From d177d1f28e76055c85d54f35e17fb24f041e9619 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 22 Nov 2022 21:23:56 +0100 Subject: [PATCH] Install/configure Garage Add a garage cookbook that installs the garage binary distribution and creates the necessary configuration and system service. Also deploy two new VMs to act as storage nodes. refs #428 --- clients/garage-1.json | 4 + clients/garage-2.json | 4 + clients/garage-3.json | 4 + data_bags/credentials/garage.json | 17 +++ nodes/garage-1.json | 56 +++++++++ nodes/garage-2.json | 63 ++++++++++ nodes/garage-3.json | 63 ++++++++++ roles/garage_node.rb | 6 + .../kosmos_garage/.delivery/project.toml | 32 +++++ site-cookbooks/kosmos_garage/.gitignore | 25 ++++ site-cookbooks/kosmos_garage/Berksfile | 3 + site-cookbooks/kosmos_garage/CHANGELOG.md | 11 ++ site-cookbooks/kosmos_garage/LICENSE | 3 + site-cookbooks/kosmos_garage/README.md | 14 +++ .../kosmos_garage/attributes/default.rb | 9 ++ site-cookbooks/kosmos_garage/chefignore | 115 ++++++++++++++++++ .../kosmos_garage/environments/testing.json | 3 + site-cookbooks/kosmos_garage/kitchen.yml | 36 ++++++ site-cookbooks/kosmos_garage/metadata.rb | 11 ++ .../kosmos_garage/recipes/default.rb | 64 ++++++++++ .../kosmos_garage/recipes/firewall.rb | 36 ++++++ .../kosmos_garage/templates/garage.toml.erb | 26 ++++ .../default/data_bags/credentials/garage.json | 17 +++ .../test/integration/default/default_test.rb | 21 ++++ .../default/encrypted_data_bag_secret | 1 + 25 files changed, 644 insertions(+) create mode 100644 clients/garage-1.json create mode 100644 clients/garage-2.json create mode 100644 clients/garage-3.json create mode 100644 data_bags/credentials/garage.json create mode 100644 nodes/garage-1.json create mode 100644 nodes/garage-2.json create mode 100644 nodes/garage-3.json create mode 100644 roles/garage_node.rb create mode 100644 site-cookbooks/kosmos_garage/.delivery/project.toml create mode 100644 site-cookbooks/kosmos_garage/.gitignore create mode 100644 site-cookbooks/kosmos_garage/Berksfile create mode 
100644 site-cookbooks/kosmos_garage/CHANGELOG.md create mode 100644 site-cookbooks/kosmos_garage/LICENSE create mode 100644 site-cookbooks/kosmos_garage/README.md create mode 100644 site-cookbooks/kosmos_garage/attributes/default.rb create mode 100644 site-cookbooks/kosmos_garage/chefignore create mode 100644 site-cookbooks/kosmos_garage/environments/testing.json create mode 100644 site-cookbooks/kosmos_garage/kitchen.yml create mode 100644 site-cookbooks/kosmos_garage/metadata.rb create mode 100644 site-cookbooks/kosmos_garage/recipes/default.rb create mode 100644 site-cookbooks/kosmos_garage/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos_garage/templates/garage.toml.erb create mode 100644 site-cookbooks/kosmos_garage/test/integration/default/data_bags/credentials/garage.json create mode 100644 site-cookbooks/kosmos_garage/test/integration/default/default_test.rb create mode 100644 site-cookbooks/kosmos_garage/test/integration/default/encrypted_data_bag_secret diff --git a/clients/garage-1.json b/clients/garage-1.json new file mode 100644 index 0000000..bf9028e --- /dev/null +++ b/clients/garage-1.json @@ -0,0 +1,4 @@ +{ + "name": "garage-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9cshySZB1wzBIQTbJ9Wk\nn0eSV+pm77xGoAb3w3BqX0MyPAdKVKGBsHEsBDRSSi99fA2RWc9sKLILjJgJarcU\nzp92fLrQSXAE58+xHMKax7KZSQlcQx0L42hZw1+OLktJQp76Iw7mnzKhVT6BJRzl\nGDvfqJenCpWTYaRZFtnq59j+pGtC0tu3vRF92xH+iSVINT/Y2Zalq/fVIwUOo6EY\nM7mdQQHw/EJG7+ulh5P2kxJaAyaBjjfo4GMi2Tny/335nk4yTZZYKmYDsfaM+cLq\nda9VfgC8gtXkVVahuNoZ0SS0y5JkP6uHwNtv1NeW87b4xZJ4TPRUIkSc6o1cbX5m\n2wIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/garage-2.json b/clients/garage-2.json new file mode 100644 index 0000000..8b43f12 --- /dev/null +++ b/clients/garage-2.json 
@@ -0,0 +1,4 @@ +{ + "name": "garage-2", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuZbclnx/1Oas1+q5vUz\nsvCpTwKBrb3dah2YoZfZg0K15+MZshSyCZxo5T+SGp2OwhV65UptMJZbeyhVtzEp\ncN62G7exf65rNesXOL82PNQC6iInxNvyOgzdTOo7tdQ2ln/3QRpZOtUOB9PEkK17\nNmHfVIWKEc9YajRff5zE1LzSWulTNJ3D4GAIhsli//Rv45MhjyYoQKf1AXtqI72A\n2FE2YWXOjjSHJIPRfcUrmBOmEt/gkWySxGAs8Dg112vOC1ftk0KiQFWKVydMicIj\nyySQH1/neQFSq2HLNajDc9S2l7cjhPEjov7taS9LkXfPtnfN8ajEEP0S2MgZnf4N\ngwIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/garage-3.json b/clients/garage-3.json new file mode 100644 index 0000000..49ea275 --- /dev/null +++ b/clients/garage-3.json @@ -0,0 +1,4 @@ +{ + "name": "garage-3", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRSB8/ObjvQq6WuOVS/f\nypdX/2fLsUlt5tQ8GNuSY9rSM8gdvcXUvnPlxthZO4yvcPX85wmtBZX8fRJFdkJg\nYRCJbuVKO9sLTq8OUWXYpfU1q10FUhl034zxOMslpxVB6toirnk025vyq9jbuKP+\nYO+c40KZr67mgm0hveJfylayfiKP1HGm4HrV0maFivCgC8D+MPDDv75CsqRe5WSc\nh2CoauDJwVlhKZ92yq87ugGBhJJRUGOQZcfEvkUGj/HNAS6tuHl8YmVmhO8hBdee\nNto6RF54E1zB80R9oT/qitw23miEyUcHHVxhTR4tTWflZgd8l4wDOhX3Nf20xknu\nFQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/data_bags/credentials/garage.json b/data_bags/credentials/garage.json new file mode 100644 index 0000000..7097d4b --- /dev/null +++ b/data_bags/credentials/garage.json 
@@ -0,0 +1,17 @@ +{ + "id": "garage", + "rpc_secret": { + "encrypted_data": "E3XtqLPuJXnRq6AIatVJe1+hoG236iRxz9s//qyYYgaBcvYRnBWwFSH/+cT9\n3bzZ+WE6lOqAPxYbj2riAPkdhdLbrR9tPipJNZyTncX5ByL510Q=\n", + "iv": "qBW1jUvUvHYPhjkn\n", + "auth_tag": "ao36nanF1pnAzmaoHwhJNQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "admin_token": { + "encrypted_data": "O0Cndl8n8/I1igGeMej46fSi9nje9CYGkLB/PfUhIxcZOkmRpvOnKSSn4B6l\nzC59xZmsEWT51hF4UmR1k2ATvWeLHdk24dWM/LK1Is16RmmlAeU=\n", + "iv": "kGTropuG44BUOJ7W\n", + "auth_tag": "/i9fVJ2iLcYSRZ5APe03qQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/garage-1.json b/nodes/garage-1.json new file mode 100644 index 0000000..c1ebd04 --- /dev/null +++ b/nodes/garage-1.json @@ -0,0 +1,56 @@ +{ + "name": "garage-1", + "normal": { + "knife_zero": { + "host": "10.1.1.102" + } + }, + "automatic": { + "fqdn": "garage-1", + "os": "linux", + "os_version": "5.4.0-132-generic", + "hostname": "garage-1", + "ipaddress": "192.168.122.41", + "roles": [ + "base", + "kvm_guest" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "role[base]", + "role[kvm_guest]" + ] +} \ No newline at end of file 
diff --git a/nodes/garage-2.json b/nodes/garage-2.json new file mode 100644 index 0000000..ce31ec1 --- /dev/null +++ b/nodes/garage-2.json @@ -0,0 +1,63 @@ +{ + "name": "garage-2", + "normal": { + "knife_zero": { + "host": "10.1.1.40" + } + }, + "automatic": { + "fqdn": "garage-2", + "os": "linux", + "os_version": "5.4.0-132-generic", + "hostname": "garage-2", + "ipaddress": "192.168.122.241", + "roles": [ + "base", + "kvm_guest", + "garage_node" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "role[base]", + "role[kvm_guest]", + "role[garage_node]" + ] +} \ No newline at end of file diff --git a/nodes/garage-3.json b/nodes/garage-3.json new file mode 100644 index 0000000..d0ef159 --- /dev/null +++ b/nodes/garage-3.json 
@@ -0,0 +1,63 @@ +{ + "name": "garage-3", + "normal": { + "knife_zero": { + "host": "10.1.1.39" + } + }, + "automatic": { + "fqdn": "garage-3", + "os": "linux", + "os_version": "5.4.0-132-generic", + "hostname": "garage-3", + "ipaddress": "192.168.122.191", + "roles": [ + "base", + "kvm_guest", + "garage_node" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "role[base]", + "role[kvm_guest]", + "role[garage_node]" + ] +} \ No newline at end of file diff --git a/roles/garage_node.rb b/roles/garage_node.rb new file mode 100644 index 0000000..b1d2183 --- /dev/null +++ b/roles/garage_node.rb @@ -0,0 +1,6 @@ +name "garage_node" + +run_list %w( + kosmos_garage::default + kosmos_garage::firewall +) diff --git a/site-cookbooks/kosmos_garage/.delivery/project.toml b/site-cookbooks/kosmos_garage/.delivery/project.toml new file mode 100644 index 0000000..3496f78 --- /dev/null +++ b/site-cookbooks/kosmos_garage/.delivery/project.toml 
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" \ No newline at end of file diff --git a/site-cookbooks/kosmos_garage/.gitignore b/site-cookbooks/kosmos_garage/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/site-cookbooks/kosmos_garage/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/site-cookbooks/kosmos_garage/Berksfile b/site-cookbooks/kosmos_garage/Berksfile new file mode 100644 index 0000000..34fea21 --- /dev/null +++ b/site-cookbooks/kosmos_garage/Berksfile 
@@ -0,0 +1,3 @@ +source 'https://supermarket.chef.io' + +metadata diff --git a/site-cookbooks/kosmos_garage/CHANGELOG.md b/site-cookbooks/kosmos_garage/CHANGELOG.md new file mode 100644 index 0000000..f8c3afa --- /dev/null +++ b/site-cookbooks/kosmos_garage/CHANGELOG.md @@ -0,0 +1,11 @@ +# kosmos_garage CHANGELOG + +This file is used to list changes made in each version of the kosmos_garage cookbook. + +## 0.2.0 + +Add nginx recipe to configure public API access. + +## 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos_garage/LICENSE b/site-cookbooks/kosmos_garage/LICENSE new file mode 100644 index 0000000..080dee9 --- /dev/null +++ b/site-cookbooks/kosmos_garage/LICENSE @@ -0,0 +1,3 @@ +Copyright 2021 The Authors + +All rights reserved, do not redistribute. diff --git a/site-cookbooks/kosmos_garage/README.md b/site-cookbooks/kosmos_garage/README.md new file mode 100644 index 0000000..aaf85cb --- /dev/null +++ b/site-cookbooks/kosmos_garage/README.md @@ -0,0 +1,14 @@ +# kosmos_garage + +Configures/deploys Garage + +## Integration tests + +With a Docker daemon running on your system, change to +`site-cookbooks/kosmos_garage/`, and use the following commands to create, +converge, and verify a local node: + + chef exec kitchen create + chef exec kitchen converge + chef exec kitchen verify + chef exec kitchen desroy diff --git a/site-cookbooks/kosmos_garage/attributes/default.rb b/site-cookbooks/kosmos_garage/attributes/default.rb new file mode 100644 index 0000000..c1c6b35 --- /dev/null +++ b/site-cookbooks/kosmos_garage/attributes/default.rb 
@@ -0,0 +1,9 @@
+node.default['garage']['version'] = '0.8.0'
+node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['s3_api_port'] = 3900
+node.default['garage']['rpc_port'] = 3901
+node.default['garage']['s3_web_port'] = 3902
+node.default['garage']['admin_port'] = 3903
+node.default['garage']['k2v_api_port'] = 3904
+node.default['garage']['s3_api_root_domain'] = '.s3.garage.kosmos.org'
+node.default['garage']['s3_web_root_domain'] = '.web.garage.kosmos.org'
diff --git a/site-cookbooks/kosmos_garage/chefignore b/site-cookbooks/kosmos_garage/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/chefignore
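Review bot: Only the ports, checksum and root domains get defaults here, while recipes/default.rb in the same patch falls back inline with `|| '/var/lib/garage/meta'`, `|| '/var/lib/garage/data'`, `|| 'lmdb'` and `|| 'garage'` for `metadata_dir`, `data_dir`, `db_engine` and `s3_region`; declaring those four in this file too keeps every tunable in one place and lets the recipe read the attributes directly. The `node.default[...]` form works, but attribute files conventionally use the bare `default[...]` DSL, and Cookstyle will point that out.
```ruby
# … unchanged: version, checksum, port and root_domain attributes …
node.default['garage']['metadata_dir'] = '/var/lib/garage/meta'
node.default['garage']['data_dir'] = '/var/lib/garage/data'
node.default['garage']['db_engine'] = 'lmdb'
node.default['garage']['s3_region'] = 'garage'
```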
@@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos_garage/environments/testing.json b/site-cookbooks/kosmos_garage/environments/testing.json new file mode 100644 index 0000000..0d3d5b3 --- /dev/null +++ b/site-cookbooks/kosmos_garage/environments/testing.json @@ -0,0 +1,3 @@ +{ + "name": "testing" +} \ No newline at end of file diff --git a/site-cookbooks/kosmos_garage/kitchen.yml b/site-cookbooks/kosmos_garage/kitchen.yml new file mode 100644 index 0000000..699bf10 --- /dev/null +++ b/site-cookbooks/kosmos_garage/kitchen.yml 
@@ -0,0 +1,36 @@
+---
+driver:
+ name: dokken
+ pull_platform_image: false
+ pull_chef_image: false
+ memory_limit: 2147483648 # 2GB
+
+transport:
+ name: dokken
+
+provisioner:
+ name: dokken
+ clean_dokken_sandbox: false
+ client_rb:
+ environment: testing
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ driver:
+ image: dokken/ubuntu-20.04
+ privileged: true
+ pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+ - name: garage
+ data_bags_path: "test/integration/default/data_bags"
+ encrypted_data_bag_secret_key_path: "test/integration/default/encrypted_data_bag_secret"
+ run_list:
+ - recipe[kosmos_garage::default]
+ verifier:
+ inspec_tests:
+ - test/integration/default
+ attributes:
diff --git a/site-cookbooks/kosmos_garage/metadata.rb b/site-cookbooks/kosmos_garage/metadata.rb
new file mode 100644
index 0000000..f1fde81
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/metadata.rb
@@ -0,0 +1,11 @@
+name 'kosmos_garage'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/configures Garage'
+version '0.1.0'
+chef_version '>= 15.0'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'firewall'
diff --git a/site-cookbooks/kosmos_garage/recipes/default.rb b/site-cookbooks/kosmos_garage/recipes/default.rb
new file mode 100644
index 0000000..0019bbe
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/default.rb
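Review bot: `license 'MIT'` in metadata.rb contradicts the LICENSE file added by the same patch, which reads "All rights reserved, do not redistribute."; one of the two should change so the metadata says what the LICENSE actually grants. CHANGELOG.md in this patch also lists a 0.2.0 entry ("Add nginx recipe to configure public API access") although `version '0.1.0'` is declared here and no nginx recipe is added; that entry looks carried over from another cookbook and should be dropped until the recipe exists.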
@@ -0,0 +1,64 @@
+#
+# Cookbook:: kosmos_garage
+# Recipe:: default
+#
+
+remote_file 'garage' do
+ source "https://garagehq.deuxfleurs.fr/_releases/v#{node['garage']['version']}/x86_64-unknown-linux-musl/garage"
+ checksum node['garage']['checksum']['amd64']
+ path '/usr/local/bin/garage'
+ mode '0755'
+ ssl_verify_mode :verify_none if node.chef_environment == 'testing'
+ notifies :restart, 'service[garage]', :delayed
+end
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'garage')
+
+template '/etc/garage.toml' do
+ source 'garage.toml.erb'
+ mode '0744'
+ variables metadata_dir: node['garage']['metadata_dir'] || '/var/lib/garage/meta',
+ data_dir: node['garage']['data_dir'] || '/var/lib/garage/data',
+ db_engine: node['garage']['db_engine'] || 'lmdb',
+ rpc_port: node['garage']['rpc_port'],
+ rpc_public_addr: "#{node.dig('knife_zero', 'host') || '127.0.0.1'}:#{node['garage']['rpc_port']}",
+ rpc_secret: credentials['rpc_secret'],
+ s3_region: node['garage']['s3_region'] || 'garage',
+ s3_api_port: node['garage']['s3_api_port'],
+ s3_api_root_domain: node['garage']['s3_api_root_domain'] || '.s3.garage.localhost',
+ s3_web_port: node['garage']['s3_web_port'],
+ s3_web_root_domain: node['garage']['s3_web_root_domain'] || '.web.garage.localhost',
+ k2v_api_port: node['garage']['k2v_api_port'],
+ admin_port: node['garage']['admin_port'],
+ admin_token: credentials['admin_token']
+ notifies :restart, 'service[garage]', :delayed
+end
+
+systemd_unit 'garage.service' do
+ content({
+ Unit: {
+ Description: 'Garage Data Store',
+ Documentation: ['https://garagehq.deuxfleurs.fr/documentation/quick-start/'],
+ After: 'network-online.target',
+ Wants: 'network-online.target'
+ },
+ Service: {
+ Environment: 'RUST_LOG=garage=info RUST_BACKTRACE=1',
+ ExecStart: '/usr/local/bin/garage server',
+ StateDirectory: 'garage',
+ DynamicUser: true,
+ ProtectHome: true,
+ NoNewPrivileges: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create]
+end
+
+service 'garage' do
+ action [:enable, :start]
+end
diff --git a/site-cookbooks/kosmos_garage/recipes/firewall.rb b/site-cookbooks/kosmos_garage/recipes/firewall.rb
new file mode 100644
index 0000000..d67fa55
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/firewall.rb
@@ -0,0 +1,36 @@
+include_recipe 'firewall'
+
+firewall_rule 'garage_s3_api' do
+ command :allow
+ protocol :tcp
+ source "10.1.1.0/24"
+ port node['garage']['s3_api_port']
+end
+
+firewall_rule 'garage_rpc' do
+ command :allow
+ protocol :tcp
+ source "10.1.1.0/24"
+ port node['garage']['rpc_port']
+end
+
+firewall_rule 'garage_s3_web' do
+ command :allow
+ protocol :tcp
+ source "10.1.1.0/24"
+ port node['garage']['s3_web_port']
+end
+
+firewall_rule 'garage_admin' do
+ command :allow
+ protocol :tcp
+ source "10.1.1.0/24"
+ port node['garage']['admin_port']
+end
+
+firewall_rule 'garage_k2v_api' do
+ command :allow
+ protocol :tcp
+ source "10.1.1.0/24"
+ port node['garage']['k2v_api_port']
+end
diff --git a/site-cookbooks/kosmos_garage/templates/garage.toml.erb b/site-cookbooks/kosmos_garage/templates/garage.toml.erb
new file mode 100644
index 0000000..85bfc6a
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/templates/garage.toml.erb
@@ -0,0 +1,26 @@
+metadata_dir = "<%= @metadata_dir %>"
+data_dir = "<%= @data_dir %>"
+db_engine = "<%= @db_engine %>"
+
+replication_mode = "none"
+
+rpc_bind_addr = "[::]:<%= @rpc_port %>"
+rpc_public_addr = "<%= @rpc_public_addr %>"
+rpc_secret = "<%= @rpc_secret %>"
+
+[s3_api]
+s3_region = "<%= @s3_region %>"
+api_bind_addr = "[::]:<%= @s3_api_port %>"
+root_domain = "<%= @s3_api_root_domain %>"
+
+[s3_web]
+bind_addr = "[::]:<%= @s3_web_port %>"
+root_domain = "<%= @s3_web_root_domain %>"
+index = "index.html"
+
+[k2v_api]
+api_bind_addr = "[::]:<%= @k2v_api_port %>"
+
+[admin]
+api_bind_addr = "0.0.0.0:<%= @admin_port %>"
+admin_token = "<%= @admin_token %>"
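Review bot: `mode '0744'` on the `template '/etc/garage.toml'` resource leaves a file that contains both `rpc_secret` and `admin_token` readable by every local account, and the execute bit is meaningless on a config file; `'0600'` or `'0640'` is the bar for a file holding the cluster secret. Because the unit is declared with `DynamicUser: true` the owner cannot simply be set to a fixed service account, so either add a `user 'garage'` resource plus `User: 'garage'` in the unit and render with `mode '0640'` and `group 'garage'`, or keep DynamicUser and hand the root-owned `0600` file to the service through systemd `LoadCredential=` (garage accepts an alternate config path on its command line, via `-c` as far as I recall — confirm against the 0.8.0 binary). The InSpec suite added in this patch checks the binary's mode but not this file's, so whichever route is taken should come with a matching test.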
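Review bot: The five `firewall_rule` blocks differ only in their name and the port attribute they read, and the allowed source `"10.1.1.0/24"` is repeated as a literal five times; hoisting it into one variable (or a node attribute) and iterating over the five listener names removes the duplication and makes a later change to the management network a one-line edit. The double-quoted `"10.1.1.0/24"` also departs from the single-quoted strings used everywhere else in the cookbook. Rule names and the `node['garage'][...]` keys are preserved below so existing references keep working.
```ruby
include_recipe 'firewall'

# Management network allowed to reach every Garage listener
allowed_source = '10.1.1.0/24'

%w[s3_api rpc s3_web admin k2v_api].each do |listener|
  firewall_rule "garage_#{listener}" do
    command :allow
    protocol :tcp
    source allowed_source
    port node['garage']["#{listener}_port"]
  end
end
```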
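Review bot: `api_bind_addr = "0.0.0.0:<%= @admin_port %>"` under `[admin]` is the only listener in the file not bound to `[::]`, so the admin API is IPv4-only yet listens on every interface; if that difference is deliberate a comment should say why, otherwise `[::]` keeps it consistent with the other sections. The 10.1.1.0/24 restriction comes from the separate `kosmos_garage::firewall` recipe, so a node converging only the default recipe (the kitchen.yml run_list in this patch does exactly that) has the token-protected admin API reachable on all addresses; passing a dedicated bind-address variable from the recipe (the knife_zero host already used for `rpc_public_addr` would do) would not depend on the firewall recipe being present. `<%= @rpc_secret %>` and `<%= @admin_token %>` are interpolated into TOML basic strings without escaping, which is fine for hex or base64 values but would break the file for a secret containing `"` or `\`. `replication_mode = "none"` is hard-coded although the commit message deploys two storage nodes; presumably a follow-up raises it, but a comment saying so would help the next reader.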
diff --git a/site-cookbooks/kosmos_garage/test/integration/default/data_bags/credentials/garage.json b/site-cookbooks/kosmos_garage/test/integration/default/data_bags/credentials/garage.json
new file mode 100644
index 0000000..ad71d47
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/test/integration/default/data_bags/credentials/garage.json
@@ -0,0 +1,17 @@
+{
+ "id": "garage",
+ "admin_token": {
+ "encrypted_data": "BYRysR7CokS4943A3QL4/bN4dDdBs7TWgzbuTntB7cBIJqpnUbu2sd9PNjxo\nSjGTlwdnUUlbmCJzPfQ8oKCINrs+yilH3XIyzb4x//3h9rzE+qI=\n",
+ "iv": "rwOuaLi2kwg2Uw9g\n",
+ "auth_tag": "68j6nGYan1DiQQKmmpPW9A==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "rpc_secret": {
+ "encrypted_data": "x9qfeSGGBkGsErJ1vQuQKTcNksPh3xnyM1V09CvecNewVHkmWeP03WE3gjJH\nzUWooHrDn2Gaci8Pi9VYHg6+Gsw/w/l6BhTWByd6k/251pNTRps=\n",
+ "iv": "/QiOCspNokU3QCDB\n",
+ "auth_tag": "MWkUnKEAEDduPLG0kWd8Bg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos_garage/test/integration/default/default_test.rb b/site-cookbooks/kosmos_garage/test/integration/default/default_test.rb
new file mode 100644
index 0000000..aea8367
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/test/integration/default/default_test.rb
@@ -0,0 +1,21 @@
+# InSpec test for recipe kosmos_garage::garagej
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+describe file('/usr/local/bin/garage') do
+ it { should exist }
+ its('mode') { should cmp '00755' }
+end
+
+describe service('garage') do
+ it { should be_enabled }
+ it { should be_installed }
+ it { should be_running }
+end
+
+[3900, 3901, 3902, 3903, 3904].each do |port_number|
+ describe port(port_number) do
+ it { should be_listening }
+ end
+end
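Review bot: The header comment names a recipe that does not exist, `kosmos_garage::garagej`; it should read `# InSpec test for recipe kosmos_garage::default`. The suite verifies the binary, the service and the five listeners but never looks at the rendered /etc/garage.toml, which is the one file on the node holding secrets; a check such as `describe file('/etc/garage.toml') do` / `it { should_not be_readable.by('others') }` / `end` would catch a too-permissive mode (it would fail against the `0744` the default recipe in this patch currently renders, which is the point). The literal port list duplicates the defaults in attributes/default.rb, which is acceptable for a fixed fixture but will silently diverge if those attributes change.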
diff --git a/site-cookbooks/kosmos_garage/test/integration/default/encrypted_data_bag_secret b/site-cookbooks/kosmos_garage/test/integration/default/encrypted_data_bag_secret new file mode 100644 index 0000000..4bee0e9 --- /dev/null +++ b/site-cookbooks/kosmos_garage/test/integration/default/encrypted_data_bag_secret @@ -0,0 +1 @@ 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 \ No newline at end of file