#!/bin/bash
#############################################################
#
# Creates a bosh2 Concourse deployment.
# Assumes that following environment variables are set
# export BOSH_CLIENT=admin
# export BOSH_CLIENT_SECRET=`bosh2 int creds.yml --path /admin_password`
# export BOSH_ENVIRONMENT=bootstrap
# Optional integrations with github for authentication and with vault.
# This script expects the bosh2 director to be targeted.
#
# Arguments:
# -i <ip address> Concourse Fully Qualified Domain Name / IP
# -u <url> External Concourse URL
# --iaas <iaas> iaas to use vsphere/aws/azure/google, default to vsphere - required to download stemcell
# --tsa-signing-key - tsa signing key
# --host-private-key - host private key
# --host-public-key - host public key
# --worker-private-key - worker private key
# --worker-public-key - worker public key
#
# Optional Arguments:
# -d <directory> Directory to house the files related to a given deployment, will default to "deployment"
# -p <password> basic auth password, will default to "admin" if not specified
# -n <name> deployment name, will default to "concourse"
# --manifest <manifest> manifest file name, will default to concourse_stub.yml
#
#
# -v <vault integration> true/false defaults to false
# -a <address> Vault Address
# -r <token> Vault root token
# --vault-insecure-skip-verify = true/false
#
# -g <github integration> true/false, defaults to false
# -c <client_id> github client id
# -s <client_secret> github client secret
# -o <org> github org
# -t <team> github team, will default to "all"
#
# --web-public-ip - optional, default value parsed from value of "-u" option
#############################################################
# Abort on the first failing command (long form of `set -e`).
set -o errexit
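#######################################
# Prints the command-line synopsis to stdout, one option group per line.
# The unquoted-heredoc/backslash form this replaces collapsed the whole
# synopsis onto a single line and misspelled "address".
# Note: --tsa-signing-key and the host/worker key options are listed because
# the header documents them, but the argument parser in this script has no
# branch for them.
#######################################
usage() {
  cat <<'EOF'
USAGE:
  deploy_concourse.sh -i <ip address/fqdn> -u <concourse url> --iaas <iaas>
      [-d <deployment directory>] [-n <deployment name>] [-p <concourse admin password>]
      [--manifest <manifest-file>] [--web-public-ip <web public ip>]
      [-v <vault integration true/false> -a <vault address> -r <vault root token>
          --vault-insecure-skip-verify <true/false>]
      [-g <github integration true/false> -c <github client id> -s <github client secret>
          -o <github org> [-t <github team>]]
      --tsa-signing-key <tsa-signing-key-file>
      --host-private-key <host-private-key-file> --host-public-key <host-public-key-file>
      --worker-private-key <worker-private-key-file> --worker-public-key <worker-public-key-file>
EOF
}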
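# Defaults for the deployment; the argument parser below overrides them.
CONCOURSE_FQDN=""
CONCOURSE_EXTERNAL_URL=""
# Basic-auth password used when github authentication is off.
CONCOURSE_PASSWORD="admin"
# Directory where files related to this deployment will go.
DEPLOYMENT_DIR="deployment"
# Vault integration
VAULT_INTEGRATION=false
VAULT_ADDR=""
VAULT_ROOT_TOKEN=""
# TLS verification of the Vault endpoint is skipped unless the caller passes
# --vault-insecure-skip-verify false; exported as VAULT_SKIP_VERIFY later on.
VAULT_INSECURE_SKIP_VERIFY=true
# GitHub integration
GITHUB_INTEGRATION=false
GITHUB_CLIENT_ID=""
GITHUB_CLIENT_SECRET=""
GITHUB_ORG=""
GITHUB_TEAM="all"
MANIFEST="concourse_stub.yml"
# The header comment documents "concourse" as the default deployment name;
# the script actually defaults to "concourse-gold".
DEPLOYMENT_NAME="concourse-gold"
IAAS="vsphere"
# Public IP handed to the deploy on public clouds; initialised here so the
# later "was it supplied?" test never sees an unset variable.
WEB_PUBLIC_IP=""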
# Parse the command argument list
# while getopts "h:i:u:d:v:a:r:g:c:s:o:t:n:p:" opt; do
# case "$opt" in
# h|\?)
# usage
# exit 0
# ;;
# i)
# CONCOURSE_FQDN=$OPTARG
# ;;
# u)
# CONCOURSE_EXTERNAL_URL=$OPTARG
# ;;
# d)
# DEPLOYMENT_DIR=$OPTARG
# ;;
# p)
# CONCOURSE_PASSWORD=$OPTARG
# ;;
# n)
# DEPLOYMENT_NAME=$OPTARG
# ;;
# v)
# if [ $OPTARG = true ] || [ $OPTARG = false ]; then
# VAULT_INTEGRATION=$OPTARG
# else
# echo "Unknown value for -v: $OPTARG. Options are true/false"
# exit 1
# fi
# ;;
# a)
# VAULT_ADDR=$OPTARG
# ;;
# r)
# VAULT_ROOT_TOKEN=$OPTARG
# ;;
# g)
# if [ $OPTARG = true ] || [ $OPTARG = false ]; then
# GITHUB_INTEGRATION=$OPTARG
# else
# echo "Unknown value for -v: $OPTARG. Options are true/false"
# exit 1
# fi
# ;;
# c)
# GITHUB_CLIENT_ID=$OPTARG
# ;;
# s)
# GITHUB_CLIENT_SECRET=$OPTARG
# ;;
# o)
# GITHUB_ORG=$OPTARG
# ;;
# t)
# GITHUB_TEAM=$OPTARG
# ;;
# *)
# echo "Unknown argument - $opt"
# #usage
# #exit 1
# ;;
# esac
# done
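#######################################
# Exits the script unless $2 is the literal "true" or "false".
# Arguments: $1 - option name (for the message), $2 - value to check
# Outputs:   diagnostic on stderr when the value is invalid
#######################################
check_bool() {
  if [[ "$2" != true && "$2" != false ]]; then
    printf 'Unknown value for %s: %s. Options are true/false\n' "$1" "$2" >&2
    exit 1
  fi
}

#######################################
# Stores the value of one recognised option in its global.
# Arguments: $1 - option name as listed in parse_args, $2 - its value
# Globals:   CONCOURSE_*, DEPLOYMENT_*, VAULT_*, GITHUB_*, IAAS, MANIFEST,
#            WEB_PUBLIC_IP (written)
#######################################
set_option() {
  local opt=$1 val=$2
  case "$opt" in
    -i) CONCOURSE_FQDN=$val ;;
    -u) CONCOURSE_EXTERNAL_URL=$val ;;
    -d) DEPLOYMENT_DIR=$val ;;
    -p) CONCOURSE_PASSWORD=$val ;;
    -n) DEPLOYMENT_NAME=$val ;;
    -v) check_bool "$opt" "$val"; VAULT_INTEGRATION=$val ;;
    -a) VAULT_ADDR=$val ;;
    -r) VAULT_ROOT_TOKEN=$val ;;
    -g) check_bool "$opt" "$val"; GITHUB_INTEGRATION=$val ;;
    -c) GITHUB_CLIENT_ID=$val ;;
    -s) GITHUB_CLIENT_SECRET=$val ;;
    -o) GITHUB_ORG=$val ;;
    -t) GITHUB_TEAM=$val ;;
    --iaas) IAAS=$val ;;
    --manifest) MANIFEST=$val ;;
    --web-public-ip) WEB_PUBLIC_IP=$val ;;
    --vault-insecure-skip-verify) check_bool "$opt" "$val"; VAULT_INSECURE_SKIP_VERIFY=$val ;;
  esac
}

#######################################
# Parses the command line. Every option takes exactly one value, which is
# consumed whole, so values containing spaces (passwords, secrets) survive;
# the previous `for arg in $*` loop word-split them and let option values be
# re-read as options.
# Arguments: the script's "$@"
# Returns:   exits 0 after usage for -h; exits 1 on a missing value or an
#            invalid true/false flag. Unrecognised words are reported on
#            stderr and skipped, as before.
#######################################
parse_args() {
  while (( $# > 0 )); do
    local opt=$1
    case "$opt" in
      -h)
        usage
        exit 0
        ;;
      -i|-u|-d|-p|-n|-v|-a|-r|-g|-c|-s|-o|-t|--iaas|--manifest|--web-public-ip|--vault-insecure-skip-verify)
        if (( $# < 2 )); then
          printf 'Option %s requires a value\n' "$opt" >&2
          exit 1
        fi
        set_option "$opt" "$2"
        shift 2
        ;;
      *)
        printf 'Ignoring unrecognised argument: %s\n' "$opt" >&2
        shift
        ;;
    esac
  done
}

# Secrets given via -p, -r and -s arrive on argv and are readable in the
# process list while the script runs; prefer supplying them from a wrapper
# that reads a secret store over typing them on an interactive command line.
parse_args "$@"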
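#######################################
# Prints the host part of a URL: the scheme, port and path are stripped.
# Arguments: $1 - URL such as https://host:8080/path
# Outputs:   the bare host on stdout (no trailing newline)
#######################################
host_from_url() {
  local host=${1#*://}   # drop "scheme://"
  host=${host%%/*}       # drop any path
  host=${host%%:*}       # drop any port
  printf '%s' "$host"
}

# If --web-public-ip was not provided, derive it from the -u URL. It is passed
# to the deploy as web_public_ip on public clouds (aws). The previous test was
# `[ ! -z $WEB_PUBLIC_IP ]`, i.e. inverted: it overwrote an explicitly supplied
# value and never defaulted a missing one.
if [[ -z "${WEB_PUBLIC_IP:-}" ]]; then
  WEB_PUBLIC_IP=$(host_from_url "$CONCOURSE_EXTERNAL_URL")
fi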
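#CONCOURSE_RELEASE=https://bosh.io/d/github.com/concourse/concourse
#GARDEN_RUNC_RELEASE=https://bosh.io/d/github.com/cloudfoundry/garden-runc-release
#POSTGRES_RELEASE=http://bosh.io/d/github.com/cloudfoundry/postgres-release

#######################################
# Prints the bosh.io stemcell URL for an IaaS.
# Arguments: $1 - one of vsphere, aws, azure, google
# Outputs:   the URL on stdout (no trailing newline)
# Returns:   1, with a message on stderr, for any other value
#######################################
stemcell_url_for_iaas() {
  case "$1" in
    vsphere) printf '%s' https://bosh.io/d/stemcells/bosh-vsphere-esxi-ubuntu-trusty-go_agent ;;
    aws)     printf '%s' https://bosh.io/d/stemcells/bosh-aws-xen-hvm-ubuntu-trusty-go_agent ;;
    azure)   printf '%s' https://bosh.io/d/stemcells/bosh-azure-hyperv-ubuntu-trusty-go_agent ;;
    google)  printf '%s' https://bosh.io/d/stemcells/bosh-google-kvm-ubuntu-trusty-go_agent ;;
    *)
      printf 'Unsupported iaas "%s" (expected vsphere, aws, azure or google)\n' "$1" >&2
      return 1
      ;;
  esac
}

# Under `set -e` a failing substitution aborts the script, so an unknown IaaS
# no longer slips through as an empty STEMCELL into `bosh2 us`.
STEMCELL=$(stemcell_url_for_iaas "$IAAS")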
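# Working directory for this deployment's generated files (interpolated
# manifests and the vars store).
mkdir -p -- "$DEPLOYMENT_DIR"
# Upload the stemcell needed for the deployment. The release uploads are
# currently disabled; the commented lines are kept for reference.
printf '%s\n' "$STEMCELL"
#bosh2 ur $CONCOURSE_RELEASE
#bosh2 ur $POSTGRES_RELEASE
#bosh2 ur $GARDEN_RUNC_RELEASE
bosh2 us "$STEMCELL"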
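# Extra `-v key=value` pairs for `bosh2 deploy`. Kept as an array so that
# values containing spaces (passwords, client secrets) reach bosh2 as single
# arguments; the previous string concatenation word-split them.
DEPLOY_ARGS=()

# Configure Vault: mount the secrets path, install the Concourse policy and
# mint a periodic token restricted to that policy for Concourse to use.
if [[ "$VAULT_INTEGRATION" == true ]]; then
  echo "Setting up integration with vault at $VAULT_ADDR"
  export VAULT_ADDR
  export VAULT_SKIP_VERIFY="$VAULT_INSECURE_SKIP_VERIFY"
  # The root token is passed on argv and is readable in the process list for
  # the duration of this call.
  vault auth "$VAULT_ROOT_TOKEN"
  # /concourse may already be mounted, in which case `vault mount` fails. We
  # only need the mount to exist, so that failure is deliberately ignored.
  vault mount -path=/concourse -description="Secrets for concourse pipelines" generic || true
  vault policy-write policy-concourse policy.hcl
  TOKEN_CREATE_JSON=$(vault token-create --policy=policy-concourse -period="600h" -format=json)
  CLIENT_TOKEN=$(jq -r .auth.client_token <<<"$TOKEN_CREATE_JSON")
  bosh2 interpolate "$MANIFEST" -o operations/vault-patch.yml > "$DEPLOYMENT_DIR/concourse_stub_vault.yml"
  MANIFEST="$DEPLOYMENT_DIR/concourse_stub_vault.yml"
  # Hand Concourse the policy-scoped token minted above. The original passed
  # VAULT_ROOT_TOKEN here and never used CLIENT_TOKEN, giving the deployment
  # root access to Vault for no reason; the root token is only needed for the
  # mount/policy bootstrap.
  DEPLOY_ARGS+=(
    -v "vault-url=$VAULT_ADDR"
    -v "vault-token=$CLIENT_TOKEN"
    -v "insecure_skip_verify=$VAULT_INSECURE_SKIP_VERIFY"
  )
fi

# Configure github authentication, falling back to basic auth.
if [[ "$GITHUB_INTEGRATION" == true ]]; then
  echo "Setting up authentication with github org $GITHUB_ORG and team $GITHUB_TEAM"
  # Applied on top of whatever MANIFEST currently is, so the vault patch (if
  # any) is preserved.
  bosh2 interpolate "$MANIFEST" -o operations/github-auth-patch.yml > "$DEPLOYMENT_DIR/concourse_stub_github.yml"
  DEPLOY_ARGS+=(
    -v "github_organization=$GITHUB_ORG"
    -v "github_team=$GITHUB_TEAM"
    -v "github_client_id=$GITHUB_CLIENT_ID"
    -v "github_client_secret=$GITHUB_CLIENT_SECRET"
  )
  MANIFEST="$DEPLOYMENT_DIR/concourse_stub_github.yml"
else
  echo "Using basic authentication"
  DEPLOY_ARGS+=(-v "concourse_admin_password=$CONCOURSE_PASSWORD")
fi
echo "manifest = $MANIFEST"

# Deploy concourse. Arguments common to every IaaS; bosh2 writes the
# credentials it generates to the vars store under DEPLOYMENT_DIR, so that
# directory should be protected like any other secret material.
BOSH_DEPLOY_ARGS=(
  -n -d "$DEPLOYMENT_NAME" deploy "$MANIFEST"
  "--vars-store=$DEPLOYMENT_DIR/vars.yml"
  -v "deployment_name=$DEPLOYMENT_NAME"
  -v "internal_ip=$CONCOURSE_FQDN"
  -v "external_url=$CONCOURSE_EXTERNAL_URL"
)
case "$IAAS" in
  vsphere)
    bosh2 "${BOSH_DEPLOY_ARGS[@]}" "${DEPLOY_ARGS[@]}"
    ;;
  aws)
    bosh2 "${BOSH_DEPLOY_ARGS[@]}" "${DEPLOY_ARGS[@]}" -v "web_public_ip=$WEB_PUBLIC_IP"
    ;;
  *)
    # azure/google have a stemcell mapping above but no deploy step here; the
    # original fell off the end silently with nothing deployed.
    printf 'No deploy step is defined for iaas "%s"; nothing deployed\n' "$IAAS" >&2
    exit 1
    ;;
esac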