Avroid/jenkins-pipelines
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-502] add_vault_restore_policy (!42)

Browse Source 
Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.tech>
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/42
Reviewed-by: Denis Patrakeev <denis.patrakeev@avroid.team>
Reviewed-by: Aleksandr Vodyanov <aleksandr.vodyanov@avroid.team>
This commit is contained in:
Rustam Tagaev
2024-11-07 13:04:14 +03:00
parent 321dc6dfc1
commit 2eac82a73c
3 changed files with 117 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
jobs-dsl/jobs/Automation/DevOps/vault_policies_and_roles_update.groovy Normal file
View File

@@ -0,0 +1,25 @@
pipelineJob('Automation/DevOps/vault-policies-and-roles-update') {
logRotator {
numToKeep(10)
artifactNumToKeep(10)
}
properties {
disableConcurrentBuilds()
}
definition {
cpsScm {
scm {
git {
remote {
url("${JENKINS_GIT_REPOSITORY_URL}/DevOps/jenkins-pipelines.git")
credentials("${JENKINS_GIT_CREDENTIALS_HTTP}")
}
branch('master')
}
}
scriptPath('pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy')
}
}
}

77
pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy Normal file
View File

@@ -0,0 +1,77 @@
@Library('shared-lib') _
import tech.avroid.scm.Git
import tech.avroid.jenkins.Notifications
properties([
buildDiscarder(logRotator(artifactNumToKeepStr: '10',
numToKeepStr: '10')),
disableConcurrentBuilds()
])
String recipient = "devops@avroid.team"
String ansibleRepo = 'DevOps/ansible'
List vaultType = ['policies', 'roles']
List vaultHosts = [
[env: 'avroid_prod', host: 'vault.avroid.tech'],
]
podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: '/data'),
yaml: getPodTemplate('pythonBuild')){
node(POD_LABEL) {
container(name: 'python-build') {
try {
stage('Get repository') {
Git git = new Git(this, "$env.JENKINS_GIT_CREDENTIALS_SSH")
git.clone([urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${ansibleRepo}.git",
branch: 'master'])
}
stage('Update roles policies') {
withCredentials([[$class: 'VaultTokenCredentialBinding',
credentialsId: 'vault-role',
vaultAddr: "${env.JENKINS_VAULT_URL}"]]) {
withEnv(["PATH=$PATH:/home/jenkins/.local/bin"]) {
ansiColor('xterm') {
sh 'pip install --user --pre -r requirements.txt'
sh "sed -ie 's/vault_password_file.*//' ansible.cfg"
vaultType.each { type ->
vaultHosts.each { host ->
ansiblePlaybook(
installation: 'ansible',
colorized: true,
playbook: "playbooks/cicd/vault-${type}-update.yaml",
extraVars: [
vault_host: host.host,
ansible_env: host.env
],
)
}
}
}
}
}
}
} catch (err) {
errorMessage = err.getMessage()
println 'ERROR: ' + errorMessage
currentBuild.result = 'FAILURE'
String emailSubject = "${currentBuild.currentResult}. Pipeline task: ${currentBuild.fullDisplayName}"
Notifications.email(
script: this,
subject: emailSubject,
errorString: errorMessage,
recipientProviders: [],
to: recipient
)
} finally {
cleanWs()
}
}
}
}

18
pipelines/gitea-events/jobs-runner.groovy
View File

@@ -15,8 +15,20 @@ properties([
Map projects = [ Map projects = [
'DevOps/jenkins-pipelines': [ 'DevOps/jenkins-pipelines': [
['branches': [], [
'jobs': [[job: 'jobs-dsl/jobs-dsl']]], 'branches': [],
'jobs': [
[job: 'jobs-dsl/jobs-dsl']
]
],
],
'DevOps/ansible': [
[
'branches': [],
'jobs': [
[job: 'Automation/DevOps/vault-policies-and-roles-update']
]
],
] ]
] ]
@@ -24,7 +36,7 @@ podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: "/data"),
yaml: """ yaml: """
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
spec: spec:
containers: containers:
- name: linux - name: linux
image: ${env.JENKINS_DOCKER_REGISTRY}/docker-hub-proxy/library/alpine:3.18.5 image: ${env.JENKINS_DOCKER_REGISTRY}/docker-hub-proxy/library/alpine:3.18.5