Reorg directory structure:

This makes the deploy directory cleaner by moving all
compose related file/directories into the compose directory.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

deploy/compose/.env

@@ -0,0 +1,10 @@
+OSIE_DOWNLOAD_URL="https://tinkerbell-oss.s3.amazonaws.com/osie-uploads/osie-1790-23d78ea47f794d0e5c934b604579c26e5fce97f5.tar.gz"
+TINK_CLI_IMAGE="quay.io/tinkerbell/tink-cli:sha-8ea8a0e5"
+TINK_SERVER_IMAGE="quay.io/tinkerbell/tink:sha-8ea8a0e5"
+BOOTS_SERVER_IMAGE="quay.io/tinkerbell/boots:sha-94f43947"
+HEGEL_SERVER_IMAGE="quay.io/tinkerbell/hegel:sha-9f5da0a8"
+TINKERBELL_HARDWARE_MANIFEST="/manifests/hardware/hardware.json"
+TINKERBELL_TEMPLATE_MANIFEST="/manifests/template/ubuntu.yaml"
+TINKERBELL_HOST_IP=192.168.50.4
+TINKERBELL_CLIENT_IP=192.168.50.43
+TINKERBELL_CLIENT_MAC=08:00:27:9e:f5:3a

deploy/compose/docker-compose.yml

@@ -0,0 +1,293 @@
+services:
+  # TLS cert for tink-server and docker registry
+  tls-gen:
+    image: cfssl/cfssl
+    entrypoint: /code/tls/generate.sh
+    command: ["$TINKERBELL_HOST_IP"]
+    environment:
+      FACILITY: ${FACILITY:-onprem}
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}:/code
+      - certs:/certs/${FACILITY:-onprem}:rw
+
+  # User creds for the registry
+  registry-auth:
+    image: httpd:2
+    entrypoint: htpasswd
+    working_dir: /auth
+    command:
+      [
+        "-Bbc",
+        ".htpasswd",
+        "${TINKERBELL_REGISTRY_USERNAME:-admin}",
+        "${TINKERBELL_REGISTRY_PASSWORD:-Admin1234}",
+      ]
+    volumes:
+      - auth:/auth:rw
+
+  # OSIE work
+  osie-work:
+    image: alpine
+    entrypoint: /scripts/lastmile.sh
+    command: ["${OSIE_DOWNLOAD_URL}", "/source", "/source", "/destination"]
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/osie:/scripts
+      - ${REPO_TOP_LEVEL:-.}/state/webroot/misc/osie/current:/source
+      - ${REPO_TOP_LEVEL:-.}/state/webroot/workflow:/destination
+
+  # Uploads images in /registry/registry_images.txt to the local registry
+  images-to-local-registry:
+    image: quay.io/containers/skopeo:latest
+    entrypoint: /registry/upload.sh
+    command:
+      [
+        "${TINKERBELL_REGISTRY_USERNAME:-admin}",
+        "${TINKERBELL_REGISTRY_PASSWORD:-Admin1234}",
+        "${TINKERBELL_HOST_IP}",
+        "/registry/registry_images.txt",
+      ]
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/registry:/registry
+    depends_on:
+      registry:
+        condition: service_healthy
+
+  # registry ca.crt download
+  registry-ca-crt-download:
+    image: alpine
+    entrypoint: wget
+    working_dir: /code
+    command: ["http://$TINKERBELL_HOST_IP:42114/cert", "-O", "ca.pem"]
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/state/webroot/workflow:/code
+    depends_on:
+      tink-server:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+
+  # Create hardware, template, and workflow records in tink-server
+  create-tink-records:
+    image: ${TINK_CLI_IMAGE}
+    entrypoint: /manifests/apply_manifests.sh
+    command:
+      [
+        "$TINKERBELL_HARDWARE_MANIFEST",
+        "$TINKERBELL_TEMPLATE_MANIFEST",
+        "/manifests/workflow",
+        "$TINKERBELL_HOST_IP",
+        "$TINKERBELL_CLIENT_IP",
+        "$TINKERBELL_CLIENT_MAC",
+      ]
+    environment:
+      TINKERBELL_GRPC_AUTHORITY: tink-server:42113
+      TINKERBELL_CERT_URL: http://tink-server:42114/cert
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/manifests:/manifests
+    depends_on:
+      tink-server:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+
+  # Setup ubuntu image
+  ubuntu-image-setup:
+    image: ubuntu
+    entrypoint: /scripts/setup_ubuntu.sh
+    command:
+      [
+        "https://cloud-images.ubuntu.com/daily/server/focal/current/focal-server-cloudimg-amd64.img",
+        "focal-server-cloudimg-amd64.img",
+        "/destination/focal-server-cloudimg-amd64.raw",
+      ]
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/ubuntu:/scripts
+      - ${REPO_TOP_LEVEL:-.}/state/webroot:/destination
+
+  tink-server:
+    image: ${TINK_SERVER_IMAGE}
+    restart: unless-stopped
+    environment:
+      FACILITY: ${FACILITY:-onprem}
+      PACKET_ENV: ${PACKET_ENV:-testing}
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+      ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+      PGDATABASE: tinkerbell
+      PGHOST: db
+      PGPASSWORD: tinkerbell
+      PGPORT: 5432
+      PGSSLMODE: disable
+      PGUSER: tinkerbell
+      TINKERBELL_GRPC_AUTHORITY: :42113
+      TINKERBELL_HTTP_AUTHORITY: :42114
+      TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME:-admin}
+      TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD:-admin}
+    depends_on:
+      tink-server-migration:
+        condition: service_started
+      db:
+        condition: service_healthy
