浏览代码

add jenkinsfile for sdsys.ru

Tomishinets Vladimir 5 年之前
父节点
当前提交
a7ae7e32d7
共有 1 个文件被更改,包括 152 次插入0 次删除
  1. 152 0
      OFFICERenewalWildcardJenkinsfile

+ 152 - 0
OFFICERenewalWildcardJenkinsfile

@@ -0,0 +1,152 @@
+JENKINS_PASS = ''
+ENDDATE = ''
+NEW_ENDDATE = ''
+BACKUP_FILE = ''
+CONFIG_DIR = ''
+COMMAND = ''
+TARGET_HOSTS_APACHE = [ 'pbx', 'sugar', 'owncloud' ]
+pipeline {
+  agent {
+    label "swarm"
+  }
+  environment {
+    REGISTRY_OFFICE='registry.sdsys.ru'
+    CLUSTER_OFFICE='swarm.sdsys.ru'
+    DOCKER_CERT_PATH='/run/secrets/swarm'
+    IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
+    JENKINS_MAIL='jenkins.dev@sdsys.ru'
+    SMTP_SERVER='mail.sdsys.ru'
+    RECIPIENT_MAIL_BOX='admin@sdsys.ru'
+    PKI_GIT_NAME='pki'
+    DOMAIN='sdsys.ru'
+    PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
+    SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
+    SWARM_GIT_NAME='swarm'
+  }
+  parameters {
+    string(
+      name: "mailto",
+      defaultValue: "admin@sdsys.ru",
+      description: "Email which has to be notified."
+    )
+  }
+  stages {
+    stage("Calculate Variables") {
+      steps {
+        script {
+          ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
+          CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
+          BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
+          COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
+          withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
+            JENKINS_USER = USERNAME
+            JENKINS_PASS = PASSWORD
+          }
+        }
+      }
+    }
+    stage("Run Renewal") {
+      steps {
+        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+          sh """set +x
+                docker run -t --rm -e TZ=Europe/Moscow \
+                  -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
+                  -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
+                  -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
+                  -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 53:53/udp -p 53:53/tcp ${IMAGE_NAME} \
+                  /${COMMAND}
+             """
+        }
+      }
+    }
+    stage("Update docker secret in SWARM cluster") {
+      steps {
+        script {
+          ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
+          if (ENDDATE != NEW_ENDDATE) {
+            echo "Update docker secret in ${CLUSTER_OFFICE}"
+            NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
+            update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
+          }
+        }
+      }
+    }
+    stage("Update certificate and key") {
+      steps {
+        script {
+          git_clone(PKI_GIT_URL)
+          git_clone(SWARM_GIT_URL)
+          NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
+          TARGET_HOSTS_APACHE.each { item -> 
+            ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
+            if (ENDDATE != NEW_ENDDATE) {
+              echo "Update certificate and key for ${item}"
+              def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + apache + '.yml'
+              def TARGET_HOST = item + '.' + DOMAIN
+              update_sertificate(PLAYBOOK, CONFIG_DIR, TARGET_HOST)
+            }
+          }
+          ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
+          if (ENDDATE != NEW_ENDDATE) {
+            echo "Update certificate and key for ${SMTP_SERVER}"
+            sh "cat ${PKI_GIT_NAME}/${DOMAIN}/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
+            def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + mail + '.yml'
+            update_sertificate(PLAYBOOK, CONFIG_DIR, SMTP_SERVER)
+          }
+        }
+      }
+    }
+  }
+  post {
+    always {
+      echo "CleaningUp work directory"
+      deleteDir()
+    }
+    success {
+      mail charset: 'UTF-8',
+           subject: "Jenkins build SUCCESS",
+           mimeType: 'text/html',
+           to: "${mailto}",
+           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
+    }
+    failure {
+      mail charset: 'UTF-8',
+           subject: "Jenkins build ERROR",
+           mimeType: 'text/html',
+           to: "${mailto}",
+           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
+    }
+  }
+}
+def git_clone(String REPO) {
+      withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+        sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+              git clone ${REPO}
+           """
+      }
+}
+def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
+      sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
+            docker stack rm registry
+            docker stack rm proxy
+            docker secret rm sdsys_full
+            docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
+            sleep 10
+            docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
+            docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
+         """
+}
+def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST) {
+      withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+        ansiColor('xterm') {
+          ansiblePlaybook(
+            credentialsId: '${GIT_SSH_KEY}',
+            playbook: '${PLAYBOOK}',
+            extraVars: [
+              target_dir: '${TARGET_DIR}',
+              target_host: '${TARGET_HOST}'
+            ],
+            colorized: true)
+        }
+      }
+}