apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner
  namespace: gitea
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: gitea
  name: drone-runner
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - create
  - delete
  - list
  - watch
  - update

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone-runner
  namespace: gitea
subjects:
- kind: ServiceAccount
  name: drone-runner
  namespace: gitea
roleRef:
  kind: Role
  name: drone-runner
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: gitea
  name: drone-runner
  labels:
    app.kubernetes.io/name: drone-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: drone-runner
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone-runner
    spec:
      serviceAccountName: drone-runner
      containers:
      - name: runner
        image: drone/drone-runner-kube:latest
        ports:
        - containerPort: 3000
        env:
        - name: DRONE_RPC_HOST
          value: drone-server:80
        - name: DRONE_RPC_PROTO
          value: http
        - name: DRONE_RPC_SECRET
          valueFrom:
            secretKeyRef:
              name: drone-server-secret
              key: rpc_secret
        - name: DRONE_NAMESPACE_DEFAULT
          value: gitea
        # - name: DRONE_NAMESPACE_RULES
        #   value: "drone-runner:*"
        - name: DRONE_SERVICE_ACCOUNT_DEFAULT
          value: drone-runner