diff --git a/cluster/apps/development/drone/drone-kubernetes-secrets/helm-release.yaml b/cluster/apps/development/drone/drone-kubernetes-secrets/helm-release.yaml
new file mode 100644
index 0000000000..eca45fb416
--- /dev/null
+++ b/cluster/apps/development/drone/drone-kubernetes-secrets/helm-release.yaml
@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: drone-kubernetes-secrets
+ namespace: default
+spec:
+ interval: 1h
+ chart:
+ spec:
+ chart: drone-kubernetes-secrets
+ version: 0.1.4
+ sourceRef:
+ kind: HelmRepository
+ name: drone
+ namespace: flux-system
+ values:
+ env:
+ KUBERNETES_NAMESPACE: default
+valuesFrom:
+ - targetPath: env.SECRET_KEY
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_SECRET_PLUGIN_TOKEN
\ No newline at end of file
diff --git a/cluster/apps/development/drone/drone-kubernetes-secrets/kustomization.yaml b/cluster/apps/development/drone/drone-kubernetes-secrets/kustomization.yaml
new file mode 100644
index 0000000000..2fa2de20ca
--- /dev/null
+++ b/cluster/apps/development/drone/drone-kubernetes-secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
diff --git a/cluster/apps/development/drone/drone-runner-kube/helm-release.yaml b/cluster/apps/development/drone/drone-runner-kube/helm-release.yaml
new file mode 100644
index 0000000000..c4196655ed
--- /dev/null
+++ b/cluster/apps/development/drone/drone-runner-kube/helm-release.yaml
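Review bot: `valuesFrom:` is printed at column 0 in this hunk, outside `spec:`, while every other nested key keeps an indent; if the file really has it at top level rather than under `spec`, the HelmRelease schema has no such field, the API server prunes or rejects it, and `env.SECRET_KEY` is never filled from the `drone` Secret, so the extension starts without its token. The drone-runner-kube and drone helm-release hunks print `valuesFrom:` the same way, so check all three files. Separately, these three helm-release files and cluster/charts/drone-charts.yaml lack the leading `---` that the kustomization files in this commit carry and end without a trailing newline; `---` as the first line keeps the set consistent. Note also that `KUBERNETES_NAMESPACE: default` scopes the secret extension to the namespace that holds the `drone` Secret and the rest of the stack; a dedicated namespace for pipeline-consumable secrets limits what the extension can read.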
@@ -0,0 +1,35 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: drone-runner-kube
+ namespace: default
+spec:
+ interval: 1h
+ chart:
+ spec:
+ chart: drone-runner-kube
+ version: 0.1.10
+ sourceRef:
+ kind: HelmRepository
+ name: drone
+ namespace: flux-system
+ dependsOn:
+ - name: drone-kubernetes-secrets
+ namespace: default
+ values:
+ image:
+ repository: drone/drone-runner-kube
+ tag: 1.0.0-beta.5
+ env:
+ DRONE_NAMESPACE_DEFAULT: default
+ DRONE_RPC_HOST: drone.default.svc:8080
+ DRONE_SECRET_PLUGIN_ENDPOINT: http://drone-kubernetes-secrets.default.svc:3000
+valuesFrom:
+ - targetPath: env.DRONE_RPC_SECRET
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_RPC_SECRET
+ - targetPath: env.DRONE_SECRET_PLUGIN_TOKEN
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_SECRET_PLUGIN_TOKEN
\ No newline at end of file
diff --git a/cluster/apps/development/drone/drone-runner-kube/kustomization.yaml b/cluster/apps/development/drone/drone-runner-kube/kustomization.yaml
new file mode 100644
index 0000000000..2fa2de20ca
--- /dev/null
+++ b/cluster/apps/development/drone/drone-runner-kube/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
diff --git a/cluster/apps/development/drone/helm-release.yaml b/cluster/apps/development/drone/helm-release.yaml
new file mode 100644
index 0000000000..66725b1d64
--- /dev/null
+++ b/cluster/apps/development/drone/helm-release.yaml
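Review bot: `DRONE_NAMESPACE_DEFAULT: default` makes every pipeline pod run in the same namespace as the Drone server, the secrets extension, Postgres and the `drone` Secret, so the pod-creation RBAC the runner needs also lands in the namespace holding those credentials. Pointing it at a dedicated namespace (for example `DRONE_NAMESPACE_DEFAULT: drone-pipelines`, assuming the chart's RBAC follows that value) keeps pipeline workloads and their service account away from the control-plane pieces. The extension endpoint is plain `http://` on port 3000 inside the cluster, which is tolerable only because each call carries `DRONE_SECRET_PLUGIN_TOKEN`; a NetworkPolicy restricting that port to the runner pods is a cheap complement.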
@@ -0,0 +1,65 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: drone
+ namespace: default
+spec:
+ interval: 1h
+ chart:
+ spec:
+ chart: drone
+ version: 0.6.4
+ sourceRef:
+ kind: HelmRepository
+ name: drone
+ namespace: flux-system
+ dependsOn:
+ - name: drone-runner-kube
+ namespace: default
+ - name: gitea
+ namespace: default
+ - name: postgres-cluster
+ namespace: default
+ values:
+ image:
+ repository: drone/drone
+ tag: 2.15.0
+ persistentVolume:
+ enabled: false
+ env:
+ DRONE_DATABASE_DRIVER: postgres
+ DRONE_GIT_ALWAYS_AUTH: true
+ DRONE_GITEA_SERVER: https://gitea.${SECRET_CLUSTER_DOMAIN}
+ DRONE_SERVER_HOST: &host drone.${SECRET_CLUSTER_DOMAIN}
+ DRONE_SERVER_PROTO: https
+ DRONE_SERVER_PROXY_HOST: drone.default.svc
+ DRONE_SERVER_PROXY_PROTO: http
+ DRONE_USER_CREATE: username:context,admin:true
+ ingress:
+ enabled: true
+ className: nginx
+ hosts:
+ - host: *host
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+valuesFrom:
+ - targetPath: env.DRONE_DATABASE_DATASOURCE
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_DATABASE_DATASOURCE
+ - targetPath: env.DRONE_GITEA_CLIENT_ID
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_GITEA_CLIENT_ID
+ - targetPath: env.DRONE_GITEA_CLIENT_SECRET
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_GITEA_CLIENT_SECRET
+ - targetPath: env.DRONE_RPC_SECRET
+ kind: Secret
+ name: drone
+ valuesKey: DRONE_RPC_SECRET
\ No newline at end of file
diff --git a/cluster/apps/development/drone/kustomization.yaml b/cluster/apps/development/drone/kustomization.yaml
new file mode 100644
index 0000000000..52aa1774b9
--- /dev/null
+++ b/cluster/apps/development/drone/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - drone-kubernetes-secrets
+ - drone-runner-kube
+ - helm-release.yaml
+ - secret.sops.yaml
\ No newline at end of file
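Review bot: `DRONE_GIT_ALWAYS_AUTH: true` is an unquoted YAML boolean inside `env`; Kubernetes env values must be strings, so unless the chart pipes each value through `quote` the rendered Deployment fails validation — `DRONE_GIT_ALWAYS_AUTH: "true"` is safe with either chart behaviour and matches how the other values in this map are strings. With Gitea OAuth login and nothing restricting registration, every Gitea account can sign in and run pipelines that become pods in the cluster; once the admin created by `DRONE_USER_CREATE` has logged in, `DRONE_REGISTRATION_CLOSED: "true"` or a `DRONE_USER_FILTER` allow-list keeps that to intended users. The `&host`/`*host` anchor is expanded by kustomize before Flux sees it, which is fine, but it is the only anchor in these files and a plain repeat of the host would read more uniformly.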
diff --git a/cluster/apps/development/drone/secret.sops.yaml b/cluster/apps/development/drone/secret.sops.yaml
new file mode 100644
index 0000000000..3f2471db29
--- /dev/null
+++ b/cluster/apps/development/drone/secret.sops.yaml
@@ -0,0 +1,33 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: drone
+ namespace: default
+type: Opaque
+stringData:
+ DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:+9NZ76uh+GIJCyXz/4KT9TUhnHRkZ7OCHPEJ9w3zwgxqFhbtf6qRoTbPszumvFkn71xgmBhkul8ZWx6A5/gIhbwfTi3+829VLzBivXdFv0nC9/KYPcEGmsXVMFQ=,iv:NhUdL1/fVhfpsIQYgYGxqhO1zt/4QvgooNb9VVbXrWM=,tag:yWWvV7IwwtlcMYefty3ytw==,type:str]
+ DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:tcXCVpdKB16QrXd35BhWtafVKgs/BlxWkxK9iQ+sm/wTUren,iv:/zEGKJzuaurIAOWXAhtsRnxkIwmzqrAZkW7rfAaTEVQ=,tag:XnHiNYyHUjsLgnTl62wQPQ==,type:str]
+ DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:wEIM5nc+cmc18ujFztAQQKO0YFXVtH90G+C4yCQOZlUf1xu9R1t2M0iLB7aP+y1lfxo3cgfiT+k=,iv:Nish+j12JfctzLGLXJ6Gle4sJLTDSlPnVMQ9L1BRRTs=,tag:uXWDbzpE13p5X/BnsKvQPQ==,type:str]
+ DRONE_RPC_SECRET: ENC[AES256_GCM,data:O+YljkHzgFe4HSgSRkosuTTFpaOPSyAjeVpC39BKSIU=,iv:H8SO0S8TL060mnKCOBPWexUNdYwUmyVPdetuoto6uck=,tag:XU8JCsippp0Gadptpuwuog==,type:str]
+ DRONE_SECRET_PLUGIN_TOKEN: ENC[AES256_GCM,data:rRP1/jdkyHkwTmB8j5svo0xg6YFw64f9EVcoMzyzHbk=,iv:LYMgl50+edTnk0Im7uzLZW0THemraadOpOLkyvL/5Og=,tag:nIkuWVAK1NvawHksQar0tQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
+ QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
+ WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
+ ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
+ Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-11-17T00:42:15Z"
+ mac: 
ENC[AES256_GCM,data:D401bweTZOPX4wlHObquqTGTVmO7beunzjzGlJMYmxsMVA0lxYqs6tzrjbb/0yy/Dhee6CUCalstX977HltaEOg3TlPdo60wsQe2K4Zl9rikbj7fIM+Qfw433HY4QZ+Rp7oEr5rUXVrGo3zUtaFDBTm5T4x9prDZWL6awGNwGDo=,iv:waybTiK127sh167CfzUwkHnbkzWw28UWYxR4w4QhSK0=,tag:PRV/ruen25JVNnBu7so0tw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/development/gitea/external-backup/helm-release.yaml b/cluster/apps/development/gitea/external-backup/helm-release.yaml
index ad8d2205c7..30c72a8392 100644
--- a/cluster/apps/development/gitea/external-backup/helm-release.yaml
+++ b/cluster/apps/development/gitea/external-backup/helm-release.yaml
@@ -58,11 +58,12 @@ spec:
 ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
- set -x
+ set -o nounset
+ set -o errexit
 WORK_DIR="/mnt/storage/backups/apps/gitea"
- ORGANISATIONS=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/orgs" --header "Authorization: Bearer ${GITEA_API_TOKEN}" | jq --raw-output .[].username)
+ ORGANISATIONS=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/orgs" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].username)
 ORGANISATIONS+=" auricom"
 for org in $ORGANISATIONS
@@ -73,7 +74,7 @@ spec:
 else
 keyword="orgs"
 fi
- REPOSITORIES=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/$keyword/$org/repos?limit=1000" --header "Authorization: Bearer ${GITEA_API_TOKEN}" | jq --raw-output .[].name)
+ REPOSITORIES=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/$keyword/$org/repos?limit=1000" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].name)
 for repo in $REPOSITORIES
 do
 if [ -d "$WORK_DIR/$org/$repo" ]; then
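Review bot: `set -o errexit` does not catch a failing `curl` inside `ORGANISATIONS=$(curl … | jq …)` because the pipeline's status is `jq`'s, and `curl` without `--fail` also exits 0 on an HTTP 401 or 500, so a bad or missing `SECRET_GITEA_API_TOKEN` yields an empty organisation list and the job runs to a successful-looking end; add `set -o pipefail` next to the two new `set -o` lines and `--fail` on this curl and on the `REPOSITORIES=` curl in the second hunk. Because the heredoc delimiter is quoted (`<< 'EOF'`), `${SECRET_GITEA_API_TOKEN}` is not expanded by the pod's shell but reaches the TrueNAS host as written unless Flux substitutes it into the manifest first; with `nounset` now active, an unsubstituted name aborts the remote script instead of sending an empty bearer token, which is the safer failure, but it is worth confirming which side is meant to supply the value. The enclosing job command starts before and ends after this hunk.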
@@ -101,7 +102,7 @@ spec:
 done
 done
 echo "INFO: Backup done"
- curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local./ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-gitea-repositories-backup
+ curl -m 10 --retry 5 https://healthchecks.${SECRET_CLUSTER_DOMAIN}/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-gitea-repositories-backup
 EOF
 volumeMounts:
 - name: secret
diff --git a/cluster/apps/development/kustomization.yaml b/cluster/apps/development/kustomization.yaml
index b8d5446f91..f7051a4124 100644
--- a/cluster/apps/development/kustomization.yaml
+++ b/cluster/apps/development/kustomization.yaml
@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - drone
 - gitea
diff --git a/cluster/charts/drone-charts.yaml b/cluster/charts/drone-charts.yaml
new file mode 100644
index 0000000000..3b8e45aaa5
--- /dev/null
+++ b/cluster/charts/drone-charts.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: drone
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.drone.io
\ No newline at end of file
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
index cfabb8ef8c..3d39c7fa1d 100644
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - cert-manager-webhook-ovh.yaml
 - cloudnative-pg-charts.yaml
 - descheduler-charts.yaml
+ - drone-charts.yaml
 - dysnix-charts.yaml
 - emxq-charts.yaml
 - external-dns-charts.yaml
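Review bot: The success ping now uses the public `https://healthchecks.${SECRET_CLUSTER_DOMAIN}` endpoint, which the remote TrueNAS host can actually reach (the old `svc.cluster.local` name would not resolve there), but `curl -m 10 --retry 5` without `--fail` still exits 0 on a 4xx/5xx, so a wrong ping key or a broken ingress passes silently; use `curl --fail -m 10 --retry 5 https://healthchecks.${SECRET_CLUSTER_DOMAIN}/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-gitea-repositories-backup`. With `errexit` enabled earlier in the script, an aborted run simply never pings and the check only alerts after its grace period; if the remote login shell is bash, a `trap 'curl --fail -m 10 https://healthchecks.${SECRET_CLUSTER_DOMAIN}/ping/${SECRET_HEALTHCHECKS_PING_KEY}/fail' ERR` placed right after the `set -o` lines (outside this hunk) reports the failure immediately. The heredoc is opened before this hunk and the surrounding CronJob spec continues after it.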