reincarnate moloryb
"jenkins@moloryb.lan: Permission denied (publickey,password)."
This commit is contained in:
parent
ac0675df94
commit
348817a74d
@ -7,12 +7,11 @@ pipeline {
|
|||||||
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
|
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
|
||||||
}
|
}
|
||||||
environment {
|
environment {
|
||||||
//pw_linuxserviceaccount=""
|
SUDOER_ALLOCES = credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
|
||||||
//pw_productiondatabase=""
|
SUDOER_MOLORYB = credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
|
||||||
//pw_developmentdatabase=""
|
SUDOERSSHID = '2c48e1a9-22b2-455c-9959-6b29e86d3fb5'
|
||||||
//SUDOER=credentials('') //going to be set based on target host
|
SUDOERSSH = credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
|
||||||
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
|
JENKINS = credentials('68391381-e095-4b47-b956-d23055b0808e')
|
||||||
JENKINS=credentials('68391381-e095-4b47-b956-d23055b0808e')
|
|
||||||
GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
|
GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
|
||||||
}
|
}
|
||||||
stages {
|
stages {
|
||||||
@ -28,9 +27,11 @@ pipeline {
|
|||||||
|
|
||||||
switch (targetHost) {
|
switch (targetHost) {
|
||||||
case "alloces.lan":
|
case "alloces.lan":
|
||||||
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
|
SUDOER_USR = SUDOER_ALLOCES_USR
|
||||||
|
SUDOER_PSW = SUDOER_ALLOCES_PSW
|
||||||
case "moloryb.lan":
|
case "moloryb.lan":
|
||||||
SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
|
SUDOER_USR=SUDOER_MOLORYB_USR
|
||||||
|
SUDOER_PSW=SUDOER_MOLORYB_PSW
|
||||||
break
|
break
|
||||||
default:
|
default:
|
||||||
error("target host not recognized. btw: yes .lan, all lowercase.")
|
error("target host not recognized. btw: yes .lan, all lowercase.")
|
||||||
@ -132,6 +133,7 @@ pipeline {
|
|||||||
}'
|
}'
|
||||||
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('\$databasecredsid')/\' Jenkinsfile
|
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('\$databasecredsid')/\' Jenkinsfile
|
||||||
|
|
||||||
|
rm cookies.txt
|
||||||
git add .
|
git add .
|
||||||
git commit -m \"set up for database\"
|
git commit -m \"set up for database\"
|
||||||
"""
|
"""
|
||||||
@ -146,18 +148,20 @@ pipeline {
|
|||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
|
|
||||||
sh """
|
sh """#!/bin/bash
|
||||||
|
|
||||||
|
pushd ${servicename}
|
||||||
|
|
||||||
usernameCredsId=\$(uuidgen)
|
usernameCredsId=\$(uuidgen)
|
||||||
|
|
||||||
#CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||||
#echo \$CRUMB
|
echo \$CRUMB
|
||||||
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
|
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
|
||||||
--data-urlencode 'json={
|
--data-urlencode 'json={
|
||||||
"": "0",
|
"": "0",
|
||||||
"credentials": {
|
"credentials": {
|
||||||
"scope": "GLOBAL",
|
"scope": "GLOBAL",
|
||||||
"id": "\$usernameCredsId",
|
"id": "'"\$usernameCredsId"'",
|
||||||
"username": "${servicename}",
|
"username": "${servicename}",
|
||||||
"password": "${env.pw_linuxserviceaccount}",
|
"password": "${env.pw_linuxserviceaccount}",
|
||||||
"description": "service account login",
|
"description": "service account login",
|
||||||
@ -167,18 +171,20 @@ pipeline {
|
|||||||
|
|
||||||
certCredsId=\$(uuidgen)
|
certCredsId=\$(uuidgen)
|
||||||
|
|
||||||
|
# you git cloned ${servicename}. that's why it "already exists".
|
||||||
ssh-keygen -t ed25519 -f "${servicename}" -N ""
|
ssh-keygen -t ed25519 -f "${servicename}-ssh" -N ""
|
||||||
privatekeycontent=\$(cat ${servicename}))
|
#chmod 600 \"${servicename}-ssh\"
|
||||||
pubkeycontent=\$(cat ${servicename}.pub))
|
#chmod 600 \"${servicename}-ssh.pub\"
|
||||||
#CRUMB=\$(curl -s -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
privatekeycontent=\$(cat ${servicename}-ssh)
|
||||||
#echo \$CRUMB
|
pubkeycontent=\$(cat ${servicename}-ssh.pub)
|
||||||
|
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
|
||||||
|
echo \$CRUMB
|
||||||
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
|
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
|
||||||
--data-urlencode 'json={
|
--data-urlencode 'json={
|
||||||
"": "0",
|
"": "0",
|
||||||
"credentials": {
|
"credentials": {
|
||||||
"scope": "GLOBAL",
|
"scope": "GLOBAL",
|
||||||
"id": "\$usernameCredsId",
|
"id": "'"\$usernameCredsId"'",
|
||||||
"username": "${servicename}",
|
"username": "${servicename}",
|
||||||
"password": "",
|
"password": "",
|
||||||
"privateKeySource": {
|
"privateKeySource": {
|
||||||
@ -197,10 +203,8 @@ pipeline {
|
|||||||
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
|
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
|
||||||
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
|
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
|
||||||
|
|
||||||
"""
|
rm cookies.txt
|
||||||
sh """
|
git -c core.sshCommand="ssh -i '$PK'\" push
|
||||||
git push
|
|
||||||
popd
|
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -209,19 +213,22 @@ pipeline {
|
|||||||
stage("service account"){
|
stage("service account"){
|
||||||
steps{
|
steps{
|
||||||
script {
|
script {
|
||||||
sshagent([SUDOERSSH])
|
withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
|
||||||
{
|
{
|
||||||
sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
sh """#!/bin/bash
|
||||||
useradd -m -s /bin/bash \$username
|
ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
|
||||||
echo "\$username:\$password" | chpasswd
|
|
||||||
loginctl enable-linger \$username
|
ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "${SUDOER_PSW}" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
cd ~/home/\$username
|
useradd -m -s /bin/bash \$username
|
||||||
mkdir .ssh
|
echo "\$username:\$password" | chpasswd
|
||||||
pushd .ssh
|
loginctl enable-linger \$username
|
||||||
echo \$pubkeycontent > authorized_keys
|
cd ~/home/\$username
|
||||||
popd
|
mkdir .ssh
|
||||||
chown -R \$username:\$username .ssh
|
pushd .ssh
|
||||||
ENDSSH
|
echo \$pubkeycontent > authorized_keys
|
||||||
|
popd
|
||||||
|
chown -R \$username:\$username .ssh
|
||||||
|
ENDSSH
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -233,23 +240,27 @@ pipeline {
|
|||||||
//i'm pretty sure "update" with nothing will init?
|
//i'm pretty sure "update" with nothing will init?
|
||||||
//meaning we don't have to init, first update will init
|
//meaning we don't have to init, first update will init
|
||||||
script {
|
script {
|
||||||
sshagent([SUDOERSSH])
|
withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
|
||||||
{
|
{
|
||||||
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
sh """#!/bin/bash
|
||||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
|
||||||
create database $servicename;
|
|
||||||
create user $servicename with encrypted password '$pw_productiondatabase';
|
ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} servicename=${servicename} pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
|
||||||
grant all privileges on database $servicename to $servicename;
|
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||||
ENDPSQL
|
create database $servicename;
|
||||||
|
create user $servicename with encrypted password '$pw_productiondatabase';
|
||||||
service_dev="${servicename}_dev"
|
grant all privileges on database $servicename to $servicename;
|
||||||
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
ENDPSQL
|
||||||
create database \$service_dev;
|
|
||||||
create user \$service_dev with encrypted password '\$pw_developmentdatabase';
|
service_dev="${servicename}_dev"
|
||||||
grant all privileges on database \$service_dev to \$service_dev;
|
sudo -u postgres psql && bash -s << 'ENDPSQL'
|
||||||
ENDPSQL
|
create database \$service_dev;
|
||||||
|
create user \$service_dev with encrypted password '\$pw_developmentdatabase';
|
||||||
ENDSSH"""
|
grant all privileges on database \$service_dev to \$service_dev;
|
||||||
|
ENDPSQL
|
||||||
|
|
||||||
|
ENDSSH
|
||||||
|
"""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
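Review bot: In the rewritten `ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} … 'echo "${SUDOER_PSW}" | sudo -Sv && bash -s'` lines of the service-account and database stages, the sudo password and the service/database passwords are Groovy-interpolated into the `sh` body and into the remote command string, so they land unmasked in the generated script, in the console if the shell echoes, and in the `ssh` argv visible via `ps` on both the agent and the target; the `${env.JENKINS_USR}:${env.JENKINS_PSW}` embedded in the plain-http curl URLs has the same problem. Export the selected pair in the switch (`env.SUDOER_USR = SUDOER_MOLORYB_USR`, `env.SUDOER_PSW = SUDOER_MOLORYB_PSW`) and let the shell expand `\$SUDOER_PSW` and `curl -u "\$JENKINS_USR:\$JENKINS_PSW"` so Jenkins masks them, and prefer feeding the password to `sudo -S` on stdin rather than placing it in the remote command. As written, `sudo -Sv && bash -s` only caches the credential and then runs the heredoc as the sudoer user, so `useradd`, `chpasswd` and `loginctl enable-linger` appear to run unprivileged; `sudo -S bash -s` (or `sudo` on each line) is what the script seems to intend. The `ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts` added before each ssh repeats trust-on-first-use on every build and will silently accept a spoofed host key; pin the two hosts in a known_hosts file credential and pass `-o UserKnownHostsFile=… -o StrictHostKeyChecking=yes` instead. Separately, the `switch (targetHost)` still has no `break` after `SUDOER_PSW = SUDOER_ALLOCES_PSW`, so `alloces.lan` falls through and ends up with the moloryb credentials; the enclosing stage bodies start outside the visible hunks.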
|