adds isc-bind
This commit is contained in:
parent
9bc26437f7
commit
135d533615
GPG Key ID:
C50D0BBB5BC40BEA
173
build-bind.jenkins
Normal file
173
build-bind.jenkins
Normal file
@ -0,0 +1,173 @@
|
||||
def repository = "registry.c.test-chamber-13.lan"
|
||||
def repositoryCreds = "harbor-repository-creds"
|
||||
|
||||
def workspace
|
||||
def dockerFile
|
||||
def startFile
|
||||
def signzoneFile
|
||||
|
||||
def label = "kubernetes-${UUID.randomUUID().toString()}"
|
||||
def templateName = "pipeline-worker"
|
||||
|
||||
pipeline {
|
||||
agent {
|
||||
kubernetes{
|
||||
yaml functions.podYaml(
|
||||
repo: repository,
|
||||
templateName: templateName,
|
||||
kaniko: true
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
stages {
|
||||
stage ('Initalize Jenkins') {
|
||||
steps {
|
||||
script {
|
||||
workspace = pwd()
|
||||
startFile = """
|
||||
#! /usr/bin/env bash
|
||||
SIGN_DOMAINS="\$(ls -1 /var/named/masters)" sign-zone.sh
|
||||
chown -R bind:bind /var/named
|
||||
bind_exporter --bind.stats-url="http://127.0.0.1:8553" --web.listen-address=0.0.0.0:8053 &
|
||||
/usr/sbin/named -g -c /etc/bind/named.conf -u bind
|
||||
"""
|
||||
writeFile(file: workspace + "/start.sh", text: startFile)
|
||||
|
||||
signzoneFile = """
|
||||
#! /usr/bin/env bash
|
||||
|
||||
# Keys directory
|
||||
KEYDIR="/var/named/keys"
|
||||
|
||||
# Zone directory
|
||||
ZONEDIR="/var/named/masters"
|
||||
|
||||
# Destination directory
|
||||
DESTDIR="/var/named/dynamic"
|
||||
|
||||
function CleanJournal () {
|
||||
if [ -e "\${DESTDIR}/\${DOMAIN}.signed.jnl" ]; then
|
||||
printf 'Removing Journal File: %s\n' "\${DOMAIN}"
|
||||
rm -f "\${DESTDIR}/\${DOMAIN}.signed.jnl"
|
||||
fi
|
||||
}
|
||||
|
||||
function SignZone () {
|
||||
CleanJournal "\${DOMAIN}"
|
||||
RANDOM_HASH=\$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
|
||||
EXP=\$(( \$(/bin/date +%Y) + 1))\$(/bin/date +%m%d)000000
|
||||
TEMP_FILE=\$(mktemp /tmp/zone-XXXXXXXXXX)
|
||||
|
||||
printf '%s\\n' "Updating Zone Serial"
|
||||
cp "\${ZONEDIR}/\${DOMAIN}" "\${TEMP_FILE}"
|
||||
sed -i -r -e "s/[0-9]+\t; Serial/\$(date +%Y%m%d%H)\t; Serial/" "\${TEMP_FILE}"
