
  1. JENKINS_PASS = ''
  2. ENDDATE = ''
  3. NEW_ENDDATE = ''
  4. BACKUP_FILE = ''
  5. CONFIG_DIR = ''
  6. COMMAND = ''
  7. TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
// Declarative pipeline: reads the expiry of the certificate each host currently
// serves, then pushes the wildcard certificate from the pki repository to the
// Apache hosts listed in TARGET_HOSTS_APACHE. The renewal stage and the Swarm
// secret stage are present below but commented out.
pipeline {
    agent {
        label "swarm"
    }
    environment {
        REGISTRY_OFFICE='registry.sdsys.ru'
        CLUSTER_OFFICE='swarm.sdsys.ru'
        // Client certificate directory for DOCKER_TLS_VERIFY=1 connections (see update_secret()).
        DOCKER_CERT_PATH='/run/secrets/swarm'
        IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
        JENKINS_MAIL='jenkins.dev@sdsys.ru'
        SMTP_SERVER='mail.sdsys.ru'
        RECIPIENT_MAIL_BOX='admin@sdsys.ru'
        // Checkout directory names and clone URLs of the pki (certificates) and swarm (stack files) repositories.
        PKI_GIT_NAME='pki'
        DOMAIN='sdsys.ru'
        PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
        SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
        SWARM_GIT_NAME='swarm'
    }
    parameters {
        string(
            name: "mailto",
            defaultValue: "admin@sdsys.ru",
            description: "Email which has to be notified."
        )
    }
    stages {
        stage("Calculate Variables") {
            steps {
                script {
                    // `notAfter=` of the certificate ${DOMAIN}:443 currently serves, read from a live TLS handshake.
                    ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
                    // Paths inside the pki checkout, relative to the workspace.
                    CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
                    BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
                    COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
                    // NOTE(review): the 'jenkins' credential is copied into script-global
                    // variables. Jenkins masks the value only inside the withCredentials
                    // block, so anything that later prints JENKINS_PASS (including a
                    // Groovy-interpolated `sh` string) exposes it unmasked in the log.
                    // Nothing in the active pipeline reads these two variables; only the
                    // commented-out "Run Renewal" stage does.
                    withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                        JENKINS_USER = USERNAME
                        JENKINS_PASS = PASSWORD
                    }
                }
            }
        }
        // Disabled: runs the acme-dns renewal container. If re-enabled, note that
        // JENKINS_PASS is interpolated by Groovy into the `sh` script (set +x only
        // hides the echoed command line) and that the provision key's contents are
        // placed into the container environment via SSHKEY, where `docker inspect`
        // can read them.
        /* stage("Run Renewal") {
            steps {
                withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
                    sh """set +x
docker run -t --rm -e TZ=Europe/Moscow \
-e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
-e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
-e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
-e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
/${COMMAND}
"""
                }
            }
        }
        */
        // Disabled: replaces the `sdsys_full` Docker secret on the Swarm cluster when
        // the registry's served certificate differs from NEW_ENDDATE (see update_secret()).
        /* stage("Update docker secret in SWARM cluster") {
            steps {
                script {
                    ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
                    if (ENDDATE != NEW_ENDDATE) {
                        git_clone(PKI_GIT_URL)
                        git_clone(SWARM_GIT_URL)
                        echo "Update docker secret in ${CLUSTER_OFFICE}"
                        NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
                        update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
                    }
                }
            }
        }
        */ stage("Update certificate and key") {
            steps {
                script {
                    // The next 2 lines must be removed after testing, since the repositories
                    // are cloned in the previous stage. (That stage is currently commented
                    // out, so for now these are the only clones the active pipeline performs.)
                    git_clone(PKI_GIT_URL)
                    git_clone(SWARM_GIT_URL)
                    // withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
                    // sh "ssh -i ${GIT_SSH_KEY} ansible@pbx.sdsys.ru"
                    // }
                    // `notAfter=` of the certificate checked out from the pki repository.
                    NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
                    TARGET_HOSTS_APACHE.each { item ->
                        // `notAfter=` of the certificate this host currently serves.
