// Internal registry that the pipeline pod image and the Dockerfile base image are
// pulled from, plus the Jenkins credentials id paired with it in 'Build & Push'.
def repository = "registry.c.test-chamber-13.lan"
def repositoryCreds = "harbor-repository-creds"

// Assigned in the 'Initalize Jenkins' stage: workspace path and the generated
// Dockerfile, start.sh and sign-zone.sh contents.
def workspace
def dockerFile
def startFile
def signzoneFile

// Unique per-run label; not referenced anywhere in this file as written.
def label = "kubernetes-${UUID.randomUUID().toString()}"
// Pod template name handed to functions.podYaml() in the agent block.
def templateName = "pipeline-worker"

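pipeline {
    agent {
        kubernetes{
            // Pod spec comes from the shared library; kaniko: true presumably
            // provisions the 'kaniko' container used in 'Build & Push'.
            yaml functions.podYaml(
                repo: repository,
                templateName: templateName,
                kaniko: true
            )
        }
    }

    stages {
        stage ('Initalize Jenkins') {
            steps {
                script {
                    workspace = pwd()

                    // Container entrypoint. named is exec'ed as the last step so
                    // that it becomes the container's main process and receives
                    // stop signals directly instead of them being swallowed by a
                    // parent bash process (which, as PID 1, does not forward them).
                    startFile = """
#! /usr/bin/env bash
# (Re)sign every zone in /var/named/masters, fix ownership, start the BIND
# statistics exporter in the background, then replace this shell with named.
SIGN_DOMAINS="\$(ls -1 /var/named/masters)" sign-zone.sh
chown -R bind:bind /var/named
bind_exporter --bind.stats-url="http://127.0.0.1:8553" --web.listen-address=0.0.0.0:8053 &
exec /usr/sbin/named -g -c /etc/bind/named.conf -u bind
"""

                    // DNSSEC signing helper. Fixes relative to the earlier version:
                    //  - the key-existence test was '-e' on a *quoted* glob, so the
                    //    pattern never matched and keys were never generated;
                    //  - 'cat' of the new keys used the same quoted glob;
                    //  - KSK/ZSK detection used 'grep | cut' whose exit status is
                    //    cut's, so a missing key was never detected;
                    //  - a dnssec-signzone failure now aborts instead of exiting 0;
                    //  - the interactive path now validates the zone like the others.
                    signzoneFile = """
#! /usr/bin/env bash
# Sign one or more BIND zones with DNSSEC (NSEC3, RSASHA256) and write the
# signed zone into DESTDIR. Zones come from SIGN_DOMAINS (one name per word),
# from the command line, or interactively.

# Keys directory
KEYDIR="/var/named/keys"

# Zone directory
ZONEDIR="/var/named/masters"

# Destination directory
DESTDIR="/var/named/dynamic"

# Remove the journal of a previously signed zone (presumably so named does not
# replay a stale journal against the freshly signed file).
function CleanJournal () {
        local DOMAIN="\${1}"
        if [ -e "\${DESTDIR}/\${DOMAIN}.signed.jnl" ]; then
            printf 'Removing Journal File: %s\\n' "\${DOMAIN}"
            rm -f "\${DESTDIR}/\${DOMAIN}.signed.jnl"
        fi
}

# Abort with exit code 100 unless the zone file for \$1 exists in ZONEDIR.
function RequireZone () {
        if [ ! -e "\${ZONEDIR}/\${1}" ]; then
                printf '%s\\n' "ERROR: Unable to locate Zone: \${1}"
                exit 100
        fi
}

# Sign the zone named by \$1. Generates a KSK/ZSK pair in KEYDIR on first use.
# Assumes exactly one KSK and one ZSK file exist per zone (no rollover state).
function SignZone () {
        local DOMAIN="\${1}"
        local RANDOM_HASH EXP TEMP_FILE KSK ZSK KSKBASE ZSKBASE filename

        CleanJournal "\${DOMAIN}"
        # NSEC3 salt: 16 hex characters of random data.
        RANDOM_HASH=\$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
        # Signature expiry: same calendar date next year at 00:00:00 (YYYYMMDDHHMMSS).
        # NOTE: yields a non-existent date when run on 29 February.
        EXP=\$(( \$(/bin/date +%Y) + 1))\$(/bin/date +%m%d)000000
        TEMP_FILE=\$(mktemp /tmp/zone-XXXXXXXXXX) || exit 100

        # Work on a copy so the master zone file is never modified.
        printf '%s\\n' "Updating Zone Serial"
        cp "\${ZONEDIR}/\${DOMAIN}" "\${TEMP_FILE}"
        sed -i -r -e "s/[0-9]+\t; Serial/\$(date +%Y%m%d%H)\t; Serial/" "\${TEMP_FILE}"

        # If no key files exist for this zone, generate them (glob must be unquoted
        # for the test to see actual files).
        if ! compgen -G "\${KEYDIR}/K\${DOMAIN}*.key" > /dev/null; then
                printf '%s\\n' "Creating Key Signing Key (4096-bit)"
                dnssec-keygen -K "\${KEYDIR}" -f KSK -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"
                printf '%s\\n' "Creating Zone Signing Key (4096-bit)"
                dnssec-keygen -K "\${KEYDIR}" -a RSASHA256 -3 -b 4096 -n ZONE "\${DOMAIN}"

                # Append the public keys to the zone copy
                cat "\${KEYDIR}/K\${DOMAIN}"*.key >> "\${TEMP_FILE}"
        fi

        # Locate the Key Signing Key (grep -l reports the file name and fails
        # when nothing matches, so the error branch is actually reachable).
        if ! KSK=\$(grep -i -l "key-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key) || [ -z "\${KSK}" ]; then
                printf '%s\\n' "ERROR: Unable to detect Key Signing Key"
                rm -f "\${TEMP_FILE}"
                exit 100
        fi
        filename=\$(basename "\${KSK}")
        KSKBASE=\${filename%.*}

        # Locate the Zone Signing Key
        if ! ZSK=\$(grep -i -l "zone-signing key" "\${KEYDIR}/K\${DOMAIN}"*.key) || [ -z "\${ZSK}" ]; then
                printf '%s\\n' "ERROR: Unable to detect Zone Signing Key"
                rm -f "\${TEMP_FILE}"
                exit 100
        fi
        filename=\$(basename "\${ZSK}")
        ZSKBASE=\${filename%.*}

        printf '%s\\n' "Signing Zone: \${DOMAIN}"
        # -k takes a bare key name, which dnssec-signzone resolves relative to cwd.
        cd "\${KEYDIR}" || exit 100
        if ! dnssec-signzone -3 "\${RANDOM_HASH}" -u -N INCREMENT -o "\${DOMAIN}" -k "\${KSKBASE}" -e "\${EXP}" -f "\${DESTDIR}/\${DOMAIN}.signed" "\${TEMP_FILE}" "\${KEYDIR}/\${ZSKBASE}.private"; then
                printf '%s\\n' "ERROR: dnssec-signzone failed for Zone: \${DOMAIN}"
                rm -f "\${TEMP_FILE}"
                exit 100
        fi

        # DS record for the parent zone, derived from the KSK (SHA-256 digest).
        printf '\\n%s\\n' "*** DNSSEC DS RR Generation ***"
        dnssec-dsfromkey -2 "\${KEYDIR}/\${KSKBASE}.key"

        printf '%s\\n' "Cleaning Temporary File"
        rm -f "\${TEMP_FILE}"
}

# Check to see how we were called
if [ -n "\${SIGN_DOMAINS+x}" ]; then
        # Word splitting of SIGN_DOMAINS is intentional: one zone per word.
        for DOMAIN in \${SIGN_DOMAINS}; do
                RequireZone "\${DOMAIN}"
                SignZone "\${DOMAIN}"
        done
elif [ "\${#}" -gt 0 ]; then
        for DOMAIN in "\${@}"; do
                RequireZone "\${DOMAIN}"
                SignZone "\${DOMAIN}"
        done
else
        printf '%s' "Please enter the Zone (domain) in lowescase: "
        read -r DOMAIN
        RequireZone "\${DOMAIN}"
        SignZone "\${DOMAIN}"
fi
"""
                    writeFile(file: workspace + "/start.sh", text: startFile)
                    writeFile(file: workspace + "/sign-zone.sh", text: signzoneFile)
                    // Public part of the internal root CA, baked into the image below.
                    writeFile(file: workspace + "/test-chamber-13.lan.root.crt", text: functions.getCurrentRootCA())

                    dockerFile = """
FROM ${repository}/dockerhub/internetsystemsconsortium/bind9:9.21

LABEL org.opencontainers.image.authors="The_Spider <spider@smoothnet.org>"
LABEL org.opencontainers.image.title="bind"
LABEL org.opencontainers.image.base.name="registry.hub.docker.com/internetsystemsconsortium/bind9"

# start.sh and sign-zone.sh, written into the workspace by the pipeline.
COPY *.sh /usr/local/bin/
COPY test-chamber-13.lan.root.crt /usr/local/share/ca-certificates/

# The CA is appended to the bundle by hand before 'apk add' because the
# ca-certificates package (and thus update-ca-certificates) may not be present
# yet when apk first contacts the internal mirror; 'update-ca-certificates
# --fresh' rebuilds the bundle from /usr/local/share/ca-certificates afterwards.
RUN set -eux && \\
    chmod +x /usr/local/bin/start.sh /usr/local/bin/sign-zone.sh && \\
    cat /usr/local/share/ca-certificates/test-chamber-13.lan.root.crt >> /etc/ssl/certs/ca-certificates.crt && \\
    sed -i 's/dl-cdn.alpinelinux.org/nexus.c.test-chamber-13.lan\\/repository/g' /etc/apk/repositories && \\
    apk add --no-cache ca-certificates bind-dnssec-tools bash && \\
    update-ca-certificates --fresh

ENTRYPOINT [ "/bin/bash", "-c", "start.sh" ]
"""
                }
            }
        }

        stage ('Build & Push') {
            steps {
                container ('kaniko') {
                    script {
                        // NOTE(review): the destination is a public registry; the
                        // pushed layers embed the internal root CA certificate
                        // (public part) and internal hostnames from the Dockerfile.
                        declarativeFunctions.buildContainerMultipleDestinations(
                            dockerFile: dockerFile,
                            repositoryAccess: [
                                [
                                    repository: repository,
                                    credentials: repositoryCreds
                                ],
                                [
                                    repository: "https://index.docker.io/v1/",
                                    credentials: "dockerhub-repository-creds"
                                ],
                            ],
                            destination: [
                                "index.docker.io/thespider/bind9:latest",
                            ]
                        )
                    }
                }
            }
        }
    }
}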