deploy-templates: Add katapult deploy templates

Change-type: minor
Signed-off-by: Michael Angelos Simos <michalis@balena.io>
Michael Angelos Simos 2018-11-08 23:01:05 +02:00
parent 3fcc2c4d6a
commit 32670ddea3
GPG Key ID: B4AE9D0D94C81891
4 changed files with 413 additions and 0 deletions


@ -0,0 +1,6 @@
openbalena:
version: v1.0.0
docker-compose:
template: openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml
config-store: openbalena/v1.0.0/docker-compose/environment.env
archive-store: release


@ -0,0 +1,231 @@
---
properties:
- OPENBALENA_PRODUCTION_MODE:
type: string
enum:
- 'true'
- 'false'
- OPENBALENA_COOKIE_SESSION_SECRET:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_HOST_NAME:
type: hostname
- OPENBALENA_JWT_SECRET:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_RESINOS_REGISTRY_CODE:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_ROOT_KEY:
type: string
default:
eval: base64(GENERATE_PRIVATE_KEY({bits: 4096}))
- OPENBALENA_CRT_KEY:
type: string
default:
eval: base64(GENERATE_PRIVATE_KEY({bits: 4096}))
- OPENBALENA_ROOT_CA:
type: string
default:
eval: >
base64(GENERATE_CA_CERT({
caAttrs: {
C: 'US',
L: 'Seattle',
O: 'Balena Ltd.',
OU: 'DevOps',
CN: 'global-ca.io',
ST: 'Washington'
},
caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY),
validFrom: '2015',
validTo: '2025',
bits: 4096
}))
- OPENBALENA_CRT:
type: string
default:
eval: >
base64(GENERATE_CERT({
certAttrs: {
C: 'US',
L: 'Seattle',
O: 'Balena Ltd.',
OU: 'DevOps',
CN: '*.' + OPENBALENA_HOST_NAME,
ST: 'Washington'
},
caCertPEM: base64decode(OPENBALENA_ROOT_CA),
caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY),
privateKeyPEM: base64decode(OPENBALENA_CRT_KEY),
validFrom: '2015',
validTo: '2025',
bits: 4096
}))
- OPENBALENA_TOKEN_AUTH_PUB:
type: string
- OPENBALENA_TOKEN_AUTH_KEY:
type: string
- OPENBALENA_TOKEN_AUTH_KID:
type: string
- OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN:
type: string
pattern: "^[0-9A-Za-z_]{16,128}$"
default:
eval: GENERATE_API_KEY({length: 64})
- OPENBALENA_VPN_SERVER_KEY:
type: string
default:
eval: base64(GENERATE_PRIVATE_KEY({bits: 4096}))
- OPENBALENA_VPN_SERVER_CRT:
type: string
default:
eval: >
base64(GENERATE_CERT({
caAttrs: {
C: 'US',
L: 'Seattle',
O: 'Balena Ltd.',
OU: 'DevOps',
CN: 'vpn-ca.' + OPENBALENA_HOST_NAME,
ST: 'Washington'
},
caCertPEM: base64decode(OPENBALENA_ROOT_CA),
caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY),
privateKeyPEM: base64decode(OPENBALENA_VPN_SERVER_KEY),
validFrom: '2015',
validTo: '2025'
}))
- OPENBALENA_VPN_SERVER_DH:
type: string
default:
eval: base64(GENERATE_DH_PARAM())
- OPENBALENA_VPN_SERVICE_API_KEY:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_API_VPN_SERVICE_API_KEY:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_REGISTRY_SECRET_KEY:
type: string
pattern: "^[0-9A-Za-z_]{16,64}$"
default:
eval: GENERATE_API_KEY({length: 32})
- OPENBALENA_VPN_CONFIG:
type: string
default:
eval: |-
base64(`
client
remote vpn.` + OPENBALENA_HOST_NAME + `443
resolv-retry infinite
remote-cert-tls server
ca /etc/openvpn/ca.crt
auth-user-pass /var/volatile/vpn-auth
auth-retry none
script-security 2
up /etc/openvpn-misc/upscript.sh
up-restart
down /etc/openvpn-misc/downscript.sh
comp-lzo
dev resin-vpn
dev-type tun
proto tcp
nobind
persist-key
persist-tun
verb 3
user openvpn
group openvpn
`)
- OPENBALENA_SUPERUSER_EMAIL:
type: email
- OPENBALENA_SUPERUSER_PASSWORD:
type: string
- OPENBALENA_SSH_AUTHORIZED_KEYS:
type: string
- OPENBALENA_HAPROXY_CONFIG:
type: string
default:
eval: |
`
{
"api": {
"backend": [
{
"url": "http://api:80"
}
],
"frontend": [
{
"protocol": "https",
"domain": "` + OPENBALENA_HOST_NAME + `",
"subdomain": "api",
"port": "443",
"crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `"
}
]
},
"registry": {
"backend": [
{
"url": "http://registry:80"
}
],
"frontend": [
{
"protocol": "https",
"domain": "` + OPENBALENA_HOST_NAME + `",
"subdomain": "registry",
"port": "443",
"crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `"
}
]
},
"s3": {
"backend": [
{
"url": "http://s3:80"
}
],
"frontend": [
{
"protocol": "https",
"domain": "` + OPENBALENA_HOST_NAME + `",
"subdomain": "s3",
"port": "443",
"crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `"
}
]
},
"vpn": {
"backend": [
{
"url": "tcp://vpn:443"
}
],
"frontend": [
{
"protocol": "tcp",
"domain": "` + OPENBALENA_HOST_NAME + `",
"subdomain": "vpn",
"port": "443"
}
]
}
}
`
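Review bot: The OpenVPN client config in OPENBALENA_VPN_CONFIG concatenates the host name straight onto the port — the template string after OPENBALENA_HOST_NAME begins with `443` and no space — so the rendered line is `remote vpn.<host>443`, which OpenVPN reads as a single (wrong) hostname with no port; the template literal needs to start with a space, i.e. ` 443`. The OPENBALENA_VPN_SERVER_CRT default passes its subject as `caAttrs` while the OPENBALENA_CRT default passes `certAttrs` to the same GENERATE_CERT helper; one of the two is presumably ignored, so the key names should agree. Both leaf certificates and the CA are pinned to `validFrom: '2015'` / `validTo: '2025'`, so every deployment, whenever created, issues certificates with the same fixed expiry; a comment such as `# fixed validity window — all generated certs expire together, plan rotation` above each default, or a relative validity, would avoid a silent fleet-wide outage. OPENBALENA_SUPERUSER_PASSWORD is `type: string` with no `pattern`, unlike the generated secrets, so nothing rejects an empty or trivial value at deploy time.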


@ -0,0 +1,8 @@
OPENBALENA_HOST_NAME=openbalena.local
OPENBALENA_PRODUCTION_MODE='false'
OPENBALENA_TOKEN_AUTH_PUB='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'
OPENBALENA_TOKEN_AUTH_KEY='LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBaTUptbkd5akZKU2YzdWlHTjVxL3k1M3hEeUFOeDVMc0lpOFNZMjM1cUNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFOG1TeXVtVWpBUjJGQzM2eTd2bVJaVy9JUHdsWGM2enIvUE84ZlNZdVZScktsS3U3aVd6ZApLQTlYeGNnU3d3WG1ERExYQUwyWWo5Uk9Ob3R3OEEwMWNnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo='
OPENBALENA_TOKEN_AUTH_KID='SkVGWTpHWVI0OllTQjc6N01FTTpTNFJCOjI3SUU6RjJDQzpVRktVOlJaS1k6Slg3Rjo3QVlJOldCTDU='
OPENBALENA_SUPERUSER_EMAIL='admin@openbalena.local'
OPENBALENA_SUPERUSER_PASSWORD='password'
OPENBALENA_SSH_AUTHORIZED_KEYS='AAAAB3NzaC1yc2EAAAADAQABAAABAQDabNCnNF/gRdkDOOJDpOfdEpKAvGdLsY3uMBgzHm41ut7aJVmtaUTNxZ9vXH9RI/OJ1O91oAvnypu8WsFIot5RDhH5HLmF4LX0j5CGYYC0a38h8yFBr6kUWP3PhvJh+wVZ7nWO6oTwGSKybnmlhSkxDErEVshPD/GQoN9Ka5OSMQuhbpqKBBUt+rseTz/O7r4WU1031mIjKVZjf8E1oSkeQZ5dxHp1fI75KtdvcXRq68pHIjVvZo+SFf6tRikxOeQOjD8Pe73SOein1SK6wnIeCGbau4jDni5vT9O257O1YhyHYmSE7YPhqIm/6scyHn713punXgbsqbXFjacRsGD/'
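Review bot: This file commits an EC private key (OPENBALENA_TOKEN_AUTH_KEY) together with its public half and key id, and fixes OPENBALENA_SUPERUSER_PASSWORD to `'password'`; because it is referenced as the `config-store` for the template, every deployment built from it shares the same token-signing key and admin credential. The properties file already generates every other private key at deploy time with GENERATE_PRIVATE_KEY, so the token-auth key pair should get the same treatment (or be left unset here) and the password should have no committed default. A private key that has been pushed to a repository should be regenerated rather than reused, and if these lines must remain a comment such as `# local-development placeholders only; regenerate before any real deployment` would at least mark the intent.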


@ -0,0 +1,168 @@
version: '2.1'
volumes:
db:
registry:
s3:
redis:
services:
api:
image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
depends_on:
- db
- s3
- redis
cap_add:
- SYS_ADMIN
- SYS_RESOURCE
tmpfs:
- /run
- /sys/fs/cgroup
security_opt:
- apparmor:unconfined
environment:
API_VPN_SERVICE_API_KEY: "{{{OPENBALENA_API_VPN_SERVICE_API_KEY}}}"
BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
CONFD_BACKEND: ENV
COOKIE_SESSION_SECRET: "{{{OPENBALENA_COOKIE_SESSION_SECRET}}}"
DB_HOST: db # <<
DB_PASSWORD: docker
DB_PORT: 5432
DB_USER: docker
DELTA_HOST: delta.{{{OPENBALENA_HOST_NAME}}}
DEVICE_CONFIG_OPENVPN_CONFIG: "{{{OPENBALENA_VPN_CONFIG}}}"
DEVICE_CONFIG_OPENVPN_CA: "{{{OPENBALENA_VPN_CA}}}"
DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: "{{{OPENBALENA_SSH_AUTHORIZED_KEYS}}}"
HOST: api.{{{OPENBALENA_HOST_NAME}}}
IMAGE_MAKER_URL: img.{{{OPENBALENA_HOST_NAME}}}
IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
IMAGE_STORAGE_PREFIX: resinos
IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
JSON_WEB_TOKEN_SECRET: "{{{OPENBALENA_JWT_SECRET}}}"
MIXPANEL_TOKEN: __unused__
PRODUCTION_MODE: '{{{OPENBALENA_PRODUCTION_MODE}}}'
PUBNUB_PUBLISH_KEY: __unused__
PUBNUB_SUBSCRIBE_KEY: __unused__
REDIS_HOST: redis
REDIS_PORT: 6379
REGISTRY2_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
REGISTRY_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
SENTRY_DSN:
SUPERUSER_EMAIL: "{{{OPENBALENA_SUPERUSER_EMAIL}}}"
SUPERUSER_PASSWORD: "{{{OPENBALENA_SUPERUSER_PASSWORD}}}"
TOKEN_AUTH_BUILDER_TOKEN: "{{{OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}}}"
TOKEN_AUTH_CERT_ISSUER: api.{{{OPENBALENA_HOST_NAME}}}
TOKEN_AUTH_CERT_KEY: "{{{OPENBALENA_TOKEN_AUTH_KEY}}}"
TOKEN_AUTH_CERT_KID: "{{{OPENBALENA_TOKEN_AUTH_KID}}}"
TOKEN_AUTH_CERT_PUB: "{{{OPENBALENA_TOKEN_AUTH_PUB}}}"
TOKEN_AUTH_JWT_ALGO: 'ES256'
VPN_HOST: vpn.{{{OPENBALENA_HOST_NAME}}}
VPN_PORT: 443
VPN_SERVICE_API_KEY: "{{{OPENBALENA_VPN_SERVICE_API_KEY}}}"
registry:
image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
depends_on:
- api
- s3
- redis
volumes:
- registry:/data
cap_add:
- SYS_ADMIN
- SYS_RESOURCE
tmpfs:
- /run
- /sys/fs/cgroup
security_opt:
- apparmor:unconfined
environment:
API_TOKENAUTH_CRT: "{{{OPENBALENA_TOKEN_AUTH_PUB}}}"
BALENA_REGISTRY2_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
BALENA_TOKEN_AUTH_ISSUER: api.{{{OPENBALENA_HOST_NAME}}}
BALENA_TOKEN_AUTH_REALM: https://api.{{{OPENBALENA_HOST_NAME}}}/auth/v1/token
COMMON_REGION:
REGISTRY2_S3_BUCKET:
REGISTRY2_S3_KEY:
REGISTRY2_S3_SECRET:
REGISTRY2_SECRETKEY: "{{{OPENBALENA_REGISTRY_SECRET_KEY}}}"
REGISTRY2_STORAGEPATH: /data
vpn:
image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
depends_on:
- api
cap_add:
- SYS_ADMIN
- SYS_RESOURCE
- NET_ADMIN
tmpfs:
- /run
- /sys/fs/cgroup
security_opt:
- apparmor:unconfined
environment:
API_SERVICE_API_KEY: "{{{OPENBALENA_API_VPN_SERVICE_API_KEY}}}"
BALENA_API_HOST: api.{{{OPENBALENA_HOST_NAME}}}
BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
BALENA_VPN_PORT: 443
PRODUCTION_MODE: '{{{OPEN_BALENA_PRODUCTION_MODE}}}'
RESIN_VPN_GATEWAY: 10.2.0.1
SENTRY_DSN:
VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
VPN_OPENVPN_CA_CRT: "{{{OPENBALENA_VPN_CA}}}"
VPN_OPENVPN_SERVER_CRT: "{{{OPENBALENA_VPN_SERVER_CRT}}}"
VPN_OPENVPN_SERVER_DH: "{{{OPENBALENA_VPN_SERVER_DH}}}"
VPN_OPENVPN_SERVER_KEY: "{{{OPENBALENA_VPN_SERVER_KEY}}}"
VPN_SERVICE_API_KEY: "{{{OPENBALENA_VPN_SERVICE_API_KEY}}}"
db:
image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
volumes:
- db:/var/lib/postgresql/data
s3:
image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
volumes:
- s3:/export
cap_add:
- SYS_RESOURCE
- SYS_ADMIN
tmpfs:
- /run
- /sys/fs/cgroup
security_opt:
- apparmor:unconfined
redis:
image: redis:alpine
volumes:
- redis:/data
cap_add:
- SYS_RESOURCE
- SYS_ADMIN
haproxy:
security_opt:
- seccomp:unconfined
image: balena/open-balena-haproxy:v1.0.1
depends_on:
- api
- registry
- vpn
- db
- s3
- redis
ports:
- "80:80"
- "443:443"
networks:
default:
aliases:
- api.{{{OPENBALENA_HOST_NAME}}}
- registry.{{{OPENBALENA_HOST_NAME}}}
- vpn.{{{OPENBALENA_HOST_NAME}}}
- s3.{{{OPENBALENA_HOST_NAME}}}
environment:
PROXY_CONFIG: '{{{OPENBALENA_HAPROXY_CONFIG}}}'
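Review bot: The vpn service sets `PRODUCTION_MODE: '{{{OPEN_BALENA_PRODUCTION_MODE}}}'` (extra underscore) while the api service and the properties file use `OPENBALENA_PRODUCTION_MODE`, so the placeholder cannot resolve and vpn runs with an empty or literal value; it should read `PRODUCTION_MODE: '{{{OPENBALENA_PRODUCTION_MODE}}}'`. `DEVICE_CONFIG_OPENVPN_CA` and `VPN_OPENVPN_CA_CRT` interpolate `OPENBALENA_VPN_CA`, which does not appear among the properties added in this commit — presumably it is meant to be OPENBALENA_ROOT_CA or a property still to be defined; please confirm. The stray `# <<` after `DB_HOST: db` looks like a leftover editing marker and should be removed or replaced with a real comment. Every service except db and haproxy is given `SYS_ADMIN` plus `apparmor:unconfined`, and haproxy gets `seccomp:unconfined`; a one-line comment per service stating which capability it actually needs would make these grants reviewable and let them be tightened later.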