diff --git a/flux/cluster/apps/drone/drone-deployment.yaml b/flux/cluster/apps/drone/drone-deployment.yaml
new file mode 100644
index 0000000..e774ee5
--- /dev/null
+++ b/flux/cluster/apps/drone/drone-deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone-deployment
+ namespace: drone
+ labels:
+ app: drone-deployment
+ # keel.sh/policy: force
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: drone-deployment
+ template:
+ metadata:
+ labels:
+ app: drone-deployment
+ spec:
+ containers:
+ - name: drone-deployment
+ image: drone/drone:2
+ ports:
+ - containerPort: 80
+ env:
+ - name: DRONE_GITEA_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: gitea-client-id
+ - name: DRONE_GITEA_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: gitea-client-secret
+ - name: DRONE_GITEA_SERVER
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: gitea-server
+ - name: DRONE_GIT_ALWAYS_AUTH
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: git-always-auth
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-rpc-secret
+ - name: DRONE_SERVER_HOST
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-server-host
+ - name: DRONE_SERVER_PROTO
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-server-proto
+ imagePullSecrets:
+ - name: registry-creds
\ No newline at end of file
diff --git a/flux/cluster/apps/drone/ingress.yaml b/flux/cluster/apps/drone/ingress.yaml
new file mode 100644
index 0000000..a0c29fe
--- /dev/null
+++ b/flux/cluster/apps/drone/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ namespace: drone
+ name: drone-deployment-ingress
+spec:
+ rules:
+ - host: "drone.voidcorp.nl"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: drone-deployment-service
+ port:
+ number: 80
\ No newline at end of file
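Review bot: The server pod spec declares no volume, so with Drone's default embedded SQLite database (kept under /data inside the container) every restart or reschedule of this single replica discards users, repository activations and build history; unless DRONE_DATABASE_DRIVER/DRONE_DATABASE_DATASOURCE point at an external database somewhere not in this diff, a PersistentVolumeClaim should be mounted at /data. `image: drone/drone:2` is a floating major tag, so what Flux deploys changes silently whenever upstream retags it — pin a release tag or an `@sha256:` digest (runner.yaml has the same problem with `:latest`). The container also runs with no securityContext and no resource requests/limits; `allowPrivilegeEscalation: false` costs nothing here, while dropping capabilities would first require moving the listener off port 80 via DRONE_SERVER_PORT. Non-secret settings (DRONE_SERVER_HOST, DRONE_SERVER_PROTO, DRONE_GITEA_SERVER, DRONE_GIT_ALWAYS_AUTH) are read from the Secret, which hides the effective configuration from review; plain `value:` entries or a ConfigMap would be clearer.
```yaml
      containers:
      - name: drone-deployment
        image: drone/drone:2  # TODO: pin to an exact release tag or @sha256 digest
        securityContext:
          allowPrivilegeEscalation: false
        # … unchanged: ports, env …
        volumeMounts:
        - name: data
          mountPath: /data
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: drone-data  # constructed name; the PVC itself still has to be added
      # … unchanged: imagePullSecrets …
```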
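Review bot: The Ingress host `"drone.voidcorp.nl"` does not match the vhost this same commit adds to nginx (`drone.asraphiel.dev` in nixos/machines/nginx/default.nix, next to the existing whoami/auth asraphiel.dev entries); if `k8sProxy` forwards the client's Host header, requests arriving as drone.asraphiel.dev will not match this rule, and Gitea's OAuth redirect to whatever `drone-server-host` holds has to agree with the name that does. Either align the two names or add a second `- host:` rule for the other one. The resource also sets no `ingressClassName` and no `tls:` stanza — acceptable only if the nginx front-end terminates TLS and the cluster has a single default ingress class, neither of which this diff shows.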
diff --git a/flux/cluster/apps/drone/kustomization.yaml b/flux/cluster/apps/drone/kustomization.yaml
new file mode 100644
index 0000000..6d33988
--- /dev/null
+++ b/flux/cluster/apps/drone/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - registry-creds.yaml
+ - rbac.yaml
+ - drone-deployment.yaml
+ - ingress.yaml
+ - service.yaml
+ - runner.yaml
+ - secret.yaml
diff --git a/flux/cluster/apps/drone/rbac.yaml b/flux/cluster/apps/drone/rbac.yaml
new file mode 100644
index 0000000..0149dcd
--- /dev/null
+++ b/flux/cluster/apps/drone/rbac.yaml
@@ -0,0 +1,40 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: drone
+ name: drone
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - watch
+ - update
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: drone
+ namespace: drone
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: drone
+roleRef:
+ kind: Role
+ name: drone
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/flux/cluster/apps/drone/registry-creds.yaml b/flux/cluster/apps/drone/registry-creds.yaml
new file mode 100644
index 0000000..ef1363c
--- /dev/null
+++ b/flux/cluster/apps/drone/registry-creds.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: registry-creds
+ namespace: drone
+spec:
+ refreshInterval: "5m"
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: registry-creds
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - secretKey: .dockerconfigjson
+ remoteRef:
+ key: k8s/registry-creds
+ property: dockerconfigjson
\ No newline at end of file
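Review bot: The RoleBinding hands secrets create/delete and pod create/delete/update to the namespace's `default` ServiceAccount, which every pod in `drone` gets implicitly — the server Deployment, which needs no API access at all, and (with `DRONE_NAMESPACE_DEFAULT: drone` in runner.yaml) every pipeline pod the runner spawns, so any build step can create or delete secrets and pods in the namespace through its mounted token. Create a dedicated ServiceAccount, bind the Role to it, add `serviceAccountName: drone-runner` to the runner's pod spec, and put `automountServiceAccountToken: false` on the server's pod spec; running builds in a separate namespace would additionally keep the runner's own pod outside the scope of its Role. Whether the kube runner already disables token mounting on the pods it creates is not visible here and should be confirmed rather than assumed.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner
  namespace: drone
---
# … unchanged: Role drone …
---
kind: RoleBinding
# … unchanged: apiVersion, metadata …
subjects:
- kind: ServiceAccount
  name: drone-runner
  namespace: drone
# … unchanged: roleRef …
```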
diff --git a/flux/cluster/apps/drone/runner.yaml b/flux/cluster/apps/drone/runner.yaml
new file mode 100644
index 0000000..e71c777
--- /dev/null
+++ b/flux/cluster/apps/drone/runner.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone
+ namespace: drone
+ labels:
+ app.kubernetes.io/name: drone
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: drone
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: drone
+ spec:
+ containers:
+ - name: runner
+ image: drone/drone-runner-kube:latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-rpc-secret
+ - name: DRONE_RPC_HOST
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-server-host
+ - name: DRONE_RPC_PROTO
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: drone-server-proto
+ - name: DRONE_NAMESPACE_DEFAULT
+ value: drone
\ No newline at end of file
diff --git a/flux/cluster/apps/drone/secret.yaml b/flux/cluster/apps/drone/secret.yaml
new file mode 100644
index 0000000..0be74f4
--- /dev/null
+++ b/flux/cluster/apps/drone/secret.yaml
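Review bot: `DRONE_RPC_HOST` is read from the same `drone-server-host` key the server uses for `DRONE_SERVER_HOST`, i.e. the public hostname, so runner-to-server RPC leaves the cluster and re-enters through nginx and the Ingress instead of staying on the in-cluster Service; set `DRONE_RPC_HOST` to `drone-deployment-service.drone.svc.cluster.local` and `DRONE_RPC_PROTO` to `http` as plain `value:` entries (service.yaml exposes port 80, which is what the server listens on by default). `image: drone/drone-runner-kube:latest` is unpinned, so a Flux reconcile after an upstream push can roll out a different runner without any change in this repo — use a release tag or digest. The runner also carries no `imagePullSecrets` although the server does, and if pipeline images come from the same private registry the pods the runner creates will need credentials of their own; confirm that against the runner's configuration rather than assuming the server's secret is reused.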
@@ -0,0 +1,41 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: drone-secrets
+ namespace: drone
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: drone-secrets
+ data:
+ - secretKey: drone-rpc-secret
+ remoteRef:
+ key: k8s/drone
+ property: drone-rpc-secret
+ - secretKey: drone-server-host
+ remoteRef:
+ key: k8s/drone
+ property: drone-server-host
+ - secretKey: drone-server-proto
+ remoteRef:
+ key: k8s/drone
+ property: drone-server-proto
+ - secretKey: git-always-auth
+ remoteRef:
+ key: k8s/drone
+ property: git-always-auth
+ - secretKey: gitea-client-id
+ remoteRef:
+ key: k8s/drone
+ property: gitea-client-id
+ - secretKey: gitea-client-secret
+ remoteRef:
+ key: k8s/drone
+ property: gitea-client-secret
+ - secretKey: gitea-server
+ remoteRef:
+ key: k8s/drone
+ property: gitea-server
diff --git a/flux/cluster/apps/drone/service.yaml b/flux/cluster/apps/drone/service.yaml
new file mode 100644
index 0000000..c9f677e
--- /dev/null
+++ b/flux/cluster/apps/drone/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: drone
+ name: drone-deployment-service
+spec:
+ selector:
+ app: drone-deployment
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
\ No newline at end of file
diff --git a/flux/cluster/apps/kustomization.yaml b/flux/cluster/apps/kustomization.yaml
index 38a1d48..6ca5412 100644
--- a/flux/cluster/apps/kustomization.yaml
+++ b/flux/cluster/apps/kustomization.yaml
@@ -4,3 +4,4 @@ resources: - test - authentik - networking
+ - drone
diff --git a/flux/cluster/core/namespaces/drone.yaml b/flux/cluster/core/namespaces/drone.yaml
new file mode 100644
index 0000000..f9449c6
--- /dev/null
+++ b/flux/cluster/core/namespaces/drone.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: drone
+ labels:
+ name: drone
\ No newline at end of file
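Review bot: `refreshInterval: "15s"` makes the external-secrets controller fetch `k8s/drone` from Vault every 15 seconds, but every consumer in this change injects the keys as environment variables through `secretKeyRef`, which are resolved only when the container starts — a rotated value is never picked up without a pod restart, so the short interval only adds Vault read and audit volume. An interval in the minutes-to-hours range (registry-creds.yaml already uses `"5m"`) combined with a restart trigger, such as a reloader annotation on the two Deployments, gives the same rotation guarantee. Mixing the OAuth client secret and RPC secret with plain settings (`drone-server-host`, `drone-server-proto`, `gitea-server`, `git-always-auth`) in one Secret also means anyone granted read access to the configuration values receives the credentials with them; splitting the non-secret keys into a ConfigMap keeps the Secret's audience small.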
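Review bot: The namespace carries only a `name` label, yet runner.yaml sets `DRONE_NAMESPACE_DEFAULT: drone`, so pipeline pods built from user-controlled YAML will be scheduled here — this is the natural place for Pod Security Admission labels. `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` would surface privileged or hostPath-using build steps without breaking them; enforcing `baseline` is only feasible if no pipeline depends on privileged steps, which this diff cannot show.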
diff --git a/flux/cluster/core/namespaces/kustomization.yaml b/flux/cluster/core/namespaces/kustomization.yaml
index f1fafc0..e77257f 100644
--- a/flux/cluster/core/namespaces/kustomization.yaml
+++ b/flux/cluster/core/namespaces/kustomization.yaml
@@ -5,3 +5,4 @@ resources: - external-secrets.yaml - authentik.yaml - traefik.yaml
+ - drone.yaml
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 9272fb9..ce156bf 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -52,6 +52,7 @@ in { proxy "http://vaultwarden.lxd:8000/"; virtualHosts."whoami.asraphiel.dev" = k8sProxy; virtualHosts."auth.asraphiel.dev" = k8sProxy; + virtualHosts."drone.asraphiel.dev" = k8sProxy; }; security.acme.email = "acme@voidcorp.nl";