From 2eac82a73c50945293a4796789b6009a51a82f98 Mon Sep 17 00:00:00 2001
From: Rustam Tagaev
Date: Thu, 7 Nov 2024 13:04:14 +0300
Subject: [PATCH] [DO-502] add_vault_restore_policy (!42)
Co-authored-by: Rustam Tagaev
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/42
Reviewed-by: Denis Patrakeev
Reviewed-by: Aleksandr Vodyanov
---
.../vault_policies_and_roles_update.groovy | 25 ++++++
.../vault-policies-and-roles-update.groovy | 77 +++++++++++++++++++
pipelines/gitea-events/jobs-runner.groovy | 18 ++++-
3 files changed, 117 insertions(+), 3 deletions(-)
create mode 100644 jobs-dsl/jobs/Automation/DevOps/vault_policies_and_roles_update.groovy
create mode 100644 pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy
diff --git a/jobs-dsl/jobs/Automation/DevOps/vault_policies_and_roles_update.groovy b/jobs-dsl/jobs/Automation/DevOps/vault_policies_and_roles_update.groovy
new file mode 100644
index 0000000..d7d7864
--- /dev/null
+++ b/jobs-dsl/jobs/Automation/DevOps/vault_policies_and_roles_update.groovy
@@ -0,0 +1,25 @@
+pipelineJob('Automation/DevOps/vault-policies-and-roles-update') {
+ logRotator {
+ numToKeep(10)
+ artifactNumToKeep(10)
+ }
+
+ properties {
+ disableConcurrentBuilds()
+ }
+
+ definition {
+ cpsScm {
+ scm {
+ git {
+ remote {
+ url("${JENKINS_GIT_REPOSITORY_URL}/DevOps/jenkins-pipelines.git")
+ credentials("${JENKINS_GIT_CREDENTIALS_HTTP}")
+ }
+ branch('master')
+ }
+ }
+ scriptPath('pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy')
+ }
+ }
+}
diff --git a/pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy b/pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy
new file mode 100644
index 0000000..aea7488
--- /dev/null
+++ b/pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy
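Review bot: The new pipelineJob has no `description(...)`, so nothing in the Jenkins UI says that this job rewrites Vault policies and roles, which is the kind of job an operator should recognise before pressing "Build now". I would add `description('Re-applies Vault policies and roles from the DevOps/ansible repository; triggered by pipelines/gitea-events/jobs-runner.groovy')` next to `logRotator`. `disableConcurrentBuilds()` is declared here and again in the pipeline's own `properties([...])`; harmless, but one place is enough.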
@@ -0,0 +1,77 @@
+@Library('shared-lib') _
+
+import tech.avroid.scm.Git
+import tech.avroid.jenkins.Notifications
+
+properties([
+ buildDiscarder(logRotator(artifactNumToKeepStr: '10',
+ numToKeepStr: '10')),
+ disableConcurrentBuilds()
+])
+
+String recipient = "devops@avroid.team"
+String ansibleRepo = 'DevOps/ansible'
+
+List vaultType = ['policies', 'roles']
+List vaultHosts = [
+ [env: 'avroid_prod', host: 'vault.avroid.tech'],
+]
+
+podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: '/data'),
+ yaml: getPodTemplate('pythonBuild')){
+ node(POD_LABEL) {
+ container(name: 'python-build') {
+ try {
+ stage('Get repository') {
+ Git git = new Git(this, "$env.JENKINS_GIT_CREDENTIALS_SSH")
+
+ git.clone([urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${ansibleRepo}.git",
+ branch: 'master'])
+ }
+
+ stage('Update roles policies') {
+ withCredentials([[$class: 'VaultTokenCredentialBinding',
+ credentialsId: 'vault-role',
+ vaultAddr: "${env.JENKINS_VAULT_URL}"]]) {
+ withEnv(["PATH=$PATH:/home/jenkins/.local/bin"]) {
+ ansiColor('xterm') {
+ sh 'pip install --user --pre -r requirements.txt'
+ sh "sed -ie 's/vault_password_file.*//' ansible.cfg"
+ vaultType.each { type ->
+ vaultHosts.each { host ->
+ ansiblePlaybook(
+ installation: 'ansible',
+ colorized: true,
+ playbook: "playbooks/cicd/vault-${type}-update.yaml",
+ extraVars: [
+ vault_host: host.host,
+ ansible_env: host.env
+ ],
+ )
+ }
+ }
+ }
+ }
+ }
+ }
+ } catch (err) {
+ errorMessage = err.getMessage()
+
+ println 'ERROR: ' + errorMessage
+
+ currentBuild.result = 'FAILURE'
+
+ String emailSubject = "${currentBuild.currentResult}. Pipeline task: ${currentBuild.fullDisplayName}"
+ Notifications.email(
+ script: this,
+ subject: emailSubject,
+ errorString: errorMessage,
+ recipientProviders: [],
+ to: recipient
+ )
+ } finally {
+ cleanWs()
+ }
+ }
+ }
+}
diff --git a/pipelines/gitea-events/jobs-runner.groovy b/pipelines/gitea-events/jobs-runner.groovy
index 2c2a49d..28c19c1 100644
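Review bot: In the 'Update roles policies' stage, `sh 'pip install --user --pre -r requirements.txt'` installs whatever the freshly cloned DevOps/ansible `requirements.txt` resolves to — with `--pre`, pre-release versions included — inside the same `withCredentials` scope that exposes the `vault-role` token able to rewrite policies and roles on the production Vault, so a newly published package version changes what runs with that token. I would drop `--pre` and pin that file (with `--require-hashes` if the repository maintains hashes), e.g. `sh 'pip install --user --require-hashes -r requirements.txt'`, so the dependency set applied under the Vault token is fixed by the commit that triggered the job. `sed -ie 's/vault_password_file.*//' ansible.cfg` is `-i` with backup suffix `e` on both GNU and BSD sed, leaving an `ansible.cfge` copy in the workspace; `sed -i -e 's/vault_password_file.*//' ansible.cfg` is what is meant. In the catch block `errorMessage = err.getMessage()` has no declaration, unlike `String emailSubject` a few lines below, so it lands in the script binding; `String errorMessage = err.getMessage()` keeps it local and consistent, and since `catch (err)` also catches a manual abort, it is worth confirming that marking such a build `FAILURE` and emailing `recipient` is intended.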
--- a/pipelines/gitea-events/jobs-runner.groovy
+++ b/pipelines/gitea-events/jobs-runner.groovy
@@ -15,8 +15,20 @@ properties([
Map projects = [
'DevOps/jenkins-pipelines': [
- ['branches': [],
- 'jobs': [[job: 'jobs-dsl/jobs-dsl']]],
+ [
+ 'branches': [],
+ 'jobs': [
+ [job: 'jobs-dsl/jobs-dsl']
+ ]
+ ],
+ ],
+ 'DevOps/ansible': [
+ [
+ 'branches': [],
+ 'jobs': [
+ [job: 'Automation/DevOps/vault-policies-and-roles-update']
+ ]
+ ],
]
]
@@ -24,7 +36,7 @@ podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: "/data"),
yaml: """
apiVersion: v1
kind: Pod
- spec:
+ spec:
containers:
- name: linux
image: ${env.JENKINS_DOCKER_REGISTRY}/docker-hub-proxy/library/alpine:3.18.5
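Review bot: The new `'DevOps/ansible'` entry in `projects` uses `'branches': []`, copied from the jenkins-pipelines entry, and nothing in this hunk shows how jobs-runner treats an empty list; if it means "any branch", every push to any branch of DevOps/ansible triggers a job that re-applies the `master` state of policies and roles to the production Vault, because the triggered pipeline clones `master` unconditionally. If the runner supports a branch filter, `'branches': ['master'],` limits the trigger to the branch whose contents are actually applied; otherwise a comment on the entry stating that the pipeline always applies `master` regardless of the pushed branch would save the next reader the same question. The second hunk only strips trailing whitespace from `spec:`.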