diff --git a/kubernetes/apps/production/drone/kustomization.yaml b/kubernetes/apps/production/drone/kustomization.yaml
new file mode 100644
index 0000000..fdc3603
--- /dev/null
+++ b/kubernetes/apps/production/drone/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: drone-ci
+resources:
+ - namespace.yaml
+ - ./server/sealed-secrets.yaml
+ - ./server/pvc.yaml
+ - ./server/server-deployment.yaml
+ - ./server/service.yaml
+ - ./server/ingress.yaml
+ - ./runner/runner-deployment.yaml
+ - ./runner/rbac.yaml
diff --git a/kubernetes/apps/production/drone/namespace.yaml b/kubernetes/apps/production/drone/namespace.yaml
new file mode 100644
index 0000000..4e2bfb9
--- /dev/null
+++ b/kubernetes/apps/production/drone/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: drone-ci
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/apps/production/drone/runner/rbac.yaml b/kubernetes/apps/production/drone/runner/rbac.yaml
new file mode 100644
index 0000000..e25aac7
--- /dev/null
+++ b/kubernetes/apps/production/drone/runner/rbac.yaml
@@ -0,0 +1,40 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: drone
+ namespace: drone-ci
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - watch
+ - update
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: drone
+ namespace: drone-ci
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: drone-ci
+roleRef:
+ kind: Role
+ name: drone
+ apiGroup: rbac.authorization.k8s.io
diff --git a/kubernetes/apps/production/drone/runner/runner-deployment.yaml b/kubernetes/apps/production/drone/runner/runner-deployment.yaml
new file mode 100644
index 0000000..7505089
--- /dev/null
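Review bot: `pod-security.kubernetes.io/enforce: privileged` in namespace.yaml switches Pod Security Admission off for every pod in drone-ci, not only for the pipeline pods that may need elevated privileges; the server Deployment and the runner itself live in the same namespace, and the runner also creates build pods there (`DRONE_NAMESPACE_DEFAULT: drone-ci` in runner-deployment.yaml). If the level is required for specific pipeline steps, record that in a comment above the label and add `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` so non-compliant pods are at least logged. Otherwise consider keeping server and runner in a namespace enforcing `restricted` and pointing DRONE_NAMESPACE_DEFAULT at a separate build namespace that carries the relaxed level.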
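Review bot: The RoleBinding in rbac.yaml grants the `drone` Role to the `default` ServiceAccount, so every pod in drone-ci that does not set `serviceAccountName` inherits create/delete on secrets and create/delete/update on pods — that includes drone-server and the build pods the runner launches into this namespace, none of which need those rights. Bind the Role to a dedicated ServiceAccount instead, set `serviceAccountName: drone-runner` in runner-deployment.yaml, and let the server set `automountServiceAccountToken: false` so the unneeded token is not mounted at all. The file also lacks the leading `---` that the other manifests in this commit start with.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner
  namespace: drone-ci
# … unchanged: Role drone …
# … unchanged: RoleBinding metadata …
subjects:
  - kind: ServiceAccount
    name: drone-runner
    namespace: drone-ci
# … unchanged: roleRef …
```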
+++ b/kubernetes/apps/production/drone/runner/runner-deployment.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone-runner
+ namespace: drone-ci
+ labels:
+ app.kubernetes.io/name: drone
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: drone
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: drone
+ spec:
+ containers:
+ - name: runner
+ image: drone/drone-runner-kube:latest
+ ports:
+ - containerPort: 3000
+ resources:
+ requests:
+ cpu: 50m
+ memory: 75Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
+ env:
+ - name: DRONE_RPC_HOST
+ value: drone.fascinated.cc
+ - name: DRONE_RPC_PROTO
+ value: https
+ - name: DRONE_NAMESPACE_DEFAULT
+ value: drone-ci
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secret
+ key: DRONE_RPC_SECRET
diff --git a/kubernetes/apps/production/drone/server/ingress.yaml b/kubernetes/apps/production/drone/server/ingress.yaml
new file mode 100644
index 0000000..f4e34df
--- /dev/null
+++ b/kubernetes/apps/production/drone/server/ingress.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: drone-ci-ingress
+ namespace: drone-ci
+ annotations:
+ kubernetes.io/ingress.class: traefik-external
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`drone.fascinated.cc`)
+ kind: Rule
+ middlewares:
+ - name: default-headers
+ namespace: traefik
+ services:
+ - name: drone-service
+ port: 80
+ tls:
+ secretName: fascinated-cc
diff --git a/kubernetes/apps/production/drone/server/pvc.yaml b/kubernetes/apps/production/drone/server/pvc.yaml
new file mode 100644
index 0000000..1dcd328
--- /dev/null
+++ b/kubernetes/apps/production/drone/server/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: drone-pvc
+ namespace: drone-ci
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
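Review bot: `image: drone/drone-runner-kube:latest` is an unpinned tag, so any pod restart may pull a different runner build and an upstream push (good or bad) rolls into production without a commit; pin a release tag, ideally with a digest, `image: drone/drone-runner-kube:<VERSION>@sha256:<DIGEST>`, and bump it through the GitOps flow. The pod spec also sets no `serviceAccountName`, so it silently depends on the namespace `default` account carrying the Role from rbac.yaml, and no `securityContext`; `allowPrivilegeEscalation: false` and `runAsNonRoot: true` are worth testing against the image. DRONE_RPC_HOST points at the public hostname although the server is a Service in the same namespace, so RPC traffic leaves the cluster and re-enters through Traefik; `drone-service.drone-ci.svc` would keep it in-cluster if that fits the threat model.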
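Review bot: `tls.secretName: fascinated-cc` in ingress.yaml names a Secret that must exist in drone-ci (IngressRoute TLS secrets are namespace-local), but nothing in this commit creates or reflects it there, so the route will serve Traefik's default certificate until it appears; if it is synced in by another controller, a comment above `tls:` naming that source would save the next reader a hunt. The `default-headers` middleware is referenced across namespaces (`namespace: traefik`), which the Traefik CRD provider only resolves when `allowCrossNamespace` is enabled — presumably it is, but worth a comment for the same reason. The `kubernetes.io/ingress.class` annotation is honoured by Traefik's CRD provider only when it is started with a matching `ingressClass` option; confirm that matches the `traefik-external` instance.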
diff --git a/kubernetes/apps/production/drone/server/sealed-secrets.yaml b/kubernetes/apps/production/drone/server/sealed-secrets.yaml
new file mode 100644
index 0000000..1158ea1
--- /dev/null
+++ b/kubernetes/apps/production/drone/server/sealed-secrets.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: drone-secret
+ namespace: drone-ci
+spec:
+ encryptedData:
+ DRONE_GITEA_CLIENT_ID: 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
+ DRONE_GITEA_CLIENT_SECRET: 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
+ DRONE_RPC_SECRET: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: drone-secret
+ namespace: drone-ci
+ type: Opaque
diff --git a/kubernetes/apps/production/drone/server/server-deployment.yaml b/kubernetes/apps/production/drone/server/server-deployment.yaml
new file mode 100644
index 0000000..7c06dfa
--- /dev/null
+++ b/kubernetes/apps/production/drone/server/server-deployment.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone-server
+ namespace: drone-ci
+ labels:
+ app: drone
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: drone
+ template:
+ metadata:
+ labels:
+ app: drone
+ spec:
+ containers:
+ - name: drone
+ image: drone/drone:2
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ resources:
+ requests:
+ cpu: 50m
+ memory: 75Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
+ env:
+ - name: DRONE_GITEA_SERVER
+ value: "https://git.fascinated.cc"
+ - name: DRONE_GITEA_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: drone-secret
+ key: DRONE_GITEA_CLIENT_ID
+ - name: DRONE_GITEA_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secret
+ key: DRONE_GITEA_CLIENT_SECRET
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secret
+ key: DRONE_RPC_SECRET
+ - name: DRONE_SERVER_HOST
+ value: "drone.local.fascinated.cc"
+ - name: DRONE_SERVER_PROTO
+ value: "https"
+ - name: DRONE_REGISTRATION_CLOSED
+ value: "true"
+ volumeMounts:
+ - name: drone-data
+ mountPath: /data
+ volumes:
+ - name: drone-data
+ persistentVolumeClaim:
+ claimName: drone-pvc
diff --git a/kubernetes/apps/production/drone/server/service.yaml b/kubernetes/apps/production/drone/server/service.yaml
new file mode 100644
index 0000000..81e7ff7
--- /dev/null
+++ b/kubernetes/apps/production/drone/server/service.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: drone-service
+ namespace: drone-ci
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ protocol: TCP
+ - name: https
+ port: 443
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: drone
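Review bot: `DRONE_SERVER_HOST` is `drone.local.fascinated.cc`, while the IngressRoute matches `drone.fascinated.cc` and the runner uses `drone.fascinated.cc` as DRONE_RPC_HOST; Drone derives its OAuth redirect URL and the webhooks it registers in Gitea from DRONE_SERVER_HOST, so the login callback and webhooks will target the `.local` name — confirm that resolves to the same Traefik endpoint, or set `value: "drone.fascinated.cc"`. The pod mounts a ReadWriteOnce PVC under the default RollingUpdate strategy, so a rollout can stall with the new pod unable to attach while the old one still holds the volume; add `strategy:` / `type: Recreate` under `spec`. The server makes no Kubernetes API calls but the namespace `default` ServiceAccount carries the Role from rbac.yaml, so `automountServiceAccountToken: false` in the pod spec removes an unneeded credential; `image: drone/drone:2` is also a floating tag and deserves the same pinning as the runner.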
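Review bot: The `https` port in service.yaml forwards 443 to the container, but server-deployment.yaml configures none of the DRONE_TLS_* settings, so as far as I can tell from the Drone docs the server only listens on 80 and the 443 port on both the Service and the container is dead; TLS is terminated by the IngressRoute, which already targets port 80. Either drop the 443 entries here and in the deployment or document why they are kept. Separately, the server uses `app: drone` while the runner uses `app.kubernetes.io/name: drone`; the selectors do not collide, but one label scheme across the two Deployments would make the selectors easier to audit.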