kite 0.0.8 → 0.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50)
  1. checksums.yaml +4 -4
  2. data/.travis.yml +2 -0
  3. data/CHANGELOG.md +28 -1
  4. data/README.md +33 -4
  5. data/kite.gemspec +2 -0
  6. data/lib/kite.rb +1 -0
  7. data/lib/kite/core.rb +2 -40
  8. data/lib/kite/generate.rb +43 -0
  9. data/lib/kite/helpers.rb +27 -0
  10. data/lib/kite/render.rb +23 -11
  11. data/lib/kite/version.rb +1 -1
  12. data/tpl/aws/README.md +21 -21
  13. data/tpl/aws/bin/base/bootstrap.sh +35 -0
  14. data/tpl/aws/bin/base/cleanup.sh.tt +19 -0
  15. data/tpl/aws/{set-env.sh.erb → bin/base/set-env.sh.tt} +0 -0
  16. data/tpl/aws/{setup-tunnel.sh.erb → bin/base/setup-tunnel.sh.tt} +0 -0
  17. data/tpl/aws/{bosh-install.sh.erb → bin/bosh-install.sh.tt} +2 -2
  18. data/tpl/{gcp/concourse-deploy.sh.erb → aws/bin/concourse-deploy.sh.tt} +0 -0
  19. data/tpl/aws/bin/vault-deploy.sh.tt +10 -0
  20. data/tpl/aws/{deployments/bosh/bosh_vars.yml.tt → bosh-vars.yml.erb} +0 -0
  21. data/tpl/aws/deployments/bosh/cloud-config.yml.tt +2 -1
  22. data/tpl/aws/deployments/concourse/{concourse.yml.erb → concourse.yml.tt} +7 -0
  23. data/tpl/aws/deployments/vault/vault.yml.erb +38 -0
  24. data/tpl/aws/docs/bosh.md +31 -0
  25. data/tpl/aws/docs/concourse.md +30 -0
  26. data/tpl/{gcp → aws/docs}/vault.md +13 -6
  27. data/tpl/aws/terraform/{main.tf → main.tf.tt} +1 -2
  28. data/tpl/aws/terraform/{network.tf → network.tf.tt} +40 -23
  29. data/tpl/aws/terraform/{terraform.tfvars.erb → terraform.tfvars.tt} +2 -0
  30. data/tpl/aws/terraform/variables.tf +8 -0
  31. data/tpl/gcp/README.md +10 -31
  32. data/tpl/gcp/bin/base/bootstrap.sh +35 -0
  33. data/tpl/gcp/bin/base/cleanup.sh.tt +20 -0
  34. data/tpl/gcp/{set-env.sh.erb → bin/base/set-env.sh.tt} +3 -1
  35. data/tpl/gcp/{setup-tunnel.sh.erb → bin/base/setup-tunnel.sh.tt} +3 -1
  36. data/tpl/gcp/{bosh-install.sh.erb → bin/bosh-install.sh.tt} +3 -2
  37. data/tpl/gcp/bin/concourse-deploy.sh.tt +11 -0
  38. data/tpl/gcp/{vault-deploy.sh.erb → bin/vault-deploy.sh.tt} +1 -1
  39. data/tpl/gcp/deployments/bosh/cloud-config.yml.tt +3 -2
  40. data/tpl/gcp/deployments/concourse/{concourse.yml.erb → concourse.yml.tt} +8 -0
  41. data/tpl/gcp/deployments/concourse/test/test-credentials.yml +3 -0
  42. data/tpl/gcp/deployments/concourse/test/test-pipeline.yml +24 -0
  43. data/tpl/gcp/deployments/nginx/nginx.yml.erb +62 -0
  44. data/tpl/gcp/deployments/vault/{vault.yml → vault.yml.erb} +1 -1
  45. data/tpl/gcp/docs/bosh.md +31 -0
  46. data/tpl/gcp/docs/concourse.md +30 -0
  47. data/tpl/gcp/docs/vault.md +33 -0
  48. data/tpl/skel/config/cloud.yml +2 -0
  49. metadata +62 -19
  50. data/tpl/aws/concourse-deploy.sh.erb +0 -17
@@ -0,0 +1,10 @@
1
+ #!/usr/bin/env bash
2
+
3
+ set -xe
4
+
5
+ # Upload necessary stemcells and releases
6
+ bosh -e <%= @values['bosh']['name'] %> upload-stemcell https://bosh.io/d/stemcells/bosh-aws-xen-hvm-ubuntu-trusty-go_agent
7
+ bosh -e <%= @values['bosh']['name'] %> upload-release https://bosh.io/d/github.com/cloudfoundry-community/vault-boshrelease
8
+
9
+ # Deploy Vault
10
+ bosh -e <%= @values['bosh']['name'] %> -d vault deploy deployments/vault/vault.yml
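Review bot: Both uploads on lines 6 and 7 are unpinned — the stemcell URL carries no `?v=` and the vault-boshrelease URL has neither a version nor a `--sha1` — so each run deploys whatever bosh.io currently serves, and the result is neither reproducible nor integrity-checked. The gcp README text removed in this same release pinned its stemcell (`?v=3445.7`), so the project already had the habit. Pin both and pass the published checksum, e.g. `bosh -e <%= @values['bosh']['name'] %> upload-release https://bosh.io/d/github.com/cloudfoundry-community/vault-boshrelease?v=<RELEASE_VERSION> --sha1 <PUBLISHED_SHA1>` with the placeholders filled from the bosh.io release page, and the same for the stemcell.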
@@ -55,7 +55,8 @@ networks:
55
55
  - az: z1
56
56
  range: <%= @values['aws']['private_subnet']['network'] %>
57
57
  gateway: <%= @values['aws']['private_subnet']['gateway'] %>
58
- reserved: [<%= ip_range(@private_subnet, (1..10)) %>]
58
+ reserved: [<%= ip_range(@private_subnet, (1..10)) %>] # Reserved range for the gateway, BOSH Director etc
59
+ static: [<%= ip_range(@private_subnet, (11..13)) %>] # Static IP range for Vault, Concourse web panel, nginx etc
59
60
  dns: [<%= @private_subnet[8].to_s %>]
60
61
  cloud_properties: {subnet: <%= @tf_output['platform_subnet_id'] %>}
61
62
  - name: vip
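Review bot: The new `static` range on line 59 is one of three places that hard-code the same private-subnet offsets — `ip_range(@private_subnet, (11..13))` here, `@private_subnet[11]` in the Vault manifest's `static_ips`, and `@private_subnet[11]` in the Concourse `vault.url` — with nothing tying them together, so moving or narrowing the range here silently breaks the other two manifests. At minimum name the consumers in the comment, e.g. `# Static IPs: .11 = Vault (deployments/vault, Concourse vault.url); .12/.13 presumably Concourse web and nginx — keep in sync`; better, expose the offsets from a single helper and use it in all three templates. The `networks` entry continues before this hunk.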
@@ -26,6 +26,13 @@ instance_groups:
26
26
  basic_auth_password: <%= @values['concourse']['auth_password'] %>
27
27
  publicly_viewable: true
28
28
 
29
+ vault:
30
+ auth:
31
+ backend: token
32
+ client_token: "your Vault root token here"
33
+ path_prefix: /concourse
34
+ url: "http://<%= @private_subnet[11] %>:8200" # assuming Vault is deployed first
35
+
29
36
  postgresql_database: &atc_db atc
30
37
 
31
38
  - name: tsa
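Review bot: `client_token: "your Vault root token here"` on line 32, together with the new docs that tell the operator to paste the `vault init` root token there, leaves an unrestricted Vault token in a plaintext deployment manifest that already holds `basic_auth_password`. Concourse only reads under `path_prefix: /concourse`, so it should get a token bound to a policy limited to that path (read on `concourse/*`) with a TTL, supplied the way the neighbouring fields are — rendered from `@values['concourse']` (for example a `vault_token` key; name constructed) rather than hand-edited into the rendered file, so the root token never has to leave the operator's machine. `url: "http://<%= @private_subnet[11] %>:8200"` also sends that token over cleartext HTTP, and the Vault manifest added in this release sets no TLS under its job properties, so the comment on line 34 should say so: `# plain HTTP inside the private subnet; switch to https once the Vault job is given a certificate`. The `instance_groups` entry starts before this hunk.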
@@ -0,0 +1,38 @@
1
+ ---
2
+ name: vault
3
+
4
+ releases:
5
+ - name: vault
6
+ version: latest
7
+
8
+ instance_groups:
9
+ - name: vault
10
+ instances: 1
11
+ vm_type: default
12
+ azs: [z1]
13
+ stemcell: trusty
14
+ networks:
15
+ - name: platform_net
16
+ static_ips: [<%= @private_subnet[11] %>]
17
+
18
+ jobs:
19
+ - name: vault
20
+ release: vault
21
+ properties:
22
+ vault:
23
+ ha:
24
+ redirect: ~
25
+ storage:
26
+ use_file: true
27
+
28
+ update:
29
+ canaries: 1
30
+ max_in_flight: 1
31
+ serial: false
32
+ canary_watch_time: 1000-60000
33
+ update_watch_time: 1000-60000
34
+
35
+ stemcells:
36
+ - alias: trusty
37
+ name: bosh-aws-xen-hvm-ubuntu-trusty-go_agent
38
+ version: latest
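Review bot: The instance group on lines 9–16 declares no persistent disk (`persistent_disk_type` is absent) while the job stores its data with `storage.use_file: true` on lines 25–26, so unless the release writes that file under a persistent mount, every secret Concourse depends on lives on the VM's ephemeral disk and is lost on a `bosh recreate` or stemcell update — confirm against the vault-boshrelease job spec before this ships. Both `version: latest` entries (lines 6 and 38) make the deploy non-reproducible; pin the release and stemcell versions that were tested, quoting them (`version: "<RELEASE_VERSION>"`) so a value like `1.2` is not read as a float. No TLS material is set under `properties.vault` and the Concourse manifest reaches this instance over plain http, which deserves a comment at the top of the file so the operator knows the listener is cleartext.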
@@ -0,0 +1,31 @@
1
+ #### [Back](../README.md)
2
+
3
+ ## BOSH
4
+
5
+ ### Prerequisites
6
+
7
+ - Terraform IaC applied
8
+ - [BOSH CLI v2](https://bosh.io/docs/cli-v2.html#install) installed
9
+
10
+ ### Setup
11
+
12
+ Render bosh deployment
13
+ ```
14
+ kite render manifest bosh --cloud=gcp
15
+ ```
16
+
17
+ Setup tunnel
18
+ ```
19
+ . bin/setup-tunnel.sh
20
+ ```
21
+
22
+ Install BOSH
23
+ ```
24
+ ./bin/bosh-install.sh
25
+ ```
26
+
27
+ Connect to the Director
28
+ ```
29
+ . bin/set-env.sh
30
+
31
+ ```
@@ -0,0 +1,30 @@
1
+ #### [Back](../README.md)
2
+
3
+ ## Concourse
4
+
5
+ ### Prerequisites
6
+
7
+ - Vault [deployed and initialized](vault.md)
8
+
9
+ ### Setup
10
+
11
+ Fill out the "token" field in `deployments/concourse/concourse.yml` with root token received from `vault init`.
12
+
13
+ Deploy Concourse
14
+ ```
15
+ ./bin/concourse-deploy.sh
16
+ ```
17
+
18
+ ### Test
19
+
20
+ To run a test Concourse job:
21
+
22
+ - Go to test folder: `cd deployments/concourse/test`
23
+ - Fill out `test-credentials.yml`
24
+ - Add necessary secrets to your Vault(see [docs/vault.md](docs/vault.md))
25
+ - Download the `fly` client from Concourse web panel and add it to your PATH: `mv *path_to_fly* /usr/local/bin`
26
+ - Login to Concourse using the `fly` client: `fly -t ci --concourse-url *concourse-url*`
27
+ - Create a test pipeline with `fly set-pipeline -t ci -c test-pipeline.yml -p test --load-vars-from test-credentials.yml -n`
28
+ - Unpause pipeline: `fly unpause-pipeline -t ci -p test`
29
+ - Trigger and unpause the test job: `fly trigger-job -t ci -j test/test-publish`
30
+ - See the results on Concourse web panel or use: `fly watch -p test -j test/test-publish`
@@ -1,6 +1,8 @@
1
- # Vault usage
1
+ #### [Back](../README.md)
2
2
 
3
- ## Prerequisites
3
+ ## Vault
4
+
5
+ ### Prerequisites
4
6
 
5
7
  Before using Vault, you should have the client installed:
6
8
 
@@ -8,19 +10,24 @@ Before using Vault, you should have the client installed:
8
10
  - Unzip it and run `chmod +x vault && sudo mv vault /usr/local/bin/vault`
9
11
  - Check if the Vault is installed by running `vault -v`
10
12
 
11
- ## Deployment
13
+ ### Deployment
12
14
 
13
- To deploy Vault, use `bin/vault-deploy.sh`
15
+ To deploy Vault, use `./bin/vault-deploy.sh`
14
16
 
15
- ## Connection
17
+ ### Connection
16
18
 
17
19
  - Export your Vault's IP using `export VAULT_ADDR=*vault_ip*`
18
20
  - Run `vault init` to initialize the vault
19
21
  - Store the keys displayed after init
20
22
  - Unseal the vault by running `vault unseal` three times using three keys from the previous step
23
+ - Authenticate to the vault with `vault auth` using the root token you got from `vault init`
21
24
 
22
25
  [Optional]
23
26
  - Try to store a dummy secret: `vault write secret/handshake knock=knock`
24
27
  - Read it: `vault read secret/handshake`
25
28
 
26
- You're good to go!
29
+ ### Usage with Concourse
30
+
31
+ Before using Vault with Concourse you should mount a secrets backend with `vault mount -path=concourse kv`
32
+
33
+ To add new secrets accessible for Concourse use `vault write concourse/main/*secret_name* value="*secret_value*"`
@@ -16,8 +16,7 @@ resource "aws_instance" "bastion" {
16
16
  key_name = "${var.keypair_name}"
17
17
 
18
18
  vpc_security_group_ids = ["${aws_security_group.bastion_sg.id}"]
19
- subnet_id = "${aws_subnet.platform_dmz.id}"
20
-
19
+ subnet_id = <%= "\"#{conditional_subnet_id(@values)}\"" %>
21
20
  associate_public_ip_address = true
22
21
 
23
22
  tags {
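Review bot: `subnet_id = <%= "\"#{conditional_subnet_id(@values)}\"" %>` on new line 19 builds the Terraform quotes inside a Ruby string, which reads as escaped noise; `subnet_id = "<%= conditional_subnet_id(@values) %>"` renders identically and matches how terraform.tfvars.tt quotes its values (`vpc_id = "<%= @values['aws']['vpc_id'] %>"`). The same construction appears six times in network.tf.tt (five `vpc_id` lines and the NAT gateway `subnet_id`) and would benefit from the same change. Separately, the bastion keeps `associate_public_ip_address = true`, so when the operator supplies an existing public-subnet id it must be one with a route to an internet gateway — nothing checks or documents that; presumably `conditional_subnet_id` in helpers.rb (not in this chunk) returns the supplied id in that case, so the requirement belongs in the `public_subnet_id` variable's description. The `aws_instance.bastion` resource starts before this hunk.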
@@ -1,3 +1,4 @@
1
+ <% if @values['aws']['vpc_id'].empty? %>
1
2
  # Create a VPC to launch our instances into
2
3
  resource "aws_vpc" "platform" {
3
4
  cidr_block = "${var.vpc_cidr_block}"
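Review bot: `<% if @values['aws']['vpc_id'].empty? %>` on new line 1 calls `.empty?` on whatever the config lookup returns, so a `config/cloud.yml` written before this release and lacking a `vpc_id` key (the skel only gains it now) would presumably abort rendering with a `NoMethodError` on nil instead of falling back to creating a VPC; `.to_s.empty?` keeps the intent and tolerates a missing key. The guard in the third hunk, `<% if !@values['aws']['vpc_id'].empty? && @values['aws']['public_subnet']['id'].empty? %>`, has the same issue for both lookups. Note also that when both `vpc_id` and `public_subnet.id` are given, neither branch declares `aws_subnet.platform_dmz`; the bastion and NAT references were switched to `conditional_subnet_id`, but any reference to `aws_subnet.platform_dmz` left outside these hunks would fail `terraform validate` in that configuration, so that is worth checking. The `aws_vpc.platform` resource continues past this hunk.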
@@ -8,6 +9,18 @@ resource "aws_vpc" "platform" {
8
9
  }
9
10
  }
10
11
 
12
+ # DMZ subnet
13
+ resource "aws_subnet" "platform_dmz" {
14
+ vpc_id = "${aws_vpc.platform.id}"
15
+ availability_zone = "${var.availability_zone}"
16
+ cidr_block = "${var.public_subnet_cidr}"
17
+ map_public_ip_on_launch = false
18
+ tags {
19
+ Name = "${var.public_subnet_name}"
20
+ Component = "kite-platform"
21
+ }
22
+ }
23
+
11
24
  # Create an internet gateway to give our subnet access to the outside world
12
25
  resource "aws_internet_gateway" "platform" {
13
26
  vpc_id = "${aws_vpc.platform.id}"
@@ -17,9 +30,19 @@ resource "aws_internet_gateway" "platform" {
17
30
  }
18
31
  }
19
32
 
33
+ # Grant the VPC internet access on its main route table
34
+ resource "aws_route" "internet_access" {
35
+ route_table_id = "${aws_vpc.platform.main_route_table_id}"
36
+ destination_cidr_block = "0.0.0.0/0"
37
+ gateway_id = "${aws_internet_gateway.platform.id}"
38
+ }
39
+
40
+ <% end %>
41
+
42
+ <% if !@values['aws']['vpc_id'].empty? && @values['aws']['public_subnet']['id'].empty? %>
20
43
  # DMZ subnet
21
44
  resource "aws_subnet" "platform_dmz" {
22
- vpc_id = "${aws_vpc.platform.id}"
45
+ vpc_id = "${var.vpc_id}"
23
46
  availability_zone = "${var.availability_zone}"
24
47
  cidr_block = "${var.public_subnet_cidr}"
25
48
  map_public_ip_on_launch = false
@@ -28,10 +51,11 @@ resource "aws_subnet" "platform_dmz" {
28
51
  Component = "kite-platform"
29
52
  }
30
53
  }
54
+ <% end %>
31
55
 
32
56
  # Private subnet
33
57
  resource "aws_subnet" "platform_net" {
34
- vpc_id = "${aws_vpc.platform.id}"
58
+ vpc_id = <%= "\"#{conditional_vpc_id(@values)}\"" %>
35
59
  availability_zone = "${var.availability_zone}"
36
60
  cidr_block = "${var.private_subnet_cidr}"
37
61
  map_public_ip_on_launch = false
@@ -41,26 +65,9 @@ resource "aws_subnet" "platform_net" {
41
65
  }
42
66
  }
43
67
 
44
- # Allocate an Elastic IP for NAT gateway
45
- resource "aws_eip" "nat_ip" {
46
- }
47
-
48
- # Create a NAT gateway to forward the traffic for BOSH
49
- resource "aws_nat_gateway" "nat_gateway" {
50
- allocation_id = "${aws_eip.nat_ip.id}"
51
- subnet_id = "${aws_subnet.platform_dmz.id}"
52
- }
53
-
54
- # Grant the VPC internet access on its main route table
55
- resource "aws_route" "internet_access" {
56
- route_table_id = "${aws_vpc.platform.main_route_table_id}"
57
- destination_cidr_block = "0.0.0.0/0"
58
- gateway_id = "${aws_internet_gateway.platform.id}"
59
- }
60
-
61
68
  # Create a custom route table for the private subnet
62
69
  resource "aws_route_table" "private_route" {
63
- vpc_id = "${aws_vpc.platform.id}"
70
+ vpc_id = <%= "\"#{conditional_vpc_id(@values)}\"" %>
64
71
 
65
72
  route {
66
73
  cidr_block = "0.0.0.0/0"
@@ -73,6 +80,16 @@ resource "aws_route_table" "private_route" {
73
80
  }
74
81
  }
75
82
 
83
+ # Allocate an Elastic IP for NAT gateway
84
+ resource "aws_eip" "nat_ip" {
85
+ }
86
+
87
+ # Create a NAT gateway to forward the traffic for BOSH
88
+ resource "aws_nat_gateway" "nat_gateway" {
89
+ allocation_id = "${aws_eip.nat_ip.id}"
90
+ subnet_id = <%= "\"#{conditional_subnet_id(@values)}\"" %>
91
+ }
92
+
76
93
  # Associate custom route table with private subnet
77
94
  resource "aws_route_table_association" "private_route" {
78
95
  subnet_id = "${aws_subnet.platform_net.id}"
@@ -83,7 +100,7 @@ resource "aws_route_table_association" "private_route" {
83
100
  resource "aws_security_group" "bastion_sg" {
84
101
  name = "bastion_sg"
85
102
  description = "Bastion security group"
86
- vpc_id = "${aws_vpc.platform.id}"
103
+ vpc_id = <%= "\"#{conditional_vpc_id(@values)}\"" %>
87
104
  tags {
88
105
  Name = "bastion-sg"
89
106
  Component = "bosh-director"
@@ -110,7 +127,7 @@ resource "aws_security_group" "bastion_sg" {
110
127
  resource "aws_security_group" "bosh_sg" {
111
128
  name = "bosh_sg"
112
129
  description = "Default BOSH security group"
113
- vpc_id = "${aws_vpc.platform.id}"
130
+ vpc_id = <%= "\"#{conditional_vpc_id(@values)}\"" %>
114
131
  tags {
115
132
  Name = "bosh-sg"
116
133
  Component = "bosh-director"
@@ -169,7 +186,7 @@ resource "aws_security_group" "bosh_sg" {
169
186
  resource "aws_security_group" "concourse_sg" {
170
187
  name = "concourse-sg"
171
188
  description = "Concourse security group"
172
- vpc_id = "${aws_vpc.platform.id}"
189
+ vpc_id = <%= "\"#{conditional_vpc_id(@values)}\"" %>
173
190
  tags {
174
191
  Name = "concourse-sg"
175
192
  Component = "concourse"
@@ -7,8 +7,10 @@ availability_zone = "<%= @values['aws']['zone'] %>"
7
7
  # Network Config
8
8
  vpc_cidr_block = "<%= @values['aws']['vpc_cidr_block'] %>"
9
9
  vpc_name = "<%= @values['aws']['vpc_name'] %>"
10
+ vpc_id = "<%= @values['aws']['vpc_id'] %>"
10
11
  public_subnet_name = "<%= @values['aws']['public_subnet']['name'] %>"
11
12
  public_subnet_cidr = "<%= @values['aws']['public_subnet']['network'] %>"
13
+ public_subnet_id = "<%= @values['aws']['public_subnet']['id'] %>"
12
14
  private_subnet_name = "<%= @values['aws']['private_subnet']['name'] %>"
13
15
  private_subnet_cidr = "<%= @values['aws']['private_subnet']['network'] %>"
14
16
 
@@ -36,10 +36,18 @@ variable "vpc_name" {
36
36
  type = "string"
37
37
  }
38
38
 
39
+ variable "vpc_id" {
40
+ type = "string"
41
+ }
42
+
39
43
  variable "public_subnet_cidr" {
40
44
  type = "string"
41
45
  }
42
46
 
47
+ variable "public_subnet_id" {
48
+ type = "string"
49
+ }
50
+
43
51
  variable "public_subnet_name" {
44
52
  type = "string"
45
53
  }
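Review bot: The two new variables on lines 39–41 and 47–49 carry no `description`, yet they change the meaning of the values around them — when `vpc_id` is non-empty network.tf.tt no longer creates the VPC, and when `public_subnet_id` is also non-empty it creates no DMZ subnet — so an operator reading `vpc_cidr_block` next to `vpc_id` cannot tell which wins. Add `description = "Id of an existing VPC to deploy into; leave empty to create one"` and `description = "Id of an existing public (DMZ) subnet inside vpc_id, reachable via an internet gateway; leave empty to create one"`, and the same contract as a `#` comment above the new `vpc_id` line in terraform.tfvars.tt, which is the file operators actually edit. Which of the `*_cidr`/`*_name` values are ignored when an id is supplied depends on parts of network.tf.tt outside this chunk, so verify before wording that part.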
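--- a/data/tpl/gcp/README.md
+++ b/data/tpl/gcp/README.md
@@ -1,6 +1,6 @@
 ## GCP Cloud
 
-### Usage
+### Setup
 
 Set path to your service account credentials:
 ```
@@ -12,44 +12,23 @@ Apply terraform code
 pushd terraform && terraform init && terraform apply && popd
 ```
 
-Render bosh deployment
+Render BOSH manifest and related files
 ```
-kite render manifest bosh --cloud=gcp
+kite render manifest bosh --cloud gcp
 ```
 
-Setup tunnel
-```
-. bin/setup-tunnel.sh
-```
+Prepare BOSH environment using instructions from [docs/bosh.md](docs/bosh.md)
 
-Install BOSH
-```
-./bin/bosh-install.sh
+Render Vault deployment
 ```
-
-Connect to the Director
+kite render manifest vault --cloud gcp
 ```
-. bin/set-env.sh
 
-```
+Follow instructions from [docs/vault.md](docs/vault.md) to deploy Vault
 
-Render concourse deployment
+Render Concourse manifest
 ```
-kite render manifest concourse --cloud=gcp
+kite render manifest concourse --cloud gcp
 ```
 
-Install concourse
-```
-bosh -e bosh-1 update-cloud-config deployments/concourse/cloud-config.yml
-
-bosh -e bosh-1 upload-stemcell \
-https://bosh.io/d/stemcells/bosh-google-kvm-ubuntu-trusty-go_agent?v=3445.7
-
-bosh -e bosh-1 upload-release \
-https://github.com/concourse/concourse/releases/download/v3.4.1/concourse-3.4.1.tgz
-
-bosh -e bosh-1 upload-release \
-https://github.com/concourse/concourse/releases/download/v3.4.1/garden-runc-1.6.0.tgz
-
-bosh -e bosh-1 -d concourse deploy deployments/concourse/concourse.yml
-```
+Follow instructions from [docs/concourse.md](docs/concourse.md) to deploy Concourse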
@@ -0,0 +1,35 @@
1
+ #!/usr/bin/env bash
2
+
3
+ set -xe
4
+
5
+ # Apply Terraform IaC
6
+ pushd terraform
7
+
8
+ terraform init
9
+ terraform apply
10
+
11
+ popd
12
+
13
+ # Set up an SSH tunnel to Bastion
14
+ . bin/setup-tunnel.sh
15
+
16
+ # Render BOSH manifest and related files
17
+ kite render manifest bosh --cloud gcp
18
+
19
+ # Deploy BOSH Director
20
+ ./bin/bosh-install.sh
21
+
22
+ # Set the needed environment variables
23
+ . bin/set-env.sh
24
+
25
+ # Render Vault manifest and related files
26
+ kite render manifest vault --cloud gcp
27
+
28
+ # Deploy Vault
29
+ ./bin/vault-deploy.sh
30
+
31
+ # Render Concourse manifest
32
+ kite render manifest concourse --cloud gcp
33
+
34
+ # Deploy Concourse
35
+ ./bin/concourse-deploy.sh
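Review bot: `set -xe` on line 3 traces every command for the rest of the run, including the two sourced scripts on lines 14 and 23 — if `bin/set-env.sh` exports Director credentials (its contents are not in this chunk), they are echoed to the terminal and to any CI log that captures this bootstrap. Drop `-x`, or bracket the sourcing with `set +x; . bin/set-env.sh; set -x`. The script also assumes it runs from the project root (it uses `terraform` and `bin/...` relative paths while living in `bin/base/`), so a `cd "$(dirname "$0")/../.."` at the top, or at least a comment stating the expected working directory, would stop `terraform apply` from running against the wrong directory. Consider `set -euo pipefail` as well, so an unset variable from the sourced files fails loudly instead of reaching `bosh` as an empty value.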