Add drone and drone-kubernetes-runner

deploy/base/deploy-drone-runner.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner
+  labels:
+    app.kubernetes.io/name: drone-runner
+    app.kubernetes.io/instance: drone-runner
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: drone-runner
+      app.kubernetes.io/instance: drone-runner
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: drone-runner
+        app.kubernetes.io/instance: drone-runner
+    spec:
+      containers:
+      - name: drone-runner
+        image: drone/drone-runner-kube:latest
+        ports:
+        - name: http
+          protocol: TCP
+          containerPort: 3000
+        env:
+        - name: DRONE_RPC_HOST
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: rpc-host
+        - name: DRONE_RPC_PROTO
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: rpc-proto
+        - name: DRONE_RPC_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: drone-credentials
+              key: rpc-secret
+        - name: DRONE_DEBUG
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: logs-debug
+        - name: DRONE_RESOURCE_REQUEST_CPU
+          value: "500"

deploy/base/deploy-drone.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone
+  labels:
+    app.kubernetes.io/name: drone
+    app.kubernetes.io/instance: drone
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: drone
+      app.kubernetes.io/instance: drone
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: drone
+        app.kubernetes.io/instance: drone
+    spec:
+      containers:
+      - name: drone
+        image: drone/drone:2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          protocol: TCP
+          containerPort: 80
+        env:
+        # Limit users permitted to use Drone, to prevent bitcoin mining :-/
+        - name: DRONE_USER_FILTER
+          value: rob
+        - name: DRONE_DATABASE_DRIVER
+          value: postgres
+        - name: DRONE_DATABASE_DATASOURCE
+          valueFrom:
+            secretKeyRef:
+              name: drone-credentials
+              key: database-url
+        - name: DRONE_GITEA_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: drone-credentials
+              key: gitea-client-id
+        - name: DRONE_GITEA_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: drone-credentials
+              key: gitea-client-secret
+        - name: DRONE_RPC_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: drone-credentials
+              key: rpc-secret
+        - name: DRONE_GITEA_SERVER
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: gitea-server
+        - name: DRONE_SERVER_HOST
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: server-host
+        - name: DRONE_SERVER_PROTO
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: server-proto
+        - name: DRONE_LOGS_DEBUG
+          valueFrom:
+            configMapKeyRef:
+              name: drone-config
+              key: logs-debug
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "250m"
+        livenessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: /healthz
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 10

deploy/base/ingress.yaml

@@ -42,6 +42,8 @@ spec:
             name: element
             port:
               name: http
+  # See the comment in the drone-config configMapGenerator in
+  # dev/kustomization.yaml:
   - host: gitea.internal
     http:
       paths:
@@ -52,3 +54,13 @@ spec:
             name: gitea
             port:
               name: http
+  - host: drone.internal
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: drone
+            port:
+              name: http

deploy/base/kustomization.yaml

@@ -81,6 +81,12 @@ resources:
 - statefulset-gitea.yaml
 - svc-gitea.yaml
 
+- deploy-drone.yaml
+- svc-drone.yaml
+- deploy-drone-runner.yaml
+- role-drone-runner.yaml
+- rolebinding-drone-runner.yaml
+
 configMapGenerator:
 - name: gitea-scripts
   files:

deploy/base/role-drone-runner.yaml

@@ -0,0 +1,25 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: drone-runner
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - get
+  - create
+  - delete
+  - list
+  - watch
+  - update

deploy/base/rolebinding-drone-runner.yaml

@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone-runner
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+roleRef:
+  kind: Role
+  name: drone-runner
+  apiGroup: rbac.authorization.k8s.io

deploy/base/svc-drone.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: drone
+    app.kubernetes.io/name: drone
+  name: drone
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app.kubernetes.io/instance: drone
+    app.kubernetes.io/name: drone
+  type: ClusterIP

deploy/dev/kustomization.yaml

@@ -33,6 +33,16 @@ configMapGenerator:
 - name: element-config
   files:
   - config.json=element-config.json
+- name: drone-config
+  literals:
+  # For Gitea/drone integration to work in dev, Gitea must be served from the
+  # external hostname `dev-gitea` so it matches with the internal DNS.
+  - gitea-server=http://dev-gitea
+  - server-host=dev-drone
+  - server-proto=http
+  - rpc-host=dev-drone
+  - rpc-proto=http
+  - logs-debug=false
 
 secretGenerator:
 - name: grafana-credentials
@@ -55,6 +65,12 @@ secretGenerator:
   - admin-email=mail@localhost
   files:
   - config.ini=gitea-config.ini
+- name: drone-credentials
+  literals:
+  - database-url=postgres://postgres:postgres@dev-db:5432/drone?sslmode=disable
+  - gitea-client-id=55847c4a-c80e-4e77-ab36-c6d102273115
+  - gitea-client-secret=IU4cb59RNNLuI9PRkUbldcEQ5wYPEZMBK5s6p7vTdVfe
+  - rpc-secret=f5ec349109bb9bbdf00e4394afd28754
 
 patches:
 # Patch the metrics-server to not require TLS in dev cluster.

deploy/prod/ingress.yaml

@@ -13,6 +13,7 @@
       - tube.netflux.io
       - element.netflux.io
       - git.netflux.io
+      - drone.netflux.io
       secretName: prod-ingress-tls
 - op: replace
   path: /spec/rules/0/host
@@ -26,3 +27,6 @@
 - op: replace
   path: /spec/rules/3/host
   value: git.netflux.io
+- op: replace
+  path: /spec/rules/4/host
+  value: drone.netflux.io

deploy/prod/kustomization.yaml

@@ -21,6 +21,14 @@ configMapGenerator:
 - name: element-config
   files:
   - config.json=element-config.json
+- name: drone-config
+  literals:
+  - gitea-server=https://git.netflux.io
+  - server-host=drone.netflux.io
+  - server-proto=https
+  - rpc-host=drone.netflux.io
+  - rpc-proto=https
+  - logs-debug=false
 
 secretGenerator:
 - name: prometheus-credentials
@@ -46,6 +54,12 @@ secretGenerator:
   - admin-password=secrets/gitea-admin-password
   - admin-email=secrets/gitea-admin-email
   - config.ini=secrets/gitea-config.ini
+- name: drone-credentials
+  files:
+  - database-url=secrets/drone-database-url
+  - gitea-client-id=secrets/drone-gitea-client-id
+  - gitea-client-secret=secrets/drone-gitea-client-secret
+  - rpc-secret=secrets/drone-rpc-secret
 
 patches:
 # Patch the ingress-nginx deployment to allow it to use a service with a