ansible_concourse

ansible-concourse

Build Status

An Ansible role to manage Concourse CI.

Scope

This role understands how to manage a Concourse CI web (ATC/TSA) or worker service installation.

It:

  • (Optionally) creates a concourse user and group with which to run the daemon process.
  • (Optionally) formats and mounts a volume in which Concourse work is done.
  • Installs a systemd service called concourse-web and/or concourse-worker.
  • Fetches the Concourse binary tarball from the official site.
  • Creates a wrapper script that captures options passed into the binary executable.
  • Installs necessary ssh key files, provided through variables.

It does not:

  • Generate ssh key-pairs.
  • Manage the Postgres database.
  • Manage any cloud infrastructure.

Installation

ansible-galaxy install pellegrino.concourse

Branches

  • master: Concourse 7.x (7.1.0)
  • support/6.x: Concourse 6.x
  • support/5.x: Concourse 5.x
  • support/4.x: Concourse 4.x
  • support/3.x: Concourse 3.x

Note: Concourse makes backwards-incompatible command option changes within major versions, so these branches will likely not support early minor or patch revisions of a major version. The latest version used in testing is shown in brackets.

Role Variables

See defaults/main.yml for default values not specified below. Many of these variables map sensibly to options supplied to the concourse binary at launch time. Run concourse web -h or concourse worker -h for more detail.

Note: The vast majority of variables have sensible defaults and normally need not be defined, but exist for when control over related behaviour is needed. See examples for a minimal configuration set.

Maintenance Variables

  • concourse_force_restart: Optional. Default: "no". Triggers a restart of the web and/or worker services regardless as to whether or not configuration has changed.

User Variables

  • concourse_manage_user: Optional. Default: "yes". Manage the system user to which file ownership is assigned.
  • concourse_user: Optional. The user that will own the Concourse install directory and the running process.
  • concourse_uid: Optional. The user ID.
  • concourse_group: Optional. The group that will own the Concourse install directory and the running process.
  • concourse_gid: Optional. The group ID.

Installation Variables

  • concourse_version: Optional. The version of Concourse to install.
  • concourse_install_prefix_dir: Optional. The prefix directory under which the Concourse installation directory will be placed. The Concourse tarball is also downloaded into this directory during installation.
  • concourse_install_dir: Optional. The directory path into which the Concourse tarball is extracted.
  • concourse_binary_path: Optional. The absolute path to the Concourse binary.
  • concourse_bin_dir: Optional. A directory in which the Concourse binary and related shell scripts live.
  • concourse_etc_dir: Optional. A directory in which Concourse-related generated or managed files are created.
  • concourse_archive_name: Optional. The file name of the Concourse release tarball to install.
  • concourse_archive_url: Optional. The URL at which the Concourse release tarball can be downloaded.
  • concourse_archive_checksum: Optional. The checksum of the Concourse release tarball used to validate the downloaded archive.
  • concourse_archive_os: Optional. The operating system for which to fetch the Concourse release tarball.
  • concourse_archive_arch: Optional. The system architecture for which to fetch the Concourse release tarball.
  • concourse_archive_fetch_timeout: Optional. The timeout in seconds for fetching the Concourse release tarball.
  • concourse_archive_delete_after_unarchive: Optional. Default: "yes". Delete the release tarball after it is unpacked.
  • concourse_binary_mode: Optional. The file mode of the Concourse binary.
  • concourse_etc_files_mode: Optional. The file mode of all files stored in concourse_etc_dir.

Common Variables

  • concourse_service_enabled: Optional. Default: "yes". Manage a systemd service for a Concourse web and/or worker instance.
  • concourse_service_start: Optional. Default: "yes". Start the systemd service(s) for Concourse web and/or worker.
  • concourse_log_level: Optional. The minimum level of logs to see. [debug|info|error|fatal]
  • concourse_env_file: Optional. A file containing environment variables which is fed into the EnvironmentFile attribute of the systemd service unit file. This is useful for configuration managed outside of the playbook. If the configuration should be managed by the playbook, concourse_web_env and/or concourse_worker_env is the better choice.

