passed linting
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
This commit is contained in:
parent
351b806c33
commit
22b5691d99
@ -4,7 +4,7 @@ pipeline {
|
|||||||
string(name: 'servicename', description: "service name")
|
string(name: 'servicename', description: "service name")
|
||||||
string(name: 'svcdesc', description: "service description")
|
string(name: 'svcdesc', description: "service description")
|
||||||
string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
|
string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
|
||||||
boolean(name: 'database', description: "service has a database", defaultValue: true)
|
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
|
||||||
}
|
}
|
||||||
environment {
|
environment {
|
||||||
pw_linuxserviceaccount=""
|
pw_linuxserviceaccount=""
|
||||||
@ -26,19 +26,19 @@ pipeline {
|
|||||||
}
|
}
|
||||||
|
|
||||||
switch (targetHost) {
|
switch (targetHost) {
|
||||||
case "alloces":
|
case "alloces.lan":
|
||||||
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
|
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
|
||||||
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
|
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
|
||||||
break
|
break
|
||||||
default:
|
default:
|
||||||
error("target host not recognized. btw: no .lan, all lowercase.")
|
error("target host not recognized. btw: yes .lan, all lowercase.")
|
||||||
}
|
}
|
||||||
|
|
||||||
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
env.pw_linuxserviceaccount=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||||
echo env.pw_linuxserviceaccount
|
echo env.pw_linuxserviceaccount
|
||||||
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||||
echo env.pw_productiondatabase
|
echo env.pw_productiondatabase
|
||||||
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
|
env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
|
||||||
echo env.pw_developmentdatabase
|
echo env.pw_developmentdatabase
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -82,7 +82,7 @@ pipeline {
|
|||||||
while [ -z "$strRes" ];
|
while [ -z "$strRes" ];
|
||||||
do
|
do
|
||||||
sleep 5;
|
sleep 5;
|
||||||
strRes=$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \
|
strRes=\$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \
|
||||||
alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")')
|
alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")')
|
||||||
done
|
done
|
||||||
"""
|
"""
|
||||||
@ -92,99 +92,101 @@ pipeline {
|
|||||||
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
|
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
|
||||||
pushd ${servicename}
|
pushd ${servicename}
|
||||||
|
|
||||||
dbstartline=$(sed -n '/---dbstart---]/=' Jenkinsfile)
|
dbstartline=\$(sed -n '/---dbstart---]/=' Jenkinsfile)
|
||||||
dbendline=$(sed -n '/---dbend---/=' Jenkinsfile)
|
dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile)
|
||||||
"""
|
"""
|
||||||
if(params.database){
|
script { //there's no "if" "step" so any "if" must be in a "script" step
|
||||||
|
if(params.database){
|
||||||
|
sh """
|
||||||
|
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
|
||||||
|
|
||||||
|
databasecredsid=\$(uuidgen)
|
||||||
|
|
||||||
|
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||||
|
echo $CRUMB
|
||||||
|
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||||
|
--data-urlencode 'json={
|
||||||
|
"": "0",
|
||||||
|
"credentials": {
|
||||||
|
"scope": "GLOBAL",
|
||||||
|
"id": "$databasecredsid",
|
||||||
|
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
|
||||||
|
"description": "database connection string",
|
||||||
|
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
||||||
|
}
|
||||||
|
}'
|
||||||
|
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
|
||||||
|
|
||||||
|
git add .
|
||||||
|
git commit -m "set up for database"
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
else{
|
||||||
|
sh """
|
||||||
|
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
|
||||||
|
git add .
|
||||||
|
git commit -m "stripped database lines"
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
|
||||||
sh """
|
sh """
|
||||||
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
|
popd
|
||||||
|
|
||||||
databasecredsid=$(uuidgen)
|
env.usernameCredsId=\$(uuidgen)
|
||||||
|
|
||||||
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||||
echo $CRUMB
|
echo $CRUMB
|
||||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||||
--data-urlencode 'json={
|
--data-urlencode 'json={
|
||||||
"": "0",
|
"": "0",
|
||||||
"credentials": {
|
"credentials": {
|
||||||
"scope": "GLOBAL",
|
"scope": "GLOBAL",
|
||||||
"id": "$databasecredsid",
|
"id": "$env.usernameCredsId",
|
||||||
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
|
"username": "${servicename}",
|
||||||
"description": "database connection string",
|
"password": "${env.pw_linuxserviceaccount}",
|
||||||
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
"description": "service account login",
|
||||||
|
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
||||||
}
|
}
|
||||||
}'
|
}'
|
||||||
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
|
|
||||||
|
|
||||||
git add .
|
certCredsId=\$(uuidgen)
|
||||||
git commit -m "set up for database"
|
|
||||||
|
|
||||||
|
ssh-keygen -t ed25519 -f "${servicename}" -N ""
|
||||||
|
privatekeycontent=\$(cat ${servicename}))
|
||||||
|
pubkeycontent=\$(cat ${servicename}.pub))
|
||||||
|
CRUMB=\$(url -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||||
|
echo $CRUMB
|
||||||
|
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
||||||
|
--data-urlencode 'json={
|
||||||
|
"": "0",
|
||||||
|
"credentials": {
|
||||||
|
"scope": "GLOBAL",
|
||||||
|
"id": "$env.usernameCredsId",
|
||||||
|
"username": "${servicename}",
|
||||||
|
"password": "",
|
||||||
|
"privateKeySource": {
|
||||||
|
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
|
||||||
|
"privateKey": "$privatekeycontent",
|
||||||
|
},
|
||||||
|
"description": "${servicename}",
|
||||||
|
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
||||||
|
},
|
||||||
|
"description": "service account ssh",
|
||||||
|
"\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
||||||
|
}
|
||||||
|
}'
|
||||||
|
privatekeycontent=
|
||||||
|
|
||||||
|
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
|
||||||
|
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
|
||||||
|
|
||||||
"""
|
"""
|
||||||
}
|
|
||||||
else{
|
|
||||||
sh """
|
sh """
|
||||||
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
|
git push
|
||||||
git add .
