[DO-502] add_vault_restore_policy (!42)
Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.tech> Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/42 Reviewed-by: Denis Patrakeev <denis.patrakeev@avroid.team> Reviewed-by: Aleksandr Vodyanov <aleksandr.vodyanov@avroid.team>
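--- /dev/null
+++ b/PLACEHOLDER_JOBS_DSL_PATH
@@ -0,0 +1,25 @@
+pipelineJob('Automation/DevOps/vault-policies-and-roles-update') {
+logRotator {
+numToKeep(10)
+artifactNumToKeep(10)
+}
+
+properties {
+disableConcurrentBuilds()
+}
+
+definition {
+cpsScm {
+scm {
+git {
+remote {
+url("${JENKINS_GIT_REPOSITORY_URL}/DevOps/jenkins-pipelines.git")
+credentials("${JENKINS_GIT_CREDENTIALS_HTTP}")
+}
+branch('master')
+}
+}
+scriptPath('pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy')
+}
+}
+}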
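Review bot: Nothing in this job definition says how `Automation/DevOps/vault-policies-and-roles-update` gets started, and the DSL declares no `triggers` block; the only hint is the entry added to the `DevOps/ansible` project map in another file of this commit. A one-line comment above `pipelineJob(...)`, e.g. `// Started by the DevOps/ansible webhook dispatcher (see the projects map); applies Vault policies and roles from that repo`, would save the next reader the cross-reference. The `branch('master')` here only selects where the pipeline script itself is read from, which is worth saying in that comment too so it is not confused with the branch of the ansible repo the job applies.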
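--- /dev/null
+++ b/pipelines/Automation/DevOps/vault-policies-and-roles-update.groovy
@@ -0,0 +1,77 @@
+@Library('shared-lib') _
+
+import tech.avroid.scm.Git
+import tech.avroid.jenkins.Notifications
+
+properties([
+buildDiscarder(logRotator(artifactNumToKeepStr: '10',
+numToKeepStr: '10')),
+disableConcurrentBuilds()
+])
+
+String recipient = "devops@avroid.team"
+String ansibleRepo = 'DevOps/ansible'
+
+List vaultType = ['policies', 'roles']
+List vaultHosts = [
+[env: 'avroid_prod', host: 'vault.avroid.tech'],
+]
+
+podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: '/data'),
+yaml: getPodTemplate('pythonBuild')){
+node(POD_LABEL) {
+container(name: 'python-build') {
+try {
+stage('Get repository') {
+Git git = new Git(this, "$env.JENKINS_GIT_CREDENTIALS_SSH")
+
+git.clone([urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${ansibleRepo}.git",
+branch: 'master'])
+}
+
+stage('Update roles policies') {
+withCredentials([[$class: 'VaultTokenCredentialBinding',
+credentialsId: 'vault-role',
+vaultAddr: "${env.JENKINS_VAULT_URL}"]]) {
+withEnv(["PATH=$PATH:/home/jenkins/.local/bin"]) {
+ansiColor('xterm') {
+sh 'pip install --user --pre -r requirements.txt'
+sh "sed -ie 's/vault_password_file.*//' ansible.cfg"
+vaultType.each { type ->
+vaultHosts.each { host ->
+ansiblePlaybook(
+installation: 'ansible',
+colorized: true,
+playbook: "playbooks/cicd/vault-${type}-update.yaml",
+extraVars: [
+vault_host: host.host,
+ansible_env: host.env
+],
+)
+}
+}
+}
+}
+}
+}
+} catch (err) {
+errorMessage = err.getMessage()
+
+println 'ERROR: ' + errorMessage
+
+currentBuild.result = 'FAILURE'
+
+String emailSubject = "${currentBuild.currentResult}. Pipeline task: ${currentBuild.fullDisplayName}"
+Notifications.email(
+script: this,
+subject: emailSubject,
+errorString: errorMessage,
+recipientProviders: [],
+to: recipient
+)
+} finally {
+cleanWs()
+}
+}
+}
+}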
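Review bot: `sh 'pip install --user --pre -r requirements.txt'` runs inside the `VaultTokenCredentialBinding` block, so package installation (including whatever setup code the `--pre` pre-releases listed in the cloned repo's requirements.txt execute) happens with the Vault token bound in the environment although it has no need for it. Moving that line and the following `sed` line up, before `withCredentials([...])` in the 'Update roles policies' stage, narrows the token's scope to the two `ansiblePlaybook` loops only. Separately, on GNU sed `-ie` is `-i` with backup suffix `e`, so the command leaves an `ansible.cfge` copy in the workspace; `sed -i -e 's/vault_password_file.*//' ansible.cfg` is presumably what was intended. In the `catch` block `errorMessage` is assigned without a declaration, which makes it a script-binding variable rather than a local; `String errorMessage = err.getMessage()` matches how `emailSubject` and the other locals are declared.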
@@ -15,8 +15,20 @@ properties([
|
||||
|
||||
Map projects = [
|
||||
'DevOps/jenkins-pipelines': [
|
||||
['branches': [],
|
||||
'jobs': [[job: 'jobs-dsl/jobs-dsl']]],
|
||||
[
|
||||
'branches': [],
|
||||
'jobs': [
|
||||
[job: 'jobs-dsl/jobs-dsl']
|
||||
]
|
||||
],
|
||||
],
|
||||
'DevOps/ansible': [
|
||||
[
|
||||
'branches': [],
|
||||
'jobs': [
|
||||
[job: 'Automation/DevOps/vault-policies-and-roles-update']
|
||||
]
|
||||
],
|
||||
]
|
||||
]
|
||||
|
||||
@@ -24,7 +36,7 @@ podTemplate(workspaceVolume: hostPathWorkspaceVolume(hostPath: "/data"),
|
||||
yaml: """
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: linux
|
||||
image: ${env.JENKINS_DOCKER_REGISTRY}/docker-hub-proxy/library/alpine:3.18.5
|
||||
|
||||
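Review bot: The new `'DevOps/ansible'` entry in the first hunk registers `Automation/DevOps/vault-policies-and-roles-update` with `'branches': []`, which — if an empty list means "any branch", as the existing `jobs-dsl` entry suggests — makes a push to any branch of the ansible repo start a job that always clones and applies `master`. If that reading is right, `'branches': ['master']` (or a comment explaining why every branch must trigger it) avoids needless Vault policy and role runs from feature-branch pushes; the semantics of the empty list should be confirmed against the dispatcher code that reads this map, which is outside the hunk. The second hunk appears to touch only the `spec:` line, and with indentation lost on this page it looks like a whitespace fix, so nothing to raise there. The `podTemplate(...)` call that the second hunk sits in continues past the end of the hunk.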