Revisión | 7e823972b95c4ab5c66a5ba4e23d2c2caf88bb44 (tree) |
---|---|
Tiempo | 2017-07-25 22:17:19 |
Autor | whitestar <whitestar@user...> |
Commiter | whitestar |
adds a reverse proxy (nginx) service to the nexus-grid::docker-compose recipe.
@@ -1,5 +1,10 @@ | ||
1 | 1 | # nexus-grid CHANGELOG |
2 | 2 | |
3 | +0.1.1 | |
4 | +----- | |
5 | +- adds a reverse proxy (nginx) service to the `nexus-grid::docker-compose` recipe. | |
6 | +- adds the SSL configuration feature by reverse proxy. | |
7 | + | |
3 | 8 | 0.1.0 |
4 | 9 | ----- |
5 | 10 | - Initial release of nexus-gird |
@@ -15,6 +15,7 @@ This cookbook sets up a Sonatype Nexus Repository Manager by Docker Compose. | ||
15 | 15 | - [nexus-grid::default](#nexus-griddefault) |
16 | 16 | - [nexus-grid::docker-compose](#nexus-griddocker-compose) |
17 | 17 | - [Role Examples](#role-examples) |
18 | + - [SSL server keys and certificates management by ssl_cert cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook) | |
18 | 19 | - [License and Authors](#license-and-authors) |
19 | 20 | |
20 | 21 | ## Requirements |
@@ -36,7 +37,10 @@ This cookbook sets up a Sonatype Nexus Repository Manager by Docker Compose. | ||
36 | 37 | |
37 | 38 | |Key|Type|Description, example|Default| |
38 | 39 | |:--|:--|:--|:--| |
40 | +|`['nexus-grid']['with_ssl_cert_cookbook']`|Boolean|Activates TLS configurations by the `ssl_cert` cookbook. See `attributes/default.rb`|`false`| | |
41 | +|`['nexus-grid']['ssl_cert']['common_name']`|String|Server common name for TLS|`node['fqdn']`| | |
39 | 42 | |`['nexus-grid']['docker-compose']['app_dir']`|String||`"#{node['docker-grid']['compose']['app_dir']}/nexus"`| |
43 | +|`['nexus-grid']['docker-compose']['etc_dir']`|String||`"#{node['nexus-grid']['docker-compose']['app_dir']}/etc"`| | |
40 | 44 | |`['nexus-grid']['docker-compose']['data_dir']`|String|Path string or nil (unset).|`"#{node['nexus-grid']['docker-compose']['app_dir']}/data"`| |
41 | 45 | |`['nexus-grid']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`| |
42 | 46 |
@@ -70,25 +74,91 @@ port = '8081' | ||
70 | 74 | |
71 | 75 | override_attributes( |
72 | 76 | 'nexus-grid' => { |
73 | - #'https_enabled' => true, # not supported yet. | |
74 | 77 | 'docker-compose' => { |
75 | 78 | 'config' => { |
76 | 79 | 'version' => '2', |
77 | 80 | 'services' => { |
81 | + 'reverseproxy' => { | |
82 | + 'ports' => [ | |
83 | + "#{port}:8081", | |
84 | + ], | |
85 | + 'volumes' => [ | |
86 | + # This volume will be set by the nexus-grid::docker-compose recipe automatically. | |
87 | + #"#{node['nexus-grid']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro", | |
88 | + ], | |
89 | + }, | |
78 | 90 | 'nexus' => { |
79 | 91 | 'restart' => 'always', |
80 | 92 | 'image' => image, |
93 | + 'volumes' => [ | |
94 | + # This volume will be set by the nexus-grid::docker-compose recipe automatically. | |
95 | + #"#{node['nexus-grid']['docker-compose']['data_dir']}:/nexus-data", | |
96 | + ], | |
97 | + 'environment' => { | |
98 | + #'JAVA_MAX_HEAP' => '1200m', # passed as -Xmx. Defaults to 1200m. | |
99 | + #'JAVA_MIN_HEAP' => '1200m', # passed as -Xms. Defaults to 1200m. | |
100 | + #'EXTRA_JAVA_OPTS' => '', # Additional options can be passed to the JVM via this variable. | |
101 | + }, | |
102 | + }, | |
103 | + }, | |
104 | + }, | |
105 | + }, | |
106 | + }, | |
107 | +) | |
108 | +``` | |
109 | + | |
110 | +- `roles/nexus-with-ssl.rb` | |
111 | + | |
112 | +```ruby | |
113 | +name 'nexus-with-ssl' | |
114 | +description 'Nexus with SSL by reverse proxy (nginx)' | |
115 | + | |
116 | +run_list( | |
117 | + 'recipe[ssl_cert::server_key_pairs]', | |
118 | + 'role[docker]', | |
119 | + 'recipe[nexus-grid::docker-compose]', | |
120 | +) | |
121 | + | |
122 | +image = 'sonatype/nexus3' | |
123 | +port = '8081' | |
124 | +cn = 'nexus.io.example.com' | |
125 | + | |
126 | +override_attributes( | |
127 | + 'ssl_cert' => { | |
128 | + 'common_names' => [ | |
129 | + cn, | |
130 | + ], | |
131 | + }, | |
132 | + 'nexus-grid' => { | |
133 | + 'with_ssl_cert_cookbook' => true, | |
134 | + 'ssl_cert' => { | |
135 | + 'common_name' => cn, | |
136 | + }, | |
137 | + 'docker-compose' => { | |
138 | + 'config' => { | |
139 | + 'version' => '2', | |
140 | + 'services' => { | |
141 | + 'reverseproxy' => { | |
81 | 142 | 'ports' => [ |
82 | 143 | "#{port}:8081", |
83 | 144 | ], |
84 | 145 | 'volumes' => [ |
146 | + # These volumes will be set by the nexus-grid::docker-compose recipe automatically. | |
147 | + #"#{node['nexus-grid']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro", | |
148 | + # and server key pair volume conf. | |
149 | + ], | |
150 | + }, | |
151 | + 'nexus' => { | |
152 | + 'restart' => 'always', | |
153 | + 'image' => image, | |
154 | + 'volumes' => [ | |
85 | 155 | # This volume will be set by the nexus-grid::docker-compose recipe automatically. |
86 | 156 | #"#{node['nexus-grid']['docker-compose']['data_dir']}:/nexus-data", |
87 | 157 | ], |
88 | 158 | 'environment' => { |
89 | - #JAVA_MAX_HEAP => '1200m', # passed as -Xmx. Defaults to 1200m. | |
90 | - #JAVA_MIN_HEAP => '1200m', # passed as -Xms. Defaults to 1200m. | |
91 | - #EXTRA_JAVA_OPTS => '', # Additional options can be passed to the JVM via this variable. | |
159 | + #'JAVA_MAX_HEAP' => '1200m', # passed as -Xmx. Defaults to 1200m. | |
160 | + #'JAVA_MIN_HEAP' => '1200m', # passed as -Xms. Defaults to 1200m. | |
161 | + #'EXTRA_JAVA_OPTS' => '', # Additional options can be passed to the JVM via this variable. | |
92 | 162 | }, |
93 | 163 | }, |
94 | 164 | }, |
@@ -98,6 +168,57 @@ override_attributes( | ||
98 | 168 | ) |
99 | 169 | ``` |
100 | 170 | |
171 | +### SSL server keys and certificates management by the `ssl_cert` cookbook | |
172 | + | |
173 | +- create vault items. | |
174 | + | |
175 | +```text | |
176 | +$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("nexus.io.example.com.prod.key")})' \ | |
177 | +> > ~/tmp/nexus.io.example.com.prod.key.json | |
178 | + | |
179 | +$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("nexus.io.example.com.prod.crt")})' \ | |
180 | +> > ~/tmp/nexus.io.example.com.prod.crt.json | |
181 | + | |
182 | +$ cd $CHEF_REPO_PATH | |
183 | + | |
184 | +$ knife vault create ssl_server_keys nexus.io.example.com.prod \ | |
185 | +> --json ~/tmp/nexus.io.example.com.prod.key.json | |
186 | + | |
187 | +$ knife vault create ssl_server_certs nexus.io.example.com.prod \ | |
188 | +> --json ~/tmp/nexus.io.example.com.prod.crt.json | |
189 | +``` | |
190 | + | |
191 | +- grant reference permission to the Concourse host | |
192 | + | |
193 | +```text | |
194 | +$ knife vault update ssl_server_keys nexus.io.example.com.prod -S 'name:nexus-host.example.com' | |
195 | +$ knife vault update ssl_server_certs nexus.io.example.com.prod -S 'name:nexus-host.example.com' | |
196 | +``` | |
197 | + | |
198 | +- modify run_list and attributes | |
199 | + | |
200 | +```ruby | |
201 | +run_list( | |
202 | + 'recipe[ssl_cert::server_key_pairs]', | |
203 | + 'recipe[nexus-grid::docker-compose]', | |
204 | +) | |
205 | + | |
206 | +override_attributes( | |
207 | + 'ssl_cert' => { | |
208 | + 'common_names' => [ | |
209 | + 'nexus.io.example.com', | |
210 | + ], | |
211 | + }, | |
212 | + 'nexus-grid' => { | |
213 | + 'with_ssl_cert_cookbook' => true, | |
214 | + 'ssl_cert' => { | |
215 | + 'common_name' => 'nexus.io.example.com', | |
216 | + }, | |
217 | + # ... | |
218 | + }, | |
219 | +) | |
220 | +``` | |
221 | + | |
101 | 222 | ## License and Authors |
102 | 223 | |
103 | 224 | - Author:: whitestar at osdn.jp |
@@ -17,16 +17,14 @@ | ||
17 | 17 | # limitations under the License. |
18 | 18 | # |
19 | 19 | |
20 | -# Not supported yet. | |
21 | -force_override['nexus-grid']['https_enabled'] = false | |
22 | -force_override['nexus-grid']['with_ssl_cert_cookbook'] = false | |
20 | +default['nexus-grid']['with_ssl_cert_cookbook'] = false | |
23 | 21 | # If ['nexus-grid']['with_ssl_cert_cookbook'] is true, |
24 | 22 | # node['nexus-grid']['docker-compose']['config'] |
25 | 23 | # are overridden by the following 'common_name' attributes. |
26 | -force_override['nexus-grid']['ssl_cert']['ca_names'] = [] | |
27 | -force_override['nexus-grid']['ssl_cert']['common_name'] = node['fqdn'] | |
24 | +default['nexus-grid']['ssl_cert']['common_name'] = node['fqdn'] | |
28 | 25 | |
29 | 26 | default['nexus-grid']['docker-compose']['app_dir'] = "#{node['docker-grid']['compose']['app_dir']}/nexus" |
27 | +default['nexus-grid']['docker-compose']['etc_dir'] = "#{node['nexus-grid']['docker-compose']['app_dir']}/etc" | |
30 | 28 | default['nexus-grid']['docker-compose']['data_dir'] = "#{node['nexus-grid']['docker-compose']['app_dir']}/data" |
31 | 29 | |
32 | 30 | force_override['nexus-grid']['docker-compose']['config_format_version'] = '2' |
@@ -34,10 +32,28 @@ version_2_config = { | ||
34 | 32 | # Version 2 docker-compose format |
35 | 33 | 'version' => '2', |
36 | 34 | 'services' => { |
35 | + 'reverseproxy' => { | |
36 | + 'depends_on' => [ | |
37 | + 'nexus', | |
38 | + ], | |
39 | + 'restart' => 'always', | |
40 | + 'image' => 'nginx:alpine', | |
41 | + 'expose' => [ | |
42 | + '8081', | |
43 | + ], | |
44 | + 'ports' => [ | |
45 | + #'8081:8081', # default | |
46 | + ], | |
47 | + 'volumes' => [ | |
48 | + # This volume will be set by the nexus-grid::docker-compose recipe automatically. | |
49 | + #"#{node['nexus-grid']['docker-compose']['etc_dir']}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro", | |
50 | + ], | |
51 | + }, | |
37 | 52 | 'nexus' => { |
38 | 53 | 'restart' => 'always', |
39 | 54 | 'image' => 'sonatype/nexus3', |
40 | 55 | 'ports' => [ |
56 | + # Do not expose! | |
41 | 57 | #'8081:8081', |
42 | 58 | #'8443:8443', |
43 | 59 | ], |
@@ -46,9 +62,9 @@ version_2_config = { | ||
46 | 62 | #"#{node['nexus-grid']['docker-compose']['data_dir']}:/nexus-data", |
47 | 63 | ], |
48 | 64 | 'environment' => { |
49 | - #JAVA_MAX_HEAP => '1200m', # passed as -Xmx. Defaults to 1200m. | |
50 | - #JAVA_MIN_HEAP => '1200m', # passed as -Xms. Defaults to 1200m. | |
51 | - #EXTRA_JAVA_OPTS => '', # Additional options can be passed to the JVM via this variable. | |
65 | + #'JAVA_MAX_HEAP' => '1200m', # passed as -Xmx. Defaults to 1200m. | |
66 | + #'JAVA_MIN_HEAP' => '1200m', # passed as -Xms. Defaults to 1200m. | |
67 | + #'EXTRA_JAVA_OPTS' => '', # Additional options can be passed to the JVM via this variable. | |
52 | 68 | }, |
53 | 69 | }, |
54 | 70 | }, |
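Review bot: `'image' => 'nginx:alpine'` in the new `reverseproxy` service is a floating tag, so every converge that pulls may get a different nginx build, and the TLS listener this commit adds inherits whatever that build ships; pinning to an explicit version tag (e.g. `'image' => 'nginx:<pinned-version>-alpine'`, value to be chosen) or an image digest makes the deployment reproducible. The pre-existing `'sonatype/nexus3'` line has the same property but is not touched here. The `ports` default is left empty with `#'8081:8081', # default` commented out, and the actual default is only applied by the docker-compose recipe when the array is empty; a comment such as `# empty => nexus-grid::docker-compose publishes 8081:8081` next to it would save readers a trip to the recipe.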
@@ -17,20 +17,18 @@ | ||
17 | 17 | # limitations under the License. |
18 | 18 | # |
19 | 19 | |
20 | -::Chef::Recipe.send(:include, SSLCert::Helper) | |
21 | - | |
22 | 20 | doc_url = 'https://hub.docker.com/r/sonatype/nexus3/' |
23 | 21 | |
24 | 22 | include_recipe 'platform_utils::kernel_user_namespace' |
25 | 23 | include_recipe 'docker-grid::compose' |
26 | 24 | |
27 | 25 | app_dir = node['nexus-grid']['docker-compose']['app_dir'] |
26 | +etc_dir = node['nexus-grid']['docker-compose']['etc_dir'] | |
28 | 27 | data_dir = node['nexus-grid']['docker-compose']['data_dir'] |
29 | -#bin_dir = "#{app_dir}/bin" | |
30 | 28 | |
31 | 29 | [ |
32 | 30 | app_dir, |
33 | - #bin_dir, | |
31 | + "#{etc_dir}/nginx", | |
34 | 32 | ].each {|dir| |
35 | 33 | resources(directory: dir) rescue directory dir do |
36 | 34 | owner 'root' |
@@ -43,9 +41,23 @@ data_dir = node['nexus-grid']['docker-compose']['data_dir'] | ||
43 | 41 | config_srvs = node['nexus-grid']['docker-compose']['config']['services'] |
44 | 42 | override_config_srvs = node.override['nexus-grid']['docker-compose']['config']['services'] |
45 | 43 | #force_override_config_srvs = node.force_override['nexus-grid']['docker-compose']['config']['services'] |
46 | -#envs_org = config_srvs['nexus']['environment'] | |
47 | -#envs = {} | |
48 | -vols = config_srvs['nexus']['volumes'].to_a | |
44 | +#nexus_envs_org = config_srvs['nexus']['environment'] | |
45 | +#nexus_envs = {} | |
46 | +rproxy_vols = config_srvs['reverseproxy']['volumes'].to_a | |
47 | +nexus_vols = config_srvs['nexus']['volumes'].to_a | |
48 | + | |
49 | +ports = config_srvs['reverseproxy']['ports'] | |
50 | +override_config_srvs['reverseproxy']['ports'] = ['8081:8081'] if ports.empty? | |
51 | + | |
52 | +template "#{etc_dir}/nginx/nginx.conf" do | |
53 | + source 'opt/docker-compose/app/nexus/etc/nginx/nginx.conf' | |
54 | + owner 'root' | |
55 | + group 'root' | |
56 | + mode '0644' | |
57 | + action :create | |
58 | +end | |
59 | + | |
60 | +rproxy_vols.push("#{etc_dir}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro") | |
49 | 61 | |
50 | 62 | # Data persistent |
51 | 63 | resources(directory: data_dir) rescue directory data_dir do |
@@ -55,21 +67,28 @@ resources(directory: data_dir) rescue directory data_dir do | ||
55 | 67 | recursive true |
56 | 68 | end if !data_dir.nil? && !data_dir.empty? |
57 | 69 | |
58 | -vols.push("#{data_dir}:/nexus-data") if !data_dir.nil? && !data_dir.empty? | |
70 | +nexus_vols.push("#{data_dir}:/nexus-data") if !data_dir.nil? && !data_dir.empty? | |
59 | 71 | |
60 | -ports = config_srvs['nexus']['ports'] | |
61 | -override_config_srvs['nexus']['ports'] = ['8081:8081'] if ports.empty? | |
72 | +if node['nexus-grid']['with_ssl_cert_cookbook'] | |
73 | + ::Chef::Recipe.send(:include, SSLCert::Helper) | |
74 | + cn = node['nexus-grid']['ssl_cert']['common_name'] | |
75 | + # Nginx parent process owner is root. | |
76 | + rproxy_vols.push("#{server_cert_path(cn)}:/root/server.crt:ro") | |
77 | + rproxy_vols.push("#{server_key_path(cn)}:/root/server.key:ro") | |
78 | +end | |
62 | 79 | |
80 | +=begin | |
63 | 81 | if node['nexus-grid']['https_enabled'] |
64 | - etc_dir = "#{data_dir}/etc" | |
65 | - resources(directory: etc_dir) rescue directory etc_dir do | |
82 | + # TODO: TLS conf. for built-in jetty | |
83 | + data_etc_dir = "#{data_dir}/etc" | |
84 | + resources(directory: data_etc_dir) rescue directory data_etc_dir do | |
66 | 85 | owner 200 |
67 | 86 | group 200 |
68 | 87 | mode '0755' |
69 | 88 | recursive true |
70 | 89 | end |
71 | 90 | |
72 | - template "#{etc_dir}/nexus.properties" do | |
91 | + template "#{data_etc_dir}/nexus.properties" do | |
73 | 92 | source 'opt/docker-compose/app/nexus/data/etc/nexus.properties' |
74 | 93 | owner 200 |
75 | 94 | group 200 |
@@ -77,13 +96,16 @@ if node['nexus-grid']['https_enabled'] | ||
77 | 96 | action :create |
78 | 97 | end |
79 | 98 | |
80 | - override_config_srvs['nexus']['ports'] = ['8443:8443'] if ports.empty? | |
99 | + nexus_ports = config_srvs['nexus']['ports'] | |
100 | + override_config_srvs['nexus']['ports'] = ['8443:8443'] if nexus_ports.empty? | |
81 | 101 | end |
102 | +=end | |
82 | 103 | |
83 | 104 | # merge environment hash |
84 | -#force_override_config_srvs['nexus']['environment'] = envs unless envs.empty? | |
105 | +#force_override_config_srvs['nexus']['environment'] = nexus_envs unless nexus_envs.empty? | |
85 | 106 | # reset vlumes array. |
86 | -override_config_srvs['nexus']['volumes'] = vols unless vols.empty? | |
107 | +override_config_srvs['reverseproxy']['volumes'] = rproxy_vols unless rproxy_vols.empty? | |
108 | +override_config_srvs['nexus']['volumes'] = nexus_vols unless nexus_vols.empty? | |
87 | 109 | |
88 | 110 | config_file = "#{app_dir}/docker-compose.yml" |
89 | 111 | template config_file do |
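Review bot: In the new `with_ssl_cert_cookbook` branch the server private key is bind-mounted from `server_key_path(cn)` with nothing in this recipe ensuring that `ssl_cert::server_key_pairs` has already placed it; the README only asks operators to order the run_list by hand, and a bind mount whose host path is missing is created by Docker as an empty directory rather than rejected, so a wrong ordering would surface as an nginx startup failure instead of a clear converge error. If this cookbook declares a dependency on `ssl_cert` (its metadata is not in this diff), `include_recipe 'ssl_cert::server_key_pairs'` at the top of that branch makes the ordering explicit; otherwise a comment stating the run_list prerequisite belongs beside the `cn =` line. Separately, `ports = config_srvs['reverseproxy']['ports']` is read without the `.to_a` that `rproxy_vols` and `nexus_vols` get just above it, so a role that overrides `reverseproxy` without a `ports` key makes `ports.empty?` raise NoMethodError on nil; `ports = config_srvs['reverseproxy']['ports'].to_a` keeps the three lookups consistent.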
@@ -0,0 +1,39 @@ | ||
1 | +<% | |
2 | +ssl_enabled = node['nexus-grid']['with_ssl_cert_cookbook'] | |
3 | +-%> | |
4 | +worker_processes 1; | |
5 | + | |
6 | +events { | |
7 | + worker_connections 1024; | |
8 | +} | |
9 | + | |
10 | +http { | |
11 | + sendfile on; | |
12 | + | |
13 | + upstream docker-nexus { | |
14 | + server nexus:8081; | |
15 | + } | |
16 | + | |
17 | + server { | |
18 | +<% if ssl_enabled %> | |
19 | + listen 8081 default ssl; | |
20 | + ssl on; | |
21 | + ssl_certificate /root/server.crt; | |
22 | + ssl_certificate_key /root/server.key; | |
23 | +<% else %> | |
24 | + listen 8081; | |
25 | +<% end %> | |
26 | + | |
27 | + location / { | |
28 | + proxy_pass http://docker-nexus; | |
29 | + proxy_redirect off; | |
30 | + proxy_set_header Host $http_host; # $host does not include the port number. | |
31 | + proxy_set_header X-Real-IP $remote_addr; | |
32 | +<% if ssl_enabled %> | |
33 | + proxy_set_header X-Forwarded-Proto https; | |
34 | +<% end %> | |
35 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
36 | + proxy_set_header X-Forwarded-Host $server_name; | |
37 | + } | |
38 | + } | |
39 | +} |
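Review bot: The TLS branch of the `server` block (`listen 8081 default ssl;` through `ssl_certificate_key`) sets no `ssl_protocols` or `ssl_ciphers`, so the listener runs on nginx's built-in defaults, which in releases contemporary with this commit still accept TLSv1 and TLSv1.1; adding `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` beside the certificate lines fixes the protocol floor (the cipher list itself is a deployment choice). `ssl on;` is redundant once `ssl` appears on the `listen` line and is deprecated in later nginx releases, and `default` is the old spelling of `default_server`, so `listen 8081 default_server ssl;` on its own would do. The plain-HTTP branch sends no `X-Forwarded-Proto` at all; `proxy_set_header X-Forwarded-Proto <%= ssl_enabled ? 'https' : 'http' %>;` in place of the second `<% if ssl_enabled %>` block keeps the header present in both modes.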
@@ -1 +1 @@ | ||
1 | -0.1.0 | |
1 | +0.1.1 |