Migrate drone-ci and runners (#8)

Reviewed-on: https://git.badhouseplants.net/badhouseplants/k8s-cluster-config/pulls/8

.drone.yml

@@ -19,20 +19,24 @@ steps:
   environment:
     KUBECONFIG_CONTENT:
       from_secret: KUBECONFIG_CONTENT
+    SOPS_AGE_KEY:
+      from_secret: SOPS_AGE_KEY
   commands:
     - mkdir $HOME/.kube
     - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config
-    - helmfile -e badhouseplants diff
+    - helmfile -e badhouseplants diff --suppress-secrets
 
 - name: Diff eterosoft
   image: ghcr.io/helmfile/helmfile:canary
   environment:
+    SOPS_AGE_KEY:
+      from_secret: SOPS_AGE_KEY
     KUBECONFIG_CONTENT:
       from_secret: KUBECONFIG_CONTENT
   commands:
     - mkdir $HOME/.kube
     - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config
-    - helmfile -e etersoft diff
+    - helmfile -e etersoft diff --suppress-secrets
 
 ---
 # ----------------------------------------------
@@ -54,18 +58,22 @@ steps:
   environment:
     KUBECONFIG_CONTENT:
       from_secret: KUBECONFIG_CONTENT
+    SOPS_AGE_KEY:
+      from_secret: SOPS_AGE_KEY
   commands:
     - mkdir $HOME/.kube
     - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config
-    - helmfile -e badhouseplants apply
+    - helmfile -e badhouseplants apply --suppress-secrets
 
 - name: Apply eterosoft
   image: ghcr.io/helmfile/helmfile:canary
   environment:
     KUBECONFIG_CONTENT:
       from_secret: KUBECONFIG_CONTENT
+    SOPS_AGE_KEY:
+      from_secret: SOPS_AGE_KEY
   commands:
     - mkdir $HOME/.kube
     - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config
-    - helmfile -e etersoft apply
+    - helmfile -e etersoft apply --suppress-secrets
 

.sops.yaml

@@ -0,0 +1,6 @@
+creation_rules:
+  - path_regex: .*/values/.*
+    key_groups:
+      - age:
+        - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+

badhouseplants/helmfile.yaml

@@ -0,0 +1,17 @@
+---
+{{ readFile "../releases.yaml" }}
+
+releases:
+  - <<: *drone
+    installed: true
+    namespace: drone-service
+    createNamespace: false
+  
+  - <<: *drone-runner-kube
+    installed: true
+    namespace: drone-service
+    createNamespace: false
+
+bases:
+  - ../environments.yaml
+  - ../repositories.yaml

badhouseplants/values/secrets.drone-runner-kube.yaml

@@ -0,0 +1,22 @@
+env:
+    DRONE_SECRET_PLUGIN_TOKEN: ENC[AES256_GCM,data:6vsbRkd6DbWKf6qPPtfmv14cvKc=,iv:PPlH4m+SyMNNo/bV5/hpW2CZPGwxNKwO3RzY5RPOu5w=,tag:BGEf82OvMjDQvKe078/Fkg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVk0yaTlySHpuOWFFT3J5
+            Z210NzJPTmV0akdFQ1REM1JzK0pwTC9XWjJJCm54QmQ3ODJwakZuamMzYTBIeEJi
+            aUxKNmQ3dU52V2N2cjl5VTJpTTAwWGsKLS0tIDFyR2o2VnQ4QWFCWWRzZGNMZnNQ
+            em1VMlhBNGRrVFhXVUVRdU16Q1Q4bUEKvZ6UbZsfdvfCk37FlEN4vg0RTnPO2nwh
+            DY4klzcan+9DBRT2qdIIy6pj94GuSoXKXEYc9X0AvYab/HoLithMWA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-19T11:56:50Z"
+    mac: ENC[AES256_GCM,data:5U/D1hI+3zulh0UuuBv/oGAU8Bz5hpWvLCxUSCQbPSOW08S2jBiyDEdDJH7g0/y1xQkd3xJYLzJ7ccWx98j+0QJ+HOzcUF1Hwro6Zl0GSw8D4xvIeulHwwM6MBJGtOanbSHjeJ6Qyqf/tM5bF9GXpDblrNOXrnhvGOHj2GkzstU=,iv:AWAn3hAUEs8mbproV0M5EJyKddfNmUrI0ouIjvh1fEE=,tag:bFIQa/v4CaDx4RAJ7aHjeg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

