
  1. pipeline {
  2. agent {
  3. label "swarm"
  4. }
  5. environment {
  6. DOCKER_REGISTRY='dev-registry.infoclinica.ru:5000'
  7. DOCKER_IMAGE='iru/ovpn-rsa'
  8. SERVICE_NAME="ovpn-rsa_server"
  9. PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/openvpn-pki.git'
  10. PKI_GIT_NAME='openvpn-pki'
  11. OVPN_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/openvpn.git'
  12. OVPN_GIT_DIR='openvpn'
  13. JENKINS_MAIL='jenkins.dev@sdsys.ru'
  14. SMTP_SERVER='mail.sdsys.ru'
  15. DOCKER_CERT_PATH='/run/secrets/swarm'
  16. CLUSTER_NAME='iru-swarm1-open.infoclinica.ru'
  17. COMMAND=''
  18. branch='master'
  19. }
  20. parameters {
  21. /* string(
  22. name: "branch",
  23. defaultValue: "master",
  24. description: "Which branch to use"
  25. )
  26. */
  27. choice (
  28. choices: 'keygen\nrevoke',
  29. description: 'Whats the action?',
  30. name: 'TASK_ACTION')
  31. choice (
  32. choices: 'client\nadmin',
  33. description: 'Whats the mode?',
  34. name: 'MODE')
  35. string(
  36. name: "client_mail",
  37. defaultValue: "admin@sdsys.ru",
  38. description: "Email which has to be recieved certs and key"
  39. )
  40. string(
  41. name: "key_name",
  42. defaultValue: "test",
  43. description: "The names for generation keys and certs."
  44. )
  45. string(
  46. name: "mailto",
  47. defaultValue: "admin@sdsys.ru",
  48. description: "Email which has to be notified."
  49. )
  50. }
  51. stages {
  52. stage("Pull PKI repo") {
  53. steps {
  54. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  55. sh '''GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  56. git clone ${PKI_GIT_URL}
  57. cd ${WORKSPACE}/${PKI_GIT_NAME} && git checkout ${branch}
  58. '''
  59. }
  60. }
  61. }
  62. stage("Generate Keys and Certs or Revoke") {
  63. steps {
  64. script {
  65. def cert = "${WORKSPACE}/${PKI_GIT_NAME}/open/easy-rsa/client_keys/sds-${key_name}.zip"
  66. switch (TASK_ACTION) {
  67. case 'keygen':
  68. if (fileExists(cert)) {
  69. currentBuild.result = 'ABORTED'
  70. error ("Cert already exist!!!")
  71. return
  72. }
  73. COMMAND ="keygen.sh"
  74. break
  75. case 'revoke':
  76. if (!fileExists(cert)) {
  77. currentBuild.result = 'ABORTED'
  78. error ("Cert doesn't exist!!!")
  79. return
  80. }
  81. COMMAND ="revoke.sh"
  82. break
  83. }
  84. echo "Running ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest."
  85. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  86. sh """set +x
  87. docker pull $DOCKER_REGISTRY/$DOCKER_IMAGE:latest
  88. docker run -i --rm -e TZ=Europe/Moscow -e mode=keygen -e "SSHKEY=`cat ${GIT_SSH_KEY}`" \
  89. -e git_url=${PKI_GIT_URL} -e git_dir=${PKI_GIT_NAME} \
  90. $DOCKER_REGISTRY/$DOCKER_IMAGE:latest /tmp/$COMMAND $key_name $branch
  91. """
  92. }
  93. }
  94. }
  95. }
  96. stage("Pull new version of REPOs") {
  97. steps {
  98. script {
  99. echo "Delete old repo version"
  100. sh 'rm -rf ${WORKSPACE}/${PKI_GIT_NAME} && rm -rf ${WORKSPACE}/${OVPN_GIT_DIR}'
  101. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  102. sh '''GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  103. git clone ${OVPN_GIT_URL}
  104. cd ${WORKSPACE}/${OVPN_GIT_DIR} && git checkout ${branch} && cd ${WORKSPACE}
  105. GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  106. git clone ${PKI_GIT_URL}
  107. cd ${WORKSPACE}/${PKI_GIT_NAME} && git checkout ${branch}
  108. '''
  109. }
  110. }
  111. }
  112. }
  113. stage("Generate configs") {
  114. when {
  115. expression { params.TASK_ACTION == 'keygen' }
  116. }
  117. steps {
  118. script {
  119. switch (MODE) {
  120. case 'client':
  121. file = "${WORKSPACE}/${OVPN_GIT_DIR}/ip_client.txt"
  122. break
  123. case 'admin':
  124. file = "${WORKSPACE}/${OVPN_GIT_DIR}/ip_admin.txt"
  125. break
  126. }
  127. string ip = readFile(file)
  128. split = ip.tokenize(".")
