Merge pull request 'Second drone ci port fix' (#42) from dev into main

Reviewed-on: #42

kubernetes-templates/droneci.yml

@@ -1,331 +1,172 @@
 ---
-# Namespace for Drone CI
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: droneci
-
+  name: drone-ci
 ---
-# Service Account
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: droneci-sa
-  namespace: droneci
-
+  name: drone-runner-sa
+  namespace: drone-ci
 ---
-# ConfigMap for Drone configuration
-apiVersion: v1
-kind: ConfigMap
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
-  name: droneci-config
-  namespace: droneci
-data:
-  server.domain: "droneci.apps.mngoma.lab"
-  server.proto: "https"
-  server.runnername: "drone-runner"
-  server.runnercapacity: "2"
-  server.runnernetworks: "default"
-  database.type: "postgres"
-  database.host: "192.168.1.137:5432"
-  database.name: "dronecim"
-  gitea.server: "https://gitea.apps.mngoma.lab"
-  gitea.server.internal: "https://gitea-server.gitea.svc.cluster.local"
-
+  name: drone-runner-role
+  namespace: drone-ci
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "secrets"]
+    verbs: ["get", "create", "delete", "list", "watch", "update"]
 ---
-# Secret for Drone credentials
-apiVersion: v1
-kind: Secret
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
-  name: droneci-secret
-  namespace: droneci
-type: Opaque
-data:
-  server.rpctoken: MDFLNlFHTkE4VEMxQjJGVzNGV0JSWDJFNE4=
-  database.username: YXBwX3VzZXI=
-  database.password: MTIzNDU=
-  database.connectstring: cG9zdGdyZXM6Ly9hcHBfdXNlcjoxMjM0NUAxOTIuMTY4LjEuMTM3OjU0MzIvZHJvbmVjaW0/c3NsbW9kZT1kaXNhYmxl
-  gitea.clientid: MGRiNTliZDAtMGI3Ni00ODgxLThhODQtNjI0N2ZlYTExOTcz
-  gitea.clientsecret: Z3RvX3l6bXB6NmJvZG52cmRnMnM1MmVmNWF1c3ozZTYzNGdyeTc0MjJqZ2hwd3ZnbGc2M2JtcnE=
-
+  name: drone-runner-rb
+  namespace: drone-ci
+subjects:
+  - kind: ServiceAccount
+    name: drone-runner-sa
+    namespace: drone-ci
+roleRef:
+  kind: Role
+  name: drone-runner-role
+  apiGroup: rbac.authorization.k8s.io
 ---
-# Persistent Volume for Drone data
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: droneci-pv
-  labels:
-    type: local
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes: ["ReadWriteOnce"]
-  storageClassName: local-pvs
-  local:
-    path: /home/ansible/k3s/makhiwane/droneci
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values: ["lead"]
-  persistentVolumeReclaimPolicy: Retain
-
----
-# Persistent Volume Claim
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: droneci-pvc
-  namespace: droneci
+  name: drone-server-data-pvc
+  namespace: drone-ci
 spec:
-  accessModes: ["ReadWriteOnce"]
-  storageClassName: local-pvs
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-storage
   resources:
     requests:
       storage: 5Gi
-
 ---
-# Drone Server Deployment
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drone-secrets
+  namespace: drone-ci
+type: Opaque
+stringData:
+  DRONE_RPC_SECRET: "b505b2906ae213070b10d9698cc35e84"
+  DRONE_GITEA_CLIENT_ID: "a9b4a947-0b4c-4782-a5f8-3ed79a4b295d"
+  DRONE_GITEA_CLIENT_SECRET: "gto_ukxcserdy7vei36git4tbuz2tdyez4rb2eo5woownmtyct3lz3aq"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: drone
-  namespace: droneci
-  labels:
-    app.kubernetes.io/name: drone
+  name: drone-server
+  namespace: drone-ci
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: drone
+      app: drone-server
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: drone
+        app: drone-server
     spec:
-      serviceAccountName: droneci-sa
       hostAliases:
-        - ip: "192.168.1.160"
-          hostnames:
-            - "gitea.apps.mngoma.lab"
+        - ip: "169.255.58.144"
+          hostnames: ["gitea.khongisa.co.za"]
       containers:
-        - name: drone
-          image: drone/drone:latest
+        - name: drone-server
+          image: drone/drone:2
           ports:
             - containerPort: 80
               name: http
           resources:
             requests:
+              cpu: "100m"
               memory: "256Mi"
-              cpu: "250m"
             limits:
-              memory: "512Mi"
               cpu: "500m"
+              memory: "512Mi"
           env:
-            - name: DRONE_SERVER_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.domain
-            - name: DRONE_SERVER_PROTO
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.proto
-            - name: DRONE_SERVER_PORT
+            # FIX: Explicitly bind the address to bypass port validation logic
+            - name: DRONE_SERVER_ADDR
               value: ":80"
-            - name: DRONE_TLS_AUTOCERT
-              value: "false"
-            - name: DRONE_LOGS_DEBUG
-              value: "true"
-            - name: DRONE_RPC_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: server.rpctoken
-            - name: DRONE_DATABASE_DRIVER
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: database.type
-            - name: DRONE_DATABASE_DATASOURCE
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.connectstring
-            - name: DRONE_DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.username
-            - name: DRONE_DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: database.password
+            - name: DRONE_SERVER_HOST
+              value: "drone.khongisa.co.za"
+            - name: DRONE_SERVER_PROTO
