
@ericcalabretta
Created August 1, 2019 19:06

Habitat On-Prem-Builder Depot authentication setup with Chef Automate

Step 1: create a new OAuth Application in Chef Automate

Log in to your Automate server and create a file called oauth.toml.

bldr_signin_url is your Builder FQDN. The URL should be http if you have SSL disabled, which may be the case for an evaluation.

IMPORTANT: don't forget the / at the end of the URL you set for bldr_signin_url.

To add: how to generate a client ID & secret. The current example uses the "default" client_id and client_secret.

You can copy/paste from the following example & insert your values.

[session.v1.sys.service]
bldr_signin_url = "http://<BUILDER_FQDN_GOES_HERE>/"
bldr_client_id = "0123456789abcdef0123"
bldr_client_secret = "0123456789abcdef0123456789abcdef01234567"

Apply this configuration with the following command:

sudo chef-automate config patch oauth.toml

You should see something like this to confirm that Automate's configuration was patched with the new OAuth configuration.

Updating deployment configuration

Applying deployment configuration
  Started session-service
Success: Configuration patched

Step 2: Copy Automate's TLS Certificate

You'll need to add Automate's TLS certificate to Builder's list of accepted certificates in addition to these configuration changes. Let's grab Automate's TLS certificate now. Automate's TLS certificate will be named after its FQDN.

You can see what your cert is named with sudo ls /hab/svc/automate-load-balancer/data/. You may need elevated permissions to list this location.

sudo ls /hab/svc/automate-load-balancer/data/
automate.example.com.cert  automate.example.com.key

Now that we have the name of the .cert file we can cat it out. Copy the certificate and keep it handy for later steps.

sudo cat /hab/svc/automate-load-balancer/data/automate.example.com.cert
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAcasldkaf...
-----END CERTIFICATE-----

Step 3: clone the repo to your Builder server

Log in to your on-prem-builder server, clone the on-prem-builder git repo and move into the directory.

git clone https://github.com/habitat-sh/on-prem-builder.git
cd on-prem-builder

Step 4: configure Builder for your environment by creating a bldr.env file. Use the following template with your configuration values.

If SSL will be disabled you must keep APP_SSL_ENABLED=false and APP_URL must use http.

#!/bin/bash

# The endpoint, key and secret for your Minio instance (see README)
# Change these before the first install if needed
export MINIO_ENDPOINT=http://localhost:9000
export MINIO_BUCKET=habitat-builder-artifact-store.local
export MINIO_ACCESS_KEY=depot
export MINIO_SECRET_KEY=password

# The variables below are configured for Automate OAuth2 provider

# Whether SSL is enabled for the on-prem depot
export APP_SSL_ENABLED=false

# The URL for this instance of the on-prem depot
# IMPORTANT: If SSL is enabled, APP_URL should start with https
export APP_URL=http://<BLDR_FQDN_GOES_HERE>

# The OAUTH_PROVIDER values for Chef-Automate
export OAUTH_PROVIDER=chef-automate
export OAUTH_USERINFO_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/userinfo
export OAUTH_AUTHORIZE_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/new
export OAUTH_TOKEN_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/token
export OAUTH_SIGNUP_URL=https://<AUTOMATE_FQDN_GOES_HERE>

# The OAUTH_REDIRECT_URL is the registered OAuth2 redirect
# IMPORTANT: If SSL is enabled, the redirect URL should be https
# IMPORTANT: don't forget the `/` at the end of the URL
export OAUTH_REDIRECT_URL=http://<BLDR_FQDN_GOES_HERE>/

# The OAUTH_CLIENT_ID is the registered OAuth2 client id
export OAUTH_CLIENT_ID=0123456789abcdef0123

# The OAUTH_CLIENT_SECRET is the registered OAuth2 client secret
export OAUTH_CLIENT_SECRET=0123456789abcdef0123456789abcdef01234567

# Modify these only if there is a specific need, otherwise leave as is
export BLDR_CHANNEL=on-prem-stable
export BLDR_ORIGIN=habitat
export HAB_BLDR_URL=https://bldr.habitat.sh

# Help us make Habitat better! Opt into analytics by changing the ANALYTICS_ENABLED
# setting below to true, then optionally provide your company name. (Analytics is
# disabled by default. See our privacy policy at https://www.habitat.sh/legal/privacy-policy/.)
export ANALYTICS_ENABLED=false
export ANALYTICS_COMPANY_NAME=""
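The mistakes this guide warns about (http vs https not matching APP_SSL_ENABLED, a missing trailing slash on the redirect URL, Builder and Automate not agreeing on the client id and secret) are cheap to catch before running install.sh. The POSIX shell function below is an added example, not part of the gist or of on-prem-builder: it checks a bldr.env from Step 4 and, when given a second argument, cross-checks it against the oauth.toml from Step 1. File paths and the Automate endpoint origin check are assumptions about how the two files are laid out.

```shell
# env_value FILE KEY: value of an "export KEY=value" line, quotes stripped.
env_value() { sed -n "s/^export $2=//p" "$1" | tail -n 1 | tr -d '"'; }
# toml_value FILE KEY: value of a 'KEY = "value"' line in a flat TOML file.
toml_value() { sed -n "s/^$2 *= *\"\(.*\)\"/\1/p" "$1" | tail -n 1; }
# origin URL: the scheme://host part, used to compare the Automate endpoints.
origin() { printf '%s\n' "$1" | sed 's|^\([a-z]*://[^/]*\).*|\1|'; }
# fail MSG: report one problem and count it in the global $n.
fail() { echo "problem: $1"; n=$((n + 1)); }

# check_bldr_env BLDR_ENV [OAUTH_TOML]: print every mismatch found and return
# the number of problems, so a 0 exit status means the files are consistent.
check_bldr_env() {
    n=0
    ssl=$(env_value "$1" APP_SSL_ENABLED)
    app_url=$(env_value "$1" APP_URL)
    redirect=$(env_value "$1" OAUTH_REDIRECT_URL)
    # APP_URL must use http when SSL is disabled and https when it is enabled.
    case "$ssl" in
        true)  scheme=https ;;
        false) scheme=http ;;
        *)     scheme=; fail "APP_SSL_ENABLED must be true or false, got '$ssl'" ;;
    esac
    case "$app_url" in
        "$scheme://"*) ;;
        *) [ -z "$scheme" ] || fail "APP_URL '$app_url' does not start with $scheme:// (APP_SSL_ENABLED=$ssl)" ;;
    esac
    # The redirect is APP_URL plus the trailing slash the guide insists on.
    case "$redirect" in */) ;; *) fail "OAUTH_REDIRECT_URL '$redirect' has no trailing /" ;; esac
    [ "$redirect" = "$app_url/" ] || fail "OAUTH_REDIRECT_URL '$redirect' is not APP_URL followed by /"
    # The userinfo, authorize and token URLs must point at the same Automate instance (assumption).
    a=$(origin "$(env_value "$1" OAUTH_USERINFO_URL)")
    b=$(origin "$(env_value "$1" OAUTH_AUTHORIZE_URL)")
    c=$(origin "$(env_value "$1" OAUTH_TOKEN_URL)")
    { [ "$a" = "$b" ] && [ "$b" = "$c" ]; } || fail "Automate endpoint origins differ: '$a' '$b' '$c'"
    # Cross-check against the oauth.toml patched into Automate in Step 1, if supplied.
    if [ -n "$2" ]; then
        [ "$(toml_value "$2" bldr_signin_url)" = "$redirect" ] || fail "bldr_signin_url differs from OAUTH_REDIRECT_URL"
        [ "$(toml_value "$2" bldr_client_id)" = "$(env_value "$1" OAUTH_CLIENT_ID)" ] || fail "bldr_client_id differs from OAUTH_CLIENT_ID"
        [ "$(toml_value "$2" bldr_client_secret)" = "$(env_value "$1" OAUTH_CLIENT_SECRET)" ] || fail "bldr_client_secret differs from OAUTH_CLIENT_SECRET"
    fi
    return "$n"
}
```

Run it as `check_bldr_env ./bldr.env /path/to/oauth.toml` on the Builder host after copying oauth.toml over; a non-zero exit status lists exactly what to fix before install.sh is run.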

Step 5: install Builder by running the install script

sudo ./install.sh

You will be prompted to accept a few licenses:

Do you accept the terms of this license? Answering yes will proceed with the installation. [y/N] y
Do you accept the 1 product license? [yes/No/quit] yes

After the install is complete, confirm everything is running with hab svc status.

sudo hab svc status
package                                        type        desired  state  elapsed (s)  pid   group
habitat/builder-memcached/7728/20180929144821  standalone  up       up     57           4186  builder-memcached.default
habitat/builder-api/8349/20190516173809        standalone  up       up     23           4237  builder-api.default
habitat/builder-datastore/7809/20181019215440  standalone  up       up     75           4161  builder-datastore.default
habitat/builder-api-proxy/8253/20190406055501  standalone  up       up     23           4271  builder-api-proxy.default
habitat/builder-minio/7764/20181006010221      standalone  up       up     57           4199  builder-minio.default

Step 6: add Automate's TLS certificate from Step 2 to your Builder instance's list of accepted certs

This is done by adding Automate's cert to the top of Builder's cert.pem. You can find the exact path for your system with the hab pkg path command, as shown in the example.

Place the cert at the top of the cert chain.

sudo vi $(hab pkg path core/cacerts)/ssl/cert.pem

-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAcasldkaf...
-----END CERTIFICATE-----

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----

Now re-run the install script and restart the services so Builder picks up the cert changes. If you make any configuration mistakes you'll also need to re-run the install script and restart the services to pick up the corrections.

./install.sh
sudo systemctl restart hab-sup

You should now be able to Sign In to your Builder server with any valid Automate credentials.

With authentication working you can now create a core origin and bootstrap/synchronize the core packages. Note that the bootstrap process uploads a snapshot of the core packages, and the synchronization process ensures you have the latest packages as of today.

https://github.com/habitat-sh/on-prem-builder#create-an-origin