Web Variables

  • concourse_web: Optional. Set to "yes" to install the Concourse ATC.
  • concourse_bind_ip: Optional. The IP address on which to listen to web traffic.
  • concourse_bind_port: Optional. The port on which to listen for HTTP traffic.
  • concourse_tls_bind_port: Optional. The port on which to listen for HTTPS traffic.
  • concourse_tls_certificate: Optional. The content of the TLS certificate to use for HTTPS termination.
  • concourse_tls_certificate_path: Optional. The remote file path of the TLS certificate to use for HTTPS termination. Normally, only concourse_tls_certificate needs to be defined.
  • concourse_tls_key: Optional. Optional. The content of the TLS key to use for HTTPS termination.
  • concourse_tls_key_path: Optional. The remote file path of the TLS key to use for HTTPS termination. Normally, only concourse_tls_key needs to be defined.
  • concourse_peer_address: Optional. The URL at which this ATC can be reached from other ATCs in the cluster.
  • concourse_external_url: Optional. The URL at which any ATC can be reached from the outside.
  • concourse_vault_url: Optional. The URL at which the vault server can be reached, if using the vault credential manager.
  • concourse_vault_client_token: Optional. The vault periodic token. Required if vault_url is defined.
  • concourse_web_launcher_path: Optional. The path to the script that launches the Concourse web process.
  • concourse_web_launcher_mode: Optional. The file mode of the web launcher script.
  • concourse_cli_artifacts_dir: Optional. The value of the --cli-artifacts-dir option.
  • concourse_authorized_worker_keys_path: Optional. The path to the authorized worker keys file.
  • concourse_host_key_path: Optional. The path to the host key file.
  • concourse_session_signing_key: Required. The session signing key.
  • concourse_session_signing_key_path: Optional. The path to the session signing key file.
  • concourse_encryption_key: Optional. A 16 or 32 length key used to encrypt sensitive data before storing it in the database
  • concourse_old_encryption_key: Optional. An encryption key previously used. If provided without a new key, data is encrypted. If provided with a new key, data is re-encrypted.
  • concourse_host_key: Required. The host key.
  • concourse_authorized_worker_keys: Required. Concatenated authorized worker keys.
  • concourse_auth_duration: Optional. The length of time for which tokens are valid.
  • concourse_resource_checking_interval: Optional. Interval on which to check for new versions of resources.
  • concourse_base_resource_type_defaults: Optional. A hash of cluster-wide defaults for resource types.
  • concourse_base_resource_type_defaults_file: Optional. The path to the resource type defaults file.
  • concourse_web_options: Optional. Other non-managed options to pass to concourse.
  • concourse_web_env_vars: Optional. A dictionary of environment variables to set when the web node runs

Web PostgreSQL Variables

  • concourse_postgres_host: Optional. The Postgres host to connect to.
  • concourse_postgres_port: Optional. The Postgres port to connect to.
  • concourse_postgres_socket: Optional. The path to a Unix domain socket to connect to.
  • concourse_postgres_user: Optional. The Postgres user to sign in as.
  • concourse_postgres_password: Optional. The Postgres user's password.
  • concourse_postgres_ssl_mode: Optional. Whether or not to use SSL with the Postgres connection.
  • concourse_postgres_ca_cert: Optional. The Postgres CA cert file location.
  • concourse_postgres_client_cert: Optional. The Postgres client cert file location.
  • concourse_postgres_client_key: Optional. The Postgres client key file location.
  • concourse_postgres_connect_timeout: Optional. The Postgres dialing timeout.
  • concourse_postgres_database: Optional. The Postgres database name.

Web Local Authentication Variables

  • concourse_local_users: Optional. A list of concourse user credentials that are added as local users. Entries are objects having name and password fields (see example). Passwords can be plain text or bcrypted.
  • concourse_main_team_local_users: Optional. List of whitelisted local concourse users (of the supplied local user list).

Web GitHub Authentication Variables

  • concourse_github_client_id: Optional. GitHub client ID.
  • concourse_github_client_secret: Optional. GitHub client secret.
  • concourse_main_team_github_users: Optional. List of whitelisted GitHub users.
  • concourse_main_team_github_orgs: Optional. List of whitelisted GitHub orgs.
  • concourse_main_team_github_teams: Optional. List of whitelisted GitHub teams formatted as "org:team".

Web Other Authentication Methods

Unsupported. Do it yer dang self by supplying concourse web command options with the concourse_web_options variable.