+              value: "https"
             - name: DRONE_GITEA_SERVER
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: gitea.server
+              value: "https://gitea.khongisa.co.za"
+            - name: DRONE_RPC_SECRET
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } }
             - name: DRONE_GITEA_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: gitea.clientid
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_ID } }
             - name: DRONE_GITEA_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: gitea.clientsecret
-            - name: DRONE_GITEA_SKIP_VERIFY
-              value: "true"
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_GITEA_CLIENT_SECRET } }
+            - name: DRONE_DATABASE_DRIVER
+              value: "sqlite3"
+            - name: DRONE_DATABASE_DATASOURCE
+              value: "/data/database.sqlite"
           volumeMounts:
-            - name: drone-storage
+            - name: data
               mountPath: /data
       volumes:
-        - name: drone-storage
+        - name: data
           persistentVolumeClaim:
-            claimName: droneci-pvc
-
+            claimName: drone-server-data-pvc
 ---
-# Drone Server Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-server
-  namespace: droneci
-spec:
-  selector:
-    app.kubernetes.io/name: drone
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-  type: ClusterIP
-
----
-# Drone Runner Deployment
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: drone-runner
-  namespace: droneci
-  labels:
-    app.kubernetes.io/name: drone-runner
+  namespace: drone-ci
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: drone-runner
+      app: drone-runner
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: drone-runner
+        app: drone-runner
     spec:
-      serviceAccountName: droneci-sa
+      serviceAccountName: drone-runner-sa
       hostAliases:
-        - ip: "192.168.1.160"
-          hostnames:
-            - "droneci.apps.mngoma.lab"
+        - ip: "169.255.58.144"
+          hostnames: ["gitea.khongisa.co.za"]
       containers:
-        - name: runner
+        - name: drone-runner
           image: drone/drone-runner-kube:latest
-          ports:
-            - containerPort: 3000
-          env:
-            # propagate SSL skip and internal Gitea to ephemeral pods
-            - name: DRONE_RUNNER_ENV_VARS
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: gitea.server.internal
-            - name: DRONE_RPC_HOST
-              value: drone-server.droneci.svc.cluster.local
-            - name: DRONE_RPC_PROTO
-              value: "http"
-            - name: DRONE_RPC_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: droneci-secret
-                  key: server.rpctoken
-            - name: DRONE_RUNNER_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnername
-            - name: DRONE_RUNNER_CAPACITY
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnercapacity
-            - name: DRONE_RUNNER_NETWORKS
-              valueFrom:
-                configMapKeyRef:
-                  name: droneci-config
-                  key: server.runnernetworks
           resources:
             requests:
+              cpu: "100m"
               memory: "128Mi"
-              cpu: "200m"
             limits:
+              cpu: "300m"
               memory: "256Mi"
-              cpu: "400m"
-
+          env:
+            - name: DRONE_RPC_PROTO
+              value: "http"
+            - name: DRONE_RPC_HOST
+              value: "drone-server.drone-ci.svc.cluster.local"
+            - name: DRONE_RPC_SECRET
+              valueFrom: { secretKeyRef: { name: drone-secrets, key: DRONE_RPC_SECRET } }
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone-ci"
 ---
-# Drone IngressRoute for Traefik
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: v1
+kind: Service
 metadata:
-  name: droneci-web
-  namespace: droneci
+  name: drone-server
+  namespace: drone-ci
 spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`droneci.apps.mngoma.lab`)
-      kind: Rule
-      services:
-        - name: drone-server
-          port: 80
-          scheme: http
-  tls: {}
----
-# ClusterRole for Drone CI Service Account
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: droneci-cluster-role
-rules:
-  - apiGroups: [""] # core API
-    resources: ["pods", "pods/exec", "pods/log", "services", "endpoints", "configmaps", "secrets", "persistentvolumeclaims", "namespaces"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["apps"]
-    resources: ["deployments", "replicasets", "statefulsets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["batch"]
-    resources: ["jobs", "cronjobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["extensions", "networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["policy"]
-    resources: ["poddisruptionbudgets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
-# ClusterRoleBinding for Drone CI Service Account
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: droneci-cluster-rolebinding
-subjects:
-  - kind: ServiceAccount
-    name: droneci-sa
-    namespace: droneci
-roleRef:
-  kind: ClusterRole
-  name: droneci-cluster-role
-  apiGroup: rbac.authorization.k8s.io
+  type: NodePort
+  selector:
+    app: drone-server
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      nodePort: 31001

