From 348817a74d0c485e26a7673344a63b1f3791d9c2 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 3 Dec 2024 01:47:52 -0500
Subject: [PATCH] reincarnate moloryb "jenkins@moloryb.lan: Permission denied (publickey,password)."

---
 scripts/1clickservice.groovy | 113 +++++++++++++++++++----------------
 1 file changed, 62 insertions(+), 51 deletions(-)

diff --git a/scripts/1clickservice.groovy b/scripts/1clickservice.groovy
index 7e3e511..8aed678 100644
--- a/scripts/1clickservice.groovy
+++ b/scripts/1clickservice.groovy
@@ -7,12 +7,11 @@ pipeline {
 booleanParam(name: 'database', description: "service has a database", defaultValue: true)
 }
 environment {
- //pw_linuxserviceaccount=""
- //pw_productiondatabase=""
- //pw_developmentdatabase=""
- //SUDOER=credentials('') //going to be set based on target host
- SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
- JENKINS=credentials('68391381-e095-4b47-b956-d23055b0808e')
+ SUDOER_ALLOCES = credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
+ SUDOER_MOLORYB = credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
+ SUDOERSSHID = '2c48e1a9-22b2-455c-9959-6b29e86d3fb5'
+ SUDOERSSH = credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
+ JENKINS = credentials('68391381-e095-4b47-b956-d23055b0808e')
 GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
 }
 stages {
@@ -28,9 +27,11 @@ pipeline {
 switch (targetHost) {
 case "alloces.lan":
- SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
+ SUDOER_USR = SUDOER_ALLOCES_USR
+ SUDOER_PSW = SUDOER_ALLOCES_PSW
 case "moloryb.lan":
- SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
+ SUDOER_USR=SUDOER_MOLORYB_USR
+ SUDOER_PSW=SUDOER_MOLORYB_PSW
 break
 default:
 error("target host not recognized. btw: yes .lan, all lowercase.")
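Review bot: `SUDOERSSH = credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')` in the environment block is now dead code — the stages below switch to `withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, …)])`, so keeping it only binds the SSH key into every stage's environment for no use. The same least-privilege concern applies to `SUDOER_ALLOCES` and `SUDOER_MOLORYB`: both hosts' sudo credentials are exposed pipeline-wide although only one target is ever selected, and binding the chosen one inside the stage that uses it (a `withCredentials` keyed on `targetHost`) would keep the other host's secret out of unrelated steps. At minimum delete the `SUDOERSSH = credentials(…)` line and keep `SUDOERSSHID`.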
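Review bot: The `case "alloces.lan":` branch still has no `break`, so after `SUDOER_USR = SUDOER_ALLOCES_USR` / `SUDOER_PSW = SUDOER_ALLOCES_PSW` execution falls through into `case "moloryb.lan":` and both values are overwritten with the moloryb credentials; every build that targets alloces then authenticates to it with the other host's account. Add `break` directly after `SUDOER_PSW = SUDOER_ALLOCES_PSW`. The enclosing `script` block starts before this hunk.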
@@ -132,6 +133,7 @@ pipeline {
 }'
 sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('\$databasecredsid')/\' Jenkinsfile
+ rm cookies.txt
 git add .
 git commit -m \"set up for database\"
 """
@@ -146,18 +148,20 @@ pipeline {
 """
 }
- sh """
+ sh """#!/bin/bash
+
+ pushd ${servicename}
 usernameCredsId=\$(uuidgen)
- #CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
- #echo \$CRUMB
+ CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
+ echo \$CRUMB
 curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
 --data-urlencode 'json={
 "": "0",
 "credentials": {
 "scope": "GLOBAL",
- "id": "\$usernameCredsId",
+ "id": "'"\$usernameCredsId"'",
 "username": "${servicename}",
 "password": "${env.pw_linuxserviceaccount}",
 "description": "service account login",
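Review bot: `rm cookies.txt` without `-f` fails when the file is absent, and nothing visible in this hunk creates it; this `sh` block has no shebang, so Jenkins runs it with its default `-xe` and the failure aborts the stage before `git add` / `git commit`. Use `rm -f cookies.txt` unless a `curl -c cookies.txt` earlier in the block, outside this hunk, guarantees the file exists. The enclosing sh script starts before this hunk.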
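Review bot: The crumb is fetched by `CRUMB=\$(curl -c cookies.txt …crumbIssuer…)` and echoed but never sent with the `createCredentials` POST that follows — the visible `curl -X POST` carries neither `-b cookies.txt` nor `-H "\$CRUMB"`, so with CSRF protection enabled the request is rejected; if those options follow the JSON further down outside the hunk, disregard this. The new `sh """#!/bin/bash` header replaces Jenkins' default `-xe`, so a failing curl or sed no longer stops the script — add `set -euo pipefail` directly under the shebang — and `echo \$CRUMB` writes the crumb to the build log for no purpose. The Jenkins credentials are also Groovy-interpolated into the script as `http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/…`, which places them in the rendered script on disk and in the process list; writing them as `\$JENKINS_USR:\$JENKINS_PSW` lets the shell expand the bound environment variables at run time instead. The enclosing sh script continues past this hunk.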
@@ -167,18 +171,20 @@ pipeline {
 certCredsId=\$(uuidgen)
-
- ssh-keygen -t ed25519 -f "${servicename}" -N ""
- privatekeycontent=\$(cat ${servicename}))
- pubkeycontent=\$(cat ${servicename}.pub))
- #CRUMB=\$(curl -s -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
- #echo \$CRUMB
+ # you git cloned ${servicename}. that's why it "already exists".
+ ssh-keygen -t ed25519 -f "${servicename}-ssh" -N ""
+ #chmod 600 \"${servicename}-ssh\"
+ #chmod 600 \"${servicename}-ssh.pub\"
+ privatekeycontent=\$(cat ${servicename}-ssh)
+ pubkeycontent=\$(cat ${servicename}-ssh.pub)
+ CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
+ echo \$CRUMB
 curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
 --data-urlencode 'json={
 "": "0",
 "credentials": {
 "scope": "GLOBAL",
- "id": "\$usernameCredsId",
+ "id": "'"\$usernameCredsId"'",
 "username": "${servicename}",
 "password": "",
 "privateKeySource": {
@@ -197,10 +203,8 @@ pipeline {
 sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
 sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
- """
- sh """
- git push
- popd
+ rm cookies.txt
+ git -c core.sshCommand="ssh -i '$PK'\" push
 """
 }
 }
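Review bot: The second `createCredentials` call still posts `"id": "'"\$usernameCredsId"'"` even though `certCredsId=\$(uuidgen)` was generated just above for it, so the SSH-key credential reuses the id of the service-account login created earlier and is most likely rejected as a duplicate; change it to `"id": "'"\$certCredsId"'"`. The key pair is created with `-N ""`, the private key is read into `privatekeycontent` and sent to Jenkins over plain `http://` with the account password in the URL, and the files `${servicename}-ssh` / `${servicename}-ssh.pub` are never removed — they sit inside the checked-out `${servicename}` directory after the `pushd`, where a later `git add .` would pick them up; delete them once the credential exists (the commented `chmod 600` lines suggest this was half-intended). The enclosing sh script starts before this hunk.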
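Review bot: `git -c core.sshCommand="ssh -i '$PK'\" push` runs at the end of a script that, since the `#!/bin/bash` line, no longer has Jenkins' default `-e`, so the push happens even when the preceding `createCredentials` calls or `sed` edits failed and a half-configured Jenkinsfile is pushed; add `set -euo pipefail` after the shebang or chain the steps with `&&`. `$PK` is unescaped, so it is resolved by Groovy rather than the shell and only works if this `sh` sits inside a `withCredentials(… keyFileVariable: 'PK')` that is not visible in this hunk — confirm that, and prefer `\$PK` so the path is expanded by the shell at run time. The enclosing sh script starts before this hunk.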
@@ -209,19 +213,22 @@ pipeline {
 stage("service account"){
 steps{
 script {
- sshagent([SUDOERSSH])
+ withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
 {
- sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
- useradd -m -s /bin/bash \$username
- echo "\$username:\$password" | chpasswd
- loginctl enable-linger \$username
- cd ~/home/\$username
- mkdir .ssh
- pushd .ssh
- echo \$pubkeycontent > authorized_keys
- popd
- chown -R \$username:\$username .ssh
- ENDSSH
+ sh """#!/bin/bash
+ ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
+
+ ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "${SUDOER_PSW}" | sudo -Sv && bash -s' << 'ENDSSH'
+ useradd -m -s /bin/bash \$username
+ echo "\$username:\$password" | chpasswd
+ loginctl enable-linger \$username
+ cd ~/home/\$username
+ mkdir .ssh
+ pushd .ssh
+ echo \$pubkeycontent > authorized_keys
+ popd
+ chown -R \$username:\$username .ssh
+ ENDSSH
 """
 }
 }
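Review bot: `ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts` before every connection accepts whatever host key answers on the network at that moment and appends it unconditionally, so host-key verification no longer protects the session that then carries the sudo password and the new account's password; pin the target's key instead (a known_hosts file kept with the job and passed via `-o UserKnownHostsFile=<pinned file>`), and the same applies to the identical line in the database stage below. Inside the remote script, `cd ~/home/\$username` resolves under the sudoer's home rather than `/home/\$username`, so the `cd` fails and `.ssh/authorized_keys` is created in the wrong directory with the wrong owner; it should read `cd /home/\$username`. Note also that `password=${env.pw_linuxserviceaccount}` and `'echo "${SUDOER_PSW}" | sudo -Sv …'` are Groovy-interpolated into the ssh command line, so both secrets appear in the rendered script and in the agent's process list; exposing them as environment variables and letting the shell expand them avoids baking them into the command text.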
@@ -233,23 +240,27 @@ pipeline {
 //i'm pretty sure "update" with nothing will init?
 //meaning we don't have to init, first update will init
 script {
- sshagent([SUDOERSSH])
+ withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
 {
- sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
- sudo -u postgres psql && bash -s << 'ENDPSQL'
- create database $servicename;
- create user $servicename with encrypted password '$pw_productiondatabase';
- grant all privileges on database $servicename to $servicename;
- ENDPSQL
-
- service_dev="${servicename}_dev"
- sudo -u postgres psql && bash -s << 'ENDPSQL'
- create database \$service_dev;
- create user \$service_dev with encrypted password '\$pw_developmentdatabase';
- grant all privileges on database \$service_dev to \$service_dev;
- ENDPSQL
-
- ENDSSH"""
+ sh """#!/bin/bash
+ ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
+
+ ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} servicename=${servicename} pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
+ sudo -u postgres psql && bash -s << 'ENDPSQL'
+ create database $servicename;
+ create user $servicename with encrypted password '$pw_productiondatabase';
+ grant all privileges on database $servicename to $servicename;
+ ENDPSQL
+
+ service_dev="${servicename}_dev"
+ sudo -u postgres psql && bash -s << 'ENDPSQL'
+ create database \$service_dev;
+ create user \$service_dev with encrypted password '\$pw_developmentdatabase';
+ grant all privileges on database \$service_dev to \$service_dev;
+ ENDPSQL
+
+ ENDSSH
+ """
 }
 }
 }
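Review bot: `sudo -u postgres psql && bash -s << 'ENDPSQL'` never feeds the SQL to psql — `psql` starts with no input and the heredoc goes to `bash -s`, which would attempt to run `create database …` as shell commands; the intended form is `sudo -u postgres psql << 'ENDPSQL'`, in both blocks. The escaping is also inconsistent between the two heredocs: `$servicename` and `$pw_productiondatabase` are left for Groovy while `\$service_dev` and `\$pw_developmentdatabase` are escaped for the remote shell, so the production password is rendered into the ssh command line by Groovy (and `$pw_productiondatabase` must resolve as a Groovy name for the step to run at all) whereas the dev password comes from the remote environment; escape the first block the same way (`\$servicename`, `\$pw_productiondatabase`). The service name from the job parameter is spliced unquoted into SQL identifiers, so any value that is not a plain identifier breaks or alters the statements; quote them as `"\$servicename"` or validate the parameter before this stage. The `ssh-keyscan` line has the same host-key concern raised on the service-account stage.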