From 351b806c33fbefb312006966916acd426296aae7 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Nov 2024 02:07:51 -0500 Subject: [PATCH] hopefully it's ok that jenkins will be jenkinsing jenkins. down to 1 TODO! --- scripts/1clickservice.groovy | 189 +++++++++++++++++++++++++++-------- 1 file changed, 146 insertions(+), 43 deletions(-) diff --git a/scripts/1clickservice.groovy b/scripts/1clickservice.groovy index 6bce333..b744733 100644 --- a/scripts/1clickservice.groovy +++ b/scripts/1clickservice.groovy @@ -10,8 +10,9 @@ pipeline { pw_linuxserviceaccount="" pw_productiondatabase="" pw_developmentdatabase="" - SUDOER=credentials('') + SUDOER=credentials('') //going to be set based on target host SUDOERSSH=credentials('') + JENKINS=credentials('68391381-e095-4b47-b956-d23055b0808e') } stages { stage("environment setup") { @@ -26,8 +27,8 @@ pipeline { switch (targetHost) { case "alloces": - SUDOER=credentials('//TODO: its usually a uuid') - SUDOERSSH='//TODO: its usually a uuid' + SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c') + SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5') break default: error("target host not recognized. btw: no .lan, all lowercase.") 
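Review bot: `JENKINS=credentials('68391381-…')` binds a Jenkins username/password that the later stages use both to trigger builds and to create credentials in the `gitea.arg.rip` folder store, and the `environment` directive exposes `JENKINS_USR`/`JENKINS_PSW` to every `sh` step in the pipeline; I'd bind an API token of a dedicated account holding only the folder-level Credentials/Create and Job/Build rights it needs, and scope it with `withCredentials` around the two stages that call the Jenkins API rather than pipeline-wide. The `SUDOER=credentials('')` / `SUDOERSSH=credentials('')` placeholders still carry empty IDs, and as far as I know the environment directive resolves credential bindings when the pipeline starts, so these presumably fail before the per-host switch in the next hunk ever runs — worth confirming on a run. A comment such as `// JENKINS: API token, not a login password; needs Credentials/Create on the gitea.arg.rip folder` would record the intent. The enclosing `environment {}` block starts before this hunk.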
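Review bot: Wrapping the per-host IDs in `credentials(...)` inside the `script {}` switch does not do what the removed TODO lines intended: `credentials()` is the environment-directive helper rather than a step, and even if the assignment ran it would set Groovy variables `SUDOER`/`SUDOERSSH`, not `env.*`, so the `SUDOER_USR`/`SUDOER_PSW` pair the `ssh` lines in later hunks rely on is never populated. `sshagent([SUDOERSSH])` in the "service account" stage also needs the plain credential ID string, which is exactly what the removed line held. I'd keep the IDs as strings — `SUDOERSSH='2c48e1a9-22b2-455c-9959-6b29e86d3fb5'` and `SUDOER='a674f816-2b35-4d60-ba60-7b66e86f3c5c'` — and wrap the remote steps in `withCredentials([usernamePassword(credentialsId: SUDOER, usernameVariable: 'SUDOER_USR', passwordVariable: 'SUDOER_PSW')]) { … }`. The stage and `script {}` block containing this switch start before the hunk.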
@@ -54,35 +55,132 @@ pipeline { -H 'Authorization: token $GITEA_PSW' \ -H 'Content-Type: application/json' \ -d '{ - - "description": "${svcdesc}", - "git_content": true, - "git_hooks": true, - "labels": true, - "name": "${servicename}", - "owner": "greyn", - "private": false, - "protected_branch": true, - "topics": true, - "webhooks": true - }' + "description": "${svcdesc}", + "git_content": true, + "git_hooks": true, + "labels": true, + "name": "${servicename}", + "owner": "greyn", + "private": false, + "protected_branch": true, + "topics": true, + "webhooks": true + }' """ - //TODO: set up credentials for jenkins to checkout - sshagent(['credentiald-id-using-ssh-key']) { + } + } + stage("jenkins pipeline"){ + steps{ + sh """ + curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \ + alloces.lan:8080/job/gitea.arg.rip/build + """ + + timeout(time: 5, unit: 'MINUTES') { + sh """ + strRes="" + while [ -z "$strRes" ]; + do + sleep 5; + strRes=$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \ + alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")') + done + """ + } + sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) { sh """ git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git' pushd ${servicename} + + dbstartline=$(sed -n '/---dbstart---]/=' Jenkinsfile) + dbendline=$(sed -n '/---dbend---/=' Jenkinsfile) """ - } - if(!params.database){ - sh """ - #//TODO: strip database stuff. sed -i? - git add . 
- git commit -m "stripped database stuff" - """ - } + if(params.database){ + sh """ + sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile + + databasecredsid=$(uuidgen) + + CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') + echo $CRUMB + curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \ + --data-urlencode 'json={ + "": "0", + "credentials": { + "scope": "GLOBAL", + "id": "$databasecredsid", + "secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;", + "description": "database connection string", + "$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" + } + }' + sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile + + git add . + git commit -m "set up for database" + """ + } + else{ + sh """ + sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile + git add . 
+ git commit -m "stripped database lines" + """ + } - sshagent(['credentiald-id-using-ssh-key']) { + sh """ + popd + + env.usernameCredsId=$(uuidgen) + + CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') + echo $CRUMB + curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \ + --data-urlencode 'json={ + "": "0", + "credentials": { + "scope": "GLOBAL", + "id": "$env.usernameCredsId", + "username": "${servicename}", + "password": "${env.pw_linuxserviceaccount}", + "description": "service account login", + "$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" + } + }' + + certCredsId=$(uuidgen) + + + ssh-keygen -t ed25519 -f "${servicename}" -N "" + privatekeycontent=$(cat ${servicename})) + pubkeycontent=$(cat ${servicename}.pub)) + CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') + echo $CRUMB + curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \ + --data-urlencode 'json={ + "": "0", + "credentials": { + "scope": "GLOBAL", + "id": "$env.usernameCredsId", + "username": "${servicename}", + "password": "", + "privateKeySource": { + "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource", + "privateKey": "$privatekeycontent", + }, + "description": "${servicename}", + "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey" + }, + "description": "service account ssh", + "$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey" + } + }' + 
privatekeycontent= + + sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile + sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile + + """ sh """ git push popd @@ -90,22 +188,21 @@ pipeline { } } } - stage("jenkins pipeline"){ - steps{ - //TODO: tell jenkins to scan greyn pipeline - //TODO: find this new service in jenkins - //TODO: add the shared secrets to jenkins - } - } stage("service account"){ steps{ script { sshagent([SUDOERSSH]) { - ssh $SUDOER_USR@${targetHost} username=${env.servicename} password=${env.pw_linuxserviceaccount} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' + ssh $SUDOER_USR@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' useradd -m -s /bin/bash $username echo "$username:$password" | chpasswd loginctl enable-linger $username + cd ~/home/$username + mkdir .ssh + pushd .ssh + echo $pubkeycontent > authorized_keys + popd + chown -R $username:$username .ssh ENDSSH } } 
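Review bot: The new `sh """…"""` blocks put secrets into the script text through Groovy interpolation — `${env.JENKINS_PSW}` inside the `http://user:pass@alloces.lan:8080/…` URLs and `${env.pw_productiondatabase}` / `${env.pw_linuxserviceaccount}` inside the JSON bodies — and `sh` runs with `set -x` by default, so every expanded `curl` line, Jenkins password included, lands in the console log, while the password in the URL is also visible to `ps` on the agent. They also won't get that far: `$(uuidgen)`, `$(sed …)`, `$CRUMB`, `$class` and `$DirectEntryPrivateKeySource` are Groovy interpolation inside a `"""` string (`$(` is a compile error, the rest resolve against the pipeline script), and each `sh` step is a fresh shell, so `pushd`, `dbstartline`, `pubkeycontent` and `env.usernameCredsId=…` (not a valid shell assignment anyway) do not carry into the next step or into `env`. The unencrypted ed25519 private key is written to the workspace root and only the shell variable is blanked afterwards; the key file stays on disk (and in the `set -x` log) after the job finishes. Smaller issues in the same block: the SSH credential reuses `$env.usernameCredsId` while `certCredsId` is never used, the connection-string credential sends a `secret` field with a `UsernamePasswordCredentialsImpl` `$class` (presumably `StringCredentialsImpl` was meant), the multi-line key is pasted raw into JSON, and the inner `'` in the `sed` replacements ends the single-quoted expression so the Jenkinsfile ends up with `credentials(uuid)` without quotes. I'd do the whole edit in one single-quoted `sh '''` with `set +x`, shell-side expansion, a `mktemp -d` key directory removed by a trap, and `jq` to build the JSON:
```groovy
// … unchanged: gitea repo creation, job trigger and wait loop …
sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) {
    // Single-quoted: the shell, not Groovy, expands $(…) and the credential
    // variables, so no secret is baked into the script text or echoed by set -x.
    sh '''
        set +x
        git clone "ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git"
        cd "${servicename}"
        keydir=$(mktemp -d)
        trap 'rm -rf "$keydir"' EXIT
        ssh-keygen -t ed25519 -f "$keydir/id" -N ""
        sshCredsId=$(uuidgen)
        crumb=$(curl -fsS -u "$JENKINS_USR:$JENKINS_PSW" \
            'http://alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
        jq -n --arg id "$sshCredsId" --arg user "${servicename}" --rawfile key "$keydir/id" \
            '{"": "0", credentials: {scope: "GLOBAL", id: $id, username: $user, password: "",
              privateKeySource: {"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource", privateKey: $key},
              description: "service account ssh",
              "$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"}}' \
            > "$keydir/ssh.json"
        curl -fsS -u "$JENKINS_USR:$JENKINS_PSW" -H "$crumb" -X POST \
            "http://alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials" \
            --data-urlencode "json@$keydir/ssh.json"
        # … unchanged: database / service-account credentials, built the same way with fresh uuids …
        sed -i "s/linuxServiceAccount=creds/linuxServiceAccount=credentials('$sshCredsId')/" Jenkinsfile
        git add . && git commit -m "set up service" && git push
        cp "$keydir/id.pub" "$WORKSPACE/${servicename}.pub"   # only the public half leaves the temp dir
    '''
    env.pubkeycontent = readFile("${servicename}.pub").trim()  // hand the public key to the next stage
}
```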
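Review bot: `pubkeycontent=${env.pubkeycontent}` on the new `ssh` line reads a Jenkins environment variable that nothing visible sets — the public key was captured into a shell variable inside an earlier `sh` step, which does not survive that step — so `authorized_keys` is written with an empty or `null` value; the earlier step would need to export it, e.g. `env.pubkeycontent = readFile("${servicename}.pub").trim()` after writing the `.pub` file. The remote script then does `cd ~/home/$username`, which resolves under the sudoer's home rather than `/home/$username`, so `mkdir .ssh` lands in the wrong place or fails, and `.ssh`/`authorized_keys` are created with default permissions where sshd's StrictModes expects 700/600. The service-account password and the key are also passed as `ssh` arguments, which exposes them to `ps` on the agent; and since the `ssh … << 'ENDSSH'` heredoc sits directly in `script { sshagent(...) { … } }` with no `sh` step around it, I'd expect Groovy to reject it before any of this runs. Suggested remote lines (inside an `sh '''…'''` step, replacing the `cd`/`mkdir`/`pushd`/`echo`/`popd`/`chown` run):
```groovy
// … unchanged: ssh/sudo -Sv invocation, useradd, chpasswd, loginctl …
install -d -m 700 -o "$username" -g "$username" "/home/$username/.ssh"
printf '%s\n' "$pubkeycontent" > "/home/$username/.ssh/authorized_keys"
chmod 600 "/home/$username/.ssh/authorized_keys"
chown "$username:$username" "/home/$username/.ssh/authorized_keys"
```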
@@ -140,20 +237,26 @@ pipeline { } stage("initial service setup"){ steps{ - //TODO: use ssh credentials we generated. maybe set up the dang pkey. - sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service' - ssh $servicename@${targetHost} servicename=$servicename password=${env.pw_linuxserviceaccount} 'bash -s' << 'ENDSSH' - systemctl --user daemon-reload - systemctl --user enable $servicename.service - ENDSSH + sshagent([SUDOERSSH]) + { + sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service' + ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH' + sudo -u ${servicename} && bash -s << 'ENDASSERVICE' + systemctl --user daemon-reload + systemctl --user enable $servicename.service + ENDASSERVICE + ENDSSH + } } } post { - failure { - //TODO: post error + failure { + matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :(' + } success { - //TODO: post success. Especially, tell me to come get the passwords. FTP them somewhere? + matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!' + //TODO: archiveArtifacts the password data } } }
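Review bot: `ssh SUDOER_USR@${targetHost}` is missing the `$`, so it tries to log in as a literal user named `SUDOER_USR`, and `sudo -u ${servicename} && bash -s << 'ENDASSERVICE'` runs `sudo` with no command and then `bash -s` as the sudoer, so the `systemctl --user` calls never execute as the service account (`sudo -u "$servicename" bash -s` is the shape wanted, and `systemctl --user` from a non-login context usually also needs `XDG_RUNTIME_DIR=/run/user/$(id -u "$servicename")` — confirm on the host). The `scp` authenticates as `$servicename` while the agent only holds `SUDOERSSH`, and nothing visible creates `~/.config/systemd/user` on the target first, so the copy presumably fails unless the sudoer's key is also in the service account's `authorized_keys`; copying as the sudoer and installing the unit with `sudo install` avoids needing the service account's key here at all. `pw_productiondatabase`/`pw_developmentdatabase` are passed as `ssh` arguments (visible to `ps`, and in the log once this lives in an `sh` step) but never used by the remote script — drop them. On the `post` block: archiving the generated passwords as build artifacts, as the remaining TODO proposes, would make them readable to anyone with Job/Read on this job; since the pipeline already stores them as Jenkins credentials, I'd point the success message at those credential IDs instead and add `always { cleanWs() }` so key material written to the workspace does not persist, with a comment like `// never archiveArtifacts the passwords: artifacts are readable by every user with Job/Read`.
```groovy
sshagent([SUDOERSSH]) {
    sh '''
        scp "$servicename.service" "$SUDOER_USR@$targetHost:/tmp/$servicename.service"
        ssh "$SUDOER_USR@$targetHost" servicename="$servicename" 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
        sudo install -D -m 644 -o "$servicename" -g "$servicename" "/tmp/$servicename.service" "/home/$servicename/.config/systemd/user/$servicename.service"
        rm -f "/tmp/$servicename.service"
        sudo -u "$servicename" XDG_RUNTIME_DIR="/run/user/$(id -u "$servicename")" systemctl --user daemon-reload
        sudo -u "$servicename" XDG_RUNTIME_DIR="/run/user/$(id -u "$servicename")" systemctl --user enable "$servicename.service"
        ENDSSH
    '''
}
// … unchanged: post { failure / success matrixSendMessage … } plus always { cleanWs() } …
```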