIZE_STORAGE'] = '/sd-data/storage.db'
+when 'mysql', 'postgres'
+ override_config_srvs['api']['links'] = ['db']
+ api_envs['DATASTORE_SEQUELIZE_HOST'] = 'db'
+end
+
+# db
+if db_dialect != 'sqlite'
+ #db_envs_org = config_srvs['db']['environment']
+ db_envs = {}
+ db_vols = config_srvs['db']['volumes'].to_a
+
+ case db_dialect
+ when 'mysql'
+ mysql_data_dir = "#{data_dir}/mysql"
+ resources(directory: mysql_data_dir) rescue directory mysql_data_dir do
+ owner 999
+ group 'root'
+ mode '0755'
+ recursive true
+ end
+
+ db_vols.push("#{mysql_data_dir}:/var/lib/mysql:rw")
+ db_envs['MYSQL_DATABASE'] = api_envs_org['DATASTORE_SEQUELIZE_DATABASE']
+ db_envs['MYSQL_USER'] = '${DB_USERNAME}' unless db_username.nil?
+ db_envs['MYSQL_PASSWORD'] = '${DB_PASSWORD}' unless db_password.nil?
+ db_envs['MYSQL_ROOT_PASSWORD'] = '${DB_ROOT_PASSWORD}' unless db_root_password.nil?
+ when 'postgres'
+ pg_data_dir = "#{data_dir}/postgres"
+ resources(directory: pg_data_dir) rescue directory pg_data_dir do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ end
+
+ db_vols.push("#{pg_data_dir}:/database:rw")
+ db_envs['POSTGRES_DB'] = api_envs_org['DATASTORE_SEQUELIZE_DATABASE']
+ db_envs['POSTGRES_USER'] = '${DB_USERNAME}' unless db_username.nil?
+ db_envs['POSTGRES_PASSWORD'] = '${DB_PASSWORD}' unless db_password.nil?
+ db_envs['PGDATA'] = '/database'
+ end
+end
# ui
#ui_envs_org = config_srvs['ui']['environment']
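Review bot: Line 70 writes the SCM secrets fetched from Chef Vault into `override_api_config['scms'][scm]['config'][prop]`; if `override_api_config` is a node override attribute, as its name and line 29 suggest, those secrets end up in the node object saved to the Chef server and in any template diff Chef logs, which is exactly what the comments at lines 219 and 242 take care to avoid for the JWT key and passwords. Consider routing them through the same template-variable path, or at minimum mark the template that renders local.yaml `sensitive true`. Separately, the MySQL data directory at lines 123-128 is created `mode '0755'`, leaving database files on the host readable by every local user; `mode '0700'` suffices since line 124 implies the mysql container runs as uid 999, and the bare `owner 999` wants a `# uid of the mysql user in the official image` comment. The `resources(directory: …) rescue directory … do` idiom at lines 123, 137 (and 205 below) rescues every StandardError, so a genuine failure in the lookup is masked; rescuing `Chef::Exceptions::ResourceNotFound` explicitly keeps the find-or-create intent without the blanket catch.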
end
# store
+store_backend = node['screwdriver']['store']['backend']
store_envs_org = config_srvs['store']['environment']
store_envs = {}
store_vols = config_srvs['store']['volumes'].to_a
}
end
+s3_access_key_id = nil
+s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_ID'].nil?
+s3_access_key_id_vault_item = node['screwdriver']['s3_access_key_id_vault_item']
+s3_access_key_id = get_vault_item_value(s3_access_key_id_vault_item) unless s3_access_key_id_vault_item.empty?
+s3_access_key_id = SecureRandom.urlsafe_base64(16) if s3_access_key_id.nil?
+store_envs['S3_ACCESS_KEY_ID'] = '${S3_ACCESS_KEY_ID}'
+
+s3_access_key_secret = nil
+s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_SECRET'].nil?
+s3_access_key_secret_vault_item = node['screwdriver']['s3_access_key_secret_vault_item']
+s3_access_key_secret = get_vault_item_value(s3_access_key_secret_vault_item) unless s3_access_key_secret_vault_item.empty?
+s3_access_key_secret = SecureRandom.urlsafe_base64(32) if s3_access_key_secret.nil?
+store_envs['S3_ACCESS_KEY_SECRET'] = '${S3_ACCESS_KEY_SECRET}'
+
+# S3 compatible server
+if !store_backend.nil? && !store_backend.empty?
+ override_config_srvs['store']['links'] = ['screwdriver.s3']
+ store_envs['STRATEGY'] = 's3'
+ store_envs['S3_BUCKET'] = 'screwdriver'
+
+ #s3_envs_org = config_srvs['screwdriver.s3']['environment']
+ s3_envs = {}
+ s3_vols = config_srvs['screwdriver.s3']['volumes'].to_a
+
+ s3_port = '9010' # default
+ s3_in_port = '9000'
+ ports = config_srvs['screwdriver.s3']['ports']
+
+ case store_backend
+ when 'minio'
+ store_envs['S3_REGION'] = 'us-east-1'
+ store_envs['S3_ENDPOINT'] = "http://s3:#{s3_in_port}/screwdriver" # for path style
+ store_envs['S3_SIG_VER'] = 'v4'
+
+ if ports.empty?
+ override_config_srvs['screwdriver.s3']['ports'] = ["#{s3_port}:#{s3_in_port}"]
+ else
+ ports.each {|port|
+ elms = port.split(':')
+ s3_port = (elms.size == 2 ? elms[0] : elms[1]) if elms.last == s3_in_port
+ }
+ end
+
+ minio_data_dir = "#{data_dir}/minio"
+ resources(directory: minio_data_dir) rescue directory minio_data_dir do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ end
+
+ s3_vols.push("#{minio_data_dir}:/export:rw")
+ s3_envs['MINIO_ACCESS_KEY'] = '${S3_ACCESS_KEY_ID}' unless s3_access_key_id.nil?
+ s3_envs['MINIO_SECRET_KEY'] = '${S3_ACCESS_KEY_SECRET}' unless s3_access_key_secret.nil?
+ end
+end
+
override_store_config['auth']['jwtPublicKey'] = jwt_public_key
# Note: prevent Chef from logging JWT key attribute value. (=> template variables)
# However Docker env file format does not support multi-line value and backslash escaped string yet.
force_override_config_srvs['api']['environment'] = api_envs unless api_envs.empty?
force_override_config_srvs['ui']['environment'] = ui_envs unless ui_envs.empty?
force_override_config_srvs['store']['environment'] = store_envs unless store_envs.empty?
+if db_dialect != 'sqlite'
+ force_override_config_srvs['db']['environment'] = db_envs unless db_envs.empty?
+end
+if !store_backend.nil? && !store_backend.empty?
+ force_override_config_srvs['screwdriver.s3']['environment'] = s3_envs unless s3_envs.empty?
+end
# reset vlumes array.
override_config_srvs['api']['volumes'] = api_vols unless api_vols.empty?
override_config_srvs['ui']['volumes'] = ui_vols unless ui_vols.empty?
override_config_srvs['store']['volumes'] = store_vols unless store_vols.empty?
+if db_dialect != 'sqlite'
+ override_config_srvs['db']['volumes'] = db_vols unless db_vols.empty?
+end
+if !store_backend.nil? && !store_backend.empty?
+ override_config_srvs['screwdriver.s3']['volumes'] = s3_vols unless s3_vols.empty?
+end
template env_file do
source 'opt/docker-compose/app/screwdriver/.env'
# prevent Chef from logging password attribute value.
variables(
# secrets
+ cookie_password: cookie_password,
+ password: password,
+ db_username: db_username,
+ db_password: db_password,
+ db_root_password: db_root_password,
+ s3_access_key_id: s3_access_key_id,
+ s3_access_key_secret: s3_access_key_secret,
+ # **DEPRECATED!!**
# JWT keys setting -> /config/local.yaml
#jwt_private_key: jwt_private_key,
#jwt_public_key: jwt_public_key,
- cookie_password: cookie_password,
- password: password,
- oauth_client_id: oauth_client_id,
- oauth_client_secret: oauth_client_secret,
- webhook_github_secret: webhook_github_secret
+ # SCM secrets setting -> /config/local.yaml
+ #oauth_client_id: oauth_client_id,
+ #oauth_client_secret: oauth_client_secret,
+ #webhook_github_secret: webhook_github_secret
)
end
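Review bot: The generated S3 credentials at lines 165 and 172 are 22 and 43 characters long (`urlsafe_base64(16)` / `urlsafe_base64(32)`), which I believe exceeds the 20/40-character maximums that MinIO releases of this period enforced on `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY`, so a fresh install would have the minio container refuse to start; confirm against the pinned image, and if so `SecureRandom.hex(8)` and `SecureRandom.hex(16)` stay within the limits and avoid the `-`/`_` characters as well. The same fallback pattern at lines 95 and 102 means a host whose `.env` is lost gets a new random DB password while the data volume keeps the old one; assuming `env_local` is the parsed existing `.env`, a comment such as `# Generated once and persisted via .env (env_local); losing that file orphans the DB volume's credentials.` would save the next operator a surprise. The `template env_file` resource at line 240 now receives seven secrets, and `sensitive true` (not visible in the hunk) is needed so Chef does not print the rendered `.env` diff, which is what the line 242 comment is aiming for. Finally, `!store_backend.nil? && !store_backend.empty?` is evaluated at lines 176, 227 and 237 and `db_dialect != 'sqlite'` at 115, 224 and 234; computing `s3_enabled = !store_backend.to_s.empty?` and `use_db_container = db_dialect != 'sqlite'` once keeps the three sites from drifting.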
mode '0644'
end
-log <<-"EOM"
+log 'screwdriver docker-compose post install message' do
+ message <<-"EOM"
Note: You must execute the following command manually.
- See #{doc_url}
- * Start:
- $ cd #{app_dir}
- $ sudo docker-compose up -d
- * Stop
- $ sudo docker-compose down
+ See #{doc_url}
+ * Start:
+ $ cd #{app_dir}
+ $ sudo docker-compose up -d
+ * Stop
+ $ sudo docker-compose down
EOM
+end