This doesn't actually work, because the shell expands `~` to the value of the `HOME` environment variable, but `ssh` ignores that variable and reads the path from the user's `passwd` entry. Since managed hosts all have certificates now, and the CA key is included in the global host key database, individual host keys are not needed anymore anyway.
// vim: set sw=4 ts=4 sts=4 et :
import groovy.transform.Field
import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
/**
 * Entry point of the nightly configuration-policy pipeline.
 *
 * Inside a one-hour timeout and the 'cfgpol' lock, an `ansible` pod is
 * started; in it the job obtains a Kerberos ticket, remounts the hosts in
 * `rw_limit` read/write, runs the playbooks listed in `stages`, and
 * remounts read-only again.  Failures are reported by e-mail and rethrown;
 * the Kerberos ticket is destroyed in every case.
 *
 * @param rw_limit  Ansible host pattern handed to the remount stages; a
 *                  falsy value marks both remount stages as skipped.
 * @param stages    Map of stage name -> list of playbook paths, run in
 *                  iteration order.
 */
def call(rw_limit, stages) {
    // Run once a day; the 'H' fields let Jenkins spread the exact minute/hour.
    properties([
        pipelineTriggers([cron('H H * * *')])
    ])

    timeout(time: 1, unit: 'HOURS') {
        // Serialise policy runs so two builds never apply playbooks concurrently.
        lock('cfgpol') {
            def ansibleContainer = containerTemplate(
                name: 'ansible',
                image: 'git.pyrocufflink.net/containerimages/ansible',
                alwaysPullImage: true
            )

            podTemplate(containers: [ansibleContainer]) {
                node(POD_LABEL) {
                    checkout scm

                    def runEnv = [
                        // Per the commit message, ssh does not honour HOME (it
                        // uses the passwd entry); this only affects tools that do.
                        "HOME=${WORKSPACE}",
                        // Build-local ticket cache, so no other job shares it and
                        // postCleanup() can remove it.
                        "KRB5CCNAME=${WORKSPACE}/.krb5cc",
                        // -A forwards the sshagent socket to each managed host for
                        // the life of the connection, i.e. the jenkins-sudo key is
                        // usable from that host while the playbook runs.
                        'ANSIBLE_SSH_EXTRA_ARGS=-A'
                    ]

                    withEnv(runEnv) {
                        container('ansible') {
                            try {
                                sshagent(['jenkins-sudo-sshkey']) {
                                    stageKinit()
                                    stageRemountRW(rw_limit)
                                    generateStages(stages)
                                    stageRemountRO(rw_limit)
                                }
                            } catch (err) {
                                // postFailure() rethrows, so the build still fails.
                                postFailure(err)
                            } finally {
                                postCleanup()
                            }
                        }
                    }
                }
            }
        }
    }
}
/**
 * Stage 'kinit': obtain a Kerberos ticket for the Jenkins principal from the
 * keytab credential, then discard the stale Ansible fact cache.
 *
 * The ticket goes into the cache named by KRB5CCNAME, which the caller sets
 * to a workspace-local path; postCleanup() destroys it again.
 */
def stageKinit() {
    // The keytab is materialised as a temporary file whose path is exported
    // as $KEYTAB only for the duration of the withCredentials block.
    def keytabBinding = file(
        credentialsId: 'keytab-jenkins@pyrocufflink.blue',
        variable: 'KEYTAB'
    )

    // Single-quoted on purpose: ${KEYTAB} is expanded by the shell, so the
    // keytab path never passes through Groovy string interpolation.
    def kinitCommand = 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'

    stage('kinit') {
        withCredentials([keytabBinding]) {
            sh kinitCommand
        }
        // Start every run with fresh facts rather than cached ones.
        sh 'rm -rf .fact-cache'
    }
}
/**
 * Stage 'Remount R/W': run remount.yml with remount_state=rw against the
 * hosts matched by `limit`, so the policy playbooks can write to them.
 *
 * @param limit  Ansible host pattern; when falsy the stage is only marked
 *               as skipped and no playbook runs.
 */
def stageRemountRW(limit) {
    def stageName = 'Remount R/W'

    stage(stageName) {
        if (!limit) {
            Utils.markStageSkippedForConditional(stageName)
            return
        }

        // Same credential/vault ids as the policy playbooks; become for root.
        def playbookArgs = [
            playbook: 'remount.yml',
            limit: limit,
            become: true,
            credentialsId: 'jenkins-cfgmgmt',
            vaultCredentialsId: 'ansible-vault',
            extraVars: [remount_state: 'rw']
        ]
        ansiblePlaybook(playbookArgs)
    }
}
/**
 * Create one pipeline stage per entry of `stages`, running that entry's
 * playbooks in order with the shared cfgmgmt/vault credentials, `--diff`
 * output enabled and tasks tagged 'install' skipped.
 *
 * @param stages  Map of stage name -> list of playbook paths.
 */
def generateStages(stages) {
    for (entry in stages) {
        def stageName = entry.key
        def playbookPaths = entry.value

        stage(stageName) {
            for (playbookPath in playbookPaths) {
                ansiblePlaybook([
                    playbook: playbookPath,
                    become: true,
                    credentialsId: 'jenkins-cfgmgmt',
                    vaultCredentialsId: 'ansible-vault',
                    // Show what each task changed in the console log.
                    extras: '--diff',
                    // Package installation is left to another job/tag.
                    skippedTags: 'install'
                ])
            }
        }
    }
}
/**
 * Stage 'Remount R/O': run remount.yml against the hosts matched by
 * `limit`, excluding the `rw-root` group, to return them to read-only.
 *
 * Unlike stageRemountRW() no remount_state is passed, so the playbook's
 * own default applies.
 *
 * @param limit  Ansible host pattern; when falsy the stage is only marked
 *               as skipped and no playbook runs.
 */
def stageRemountRO(limit) {
    def stageName = 'Remount R/O'

    stage(stageName) {
        if (!limit) {
            Utils.markStageSkippedForConditional(stageName)
            return
        }

        // ':!rw-root' keeps hosts that must stay writable out of this pass.
        def hostPattern = limit + ':!rw-root'
        def playbookArgs = [
            playbook: 'remount.yml',
            limit: hostPattern,
            become: true,
            credentialsId: 'jenkins-cfgmgmt',
            vaultCredentialsId: 'ansible-vault',
            extras: '--diff'
        ]
        ansiblePlaybook(playbookArgs)
    }
}
/**
 * Unconditional teardown: destroy the Kerberos ticket cache obtained by
 * stageKinit() so the ticket does not outlive the build.
 */
def postCleanup() {
    sh script: 'kdestroy'
}
/**
 * Failure handler: mark the build FAILURE, send the default failure e-mail,
 * then rethrow `err` as a pipeline error so the run stops with its text.
 *
 * @param err  the exception caught by the caller
 */
def postFailure(err) {
    currentBuild.result = 'FAILURE'

    // $DEFAULT_SUBJECT / $DEFAULT_CONTENT are emailext tokens, expanded by
    // the plugin, hence the single quotes.
    def notification = [
        to: 'gyrfalcon@ebonfire.com',
        subject: '$DEFAULT_SUBJECT',
        body: '$DEFAULT_CONTENT'
    ]
    emailext(notification)

    error("${err}")
}