From 3a94d7a7b71b2d43d4de4e4110663e499b8716ce Mon Sep 17 00:00:00 2001
From: Remy Moll
Date: Sat, 25 May 2024 11:50:57 +0200
Subject: [PATCH] add docker builder using kubernetes natively
---
 infrastructure/gitea/README.md | 31 +++++
 infrastructure/gitea/actions.rbac.yaml | 27 ++++
 .../gitea/drone-kube-runner.deployment.yaml | 84 -------------
 .../gitea/drone-server.deployment.yaml | 117 ------------------
 .../gitea/drone-server.sealedsecret.yaml | 23 ----
 infrastructure/gitea/kustomization.yaml | 4 +-
 6 files changed, 59 insertions(+), 227 deletions(-)
 create mode 100644 infrastructure/gitea/README.md
 create mode 100644 infrastructure/gitea/actions.rbac.yaml
 delete mode 100644 infrastructure/gitea/drone-kube-runner.deployment.yaml
 delete mode 100644 infrastructure/gitea/drone-server.deployment.yaml
 delete mode 100644 infrastructure/gitea/drone-server.sealedsecret.yaml
diff --git a/infrastructure/gitea/README.md b/infrastructure/gitea/README.md
new file mode 100644
index 0000000..82135e6
--- /dev/null
+++ b/infrastructure/gitea/README.md
@@ -0,0 +1,31 @@
+# Using gitea actions
+The actions deployment allows to use gitea actions from repositories within this instance.
+
+### Building docker images
+Docker builds use the kubernetes runner to build the images. For this to work, the pipeline needs to be able to access the kube-api. A service-account is created for this purpose.
+
+To use the correct docker builder use the following action
+```yaml
+ ...
+
+ - name: Create Kubeconfig
+ run: |
+ mkdir $HOME/.kube
+ echo "${{ secrets.BUILDX_KUBECONFIG }}" > $HOME/.kube/config
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver: kubernetes
+ driver-opts: |
+ namespace=act-runner
+ qemu.install=true
+
+ ...
+
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+
+```
diff --git a/infrastructure/gitea/actions.rbac.yaml b/infrastructure/gitea/actions.rbac.yaml
new file mode 100644
index 0000000..88b0516
--- /dev/null
+++ b/infrastructure/gitea/actions.rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: builder-service-account
+ namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: builder-rolebinding
+ namespace: target
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
+subjects:
+- namespace: gitea
+ kind: ServiceAccount
+ name: builder-service-account
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: builder-service-account-secret
+ annotations:
+ kubernetes.io/service-account.name: builder-service-account
+type: kubernetes.io/service-account-token
diff --git a/infrastructure/gitea/drone-kube-runner.deployment.yaml b/infrastructure/gitea/drone-kube-runner.deployment.yaml
deleted file mode 100644
index 4324eeb..0000000
--- a/infrastructure/gitea/drone-kube-runner.deployment.yaml
+++ /dev/null
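Review bot: The RoleBinding is created in `namespace: target`, which matches neither the namespace the new README hands to the buildx driver (`namespace=act-runner`) nor the `gitea` namespace of the ServiceAccount, so builder-service-account either has no rights where buildx creates its builder pods or, if `target` is a leftover placeholder, gets `edit` somewhere unintended; and because kustomization.yaml (last hunk) sets `namespace: gitea`, kustomize's namespace transformer will presumably overwrite this metadata.namespace anyway, so the binding most likely lands in `gitea` — worth checking on the rendered output. Binding the built-in `edit` ClusterRole is also wider than a build runner needs, since in that namespace it includes reading and writing Secrets and exec into pods; a dedicated Role limited to the deployments and pods the driver manages, like the namespaced Role the deleted drone-kube-runner manifest had, keeps this to least privilege. The `kubernetes.io/service-account-token` Secret yields a non-expiring token that is then copied into the `BUILDX_KUBECONFIG` repository secret, so rotation (recreate this Secret, update the repository secret) should be documented next to it. Suggested lines: `namespace: act-runner` on the RoleBinding, and above the Secret `# long-lived SA token; rotate by recreating this Secret and updating BUILDX_KUBECONFIG`.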
@@ -1,84 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: drone-runner
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: drone-runner
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
-- apiGroups:
- - ""
- resources:
- - pods
- - pods/log
- verbs:
- - get
- - create
- - delete
- - list
- - watch
- - update
-
----
-
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: drone-runner
-subjects:
-- kind: ServiceAccount
- name: drone-runner
-roleRef:
- kind: Role
- name: drone-runner
- apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: drone-runner
- labels:
- app.kubernetes.io/name: drone-runner
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: drone-runner
- template:
- metadata:
- labels:
- app.kubernetes.io/name: drone-runner
- spec:
- serviceAccountName: drone-runner
- containers:
- - name: runner
- image: drone/drone-runner-kube:latest
- ports:
- - containerPort: 3000
- env:
- - name: DRONE_RPC_HOST
- value: drone-server:80
- - name: DRONE_RPC_PROTO
- value: http
- - name: DRONE_RPC_SECRET
- valueFrom:
- secretKeyRef:
- name: drone-server-secret
- key: rpc_secret
- - name: DRONE_NAMESPACE_DEFAULT
- value: gitea
- # - name: DRONE_NAMESPACE_RULES
- # value: "drone-runner:*"
- - name: DRONE_SERVICE_ACCOUNT_DEFAULT
- value: drone-runner
\ No newline at end of file
diff --git a/infrastructure/gitea/drone-server.deployment.yaml b/infrastructure/gitea/drone-server.deployment.yaml
deleted file mode 100644
index 9fbda6a..0000000
--- a/infrastructure/gitea/drone-server.deployment.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: drone-server
- labels:
- app: drone-server
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: drone-server
- template:
- metadata:
- labels:
- app: drone-server
- spec:
- containers:
- - name: drone
- image: drone/drone:latest
- env:
- - name: DRONE_SERVER_PORT # because the deployment is called drone-server, override this var again!
- value: ":80"
- - name: DRONE_GITEA_SERVER
- value: https://git.kluster.moll.re
- - name: DRONE_USER_CREATE
- value: username:remoll,admin:true
- - name: DRONE_GITEA_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: drone-server-secret
- key: client_id
- - name: DRONE_GITEA_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: drone-server-secret
- key: client_secret
- - name: DRONE_RPC_SECRET
- valueFrom:
- secretKeyRef:
- name: drone-server-secret
- key: rpc_secret
- - name: DRONE_SERVER_HOST
- value: drone.kluster.moll.re
- - name: DRONE_SERVER_PROTO
- value: https
- resources:
- requests:
- memory: "1Gi"
- cpu: 1.5
- volumeMounts:
- - mountPath: /data
- name: drone-data-nfs
- volumes:
- - name: drone-data-nfs
- persistentVolumeClaim:
- claimName: drone-data-nfs
-
----
-apiVersion: v1
-kind: Service
-metadata:
- name: drone-server
- labels:
- app: drone-server
-
-spec:
- type: ClusterIP
- ports:
- - port: 80
- name: http
- selector:
- app: drone-server
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: drone-server-ingress
-
-spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`drone.kluster.moll.re`)
- kind: Rule
- services:
- - name: drone-server
- port: 80
- tls:
- certResolver: default-tls
-
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: drone-data-nfs
-spec:
- capacity:
- storage: "1Gi"
- accessModes:
- - ReadWriteOnce
- nfs:
- path: /export/kluster/drone
- server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: drone-data-nfs
-spec:
- storageClassName: ""
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: "1Gi"
- volumeName: drone-data-nfs
diff --git a/infrastructure/gitea/drone-server.sealedsecret.yaml b/infrastructure/gitea/drone-server.sealedsecret.yaml
deleted file mode 100644
index 0395567..0000000
--- a/infrastructure/gitea/drone-server.sealedsecret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "kind": "SealedSecret",
- "apiVersion": "bitnami.com/v1alpha1",
- "metadata": {
- "name": "drone-server-secret",
- "namespace": "gitea",
- "creationTimestamp": null
- },
- "spec": {
- "template": {
- "metadata": {
- "name": "drone-server-secret",
- "namespace": "gitea",
- "creationTimestamp": null
- }
- },
- "encryptedData": {
- "client_id": "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",
- "client_secret": "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",
- "rpc_secret": "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"
- }
- }
-}
diff --git a/infrastructure/gitea/kustomization.yaml b/infrastructure/gitea/kustomization.yaml
index 24d3c0c..a9ec1a4 100644
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -5,11 +5,9 @@ resources:
 - gitea.pvc.yaml
 - gitea.ingress.yaml
 - gitea.servicemonitor.yaml
- - drone-kube-runner.deployment.yaml
- - drone-server.deployment.yaml
- - drone-server.sealedsecret.yaml
 - actions.deployment.yaml
 - actions.sealedsecret.yaml
+ - actions.rbac.yaml
 namespace: gitea