Trang chủ Khám phá Trợ giúp
Đăng nhập
sdsys
/
acme-dns
6
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu kéo về 0 Wiki
Tree: b9cfd6d688
Branches Tags
acme-dns
/
OFFICERenewalWildcardJenkinsfile

OFFICERenewalWildcardJenkinsfile 8.3 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. JENKINS_PASS = ''
    2. 

  2. ENDDATE = ''
    3. 

  3. NEW_ENDDATE = ''
    4. 

  4. BACKUP_FILE = ''
    5. 

  5. CONFIG_DIR = ''
    6. 

  6. COMMAND = ''
    7. 

  7. TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
    8. 

  8. TARGET_HOSTS_PROXMOX = [ 'kvm-test' ]
    9. 

  9. pipeline {
    10. 

  10.   agent {
    11. 

  11.     label "swarm"
    12. 

  12.   }
    13. 

  13.   environment {
    14. 

  14.     REGISTRY_OFFICE='registry.sdsys.ru'
    15. 

  15.     CLUSTER_OFFICE='swarm.sdsys.ru'
    16. 

  16.     DOCKER_CERT_PATH='/run/secrets/swarm'
    17. 

  17.     IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
    18. 

  18.     JENKINS_MAIL='jenkins.dev@sdsys.ru'
    19. 

  19.     SMTP_SERVER='mail.sdsys.ru'
    20. 

  20.     RECIPIENT_MAIL_BOX='admin@sdsys.ru'
    21. 

  21.     PKI_GIT_NAME='pki'
    22. 

  22.     DOMAIN='sdsys.ru'
    23. 

  23.     PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
    24. 

  24.     SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
    25. 

  25.     SWARM_GIT_NAME='swarm'
    26. 

  26.   }
    27. 

  27.   parameters {
    28. 

  28.     string(
    29. 

  29.       name: "mailto",
    30. 

  30.       defaultValue: "admin@sdsys.ru",
    31. 

  31.       description: "Email which has to be notified."
    32. 

  32.     )
    33. 

  33.   }
    34. 

  34.   stages {
    35. 

  35.     stage("Calculate Variables") {
    36. 

  36.       steps {
    37. 

  37.         script {
    38. 

  38.           ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
    39. 

  39.           CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
    40. 

  40.           BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
    41. 

  41.           COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
    42. 

  42.           withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
    43. 

  43.             JENKINS_USER = USERNAME
    44. 

  44.             JENKINS_PASS = PASSWORD
    45. 

  45.           }
    46. 

  46.         }
    47. 

  47.       }
    48. 

  48.     }
    49. 

  49. /*    stage("Run Renewal") {
    50. 

  50.       steps {
    51. 

  51.         withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
    52. 

  52.           sh """set +x
    53. 

  53.                 docker run -t --rm -e TZ=Europe/Moscow \
    54. 

  54.                   -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
    55. 

  55.                   -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
    56. 

  56.                   -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
    57. 

  57.                   -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
    58. 

  58.                   /${COMMAND}
    59. 

  59.              """
    60. 

  60.         }
    61. 

  61.       }
    62. 

  62.     }
    63. 

  63. *//*    stage("Update docker secret in SWARM cluster") {
    64. 

  64.       steps {
    65. 

  65.         script {
    66. 

  66.           ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
    67. 

  67.           if (ENDDATE != NEW_ENDDATE) {
    68. 

  68.             git_clone(PKI_GIT_URL)
    69. 

  69.             git_clone(SWARM_GIT_URL)
    70. 

  70.             echo "Update docker secret in ${CLUSTER_OFFICE}"
    71. 

  71.             NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
    72. 

  72.             update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
    73. 

  73.           }
    74. 

  74.         }
    75. 

  75.       }
    76. 

  76.     }
    77. 

  77. */    stage("Update certificate and key to Proxmox") {
    78. 

  78.       steps {
    79. 

  79.         script {
    80. 

  80. // Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в 2 stage
    81. 

  81.           git_clone(PKI_GIT_URL)
    82. 

  82.           git_clone(SWARM_GIT_URL)
    83. 

  83.           NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
    84. 

  84.           TARGET_HOSTS_PROXMOX.each { item -> 
    85. 

  85.             ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:8006 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
    86. 

  86.             if (ENDDATE != NEW_ENDDATE) {
    87. 

  87.               echo "Update certificate and key for ${item}"
    88. 

  88.               def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'proxmox.yml'
    89. 

  89.               def TARGET_HOST = item + '.' + DOMAIN
    90. 

