acme-dns/RenewalJenkinsfile

JENKINS_PASS = ''
ENDDATE = ''
NEW_ENDDATE = ''
BACKUP_FILE = ''
CONFIG_DIR = ''
COMMAND = ''
pipeline {
    agent {
        label "swarm"
    }
    environment {
        CLUSTER_NAME_OPEN='iru-swarm1-open.infoclinica.lan'
        CLUSTER_NAME_PROD='iru-swarm.infoclinica.lan'
        CLUSTER_NAME_DEV='dev-iru-swarm.infoclinica.lan'
        DOCKER_CERT_PATH='/run/secrets/swarm'
        IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.3'
        JENKINS_MAIL='jenkins.dev@sdsys.ru'
        SMTP_SERVER='mail.sdsys.ru'
        RECIPIENT_MAIL_BOX='admin@sdsys.ru'
        PKI_GIT_SUBDIR='iru'
        PKI_GIT_NAME='pki'
        DOMAIN='infoclinica.ru'
        PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
        STACK-DEPLOY_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/stack-deploy.git'
        STACK-DEPLOY_GIT_NAME='stack-deploy'
    }
    parameters {
        string(
            name: "mailto",
            defaultValue: "admin@sdsys.ru",
            description: "Email which has to be notified."
        )
    }
    stages {
      stage("Calculate Variables) {
        steps {
          script {
            ENDDATE = sh (script: "$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -enddate)", returnStdout: true).trim()
            CONFIG_DIR = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/letsencrypt'
            BACKUP_FILE = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
            COMMAND = PKI_GIT_NAME + '/' + PKI_GIT_SUBDIR + '/wildcard/acme-dns/' + 'renewal.sh'
            withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              JENKINS_PASS = PASSWORD
            }
          }
        }
      }
      stage("Run Renewal") {
        steps {
          withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
            sh """set +x
                  DOCKER_HOST=tcp://${CLUSTER_NAME_OPEN}:2376 DOCKER_TLS_VERIFY=1 docker run -t --rm -e TZ=Europe/Moscow \
                    -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
                    -e JENKINS_MAIL_PASS=${JENKINS_PASS} -e JENKINS_MAIL_USER=${JENKINS_MAIL} \
                    -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
                    -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 53:53/udp -p 53:53/tcp ${IMAGE_NAME} \
                    /${COMMAND}
               """
          }
        }
      }
      stage("Update secret in CLUSTERS") {
        steps {
          script {
            git_clone(PKI_GIT_URL)
            git_clone(STACK-DEPLOY_GIT_URL)
            withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
              sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
                      git clone ${PKI_GIT_URL}
                    GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
                      git clone ${STACK-DEPLOY_GIT_URL}
                 """
            }
            def NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
            if (ENDDATE != NEW_ENDDATE) {
              echo "Update docker secret in ${CLUSTER_NAME_PROD}"
              def NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME_PROD}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
              update_secret(NODE_IP, STACK-DEPLOY_GIT_NAME, DOMAIN, CONFIG_DIR)
              echo "Update docker secret in ${CLUSTER_NAME_DEV}"
              NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME_DEV}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
              update_secret(NODE_IP, STACK-DEPLOY_GIT_NAME, DOMAIN, CONFIG_DIR)
            }
          }
        }
      }
    
  }
  post {
    always {
      echo "CleaningUp work directory"
      deleteDir()
    }
    success {
      mail charset: 'UTF-8',
           subject: "Jenkins build SUCCESS",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
    failure {
      mail charset: 'UTF-8',
           subject: "Jenkins build ERROR",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
  }
}
def git_clone(String REPO) {
        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
          sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
                git clone ${REPO}
             """
        }
}
def update_secret(String NODE_IP, String STACK-DEPLOY_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
        sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
              docker service rm infrastructure_registry
              docker secret rm infoclinica_full
              docker secret create infoclinica_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
              cd ${STACK-DEPLOY_GIT_NAME}
              ./infrastructure.sh
           """
}