+      tls-gen:
+        condition: service_completed_successfully
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- 127.0.0.1:42114/cert"] # port needs to match TINKERBELL_HTTP_AUTHORITY
+      interval: 5s
+      timeout: 2s
+      retries: 30
+    volumes:
+      - certs:/certs/${FACILITY:-onprem}:rw
+    ports:
+      - 42113:42113/tcp
+      - 42114:42114/tcp
+
+  tink-server-migration:
+    image: ${TINK_SERVER_IMAGE}
+    restart: on-failure
+    environment:
+      ONLY_MIGRATION: "true"
+      FACILITY: ${FACILITY:-onprem}
+      PGDATABASE: tinkerbell
+      PGHOST: db
+      PGPASSWORD: tinkerbell
+      PGPORT: 5432
+      PGSSLMODE: disable
+      PGUSER: tinkerbell
+      TINKERBELL_GRPC_AUTHORITY: :42113
+      TINKERBELL_HTTP_AUTHORITY: :42114
+      TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME:-admin}
+      TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD:-admin}
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - certs:/certs/${FACILITY:-onprem}:rw
+
+  db:
+    image: postgres:10-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: tinkerbell
+      POSTGRES_PASSWORD: tinkerbell
+      POSTGRES_USER: tinkerbell
+    volumes:
+      - postgres_data:/var/lib/postgresql/data:rw
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U tinkerbell"]
+      interval: 1s
+      timeout: 1s
+      retries: 30
+
+  tink-cli:
+    image: ${TINK_CLI_IMAGE}
+    restart: unless-stopped
+    environment:
+      TINKERBELL_GRPC_AUTHORITY: tink-server:42113
+      TINKERBELL_CERT_URL: http://tink-server:42114/cert
+    depends_on:
+      tink-server:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+
+  registry:
+    image: registry:2.7.1
+    restart: unless-stopped
+    network_mode: host
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "wget --no-check-certificate https://$TINKERBELL_HOST_IP -O -",
+        ]
+      interval: 5s
+      timeout: 1s
+      retries: 5
+    environment:
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/.htpasswd
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/${FACILITY:-onprem}/bundle.pem
+      REGISTRY_HTTP_TLS_KEY: /certs/${FACILITY:-onprem}/server-key.pem
+      REGISTRY_HTTP_ADDR: $TINKERBELL_HOST_IP:443
+    volumes:
+      - certs:/certs/${FACILITY:-onprem}:ro
+      - auth:/auth:rw
+    depends_on:
+      tls-gen:
+        condition: service_completed_successfully
+      registry-auth:
+        condition: service_completed_successfully
+
+  boots:
+    image: ${BOOTS_SERVER_IMAGE}
+    restart: unless-stopped
+    command: -dhcp-addr 0.0.0.0:67 -tftp-addr $TINKERBELL_HOST_IP:69 -http-addr $TINKERBELL_HOST_IP:80 -log-level DEBUG
+    network_mode: host
+    environment:
+      API_AUTH_TOKEN: ${PACKET_API_AUTH_TOKEN:-ignored}
+      API_CONSUMER_TOKEN: ${PACKET_CONSUMER_TOKEN:-ignored}
+      FACILITY_CODE: ${FACILITY:-onprem}
+      PACKET_ENV: ${PACKET_ENV:-testing}
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+      ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+      MIRROR_HOST: ${TINKERBELL_HOST_IP:-127.0.0.1}:8080
+      DNS_SERVERS: 8.8.8.8
+      PUBLIC_IP: $TINKERBELL_HOST_IP
+      BOOTP_BIND: $TINKERBELL_HOST_IP:67
+      HTTP_BIND: $TINKERBELL_HOST_IP:80
+      SYSLOG_BIND: $TINKERBELL_HOST_IP:514
+      TFTP_BIND: $TINKERBELL_HOST_IP:69
+      DOCKER_REGISTRY: $TINKERBELL_HOST_IP
+      REGISTRY_USERNAME: ${TINKERBELL_REGISTRY_USERNAME:-admin}
+      REGISTRY_PASSWORD: ${TINKERBELL_REGISTRY_PASSWORD:-Admin1234}
+      TINKERBELL_GRPC_AUTHORITY: $TINKERBELL_HOST_IP:42113
+      TINKERBELL_CERT_URL: http://$TINKERBELL_HOST_IP:42114/cert
+      DATA_MODEL_VERSION: 1
+    extra_hosts:
+      - "tink-server:$TINKERBELL_HOST_IP"
+    depends_on:
+      tink-server:
+        condition: service_healthy
+
+  osie-bootloader:
+    image: nginx:alpine
+    restart: unless-stopped
+    tty: true
+    user: root
+    ports:
+      - 8080:80/tcp
+    volumes:
+      - ${REPO_TOP_LEVEL:-.}/state/webroot:/usr/share/nginx/html/
+    depends_on:
+      osie-work:
+        condition: service_completed_successfully
+      ubuntu-image-setup:
+        condition: service_completed_successfully
+
+  hegel:
+    image: ${HEGEL_SERVER_IMAGE}
+    restart: unless-stopped
+    environment:
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN-ignored}
+      ROLLBAR_DISABLE: 1
+      PACKET_ENV: testing
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      GRPC_PORT: 42115
+      HEGEL_FACILITY: ${FACILITY:-onprem}
+      HEGEL_USE_TLS: 0
+      TINKERBELL_GRPC_AUTHORITY: tink-server:42113
+      TINKERBELL_CERT_URL: http://tink-server:42114/cert
+      DATA_MODEL_VERSION: 1
+      CUSTOM_ENDPOINTS: '{"/metadata":""}'
+    depends_on:
+      tink-server:
+        condition: service_healthy
+
+volumes:
+  postgres_data:
+  certs:
+  auth:

deploy/compose/tls/ca-config.json

@@ -0,0 +1,24 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "168h"
+    },
+    "profiles": {
+      "server": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth"
+        ]
+      },
+      "signing": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment"
+        ]
+      }
+    }
+  }
+}

deploy/compose/tls/csr.json

@@ -0,0 +1,21 @@
+{
+  "CN": "tinkerbell",
+  "hosts": [
+    "tinkerbell.registry",
+    "tinkerbell.tinkerbell",
+    "tinkerbell",
+    "tink-server",
+    "192.168.50.4",
+    "127.0.0.1",
+    "localhost"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "L": "@FACILITY@"
+    }
+  ]
+}

deploy/compose/tls/generate.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -xo pipefail
+
+# update_csr will add the sans_ip to the csr
+update_csr() {
+	local sans_ip="$1"
+	local csr_file="$2"
+	sed -i "/\"hosts\".*/a \    \"${sans_ip}\"," "${csr_file}"
+}
+
+# cleanup will remove unneeded files
+cleanup() {
+	rm -rf ca-key.pem ca.csr ca.pem server.csr server.pem
+}
+
+# gen will generate the key and bundle
+gen() {
+	local bundle_destination="$1"
+	local key_destination="$2"
+	cfssl gencert -initca /code/tls/csr.json | cfssljson -bare ca -
+	cfssl gencert -config /code/tls/ca-config.json -ca ca.pem -ca-key ca-key.pem -profile server /code/tls/csr.json | cfssljson -bare server
+	cat server.pem ca.pem >"${bundle_destination}"
+	mv server-key.pem "${key_destination}"
+}
+
+# main orchestrates the process
+main() {
+	local sans_ip="$1"
+	local csr_file="/code/tls/csr.json"
+	local bundle_file="/certs/${FACILITY:-onprem}/bundle.pem"
+	local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
+
+	if ! grep -q "${sans_ip}" "${csr_file}"; then
+		update_csr "${sans_ip}" "${csr_file}"
+	else
+		echo "IP ${sans_ip} already in ${csr_file}"
+	fi
+	if [ ! -f "${bundle_file}" ] && [ ! -f "${server_key_file}" ]; then
+		gen "${bundle_file}" "${server_key_file}"
+	else
+		echo "Files [${bundle_file}, ${server_key_file}] already exist"
+	fi
+	cleanup
+}
+
+main "$1"