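// Jenkins declarative pipeline: builds a BIND 9 image whose zones are DNSSEC-signed
// at container start-up, then pushes it to the internal registry and Docker Hub.
// The two shell scripts (start.sh, sign-zone.sh) and the Dockerfile are generated as
// Groovy strings; every shell `$` is written `\$` so GString interpolation stays out of
// the emitted text. Only `${repository}` in the Dockerfile is meant to be interpolated.
def repository = "registry.c.test-chamber-13.lan"
def repositoryCreds = "harbor-repository-creds"
def workspace
def dockerFile
def startFile
def signzoneFile
def label = "kubernetes-${UUID.randomUUID().toString()}"
def templateName = "pipeline-worker"

pipeline {
    agent {
        kubernetes {
            yaml functions.podYaml(
                repo: repository,
                templateName: templateName,
                kaniko: true
            )
        }
    }
    stages {
        stage('Initalize Jenkins') {
            steps {
                script {
                    workspace = pwd()

                    // Container entrypoint: sign every zone found under masters/, fix
                    // ownership, start the exporter, then run named in the foreground.
                    // The trailing backslash after """ keeps the shebang on line 1.
                    startFile = """\
#! /usr/bin/env bash

# sign-zone.sh reads SIGN_DOMAINS from its environment, so it has to be exported;
# a plain assignment would leave the script with no zone list and make it fall
# through to its interactive prompt (which reads EOF inside a container).
SIGN_DOMAINS="\$(ls -1 /var/named/masters)"
export SIGN_DOMAINS
sign-zone.sh
chown -R bind:bind /var/named
bind_exporter --bind.stats-url="http://127.0.0.1:8553" --web.listen-address=0.0.0.0:8053 &
# exec so named replaces this shell as PID 1 and receives the container stop signal directly.
exec /usr/sbin/named -g -c /etc/bind/named.conf -u bind
"""

                    // DNSSEC (NSEC3) signing helper. Zone names are taken, in order of
                    // precedence, from the SIGN_DOMAINS environment variable (whitespace
                    // separated), the command line, or an interactive prompt.
                    signzoneFile = """\
#! /usr/bin/env bash

# Keys directory
KEYDIR="/var/named/keys"
# Zone directory
ZONEDIR="/var/named/masters"
# Destination directory
DESTDIR="/var/named/dynamic"

# Remove a stale journal for the signed zone so named does not replay old
# dynamic updates on top of the freshly signed file.
function CleanJournal () {
    local zone="\${1}"
    if [ -e "\${DESTDIR}/\${zone}.signed.jnl" ]; then
        printf 'Removing Journal File: %s\\n' "\${zone}"
        rm -f "\${DESTDIR}/\${zone}.signed.jnl"
    fi
}

# Print the first key file under KEYDIR for zone \$1 whose header comment matches
# \$2 ("key-signing key" or "zone-signing key"); prints nothing when none matches.
# grep -l is used instead of -H | cut so a miss is visible as empty output rather
# than being masked by the exit status of the last command in a pipeline.
function FindKey () {
    grep -l -i "\${2}" "\${KEYDIR}/K\${1}"*.key 2>/dev/null | head -n 1
}

# Sign zone \$1: bump the serial on a temporary copy, generate keys if the zone
# has none yet, sign with dnssec-signzone and emit the DS record for the parent.
function SignZone () {
    local zone="\${1}"
    CleanJournal "\${zone}"
    # NSEC3 salt. A fresh salt on every run means the whole NSEC3 chain is
    # rebuilt each time the container starts.
    RANDOM_HASH=\$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
    # Signature expiry: one year from today, as YYYYMMDDHHMMSS.
    EXP=\$(( \$(/bin/date +%Y) + 1))\$(/bin/date +%m%d)000000
    TEMP_FILE=\$(mktemp /tmp/zone-XXXXXXXXXX)
    printf '%s\\n' "Updating Zone Serial"
    cp "\${ZONEDIR}/\${zone}" "\${TEMP_FILE}"
    # Serial is YYYYMMDDHH, so the master file only changes once per hour;
    # dnssec-signzone -N INCREMENT still bumps the serial of the signed output.
    sed -i -r -e "s/[0-9]+\t; Serial/\$(date +%Y%m%d%H)\t; Serial/" "\${TEMP_FILE}"

    # If no key files exist for this zone, generate them. The glob must stay
    # outside the quotes; a quoted glob tests for a file literally named "K<zone>*.key".
    local keys=( "\${KEYDIR}/K\${zone}"*.key )
    if [ ! -e "\${keys[0]}" ]; then
        # NOTE(review): RSASHA256/4096 is kept so existing keys stay compatible;
        # ECDSAP256SHA256 (algorithm 13) is the current recommended choice for new zones.
        printf '%s\\n' "Creating Key Signing Key (4096-bit)"
        dnssec-keygen -K "\${KEYDIR}" -f KSK -a RSASHA256 -3 -b 4096 -n ZONE "\${zone}"
        printf '%s\\n' "Creating Zone Signing Key (4096-bit)"
        dnssec-keygen -K "\${KEYDIR}" -a RSASHA256 -3 -b 4096 -n ZONE "\${zone}"
        # Append the new DNSKEY records to the zone copy
        cat "\${KEYDIR}/K\${zone}"*.key >> "\${TEMP_FILE}"
    fi

    # Locate the Key Signing Key
    KSK=\$(FindKey "\${zone}" "key-signing key")
    if [ -z "\${KSK}" ]; then
        printf '%s\\n' "ERROR: Unable to detect Key Signing Key"
        exit 100
    fi
    filename=\$(basename "\${KSK}")
    KSKBASE=\${filename%.*}

    # Locate the Zone Signing Key
    ZSK=\$(FindKey "\${zone}" "zone-signing key")
    if [ -z "\${ZSK}" ]; then
        printf '%s\\n' "ERROR: Unable to detect Zone Signing Key"
        exit 100
    fi
    filename=\$(basename "\${ZSK}")
    ZSKBASE=\${filename%.*}

    printf '%s\\n' "Signing Zone: \${zone}"
    # dnssec-signzone resolves the .private files relative to the current directory.
    cd "\${KEYDIR}" || exit 100
    dnssec-signzone -3 "\${RANDOM_HASH}" -u -N INCREMENT -o "\${zone}" -k "\${KSKBASE}" -e "\${EXP}" -f "\${DESTDIR}/\${zone}.signed" "\${TEMP_FILE}" "\${KEYDIR}/\${ZSKBASE}.private"
    printf '\\n%s\\n' "*** DNSSEC DS RR Generation ***"
    dnssec-dsfromkey -2 "\${KEYDIR}/\${KSKBASE}.key"
    printf '%s\\n' "Cleaning Temporary File"
    rm -f "\${TEMP_FILE}"
}

# Sign each zone named in the arguments, aborting if any zone file is missing.
function SignEach () {
    local zone
    for zone in "\${@}"; do
        if [ ! -e "\${ZONEDIR}/\${zone}" ]; then
            printf '%s\\n' "ERROR: Unable to locate Zone: \${zone}"
            exit 100
        fi
        SignZone "\${zone}"
    done
}

# Check to see how we were called
if [ -n "\${SIGN_DOMAINS+x}" ]; then
    # Intentionally unquoted: SIGN_DOMAINS is a whitespace-separated list of zones.
    SignEach \${SIGN_DOMAINS}
elif [ "\${#}" -gt 0 ]; then
    SignEach "\${@}"
else
    printf '%s' "Please enter the Zone (domain) in lowescase: "
    read -r DOMAIN
    SignZone "\${DOMAIN}"
fi
"""

                    writeFile(file: workspace + "/start.sh", text: startFile)
                    writeFile(file: workspace + "/sign-zone.sh", text: signzoneFile)
                    writeFile(file: workspace + "/test-chamber-13.lan.root.crt", text: functions.getCurrentRootCA())

                    // Image definition. The internal root CA is appended to the bundle by
                    // hand before apk runs so the internal Nexus mirror is trusted while
                    // ca-certificates is being installed; update-ca-certificates --fresh
                    // then rebuilds the bundle from /usr/local/share/ca-certificates.
                    dockerFile = """\
FROM ${repository}/dockerhub/internetsystemsconsortium/bind9:9.20
LABEL org.opencontainers.image.authors="The_Spider "
LABEL org.opencontainers.image.title="bind"
LABEL org.opencontainers.image.base.name="registry.hub.docker.com/internetsystemsconsortium/bind9"
COPY *.sh /usr/local/bin/
COPY test-chamber-13.lan.root.crt /usr/local/share/ca-certificates/
RUN set -eux && \\
    chmod +x /usr/local/bin/start.sh /usr/local/bin/sign-zone.sh && \\
    cat /usr/local/share/ca-certificates/test-chamber-13.lan.root.crt >> /etc/ssl/certs/ca-certificates.crt && \\
    sed -i 's/dl-cdn.alpinelinux.org/nexus.c.test-chamber-13.lan\\/repository/g' /etc/apk/repositories && \\
    apk add --no-cache ca-certificates bind-dnssec-tools bash && \\
    update-ca-certificates --fresh
ENTRYPOINT [ "/bin/bash", "-c", "start.sh" ]
"""
                }
            }
        }
        stage('Build & Push') {
            steps {
                container('kaniko') {
                    script {
                        declarativeFunctions.buildContainerMultipleDestinations(
                            dockerFile: dockerFile,
                            repositoryAccess: [
                                [
                                    repository: repository,
                                    credentials: repositoryCreds
                                ],
                                [
                                    repository: "https://index.docker.io/v1/",
                                    credentials: "dockerhub-repository-creds"
                                ],
                            ],
                            destination: [
                                "index.docker.io/thespider/bind9:latest",
                            ]
                        )
                    }
                }
            }
        }
    }
}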