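// Script-level globals shared by the stages below. They are declared without
// `def` on purpose: that puts them in the script binding, which is what lets the
// declarative stages' script {} blocks read and reassign them.
JENKINS_PASS = ''      // set from the 'jenkins' credential in "Calculate Variables"
JENKINS_USER = ''      // declared here for symmetry with JENKINS_PASS; assigned in the same stage
ENDDATE = ''           // `openssl x509 -enddate` line of the certificate a host currently serves
NEW_ENDDATE = ''       // `openssl x509 -enddate` line of cert.pem in the cloned pki checkout
BACKUP_FILE = ''       // acme-dns dump inside the pki checkout (only the commented-out renewal stage uses it)
CONFIG_DIR = ''        // letsencrypt config dir inside the pki checkout
COMMAND = ''           // renewal script inside the pki checkout (only the commented-out renewal stage uses it)
// Hosts whose served certificate is compared with the one in the repo. The apache
// list is referenced only by the commented-out "Update certificate and key" stage.
TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
TARGET_HOSTS_PROXMOX = [ 'kvm-test' ]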
// Declarative pipeline that compares the certificate a target host currently
// serves (via `openssl s_client`) with cert.pem in the freshly cloned pki
// checkout and, when the end-date lines differ, pushes the new material to the
// host with an Ansible playbook. Only the Proxmox stage is active; the renewal,
// swarm-secret and apache/mail stages are commented out below.
pipeline {
  agent {
    label "swarm"
  }
  environment {
    REGISTRY_OFFICE='registry.sdsys.ru'
    CLUSTER_OFFICE='swarm.sdsys.ru'
    // consumed by the docker CLI together with the DOCKER_TLS_VERIFY=1 set in update_secret
    DOCKER_CERT_PATH='/run/secrets/swarm'
    IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
    JENKINS_MAIL='jenkins.dev@sdsys.ru'
    SMTP_SERVER='mail.sdsys.ru'
    RECIPIENT_MAIL_BOX='admin@sdsys.ru'
    // directory name the pki clone lands in; all CONFIG_DIR/BACKUP_FILE/COMMAND paths hang off it
    PKI_GIT_NAME='pki'
    DOMAIN='sdsys.ru'
    PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
    SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
    SWARM_GIT_NAME='swarm'
  }
  parameters {
    // recipient of the success/failure mail sent from post {} (not RECIPIENT_MAIL_BOX)
    string(
      name: "mailto",
      defaultValue: "admin@sdsys.ru",
      description: "Email which has to be notified."
    )
  }
  stages {
    stage("Calculate Variables") {
      steps {
        script {
          // end date of the cert DOMAIN itself serves. The active Proxmox stage
          // reassigns ENDDATE before its first comparison, so this value is
          // currently never read.
          ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
          BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
          COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
          // NOTE(review): the bound password is copied into the script global
          // JENKINS_PASS, which outlives this withCredentials block, so Jenkins'
          // log masking no longer covers it once the block ends. Its only consumer
          // is the commented-out "Run Renewal" stage, where it would be put on the
          // docker command line through Groovy string interpolation.
          withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
            JENKINS_USER = USERNAME
            JENKINS_PASS = PASSWORD
          }
        }
      }
    }
/*    stage("Run Renewal") {
      steps {
        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
          sh """set +x
                docker run -t --rm -e TZ=Europe/Moscow \
                  -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
                  -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
                  -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
                  -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
                  /${COMMAND}
             """
        }
      }
    }
*//*    stage("Update docker secret in SWARM cluster") {
      steps {
        script {
          ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          if (ENDDATE != NEW_ENDDATE) {
            git_clone(PKI_GIT_URL)
            git_clone(SWARM_GIT_URL)
            echo "Update docker secret in ${CLUSTER_OFFICE}"
            NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
            update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
          }
        }
      }
    }
*/    stage("Update certificate and key to Proxmox") {
      steps {
        script {
// The following 2 lines are to be removed after testing, since the repositories are cloned in stage 2
          git_clone(PKI_GIT_URL)
          git_clone(SWARM_GIT_URL)
          // end date of the certificate in the cloned repo; the per-host check
          // below is a plain string comparison of the two `-enddate` outputs
          NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
          TARGET_HOSTS_PROXMOX.each { item -> 
            // what <item>.<DOMAIN> serves right now; a host that does not answer
            // on :443 makes this `sh` step fail and with it the whole build
            ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
            if (ENDDATE != NEW_ENDDATE) {
              echo "Update certificate and key for ${item}"
              def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'proxmox.yml'
              def TARGET_HOST = item + '.' + DOMAIN
              // absolute path, since the playbook receives it as an extra var
              def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
              // helper defined at the bottom of this file (name kept as spelled there)
              update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
            }
          }
        }
      }
    }  
/*    stage("Update certificate and key") {
      steps {
        script {
// The following 2 lines are to be removed after testing, since the repositories are cloned in stage 2
          git_clone(PKI_GIT_URL)
          git_clone(SWARM_GIT_URL)
          NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
          TARGET_HOSTS_APACHE.each { item -> 
            ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
            if (ENDDATE != NEW_ENDDATE) {
              echo "Update certificate and key for ${item}"
              def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
              def TARGET_HOST = item + '.' + DOMAIN
              def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
              update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
            }
          }
          ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          if (ENDDATE != NEW_ENDDATE) {
            echo "Update certificate and key for ${SMTP_SERVER}"
            sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
            PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
            TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
            update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
          }
        }
      }
    }
*/  }
  post {
    // runs on every outcome: wipes the workspace, and with it the cloned pki
    // checkout that holds the certificate material used above
    always {
      echo "CleaningUp work directory"
      deleteDir()
    }
    // both mails go to the `mailto` job parameter, not to RECIPIENT_MAIL_BOX
    success {
      mail charset: 'UTF-8',
           subject: "Jenkins build SUCCESS",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
    failure {
      mail charset: 'UTF-8',
           subject: "Jenkins build ERROR",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
  }
}
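// Clones REPO into the current workspace over SSH with the 'provision' key.
//
// The key file path is expanded by the shell ($GIT_SSH_KEY), not by Groovy: a
// credential interpolated into a GString ends up in the command text Jenkins
// writes to the build log, which is exactly what the bound variables are meant
// to avoid. REPO is not a secret but is handed over the same way (withEnv) so
// the whole command can stay a single-quoted, non-interpolated string.
//
// NOTE(review): `UserKnownHostsFile=/dev/null` + `StrictHostKeyChecking=no` are
// kept from the original, so the git server's host key is never verified even
// though the repo being fetched is the PKI one. Pinning git.sdsys.ru's host key
// in the agent's known_hosts would let both options be dropped.
//
// @param REPO ssh:// URL of the repository to clone
def git_clone(String REPO) {
  withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
    withEnv(["REPO=${REPO}"]) {
      sh '''GIT_SSH_COMMAND="ssh -i $GIT_SSH_KEY -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
            git clone "$REPO"
         '''
    }
  }
}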
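// Rotates the `sdsys_full` docker secret on the swarm behind NODE_IP and
// redeploys the two stacks (registry, proxy) that consume it.
//
// A secret cannot be removed while a service still references it, and
// `docker stack rm` returns before its services are actually gone; the original
// script went straight from `stack rm` to `secret rm`, which can fail with
// "secret is in use" and abort the build with the stacks already torn down.
// The script therefore waits (bounded, ~60 s) for both stacks to drain first.
// DOCKER_CERT_PATH is not set here: the pipeline's environment block is expected
// to supply it next to the DOCKER_TLS_VERIFY=1 exported below.
//
// @param NODE_IP        address of a swarm manager (docker API on :2376, TLS)
// @param SWARM_GIT_NAME checkout directory holding registry.yml and proxy.yml
// @param DOMAIN         certificate domain; names the archive bundle file
// @param CONFIG_DIR     letsencrypt config directory inside the pki checkout
def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
  // handed to the shell through the environment so the script itself needs no Groovy interpolation
  withEnv(["NODE_IP=${NODE_IP}", "SWARM_GIT_NAME=${SWARM_GIT_NAME}", "DOMAIN=${DOMAIN}", "CONFIG_DIR=${CONFIG_DIR}"]) {
    sh '''export DOCKER_HOST=tcp://$NODE_IP:2376 DOCKER_TLS_VERIFY=1
          docker stack rm registry
          docker stack rm proxy
          # wait until neither stack has a service left; otherwise 'docker secret rm'
          # below fails because the secret is still in use
          for i in $(seq 1 30); do
            remaining="$(docker service ls -q --filter label=com.docker.stack.namespace=registry)$(docker service ls -q --filter label=com.docker.stack.namespace=proxy)"
            [ -z "$remaining" ] && break
            sleep 2
          done
          docker secret rm sdsys_full
          docker secret create sdsys_full "$CONFIG_DIR/archive/$DOMAIN/$DOMAIN.full-bundle"
          sleep 10
          docker stack deploy -c "$SWARM_GIT_NAME/registry.yml" registry
          docker stack deploy -c "$SWARM_GIT_NAME/proxy.yml" proxy
       '''
  }
}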
// Pushes the certificate material under TARGET_DIR to TARGET_HOST by running the
// given Ansible playbook with the 'ansible' credential.
//
// @param PLAYBOOK    playbook path inside the pki checkout
// @param TARGET_DIR  absolute path of the letsencrypt config dir on the agent
// @param TARGET_HOST FQDN the playbook acts on
// @param DOMAIN      certificate domain, forwarded to the playbook as an extra var
//
// NOTE(review): `disableHostKeyChecking: true` makes the playbook connect to
// TARGET_HOST without verifying its SSH host key. The surrounding
// withCredentials binding (GIT_SSH_KEY / GIT_SSH_USERNAME) is not referenced
// inside the block — ansiblePlaybook takes credentialsId directly — and looks
// unused; confirm before removing it.
def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  def playbookVars = [
    TARGET_DIR:  TARGET_DIR,
    TARGET_HOST: TARGET_HOST,
    DOMAIN:      DOMAIN
  ]
  // add `extras: '-vvv'` to the call below for verbose ansible output
  withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
    ansiColor('xterm') {
      ansiblePlaybook(credentialsId: 'ansible', playbook: PLAYBOOK, disableHostKeyChecking: true, extraVars: playbookVars, colorized: true)
    }
  }
}