Log in to your Automate server and create a file called `oauth.toml`.

`bldr_signin_url` is your Builder FQDN. The URL should be `http://` if you have SSL disabled, which may be the case for an evaluation. IMPORTANT: don't forget the `/` at the end of the URL you set for `bldr_signin_url`.

The example below uses the default `client_id` and `client_secret` (the same values appear in the `bldr.env` template further down). They are a shared secret between Automate and Builder, so replace both with values of your own for anything beyond an evaluation; generating them is not covered here. You can copy/paste from the following example and insert your values.
```toml
[session.v1.sys.service]
bldr_signin_url = "http://<BUILDER_FQDN_GOES_HERE>/"
bldr_client_id = "0123456789abcdef0123"
bldr_client_secret = "0123456789abcdef0123456789abcdef01234567"
```
Apply this configuration with the following command:

```shell
sudo chef-automate config patch oauth.toml
```

You should see something like this to confirm that Automate's configuration was patched with the new OAuth configuration:

```text
Updating deployment configuration
Applying deployment configuration
Started session-service
Success: Configuration patched
```
In addition to these configuration changes, you'll need to add Automate's TLS certificate to Builder's list of accepted certificates. This matters when Automate's certificate is not issued by a CA Builder already trusts, such as the self-signed certificate an Automate deployment generates when no certificate is supplied. Let's grab Automate's TLS certificate now. The certificate is named after Automate's FQDN; you can see what yours is called by listing `/hab/svc/automate-load-balancer/data/` (elevated permissions are required to read this location):

```shell
sudo ls /hab/svc/automate-load-balancer/data/
```

```text
automate.example.com.cert  automate.example.com.key
```

Now that we have the name of the `.cert` file, `cat` it out. Copy the certificate and keep it handy for later steps.

```shell
sudo cat /hab/svc/automate-load-balancer/data/automate.example.com.cert
```

```text
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAcasldkaf...
-----END CERTIFICATE-----
```
Log in to your on-prem-builder server, clone the on-prem-builder git repo and move into its directory:

```shell
git clone https://github.com/habitat-sh/on-prem-builder.git
cd on-prem-builder
```

Configure Builder for your environment by creating a `bldr.env` file. Use the following template with your configuration values. If SSL will be disabled you must keep `APP_SSL_ENABLED=false`, and `APP_URL` must use `http://`.
```bash
#!/bin/bash
# The endpoint, key and secret for your Minio instance (see README)
# Change these before the first install if needed; the access key and
# secret below are placeholders, not values to keep
export MINIO_ENDPOINT=http://localhost:9000
export MINIO_BUCKET=habitat-builder-artifact-store.local
export MINIO_ACCESS_KEY=depot
export MINIO_SECRET_KEY=password

# The variables below are configured for Automate OAuth2 provider

# Whether SSL is enabled for the on-prem depot
export APP_SSL_ENABLED=false

# The URL for this instance of the on-prem depot
# IMPORTANT: If SSL is enabled, APP_URL should be https
export APP_URL=http://<BLDR_FQDN_GOES_HERE>

# The OAUTH_PROVIDER values for Chef-Automate
export OAUTH_PROVIDER=chef-automate
export OAUTH_USERINFO_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/userinfo
export OAUTH_AUTHORIZE_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/new
export OAUTH_TOKEN_URL=https://<AUTOMATE_FQDN_GOES_HERE>/session/token
export OAUTH_SIGNUP_URL=https://<AUTOMATE_FQDN_GOES_HERE>

# The OAUTH_REDIRECT_URL is the registered OAuth2 redirect
# IMPORTANT: If SSL is enabled, the redirect URL should be https
# IMPORTANT: don't forget the `/` at the end of the URL
export OAUTH_REDIRECT_URL=http://<BLDR_FQDN_GOES_HERE>/

# The OAUTH_CLIENT_ID is the registered OAuth2 client id
# (must match bldr_client_id in Automate's oauth.toml)
export OAUTH_CLIENT_ID=0123456789abcdef0123

# The OAUTH_CLIENT_SECRET is the registered OAuth2 client secret
# (must match bldr_client_secret in Automate's oauth.toml)
export OAUTH_CLIENT_SECRET=0123456789abcdef0123456789abcdef01234567

# Modify these only if there is a specific need, otherwise leave as is
export BLDR_CHANNEL=on-prem-stable
export BLDR_ORIGIN=habitat
export HAB_BLDR_URL=https://bldr.habitat.sh

# Help us make Habitat better! Opt into analytics by changing the ANALYTICS_ENABLED
# setting below to true, then optionally provide your company name. (Analytics is
# disabled by default. See our privacy policy at https://www.habitat.sh/legal/privacy-policy/.)
export ANALYTICS_ENABLED=false
export ANALYTICS_COMPANY_NAME=""
```
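Most sign-in failures with this setup come from the two files disagreeing: a missing trailing `/`, `https` on one side and `http` on the other, or a client secret that was changed in one place only. The script below is an added example, not part of the on-prem-builder project or the walkthrough; it cross-checks an `oauth.toml` against a `bldr.env` before you run `install.sh`, and also refuses the template's default client secret and Minio password, since those are shared credentials that should not survive into a real deployment. It assumes, as the walkthrough's own values do, that `bldr_signin_url` and `OAUTH_REDIRECT_URL` must be identical; the `write_*` helpers only produce constructed sample files for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the on-prem-builder project): cross-check Automate's
# oauth.toml against Builder's bldr.env before running install.sh.
# Usage: check_oauth_config /path/to/oauth.toml /path/to/bldr.env

# toml_value FILE KEY -> the quoted string assigned to KEY in FILE (first match)
toml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# env_value FILE KEY -> the value of `export KEY=...` in FILE, surrounding quotes stripped
env_value() {
  sed -n "s/^[[:space:]]*export[[:space:]][[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Record one problem; relies on bash dynamic scoping to bump the caller's counter
fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

# check_oauth_config OAUTH_TOML BLDR_ENV -> returns the number of problems found (0 = consistent)
check_oauth_config() {
  local toml="$1" env="$2" problems=0 scheme="http://" u
  local signin id secret ssl app_url redirect env_id env_secret minio_secret
  signin=$(toml_value "$toml" bldr_signin_url)
  id=$(toml_value "$toml" bldr_client_id)
  secret=$(toml_value "$toml" bldr_client_secret)
  ssl=$(env_value "$env" APP_SSL_ENABLED)
  app_url=$(env_value "$env" APP_URL)
  redirect=$(env_value "$env" OAUTH_REDIRECT_URL)
  env_id=$(env_value "$env" OAUTH_CLIENT_ID)
  env_secret=$(env_value "$env" OAUTH_CLIENT_SECRET)
  minio_secret=$(env_value "$env" MINIO_SECRET_KEY)

  # Both redirect URLs need the trailing slash the walkthrough insists on, and must agree
  case "$signin" in */) ;; *) fail "bldr_signin_url must end with '/': $signin" ;; esac
  case "$redirect" in */) ;; *) fail "OAUTH_REDIRECT_URL must end with '/': $redirect" ;; esac
  [ "$signin" = "$redirect" ] || fail "bldr_signin_url ($signin) and OAUTH_REDIRECT_URL ($redirect) differ"

  # The client credentials are a shared secret: both sides must hold the same pair
  [ -n "$id" ] && [ "$id" = "$env_id" ] || fail "client id differs between oauth.toml and bldr.env"
  [ -n "$secret" ] && [ "$secret" = "$env_secret" ] || fail "client secret differs between oauth.toml and bldr.env"

  # Every URL pointing at Builder must use the scheme APP_SSL_ENABLED implies
  [ "$ssl" = "true" ] && scheme="https://"
  for u in "$app_url" "$redirect" "$signin"; do
    case "$u" in "$scheme"*) ;; *) fail "expected $scheme prefix (APP_SSL_ENABLED=$ssl): $u" ;; esac
  done

  # Template defaults are public knowledge; refuse them
  [ "$secret" != "0123456789abcdef0123456789abcdef01234567" ] || fail "client secret is the template default"
  [ "$minio_secret" != "password" ] || fail "MINIO_SECRET_KEY is the template default"
  return "$problems"
}

# Constructed sample writers for the demo (real files come from the steps above)
write_oauth_toml() {  # FILE SIGNIN_URL CLIENT_ID CLIENT_SECRET
  printf '[session.v1.sys.service]\nbldr_signin_url = "%s"\nbldr_client_id = "%s"\nbldr_client_secret = "%s"\n' \
    "$2" "$3" "$4" > "$1"
}
write_bldr_env() {  # FILE SSL_ENABLED APP_URL REDIRECT_URL CLIENT_ID CLIENT_SECRET MINIO_SECRET
  {
    echo "export MINIO_SECRET_KEY=$7"
    echo "export APP_SSL_ENABLED=$2"
    echo "export APP_URL=$3"
    echo "export OAUTH_REDIRECT_URL=$4"
    echo "export OAUTH_CLIENT_ID=$5"
    echo "export OAUTH_CLIENT_SECRET=$6"
  } > "$1"
}

# Demo on a constructed, consistent pair (hostname and credentials are made up)
demo_dir=$(mktemp -d)
write_oauth_toml "$demo_dir/oauth.toml" "http://bldr.example.com/" \
  "a1b2c3d4e5f60718293a" "9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc"
write_bldr_env "$demo_dir/bldr.env" false "http://bldr.example.com" "http://bldr.example.com/" \
  "a1b2c3d4e5f60718293a" "9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc" "s3cr3t-minio-key"
if check_oauth_config "$demo_dir/oauth.toml" "$demo_dir/bldr.env"; then
  echo "oauth.toml and bldr.env are consistent"
fi
rm -rf "$demo_dir"
```

Run it on the real files (`check_oauth_config oauth.toml bldr.env` after copying `oauth.toml` over from the Automate host) and fix every `FAIL:` line before installing; each mistake it reports would otherwise cost a re-run of `install.sh` and a service restart.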
Now run the install script:

```shell
sudo ./install.sh
```

You will be prompted to accept a few licenses:

```text
Do you accept the terms of this license? Answering yes will proceed with the installation. [y/N] y
Do you accept the 1 product license? [yes/No/quit] yes
```
After the install is complete, confirm everything is running with `hab svc status`:

```shell
sudo hab svc status
```

```text
package                                        type        desired  state  elapsed (s)  pid   group
habitat/builder-memcached/7728/20180929144821  standalone  up       up     57           4186  builder-memcached.default
habitat/builder-api/8349/20190516173809        standalone  up       up     23           4237  builder-api.default
habitat/builder-datastore/7809/20181019215440  standalone  up       up     75           4161  builder-datastore.default
habitat/builder-api-proxy/8253/20190406055501  standalone  up       up     23           4271  builder-api-proxy.default
habitat/builder-minio/7764/20181006010221      standalone  up       up     57           4199  builder-minio.default
```
Now add Automate's certificate to Builder's list of accepted certificates by placing it at the top of Builder's `cert.pem`. You can find the exact path for your system with the `hab pkg path` command, as shown in the example. Place the cert at the top of the cert chain, before the first existing entry:

```shell
sudo vi $(hab pkg path core/cacerts)/ssl/cert.pem
```

```text
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAcasldkaf...
-----END CERTIFICATE-----

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
```

This file belongs to a specific release of the `core/cacerts` package, so the edit has to be repeated if that package is updated.
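Editing `cert.pem` by hand works, but it is easy to paste the certificate twice or paste a file that is not a certificate at all. The script below is an added example, not part of the on-prem-builder project or the walkthrough; it does the same prepend as the `vi` step above, but checks that the input is exactly one PEM certificate block, skips the edit when that certificate's body is already in the bundle, and keeps a `.bak` copy. The default bundle path reuses the page's `hab pkg path core/cacerts` lookup; the demo files it writes are constructed placeholders whose base64 bodies are not real certificates.

```bash
#!/usr/bin/env bash
# Added example (not from the on-prem-builder project): idempotently prepend
# Automate's TLS certificate to Builder's CA bundle.
# Usage: sudo bash prepend-ca.sh /tmp/automate.example.com.cert [/path/to/cert.pem]

# pem_cert_count FILE -> how many "-----BEGIN CERTIFICATE-----" markers FILE holds
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# is_single_pem_cert FILE -> 0 if FILE holds exactly one BEGIN/END CERTIFICATE pair
is_single_pem_cert() {
  [ "$(pem_cert_count "$1")" -eq 1 ] &&
    [ "$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)" -eq 1 ]
}

# pem_bodies FILE -> one line per certificate: its base64 body with line breaks removed
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
       inblock                        { body = body $0 }' "$1"
}

# bundle_has_cert CERT BUNDLE -> 0 if CERT's exact body already appears in BUNDLE
bundle_has_cert() {
  local body
  body=$(pem_bodies "$1")
  pem_bodies "$2" | grep -qxF -e "$body"
}

# prepend_ca_cert CERT [BUNDLE] -> put CERT at the top of BUNDLE once, keeping BUNDLE.bak
# Returns 0 on success or no-op, 2 when refusing to touch the bundle.
prepend_ca_cert() {
  local cert="$1" bundle="${2:-$(hab pkg path core/cacerts)/ssl/cert.pem}"
  is_single_pem_cert "$cert" || { echo "refusing: $cert is not a single PEM certificate" >&2; return 2; }
  [ -r "$bundle" ] || { echo "refusing: cannot read bundle $bundle" >&2; return 2; }
  if bundle_has_cert "$cert" "$bundle"; then
    echo "already present in $bundle, nothing to do"
    return 0
  fi
  cp -p "$bundle" "$bundle.bak"
  { cat "$cert"; echo; cat "$bundle.bak"; } > "$bundle"
  echo "prepended $cert to $bundle (backup at $bundle.bak)"
}

# Demo on constructed placeholder files; running twice shows the no-op path
demo() {
  local d
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDfDCCAmSgAcasldkaf' '-----END CERTIFICATE-----' > "$d/automate.cert"
  printf '%s\n' 'GlobalSign Root CA' '==================' \
    '-----BEGIN CERTIFICATE-----' 'R0xPQkFMU0lHTg' '-----END CERTIFICATE-----' > "$d/cert.pem"
  prepend_ca_cert "$d/automate.cert" "$d/cert.pem"
  prepend_ca_cert "$d/automate.cert" "$d/cert.pem"
  echo "certificates in bundle: $(pem_cert_count "$d/cert.pem")"
  rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
  prepend_ca_cert "$@"
else
  demo
fi
```

Run it with `sudo` when targeting the real bundle, since the package directory is root-owned; re-running it after a `core/cacerts` update is safe because a bundle that already contains the certificate is left untouched.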
Now re-run the install script and restart the services so Builder picks up the cert changes. If you make any configuration mistakes, you'll also need to re-run the install script and restart the services to pick up the corrections.

```shell
sudo ./install.sh
sudo systemctl restart hab-sup
```

You should now be able to Sign In to your Builder server with any valid Automate credentials.

With auth working you can now create a core origin and bootstrap/synchronize the core packages. Note that the bootstrap process uploads a snapshot of core packages, and the synchronization process ensures you have the latest packages as of the day you run it:

https://github.com/habitat-sh/on-prem-builder#create-an-origin