greyn/deployment
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 3 Wiki Activity

reincarnate moloryb
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good
Details

Browse Source 
"jenkins@moloryb.lan: Permission denied (publickey,password)."
This commit is contained in:
adam 2024-12-03 01:47:52 -05:00
parent ac0675df94
commit 348817a74d
1 changed files with 62 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
scripts/1clickservice.groovy
View File

@ -7,10 +7,9 @@ pipeline {
booleanParam(name: 'database', description: "service has a database", defaultValue: true)
}
environment {
//pw_linuxserviceaccount=""
//pw_productiondatabase=""
//pw_developmentdatabase=""
//SUDOER=credentials('') //going to be set based on target host
SUDOER_ALLOCES = credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
SUDOER_MOLORYB = credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
SUDOERSSHID = '2c48e1a9-22b2-455c-9959-6b29e86d3fb5'
SUDOERSSH = credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
JENKINS = credentials('68391381-e095-4b47-b956-d23055b0808e')
GITEATOKEN = credentials('d0e86441-2157-405f-8539-a9a9010c6ecf')
@ -28,9 +27,11 @@ pipeline {
switch (targetHost) {
case "alloces.lan":
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
SUDOER_USR = SUDOER_ALLOCES_USR
SUDOER_PSW = SUDOER_ALLOCES_PSW
case "moloryb.lan":
SUDOER=credentials('1f3b965e-bcc0-4074-99f2-b64dddbf7de7')
SUDOER_USR=SUDOER_MOLORYB_USR
SUDOER_PSW=SUDOER_MOLORYB_PSW
break
default:
error("target host not recognized. btw: yes .lan, all lowercase.")
@ -132,6 +133,7 @@ pipeline {
}'
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('\$databasecredsid')/\' Jenkinsfile
rm cookies.txt
git add .
git commit -m \"set up for database\"
"""
@ -146,18 +148,20 @@ pipeline {
"""
}
sh """
sh """#!/bin/bash
pushd ${servicename}
usernameCredsId=\$(uuidgen)
#CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
#echo \$CRUMB
CRUMB=\$(curl -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo \$CRUMB
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "\$usernameCredsId",
"id": "'"\$usernameCredsId"'",
"username": "${servicename}",
"password": "${env.pw_linuxserviceaccount}",
"description": "service account login",
@ -167,18 +171,20 @@ pipeline {
certCredsId=\$(uuidgen)
ssh-keygen -t ed25519 -f "${servicename}" -N ""
privatekeycontent=\$(cat ${servicename}))
pubkeycontent=\$(cat ${servicename}.pub))
#CRUMB=\$(curl -s -c cookies.txt 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
#echo \$CRUMB
# you git cloned ${servicename}. that's why it "already exists".
ssh-keygen -t ed25519 -f "${servicename}-ssh" -N ""
#chmod 600 \"${servicename}-ssh\"
#chmod 600 \"${servicename}-ssh.pub\"
privatekeycontent=\$(cat ${servicename}-ssh)
pubkeycontent=\$(cat ${servicename}-ssh.pub)
CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo \$CRUMB
curl -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "\$usernameCredsId",
"id": "'"\$usernameCredsId"'",
"username": "${servicename}",
"password": "",
"privateKeySource": {
@ -197,10 +203,8 @@ pipeline {
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
"""
sh """
git push
popd
rm cookies.txt
git -c core.sshCommand="ssh -i '$PK'\" push
"""
}
}
@ -209,9 +213,12 @@ pipeline {
stage("service account"){
steps{
script {
sshagent([SUDOERSSH])
withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
{
sh """ssh -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sh """#!/bin/bash
ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "${SUDOER_PSW}" | sudo -Sv && bash -s' << 'ENDSSH'
useradd -m -s /bin/bash \$username
echo "\$username:\$password" | chpasswd
loginctl enable-linger \$username
@ -233,9 +240,12 @@ pipeline {
//i'm pretty sure "update" with nothing will init?
//meaning we don't have to init, first update will init
script {
sshagent([SUDOERSSH])
withCredentials([sshUserPrivateKey(credentialsId: env.SUDOERSSHID, keyFileVariable: 'PK')])
{
sh """ssh -tt SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sh """#!/bin/bash
ssh-keyscan -t ed25519 ${targetHost} >> ~/.ssh/known_hosts
ssh -i \"${PK}\" -tt ${SUDOER_USR}@${targetHost} servicename=${servicename} pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u postgres psql && bash -s << 'ENDPSQL'
create database $servicename;
create user $servicename with encrypted password '$pw_productiondatabase';
@ -249,7 +259,8 @@ pipeline {
grant all privileges on database \$service_dev to \$service_dev;
ENDPSQL
ENDSSH"""
ENDSSH
"""
}
}
}