From 7a925af1c0128401169199b8c460bbe250df382a Mon Sep 17 00:00:00 2001
From: Khwezi
Date: Sun, 12 Apr 2026 14:40:18 +0200
Subject: [PATCH] refactored drone ci template
---
 kubernetes-templates/droneci.yml | 352 ++++++++-----------------------
 1 file changed, 93 insertions(+), 259 deletions(-)
diff --git a/kubernetes-templates/droneci.yml b/kubernetes-templates/droneci.yml
index 0e98b75..00d146d 100644
--- a/kubernetes-templates/droneci.yml
+++ b/kubernetes-templates/droneci.yml
@@ -1,331 +1,165 @@ --- -# Namespace for Drone CI apiVersion: v1 kind: Namespace metadata: - name: droneci - + name: drone-ci --- -# Service Account apiVersion: v1 kind: ServiceAccount metadata: - name: droneci-sa - namespace: droneci - + name: drone-runner-sa + namespace: drone-ci --- -# ConfigMap for Drone configuration -apiVersion: v1 -kind: ConfigMap +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: droneci-config - namespace: droneci -data: - server.domain: "droneci.apps.mngoma.lab" - server.proto: "https" - server.runnername: "drone-runner" - server.runnercapacity: "2" - server.runnernetworks: "default" - database.type: "postgres" - database.host: "192.168.1.137:5432" - database.name: "dronecim" - gitea.server: "https://gitea.apps.mngoma.lab" - gitea.server.internal: "https://gitea-server.gitea.svc.cluster.local" - + name: drone-runner-role + namespace: drone-ci +rules: + - apiGroups: [""] + resources: ["pods", "pods/log", "secrets"] + verbs: ["get", "create", "delete", "list", "watch", "update"] --- -# Secret for Drone credentials -apiVersion: v1 -kind: Secret +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: - name: droneci-secret - namespace: droneci -type: Opaque -data: - server.rpctoken: MDFLNlFHTkE4VEMxQjJGVzNGV0JSWDJFNE4= - database.username: YXBwX3VzZXI= - database.password: MTIzNDU= - database.connectstring: cG9zdGdyZXM6Ly9hcHBfdXNlcjoxMjM0NUAxOTIuMTY4LjEuMTM3OjU0MzIvZHJvbmVjaW0/c3NsbW9kZT1kaXNhYmxl - gitea.clientid: MGRiNTliZDAtMGI3Ni00ODgxLThhODQtNjI0N2ZlYTExOTcz - gitea.clientsecret: Z3RvX3l6bXB6NmJvZG52cmRnMnM1MmVmNWF1c3ozZTYzNGdyeTc0MjJqZ2hwd3ZnbGc2M2JtcnE= - + name: drone-runner-rb + namespace: drone-ci +subjects: + - kind: ServiceAccount + name: drone-runner-sa + namespace: drone-ci +roleRef: + kind: Role + name: drone-runner-role + apiGroup: rbac.authorization.k8s.io --- -# Persistent Volume for Drone data -apiVersion: v1 -kind: PersistentVolume -metadata: - name: droneci-pv - labels: - type: local 
-spec: - capacity: - storage: 5Gi - accessModes: ["ReadWriteOnce"] - storageClassName: local-pvs - local: - path: /home/ansible/k3s/makhiwane/droneci - nodeAffinity: - required: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: ["lead"] - persistentVolumeReclaimPolicy: Retain - ---- -# Persistent Volume Claim apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: droneci-pvc - namespace: droneci + name: drone-server-data-pvc + namespace: drone-ci spec: - accessModes: ["ReadWriteOnce"] - storageClassName: local-pvs + accessModes: + - ReadWriteOnce + storageClassName: nfs-storage resources: requests: storage: 5Gi - --- -# Drone Server Deployment +apiVersion: v1 +kind: Secret +metadata: + name: drone-secrets + namespace: drone-ci +type: Opaque +stringData: + DRONE_RPC_SECRET: "b505b2906ae213070b10d9698cc35e84" + DRONE_GITEA_CLIENT_ID: "a9b4a947-0b4c-4782-a5f8-3ed79a4b295d" + DRONE_GITEA_CLIENT_SECRET: "gto_ukxcserdy7vei36git4tbuz2tdyez4rb2eo5woownmtyct3lz3aq" +--- apiVersion: apps/v1 kind: Deployment metadata: - name: drone - namespace: droneci - labels: - app.kubernetes.io/name: drone + name: drone-server + namespace: drone-ci spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: drone + app: drone-server template: metadata: labels: - app.kubernetes.io/name: drone + app: drone-server spec: - serviceAccountName: droneci-sa hostAliases: - - ip: "192.168.1.160" - hostnames: - - "gitea.apps.mngoma.lab" + - ip: "169.255.58.144" + hostnames: ["gitea.khongisa.co.za"] containers: - - name: drone - image: drone/drone:latest + - name: drone-server + image: drone/drone:2 ports: - containerPort: 80 - name: http resources: requests: + cpu: "100m" memory: "256Mi" - cpu: "250m" limits: - memory: "512Mi" cpu: "500m" + memory: "512Mi" env: - - name: DRONE_SERVER_HOST - valueFrom: - configMapKeyRef: - name: droneci-config - key: server.domain - - name: DRONE_SERVER_PROTO - valueFrom: - configMapKeyRef: - name: 
droneci-config - key: server.proto - - name: DRONE_SERVER_PORT - value: ":80" - - name: DRONE_TLS_AUTOCERT - value: "false" - - name: DRONE_LOGS_DEBUG - value: "true" - - name: DRONE_RPC_SECRET - valueFrom: - secretKeyRef: - name: droneci-secret - key: server.rpctoken - - name: DRONE_DATABASE_DRIVER - valueFrom: - configMapKeyRef: - name: droneci-config - key: database.type - - name: DRONE_DATABASE_DATASOURCE - valueFrom: - secretKeyRef: - name: droneci-secret - key: database.connectstring - - name: DRONE_DB_USER - valueFrom: - secretKeyRef: - name: droneci-secret - key: database.username - - name: DRONE_DB_PASS - valueFrom: - secretKeyRef: - name: droneci-secret - key: database.password - name: DRONE_GITEA_SERVER - valueFrom: - configMapKeyRef: - name: droneci-config - key: gitea.server + value: "https://gitea.khongisa.co.za" + - name: DRONE_SERVER_HOST + value: "drone.khongisa.co.za" + - name: DRONE_SERVER_PROTO + value: "https" + - name: DRONE_RPC_SECRET + valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } } - name: DRONE_GITEA_CLIENT_ID - valueFrom: - secretKeyRef: - name: droneci-secret - key: gitea.clientid + valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_ID } } - name: DRONE_GITEA_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: droneci-secret - key: gitea.clientsecret - - name: DRONE_GITEA_SKIP_VERIFY - value: "true" + valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_SECRET } } + - name: DRONE_DATABASE_DRIVER + value: "sqlite3" + - name: DRONE_DATABASE_DATASOURCE + value: "/data/database.sqlite" volumeMounts: - - name: drone-storage + - name: data mountPath: /data volumes: - - name: drone-storage + - name: data persistentVolumeClaim: - claimName: droneci-pvc - + claimName: drone-server-data-pvc --- -# Drone Server Service -apiVersion: v1 -kind: Service -metadata: - name: drone-server - namespace: droneci -spec: - selector: - app.kubernetes.io/name: drone - ports: - - name: http - 
port: 80 - targetPort: 80 - type: ClusterIP - ---- -# Drone Runner Deployment apiVersion: apps/v1 kind: Deployment metadata: name: drone-runner - namespace: droneci - labels: - app.kubernetes.io/name: drone-runner + namespace: drone-ci spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: drone-runner + app: drone-runner template: metadata: labels: - app.kubernetes.io/name: drone-runner + app: drone-runner spec: - serviceAccountName: droneci-sa - hostAliases: - - ip: "192.168.1.160" - hostnames: - - "droneci.apps.mngoma.lab" + serviceAccountName: drone-runner-sa containers: - - name: runner + - name: drone-runner image: drone/drone-runner-kube:latest - ports: - - containerPort: 3000 - env: - # propagate SSL skip and internal Gitea to ephemeral pods - - name: DRONE_RUNNER_ENV_VARS - valueFrom: - configMapKeyRef: - name: droneci-config - key: gitea.server.internal - - name: DRONE_RPC_HOST - value: drone-server.droneci.svc.cluster.local - - name: DRONE_RPC_PROTO - value: "http" - - name: DRONE_RPC_SECRET - valueFrom: - secretKeyRef: - name: droneci-secret - key: server.rpctoken - - name: DRONE_RUNNER_NAME - valueFrom: - configMapKeyRef: - name: droneci-config - key: server.runnername - - name: DRONE_RUNNER_CAPACITY - valueFrom: - configMapKeyRef: - name: droneci-config - key: server.runnercapacity - - name: DRONE_RUNNER_NETWORKS - valueFrom: - configMapKeyRef: - name: droneci-config - key: server.runnernetworks resources: requests: + cpu: "100m" memory: "128Mi" - cpu: "200m" limits: + cpu: "300m" memory: "256Mi" - cpu: "400m" - + env: + - name: DRONE_RPC_PROTO + value: "http" + - name: DRONE_RPC_HOST + value: "drone-server.drone-ci.svc.cluster.local" + - name: DRONE_RPC_SECRET + valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } } + - name: DRONE_NAMESPACE_DEFAULT + value: "drone-ci" --- -# Drone IngressRoute for Traefik -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute +apiVersion: v1 +kind: Service metadata: - name: droneci-web 
- namespace: droneci + name: drone-server + namespace: drone-ci spec: - entryPoints: - - websecure - routes: - - match: Host(`droneci.apps.mngoma.lab`) - kind: Rule - services: - - name: drone-server - port: 80 - scheme: http - tls: {} ---- -# ClusterRole for Drone CI Service Account -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: droneci-cluster-role -rules: - - apiGroups: [""] # core API - resources: ["pods", "pods/exec", "pods/log", "services", "endpoints", "configmaps", "secrets", "persistentvolumeclaims", "namespaces"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["apps"] - resources: ["deployments", "replicasets", "statefulsets"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["batch"] - resources: ["jobs", "cronjobs"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - ---- -# ClusterRoleBinding for Drone CI Service Account -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: droneci-cluster-rolebinding -subjects: - - kind: ServiceAccount - name: droneci-sa - namespace: droneci -roleRef: - kind: ClusterRole - name: droneci-cluster-role - apiGroup: rbac.authorization.k8s.io + type: NodePort + selector: + app: drone-server + ports: + - name: http + port: 80 + targetPort: 80 + nodePort: 31001 \ No newline at end of file
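Review bot: The new `drone-secrets` Secret carries the RPC secret and the Gitea OAuth client id/secret as plaintext `stringData` inside a committed template, so those values are now part of git history; keep the manifest as a placeholder (e.g. `DRONE_RPC_SECRET: "<set-at-deploy-time>"`), populate the Secret out of band (kubectl from an env file, a sealed/external secret, or whatever the cluster already uses), and treat the committed values as exposed and rotate them on the Gitea side and in both Deployments. The `drone-runner-role` grants `get`/`list`/`watch` on `secrets` in `drone-ci`, the same namespace that holds `drone-secrets` and the server, and `DRONE_NAMESPACE_DEFAULT` also places pipeline pods there; a dedicated pipeline namespace, with the Role and RoleBinding scoped only to it, would keep build pods and the runner's secret access away from the server's credentials. `drone/drone-runner-kube:latest` stays on a mutable tag while the server was pinned to `drone/drone:2`; pin the runner to a release tag or digest as well. The `NodePort` Service now exposes the server as plain HTTP on `31001` on every node while `DRONE_SERVER_PROTO` is `https` and the former TLS `IngressRoute` is removed, which only holds up if an external proxy terminates TLS in front of it — please confirm and record that in a comment on the Service. SQLite on an `nfs-storage` PVC is also worth a second look, since SQLite locking is known to be unreliable over NFS.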