OFFICERenewalWildcardJenkinsfile 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167
  1. JENKINS_PASS = ''
  2. ENDDATE = ''
  3. NEW_ENDDATE = ''
  4. BACKUP_FILE = ''
  5. CONFIG_DIR = ''
  6. COMMAND = ''
  7. // TARGET_HOSTS_APACHE = [ 'sugar', 'owncloud' ]
  8. TARGET_HOSTS_APACHE = [ 'sugar', 'pbx', 'zabbix3' ]
  9. TARGET_HOSTS_PROXMOX = [ 'kvm-test', 'kvm1', 'kvm2', 'kvm3', 'kvm4', 'kvm5', 'kvm6', 'kvm7' ]
  10. TARGET_HOSTS_PBS = [ 'pbs' ]
  11. //TARGET_HOSTS_PROXMOX = [ 'kvm4' ]
  12. pipeline {
  13. agent {
  14. label "swarm"
  15. }
  16. environment {
  17. REGISTRY_OFFICE='registry.sdsys.ru'
  18. CLUSTER_OFFICE='swarm.sdsys.ru'
  19. DOCKER_CERT_PATH='/run/secrets/swarm'
  20. IMAGE_NAME='registry.infoclinica.ru:5000/acme-dns:1.5'
  21. JENKINS_MAIL='jenkins.dev@sdsys.ru'
  22. SMTP_SERVER='mail.sdsys.ru'
  23. RECIPIENT_MAIL_BOX='admin@sdsys.ru'
  24. PKI_GIT_NAME='pki'
  25. DOMAIN='sdsys.ru'
  26. PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/pki.git'
  27. SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/sdsys/swarm.git'
  28. SWARM_GIT_NAME='swarm'
  29. }
  30. parameters {
  31. string(
  32. name: "mailto",
  33. defaultValue: "admin@sdsys.ru",
  34. description: "Email which has to be notified."
  35. )
  36. }
  37. stages {
  38. stage("Calculate Variables") {
  39. steps {
  40. script {
  41. ENDDATE = sh (script: "echo|openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  42. CONFIG_DIR = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/letsencrypt'
  43. BACKUP_FILE = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + DOMAIN + '.dump.gz'
  44. COMMAND = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'renewal.sh'
  45. withCredentials([usernamePassword(credentialsId: 'jenkins', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  46. JENKINS_USER = USERNAME
  47. JENKINS_PASS = PASSWORD
  48. }
  49. }
  50. }
  51. }
  52. stage("Run Renewal") {
  53. steps {
  54. withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
  55. sh """set +x
  56. docker run -t --rm -e TZ=Europe/Moscow \
  57. -e DOMAIN=${DOMAIN} -e CONFIG_DIR=${CONFIG_DIR} -e BACKUP_FILE=${BACKUP_FILE} \
  58. -e JENKINS_MAIL=${JENKINS_MAIL} -e JENKINS_MAIL_USER=${JENKINS_USER} -e JENKINS_MAIL_PASS=${JENKINS_PASS} \
  59. -e git_url=${PKI_GIT_URL} -e SMTP_SERVER=${SMTP_SERVER} -e RECIPIENT_MAIL_BOX=${RECIPIENT_MAIL_BOX} \
  60. -e "SSHKEY=`cat ${GIT_SSH_KEY}`" -p 5353:53/udp -p 5353:53/tcp ${IMAGE_NAME} \
  61. /${COMMAND}
  62. """
  63. }
  64. }
  65. }
  66. stage("Update docker secret in SWARM cluster") {
  67. steps {
  68. script {
  69. gitOps.clone(PKI_GIT_URL)
  70. gitOps.clone(SWARM_GIT_URL)
  71. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  72. ENDDATE = sh (script: "echo|openssl s_client -servername ${REGISTRY_OFFICE} -connect ${REGISTRY_OFFICE}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  73. if (ENDDATE != NEW_ENDDATE) {
  74. echo "Update docker secret in ${CLUSTER_OFFICE}"
  75. NODE_IP = sh (script: "DOCKER_HOST=tcp://${CLUSTER_OFFICE}:2376 DOCKER_TLS_VERIFY=1 docker node inspect self -f '{{.Status.Addr}}'" , returnStdout: true).trim()
  76. dockerWCrenewal.update_secret(NODE_IP, SWARM_GIT_NAME, DOMAIN, CONFIG_DIR)
  77. }
  78. }
  79. }
  80. }
  81. stage("Update certificate and key to Proxmox") {
  82. steps {
  83. script {
  84. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  85. TARGET_HOSTS_PROXMOX.each { item ->
