# Drone CI on Kubernetes: server + Kubernetes runner in the `droneci` namespace,
# backed by an external PostgreSQL database and Gitea OAuth, published through a
# Traefik IngressRoute. Formatting restored to one key per line; values unchanged.
#
# Security review summary (details inline):
#   * live credentials are committed in the Secret (base64 is not encryption)
#   * the shared ServiceAccount has broad namespace RBAC, including secrets and pods/exec
#   * both images use the mutable `latest` tag
#   * TLS verification towards Gitea and TLS towards PostgreSQL are disabled
#   * neither container sets a securityContext or resource requests/limits
---
apiVersion: v1
kind: Namespace
metadata:
  name: droneci
---
# Single identity used by BOTH the server and the runner pods below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: droneci-sa
  namespace: droneci
---
# Non-secret settings consumed via configMapKeyRef by the two Deployments.
apiVersion: v1
kind: ConfigMap
metadata:
  name: droneci-config
  namespace: droneci
data:
  server.domain: "droneci.apps.mngoma.lab"
  server.proto: "https"
  server.runnername: "drone_runner"
  server.runnernetworks: "default"
  server.runnercapacity: "2"
  database.type: "postgres"
  database.host: "192.168.1.137:5432"
  database.name: "dronecim"
  gitea.server: "https://gitea.apps.mngoma.lab"
---
# NOTE(security): values under `data` are only base64-encoded. Anyone who can read
# this file can recover the RPC shared secret, the database credentials and the
# Gitea OAuth client secret. Treat all of them as exposed: rotate them and create
# this Secret out of band (sealed/external secret tooling) instead of committing it.
# NOTE(security): the database password decodes to a short numeric value, and the
# connection string sets sslmode=disable, so traffic to the database host is
# unencrypted. Use a strong generated password and enable TLS to PostgreSQL.
apiVersion: v1
kind: Secret
metadata:
  name: droneci-secret
  namespace: droneci
type: Opaque
data:
  server.rpctoken: MDFLNlFHTkE4VEMxQjJGVzNGV0JSWDJFNE4=
  database.username: YXBwX3VzZXI=
  database.password: MTIzNDU=
  database.connectstring: cG9zdGdyZXM6Ly9hcHBfdXNlcjoxMjM0NUAxOTIuMTY4LjEuMTM3OjU0MzIvZHJvbmVjaW0/c3NsbW9kZT1kaXNhYmxl
  gitea.clientid: MGRiNTliZDAtMGI3Ni00ODgxLThhODQtNjI0N2ZlYTExOTcz
  gitea.clientsecret: Z3RvX3l6bXB6NmJvZG52cmRnMnM1MmVmNWF1c3ozZTYzNGdyeTc0MjJqZ2hwd3ZnbGc2M2JtcnE=
---
# NOTE(security): full read/write on secrets and configmaps in this namespace.
# Every rule here is also present in drone-runner-role, and both roles are bound
# to droneci-sa, so this Role adds no permission the other does not already grant.
# NOTE(review): the Drone server pod presumably needs no Kubernetes API access;
# confirm, then give it a separate ServiceAccount with no bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: droneci-role
  namespace: droneci
rules:
  - apiGroups:
      - ""
    resources:
      - "pods"
      - "services"
      - "endpoints"
      - "persistentvolumeclaims"
      - "configmaps"
      - "secrets"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"
      - "delete"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: droneci-rolebinding
  namespace: droneci
subjects:
  - kind: ServiceAccount
    name: droneci-sa
    namespace: droneci
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: droneci-role
---
# NOTE(security): pods/exec plus read access to secrets means any workload running
# as droneci-sa can read droneci-secret and exec into every pod in the namespace.
# Trim resources and verbs to what the runner actually uses, and keep the
# application secrets in a namespace pipeline workloads cannot read.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-runner-role
  namespace: droneci
rules:
  - apiGroups:
      - ""
    resources:
      - "pods"
      - "pods/exec"
      - "services"
      - "endpoints"
      - "configmaps"
      - "secrets"
      - "persistentvolumeclaims"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"
      - "delete"
  - apiGroups:
      - "apps"
    resources:
      - "deployments"
      - "replicasets"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"
      - "delete"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-runner-rolebinding
  namespace: droneci
subjects:
  - kind: ServiceAccount
    name: droneci-sa
    namespace: droneci
roleRef:
  kind: Role
  name: drone-runner-role
  apiGroup: rbac.authorization.k8s.io
---
# Node-local storage pinned to the node named "lead"; data is kept (Retain) when
# the claim is deleted.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: droneci-pv
  labels:
    type: local
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - "ReadWriteOnce"
  storageClassName: local-pvs
  local:
    path: /home/ansible/k3s/makhiwane/droneci
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - "lead"
  persistentVolumeReclaimPolicy: Retain
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: droneci-pvc
  namespace: droneci
spec:
  accessModes:
    - "ReadWriteOnce"
  storageClassName: local-pvs
  resources:
    requests:
      storage: 10Gi
---
# Drone server. Listens on plain HTTP :80; TLS is terminated at the ingress.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone
  namespace: droneci
  labels:
    app.kubernetes.io/name: drone
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: drone
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone
    spec:
