ansible-concourse

An Ansible role to manage Concourse CI.

Scope

This role understands how to manage a Concourse CI web (ATC/TSA) or worker service installation.

It:

  • (Optionally) creates a concourse user and group with which to run the daemon process.
  • (Optionally) formats and mounts a volume in which Concourse work is done.
  • Installs a systemd service called concourse-web and/or concourse-worker.
  • Fetches the Concourse binary tarball from the official site.
  • Creates a wrapper script that captures options passed into the binary executable.
  • Installs necessary ssh key files, provided through variables.
  • (Optionally) installs the Postgres database by using ansible-role-postgresql.

It does not:

  • Generate ssh key-pairs.
  • Manage any cloud infrastructure.

Installation

ansible-galaxy install solureal.concourse

Getting started

To install concourse you need a couple of keys. You can generate those with:

ssh-keygen -t rsa -b 4096 -m PEM -f ./session_signing_key
ssh-keygen -t rsa -b 4096 -m PEM -f ./tsa_host_key
ssh-keygen -t rsa -b 4096 -m PEM -f ./worker_key
rm session_signing_key.pub # this file is not needed by concourse

Then reference the keys in a playbook:

- hosts: atc
  roles:
    - role: solureal.concourse
      concourse_web: true
      concourse_authorized_worker_keys:
        - "{{ worker_public_key }}"

      # Installs postgresql on atc node
      concourse_postgres_install: true
      concourse_postgres_host: localhost
      concourse_postgres_port: 5432
      concourse_postgres_user: concourse
      concourse_postgres_password: concourse # example value; supply your own, e.g. from Ansible Vault
      concourse_postgres_database: concourse
      concourse_web_env:
        CONCOURSE_ENABLE_LETS_ENCRYPT: true
        CONCOURSE_TLS_BIND_PORT: 443
        CONCOURSE_EXTERNAL_URL: https://concourse.example.com # https, because TLS is enabled above

- hosts: workers
  roles:
    - role: solureal.concourse
      concourse_worker: true
      concourse_tsa_host: my-atc
      concourse_tsa_public_key: "{{ host_pub_key }}"
      concourse_tsa_worker_key: "{{ worker_key }}"
      concourse_worker_env:
        CONCOURSE_GARDEN_NETWORK_POOL: 10.254.0.0/16
        CONCOURSE_GARDEN_MAX_CONTAINERS: 512
        CONCOURSE_GARDEN_DOCKER_REGISTRY: https://docker.my-private-registry.org

Use the concourse_[web|worker]_env properties to pass environment variables to the concourse worker or web process. Most supported variables can be found in the concourse web documentation and concourse worker documentation.

Role Variables

See defaults/main.yml for default values not specified below. Many of these variables map sensibly to options supplied to the concourse binary at launch time. Run concourse web -h or concourse worker -h for more detail.

Note: The vast majority of variables have sensible defaults and normally need not be defined, but exist for when control over related behaviour is needed.

Maintenance Variables

  • concourse_force_restart: Optional. Default: "no". Triggers a restart of the web and/or worker services regardless of whether the configuration has changed.

User Variables

  • concourse_manage_user: Optional. Default: "yes". Manage the system user to which file ownership is assigned.
  • concourse_user: Optional. The user that will own the Concourse install directory and the running process.
  • concourse_uid: Optional. The user ID.
  • concourse_group: Optional. The group that will own the Concourse install directory and the running process.
  • concourse_gid: Optional. The group ID.

Installation Variables

  • concourse_version: Optional. The version of Concourse to install.
  • concourse_install_prefix_dir: Optional. The prefix directory under which the Concourse installation directory will be placed. The Concourse tarball is also downloaded into this directory during installation.
  • concourse_install_dir: Optional. The directory path into which the Concourse tarball is extracted.
  • concourse_binary_path: Optional. The absolute path to the Concourse binary.
  • concourse_bin_dir: Optional. A directory in which the Concourse binary and related shell scripts live.
  • concourse_etc_dir: Optional. A directory in which Concourse-related generated or managed files are created.
  • concourse_archive_name: Optional. The file name of the Concourse release tarball to install.
  • concourse_archive_url: Optional. The URL at which the Concourse release tarball can be downloaded.
  • concourse_archive_checksum: Optional. The checksum of the Concourse release tarball used to validate the downloaded archive.
  • concourse_archive_os: Optional. The operating system for which to fetch the Concourse release tarball.
  • concourse_archive_fetch_timeout: Optional. The timeout in seconds for fetching the Concourse release tarball.
  • concourse_archive_delete_after_unarchive: Optional. Default: "yes". Delete the release tarball after it is unpacked.
  • concourse_binary_mode: Optional. The file mode of the Concourse binary.
  • concourse_etc_files_mode: Optional. The file mode of all files stored in concourse_etc_dir.

Common Variables

  • concourse_service_enabled: Optional. Default: "yes". Manage a systemd service for a Concourse web and/or worker instance.
  • concourse_service_start: Optional. Default: "yes". Start the systemd service(s) for Concourse web and/or worker.
  • concourse_log_level: Optional. The minimum level of logs to see. [debug|info|error|fatal]
  • concourse_env_file: Optional. A file containing environment variables which is fed into the EnvironmentFile attribute of the systemd service unit file. This is useful for configuration managed outside of the playbook. If the configuration should be managed by the playbook, concourse_web_env and/or concourse_worker_env is the better choice.

Web Variables

  • concourse_web: Optional. Set to "yes" to install the Concourse ATC.
  • concourse_bind_ip: Optional. The IP address on which to listen to web traffic.
  • concourse_bind_port: Optional. The port on which to listen for HTTP traffic.
  • concourse_tls_bind_port: Optional. The port on which to listen for HTTPS traffic.
  • concourse_tls_certificate: Optional. The content of the TLS certificate to use for HTTPS termination.
  • concourse_tls_certificate_path: Optional. The remote file path of the TLS certificate to use for HTTPS termination. Normally, only concourse_tls_certificate needs to be defined.
  • concourse_tls_key: Optional. The content of the TLS key to use for HTTPS termination.
  • concourse_tls_key_path: Optional. The remote file path of the TLS key to use for HTTPS termination. Normally, only concourse_tls_key needs to be defined.
  • concourse_web_launcher_path: Optional. The path to the script that launches the Concourse web process.
  • concourse_web_launcher_mode: Optional. The file mode of the web launcher script.
  • concourse_cli_artifacts_dir: Optional. The value of the --cli-artifacts-dir option.
  • concourse_authorized_worker_keys_path: Optional. The path to the authorized worker keys file.
  • concourse_host_key_path: Optional. The path to the host key file.
  • concourse_session_signing_key: Required. The session signing key.
  • concourse_session_signing_key_path: Optional. The path to the session signing key file.
  • concourse_encryption_key: Optional. A key of length 16 or 32 used to encrypt sensitive data before storing it in the database.
  • concourse_old_encryption_key: Optional. An encryption key previously used. If provided without a new key, data is encrypted. If provided with a new key, data is re-encrypted.
  • concourse_host_key: Required. The host key.
  • concourse_authorized_worker_keys: Required. Concatenated authorized worker keys.
  • concourse_base_resource_type_defaults: Optional. A hash of cluster-wide defaults for resource types.
  • concourse_base_resource_type_defaults_file: Optional. The path to the resource type defaults file.
  • concourse_enable_global_resources: Optional. Use the experimental option to use global resources.
  • concourse_web_env: Optional. A hash of environment variables made available to the concourse web process.

Authentication

To set up authentication, check out the Concourse auth documentation.

Set the required env variables in concourse_web_env. E.g. to configure local user auth:

  ...
  concourse_web_env:
    CONCOURSE_ADD_LOCAL_USER: myuser:mypass,anotheruser:anotherpass
    CONCOURSE_MAIN_TEAM_LOCAL_USER: myuser
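
The web play from "Getting started" with its secrets moved out of the playbook and checked before the role runs, as an added example that is not part of the role's own documentation. The `vault_*` variable names, the `keys/` directory, the `admin` user name and the mapping of the generated key files to role variables are assumptions; the `vault_*` values are expected to live in a vars file encrypted with ansible-vault.

```yaml
- hosts: atc
  vars:
    # Key files from the ssh-keygen commands, read on the control node.
    # keys/ is an assumed location; keep it out of version control.
    concourse_session_signing_key: "{{ lookup('ansible.builtin.file', 'keys/session_signing_key') }}"
    concourse_host_key: "{{ lookup('ansible.builtin.file', 'keys/tsa_host_key') }}"
    concourse_authorized_worker_keys:
      - "{{ lookup('ansible.builtin.file', 'keys/worker_key.pub') }}"

    # Assumed variable names, defined in an ansible-vault encrypted vars file.
    concourse_encryption_key: "{{ vault_concourse_encryption_key }}"
    concourse_postgres_password: "{{ vault_concourse_postgres_password }}"

    concourse_web_env:
      CONCOURSE_ENABLE_LETS_ENCRYPT: "true"
      CONCOURSE_TLS_BIND_PORT: "443"
      CONCOURSE_EXTERNAL_URL: https://concourse.example.com
      CONCOURSE_ADD_LOCAL_USER: "admin:{{ vault_concourse_admin_password }}"
      CONCOURSE_MAIN_TEAM_LOCAL_USER: admin

  pre_tasks:
    - name: Check secret-related settings before the role runs
      ansible.builtin.assert:
        that:
          # The README asks for a key of length 16 or 32.
          - concourse_encryption_key | length in [16, 32]
          # Reject the placeholder password used in the README example.
          - concourse_postgres_password != 'concourse'
          # TLS is enabled, so the advertised URL must be https.
          - concourse_web_env.CONCOURSE_EXTERNAL_URL is match('https://')
        fail_msg: "Concourse web settings failed the pre-flight check"
        quiet: true

  roles:
    - role: solureal.concourse
      concourse_web: true
      concourse_postgres_install: true
      concourse_postgres_host: localhost
      concourse_postgres_port: 5432
      concourse_postgres_user: concourse
      concourse_postgres_database: concourse
```

Play-level `vars` are used instead of role parameters so that the `pre_tasks` assertion can see the same values the role receives.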

Web PostgreSQL Variables

  • concourse_postgres_install: Optional. Install postgresql using ansible-role-postgresql.
  • concourse_postgres_host: Optional. The Postgres host to connect to.
  • concourse_postgres_port: Optional. The Postgres port to connect to.
  • concourse_postgres_socket: Optional. The path to a Unix domain socket to connect to.
  • concourse_postgres_user: Optional. The Postgres user to sign in as.
  • concourse_postgres_password: Optional. The Postgres user's password.
  • concourse_postgres_ssl_mode: Optional. Whether or not to use SSL with the Postgres connection.
  • concourse_postgres_ca_cert: Optional. The Postgres CA cert file location.
  • concourse_postgres_client_cert: Optional. The Postgres client cert file location.
  • concourse_postgres_client_key: Optional. The Postgres client key file location.
  • concourse_postgres_connect_timeout: Optional. The Postgres dialing timeout.
  • concourse_postgres_database: Optional. The Postgres database name.

Worker Variables

  • concourse_worker: Optional. Set to "yes" to install a Concourse worker.
  • concourse_worker_launcher_path: Optional. The path to the script that launches the Concourse worker process.
  • concourse_worker_land_path: Optional. The path to the script that lands a worker.
  • concourse_worker_retire_path: Optional. The path to the script that retires a worker.
  • concourse_worker_binary_mode: Optional. The file mode of the worker launcher, land, and retire scripts.
  • concourse_worker_land_on_stop: Optional. Default: "no". Run concourse land-worker upon stopping the service.
  • concourse_worker_retire_on_stop: Optional. Default: "yes". Run concourse retire-worker upon stopping the service.
  • concourse_work_dir: Optional. The directory in which the worker does work.
  • concourse_tsa_public_key_path: Optional. The path to the tsa public key file.
  • concourse_tsa_worker_key_path: Optional. The path to the worker private key file.
  • concourse_tsa_host: Required. The value of the --tsa-host option.
  • concourse_tsa_public_key: Required. The tsa public key.
  • concourse_tsa_worker_key: Required. The tsa worker private key.
  • concourse_baggageclaim_driver: Optional. The driver to use for managing volumes.
  • concourse_worker_env: Optional. A hash of environment variables made available to the concourse worker process.
  • concourse_manage_work_volume: Optional. Default: "no". Activate management of the work volume.
  • concourse_work_volume_device: Required when concourse_manage_work_volume is "yes". The device to mount as the work volume.
  • concourse_work_volume_fs_type: Optional. The filesystem type of the work volume. By default, this is calculated to be btrfs or ext4 based on the value of concourse_baggageclaim_driver.
  • concourse_work_volume_fs_opts: Optional. A list of options to be passed to the mkfs command when creating the work volume filesystem.
  • concourse_work_volume_fs_force_create: Optional. Default: "no". If "yes", allows creating a new work volume filesystem on a device that already has a filesystem.
  • concourse_work_volume_fs_resize: Optional. Default: "no". If "yes" and the work volume block device and filesystem sizes differ, grow the filesystem into the space.
  • concourse_work_volume_mount_path: Optional. The directory to which the work volume will be mounted.
  • concourse_work_volume_mount_opts: Optional. Work volume mount options.

Credits

License

MIT © SoluReal
