#'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
=end
}
+# A password used for hashing user/pipeline access tokens. Needs to be minimum 32 characters
+default['screwdriver']['hashing_password_vault_item'] = {
+=begin
+ 'vault' => 'screwdriver',
+ 'name' => 'hashing_password',
+ # single password or nested hash password path delimited by slash
+ 'env_context' => false,
+ 'key' => 'password', # real hash path: "/password"
+ # or nested hash password path delimited by slash
+ #'env_context' => true,
+ #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
+=end
+}
default['screwdriver']['db_username_vault_item'] = {
=begin
'vault' => 'screwdriver',
# Cookbook Name:: screwdriver
# Recipe:: docker-compose
#
-# Copyright 2017, whitestar
+# Copyright 2017-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
api_config_local = YAML.load_file(api_config_file)
end
-env_local = nil
+env_local = {}
if File.exist?(env_file)
- env_local = {}
File.open(env_file) do |file|
file.each_line do |line|
env_local[$1] = $2 if line =~ /^([^=]*)=(.*)$/
jwt_private_key = api_config_local['auth']['jwtPrivateKey']
jwt_public_key = api_config_local['auth']['jwtPublicKey']
log 'JWT key pair is preserved from the local config/api-local.yaml file.'
- # if !env_local.nil? && !env_local['SECRET_JWT_PRIVATE_KEY'].nil? && !jwt_private_key_reset
+ # if !env_local['SECRET_JWT_PRIVATE_KEY'].nil? && !jwt_private_key_reset
# # 3. preserve it from the local .env file.
# # Note: Docker env file format does not support backslash escaped string yet.
# eval "jwt_private_key = %Q(#{env_local['SECRET_JWT_PRIVATE_KEY']})"
api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
end
+hashing_password = nil
+# for backward compatibility
+hashing_password = env_local['SECRET_PASSWORD'] if env_local['SECRET_HASHING_PASSWORD'].nil? && !env_local['SECRET_PASSWORD'].nil?
+hashing_password_vault_item = node['screwdriver']['hashing_password_vault_item']
+hashing_password = get_vault_item_value(hashing_password_vault_item) unless hashing_password_vault_item.empty?
+api_envs['SECRET_HASHING_PASSWORD'] = '${SECRET_HASHING_PASSWORD}' unless hashing_password.nil?
+
node['screwdriver']['api']['scms_vault_items'].each {|scm, props|
props.each {|prop, vault_item|
unless vault_item.empty?
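Review bot: `hashing_password` never picks up an existing `SECRET_HASHING_PASSWORD` from the local .env: the only read of that key is the `.nil?` test on the backward-compatibility line, so on a re-converge with no vault item configured the value falls through as nil, unlike `db_username`/`db_password`/`s3_*` in the later hunks, which all start from `env_local[...]`. Adding `hashing_password = env_local['SECRET_HASHING_PASSWORD'] unless env_local['SECRET_HASHING_PASSWORD'].nil?` before the backward-compatibility line gives it the same precedence (env file, then vault) as the other secrets. Because there is also no generated fallback here, `hashing_password` can stay nil and is then placed into the secrets hash by the last hunk (`hashing_password: hashing_password,`), so whatever consumes that hash has to tolerate nil; if an unset value is not an intended state, a `raise` at this point is safer than silently emitting an empty secret. The attribute comment's 32-character minimum is likewise not checked anywhere visible on this page. The surrounding `env_local`/`api_envs` setup begins outside this hunk.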
=end
db_username = nil
-db_username = env_local['DB_USERNAME'] if !env_local.nil? && !env_local['DB_USERNAME'].nil?
+db_username = env_local['DB_USERNAME'] unless env_local['DB_USERNAME'].nil?
db_username_vault_item = node['screwdriver']['db_username_vault_item']
db_username = get_vault_item_value(db_username_vault_item) unless db_username_vault_item.empty?
db_username = 'sd-admin' if db_username.nil?
api_envs['DATASTORE_SEQUELIZE_USERNAME'] = '${DB_USERNAME}'
db_password = nil
-db_password = env_local['DB_PASSWORD'] if !env_local.nil? && !env_local['DB_PASSWORD'].nil?
+db_password = env_local['DB_PASSWORD'] unless env_local['DB_PASSWORD'].nil?
db_password_vault_item = node['screwdriver']['db_password_vault_item']
db_password = get_vault_item_value(db_password_vault_item) unless db_password_vault_item.empty?
db_password = SecureRandom.urlsafe_base64(32) if db_password.nil?
api_envs['DATASTORE_SEQUELIZE_PASSWORD'] = '${DB_PASSWORD}'
db_root_password = nil
-db_root_password = env_local['DB_ROOT_PASSWORD'] if !env_local.nil? && !env_local['DB_ROOT_PASSWORD'].nil?
+db_root_password = env_local['DB_ROOT_PASSWORD'] unless env_local['DB_ROOT_PASSWORD'].nil?
db_root_password_vault_item = node['screwdriver']['db_root_password_vault_item']
db_root_password = get_vault_item_value(db_root_password_vault_item) unless db_root_password_vault_item.empty?
db_root_password = SecureRandom.urlsafe_base64(32) if db_root_password.nil?
end
s3_access_key_id = nil
-s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_ID'].nil?
+s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] unless env_local['S3_ACCESS_KEY_ID'].nil?
s3_access_key_id_vault_item = node['screwdriver']['s3_access_key_id_vault_item']
s3_access_key_id = get_vault_item_value(s3_access_key_id_vault_item) unless s3_access_key_id_vault_item.empty?
s3_access_key_id = SecureRandom.urlsafe_base64(16) if s3_access_key_id.nil?
store_envs['S3_ACCESS_KEY_ID'] = '${S3_ACCESS_KEY_ID}'
s3_access_key_secret = nil
-s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_SECRET'].nil?
+s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] unless env_local['S3_ACCESS_KEY_SECRET'].nil?
s3_access_key_secret_vault_item = node['screwdriver']['s3_access_key_secret_vault_item']
s3_access_key_secret = get_vault_item_value(s3_access_key_secret_vault_item) unless s3_access_key_secret_vault_item.empty?
s3_access_key_secret = SecureRandom.urlsafe_base64(32) if s3_access_key_secret.nil?
# secrets
cookie_password: cookie_password,
password: password,
+ hashing_password: hashing_password,
db_username: db_username,
db_password: db_password,
db_root_password: db_root_password,