greyn/deployment
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

passed linting
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details

Browse Source
This commit is contained in:
adam 2024-11-19 11:49:50 -05:00
parent 351b806c33
commit 22b5691d99
1 changed files with 100 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
scripts/1clickservice.groovy
View File

@ -4,7 +4,7 @@ pipeline {
string(name: 'servicename', description: "service name") string(name: 'servicename', description: "service name")
string(name: 'svcdesc', description: "service description") string(name: 'svcdesc', description: "service description")
string(name: 'targetHost', description: "system to live on", defaultValue: "alloces") string(name: 'targetHost', description: "system to live on", defaultValue: "alloces")
boolean(name: 'database', description: "service has a database", defaultValue: true) booleanParam(name: 'database', description: "service has a database", defaultValue: true)
} }
environment { environment {
pw_linuxserviceaccount="" pw_linuxserviceaccount=""
@ -26,19 +26,19 @@ pipeline {
} }
switch (targetHost) { switch (targetHost) {
case "alloces": case "alloces.lan":
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c') SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5') SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
break break
default: default:
error("target host not recognized. btw: no .lan, all lowercase.") error("target host not recognized. btw: yes .lan, all lowercase.")
} }
sh env.pw_linuxserviceaccount=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) env.pw_linuxserviceaccount=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_linuxserviceaccount echo env.pw_linuxserviceaccount
sh env.pw_productiondatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) env.pw_productiondatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_productiondatabase echo env.pw_productiondatabase
sh env.pw_developmentdatabase=$(mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) env.pw_developmentdatabase=sh(returnStdout: true, script: "mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
echo env.pw_developmentdatabase echo env.pw_developmentdatabase
} }
} }
@ -82,7 +82,7 @@ pipeline {
while [ -z "$strRes" ]; while [ -z "$strRes" ];
do do
sleep 5; sleep 5;
strRes=$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \ strRes=\$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \
alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")') alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")')
done done
""" """
@ -92,99 +92,101 @@ pipeline {
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git' git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
pushd ${servicename} pushd ${servicename}
dbstartline=$(sed -n '/---dbstart---]/=' Jenkinsfile) dbstartline=\$(sed -n '/---dbstart---]/=' Jenkinsfile)
dbendline=$(sed -n '/---dbend---/=' Jenkinsfile) dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile)
""" """
if(params.database){ script { //there's no "if" "step" so any "if" must be in a "script" step
if(params.database){
sh """
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
databasecredsid=\$(uuidgen)
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$databasecredsid",
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
"description": "database connection string",
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
git add .
git commit -m "set up for database"
"""
}
else{
sh """
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
git add .
git commit -m "stripped database lines"
"""
}
sh """ sh """
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile popd
databasecredsid=$(uuidgen) env.usernameCredsId=\$(uuidgen)
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \ curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={ --data-urlencode 'json={
"": "0", "": "0",
"credentials": { "credentials": {
"scope": "GLOBAL", "scope": "GLOBAL",
"id": "$databasecredsid", "id": "$env.usernameCredsId",
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;", "username": "${servicename}",
"description": "database connection string", "password": "${env.pw_linuxserviceaccount}",
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" "description": "service account login",
"\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
} }
}' }'
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
git add . certCredsId=\$(uuidgen)
git commit -m "set up for database"
ssh-keygen -t ed25519 -f "${servicename}" -N ""
privatekeycontent=\$(cat ${servicename}))
pubkeycontent=\$(cat ${servicename}.pub))
CRUMB=\$(url -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "",
"privateKeySource": {
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
"privateKey": "$privatekeycontent",
},
"description": "${servicename}",
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
},
"description": "service account ssh",
"\$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
}
}'
privatekeycontent=
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
""" """
}
else{
sh """ sh """
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile git push
git add . popd
git commit -m "stripped database lines"
""" """
} }
sh """
popd
env.usernameCredsId=$(uuidgen)
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "${env.pw_linuxserviceaccount}",
"description": "service account login",
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
certCredsId=$(uuidgen)
ssh-keygen -t ed25519 -f "${servicename}" -N ""
privatekeycontent=$(cat ${servicename}))
pubkeycontent=$(cat ${servicename}.pub))
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "",
"privateKeySource": {
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
"privateKey": "$privatekeycontent",
},
"description": "${servicename}",
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
},
"description": "service account ssh",
"$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
}
}'
privatekeycontent=
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
"""
sh """
git push
popd
"""
} }
} }
} }
@ -193,7 +195,7 @@ pipeline {
script { script {
sshagent([SUDOERSSH]) sshagent([SUDOERSSH])
{ {
ssh $SUDOER_USR@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
useradd -m -s /bin/bash $username useradd -m -s /bin/bash $username
echo "$username:$password" | chpasswd echo "$username:$password" | chpasswd
loginctl enable-linger $username loginctl enable-linger $username
@ -204,6 +206,7 @@ pipeline {
popd popd
chown -R $username:$username .ssh chown -R $username:$username .ssh
ENDSSH ENDSSH
"""
} }
} }
} }
@ -216,7 +219,7 @@ pipeline {
script { script {
sshagent([SUDOERSSH]) sshagent([SUDOERSSH])
{ {
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u postgres psql && bash -s << 'ENDPSQL' sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $servicename; create database $servicename;
create user $servicename with encrypted password '$pw_productiondatabase'; create user $servicename with encrypted password '$pw_productiondatabase';
@ -230,7 +233,7 @@ pipeline {
grant all privileges on database $service_dev to $service_dev; grant all privileges on database $service_dev to $service_dev;
ENDPSQL ENDPSQL
ENDSSH ENDSSH"""
} }
} }
} }
@ -240,24 +243,24 @@ pipeline {
sshagent([SUDOERSSH]) sshagent([SUDOERSSH])
{ {
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service' sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u ${servicename} && bash -s << 'ENDASSERVICE' sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
systemctl --user daemon-reload systemctl --user daemon-reload
systemctl --user enable $servicename.service systemctl --user enable $servicename.service
ENDASSERVICE ENDASSERVICE
ENDSSH ENDSSH"""
} }
} }
} }
post { }
failure { post {
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(' failure {
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :('
}
success { }
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!' success {
//TODO: archiveArtifacts the password data matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!'
} //TODO: archiveArtifacts the password data, then store them somewhere
} }
} }
} }