@@ -0,0 +1,152 @@
|
|
|
+JENKINS_PASS = ''
|
|
|
+ENDDATE = ''
|
|
|
+NEW_ENDDATE = ''
|
|
|
+BACKUP_FILE = ''
|
|
|
+CONFIG_DIR = ''
|
|
|
+COMMAND = ''
|
|
|
+TARGET_HOSTS_APACHE = [ 'pbx', 'sugar', 'owncloud' ]
|
|
|
+pipeline {
|
|
|
+ agent {
|
|
|
+ label "swarm"
|
|
|
+ }
|
|
|
+ environment {
|
|
|
+ REGISTRY_OFFICE='registry.sdsys.ru'
|
|
|
+ CLUSTER_OFFICE='swarm.sdsys.ru'
|
|
|
+ DOCKER_CERT_PATH='/run/secrets/swarm'
|
|
|
+ IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
|
|
|
+ JENKINS_MAIL='jenkins.dev@sdsys.ru'
|
|
|
+ SMTP_SERVER='mail.sdsys.ru'
|
|
|
+ RECIPIENT_MAIL_BOX='admin@sdsys.ru'
|
|
|
+ PKI_GIT_NAME='pki'
|
|
|
+ DOMAIN='sdsys.ru'
|
|
|
+ PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
|
|
|
+ SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
|
|
|
+ SWARM_GIT_NAME='swarm'
|
|
|
+ }
|
|
|
+ parameters {
|
|
|
+ string(
|
|
|
+ name: "mailto",
|
|
|
+ defaultValue: "admin@sdsys.ru",
|
|
|
+ description: "Email which has to be notified."
|
|
|
+ )
|
|
|
+ }
|
|
|
+ stages {
|
|
|
+ stage("Calculate Variables") {
|
|
|
+ steps {
|
|
|
+ script {
|
|
|
+ ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
|
|
|
+ CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
|
|
|
+ BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
|
|
|
+ COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
|
|
|
+ withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
|
|
|
+ JENKINS_USER = USERNAME
|
|
|
+ JENKINS_PASS = PASSWORD
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ stage("Run Renewal") {
|
|
|
+ steps {
|
|
|
+ withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
|
|
|
+ sh """set +x
|
|
|
+ docker run -t --rm -e TZ=Europe/Moscow \
|
|
|
+ -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
|
|
|
+ -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
|
|
|
+ -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
|
|
|
+ -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 53:53/udp -p 53:53/tcp ${IMAGE_NAME} \
|
|
|
+ /${COMMAND}
|
|
|
+ """
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ stage("Update docker secret in SWARM cluster") {
|
|
|
+ steps {
|
|
|
+ script {
|
|
|
+ ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
|
|
|
+ if (ENDDATE != NEW_ENDDATE) {
|
|
|
+ echo "Update docker secret in ${CLUSTER_OFFICE}"
|
|
|
+ NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
|
|
|
+ update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ stage("Update certificate and key") {
|
|
|
+ steps {
|
|
|
+ script {
|
|
|
+ git_clone(PKI_GIT_URL)
|
|
|
+ git_clone(SWARM_GIT_URL)
|
|
|
+ NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
|
|
|
+ TARGET_HOSTS_APACHE.each { item ->
|
|
|
+ ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
|
|
|
+ if (ENDDATE != NEW_ENDDATE) {
|
|
|
+ echo "Update certificate and key for ${item}"
|
|
|
+ def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + apache + '.yml'
|
|
|
+ def TARGET_HOST = item + '.' + DOMAIN
|
|
|
+ update_sertificate(PLAYBOOK, CONFIG_DIR, TARGET_HOST)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
|
|
|
+ if (ENDDATE != NEW_ENDDATE) {
|
|
|
+ echo "Update certificate and key for ${SMTP_SERVER}"
|
|
|
+ sh "cat ${PKI_GIT_NAME}/${DOMAIN}/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
|
|
|
+ def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + mail + '.yml'
|
|
|
+ update_sertificate(PLAYBOOK, CONFIG_DIR, SMTP_SERVER)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ post {
|
|
|
+ always {
|
|
|
+ echo "CleaningUp work directory"
|
|
|
+ deleteDir()
|
|
|
+ }
|
|
|
+ success {
|
|
|
+ mail charset: 'UTF-8',
|
|
|
+ subject: "Jenkins build SUCCESS",
|
|
|
+ mimeType: 'text/html',
|
|
|
+ to: "${mailto}",
|
|
|
+ body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
|
|
|
+ }
|
|
|
+ failure {
|
|
|
+ mail charset: 'UTF-8',
|
|
|
+ subject: "Jenkins build ERROR",
|
|
|
+ mimeType: 'text/html',
|
|
|
+ to: "${mailto}",
|
|
|
+ body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+def git_clone(String REPO) {
|
|
|
+ withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
|
|
|
+ sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
|
|
|
+ git clone ${REPO}
|
|
|
+ """
|
|
|
+ }
|
|
|
+}
|
|
|
+def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
|
|
|
+ sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
|
|
|
+ docker stack rm registry
|
|
|
+ docker stack rm proxy
|
|
|
+ docker secret rm sdsys_full
|
|
|
+ docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
|
|
|
+ sleep 10
|
|
|
+ docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
|
|
|
+ docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
|
|
|
+ """
|
|
|
+}
|
|
|
+def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST) {
|
|
|
+ withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
|
|
|
+ ansiColor('xterm') {
|
|
|
+ ansiblePlaybook(
|
|
|
+ credentialsId: '${GIT_SSH_KEY}',
|
|
|
+ playbook: '${PLAYBOOK}',
|
|
|
+ extraVars: [
|
|
|
+ target_dir: '${TARGET_DIR}',
|
|
|
+ target_host: '${TARGET_HOST}'
|
|
|
+ ],
|
|
|
+ colorized: true)
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
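Review bot: The ansiblePlaybook call in update_sertificate passes its arguments in single-quoted Groovy strings (`'${PLAYBOOK}'`, `'${TARGET_DIR}'`, `'${TARGET_HOST}'`), which Groovy does not interpolate, so the step receives the literal text `${PLAYBOOK}` rather than the path, and `credentialsId: '${GIT_SSH_KEY}'` supplies a key-file path where the step expects a Jenkins credentials id (the `'ansible'` id already bound by the enclosing withCredentials). The callers in "Update certificate and key" have the mirror problem: `apache` and `mail` in the two PLAYBOOK expressions are bare identifiers, not strings, and should be `'apache'` and `'mail'`. On the defensive side, git_clone sets `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` when fetching the repository that holds the PKI material, which removes server authentication on that fetch — ship a known_hosts file with the git host's key pinned and pass it via `-o UserKnownHostsFile=<path>` instead; and JENKINS_PASS is copied out of the withCredentials block in "Calculate Variables" into a global and then interpolated into the `sh` script of "Run Renewal" outside any masking scope, so it should be bound by withCredentials at the point of use, with the SSH key in that same `docker run` also handed over as an environment variable that `docker inspect` on the agent can read. Separately, `ENDDATE != NEW_ENDDATE` in "Update docker secret in SWARM cluster" is evaluated before NEW_ENDDATE is assigned in the later stage, so it is always true and the secret rotation appears unconditional, and the s_client checks for the apache hosts and SMTP_SERVER omit the `:443` port that the earlier checks use (the SMTP host may need a different port and `-starttls` in any case).
```groovy
def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST) {
    // … unchanged: withCredentials / ansiColor wrappers …
            ansiblePlaybook(
                credentialsId: 'ansible',
                playbook: PLAYBOOK,
                extraVars: [
                    target_dir: TARGET_DIR,
                    target_host: TARGET_HOST
                ],
                colorized: true)
```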