
grid-chef-repo: コミット

Grid環境構築用のChefリポジトリです。


コミットメタ情報

リビジョン66211de922dc94c832178c6e72ccde6c5ed15885 (tree)
日時2018-08-23 09:45:33
作者whitestar <whitestar@user...>
コミッターwhitestar

ログメッセージ

add secrets generator for SECRET_{COOKIE_HASHING_}PASSWORD env. variables.

変更サマリ

差分

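--- a/cookbooks/screwdriver/CHANGELOG.md
+++ b/cookbooks/screwdriver/CHANGELOG.md
@@ -6,6 +6,7 @@
 - add secrets generator for DB and Object Storage setup.
 - add `SECRET_HASHING_PASSWORD` env. variable support.
 - add `['screwdriver']['docker-compose']['network_mode_bridge']` attribute.
+- add secrets generator for `SECRET_{COOKIE_,,HASHING_}PASSWORD` env. variables.
 
 0.6.0
 -----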
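--- a/cookbooks/screwdriver/recipes/docker-compose.rb
+++ b/cookbooks/screwdriver/recipes/docker-compose.rb
@@ -163,24 +163,26 @@ override_api_config['auth']['jwtPublicKey'] = jwt_public_key
 
 cookie_password = nil
 cookie_password_vault_item = node['screwdriver']['cookie_password_vault_item']
-unless cookie_password_vault_item.empty?
- cookie_password = get_vault_item_value(cookie_password_vault_item)
- api_envs['SECRET_COOKIE_PASSWORD'] = '${SECRET_COOKIE_PASSWORD}'
-end
+cookie_password = get_vault_item_value(cookie_password_vault_item) unless cookie_password_vault_item.empty?
+cookie_password = env_local['SECRET_COOKIE_PASSWORD'] if cookie_password.nil? && !env_local['SECRET_COOKIE_PASSWORD'].nil?
+cookie_password = SecureRandom.urlsafe_base64(32) if cookie_password.nil?
+api_envs['SECRET_COOKIE_PASSWORD'] = '${SECRET_COOKIE_PASSWORD}'
 
 password = nil
 password_vault_item = node['screwdriver']['password_vault_item']
-unless password_vault_item.empty?
- password = get_vault_item_value(password_vault_item)
- api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
-end
+password = get_vault_item_value(password_vault_item) unless password_vault_item.empty?
+password = env_local['SECRET_PASSWORD'] if password.nil? && !env_local['SECRET_PASSWORD'].nil?
+password = SecureRandom.urlsafe_base64(32) if password.nil?
+api_envs['SECRET_PASSWORD'] = '${SECRET_PASSWORD}'
 
 hashing_password = nil
 # for backward compatibility
 hashing_password = env_local['SECRET_PASSWORD'] if env_local['SECRET_HASHING_PASSWORD'].nil? && !env_local['SECRET_PASSWORD'].nil?
 hashing_password_vault_item = node['screwdriver']['hashing_password_vault_item']
 hashing_password = get_vault_item_value(hashing_password_vault_item) unless hashing_password_vault_item.empty?
-api_envs['SECRET_HASHING_PASSWORD'] = '${SECRET_HASHING_PASSWORD}' unless hashing_password.nil?
+hashing_password = env_local['SECRET_HASHING_PASSWORD'] if hashing_password.nil? && !env_local['SECRET_HASHING_PASSWORD'].nil?
+hashing_password = SecureRandom.urlsafe_base64(32) if hashing_password.nil?
+api_envs['SECRET_HASHING_PASSWORD'] = '${SECRET_HASHING_PASSWORD}'
 
 node['screwdriver']['api']['scms_vault_items'].each {|scm, props|
 props.each {|prop, vault_item|
@@ -215,24 +217,25 @@ end
 =end
 
 db_username = nil
-db_username = env_local['DB_USERNAME'] unless env_local['DB_USERNAME'].nil?
 db_username_vault_item = node['screwdriver']['db_username_vault_item']
 db_username = get_vault_item_value(db_username_vault_item) unless db_username_vault_item.empty?
+db_username = env_local['DB_USERNAME'] if db_username.nil? && !env_local['DB_USERNAME'].nil?
 db_username = 'sd-admin' if db_username.nil?
 api_envs['DATASTORE_SEQUELIZE_USERNAME'] = '${DB_USERNAME}'
 
 db_password = nil
-db_password = env_local['DB_PASSWORD'] unless env_local['DB_PASSWORD'].nil?
 db_password_vault_item = node['screwdriver']['db_password_vault_item']
 db_password = get_vault_item_value(db_password_vault_item) unless db_password_vault_item.empty?
+db_password = env_local['DB_PASSWORD'] if db_password.nil? && !env_local['DB_PASSWORD'].nil?
 db_password = SecureRandom.urlsafe_base64(32) if db_password.nil?
 api_envs['DATASTORE_SEQUELIZE_PASSWORD'] = '${DB_PASSWORD}'
 
 db_root_password = nil
-db_root_password = env_local['DB_ROOT_PASSWORD'] unless env_local['DB_ROOT_PASSWORD'].nil?
 db_root_password_vault_item = node['screwdriver']['db_root_password_vault_item']
 db_root_password = get_vault_item_value(db_root_password_vault_item) unless db_root_password_vault_item.empty?
+db_root_password = env_local['DB_ROOT_PASSWORD'] if db_root_password.nil? && !env_local['DB_ROOT_PASSWORD'].nil?
 db_root_password = SecureRandom.urlsafe_base64(32) if db_root_password.nil?
+# add this env. variable at the MySQL service setup
 
 db_dialect = api_envs_org['DATASTORE_SEQUELIZE_DIALECT']
 case db_dialect
@@ -336,16 +339,16 @@ else
 end
 
 s3_access_key_id = nil
-s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] unless env_local['S3_ACCESS_KEY_ID'].nil?
 s3_access_key_id_vault_item = node['screwdriver']['s3_access_key_id_vault_item']
 s3_access_key_id = get_vault_item_value(s3_access_key_id_vault_item) unless s3_access_key_id_vault_item.empty?
+s3_access_key_id = env_local['S3_ACCESS_KEY_ID'] if s3_access_key_id.nil? && !env_local['S3_ACCESS_KEY_ID'].nil?
 s3_access_key_id = SecureRandom.urlsafe_base64(16) if s3_access_key_id.nil?
 store_envs['S3_ACCESS_KEY_ID'] = '${S3_ACCESS_KEY_ID}'
 
 s3_access_key_secret = nil
-s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] unless env_local['S3_ACCESS_KEY_SECRET'].nil?
 s3_access_key_secret_vault_item = node['screwdriver']['s3_access_key_secret_vault_item']
 s3_access_key_secret = get_vault_item_value(s3_access_key_secret_vault_item) unless s3_access_key_secret_vault_item.empty?
+s3_access_key_secret = env_local['S3_ACCESS_KEY_SECRET'] if s3_access_key_secret.nil? && !env_local['S3_ACCESS_KEY_SECRET'].nil?
 s3_access_key_secret = SecureRandom.urlsafe_base64(32) if s3_access_key_secret.nil?
 store_envs['S3_ACCESS_KEY_SECRET'] = '${S3_ACCESS_KEY_SECRET}'
 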
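Review bot: The env-file fallback on new lines 167–168 (and the same shape at 174–175, 183–184, 222, 229, 236, 344 and 351) only tests `.nil?`, so an entry that is present with an empty value — if env_local can carry one — is kept as the secret and the `SecureRandom` generator on the next line never runs, leaving an empty `SECRET_COOKIE_PASSWORD` in the deployed environment. Treating blank as unset closes that gap: `cookie_password = env_local['SECRET_COOKIE_PASSWORD'] if cookie_password.nil? && !env_local['SECRET_COOKIE_PASSWORD'].to_s.empty?` followed by `cookie_password = SecureRandom.urlsafe_base64(32) if cookie_password.to_s.empty?`. Whether the freshly generated value is written back to the local env file happens outside this hunk; if it is not, every converge would presumably mint a new `SECRET_PASSWORD` and `SECRET_HASHING_PASSWORD`, invalidating whatever was derived from the previous values, so a comment above the generator line such as `# generated once and persisted to the local env file; rotating it invalidates existing sessions/secrets` would make that expectation checkable. The vault → env_local → generate chain now appears six times in this file; a small helper in a cookbook library (for example `resolve_secret(vault_item, env_key, bytes)`) would keep the precedence rule in one place.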
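--- a/cookbooks/screwdriver/version
+++ b/cookbooks/screwdriver/version
@@ -1 +1 @@
-0.6.0
+0.7.0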