OFFICERenewalWildcardJenkinsfile 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172
  1. JENKINS_PASS = ''
  2. ENDDATE = ''
  3. NEW_ENDDATE = ''
  4. BACKUP_FILE = ''
  5. CONFIG_DIR = ''
  6. COMMAND = ''
  7. TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
  8. pipeline {
  9. agent {
  10. label "swarm"
  11. }
  12. environment {
  13. REGISTRY_OFFICE='registry.sdsys.ru'
  14. CLUSTER_OFFICE='swarm.sdsys.ru'
  15. DOCKER_CERT_PATH='/run/secrets/swarm'
  16. IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
  17. JENKINS_MAIL='jenkins.dev@sdsys.ru'
  18. SMTP_SERVER='mail.sdsys.ru'
  19. RECIPIENT_MAIL_BOX='admin@sdsys.ru'
  20. PKI_GIT_NAME='pki'
  21. DOMAIN='sdsys.ru'
  22. PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
  23. SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
  24. SWARM_GIT_NAME='swarm'
  25. }
  26. parameters {
  27. string(
  28. name: "mailto",
  29. defaultValue: "admin@sdsys.ru",
  30. description: "Email which has to be notified."
  31. )
  32. }
  33. stages {
  34. stage("Calculate Variables") {
  35. steps {
  36. script {
  37. ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  38. CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
  39. BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
  40. COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
  41. withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  42. JENKINS_USER = USERNAME
  43. JENKINS_PASS = PASSWORD
  44. }
  45. }
  46. }
  47. }
  48. /* stage("Run Renewal") {
  49. steps {
  50. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  51. sh """set +x
  52. docker run -t --rm -e TZ=Europe/Moscow \
  53. -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
  54. -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
  55. -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
  56. -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
  57. /${COMMAND}
  58. """
  59. }
  60. }
  61. }
  62. *//* stage("Update docker secret in SWARM cluster") {
  63. steps {
  64. script {
  65. ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  66. if (ENDDATE != NEW_ENDDATE) {
  67. git_clone(PKI_GIT_URL)
  68. git_clone(SWARM_GIT_URL)
  69. echo "Update docker secret in ${CLUSTER_OFFICE}"
  70. NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
  71. update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
  72. }
  73. }
  74. }
  75. }
  76. */ stage("Update certificate and key") {
  77. steps {
  78. script {
  79. // Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в 2 stage
  80. git_clone(PKI_GIT_URL)
  81. git_clone(SWARM_GIT_URL)
  82. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  83. TARGET_HOSTS_APACHE.each { item ->
  84. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  85. if (ENDDATE != NEW_ENDDATE) {
  86. echo "Update certificate and key for ${item}"
  87. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
  88. def TARGET_HOST = item + '.' + DOMAIN
  89. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  90. update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  91. }
  92. }
  93. ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  94. // if (ENDDATE != NEW_ENDDATE) {
  95. echo "Update certificate and key for ${SMTP_SERVER}"
  96. sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
  97. PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
  98. ANSIBLE_CONFIG = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'ansible.cfg'
  99. sh 'cp -f ${ANSIBLE_CONFIG} ${WORKSPACE}'
  100. TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  101. update_zimbra(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
  102. // update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
  103. // }
  104. }
  105. }
  106. }
  107. }
  108. post {
  109. always {
  110. echo "CleaningUp work directory"
  111. deleteDir()
  112. }
  113. success {
  114. mail charset: 'UTF-8',
  115. subject: "Jenkins build SUCCESS",
  116. mimeType: 'text/html',
  117. to: "${mailto}",
  118. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  119. }
  120. failure {
  121. mail charset: 'UTF-8',
  122. subject: "Jenkins build ERROR",
  123. mimeType: 'text/html',
  124. to: "${mailto}",
  125. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  126. }
  127. }
  128. }
  129. def git_clone(String REPO) {
  130. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  131. sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  132. git clone ${REPO}
  133. """
  134. }
  135. }
  136. def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
  137. sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
  138. docker stack rm registry
  139. docker stack rm proxy
  140. docker secret rm sdsys_full
  141. docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
  142. sleep 10
  143. docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
  144. docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
  145. """
  146. }
  147. def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  148. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  149. ansiColor('xterm') {
  150. ansiblePlaybook(
  151. credentialsId: 'ansible',
  152. playbook: PLAYBOOK,
  153. disableHostKeyChecking: true,
  154. extraVars: [
  155. TARGET_DIR: TARGET_DIR,
  156. TARGET_HOST: TARGET_HOST,
  157. DOMAIN: DOMAIN
  158. ],
  159. // extras: '-vvv',
  160. colorized: true)
  161. }
  162. }
  163. }
  164. def update_zimbra(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  165. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  166. sh """ansible-playbook --private-key ${GIT_SSH_KEY} ${PLAYBOOK} \
  167. -u ansible -e TARGET_DIR=${TARGET_DIR} \
  168. -e TARGET_HOST=${TARGET_HOST} -e DOMAIN=${DOMAIN} \
  169. --ssh-common-args='-o StrictHostKeyChecking=no'
  170. """
  171. }
  172. }