hopefully it's ok that jenkins will be jenkinsing jenkins. down to 1 TODO!
All checks were successful
gitea.arg.rip/deployment/pipeline/head This commit looks good

This commit is contained in:
adam 2024-11-19 02:07:51 -05:00
parent c2575e696a
commit 351b806c33

View File

@ -10,8 +10,9 @@ pipeline {
pw_linuxserviceaccount=""
pw_productiondatabase=""
pw_developmentdatabase=""
SUDOER=credentials('')
SUDOER=credentials('') //going to be set based on target host
SUDOERSSH=credentials('')
JENKINS=credentials('68391381-e095-4b47-b956-d23055b0808e')
}
stages {
stage("environment setup") {
@ -26,8 +27,8 @@ pipeline {
switch (targetHost) {
case "alloces":
SUDOER=credentials('//TODO: its usually a uuid')
SUDOERSSH='//TODO: its usually a uuid'
SUDOER=credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
SUDOERSSH=credentials('2c48e1a9-22b2-455c-9959-6b29e86d3fb5')
break
default:
error("target host not recognized. btw: no .lan, all lowercase.")
@ -54,35 +55,132 @@ pipeline {
-H 'Authorization: token $GITEA_PSW' \
-H 'Content-Type: application/json' \
-d '{
"description": "${svcdesc}",
"git_content": true,
"git_hooks": true,
"labels": true,
"name": "${servicename}",
"owner": "greyn",
"private": false,
"protected_branch": true,
"topics": true,
"webhooks": true
}'
"description": "${svcdesc}",
"git_content": true,
"git_hooks": true,
"labels": true,
"name": "${servicename}",
"owner": "greyn",
"private": false,
"protected_branch": true,
"topics": true,
"webhooks": true
}'
"""
//TODO: set up credentials for jenkins to checkout
sshagent(['credentiald-id-using-ssh-key']) {
}
}
stage("jenkins pipeline"){
steps{
sh """
curl -X POST -L --user ${env.JENKINS_USR}:${env.JENKINS_PSW} \
alloces.lan:8080/job/gitea.arg.rip/build
"""
timeout(time: 5, unit: 'MINUTES') {
sh """
strRes=""
while [ -z "$strRes" ];
do
sleep 5;
strRes=$(curl -X GET -s -u ${env.JENKINS_USR}:${env.JENKINS_PSW} \
alloces.lan:8080/job/gitea.arg.rip/api/json | jq '.jobs.[] | select(.name=="${env.servicename}")')
done
"""
}
sshagent(['f42347e9-e3b5-44af-a1af-c5e7b9775fee']) {
sh """
git clone 'ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git'
pushd ${servicename}
"""
}
if(!params.database){
sh """
#//TODO: strip database stuff. sed -i?
git add .
git commit -m "stripped database stuff"
"""
}
sshagent(['credentiald-id-using-ssh-key']) {
dbstartline=$(sed -n '/---dbstart---]/=' Jenkinsfile)
dbendline=$(sed -n '/---dbend---/=' Jenkinsfile)
"""
if(params.database){
sh """
sed -i -e '${dbstartline}d;${dbendline}d;' Jenkinsfile
databasecredsid=$(uuidgen)
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$databasecredsid",
"secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;",
"description": "database connection string",
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
sed -i 's/productiondatabase_connectionString=creds/productiondatabase_connectionString=credentials('$databasecredsid')/' Jenkinsfile
git add .
git commit -m "set up for database"
"""
}
else{
sh """
sed -i -e '${dbstartline},${dbendline}d;' Jenkinsfile
git add .
git commit -m "stripped database lines"
"""
}
sh """
popd
env.usernameCredsId=$(uuidgen)
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "${env.pw_linuxserviceaccount}",
"description": "service account login",
"$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
}
}'
certCredsId=$(uuidgen)
ssh-keygen -t ed25519 -f "${servicename}" -N ""
privatekeycontent=$(cat ${servicename}))
pubkeycontent=$(cat ${servicename}.pub))
CRUMB=$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $CRUMB
curl -H $CRUMB -X POST 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/greyn%20services/createCredentials' \
--data-urlencode 'json={
"": "0",
"credentials": {
"scope": "GLOBAL",
"id": "$env.usernameCredsId",
"username": "${servicename}",
"password": "",
"privateKeySource": {
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
"privateKey": "$privatekeycontent",
},
"description": "${servicename}",
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
},
"description": "service account ssh",
"$class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
}
}'
privatekeycontent=
sed -i 's/linuxServiceAccount=creds/linuxServiceAccount=credentials('${env.usernameCredsId}')/' Jenkinsfile
sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile
"""
sh """
git push
popd
@ -90,22 +188,21 @@ pipeline {
}
}
}
stage("jenkins pipeline"){
steps{
//TODO: tell jenkins to scan greyn pipeline
//TODO: find this new service in jenkins
//TODO: add the shared secrets to jenkins
}
}
stage("service account"){
steps{
script {
sshagent([SUDOERSSH])
{
ssh $SUDOER_USR@${targetHost} username=${env.servicename} password=${env.pw_linuxserviceaccount} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
ssh $SUDOER_USR@${targetHost} username=${servicename} password=${env.pw_linuxserviceaccount} pubkeycontent=${env.pubkeycontent} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
useradd -m -s /bin/bash $username
echo "$username:$password" | chpasswd
loginctl enable-linger $username
cd ~/home/$username
mkdir .ssh
pushd .ssh
echo $pubkeycontent > authorized_keys
popd
chown -R $username:$username .ssh
ENDSSH
}
}
@ -140,20 +237,26 @@ pipeline {
}
stage("initial service setup"){
steps{
//TODO: use ssh credentials we generated. maybe set up the dang pkey.
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
ssh $servicename@${targetHost} servicename=$servicename password=${env.pw_linuxserviceaccount} 'bash -s' << 'ENDSSH'
systemctl --user daemon-reload
systemctl --user enable $servicename.service
ENDSSH
sshagent([SUDOERSSH])
{
sh 'scp $servicename.service $servicename@${targetHost}:~/.config/systemd/user/$servicename.service'
ssh SUDOER_USR@${targetHost} servicename=$servicename pw_productiondatabase=${env.pw_productiondatabase} pw_developmentdatabase=${env.pw_developmentdatabase} 'echo "$SUDOER_PSW" | sudo -Sv && bash -s' << 'ENDSSH'
sudo -u ${servicename} && bash -s << 'ENDASSERVICE'
systemctl --user daemon-reload
systemctl --user enable $servicename.service
ENDASSERVICE
ENDSSH
}
}
}
post {
failure {
//TODO: post error
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service failed :('
}
success {
//TODO: post success. Especially, tell me to come get the passwords. FTP them somewhere?
matrixSendMessage hostname: 'https://greyn.club:8448', accessTokenCredentialsId: '040b63d1-2f14-4692-badb-114bddd7c5a5', roomId: '!QmOCACetHdGDlNFsZP:greyn.club', body: '1-click service success! go pick up the credentials!'
//TODO: archiveArtifacts the password data
}
}
}