  90.               def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
    91. 

  91.               update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
    92. 

  92.             }
    93. 

  93.           }
    94. 

  94.         }
    95. 

  95.       }
    96. 

  96.     }  
    97. 

  97. /*    stage("Update certificate and key") {
    98. 

  98.       steps {
    99. 

  99.         script {
    100. 

  100. // Следующие 2 строчки после тестирования необходимо убрать, так как репозитории клонируются в 2 stage
    101. 

  101.           git_clone(PKI_GIT_URL)
    102. 

  102.           git_clone(SWARM_GIT_URL)
    103. 

  103.           NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
    104. 

  104.           TARGET_HOSTS_APACHE.each { item -> 
    105. 

  105.             ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
    106. 

  106.             if (ENDDATE != NEW_ENDDATE) {
    107. 

  107.               echo "Update certificate and key for ${item}"
    108. 

  108.               def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
    109. 

  109.               def TARGET_HOST = item + '.' + DOMAIN
    110. 

  110.               def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
    111. 

  111.               update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
    112. 

  112.             }
    113. 

  113.           }
    114. 

  114.           ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
    115. 

  115.           if (ENDDATE != NEW_ENDDATE) {
    116. 

  116.             echo "Update certificate and key for ${SMTP_SERVER}"
    117. 

  117.             sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
    118. 

  118.             PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
    119. 

  119.             TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
    120. 

  120.             update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
    121. 

  121.           }
    122. 

  122.         }
    123. 

  123.       }
    124. 

  124.     }
    125. 

  125. */  }
    126. 

  126.   post {
    127. 

  127.     always {
    128. 

  128.       echo "CleaningUp work directory"
    129. 

  129.       deleteDir()
    130. 

  130.     }
    131. 

  131.     success {
    132. 

  132.       mail charset: 'UTF-8',
    133. 

  133.            subject: "Jenkins build SUCCESS",
    134. 

  134.            mimeType: 'text/html',
    135. 

  135.            to: "${mailto}",
    136. 

  136.            body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    137. 

  137.     }
    138. 

  138.     failure {
    139. 

  139.       mail charset: 'UTF-8',
    140. 

  140.            subject: "Jenkins build ERROR",
    141. 

  141.            mimeType: 'text/html',
    142. 

  142.            to: "${mailto}",
    143. 

  143.            body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
    144. 

  144.     }
    145. 

  145.   }
    146. 

  146. }
    147. 

  147. def git_clone(String REPO) {
    148. 

  148.       withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
    149. 

  149.         sh """GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
    150. 

  150.               git clone ${REPO}
    151. 

  151.            """
    152. 

  152.       }
    153. 

  153. }
    154. 

  154. def update_secret(String NODE_IP, String SWARM_GIT_NAME, String DOMAIN, String CONFIG_DIR) {
    155. 

  155.       sh """export DOCKER_HOST=tcp://${NODE_IP}:2376 DOCKER_TLS_VERIFY=1
    156. 

  156.             docker stack rm registry
    157. 

  157.             docker stack rm proxy
    158. 

  158.             docker secret rm sdsys_full
    159. 

  159.             docker secret create sdsys_full ${CONFIG_DIR}/archive/${DOMAIN}/${DOMAIN}.full-bundle
    160. 

  160.             sleep 10
    161. 

  161.             docker stack deploy -c ${SWARM_GIT_NAME}/registry.yml registry
    162. 

  162.             docker stack deploy -c ${SWARM_GIT_NAME}/proxy.yml proxy
    163. 

  163.          """
    164. 

  164. }
    165. 

  165. def update_sertificate(String PLAYBOOK, String TARGET_DIR, String TARGET_HOST, String DOMAIN) {
    166. 

  166.       withCredentials([sshUserPrivateKey(credentialsId: 'ansible', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
    167. 

  167.         ansiColor('xterm') {
    168. 

  168.           ansiblePlaybook(
    169. 

  169.             credentialsId: 'ansible',
    170. 

  170.             playbook: PLAYBOOK,
    171. 

  171.             disableHostKeyChecking: true,
    172. 

  172.             extraVars: [
    173. 

  173.               TARGET_DIR: TARGET_DIR,
    174. 

  174.               TARGET_HOST: TARGET_HOST,
    175. 

  175.               DOMAIN: DOMAIN
    176. 

  176.             ],
    177. 

  177. //            extras: '-vvv',
    178. 

  178.             colorized: true)
    179. 

  179.         }
    180. 

  180.       }
    181. 

  181. }
    182.