|
popd
|
||||||
git commit -m "stripped database lines"
|
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
|
|
||||||
sh """
|
|
||||||
popd
|
|
||||||
|
|
||||||
env.usernameCredsId=$(uuidgen)
|
|
||||||
|
|
||||||
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
|
||||||
echo $CRUMB
|
|
||||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
|
||||||
--data-urlencode 'json={
|
|
||||||
"": "0",
|
|
||||||
"credentials": {
|
|
||||||
"scope": "GLOBAL",
|
|
||||||
"id": "$env.usernameCredsId",
|
|
||||||
"username": "${servicename}",
|
|
||||||
"password": "${env.pw_linuxserviceaccount}",
|
|
||||||
"description": "service account login",
|
|
||||||
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
|
|
||||||
}
|
|
||||||
}'
|
|
||||||
|
|
||||||
certCredsId=$(uuidgen)
|
|
||||||
|
|
||||||
|
|
||||||
ssh-keygen -t ed25519 -f "${servicename}" -N ""
|
|
||||||
privatekeycontent=$(cat ${servicename}))
|
|
||||||
pubkeycontent=$(cat ${servicename}.pub))
|
|
||||||
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
|
||||||
echo $CRUMB
|
|
||||||
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
|
|
||||||
--data-urlencode 'json={
|
|
||||||
"": "0",
|
|
||||||
"credentials": {
|
|
||||||
"scope": "GLOBAL",
|
|
||||||
"id": "$env.usernameCredsId",
|
|
||||||
"username": "${servicename}",
|
|
||||||
"password": "",
|
|
||||||
"privateKeySource": {
|
|
||||||
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
|
|
||||||
"privateKey": "$privatekeycontent",
|
|
||||||
},
|
|
||||||
"description": "${servicename}",
|
|
||||||
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
|
||||||
},
|
|
||||||
"description": "service account ssh",
|
|
||||||
"$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
|
|
||||||
}
|
|
||||||
}'
|
|
||||||
privatekeycontent=
|
|
||||||
|
|
||||||
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
|
|
||||||
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
|
|
||||||
|
|
||||||
"""
|
|
||||||
sh """
|
|
||||||
git push
|
|
||||||
popd
|
|
||||||
"""
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -193,7 +195,7 @@ pipeline {
|
|||||||
script {
|
script {
|
||||||
sshagent([SUDOERSSH])
|
sshagent([SUDOERSSH])
|
||||||
{
|
{
|
||||||
ssh $SUDOER_USR@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
useradd -m -s /bin/bash $username
|
useradd -m -s /bin/bash $username
|
||||||
echo "$username:$password" | chpasswd
|
echo "$username:$password" | chpasswd
|
||||||
loginctl enable-linger $username
|
loginctl enable-linger $username
|
||||||
@ -204,6 +206,7 @@ pipeline {
|
|||||||
popd
|
popd
|
||||||
chown -R $username:$username .ssh
|
chown -R $username:$username .ssh
|
||||||
ENDSSH
|
ENDSSH
|
||||||
|
"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -216,7 +219,7 @@ pipeline {
|
|||||||
script {
|
script {
|
||||||
sshagent([SUDOERSSH])
|
sshagent([SUDOERSSH])
|
||||||
{
|
{
|
||||||
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||||
create database $servicename;
|
create database $servicename;
|
||||||
create user $servicename with encrypted password '$pw_productiondatabase';
|
create user $servicename with encrypted password '$pw_productiondatabase';
|
||||||
@ -230,7 +233,7 @@ pipeline {
|
|||||||
grant all privileges on database $service_dev to $service_dev;
|
grant all privileges on database $service_dev to $service_dev;
|
||||||
ENDPSQL
|
ENDPSQL
|
||||||
|
|
||||||
ENDSSH
|
ENDSSH"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -240,24 +243,24 @@ pipeline {
|
|||||||
sshagent([SUDOERSSH])
|
sshagent([SUDOERSSH])
|
||||||
{
|
{
|
||||||
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
|
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
|
||||||
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
|
sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
|
||||||
systemctl --user daemon-reload
|
systemctl --user daemon-reload
|
||||||
systemctl --user enable $servicename.service
|
systemctl --user enable $servicename.service
|
||||||
ENDASSERVICE
|
ENDASSERVICE
|
||||||
ENDSSH
|
ENDSSH"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
post {
|
}
|
||||||
failure {
|
post {
|
||||||
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :('
|
failure {
|
||||||
|
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :('
|
||||||
|
|
||||||
}
|
}
|
||||||
success {
|
success {
|
||||||
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!'
|
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!'
|
||||||
//TODO: archiveArtifacts the password data
|
//TODO: archiveArtifacts the password data, then store them somewhere
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
Loading…
Reference in New Issue
Block a user