OFFICERenewalWildcardJenkinsfile 8.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181
  1. JENKINS_PASS = ''
  2. ENDDATE = ''
  3. NEW_ENDDATE = ''
  4. BACKUP_FILE = ''
  5. CONFIG_DIR = ''
  6. COMMAND = ''
  7. TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
  8. TARGET_HOST_PROXMOX = [ 'kvm-test' ]
  9. pipeline {
  10. agent {
  11. label "swarm"
  12. }
  13. environment {
  14. REGISTRY_OFFICE='registry.sdsys.ru'
  15. CLUSTER_OFFICE='swarm.sdsys.ru'
  16. DOCKER_CERT_PATH='/run/secrets/swarm'
  17. IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
  18. JENKINS_MAIL='jenkins.dev@sdsys.ru'
  19. SMTP_SERVER='mail.sdsys.ru'
  20. RECIPIENT_MAIL_BOX='admin@sdsys.ru'
  21. PKI_GIT_NAME='pki'
  22. DOMAIN='sdsys.ru'
  23. PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
  24. SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
  25. SWARM_GIT_NAME='swarm'
  26. }
  27. parameters {
  28. string(
  29. name: "mailto",
  30. defaultValue: "admin@sdsys.ru",
  31. description: "Email which has to be notified."
  32. )
  33. }
  34. stages {
  35. stage("Calculate Variables") {
  36. steps {
  37. script {
  38. ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  39. CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
  40. BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
  41. COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
  42. withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  43. JENKINS_USER = USERNAME
  44. JENKINS_PASS = PASSWORD
  45. }
  46. }
  47. }
  48. }
  49. /* stage("Run Renewal") {
  50. steps {
  51. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  52. sh """set +x
  53. docker run -t --rm -e TZ=Europe/Moscow \
  54. -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
  55. -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
  56. -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
  57. -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
  58. /${COMMAND}
  59. """
  60. }
  61. }
  62. }
  63. *//* stage("Update docker secret in SWARM cluster") {
  64. steps {
  65. script {
  66. ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  67. if (ENDDATE != NEW_ENDDATE) {
  68. git_clone(PKI_GIT_URL)
  69. git_clone(SWARM_GIT_URL)
  70. echo "Update docker secret in ${CLUSTER_OFFICE}"
  71. NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
  72. update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
  73. }
  74. }
  75. }
  76. }
  77. */ stage("Update certificate and key to Proxmox") {
  78. steps {
  79. script {
  80. // Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в 2 stage
  81. git_clone(PKI_GIT_URL)
  82. git_clone(SWARM_GIT_URL)
  83. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  84. TARGET_HOSTS_PROXMOX.each { item ->
  85. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  86. if (ENDDATE != NEW_ENDDATE) {
  87. echo "Update certificate and key for ${item}"
  88. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'proxmox.yml'
  89. def TARGET_HOST = item + '.' + DOMAIN
  90. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  91. update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  92. }
  93. }
  94. }
  95. }
  96. }
  97. /* stage("Update certificate and key") {
  98. steps {
  99. script {
  100. // Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в 2 stage
  101. git_clone(PKI_GIT_URL)
  102. git_clone(SWARM_GIT_URL)
  103. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  104. TARGET_HOSTS_APACHE.each { item ->
  105. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  106. if (ENDDATE != NEW_ENDDATE) {
  107. echo "Update certificate and key for ${item}"
  108. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
  109. def TARGET_HOST = item + '.' + DOMAIN
  110. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  111. update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  112. }
  113. }
  114. ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  115. if (ENDDATE != NEW_ENDDATE) {
  116. echo "Update certificate and key for ${SMTP_SERVER}"
  117. sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
  118. PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
  119. TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  120. update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
  121. }
  122. }
  123. }
  124. }
  125. */ }
  126. post {
  127. always {
  128. echo "CleaningUp work directory"
  129. deleteDir()
  130. }
  131. success {
  132. mail charset: 'UTF-8',
  133. subject: "Jenkins build SUCCESS",
  134. mimeType: 'text/html',
  135. to: "${mailto}",
  136. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  137. }
  138. failure {
  139. mail charset: 'UTF-8',
  140. subject: "Jenkins build ERROR",
  141. mimeType: 'text/html',
  142. to: "${mailto}",
  143. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  144. }
  145. }
  146. }
  147. def git_clone(String REPO) {
  148. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  149. sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  150. git clone ${REPO}
  151. """
  152. }
  153. }
  154. def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
  155. sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
  156. docker stack rm registry
  157. docker stack rm proxy
  158. docker secret rm sdsys_full
  159. docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
  160. sleep 10
  161. docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
  162. docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
  163. """
  164. }
  165. def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  166. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  167. ansiColor('xterm') {
  168. ansiblePlaybook(
  169. credentialsId: 'ansible',
  170. playbook: PLAYBOOK,
  171. disableHostKeyChecking: true,
  172. extraVars: [
  173. TARGET_DIR: TARGET_DIR,
  174. TARGET_HOST: TARGET_HOST,
  175. DOMAIN: DOMAIN
  176. ],
  177. // extras: '-vvv',
  178. colorized: true)
  179. }
  180. }
  181. }