                        ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
                        // The comparison below is commented out, so the playbook currently runs
                        // for every host on every build, whether or not the served certificate
                        // already matches NEW_ENDDATE.
                        // if (ENDDATE != NEW_ENDDATE) {
                        echo "Update certificate and key for ${item}"
                        def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
                        def TARGET_HOST = item + '.' + DOMAIN
                        def DOT_DOMAIN = '.' + DOMAIN
                        // Absolute path: the playbook runs against a remote host and copies from here.
                        def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
                        update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOT_DOMAIN)
                        // NOTE: ap() takes three arguments; this disabled call passes four.
                        // ap(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOT_DOMAIN)
                        // }
                    }
                    // Disabled: same update for the mail server, appending the Let's Encrypt CA
                    // to fullchain.pem first. Note it calls update_sertificate() with three
                    // arguments while the function takes four.
                    /* ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER} 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
                    if (ENDDATE != NEW_ENDDATE) {
                        echo "Update certificate and key for ${SMTP_SERVER}"
                        sh "cat ${PKI_GIT_NAME}/${DOMAIN}/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
                        def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
                        update_sertificate(PLAYBOOK, CONFIG_DIR, SMTP_SERVER)
                    }
                    */ }
            }
        }
    }
    post {
        // Wipe the workspace (including the pki checkout holding the certificate
        // material) regardless of the build result.
        always {
            echo "CleaningUp work directory"
            deleteDir()
        }
        // Notification goes to the `mailto` parameter, not to RECIPIENT_MAIL_BOX.
        success {
            mail charset: 'UTF-8',
                subject: "Jenkins build SUCCESS",
                mimeType: 'text/html',
                to: "${mailto}",
                body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
        }
        failure {
            mail charset: 'UTF-8',
                subject: "Jenkins build ERROR",
                mimeType: 'text/html',
                to: "${mailto}",
                body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
        }
    }
}
  130. def git_clone(String REPO) {
  131. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  132. sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  133. git clone ${REPO}
  134. """
  135. }
  136. }
// Replace the `sdsys_full` Docker secret on the Swarm cluster with the latest
// full bundle from the pki checkout and redeploy the stacks that consume it.
// Only referenced from the commented-out "Update docker secret in SWARM cluster"
// stage.
//
// NODE_IP:        address of the manager node; the docker CLI talks to it over TLS
//                 on 2376 with the client certificate from DOCKER_CERT_PATH.
// SWARM_GIT_NAME: checkout directory of the swarm repository holding registry.yml / proxy.yml.
// DOMAIN:         certificate name under CONFIG_DIR/archive (shadows the env value for the caller's).
// CONFIG_DIR:     letsencrypt config directory inside the pki checkout.
//
// The command order matters: a secret cannot be removed while a service uses it,
// so both stacks are torn down before `docker secret rm`; the `sleep 10` presumably
// gives the removal time to settle before the stacks are deployed again (confirm).
// Jenkins' `sh` step normally runs with `-e`, so the first failing command (for
// example `secret rm` on a missing secret) aborts the whole sequence with the
// stacks still removed.
def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
    sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
docker stack rm registry
docker stack rm proxy
docker secret rm sdsys_full
docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
sleep 10
docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
"""
}
  148. def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
  149. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  150. ansiColor('xterm') {
  151. ansiblePlaybook(
  152. credentialsId: 'ansible',
  153. playbook: PLAYBOOK,
  154. disableHostKeyChecking: true,
  155. extraVars: [
  156. target_dir: TARGET_DIR,
  157. TARGET_HOST: TARGET_HOST,
  158. domain: DOMAIN
  159. ],
  160. extras: '-vvv',
  161. colorized: true)
  162. }
  163. }
  164. }
  165. def ap(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST) {
  166. withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  167. sh """ansible-playbook ${PLAYBOOK} --private-key \
  168. ${GIT_SSH_KEY} -u ansible -e target_dir=${TARGET_DIR} \
  169. -e TARGET_HOST=${TARGET_HOST} --ssh-common-args='-o StrictHostKeyChecking=no' -vvv
  170. """
  171. }
  172. }