diff --git a/build-bind.jenkins b/build-bind.jenkins
new file mode 100644
index 0000000..a96c2ec
--- /dev/null
+++ b/build-bind.jenkins
@@ -0,0 +1,173 @@
+def repository = "registry.c.test-chamber-13.lan"
+def repositoryCreds = "harbor-repository-creds"
+
+def workspace
+def dockerFile
+def startFile
+def signzoneFile
+
+def label = "kubernetes-${UUID.randomUUID().toString()}"
+def templateName = "pipeline-worker"
+
+pipeline {
+ agent {
+ kubernetes{
+ yaml functions.podYaml(
+ repo: repository,
+ templateName: templateName,
+ kaniko: true
+ )
+ }
+ }
+
+ stages {
+ stage ('Initalize Jenkins') {
+ steps {
+ script {
+ workspace = pwd()
+ startFile = """
+#! /usr/bin/env bash
+SIGN_DOMAINS="\$(ls -1 /var/named/masters)" sign-zone.sh
+chown -R bind:bind /var/named
+bind_exporter --bind.stats-url="http://127.0.0.1:8553" --web.listen-address=0.0.0.0:8053 &
+/usr/sbin/named -g -c /etc/bind/named.conf -u bind
+"""
+ writeFile(file: workspace + "/start.sh", text: startFile)
+
+ signzoneFile = """
+#! /usr/bin/env bash
+
+# Keys directory
+KEYDIR="/var/named/keys"
+
+# Zone directory
+ZONEDIR="/var/named/masters"
+
+# Destination directory
+DESTDIR="/var/named/dynamic"
+
+function CleanJournal () {
+ if [ -e "\${DESTDIR}/\${DOMAIN}.signed.jnl" ]; then
+ printf 'Removing Journal File: %s\n' "\${DOMAIN}"
+ rm -f "\${DESTDIR}/\${DOMAIN}.signed.jnl"
+ fi
+}
+
+function SignZone () {
+ CleanJournal "\${DOMAIN}"
+ RANDOM_HASH=\$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
+ EXP=\$(( \$(/bin/date +%Y) + 1))\$(/bin/date +%m%d)000000
+ TEMP_FILE=\$(mktemp /tmp/zone-XXXXXXXXXX)
+
+ printf '%s\\n' "Updating Zone Serial"
+ cp "\${ZONEDIR}/\${DOMAIN}" "\${TEMP_FILE}"
+ sed -i -r -e "s/[0-9]+\t; Serial/\$(date +%Y%m%d%H)\t; Serial/" "\${TEMP_FILE}"
+
+ # If key files do not exist, generate them.
+ if [ -e "\${KEYDIR}/K\${DOMAIN}*.key" ]; then
+ # Keys does not exist so we will generate them
+ printf '%s\\n' "Creating Key Signing Key (4096-bit)"
+ dnssec-keygen -K \${KEYDIR} -f KSK -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"
+ printf '%s\\n' "Creating Zone Signing Key (4096-bit)"
+ dnssec-keygen -K \${KEYDIR} -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"
+
+ # Append keys to Zone
+ cat "\${KEYDIR}/K\${DOMAIN}*.key" >> "\${TEMP_FILE}"
+ fi
+
+ # Locate the Key Signing Key
+ if ! KSK=\$(grep -i -H "key-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key | cut -d: -f1); then
+ printf '%s\n' "ERROR: Unable to detect Key Signing Key"
+ exit 100
+ fi
+ filename=\$(basename "\${KSK}")
+ KSKBASE=\${filename%.*}
+
+ # Locate the Zone Signing Key
+ if ! ZSK=\$(grep -i -H "zone-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key | cut -d: -f1); then
+ printf '%s\\n' "ERROR: Unable to detect Zone Signing Key"
+ exit 100
+ fi
+ filename=\$(basename "\${ZSK}")
+ ZSKBASE=\${filename%.*}
+
+ printf '%s\\n' "Signing Zone: \${DOMAIN}"
+ cd "\${KEYDIR}" || exit 100
+ dnssec-signzone -3 "\${RANDOM_HASH}" -u -N INCREMENT -o "\${DOMAIN}" -k "\${KSKBASE}" -e "\${EXP}" -f "\${DESTDIR}/\${DOMAIN}.signed" "\${TEMP_FILE}" "\${KEYDIR}/\${ZSKBASE}.private"
+
+ printf '\\n%s\\n' "*** DNSSEC DS RR Generation ***"
+ dnssec-dsfromkey -2 "\${KEYDIR}/\${KSKBASE}.key"
+
+ printf '%s\\n' "Cleaning Temporary File"
+ rm -f "\${TEMP_FILE}"
+}
+
+# Check to see how we were called
+if [ ! -z \${SIGN_DOMAINS+x} ]; then
+ for DOMAIN in \${SIGN_DOMAINS}; do
+ if [ ! -e "\${ZONEDIR}/\${DOMAIN}" ]; then
+ printf '%s\n' "ERROR: Unable to locate Zone: \${DOMAIN}"
+ exit 100
+ else
+ SignZone "\${DOMAIN}"
+ fi
+ done
+elif [ "\${#}" -gt 0 ]; then
+ for DOMAIN in "\${@}"; do
+ if [ ! -e "\${ZONEDIR}/\${DOMAIN}" ]; then
+ printf '%s\n' "ERROR: Unable to locate Zone: \${DOMAIN}"
+ exit 100
+ else
+ SignZone "\${DOMAIN}"
+ fi
+ done
+else
+ printf '%s' "Please enter the Zone (domain) in lowescase: "
+ read -r DOMAIN
+ SignZone "\${DOMAIN}"
+fi
+"""
+ writeFile(file: workspace + "/sign-zone.sh", text: signzoneFile)
+
+ dockerFile = """
+FROM registry.hub.docker.com/internetsystemsconsortium/bind9:9.18
+
+COPY *.sh /usr/local/bin/
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends dnsutils && \
+ chmod +x /usr/local/bin/start.sh /usr/local/bin/sign-zone.sh
+
+CMD [ "/bin/bash", "-c", "start.sh" ]
+"""
+ writeFile(file: workspace + "/test-chamber-13.lan.root.crt", text: functions.getCurrentRootCA())
+ }
+ }
+ }
+
+ stage ('Build & Push') {
+ steps {
+ container ('kaniko') {
+ script {
+ declarativeFunctions.buildContainerMultipleDestinations(
+ dockerFile: dockerFile,
+ repositoryAccess: [
+ [
+ repository: repository,
+ credentials: repositoryCreds
+ ],
+ [
+ repository: "https://index.docker.io/v1/",
+ credentials: "dockerhub-repository-creds"
+ ],
+ ],
+ destination: [
+ "index.docker.io/thespider/bind9:latest",
+ ]
+ )
+ }
+ }
+ }
+ }
+ }
+}
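Review bot: The key-bootstrap check in SignZone, `if [ -e "\${KEYDIR}/K\${DOMAIN}*.key" ]; then`, quotes the glob, so `-e` tests for a literal file named `K<domain>*.key` and is never true, and its sense is also inverted relative to the comment above it; keys are therefore never generated and the script falls through to `ERROR: Unable to detect Key Signing Key` / `exit 100` unless a KSK/ZSK pair already exists in KEYDIR. The two lines should read `if ! compgen -G "\${KEYDIR}/K\${DOMAIN}*.key" > /dev/null; then` and, in the append step, `cat "\${KEYDIR}/K\${DOMAIN}"*.key >> "\${TEMP_FILE}"` (the `grep` lines further down already use the unquoted-glob form). Because start.sh runs sign-zone.sh on every container start, the KSK/ZSK private keys written to /var/named/keys presumably need a persistent volume — if they live only in the container filesystem, each restart mints new keys and the DS record published from the earlier `dnssec-dsfromkey` output no longer validates the zone; a comment on `KEYDIR` such as `# Must be a persistent volume: regenerating keys invalidates the published DS record` would make that requirement explicit. Separately, the heredoc mixes `\n` (which Groovy turns into a literal newline inside the single-quoted printf format) with `\\n`; using `\\n` throughout keeps the generated script readable.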