From 32670ddea30444cbe2cb47174da1327ab6a8f4e4 Mon Sep 17 00:00:00 2001
From: Michael Angelos Simos
Date: Thu, 8 Nov 2018 23:01:05 +0200
Subject: [PATCH] deploy-templates: Add katapult deploy templates

Change-type: minor
Signed-off-by: Michael Angelos Simos
---
 deploy-templates/environments.yml | 6 +
 .../v1.0.0/docker-compose/config-manifest.yml | 231 ++++++++++++++++++
 .../v1.0.0/docker-compose/environment.env | 8 +
 .../templates/docker-compose.tpl.yml | 168 +++++++++++++
 4 files changed, 413 insertions(+)
 create mode 100644 deploy-templates/environments.yml
 create mode 100644 deploy-templates/openbalena/v1.0.0/docker-compose/config-manifest.yml
 create mode 100644 deploy-templates/openbalena/v1.0.0/docker-compose/environment.env
 create mode 100644 deploy-templates/openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml

diff --git a/deploy-templates/environments.yml b/deploy-templates/environments.yml
new file mode 100644
index 0000000..96e1a1d
--- /dev/null
+++ b/deploy-templates/environments.yml
@@ -0,0 +1,6 @@
+openbalena:
+ version: v1.0.0
+ docker-compose:
+ template: openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml
+ config-store: openbalena/v1.0.0/docker-compose/environment.env
+ archive-store: release
diff --git a/deploy-templates/openbalena/v1.0.0/docker-compose/config-manifest.yml b/deploy-templates/openbalena/v1.0.0/docker-compose/config-manifest.yml
new file mode 100644
index 0000000..b0d9b74
--- /dev/null
+++ b/deploy-templates/openbalena/v1.0.0/docker-compose/config-manifest.yml
@@ -0,0 +1,231 @@ +--- +properties: + - OPENBALENA_PRODUCTION_MODE: + type: string + enum: + - 'true' + - 'false' + - OPENBALENA_COOKIE_SESSION_SECRET: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_HOST_NAME: + type: hostname + - OPENBALENA_JWT_SECRET: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_RESINOS_REGISTRY_CODE: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_ROOT_KEY: + type: string + default: + eval: base64(GENERATE_PRIVATE_KEY({bits: 4096})) + - OPENBALENA_CRT_KEY: + type: string + default: + eval: base64(GENERATE_PRIVATE_KEY({bits: 4096})) + - OPENBALENA_ROOT_CA: + type: string + default: + eval: > + base64(GENERATE_CA_CERT({ + caAttrs: { + C: 'US', + L: 'Seattle', + O: 'Balena Ltd.', + OU: 'DevOps', + CN: 'global-ca.io', + ST: 'Washington' + }, + caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY), + validFrom: '2015', + validTo: '2025', + bits: 4096 + })) + - OPENBALENA_CRT: + type: string + default: + eval: > + base64(GENERATE_CERT({ + certAttrs: { + C: 'US', + L: 'Seattle', + O: 'Balena Ltd.', + OU: 'DevOps', + CN: '*.' 
+ OPENBALENA_HOST_NAME, + ST: 'Washington' + }, + caCertPEM: base64decode(OPENBALENA_ROOT_CA), + caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY), + privateKeyPEM: base64decode(OPENBALENA_CRT_KEY), + validFrom: '2015', + validTo: '2025', + bits: 4096 + })) + - OPENBALENA_TOKEN_AUTH_PUB: + type: string + - OPENBALENA_TOKEN_AUTH_KEY: + type: string + - OPENBALENA_TOKEN_AUTH_KID: + type: string + - OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN: + type: string + pattern: "^[0-9A-Za-z_]{16,128}$" + default: + eval: GENERATE_API_KEY({length: 64}) + - OPENBALENA_VPN_SERVER_KEY: + type: string + default: + eval: base64(GENERATE_PRIVATE_KEY({bits: 4096})) + - OPENBALENA_VPN_SERVER_CRT: + type: string + default: + eval: > + base64(GENERATE_CERT({ + caAttrs: { + C: 'US', + L: 'Seattle', + O: 'Balena Ltd.', + OU: 'DevOps', + CN: 'vpn-ca.' + OPENBALENA_HOST_NAME, + ST: 'Washington' + }, + caCertPEM: base64decode(OPENBALENA_ROOT_CA), + caPrivateKeyPEM: base64decode(OPENBALENA_ROOT_KEY), + privateKeyPEM: base64decode(OPENBALENA_VPN_SERVER_KEY), + validFrom: '2015', + validTo: '2025' + })) + - OPENBALENA_VPN_SERVER_DH: + type: string + default: + eval: base64(GENERATE_DH_PARAM()) + + - OPENBALENA_VPN_SERVICE_API_KEY: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_API_VPN_SERVICE_API_KEY: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_REGISTRY_SECRET_KEY: + type: string + pattern: "^[0-9A-Za-z_]{16,64}$" + default: + eval: GENERATE_API_KEY({length: 32}) + - OPENBALENA_VPN_CONFIG: + type: string + default: + eval: |- + base64(` + client + remote vpn.` + OPENBALENA_HOST_NAME + `443 + resolv-retry infinite + + remote-cert-tls server + ca /etc/openvpn/ca.crt + auth-user-pass /var/volatile/vpn-auth + auth-retry none + script-security 2 + up /etc/openvpn-misc/upscript.sh + up-restart + down /etc/openvpn-misc/downscript.sh + + comp-lzo + dev resin-vpn + dev-type 
tun + proto tcp + nobind + + persist-key + persist-tun + verb 3 + user openvpn + group openvpn + `) + - OPENBALENA_SUPERUSER_EMAIL: + type: email + - OPENBALENA_SUPERUSER_PASSWORD: + type: string + - OPENBALENA_SSH_AUTHORIZED_KEYS: + type: string + - OPENBALENA_HAPROXY_CONFIG: + type: string + default: + eval: | + ` + { + "api": { + "backend": [ + { + "url": "http://api:80" + } + ], + "frontend": [ + { + "protocol": "https", + "domain": "` + OPENBALENA_HOST_NAME + `", + "subdomain": "api", + "port": "443", + "crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `" + } + ] + }, + "registry": { + "backend": [ + { + "url": "http://registry:80" + } + ], + "frontend": [ + { + "protocol": "https", + "domain": "` + OPENBALENA_HOST_NAME + `", + "subdomain": "registry", + "port": "443", + "crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `" + } + ] + }, + "s3": { + "backend": [ + { + "url": "http://s3:80" + } + ], + "frontend": [ + { + "protocol": "https", + "domain": "` + OPENBALENA_HOST_NAME + `", + "subdomain": "s3", + "port": "443", + "crt": "` + escape(base64decode(OPENBALENA_CRT) + base64decode(OPENBALENA_CRT_KEY) + base64decode(OPENBALENA_ROOT_CA)) + `" + } + ] + }, + "vpn": { + "backend": [ + { + "url": "tcp://vpn:443" + } + ], + "frontend": [ + { + "protocol": "tcp", + "domain": "` + OPENBALENA_HOST_NAME + `", + "subdomain": "vpn", + "port": "443" + } + ] + } + } + ` diff --git a/deploy-templates/openbalena/v1.0.0/docker-compose/environment.env b/deploy-templates/openbalena/v1.0.0/docker-compose/environment.env new file mode 100644 index 0000000..1479db9 --- /dev/null +++ b/deploy-templates/openbalena/v1.0.0/docker-compose/environment.env 
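Review bot: `OPENBALENA_SUPERUSER_PASSWORD` is declared as a bare `type: string` with no `pattern` and no generated `default`, unlike every API key and secret in this manifest, so the bootstrap admin account can be created with an empty or trivial password; give it the same treatment as the other secrets, e.g. `default:` / `eval: GENERATE_API_KEY({length: 32})` plus a minimum-length `pattern`. `OPENBALENA_TOKEN_AUTH_KEY`/`_PUB`/`_KID` likewise have no default at all and must therefore come verbatim from the config store — if the generator can produce an EC key pair, these should be generated per deployment rather than shipped as fixed values. In `OPENBALENA_VPN_CONFIG`, `comp-lzo` enables compression on the device VPN link; compressing attacker-influenceable data inside an encrypted channel is a known plaintext-recovery vector (VORACLE), so consider dropping it unless the server side requires it. The certificate generators also use fixed `validFrom: '2015'` / `validTo: '2025'` dates, so every deployment's CA and server certificates expire on the same calendar date regardless of when they were generated; deriving validity from the generation time would avoid a fleet-wide expiry. Note too that `OPENBALENA_HAPROXY_CONFIG` embeds the TLS private key via `base64decode(OPENBALENA_CRT_KEY)` in a string that the compose template then passes as a plain environment variable.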
@@ -0,0 +1,8 @@
+OPENBALENA_HOST_NAME=openbalena.local
+OPENBALENA_PRODUCTION_MODE='false'
+OPENBALENA_TOKEN_AUTH_PUB='LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoRENDQVN1Z0F3SUJBZ0lKQUk2RjE2bksyRWZ0TUFvR0NDcUdTTTQ5QkFNQ01COHhIVEFiQmdOVkJBTU0KRkdGd2FTNXZjR1Z1WW1Gc1pXNWhMbXh2WTJGc01CNFhEVEU0TVRFd09ERXdNelExTWxvWERUSXdNVEV3TnpFdwpNelExTWxvd0h6RWRNQnNHQTFVRUF3d1VZWEJwTG05d1pXNWlZV3hsYm1FdWJHOWpZV3d3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUeVpMSzZaU01CSFlVTGZyTHUrWkZsYjhnL0NWZHpyT3Y4ODd4OUppNVYKR3NxVXE3dUpiTjBvRDFmRnlCTERCZVlNTXRjQXZaaVAxRTQyaTNEd0RUVnlvMUF3VGpBZEJnTlZIUTRFRmdRVQpZbXVKbWxISXphc3pHS2IvK2swLzNsSnF6Y3d3SHdZRFZSMGpCQmd3Rm9BVVltdUptbEhJemFzekdLYi8razAvCjNsSnF6Y3d3REFZRFZSMFRCQVV3QXdFQi96QUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQk1DK3hiVm1nUU5KU0sKZDlSNU8yOGEvRjczUjBoNCtLd1ZvMjFpVVFSWWdnSWdmZVQ0VTN6Mi81OVZ4dVVkakxDSzFRcGlkMkluUWxwYQpzUVVkaC9JR3M2Yz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo='
+OPENBALENA_TOKEN_AUTH_KEY='LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBaTUptbkd5akZKU2YzdWlHTjVxL3k1M3hEeUFOeDVMc0lpOFNZMjM1cUNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFOG1TeXVtVWpBUjJGQzM2eTd2bVJaVy9JUHdsWGM2enIvUE84ZlNZdVZScktsS3U3aVd6ZApLQTlYeGNnU3d3WG1ERExYQUwyWWo5Uk9Ob3R3OEEwMWNnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo='
+OPENBALENA_TOKEN_AUTH_KID='SkVGWTpHWVI0OllTQjc6N01FTTpTNFJCOjI3SUU6RjJDQzpVRktVOlJaS1k6Slg3Rjo3QVlJOldCTDU='
+OPENBALENA_SUPERUSER_EMAIL='admin@openbalena.local'
+OPENBALENA_SUPERUSER_PASSWORD='password'
+OPENBALENA_SSH_AUTHORIZED_KEYS='AAAAB3NzaC1yc2EAAAADAQABAAABAQDabNCnNF/gRdkDOOJDpOfdEpKAvGdLsY3uMBgzHm41ut7aJVmtaUTNxZ9vXH9RI/OJ1O91oAvnypu8WsFIot5RDhH5HLmF4LX0j5CGYYC0a38h8yFBr6kUWP3PhvJh+wVZ7nWO6oTwGSKybnmlhSkxDErEVshPD/GQoN9Ka5OSMQuhbpqKBBUt+rseTz/O7r4WU1031mIjKVZjf8E1oSkeQZ5dxHp1fI75KtdvcXRq68pHIjVvZo+SFf6tRikxOeQOjD8Pe73SOein1SK6wnIeCGbau4jDni5vT9O257O1YhyHYmSE7YPhqIm/6scyHn713punXgbsqbXFjacRsGD/'
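Review bot: This file commits a live EC private key (`OPENBALENA_TOKEN_AUTH_KEY`) together with its certificate and KID, and `deploy-templates/environments.yml` in this same patch selects it as the default `config-store`, so any deployment that does not override these values appears to sign and verify registry auth tokens with a key that is public in this repository. The key should be treated as compromised from this commit onward and generated per deployment; config-manifest.yml declares these three properties without a `default`, so nothing will regenerate them automatically. `OPENBALENA_SUPERUSER_PASSWORD='password'` and the hard-coded `OPENBALENA_SSH_AUTHORIZED_KEYS` value — which the compose template forwards to devices as `DEVICE_CONFIG_SSH_AUTHORIZED_KEYS` — have the same problem: whoever holds the matching private key gets SSH access to every device provisioned against a deployment that keeps these defaults. If this is meant as a sample rather than a working default, ship it as `environment.env.example` with the key, password and authorized-keys entries left empty and point `config-store` at a file produced at deploy time.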
diff --git a/deploy-templates/openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml b/deploy-templates/openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml
new file mode 100644
index 0000000..6f16a48
--- /dev/null
+++ b/deploy-templates/openbalena/v1.0.0/docker-compose/templates/docker-compose.tpl.yml
@@ -0,0 +1,168 @@
+version: '2.1'
+
+volumes:
+ db:
+ registry:
+ s3:
+ redis:
+
+services:
+ api:
+ image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
+ depends_on:
+ - db
+ - s3
+ - redis
+ cap_add:
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ tmpfs:
+ - /run
+ - /sys/fs/cgroup
+ security_opt:
+ - apparmor:unconfined
+ environment:
+ API_VPN_SERVICE_API_KEY: "{{{OPENBALENA_API_VPN_SERVICE_API_KEY}}}"
+ BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
+ CONFD_BACKEND: ENV
+ COOKIE_SESSION_SECRET: "{{{OPENBALENA_COOKIE_SESSION_SECRET}}}"
+ DB_HOST: db # <<
+ DB_PASSWORD: docker
+ DB_PORT: 5432
+ DB_USER: docker
+ DELTA_HOST: delta.{{{OPENBALENA_HOST_NAME}}}
+ DEVICE_CONFIG_OPENVPN_CONFIG: "{{{OPENBALENA_VPN_CONFIG}}}"
+ DEVICE_CONFIG_OPENVPN_CA: "{{{OPENBALENA_VPN_CA}}}"
+ DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: "{{{OPENBALENA_SSH_AUTHORIZED_KEYS}}}"
+ HOST: api.{{{OPENBALENA_HOST_NAME}}}
+ IMAGE_MAKER_URL: img.{{{OPENBALENA_HOST_NAME}}}
+ IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
+ IMAGE_STORAGE_PREFIX: resinos
+ IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
+ JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
+ JSON_WEB_TOKEN_SECRET: "{{{OPENBALENA_JWT_SECRET}}}"
+ MIXPANEL_TOKEN: __unused__
+ PRODUCTION_MODE: '{{{OPENBALENA_PRODUCTION_MODE}}}'
+ PUBNUB_PUBLISH_KEY: __unused__
+ PUBNUB_SUBSCRIBE_KEY: __unused__
+ REDIS_HOST: redis
+ REDIS_PORT: 6379
+ REGISTRY2_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
+ REGISTRY_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
+ SENTRY_DSN:
+ SUPERUSER_EMAIL: "{{{OPENBALENA_SUPERUSER_EMAIL}}}"
+ SUPERUSER_PASSWORD: "{{{OPENBALENA_SUPERUSER_PASSWORD}}}"
+ TOKEN_AUTH_BUILDER_TOKEN: "{{{OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}}}"
+ TOKEN_AUTH_CERT_ISSUER: api.{{{OPENBALENA_HOST_NAME}}}
+ TOKEN_AUTH_CERT_KEY: "{{{OPENBALENA_TOKEN_AUTH_KEY}}}"
+ TOKEN_AUTH_CERT_KID: "{{{OPENBALENA_TOKEN_AUTH_KID}}}"
+ TOKEN_AUTH_CERT_PUB: "{{{OPENBALENA_TOKEN_AUTH_PUB}}}"
+ TOKEN_AUTH_JWT_ALGO: 'ES256'
+ VPN_HOST: vpn.{{{OPENBALENA_HOST_NAME}}}
+ VPN_PORT: 443
+ VPN_SERVICE_API_KEY: "{{{OPENBALENA_VPN_SERVICE_API_KEY}}}"
+ registry:
+ image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
+ depends_on:
+ - api
+ - s3
+ - redis
+ volumes:
+ - registry:/data
+ cap_add:
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ tmpfs:
+ - /run
+ - /sys/fs/cgroup
+ security_opt:
+ - apparmor:unconfined
+ environment:
+ API_TOKENAUTH_CRT: "{{{OPENBALENA_TOKEN_AUTH_PUB}}}"
+ BALENA_REGISTRY2_HOST: registry.{{{OPENBALENA_HOST_NAME}}}
+ BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
+ BALENA_TOKEN_AUTH_ISSUER: api.{{{OPENBALENA_HOST_NAME}}}
+ BALENA_TOKEN_AUTH_REALM: https://api.{{{OPENBALENA_HOST_NAME}}}/auth/v1/token
+ COMMON_REGION:
+ REGISTRY2_S3_BUCKET:
+ REGISTRY2_S3_KEY:
+ REGISTRY2_S3_SECRET:
+ REGISTRY2_SECRETKEY: "{{{OPENBALENA_REGISTRY_SECRET_KEY}}}"
+ REGISTRY2_STORAGEPATH: /data
+
+ vpn:
+ image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
+ depends_on:
+ - api
+ cap_add:
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - NET_ADMIN
+ tmpfs:
+ - /run
+ - /sys/fs/cgroup
+ security_opt:
+ - apparmor:unconfined
+ environment:
+ API_SERVICE_API_KEY: "{{{OPENBALENA_API_VPN_SERVICE_API_KEY}}}"
+ BALENA_API_HOST: api.{{{OPENBALENA_HOST_NAME}}}
+ BALENA_ROOT_CA: "{{{OPENBALENA_ROOT_CA}}}"
+ BALENA_VPN_PORT: 443
+ PRODUCTION_MODE: '{{{OPEN_BALENA_PRODUCTION_MODE}}}'
+ RESIN_VPN_GATEWAY: 10.2.0.1
+ SENTRY_DSN:
+ VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
+ VPN_OPENVPN_CA_CRT: "{{{OPENBALENA_VPN_CA}}}"
+ VPN_OPENVPN_SERVER_CRT: "{{{OPENBALENA_VPN_SERVER_CRT}}}"
+ VPN_OPENVPN_SERVER_DH: "{{{OPENBALENA_VPN_SERVER_DH}}}"
+ VPN_OPENVPN_SERVER_KEY: "{{{OPENBALENA_VPN_SERVER_KEY}}}"
+ VPN_SERVICE_API_KEY: "{{{OPENBALENA_VPN_SERVICE_API_KEY}}}"
+
+ db:
+ image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
+ volumes:
+ - db:/var/lib/postgresql/data
+
+ s3:
+ image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
+ volumes:
+ - s3:/export
+ cap_add:
+ - SYS_RESOURCE
+ - SYS_ADMIN
+ tmpfs:
+ - /run
+ - /sys/fs/cgroup
+ security_opt:
+ - apparmor:unconfined
+
+ redis:
+ image: redis:alpine
+ volumes:
+ - redis:/data
+ cap_add:
+ - SYS_RESOURCE
+ - SYS_ADMIN
+ haproxy:
+ security_opt:
+ - seccomp:unconfined
+ image: balena/open-balena-haproxy:v1.0.1
+ depends_on:
+ - api
+ - registry
+ - vpn
+ - db
+ - s3
+ - redis
+ ports:
+ - "80:80"
+ - "443:443"
+ networks:
+ default:
+ aliases:
+ - api.{{{OPENBALENA_HOST_NAME}}}
+ - registry.{{{OPENBALENA_HOST_NAME}}}
+ - vpn.{{{OPENBALENA_HOST_NAME}}}
+ - s3.{{{OPENBALENA_HOST_NAME}}}
+ environment:
+ PROXY_CONFIG: '{{{OPENBALENA_HAPROXY_CONFIG}}}'
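Review bot: The vpn service reads `PRODUCTION_MODE: '{{{OPEN_BALENA_PRODUCTION_MODE}}}'`, but the manifest and the api service use `OPENBALENA_PRODUCTION_MODE`, so this placeholder will most likely render empty and the vpn never runs in production mode; change it to `PRODUCTION_MODE: '{{{OPENBALENA_PRODUCTION_MODE}}}'`. Likewise `OPENBALENA_VPN_CA` (used for `DEVICE_CONFIG_OPENVPN_CA` and `VPN_OPENVPN_CA_CRT`) is not declared anywhere in config-manifest.yml; since `OPENBALENA_VPN_SERVER_CRT` is issued from `OPENBALENA_ROOT_CA`, this presumably should be `{{{OPENBALENA_ROOT_CA}}}`, and the device-side `remote-cert-tls server` / `ca /etc/openvpn/ca.crt` check is only as strong as whatever value lands here. `DB_PASSWORD: docker` is a hard-coded credential while every other secret is drawn from the manifest; add an `OPENBALENA_DB_PASSWORD` property with a generated default and wire it into both `api` and `db` (if the db image supports setting it). Finally, `SYS_ADMIN` plus `apparmor:unconfined` on api/registry/vpn/s3/redis and `seccomp:unconfined` on haproxy leave these containers with little meaningful isolation from the host; the `/run` and `/sys/fs/cgroup` tmpfs mounts suggest systemd-based images that may need some of this, but `redis:alpine` has no such need and the haproxy seccomp opt-out deserves a comment stating why it is required.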