  129. if (split[3].toInteger() >= 254) {
  130. currentBuild.result == 'FAILURE'
  131. error ("The last oktet => 254!!!")
  132. return
  133. } else {
  134. split[3] = (split[3].toInteger() + 1) + ""
  135. def newIp = split.join(".")
  136. string txt = split[3].toString()
  137. writeFile file: file, text: newIp
  138. def conf = "${WORKSPACE}/${OVPN_GIT_DIR}/${OVPN_GIT_DIR}/persist/ccd/${key_name}"
  139. writeFile file: conf, text: "ifconfig-push " + newIp + " 255.255.0.0"
  140. }
  141. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  142. sh '''cd ${OVPN_GIT_DIR}
  143. echo "Add new config for ${key_name}" > ../commit.txt
  144. git add -A
  145. git config --global user.email "${JENKINS_MAIL}"
  146. git config --global user.name "Jenkins"
  147. git commit -F ../commit.txt
  148. GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  149. git push origin ${branch}
  150. '''
  151. }
  152. }
  153. }
  154. }
  155. stage("Send key, certs and config with email") {
  156. when {
  157. expression { params.TASK_ACTION == 'keygen' }
  158. }
  159. steps {
  160. script {
  161. fileZip = "${WORKSPACE}/${PKI_GIT_NAME}/open/easy-rsa/client_keys/sds-${key_name}.zip"
  162. if ( !fileExists("${fileZip}")) {
  163. currentBuild.result == 'FAILURE'
  164. return
  165. } else {
  166. withEnv(["zip=${fileZip}"]) {
  167. withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  168. sh '''echo "Ваши ключ, сертификаты и конфигурационный файл для подключения к infoclinica.ru" | email -s "Your Certs and Key" \
  169. -f ${JENKINS_MAIL} \
  170. -r ${SMTP_SERVER} \
  171. -m login \
  172. -u ${USERNAME} \
  173. -i ${PASSWORD} \
  174. -a ${zip} \
  175. ${client_mail}
  176. '''
  177. }
  178. }
  179. }
  180. }
  181. }
  182. }
  183. stage("Update ccd-files and stonevpn.crl") {
  184. steps {
  185. script {
  186. def NODE = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME}:2376 DOCKER_TLS_VERIFY=1 docker service ps \${SERVICE_NAME} --format '{{.Node}}' --filter desired-state=Running" , returnStdout: true).trim()
  187. sh "if [ -z ${NODE} ]; then echo '${SERVICE_NAME} does not running'; exit 1; fi"
  188. def container_id = sh (script: "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker ps -q -f label=ru.sdsys.subcontainer=\${SERVICE_NAME}" , returnStdout: true).trim()
  189. sh "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker cp ${WORKSPACE}/${OVPN_GIT_DIR}/${OVPN_GIT_DIR}/persist/ccd/ ${container_id}:/etc/${OVPN_GIT_DIR}/persist"
  190. sh "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker cp ${WORKSPACE}/${PKI_GIT_NAME}/open/easy-rsa/keys/stonevpn.crl ${container_id}:/etc/${OVPN_GIT_DIR}/persist/stonevpn.crl"
  191. }
  192. }
  193. }
  194. }
  195. post {
  196. always {
  197. echo "CleaningUp work directory"
  198. deleteDir()
  199. }
  200. failure {
  201. mail charset: 'UTF-8',
  202. subject: "Jenkins build ERROR",
  203. mimeType: 'text/html',
  204. to: "${mailto}",
  205. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  206. }
  207. aborted {
  208. mail charset: 'UTF-8',
  209. subject: "Jenkins build ERROR",
  210. mimeType: 'text/html',
  211. to: "${client_mail}",
  212. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job aborted.\n\n <b><br> The CNAME ${key_name} is already exists!\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  213. }
  214. success{
  215. withCredentials([usernamePassword(credentialsId: 'admin', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  216. sh "wget http://${USERNAME}:${PASSWORD}@dev-jenkins.sdsys.ru:8080/job/iru-bind/build?token=iru-bind -O -"
  217. }
  218. }
  219. }
  220. }