Dustin C. Hatch
0b914d617e
Usually, we do not want the continuous enforcement jobs installing or upgrading software packages. Sometimes, though, we may want to use a Jenkins job to roll out something new, so this new `ALLOW_INSTALL` parameter will control whether or not Ansible tasks tagged with `install` are skipped.
142 lines
4.1 KiB
Groovy
142 lines
4.1 KiB
Groovy
// vim: set sw=4 ts=4 sts=4 et :
|
|
import groovy.transform.Field
|
|
import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
|
|
|
|
def call(rw_limit, stages) {
|
|
properties([
|
|
parameters([
|
|
booleanParam([
|
|
description: 'Allow installing packages',
|
|
name: 'ALLOW_INSTALL',
|
|
]),
|
|
]),
|
|
pipelineTriggers([cron('H H * * *')])
|
|
])
|
|
|
|
timeout(time: 1, unit: 'HOURS') {
|
|
lock('cfgpol') {
|
|
podTemplate(containers: [
|
|
containerTemplate(
|
|
name: 'ansible',
|
|
image: 'git.pyrocufflink.net/containerimages/ansible',
|
|
alwaysPullImage: true,
|
|
)
|
|
]) {
|
|
node(POD_LABEL) {
|
|
checkout scm
|
|
withCredentials([
|
|
file(
|
|
credentialsId: 'jenkins-cfgmgmt-cert',
|
|
variable: 'SSHCERT',
|
|
)
|
|
]) {
|
|
withEnv([
|
|
"HOME=${WORKSPACE}",
|
|
"KRB5CCNAME=${WORKSPACE}/.krb5cc",
|
|
"ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}",
|
|
]) {
|
|
container('ansible') {
|
|
try {
|
|
stageKinit()
|
|
sshagent([
|
|
'jenkins-cfgmgmt',
|
|
'jenkins-sudo-sshkey',
|
|
]) {
|
|
generateStages(stages)
|
|
}
|
|
} catch (err) {
|
|
postFailure(err)
|
|
} finally {
|
|
postCleanup()
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
def stageKinit() {
|
|
stage('kinit') {
|
|
withCredentials([file(
|
|
credentialsId: 'keytab-jenkins@pyrocufflink.blue',
|
|
variable: 'KEYTAB'
|
|
)]) {
|
|
sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
|
|
}
|
|
sh 'rm -rf .fact-cache'
|
|
}
|
|
}
|
|
|
|
|
|
def stageRemountRW(limit) {
|
|
def STAGE_NAME = 'Remount R/W'
|
|
stage(STAGE_NAME) {
|
|
if (limit) {
|
|
ansiblePlaybook \
|
|
playbook: 'remount.yml',
|
|
limit: limit,
|
|
become: true,
|
|
credentialsId: 'jenkins-cfgmgmt',
|
|
vaultCredentialsId: 'ansible-vault',
|
|
extraVars: [
|
|
remount_state: 'rw',
|
|
]
|
|
} else {
|
|
Utils.markStageSkippedForConditional(STAGE_NAME)
|
|
}
|
|
}
|
|
}
|
|
|
|
def generateStages(stages) {
|
|
def skip_tags = []
|
|
if (!params.ALLOW_INSTALL) {
|
|
skip_tags += 'install'
|
|
}
|
|
stages.each { name, playbooks ->
|
|
stage(name) {
|
|
playbooks.each { playbook ->
|
|
ansiblePlaybook \
|
|
playbook: playbook,
|
|
become: true,
|
|
credentialsId: 'jenkins-cfgmgmt',
|
|
vaultCredentialsId: 'ansible-vault',
|
|
extras: '--diff',
|
|
skippedTags: skip_tags.join(',')
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
def stageRemountRO(limit) {
|
|
def STAGE_NAME = 'Remount R/O'
|
|
stage(STAGE_NAME) {
|
|
if (limit) {
|
|
ansiblePlaybook \
|
|
playbook: 'remount.yml',
|
|
limit: limit + ':!rw-root',
|
|
become: true,
|
|
credentialsId: 'jenkins-cfgmgmt',
|
|
vaultCredentialsId: 'ansible-vault',
|
|
extras: '--diff'
|
|
} else {
|
|
Utils.markStageSkippedForConditional(STAGE_NAME)
|
|
}
|
|
}
|
|
}
|
|
|
|
def postCleanup() {
|
|
sh 'kdestroy'
|
|
}
|
|
|
|
def postFailure(err) {
|
|
currentBuild.result = 'FAILURE'
|
|
emailext \
|
|
to: 'gyrfalcon@ebonfire.com',
|
|
subject: '$DEFAULT_SUBJECT',
|
|
body: '$DEFAULT_CONTENT'
|
|
error "${err}"
|
|
}
|