|
||||
|
||||
# If key files do not exist, generate them.
|
||||
if [ -e "\${KEYDIR}/K\${DOMAIN}*.key" ]; then
|
||||
# Keys does not exist so we will generate them
|
||||
printf '%s\\n' "Creating Key Signing Key (4096-bit)"
|
||||
dnssec-keygen -K \${KEYDIR} -f KSK -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"
|
||||
printf '%s\\n' "Creating Zone Signing Key (4096-bit)"
|
||||
dnssec-keygen -K \${KEYDIR} -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"
|
||||
|
||||
# Append keys to Zone
|
||||
cat "\${KEYDIR}/K\${DOMAIN}*.key" >> "\${TEMP_FILE}"
|
||||
fi
|
||||
|
||||
# Locate the Key Signing Key
|
||||
if ! KSK=\$(grep -i -H "key-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key | cut -d: -f1); then
|
||||
printf '%s\n' "ERROR: Unable to detect Key Signing Key"
|
||||
exit 100
|
||||
fi
|
||||
filename=\$(basename "\${KSK}")
|
||||
KSKBASE=\${filename%.*}
|
||||
|
||||
# Locate the Zone Signing Key
|
||||
if ! ZSK=\$(grep -i -H "zone-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key | cut -d: -f1); then
|
||||
printf '%s\\n' "ERROR: Unable to detect Zone Signing Key"
|
||||
exit 100
|
||||
fi
|
||||
filename=\$(basename "\${ZSK}")
|
||||
ZSKBASE=\${filename%.*}
|
||||
|
||||
printf '%s\\n' "Signing Zone: \${DOMAIN}"
|
||||
cd "\${KEYDIR}" || exit 100
|
||||
dnssec-signzone -3 "\${RANDOM_HASH}" -u -N INCREMENT -o "\${DOMAIN}" -k "\${KSKBASE}" -e "\${EXP}" -f "\${DESTDIR}/\${DOMAIN}.signed" "\${TEMP_FILE}" "\${KEYDIR}/\${ZSKBASE}.private"
|
||||
|
||||
printf '\\n%s\\n' "*** DNSSEC DS RR Generation ***"
|
||||
dnssec-dsfromkey -2 "\${KEYDIR}/\${KSKBASE}.key"
|
||||
|
||||
printf '%s\\n' "Cleaning Temporary File"
|
||||
rm -f "\${TEMP_FILE}"
|
||||
}
|
||||
|
||||
# Check to see how we were called
|
||||
if [ ! -z \${SIGN_DOMAINS+x} ]; then
|
||||
for DOMAIN in \${SIGN_DOMAINS}; do
|
||||
if [ ! -e "\${ZONEDIR}/\${DOMAIN}" ]; then
|
||||
printf '%s\n' "ERROR: Unable to locate Zone: \${DOMAIN}"
|
||||
exit 100
|
||||
else
|
||||
SignZone "\${DOMAIN}"
|
||||
fi
|
||||
done
|
||||
elif [ "\${#}" -gt 0 ]; then
|
||||
for DOMAIN in "\${@}"; do
|
||||
if [ ! -e "\${ZONEDIR}/\${DOMAIN}" ]; then
|
||||
printf '%s\n' "ERROR: Unable to locate Zone: \${DOMAIN}"
|
||||
exit 100
|
||||
else
|
||||
SignZone "\${DOMAIN}"
|
||||
fi
|
||||
done
|
||||
else
|
||||
printf '%s' "Please enter the Zone (domain) in lowescase: "
|
||||
read -r DOMAIN
|
||||
SignZone "\${DOMAIN}"
|
||||
fi
|
||||
"""
|
||||
writeFile(file: workspace + "/sign-zone.sh", text: signzoneFile)
|
||||
|
||||
dockerFile = """
|
||||
FROM registry.hub.docker.com/internetsystemsconsortium/bind9:9.18
|
||||
|
||||
COPY *.sh /usr/local/bin/
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends dnsutils && \
|
||||
chmod +x /usr/local/bin/start.sh /usr/local/bin/sign-zone.sh
|
||||
|
||||
CMD [ "/bin/bash", "-c", "start.sh" ]
|
||||
"""
|
||||
writeFile(file: workspace + "/test-chamber-13.lan.root.crt", text: functions.getCurrentRootCA())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
stage ('Build & Push') {
|
||||
steps {
|
||||
container ('kaniko') {
|
||||
script {
|
||||
declarativeFunctions.buildContainerMultipleDestinations(
|
||||
dockerFile: dockerFile,
|
||||
repositoryAccess: [
|
||||
[
|
||||
repository: repository,
|
||||
credentials: repositoryCreds
|
||||
],
|
||||
[
|
||||
repository: "https://index.docker.io/v1/",
|
||||
credentials: "dockerhub-repository-creds"
|
||||
],
|
||||
],
|
||||
destination: [
|
||||
"index.docker.io/thespider/bind9:latest",
|
||||
]
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user