
grid-chef-repo: コミット

Grid環境構築用のChefリポジトリです。


コミットメタ情報

リビジョン5777dbf03d097fc9edcf5736711597d363cc2bf3 (tree)
日時2018-08-13 10:22:39
作者whitestar <whitestar@user...>
コミッターwhitestar

ログメッセージ

add SECRET_HASHING_PASSWORD env. variable support.

変更サマリ

差分

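--- a/cookbooks/screwdriver/attributes/default.rb
+++ b/cookbooks/screwdriver/attributes/default.rb
@@ -76,6 +76,19 @@ default['screwdriver']['password_vault_item'] = {
 #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
 =end
 }
+# A password used for hashing user/pipeline access tokens. Needs to be minimum 32 characters
+default['screwdriver']['hashing_password_vault_item'] = {
+=begin
+ 'vault' => 'screwdriver',
+ 'name' => 'hashing_password',
+ # single password or nested hash password path delimited by slash
+ 'env_context' => false,
+ 'key' => 'password', # real hash path: "/password"
+ # or nested hash password path delimited by slash
+ #'env_context' => true,
+ #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
+=end
+}
 default['screwdriver']['db_username_vault_item'] = {
 =begin
 'vault' => 'screwdriver',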
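--- a/cookbooks/screwdriver/recipes/docker-compose.rb
+++ b/cookbooks/screwdriver/recipes/docker-compose.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: screwdriver
 # Recipe:: docker-compose
 #
-# Copyright 2017, whitestar
+# Copyright 2017-2018, whitestar
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -69,9 +69,8 @@ if File.exist?(api_config_file)
 api_config_local = YAML.load_file(api_config_file)
 end
 
-env_local = nil
+env_local = {}
 if File.exist?(env_file)
- env_local = {}
 File.open(env_file) do |file|
 file.each_line do |line|
 env_local[$1] = $2 if line =~ /^([^=]*)=(.*)$/
@@ -149,7 +148,7 @@ else
 jwt_private_key = api_config_local['auth']['jwtPrivateKey']
 jwt_public_key = api_config_local['auth']['jwtPublicKey']
 log 'JWT key pair is preserved from the local config/api-local.yaml file.'
- # if !env_local.nil? && !env_local['SECRET_JWT_PRIVATE_KEY'].nil? && !jwt_private_key_reset
+ # if !env_local['SECRET_JWT_PRIVATE_KEY'].nil? && !jwt_private_key_reset
 # # 3. preserve it from the local .env file.
 # # Note: Docker env file format does not support backslash escaped string yet.
 # eval "jwt_private_key = %Q(#{env_local['SECRET_JWT_PRIVATE_KEY']})"
@@ -189,6 +188,13 @@ unless password_vault_item.empty?
 api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
 end
 
+hashing_password = nil
+# for backward compatibility
+hashing_password = env_local['SECRET_PASSWORD'] if env_local['SECRET_HASHING_PASSWORD'].nil? && !env_local['SECRET_PASSWORD'].nil?
+hashing_password_vault_item = node['screwdriver']['hashing_password_vault_item']
+hashing_password = get_vault_item_value(hashing_password_vault_item) unless hashing_password_vault_item.empty?
+api_envs['SECRET_HASHING_PASSWORD'] = '${SECRET_HASHING_PASSWORD}' unless hashing_password.nil?
+
 node['screwdriver']['api']['scms_vault_items'].each {|scm, props|
 props.each {|prop, vault_item|
 unless vault_item.empty?
@@ -222,21 +228,21 @@ end
 =end
 
 db_username = nil
-db_username = env_local['DB_USERNAME'] if !env_local.nil? && !env_local['DB_USERNAME'].nil?
+db_username = env_local['DB_USERNAME'] unless env_local['DB_USERNAME'].nil?
 db_username_vault_item = node['screwdriver']['db_username_vault_item']
 db_username = get_vault_item_value(db_username_vault_item) unless db_username_vault_item.empty?
 db_username = 'sd-admin' if db_username.nil?
 api_envs['DATASTORE_SEQUELIZE_USERNAME'] = '${DB_USERNAME}'
 
 db_password = nil
-db_password = env_local['DB_PASSWORD'] if !env_local.nil? && !env_local['DB_PASSWORD'].nil?
+db_password = env_local['DB_PASSWORD'] unless env_local['DB_PASSWORD'].nil?
 db_password_vault_item = node['screwdriver']['db_password_vault_item']
 db_password = get_vault_item_value(db_password_vault_item) unless db_password_vault_item.empty?
 db_password = SecureRandom.urlsafe_base64(32) if db_password.nil?
 api_envs['DATASTORE_SEQUELIZE_PASSWORD'] = '${DB_PASSWORD}'
 
 db_root_password = nil
-db_root_password = env_local['DB_ROOT_PASSWORD'] if !env_local.nil? && !env_local['DB_ROOT_PASSWORD'].nil?
+db_root_password = env_local['DB_ROOT_PASSWORD'] unless env_local['DB_ROOT_PASSWORD'].nil?
 db_root_password_vault_item = node['screwdriver']['db_root_password_vault_item']
 db_root_password = get_vault_item_value(db_root_password_vault_item) unless db_root_password_vault_item.empty?
 db_root_password = SecureRandom.urlsafe_base64(32) if db_root_password.nil?
@@ -325,14 +331,14 @@ else
 end
 
 s3_access_key_id = nil
-s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_ID'].nil?
+s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] unless env_local['S3_ACCESS_KEY_ID'].nil?
 s3_access_key_id_vault_item = node['screwdriver']['s3_access_key_id_vault_item']
 s3_access_key_id = get_vault_item_value(s3_access_key_id_vault_item) unless s3_access_key_id_vault_item.empty?
 s3_access_key_id = SecureRandom.urlsafe_base64(16) if s3_access_key_id.nil?
 store_envs['S3_ACCESS_KEY_ID'] = '${S3_ACCESS_KEY_ID}'
 
 s3_access_key_secret = nil
-s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] if !env_local.nil? && !env_local['S3_ACCESS_KEY_SECRET'].nil?
+s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] unless env_local['S3_ACCESS_KEY_SECRET'].nil?
 s3_access_key_secret_vault_item = node['screwdriver']['s3_access_key_secret_vault_item']
 s3_access_key_secret = get_vault_item_value(s3_access_key_secret_vault_item) unless s3_access_key_secret_vault_item.empty?
 s3_access_key_secret = SecureRandom.urlsafe_base64(32) if s3_access_key_secret.nil?
@@ -552,6 +558,7 @@ template env_file do
 # secrets
 cookie_password: cookie_password,
 password: password,
+ hashing_password: hashing_password,
 db_username: db_username,
 db_password: db_password,
 db_root_password: db_root_password,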
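Review bot: The new `hashing_password` block in the `@@ -189,6 +188,13 @@` hunk never reads an existing `SECRET_HASHING_PASSWORD` back from the local .env file, so when `hashing_password_vault_item` is empty (the attribute default leaves it `{}`) `hashing_password` stays `nil` and the template in the `@@ -552,6 +558,7 @@` hunk omits the line on the next converge, unlike `db_username` and the other secrets which preserve their `env_local` value first. Since the attribute comment says this value hashes user/pipeline access tokens, dropping or silently replacing it would presumably invalidate tokens issued under the previous value. Add `hashing_password = env_local['SECRET_HASHING_PASSWORD'] unless env_local['SECRET_HASHING_PASSWORD'].nil?` before the backward-compatibility line so the fallback to `SECRET_PASSWORD` only applies when no dedicated value exists. The 32-character minimum stated in the attribute comment is also not checked on either source; at least a `log ... level :warn` when `hashing_password.length < 32` would surface a short fallback value without breaking existing deployments.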
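--- a/cookbooks/screwdriver/templates/default/opt/docker-compose/app/screwdriver/.env
+++ b/cookbooks/screwdriver/templates/default/opt/docker-compose/app/screwdriver/.env
@@ -15,6 +15,9 @@ SECRET_COOKIE_PASSWORD=<%= @cookie_password %>
 <% unless @password.nil? %>
 SECRET_PASSWORD=<%= @password %>
 <% end %>
+<% unless @hashing_password.nil? %>
+SECRET_HASHING_PASSWORD=<%= @hashing_password %>
+<% end %>
 <% unless @oauth_client_id.nil? %>
 SECRET_OAUTH_CLIENT_ID=<%= @oauth_client_id %>
 <% end %>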