  86. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:8006 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  87. if (ENDDATE != NEW_ENDDATE) {
  88. echo "Update certificate and key for ${item}"
  89. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'proxmox.yml'
  90. def TARGET_HOST = item + '.' + DOMAIN
  91. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  92. dockerWCrenewal.update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  93. }
  94. }
  95. }
  96. }
  97. }
  98. stage("Update certificate and key to PBS") {
  99. steps {
  100. script {
  101. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  102. TARGET_HOSTS_PBS.each { item ->
  103. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:8007 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  104. if (ENDDATE != NEW_ENDDATE) {
  105. echo "Update certificate and key for ${item}"
  106. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'pbs.yml'
  107. def TARGET_HOST = item + '.' + DOMAIN
  108. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  109. dockerWCrenewal.update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  110. }
  111. }
  112. }
  113. }
  114. }
  115. stage("Update certificate and key APACHE-HOSTS") {
  116. steps {
  117. script {
  118. NEW_ENDDATE = sh (script: "openssl x509 -enddate -noout -in ${CONFIG_DIR}/live/${DOMAIN}/cert.pem", returnStdout: true).trim()
  119. TARGET_HOSTS_APACHE.each { item ->
  120. ENDDATE = sh (script: "echo|openssl s_client -servername ${item}.${DOMAIN} -connect ${item}.${DOMAIN}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  121. if (ENDDATE != NEW_ENDDATE) {
  122. echo "Update certificate and key for ${item}"
  123. def PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'apache.yml'
  124. def TARGET_HOST = item + '.' + DOMAIN
  125. def TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  126. dockerWCrenewal.update_sertificate(PLAYBOOK, TARGET_DIR, TARGET_HOST, DOMAIN)
  127. }
  128. }
  129. }
  130. }
  131. }
  132. stage("Update certificate and key to ZIMBRA") {
  133. steps {
  134. script {
  135. ENDDATE = sh (script: "echo|openssl s_client -servername ${SMTP_SERVER} -connect ${SMTP_SERVER}:443 2>/dev/null|openssl x509 -noout -enddate", returnStdout: true).trim()
  136. if (ENDDATE != NEW_ENDDATE) {
  137. echo "Update certificate and key for ${SMTP_SERVER}"
  138. sh "cat ${PKI_GIT_NAME}/${DOMAIN}/wildcard/acme-dns/letsencrypt.ca.pem >> ${CONFIG_DIR}/live/${DOMAIN}/fullchain.pem"
  139. PLAYBOOK = PKI_GIT_NAME + '/' + DOMAIN + '/wildcard/acme-dns/' + 'mail.yml'
  140. TARGET_DIR = WORKSPACE + '/' + CONFIG_DIR
  141. dockerWCrenewal.update_sertificate(PLAYBOOK, TARGET_DIR, SMTP_SERVER, DOMAIN)
  142. }
  143. }
  144. }
  145. }
  146. }
  147. post {
  148. always {
  149. echo "CleaningUp work directory"
  150. deleteDir()
  151. }
  152. success {
  153. mail charset: 'UTF-8',
  154. subject: "Jenkins build SUCCESS",
  155. mimeType: 'text/html',
  156. to: "${mailto}",
  157. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job successed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>Renewal certs and keys</b> <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  158. }
  159. failure {
  160. mail charset: 'UTF-8',
  161. subject: "Jenkins build ERROR",
  162. mimeType: 'text/html',
  163. to: "${mailto}",
  164. body: "<b>ATTENTION!!!</b> <b><br> Jenkins job failed.\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
  165. }
  166. }
  167. }