
SoluReal/ansible-concourse

 
 


ansible-concourse

An Ansible role to manage Concourse CI.

Scope

This role understands how to manage a Concourse CI web (ATC/TSA) or worker service installation.

It:

  • (Optionally) creates a concourse user and group with which to run the daemon process.
  • (Optionally) formats and mounts a volume in which Concourse work is done.
  • Installs a systemd service called concourse-web and/or concourse-worker.
  • Fetches the Concourse binary tarball from the official site.
  • Creates a wrapper script that captures options passed into the binary executable.
  • Installs necessary ssh key files, provided through variables.
  • (Optionally) installs the Postgres database by using ansible-role-postgresql.

It does not:

  • Generate ssh key-pairs.
  • Manage any cloud infrastructure.

Installation

ansible-galaxy install solureal.concourse

Getting started

To install Concourse you need a couple of keys. You can generate them with:

ssh-keygen -t rsa -b 4096 -m PEM -f ./session_signing_key
ssh-keygen -t rsa -b 4096 -m PEM -f ./tsa_host_key
ssh-keygen -t rsa -b 4096 -m PEM -f ./worker_key
rm session_signing_key.pub # this file is not needed by concourse

- hosts: atc
  roles:
    - role: solureal.concourse
      concourse_web: yes
      concourse_authorized_worker_keys:
        - "{{ worker_public_key }}"
      concourse_local_users:
        - name: admin
          password: my_bcrypted_password
      concourse_main_team_local_users:
        - admin
      concourse_external_url: http://concourse.example.com
      
      # Installs postgresql on atc node
      concourse_postgres_install: yes
      concourse_postgres_host: localhost
      concourse_postgres_port: 5432
      concourse_postgres_user: concourse
      concourse_postgres_password: concourse
      concourse_postgres_database: concourse

- hosts: workers
  roles:
    - role: solureal.concourse
      concourse_worker: yes
      concourse_tsa_host: my-atc
      concourse_tsa_public_key: "{{ host_pub_key }}"
      concourse_tsa_worker_key: "{{ worker_key }}"
      concourse_worker_env:
        CONCOURSE_GARDEN_NETWORK_POOL: 10.254.0.0/16
        CONCOURSE_GARDEN_MAX_CONTAINERS: 512
        CONCOURSE_GARDEN_DOCKER_REGISTRY: https://docker.my-private-registry.org

Role Variables

See defaults/main.yml for default values not specified below. Many of these variables map sensibly to options supplied to the concourse binary at launch time. Run concourse web -h or concourse worker -h for more detail.

Note: The vast majority of variables have sensible defaults and normally need not be defined, but exist for when control over related behaviour is needed.

Maintenance Variables

  • concourse_force_restart: Optional. Default: "no". Triggers a restart of the web and/or worker services regardless of whether configuration has changed.

User Variables

  • concourse_manage_user: Optional. Default: "yes". Manage the system user to which file ownership is assigned.
  • concourse_user: Optional. The user that will own the Concourse install directory and the running process.
  • concourse_uid: Optional. The user ID.
  • concourse_group: Optional. The group that will own the Concourse install directory and the running process.
  • concourse_gid: Optional. The group ID.

Installation Variables

  • concourse_version: Optional. The version of Concourse to install.
  • concourse_install_prefix_dir: Optional. The prefix directory under which the Concourse installation directory will be placed. The Concourse tarball is also downloaded into this directory during installation.
  • concourse_install_dir: Optional. The directory path into which the Concourse tarball is extracted.
  • concourse_binary_path: Optional. The absolute path to the Concourse binary.
  • concourse_bin_dir: Optional. A directory in which the Concourse binary and related shell scripts live.
  • concourse_etc_dir: Optional. A directory in which Concourse-related generated or managed files are created.
  • concourse_archive_name: Optional. The file name of the Concourse release tarball to install.
  • concourse_archive_url: Optional. The URL at which the Concourse release tarball can be downloaded.
  • concourse_archive_checksum: Optional. The checksum of the Concourse release tarball used to validate the downloaded archive.
  • concourse_archive_os: Optional. The operating system for which to fetch the Concourse release tarball.
  • concourse_archive_fetch_timeout: Optional. The timeout in seconds for fetching the Concourse release tarball.
  • concourse_archive_delete_after_unarchive: Optional. Default: "yes". Delete the release tarball after it is unpacked.
  • concourse_binary_mode: Optional. The file mode of the Concourse binary.
  • concourse_etc_files_mode: Optional. The file mode of all files stored in concourse_etc_dir.

Common Variables

  • concourse_service_enabled: Optional. Default: "yes". Manage a systemd service for a Concourse web and/or worker instance.
  • concourse_service_start: Optional. Default: "yes". Start the systemd service(s) for Concourse web and/or worker.
  • concourse_log_level: Optional. The minimum level of logs to see. [debug|info|error|fatal]
  • concourse_env_file: Optional. A file containing environment variables which is fed into the EnvironmentFile attribute of the systemd service unit file. This is useful for configuration managed outside of the playbook. If the configuration should be managed by the playbook, concourse_web_env and/or concourse_worker_env is the better choice.

Web Variables

  • concourse_web: Optional. Set to "yes" to install the Concourse ATC.
  • concourse_bind_ip: Optional. The IP address on which to listen for web traffic.
  • concourse_bind_port: Optional. The port on which to listen for HTTP traffic.
  • concourse_tls_bind_port: Optional. The port on which to listen for HTTPS traffic.
  • concourse_tls_certificate: Optional. The content of the TLS certificate to use for HTTPS termination.
  • concourse_tls_certificate_path: Optional. The remote file path of the TLS certificate to use for HTTPS termination. Normally, only concourse_tls_certificate needs to be defined.
  • concourse_tls_key: Optional. The content of the TLS key to use for HTTPS termination.
  • concourse_tls_key_path: Optional. The remote file path of the TLS key to use for HTTPS termination. Normally, only concourse_tls_key needs to be defined.
  • concourse_peer_address: Optional. The URL at which this ATC can be reached from other ATCs in the cluster.
  • concourse_external_url: Optional. The URL at which any ATC can be reached from the outside.
  • concourse_web_launcher_path: Optional. The path to the script that launches the Concourse web process.
  • concourse_web_launcher_mode: Optional. The file mode of the web launcher script.
  • concourse_cli_artifacts_dir: Optional. The value of the --cli-artifacts-dir option.
  • concourse_authorized_worker_keys_path: Optional. The path to the authorized worker keys file.
  • concourse_host_key_path: Optional. The path to the host key file.
  • concourse_session_signing_key: Required. The session signing key.
  • concourse_session_signing_key_path: Optional. The path to the session signing key file.
  • concourse_encryption_key: Optional. A 16 or 32 length key used to encrypt sensitive data before storing it in the database.
  • concourse_old_encryption_key: Optional. An encryption key previously used. If provided without a new key, data is encrypted. If provided with a new key, data is re-encrypted.
  • concourse_host_key: Required. The host key.
  • concourse_authorized_worker_keys: Required. Concatenated authorized worker keys.
  • concourse_auth_duration: Optional. The length of time for which tokens are valid.
  • concourse_resource_checking_interval: Optional. Interval on which to check for new versions of resources.
  • concourse_base_resource_type_defaults: Optional. A hash of cluster-wide defaults for resource types.
  • concourse_base_resource_type_defaults_file: Optional. The path to the resource type defaults file.
  • concourse_web_options: Optional. Other non-managed options to pass to concourse.
  • concourse_web_env: Optional. A hash of environment variables made available to the concourse web process.

Web PostgreSQL Variables

  • concourse_postgres_install: Optional. Install postgresql using ansible-role-postgresql.
  • concourse_postgres_host: Optional. The Postgres host to connect to.
  • concourse_postgres_port: Optional. The Postgres port to connect to.
  • concourse_postgres_socket: Optional. The path to a Unix domain socket to connect to.
  • concourse_postgres_user: Optional. The Postgres user to sign in as.
  • concourse_postgres_password: Optional. The Postgres user's password.
  • concourse_postgres_ssl_mode: Optional. Whether or not to use SSL with the Postgres connection.
  • concourse_postgres_ca_cert: Optional. The Postgres CA cert file location.
  • concourse_postgres_client_cert: Optional. The Postgres client cert file location.
  • concourse_postgres_client_key: Optional. The Postgres client key file location.
  • concourse_postgres_connect_timeout: Optional. The Postgres dialing timeout.
  • concourse_postgres_database: Optional. The Postgres database name.

Web Local Authentication Variables

  • concourse_local_users: Optional. A list of concourse user credentials that are added as local users. Entries are objects having name and password fields (see example). Passwords can be plain text or bcrypted.
  • concourse_main_team_local_users: Optional. List of whitelisted local concourse users (of the supplied local user list).

Web GitHub Authentication Variables

  • concourse_github_client_id: Optional. GitHub client ID.
  • concourse_github_client_secret: Optional. GitHub client secret.
  • concourse_main_team_github_users: Optional. List of whitelisted GitHub users.
  • concourse_main_team_github_orgs: Optional. List of whitelisted GitHub orgs.
  • concourse_main_team_github_teams: Optional. List of whitelisted GitHub teams formatted as "org:team".

Web Other Authentication Methods

Unsupported. Do it yer dang self by supplying concourse web command options with the concourse_web_options variable.

Worker Variables

  • concourse_worker: Optional. Set to "yes" to install a Concourse worker.
  • concourse_worker_launcher_path: Optional. The path to the script that launches the Concourse worker process.
  • concourse_worker_land_path: Optional. The path to the script that lands a worker.
  • concourse_worker_retire_path: Optional. The path to the script that retires a worker.
  • concourse_worker_binary_mode: Optional. The file mode of the worker launcher, land, and retire scripts.
  • concourse_worker_land_on_stop: Optional. Default: "no". Run concourse land-worker upon stopping the service.
  • concourse_worker_retire_on_stop: Optional. Default: "yes". Run concourse retire-worker upon stopping the service.
  • concourse_work_dir: Optional. The directory in which the worker does work.
  • concourse_tsa_public_key_path: Optional. The path to the tsa public key file.
  • concourse_tsa_worker_key_path: Optional. The path to the worker private key file.
  • concourse_tsa_host: Required. The value of the --tsa-host option.
  • concourse_tsa_public_key: Required. The tsa public key.
  • concourse_tsa_worker_key: Required. The tsa worker private key.
  • concourse_worker_tag: Optional. The value of the --tag option.
  • concourse_baggageclaim_driver: Optional. The driver to use for managing volumes.
  • concourse_worker_options: Optional. Other non-managed options to pass to concourse.
  • concourse_worker_env: Optional. A hash of environment variables made available to the concourse worker process.
  • concourse_manage_work_volume: Optional. Default: "no". Activate management of the work volume.
  • concourse_work_volume_device: Required when concourse_manage_work_volume is "yes". The device to mount as the work volume.
  • concourse_work_volume_fs_type: Optional. The filesystem type of the work volume. By default, this is calculated to be btrfs or ext4 based on the value of concourse_baggageclaim_driver.
  • concourse_work_volume_fs_opts: Optional. A list of options to be passed to mkfs command when creating the work volume filesystem.
  • concourse_work_volume_fs_force_create: Optional. Default: "no". If yes, allows creating a new work volume filesystem on a device that already has a filesystem.
  • concourse_work_volume_fs_resize: Optional. Default: "no". If yes and the work volume block device and filesystem sizes differ, grow the filesystem into the space.
  • concourse_work_volume_mount_path: Optional. The directory to which the work volume will be mounted.
  • concourse_work_volume_mount_opts: Optional. Work volume mount options.
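
A pre-flight check over one host's role variables, run before the playbook, catches the constraints stated in the lists above: variables marked Required, the 16 or 32 length encryption key, and local user passwords that are not bcrypt hashes. This is an added example, not code from this role; check_vars and truthy are hypothetical helper names, and the two extra warnings (plain HTTP external URL, Postgres password equal to the user name) are this example's own checks, not the role's.

```python
import re

# bcrypt hashes: "$2a$", "$2b$" or "$2y$", a two-digit cost, then 53 salt+hash characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Variables the README marks "Required", keyed by the switch that enables them.
REQUIRED = {
    "concourse_web": ["concourse_session_signing_key", "concourse_host_key",
                      "concourse_authorized_worker_keys"],
    "concourse_worker": ["concourse_tsa_host", "concourse_tsa_public_key",
                         "concourse_tsa_worker_key"],
    "concourse_manage_work_volume": ["concourse_work_volume_device"],
}

def truthy(value):
    """Treat YAML/Ansible style booleans ("yes", True, "true") as enabled."""
    return str(value).strip().lower() in ("yes", "true", "on", "1")

def check_vars(v):
    """Return (severity, message) findings for one host's role variables (hypothetical helper)."""
    findings = []
    for switch, names in REQUIRED.items():
        if truthy(v.get(switch, "no")):
            for name in names:
                if not v.get(name):
                    findings.append(("error", f"{name} is required when {switch} is enabled"))
    key = v.get("concourse_encryption_key")
    if key is not None and len(str(key)) not in (16, 32):
        findings.append(("error", f"concourse_encryption_key has length {len(str(key))}, need 16 or 32"))
    for user in v.get("concourse_local_users", []):
        if not BCRYPT_RE.match(str(user.get("password", ""))):
            findings.append(("warn", f"local user {user.get('name')!r}: password is not a bcrypt hash"))
    if str(v.get("concourse_external_url", "")).startswith("http://"):  # added check
        findings.append(("warn", "concourse_external_url is plain HTTP"))
    pg_pw = v.get("concourse_postgres_password")
    if pg_pw is not None and pg_pw == v.get("concourse_postgres_user"):  # added check
        findings.append(("warn", "concourse_postgres_password equals concourse_postgres_user"))
    return findings

# Constructed sample: the ATC play from "Getting started", written as a dict.
SAMPLE_ATC = {
    "concourse_web": "yes",
    "concourse_authorized_worker_keys": ["ssh-rsa AAAA...constructed"],
    "concourse_local_users": [{"name": "admin", "password": "my_bcrypted_password"}],
    "concourse_external_url": "http://concourse.example.com",
    "concourse_postgres_user": "concourse", "concourse_postgres_password": "concourse",
}

for severity, message in check_vars(SAMPLE_ATC):
    print(f"{severity}: {message}")
```

Run against the Getting started values, it reports that concourse_session_signing_key and concourse_host_key, both marked Required, are not set in that play, and that the placeholder admin password is not a bcrypt hash.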

Credits

License

MIT © SoluReal