      # Pins both public hostnames to one address inside the pod, bypassing cluster DNS.
      hostAliases:
        - ip: "192.168.1.160"
          hostnames:
            - "gitea.apps.mngoma.lab"
            - "droneci.apps.mngoma.lab"
      serviceAccountName: droneci-sa
      containers:
        - name: drone
          # NOTE(security): `latest` is a mutable tag; pin a specific version or
          # image digest so an upstream change cannot silently replace what runs here.
          image: drone/drone:latest
          ports:
            - containerPort: 80
              name: http
          env:
            - name: DRONE_SERVER_HOST
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: server.domain
            - name: DRONE_SERVER_PROTO
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: server.proto
            - name: DRONE_SERVER_PORT
              value: ":80"
            - name: DRONE_TLS_AUTOCERT
              value: "false"
            # NOTE(security): debug logging is verbose; confirm it does not capture
            # tokens or request details before leaving it on outside troubleshooting.
            - name: DRONE_LOGS_DEBUG
              value: "true"
            - name: DRONE_RPC_SECRET
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: server.rpctoken
            - name: DRONE_DATABASE_DRIVER
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: database.type
            - name: DRONE_DATABASE_DATASOURCE
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: database.connectstring
            # NOTE(review): the datasource above already embeds the credentials.
            # Confirm the image reads DRONE_DB_USER / DRONE_DB_PASS; if not, drop
            # them so the password is not exposed in the environment twice.
            - name: DRONE_DB_USER
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: database.username
            - name: DRONE_DB_PASS
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: database.password
            - name: DRONE_GITEA_SERVER
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: gitea.server
            - name: DRONE_GITEA_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: gitea.clientid
            - name: DRONE_GITEA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: gitea.clientsecret
            # NOTE(security): disables certificate verification for the Gitea
            # endpoint, so OAuth and API traffic to it is not authenticated. Prefer
            # trusting the lab CA in the container and setting this to "false".
            - name: DRONE_GITEA_SKIP_VERIFY
              value: "true"
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /healthz
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 20
            failureThreshold: 3
          volumeMounts:
            - name: drone-storage
              mountPath: /data
      volumes:
        - name: drone-storage
          persistentVolumeClaim:
            claimName: droneci-pvc
---
# In-cluster endpoint used by the runner (RPC) and by the IngressRoute backend.
apiVersion: v1
kind: Service
metadata:
  name: drone-server
  namespace: droneci
spec:
  selector:
    app.kubernetes.io/name: drone
  ports:
    - name: http
      port: 80
      targetPort: 80
  type: ClusterIP
---
# Drone Kubernetes runner. Runs as droneci-sa, so it holds every permission
# granted by the two Roles bound to that ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner
  namespace: droneci
  labels:
    app.kubernetes.io/name: drone-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: drone-runner
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone-runner
    spec:
      hostAliases:
        - ip: "192.168.1.160"
          hostnames:
            - "gitea.apps.mngoma.lab"
            - "droneci.apps.mngoma.lab"
      serviceAccountName: droneci-sa
      containers:
        - name: runner
          # NOTE(security): mutable `latest` tag; pin a version or digest.
          image: drone/drone-runner-kube:latest
          ports:
            - containerPort: 3000
          env:
            - name: DRONE_RPC_HOST
              value: drone-server.droneci.svc.cluster.local
            # Runner-to-server RPC is plain HTTP inside the cluster; it is protected
            # only by the shared DRONE_RPC_SECRET.
            - name: DRONE_RPC_PROTO
              value: "http"
            - name: DRONE_RPC_SECRET
              valueFrom:
                secretKeyRef:
                  name: droneci-secret
                  key: server.rpctoken
            - name: DRONE_RUNNER_NAME
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: server.runnername
            - name: DRONE_RUNNER_CAPACITY
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: server.runnercapacity
            - name: DRONE_RUNNER_NETWORKS
              valueFrom:
                configMapKeyRef:
                  name: droneci-config
                  key: server.runnernetworks
---
# Public entry point: TLS on the `websecure` entry point (no certificate resolver
# or secret is named, so Traefik's default certificate applies), plain HTTP to
# the backend Service.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: droneci-web
  namespace: droneci
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`droneci.apps.mngoma.lab`)
      kind: Rule
      services:
        - name: drone-server
          port: 80
          scheme: http
  tls: {}