From 88419c8985ef334592f282f35766587262eed333 Mon Sep 17 00:00:00 2001
From: adam
Date: Fri, 13 Dec 2024 17:01:31 -0500
Subject: [PATCH] cert id
---
 scripts/1clickservice.groovy | 82 ++++++++++++++----------------------
 scripts/databases.sh | 5 ---
 scripts/serviceaccount.sh | 2 +-
 3 files changed, 33 insertions(+), 56 deletions(-)
diff --git a/scripts/1clickservice.groovy b/scripts/1clickservice.groovy
index 1924520..7db94bc 100644
--- a/scripts/1clickservice.groovy
+++ b/scripts/1clickservice.groovy
@@ -4,7 +4,6 @@ pipeline {
 string(name: 'servicename', description: "service name")
 string(name: 'svcdesc', description: "service description")
 string(name: 'targetHost', description: "system to live on", defaultValue: "moloryb.lan")
- booleanParam(name: 'database', description: "service has a database", defaultValue: true)
 }
 environment {
 SUDOER_ALLOCES = credentials('a674f816-2b35-4d60-ba60-7b66e86f3c5c')
@@ -16,7 +15,7 @@ pipeline {
 GITEA_USR='jenkins'
 }
 stages {
- stage("environment setup") {
+ stage("environment setup") { //my environment, here.
 steps {
 script {
 if (servicename.isEmpty()) {
@@ -124,52 +123,37 @@ pipeline { git -c core.sshCommand="ssh -i '$PK'\" clone ssh://git@gitea.arg.rip:8022/greyn/${servicename}.git #fyi, future me: pushd is useless here, it pops out. Like it's loading a script and exiting. """ - script { //there's no "if" "step" so any "if" must be in a "script" step - if(database){ - sh """#!/bin/bash + script { + sh """#!/bin/bash - pushd ${servicename} - dbstartline=\$(sed -n '/---dbstart---/=' Jenkinsfile) - dbendline=\$(sed -n '/---dbend---/=' Jenkinsfile) - echo \"yes db.\" - - sed -i \"\${dbstartline}d;\${dbendline}d\" Jenkinsfile + pushd ${servicename} - databasecredsid=\$(uuidgen) - httpBasicAuth=\"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/\" - echo \"\${httpBasicAuth}\" - urlGetData=\"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\\":\\",//crumb)\" - - CRUMB=\$(curl -s -c cookies.txt \"\${httpBasicAuth}\${urlGetData}\") - echo "crumb anyway. \$CRUMB" - curl -H \$CRUMB -X POST \"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials\" \ - --data-urlencode 'json={ - "": "0", - "credentials": { - "scope": "GLOBAL", - "id": "'"\$databasecredsid"'", - "secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;", - "description": "database connection string", - "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" - } - }' - credsStr="productiondatabase_connectionString=credentials(\\"\$databasecredsid\\")" - sed -i "s/productiondatabase_connectionString=creds/\$credsStr/" Jenkinsfile + databasecredsid=\$(uuidgen) + httpBasicAuth=\"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/\" + echo \"\${httpBasicAuth}\" + urlGetData=\"crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\\":\\",//crumb)\" + + CRUMB=\$(curl -s -c cookies.txt \"\${httpBasicAuth}\${urlGetData}\") + echo "crumb 
anyway. \$CRUMB" + curl -H \$CRUMB -X POST \"http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials\" \ + --data-urlencode 'json={ + "": "0", + "credentials": { + "scope": "GLOBAL", + "id": "'"\$databasecredsid"'", + "secret": "Host=${targetHost};Database=${servicename};Username=${servicename};Password=${env.pw_productiondatabase};IncludeErrorDetail=true;", + "description": "database connection string", + "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" + } + }' + credsStr="productiondatabase_connectionString=credentials(\\"\$databasecredsid\\")" + sed -i "s/productiondatabase_connectionString=creds/\$credsStr/" Jenkinsfile - rm cookies.txt - git add . - git commit -m \"set up for database\" - """ - } - else{ - sh """#!/bin/bash - echo \"no db\" - pushd ${servicename} - sed -i '\${dbstartline},\${dbendline}d;' Jenkinsfile - git add . - git commit -m "stripped database lines" - """ - } + rm cookies.txt + git add . + git commit -m \"set up for database\" + """ + sh """#!/bin/bash @@ -192,10 +176,7 @@ pipeline { certCredsId=\$(uuidgen) - # you git cloned ${servicename}. that's why it "already exists". ssh-keygen -t ed25519 -f "${servicename}-ssh" -N "" - #chmod 600 \"${servicename}-ssh\" - #chmod 600 \"${servicename}-ssh.pub\" privatekeycontent=\$(cat ${servicename}-ssh) pubkeycontent=\$(cat ${servicename}-ssh.pub) CRUMB=\$(curl -s 'http://${env.JENKINS_USR}:${env.JENKINS_PSW}@alloces.lan:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') @@ -205,7 +186,7 @@ pipeline { "": "0", "credentials": { "scope": "GLOBAL", - "id": "'"\$usernameCredsId"'", + "id": "'"\$certCredsId"'", "username": "${servicename}", "password": "", "privateKeySource": { 
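Review bot: The re-indented `echo \"\${httpBasicAuth}\"` prints `http://<user>:<password>@alloces.lan:8080/` to the build console, and because `${env.JENKINS_PSW}` is interpolated by Groovy into the `sh` script text, the password also lands in the generated script file and in curl's argument list rather than only in the process environment, where log masking (if it applies here at all) is best effort. I would drop the `echo` and the `httpBasicAuth=` line and let curl read the values at run time, assuming JENKINS_USR/JENKINS_PSW are pipeline environment variables as `env.JENKINS_USR` suggests: `CRUMB=\$(curl -s -c cookies.txt -u "\$JENKINS_USR:\$JENKINS_PSW" "http://alloces.lan:8080/\${urlGetData}")` and `curl -H \$CRUMB -u "\$JENKINS_USR:\$JENKINS_PSW" -X POST "http://alloces.lan:8080/job/gitea.arg.rip/job/${servicename}/credentials/store/folder/domain/_/createCredentials" \`. Separately, the JSON body sends a `secret` field together with `\$class` `UsernamePasswordCredentialsImpl`; as far as I know `secret` is the field of `org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl`, so unless this combination is known to yield a usable connection string via `credentials()`, the class looks wrong. The enclosing stage starts before the hunk and the trailing `sh """#!/bin/bash` continues past it.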
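Review bot: The corrected `"id": "'"\$certCredsId"'"` is later written into the cloned Jenkinsfile regardless of whether this createCredentials POST succeeded, so a 403 or a rejected body leaves the new pipeline referencing a credential id that was never created. The curl invocation carrying this JSON starts before the hunk; adding `-f` to it so a non-2xx response is a non-zero exit, together with `set -e` or an explicit check in the surrounding `#!/bin/bash` script, would stop the stage at the point of failure instead of at the first job run of the new service.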
@@ -224,7 +205,9 @@ pipeline { pushd ${servicename} linuxServiceAccountStr="linuxServiceAccount=credentials(\\"\$usernameCredsId\\")" + linuxServiceAccountIDStr="linuxServiceAccountID=\\"\$certCredsId\\"" sed -i "s/linuxServiceAccount=creds/\$linuxServiceAccountStr/" Jenkinsfile + sed -i "s/linuxServiceAccountID=string/\$linuxServiceAccountIDStr/" Jenkinsfile sed -i 's/targetHost=string/targetHost="${targetHost}"/' Jenkinsfile git add . git commit -m "linux account, service host" @@ -260,7 +243,6 @@ pipeline { } } stage("db init"){ - when { expression { return params.database } } steps { //i'm pretty sure "update" with nothing will init? //meaning we don't have to init, first update will init diff --git a/scripts/databases.sh b/scripts/databases.sh index 7751773..d133ff0 100644 --- a/scripts/databases.sh +++ b/scripts/databases.sh @@ -9,11 +9,6 @@ function restofscript(){ sudo -u postgres psql -c "create database $servicename;" sudo -u postgres psql -c "create user $servicename with encrypted password '$pw_productiondatabase';" sudo -u postgres psql -c "grant all privileges on database $servicename to $servicename;" - - sudo -u postgres psql -c "create database $service_dev;" - sudo -u postgres psql -c "create user $service_dev with encrypted password '$pw_developmentdatabase';" - sudo -u postgres psql -c "grant all privileges on database $service_dev to $service_dev;" - } echo "${SUDOER_PSW}" | sudo -S bash -c "$(declare -f restofscript); restofscript" diff --git a/scripts/serviceaccount.sh b/scripts/serviceaccount.sh index 13d8cb1..310450c 100644 --- a/scripts/serviceaccount.sh +++ b/scripts/serviceaccount.sh 
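Review bot: The added `sed -i "s/linuxServiceAccountID=string/\$linuxServiceAccountIDStr/" Jenkinsfile`, like the `linuxServiceAccount=creds` substitution above it, exits 0 and changes nothing when the placeholder is absent from the cloned Jenkinsfile, so template drift is presumably only noticed when the generated pipeline fails on the missing value. A guard before the substitutions, `grep -q 'linuxServiceAccountID=string' Jenkinsfile || { echo 'missing linuxServiceAccountID placeholder' >&2; exit 1; }`, turns that into a setup-time error with a clear message. The `sh` block these lines belong to starts before the hunk.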
@@ -9,7 +9,7 @@ function restofscript(){
 echo "${USERNAMETOADD}:${PASSWORDTOADD}" | chpasswd
 loginctl enable-linger ${USERNAMETOADD}
 mkdir /home/${USERNAMETOADD}/.ssh
- touch /home/${USERNAMETOADD}/authorized_keys
+ touch /home/${USERNAMETOADD}/.ssh/authorized_keys
 cat ssh.pub >> /home/${USERNAMETOADD}/.ssh/authorized_keys
 chmod 600 /home/${USERNAMETOADD}/authorized_keys
 chown -R "${USERNAMETOADD}:${USERNAMETOADD}" /home/${USERNAMETOADD}/.ssh
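Review bot: `chmod 600 /home/${USERNAMETOADD}/authorized_keys` two lines below the fixed `touch` still uses the old path, so it targets a file that no longer exists and `.ssh/authorized_keys` keeps whatever mode `touch` gave it under the current umask. It should read `chmod 700 /home/${USERNAMETOADD}/.ssh` and `chmod 600 /home/${USERNAMETOADD}/.ssh/authorized_keys`; the `chown -R` on the following line already covers ownership. The `restofscript` function starts before the hunk.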