kubernetes-templates/semaphoreui.yml

@@ -5,6 +5,36 @@ metadata:
   name: semaphore
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: semaphore-sa
+  namespace: semaphore
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: semaphore-role
+  namespace: semaphore
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "secrets", "configmaps"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: semaphore-rb
+  namespace: semaphore
+subjects:
+  - kind: ServiceAccount
+    name: semaphore-sa
+    namespace: semaphore
+roleRef:
+  kind: Role
+  name: semaphore-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: semaphore-data-pvc
@@ -27,10 +57,8 @@ data:
   db-password: c2VYbk42RGt1cFJaN0Y=
   admin-password: QmxhY2tzdGFyMkBob21l
   access-key-encryption: NHZKMm1LMnBMNW5COHhSMnpRN3dFM3RZNnVJMG9QOWE=
-  
-  # CLEAN BASE64 STRINGS (No spaces or newlines)
-  id_ed25519: b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDnDP06snc4Ci73FOImgNk3Mblsno53hj6XD2SK15dZbAAAAJgel/2wHpf9sAAAAAtzc2gtZWQyNTUxOQAAACDnDP06snc4Ci73FOImgNk3Mblsno53hj6XD2SK15dZbAAAAEBThqcrsWeeUZzEyWVZbhDiJdOEBFXJH85sa1Cc+WWCI+cM/TqydzgKLvcU4iaA2TcxuWyejneGPpcPZIrXl1lsAAAADmtod2V6aUBEQVJLU1VOAQIDBAUGBw==
-  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4=
+  id_ed25519: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEbkRQMDZzbmM0Q2k3M0ZPSW1nTmszTWJsc25vNTNoajZYRDJTSzE1ZFpiQUFBQUpnZWwvMndIcGY5CnNBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRG5EUDA2c25jNENpNzNGT0ltZ05rM01ibHNubzUzaGo2WEQyU0sxNWRaYkEKQUFBRUJUaHFjcnNXZWVVWnpFeVdWWmJoRGlKZE9FQkZYSkg4NXNhMUNjK1dXQ0krY00vVHF5ZHpnS0x2Y1U0aWFBMlRjeAp1V3llam5lR1BwY1BaSXJYbDFsc0FBQUFEbXRvZDJWNmFVQkVRVkpMVTFWT0FRSURCQVVHQnc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
+  id_ed25519.pub: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9jTS9UcXlkemdLTHZjVTRpYUEyVGN4dVd5ZWpuZUdQcGNQWklyWGwxbHMga2h3ZXppQERBUktTVU4K
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -50,8 +78,6 @@ kind: Deployment
 metadata:
   name: semaphore
   namespace: semaphore
-  labels:
-    app: semaphore
 spec:
   replicas: 1
   selector:
@@ -62,6 +88,7 @@ spec:
       labels:
         app: semaphore
     spec:
+      serviceAccountName: semaphore-sa
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -72,10 +99,23 @@ spec:
       hostAliases:
         - ip: "169.255.58.144"
           hostnames:
-           - "gitea.khongisa.co.za"
+            - "gitea.khongisa.co.za"
+      
       securityContext:
         runAsUser: 1001
         fsGroup: 1001
+        fsGroupChangePolicy: "Always"
+
+      initContainers:
+        - name: fix-ssh-permissions
+          image: busybox:latest
+          # We ensure the directory exists and has 700. 
+          # We don't touch the files yet because they are mounted by the main container.
+          command: ["sh", "-c", "mkdir -p /home/semaphore/.ssh && chmod 700 /home/semaphore/.ssh"]
+          volumeMounts:
+            - name: semaphore-persistent-storage
+              mountPath: /home/semaphore
+
       containers:
         - name: semaphore
           image: semaphoreui/semaphore:latest
@@ -115,22 +155,27 @@ spec:
             - name: SEMAPHORE_ACCESS_KEY_ENCRYPTION
               valueFrom: { secretKeyRef: { name: semaphore-secrets, key: access-key-encryption } }
           volumeMounts:
-            - name: semaphore-tmp
+            - name: semaphore-persistent-storage
+              mountPath: /home/semaphore
+            - name: semaphore-persistent-storage
               mountPath: /tmp/semaphore
+              subPath: tmp
             - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519
               subPath: id_ed25519
+              readOnly: true
             - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519.pub
               subPath: id_ed25519.pub
+              readOnly: true
       volumes:
-        - name: semaphore-tmp
+        - name: semaphore-persistent-storage
           persistentVolumeClaim:
             claimName: semaphore-data-pvc
         - name: ssh-keys-volume
           secret:
             secretName: semaphore-secrets
-            defaultMode: 384 
+            defaultMode: 384 # 0600
             items:
               - key: id_ed25519
                 path: id_ed25519