Владимир Томишинец 5 years ago
parent
commit
2da2203334
2 changed files with 125 additions and 1 deletions
  1. 1 1
      Dockerfile
  2. 124 0
      RenewalJenkinsfile

+ 1 - 1
Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /etc/acme-dns && mkdir -p /var/lib/acme-dns && mkdir /etc/letsencry
     && rm -rf ./config.cfg \
     && apk --no-cache add ca-certificates && update-ca-certificates \
     && apk --no-cache add curl sqlite bash git openssh-client \
-        openssl openssl-dev python3 python3-dev musl-dev sqlite gcc libffi-dev \
+        openssl openssl-dev python3 python3-dev musl-dev sqlite gcc libffi-dev figlet mail \
     && pip3 install certbot \
     && ln -sf /usr/bin/python3 /usr/bin/python \
     && curl -o /etc/letsencrypt/acme-dns-auth.py \
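Review bot: The two packages appended to the `apk --no-cache add` line are unpinned, and `mail` on its own may not resolve to an Alpine package at all (the mail clients there are usually published as `mailx` or `s-nail`), in which case the whole RUN layer fails the build; worth confirming against the base image's release before merging. Pinning with `figlet=<version> mailx=<version>` (versions from the target Alpine branch, placeholders here) would keep the image reproducible in the same way the other tooling in this RUN is not currently pinned either. The RUN instruction continues above and below the hunk.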

+ 124 - 0
RenewalJenkinsfile

@@ -0,0 +1,124 @@
+JENKINS_PASS = ''
+ENDDATE = ''
+NEW_ENDDATE = ''
+BACKUP_FILE = ''
+CONFIG_DIR = ''
+COMMAND = ''
+pipeline {
+    agent {
+        label "swarm"
+    }
+    environment {
+        CLUSTER_NAME_OPEN='iru-swarm1-open.infoclinica.lan'
+        CLUSTER_NAME_PROD='iru-swarm.infoclinica.lan'
+        CLUSTER_NAME_DEV='dev-iru-swarm.infoclinica.lan'
+        DOCKER_CERT_PATH='/run/secrets/swarm'
+        IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.3'
+        JENKINS_MAIL='jenkins.dev@sdsys.ru'
+        SMTP_SERVER='mail.sdsys.ru'
+        RECIPIENT_MAIL_BOX='admin@sdsys.ru'
+        PKI_GIT_SUBDIR='iru'
+        PKI_GIT_NAME='pki'
+        DOMAIN='infoclinica.ru'
+        PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
+        STACK-DEPLOY_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/stack-deploy.git'
+        STACK-DEPLOY_GIT_NAME='stack-deploy'
+    }
+    parameters {
+        string(
+            name: "mailto",
+            defaultValue: "admin@sdsys.ru",
+            description: "Email which has to be notified."
+        )
+    }
+    stages {
+      stage("Calculate Variables) {
+        steps {
+          script {
+            ENDDATE = sh (script: "$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -enddate)", returnStdout: true).trim()
+            CONFIG_DIR = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/letsencrypt'
+            BACKUP_FILE = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
+            COMMAND = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/acme-dns/' + 'renewal.sh'
+            withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
+              JENKINS_PASS = PASSWORD
+            }
+          }
+        }
+      }
+      stage("Run Renewal") {
+        steps {
+          withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+            sh """set +x
+                  DOCKER_HOST=tcp://${CLUSTER_NAME_OPEN}:2376 DOCKER_TLS_VERIFY=1 docker run -t --rm -e TZ=Europe/Moscow \
+                    -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
+                    -e JENKINS_MAIL_PASS=${JENKINS_PASS} -e JENKINS_MAIL_USER=${JENKINS_MAIL} \
+                    -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
+                    -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 53:53/udp -p 53:53/tcp ${IMAGE_NAME} \
+                    /${COMMAND}
+               """
+          }
+        }
+      }
+      stage("Update secret in CLUSTERS") {
+        steps {
+          script {
+            git_clone(PKI_GIT_URL)
+            git_clone(STACK-DEPLOY_GIT_URL)
+            withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+              sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+                      git clone ${PKI_GIT_URL}
+                    GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+                      git clone ${STACK-DEPLOY_GIT_URL}
+                 """
+            }
+            def NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
+            if (ENDDATE != NEW_ENDDATE) {
+              echo "Update docker secret in ${CLUSTER_NAME_PROD}"
+              def NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME_PROD}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
+              update_secret(NODE_IP, STACK-DEPLOY_GIT_NAME, DOMAIN, CONFIG_DIR)
+              echo "Update docker secret in ${CLUSTER_NAME_DEV}"
+              NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME_DEV}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
+              update_secret(NODE_IP, STACK-DEPLOY_GIT_NAME, DOMAIN, CONFIG_DIR)
+            }
+          }
+        }
+      }
+    
+  }
+  post {
+    always {
+      echo "CleaningUp work directory"
+      deleteDir()
+    }
+    success {
+      mail charset: 'UTF-8',
+           subject: "Jenkins build SUCCESS",
+           mimeType: 'text/html',
+           to: "${mailto}",
+           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
+    }
+    failure {
+      mail charset: 'UTF-8',
+           subject: "Jenkins build ERROR",
+           mimeType: 'text/html',
+           to: "${mailto}",
+           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
+    }
+  }
+}
+def git_clone(String REPO) {
+        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+          sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+                git clone ${REPO}
+             """
+        }
+}
+def update_secret(String NODE_IP, String STACK-DEPLOY_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
+        sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
+              docker service rm infrastructure_registry
+              docker secret rm infoclinica_full
+              docker secret create infoclinica_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
+              cd ${STACK-DEPLOY_GIT_NAME}
+              ./infrastructure.sh
+           """
+}
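Review bot: The password copied out of withCredentials with `JENKINS_PASS = PASSWORD` and then Groovy-interpolated as `-e JENKINS_MAIL_PASS=${JENKINS_PASS}` in the "Run Renewal" stage is expanded before the shell runs, so it is a plain argument of the docker process on the agent, outside the block in which Jenkins masks it in the console, and the private key injected with `-e "SSHKEY=\`cat ${GIT_SSH_KEY}\`"` travels the same way. Keeping the sh step inside a withCredentials block that binds the password as `JENKINS_MAIL_PASS` and passing `-e JENKINS_MAIL_PASS` and `-e SSHKEY` without values lets the docker client copy them from its own environment (sketched below); both remain readable via `docker inspect` on the swarm node, so mounting them as docker secrets would be the next step. Separately the file cannot load as written: the stage name `"Calculate Variables` is missing its closing quote, `$(` inside a double-quoted Groovy string is rejected by the compiler, and the hyphenated `STACK-DEPLOY_GIT_URL`/`STACK-DEPLOY_GIT_NAME` names (environment block, the clone and update_secret calls, and the update_secret signature) are not legal identifiers. The "Update secret in CLUSTERS" stage also clones both repositories twice (via git_clone and again inline), so the second clone fails on an existing directory, and `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` on the PKI repository deserves a pinned known_hosts entry instead, given what the job then writes into docker secrets.
```groovy
      stage("Run Renewal") {
        steps {
          withCredentials([
            sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME'),
            usernamePassword(credentialsId: 'jenkins', usernameVariable: 'JENKINS_USER', passwordVariable: 'JENKINS_MAIL_PASS')
          ]) {
            // withCredentials exports both secrets into the shell environment; "-e NAME" with no
            // value makes the docker client take them from there instead of from argv.
            sh """set +x
                  export SSHKEY="\$(cat "\$GIT_SSH_KEY")"
                  DOCKER_HOST=tcp://${CLUSTER_NAME_OPEN}:2376 DOCKER_TLS_VERIFY=1 docker run -t --rm -e TZ=Europe/Moscow \
                    -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
                    -e JENKINS_MAIL_PASS -e JENKINS_MAIL_USER=${JENKINS_MAIL} \
                    -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
                    -e SSHKEY -p 53:53/udp -p 53:53/tcp ${IMAGE_NAME} \
                    /${COMMAND}
               """
          }
        }
      }
```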