OFFICERenewalWildcardJenkinsfile 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181
  1. JENKINS_PASS = ''
  2. ENDDATE = ''
  3. NEW_ENDDATE = ''
  4. BACKUP_FILE = ''
  5. CONFIG_DIR = ''
  6. COMMAND = ''
  7. TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
  8. TARGET_HOSTS_PROXMOX = [ 'kvm-test', 'kvm1', 'kvm2', 'kvm3', 'kvm4', 'kvm5', 'kvm6', 'kvm7' ]
  9. pipeline {
  10. agent {
  11. label "swarm"
  12. }
  13. environment {
  14. REGISTRY_OFFICE='registry.sdsys.ru'
  15. CLUSTER_OFFICE='swarm.sdsys.ru'
  16. DOCKER_CERT_PATH='/run/secrets/swarm'
  17. IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
  18. JENKINS_MAIL='jenkins.dev@sdsys.ru'
  19. SMTP_SERVER='mail.sdsys.ru'
  20. RECIPIENT_MAIL_BOX='admin@sdsys.ru'
  21. PKI_GIT_NAME='pki'
  22. DOMAIN='sdsys.ru'
  23. PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
  24. SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
  25. SWARM_GIT_NAME='swarm'
  26. }
  27. parameters {
  28. string(
  29. name: "mailto",
  30. defaultValue: "admin@sdsys.ru",
  31. description: "Email which has to be notified."
  32. )
  33. }
  34. stages {
  35. stage("Calculate Variables") {
  36. steps {
  37. script {
  38. ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  39. CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
  40. BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
  41. COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
  42. withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  43. JENKINS_USER = USERNAME
  44. JENKINS_PASS = PASSWORD
  45. }
  46. }
  47. }
  48. }
  49. stage("Run Renewal") {
  50. steps {
  51. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  52. sh """set +x
  53. docker run -t --rm -e TZ=Europe/Moscow \
  54. -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
  55. -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
  56. -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
  57. -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
  58. /${COMMAND}
  59. """
  60. }
  61. }
  62. }
  63. stage("Update docker secret in SWARM cluster") {
  64. steps {
  65. script {
  66. git_clone(PKI_GIT_URL)
  67. git_clone(SWARM_GIT_URL)
  68. ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  69. if (ENDDATE != NEW_ENDDATE) {
  70. echo "Update docker secret in ${CLUSTER_OFFICE}"
  71. NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
  72. update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
  73. }
  74. }
  75. }
  76. }
  77. stage("Update certificate and key to Proxmox") {
  78. steps {
  79. script {
  80. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  81. TARGET_HOSTS_PROXMOX.each { item ->
  82. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:8006 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  83. if (ENDDATE != NEW_ENDDATE) {
  84. echo "Update certificate and key for ${item}"
  85. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'proxmox.yml'
  86. def TARGET_HOST = item + '.' + DOMAIN
  87. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  88. update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  89. }
  90. }
  91. }
  92. }
  93. }
  94. stage("Update certificate and key APACHE-HOSTS") {
  95. steps {
  96. script {
  97. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  98. TARGET_HOSTS_APACHE.each { item ->
  99. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  100. if (ENDDATE != NEW_ENDDATE) {
  101. echo "Update certificate and key for ${item}"
  102. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
  103. def TARGET_HOST = item + '.' + DOMAIN
  104. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  105. update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  106. }
  107. }
  108. }
  109. }
  110. }
  111. stage("Update certificate and key to ZIMBRA") {
  112. steps {
  113. script {
  114. ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  115. if (ENDDATE != NEW_ENDDATE) {
  116. echo "Update certificate and key for ${SMTP_SERVER}"
  117. sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
  118. PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
  119. TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  120. update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
  121. }
  122. }
  123. }
  124. }
  125. }
  126. post {
  127. always {
  128. echo "CleaningUp work directory"
  129. deleteDir()
  130. }
  131. success {
  132. mail charset: 'UTF-8',
  133. subject: "Jenkins build SUCCESS",
  134. mimeType: 'text/html',
  135. to: "${mailto}",
  136. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  137. }
  138. failure {
  139. mail charset: 'UTF-8',
  140. subject: "Jenkins build ERROR",
  141. mimeType: 'text/html',
  142. to: "${mailto}",
  143. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  144. }
  145. }
  146. }
  147. def git_clone(String REPO) {
  148. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  149. sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  150. git clone ${REPO}
  151. """
  152. }
  153. }
  154. def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
  155. sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
  156. docker stack rm registry
  157. docker stack rm proxy
  158. docker secret rm sdsys_full
  159. docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
  160. sleep 10
  161. docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
  162. docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
  163. """
  164. }
  165. def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  166. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  167. ansiColor('xterm') {
  168. ansiblePlaybook(
  169. credentialsId: 'ansible',
  170. playbook: PLAYBOOK,
  171. disableHostKeyChecking: true,
  172. extraVars: [
  173. TARGET_DIR: TARGET_DIR,
  174. TARGET_HOST: TARGET_HOST,
  175. DOMAIN: DOMAIN
  176. ],
  177. // extras: '-vvv',
  178. colorized: true)
  179. }
  180. }
  181. }