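// Jenkins declarative pipeline: renews the wildcard Let's Encrypt certificate for
// DOMAIN through an acme-dns container, then pushes the renewed certificate/key to
// every consumer (Swarm registry/proxy stacks, Proxmox nodes, Apache hosts, the
// Zimbra mail server) whose currently served certificate has a different notAfter.
//
// Security notes for this file:
//   * Secrets (the `jenkins` SMTP password, the `provision` SSH private key) are read
//     by the shell from the environment variables that `withCredentials` exports and
//     are never interpolated by Groovy into `sh` script text; they are handed to
//     `docker run` as bare `-e NAME`, so the values do not appear in the agent's
//     process argument list. They are still visible via `docker inspect` on the agent.
//   * SSH host keys are verified for the git server (git_clone) and for every target
//     host (update_sertificate). The agent must carry those public keys in
//     ~/.ssh/known_hosts; an unknown or changed key fails the build instead of being
//     silently accepted. This pipeline moves private keys, so fail-closed is intended.

// Script-scope state shared between stages. All paths are relative to the checkout
// root: inside the acme-dns container they are resolved from `/`, on the agent from
// WORKSPACE (after git_clone()).
BACKUP_FILE = ''   // acme-dns database dump
CONFIG_DIR = ''    // letsencrypt config tree (live/<domain>/cert.pem etc.)
ACME_DIR = ''      // renewal script, playbooks and CA bundle
COMMAND = ''       // renewal script executed inside the container

TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
TARGET_HOSTS_PROXMOX = [ 'kvm-test', 'kvm1', 'kvm2', 'kvm3', 'kvm4', 'kvm5', 'kvm6', 'kvm7' ]

pipeline {
    agent { label "swarm" }

    environment {
        REGISTRY_OFFICE    = 'registry.sdsys.ru'
        CLUSTER_OFFICE     = 'swarm.sdsys.ru'
        // Client TLS material for the Swarm manager API; used wherever DOCKER_TLS_VERIFY=1 is set.
        DOCKER_CERT_PATH   = '/run/secrets/swarm'
        IMAGE_NAME         = 'registry.infoclinica.ru:5000/acme-dns:1.5'
        JENKINS_MAIL       = 'jenkins.dev@sdsys.ru'
        SMTP_SERVER        = 'mail.sdsys.ru'
        RECIPIENT_MAIL_BOX = 'admin@sdsys.ru'
        PKI_GIT_NAME       = 'pki'
        DOMAIN             = 'sdsys.ru'
        PKI_GIT_URL        = 'ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
        SWARM_GIT_URL      = 'ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
        SWARM_GIT_NAME     = 'swarm'
    }

    parameters {
        string(name: "mailto", defaultValue: "admin@sdsys.ru", description: "Email which has to be notified.")
    }

    stages {
        stage("Calculate Variables") {
            steps {
                script {
                    ACME_DIR    = "${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns"
                    CONFIG_DIR  = "${PKI_GIT_NAME}/${DOMAIN}/wildcard/letsencrypt"
                    BACKUP_FILE = "${ACME_DIR}/${DOMAIN}.dump.gz"
                    COMMAND     = "${ACME_DIR}/renewal.sh"
                    // The SMTP credential is no longer copied into script globals here:
                    // it is bound only around the one `sh` step that needs it (Run Renewal).
                }
            }
        }

        stage("Run Renewal") {
            steps {
                // Both credentials are scoped to this single shell step. The shell reads
                // \$USERNAME/\$PASSWORD/\$GIT_SSH_KEY from the environment; nothing secret is
                // Groovy-interpolated into the script text, and `set +x` keeps the shell from
                // echoing the assignments.
                withCredentials([
                    usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
                    sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')
                ]) {
                    sh """set +x
JENKINS_MAIL_USER="\$USERNAME"
JENKINS_MAIL_PASS="\$PASSWORD"
SSHKEY="\$(cat "\$GIT_SSH_KEY")"
export JENKINS_MAIL_USER JENKINS_MAIL_PASS SSHKEY
# Bare `-e NAME` makes docker copy the value from the environment, keeping the
# password and the private key out of the `docker run` argument list.
# Presumably the image clones git_url to / first, since COMMAND is run from /${PKI_GIT_NAME} -- confirm in renewal.sh.
docker run -t --rm -e TZ=Europe/Moscow \\
    -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \\
    -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER -e JENKINS_MAIL_PASS \\
    -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \\
    -e SSHKEY -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \\
    /${COMMAND}
"""
                }
            }
        }

        stage("Update docker secret in SWARM cluster") {
            steps {
                script {
                    git_clone(PKI_GIT_URL)
                    git_clone(SWARM_GIT_URL)
                    def new_enddate = renewed_enddate()
                    def served = served_enddate(REGISTRY_OFFICE, 443)
                    if (served != new_enddate) {
                        echo "Update docker secret in ${CLUSTER_OFFICE}"
                        // Resolve the manager behind the cluster name once and pin the whole
                        // rm/create/deploy sequence to that concrete address.
                        def node_ip = sh(
                            script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'",
                            returnStdout: true
                        ).trim()
                        update_secret(node_ip, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
                    }
                }
            }
        }

        stage("Update certificate and key to Proxmox") {
            steps {
                script {
                    def new_enddate = renewed_enddate()
                    TARGET_HOSTS_PROXMOX.each { item ->
                        def target_host = "${item}.${DOMAIN}"
                        // Proxmox web UI / API port.
                        def served = served_enddate(target_host, 8006)
                        if (served != new_enddate) {
                            echo "Update certificate and key for ${item}"
                            update_sertificate("${ACME_DIR}/proxmox.yml", "${WORKSPACE}/${CONFIG_DIR}", target_host, DOMAIN)
                        }
                    }
                }
            }
        }

        stage("Update certificate and key APACHE-HOSTS") {
            steps {
                script {
                    def new_enddate = renewed_enddate()
                    TARGET_HOSTS_APACHE.each { item ->
                        def target_host = "${item}.${DOMAIN}"
                        def served = served_enddate(target_host, 443)
                        if (served != new_enddate) {
                            echo "Update certificate and key for ${item}"
                            update_sertificate("${ACME_DIR}/apache.yml", "${WORKSPACE}/${CONFIG_DIR}", target_host, DOMAIN)
                        }
                    }
                }
            }
        }

        stage("Update certificate and key to ZIMBRA") {
            steps {
                script {
                    def new_enddate = renewed_enddate()
                    def served = served_enddate(SMTP_SERVER, 443)
                    if (served != new_enddate) {
                        echo "Update certificate and key for ${SMTP_SERVER}"
                        // Appends the CA bundle to the chain that mail.yml deploys (presumably
                        // what Zimbra's deploy expects -- confirm against the playbook). This only
                        // edits the workspace copy; post{} deletes the workspace afterwards.
                        sh "cat ${ACME_DIR}/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
                        update_sertificate("${ACME_DIR}/mail.yml", "${WORKSPACE}/${CONFIG_DIR}", SMTP_SERVER, DOMAIN)
                    }
                }
            }
        }
    }

    post {
        always {
            // The workspace holds cloned private-key material; never leave it on the agent.
            echo "CleaningUp work directory"
            deleteDir()
        }
        success {
            mail charset: 'UTF-8', subject: "Jenkins build SUCCESS", mimeType: 'text/html', to: "${mailto}", body: """ATTENTION!!!
Jenkins job successed.\n\n
Project Name:
${env.JOB_NAME}
Renewal certs and keys

\nBuild Number:
${env.BUILD_NUMBER}
\nURL Build:
${RUN_DISPLAY_URL}"""
        }
        failure {
            mail charset: 'UTF-8', subject: "Jenkins build ERROR", mimeType: 'text/html', to: "${mailto}", body: """ATTENTION!!!
Jenkins job failed.\n\n
Project Name:
${env.JOB_NAME}
\nBuild Number:
${env.BUILD_NUMBER}
\nURL Build:
${RUN_DISPLAY_URL}"""
        }
    }
}

// Returns the `notAfter=...` line of the certificate `host` currently serves on `port`
// (SNI = host). The TLS chain is deliberately not validated here; only the date is
// compared. A host that does not answer fails the build: `openssl x509` exits non-zero
// on empty input, and `sh` propagates that.
def served_enddate(String host, int port) {
    return sh(
        script: "echo | openssl s_client -servername ${host} -connect ${host}:${port} 2>/dev/null | openssl x509 -noout -enddate",
        returnStdout: true
    ).trim()
}

// Returns the `notAfter=...` line of the freshly renewed certificate in the checked-out
// pki repository. Must run after git_clone(PKI_GIT_URL).
def renewed_enddate() {
    return sh(
        script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${env.DOMAIN}/cert.pem",
        returnStdout: true
    ).trim()
}

// Clones REPO into the workspace (into its basename directory, as `git clone` does) with
// the `provision` deploy key. The git server's host key is verified against the agent's
// known_hosts: the pki repo holds private keys and the script/playbooks this pipeline
// executes, so a spoofed or MITM'd server must fail the build, not be accepted.
def git_clone(String REPO) {
    withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
        // \$GIT_SSH_KEY is expanded by the shell from the credential environment, not by Groovy.
        sh """GIT_SSH_COMMAND="ssh -i \$GIT_SSH_KEY -o StrictHostKeyChecking=yes" git clone ${REPO}"""
    }
}

// Rotates the `sdsys_full` Swarm secret on the manager at NODE_IP (TLS-verified via
// DOCKER_CERT_PATH) and redeploys the stacks that consume it. Swarm refuses to remove
// a secret that is still referenced, so the registry and proxy stacks are torn down
// first; both are unavailable until the final deploys complete.
// NOTE(review): `docker stack rm` returns before its services are gone, so the
// `docker secret rm` can race with it and fail with "in use"; if that is observed,
// poll for the services to disappear (or move the sleep) before removing the secret.
def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
    sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
docker stack rm registry
docker stack rm proxy
docker secret rm sdsys_full
docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
sleep 10
docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
"""
}

// Runs PLAYBOOK against TARGET_HOST with the `ansible` SSH credential, passing the
// directory holding the renewed material as TARGET_DIR. Host key checking is left at
// the plugin default (enabled): per the stage names the playbooks push the certificate
// and its private key, so the target's identity must be verified against the agent's
// known_hosts rather than trusted blindly. The previous extra withCredentials wrapper
// only duplicated the key the step already receives via credentialsId and was dropped.
def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
    ansiColor('xterm') {
        ansiblePlaybook(
            credentialsId: 'ansible',
            playbook: PLAYBOOK,
            extraVars: [
                TARGET_DIR: TARGET_DIR,
                TARGET_HOST: TARGET_HOST,
                DOMAIN: DOMAIN
            ],
            // extras: '-vvv',
            colorized: true)
    }
}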