acme-dns/OFFICERenewalWildcardJenkinsfile

JENKINS_PASS = ''
ENDDATE = ''
NEW_ENDDATE = ''
BACKUP_FILE = ''
CONFIG_DIR = ''
COMMAND = ''
TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
pipeline {
  agent {
    label "swarm"
  }
  environment {
    REGISTRY_OFFICE='registry.sdsys.ru'
    CLUSTER_OFFICE='swarm.sdsys.ru'
    DOCKER_CERT_PATH='/run/secrets/swarm'
    IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
    JENKINS_MAIL='jenkins.dev@sdsys.ru'
    SMTP_SERVER='mail.sdsys.ru'
    RECIPIENT_MAIL_BOX='admin@sdsys.ru'
    PKI_GIT_NAME='pki'
    DOMAIN='sdsys.ru'
    PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
    SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
    SWARM_GIT_NAME='swarm'
  }
  parameters {
    string(
      name: "mailto",
      defaultValue: "admin@sdsys.ru",
      description: "Email which has to be notified."
    )
  }
  stages {
    stage("Calculate Variables") {
      steps {
        script {
          ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
          BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
          COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
          withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
            JENKINS_USER = USERNAME
            JENKINS_PASS = PASSWORD
          }
        }
      }
    }
/*    stage("Run Renewal") {
      steps {
        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
          sh """set +x
                docker run -t --rm -e TZ=Europe/Moscow \
                  -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
                  -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
                  -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
                  -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
                  /${COMMAND}
             """
        }
      }
    }
*//*    stage("Update docker secret in SWARM cluster") {
      steps {
        script {
          ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          if (ENDDATE != NEW_ENDDATE) {
            git_clone(PKI_GIT_URL)
            git_clone(SWARM_GIT_URL)
            echo "Update docker secret in ${CLUSTER_OFFICE}"
            NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
            update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
          }
        }
      }
    }
*/    stage("Update certificate and key") {
      steps {
        script {
// Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в предыдущем шаге
          git_clone(PKI_GIT_URL)
          git_clone(SWARM_GIT_URL)
//          withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
//            sh "ssh -i ${GIT_SSH_KEY} ansible@pbx.sdsys.ru"
//          }
          NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
          TARGET_HOSTS_APACHE.each { item -> 
            ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
//            if (ENDDATE != NEW_ENDDATE) {
              echo "Update certificate and key for ${item}"
              def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
              def TARGET_HOST = item + '.' + DOMAIN
              def DOT_DOMAIN = '.' + DOMAIN
              def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
              update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOT_DOMAIN)
//              ap(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOT_DOMAIN)
//            }
          }
/*          ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
          if (ENDDATE != NEW_ENDDATE) {
            echo "Update certificate and key for ${SMTP_SERVER}"
            sh "cat ${PKI_GIT_NAME}/${DOMAIN}/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
            def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
            update_sertificate(PLAYBOOK, CONFIG_DIR, SMTP_SERVER)
          }
*/        }
      }
    }
  }
  post {
    always {
      echo "CleaningUp work directory"
      deleteDir()
    }
    success {
      mail charset: 'UTF-8',
           subject: "Jenkins build SUCCESS",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
    failure {
      mail charset: 'UTF-8',
           subject: "Jenkins build ERROR",
           mimeType: 'text/html',
           to: "${mailto}",
           body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    }
  }
}
def git_clone(String REPO) {
      withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
        sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
              git clone ${REPO}
           """
      }
}
def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
      sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
            docker stack rm registry
            docker stack rm proxy
            docker secret rm sdsys_full
            docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
            sleep 10
            docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
            docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
         """
}
def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
      withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
        ansiColor('xterm') {
          ansiblePlaybook(
            credentialsId: 'ansible',
            playbook: PLAYBOOK,
            disableHostKeyChecking: true,
            extraVars: [
              target_dir: TARGET_DIR,
              TARGET_HOST: TARGET_HOST,
              domain: DOMAIN
            ],
            extras: '-vvv',
            colorized: true)
        }
      }
}
def ap(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST) {
      withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
        sh """ansible-playbook ${PLAYBOOK} --private-key \
                ${GIT_SSH_KEY} -u ansible -e target_dir=${TARGET_DIR} \
                -e TARGET_HOST=${TARGET_HOST} --ssh-common-args='-o StrictHostKeyChecking=no' -vvv
           """
      }
}