Worker Variables

  • concourse_worker: Optional. Set to "yes" to install a Concourse worker.
  • concourse_worker_launcher_path: Optional. The path to the script that launches the Concourse worker process.
  • concourse_worker_land_path: Optional. The path to the script that lands a worker.
  • concourse_worker_retire_path: Optional. The path to the script that retires a worker.
  • concourse_worker_runtime: Optional. Default: "containerd". Can be set to either garden or containerd
  • concourse_worker_binary_mode: Optional. The file mode of the worker launcher, land, and retire scripts.
  • concourse_worker_land_on_stop: Optional. Default: "no". Run concourse land-worker upon stopping the service.
  • concourse_worker_retire_on_stop: Optional. Default: "yes". Run concourse retire-worker upon stopping the service.
  • concourse_work_dir: Optional. The directory in which the worker does work.
  • concourse_tsa_public_key_path: Optional. The path to the tsa public key file.
  • concourse_tsa_worker_key_path: Optional. The path to the worker private key file.
  • concourse_tsa_host: Required. The value of the --tsa-host option.
  • concourse_tsa_public_key: Required. The tsa public key.
  • concourse_tsa_worker_key: Required. The tsa worker private key.
  • concourse_worker_tag: Optional. The value of the --tag option.
  • concourse_baggageclaim_driver: Optional. The driver to use for managing volumes.
  • concourse_worker_options: Optional. Other non-managed options to pass to concourse.
  • concourse_worker_env_vars: Optional. A dictionary of environment variables to set when the worker node runs
  • concourse_manage_work_volume: Optional. Default: "no". Activate management of the work volume.
  • concourse_work_volume_device: Required when concourse_manage_work_volume is "yes". The device to mount as the work volume.
  • concourse_work_volume_fs_type: Optional. The filesystem type of the work volume. By default, this is calculated to be btrfs or ext4 based on the value of concourse_baggageclaim_driver.
  • concourse_work_volume_fs_opts: Optional. A list of options to be passed to mkfs command when creating the work volume filesystem.
  • concourse_work_volume_fs_force_create: Optional. Default: "no". If yes, allows to create a new work volume filesystem on a device that already has a filesystem.
  • concourse_work_volume_fs_resize: Optional. Default: "no". If yes, if the work volume block device and filesystem size differ, grow the filesystem into the space.
  • concourse_work_volume_mount_path: Optional. The directory to which the work volume will be mounted.
  • concourse_work_volume_mount_opts: Optional. Work volume mount options.

Containerd

Added a few extra flags for configuring containerd. Containerd is now the default in favor of Garden.

  • concourse_worker_containerd_dns_server: Optional. Default: "1.1.1.1".
  • concourse_worker_containerd_allow_host_access: Optional. Default: "false". If set to "true", it will allow containerd to access services running on the host.

Example Playbook

- hosts: atc
  roles:
  - role: troykinsella.concourse
    concourse_web: yes
    concourse_authorized_worker_keys:
    - "{{ worker_public_key }}"
    concourse_postgres_host: concoursedb.abc123.us-east-1.rds.amazonaws.com
    concourse_postgres_user: concourse
    concourse_postgres_password: changeme
    concourse_postgres_database: atc
    concourse_local_users:
    - name: admin
      password: my_bcrypted_password
    concourse_main_team_local_users:
    - admin
    concourse_external_url: http://concourse.example.com
    concourse_web_env_vars:
      CONCOURSE_SECRET_RETRY_ATTEMPTS: 5

- hosts: workers
  roles:
  - role: troykinsella.concourse
    concourse_worker: yes
    concourse_tsa_host: my-atc
    concourse_tsa_public_key: "{{ host_pub_key }}"
    concourse_tsa_worker_key: "{{ worker_key }}"
    concourse_worker_env_vars:
      CONCOURSE_GARDEN_NETWORK_POOL: 10.254.0.0/16
      CONCOURSE_GARDEN_MAX_CONTAINERS: 512
      CONCOURSE_GARDEN_DOCKER_REGISTRY: https://docker.my-private-registry.org

Testing

Prerequisites:

  • Install Docker

To run serverspec tests:

docker build .

Contributors

License

MIT © Troy Kinsella

About

Concourse CI. CI that scales with your project.

Install
ansible-galaxy install pellegrino/ansible-concourse
GitHub repository
License
mit
Downloads
37