badhouseplants/values/secrets.drone.yaml

@@ -0,0 +1,23 @@
+env:
+    DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:BbhUhVbrqFhD3Bw3w0ZfXRFNDkR7LV2gtabUOR990UQ6xDFw,iv:PfsuCU8A0C7MxVd9q6h6hexpeqxDJIshG16+Yoj9uTA=,tag:5mqw0hVJSlIta4p9VxGomw==,type:str]
+    DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:W3NzKBlKhzB1lPmLbMfVkHxtnod25tGi1lHJW2RWc46je6NeWHX1XZlRefbVqKO6gO4AUTlJOq4=,iv:08EQ/9iVZ93P0I+mYBv3SuKfLs/T3ZS6yZkdAuzU4KI=,tag:c2OiB4R/aBLjVY5EfPSJgA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaREllV3RqUVg0anpIU1Rj
+            RFh3WkdGdEU5bWg0bWk3bWU5OHFkeFF6SGh3CmlOek9zL2w4a0ZHc0p0WTNucE1Q
+            dVpDeW93QlNHZGY1dWhOc0FneUFjQUUKLS0tIEhuZE1CMmZLZFIxbXJTZmIzcEE4
+            QStxOG1iMWlxQ2dmOXRabXp4cm9NSU0K/+CRAc7DH4PgbQscXvDb7yLe8VoEpixr
+            icD3GL37kYE2D4h1cm+p+/b7BF4/yjNlCUvo5cITXRjZAuiWGwUixQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-19T10:39:39Z"
+    mac: ENC[AES256_GCM,data:UXfogL8cIidQpdrTNVCofPRkoC00OczHIQcISQ1AlL+BTl8NjdQfzVdknczDagtooAXdV8Cf+Qf9xMzDd7svFv2Uyc6Tzz80171My9d8bHLtv1Q5TbJ4OSAVr38tOd35APnPgsvgX2SXEDf/vvUuTN7mljPTFuF0raCqLlN+LGg=,iv:s2AH5PUohmLTo2LN3Vq9RW1OOO4I9YkyuK1/ODGwegc=,tag:YmzJBbt2TGJsy5ym8ZkP2Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

badhouseplants/values/values.drone-runner-kube.yaml

@@ -0,0 +1,13 @@
+---
+env:
+  DRONE_RPC_SECRET: drone-rpc-sec
+  DRONE_RPC_HOST: drone.badhouseplants.net
+  DRONE_RPC_PROTO: https
+  DRONE_NAMESPACE_DEFAULT: drone-service
+  DRONE_RESOURCE_LIMIT_CPU: 300
+  DRONE_RESOURCE_REQUEST_CPU: 100
+  DRONE_RESOURCE_LIMIT_MEMORY: 2048Mi
+  DRONE_RESOURCE_REQUEST_MEMORY: 512Mi
+rbac:
+  buildNamespaces:
+    - drone-service

badhouseplants/values/values.drone.yaml

@@ -0,0 +1,6 @@
+env:
+  DRONE_SERVER_HOST: drone.badhouseplants.net
+  DRONE_SERVER_PROTO: https
+  DRONE_RPC_SECRET: drone-rpc-sec
+  DRONE_GITEA_SERVER: https://git.badhouseplants.net
+  DRONE_USER_CREATE: username:allanger,admin:true

releases.yaml

@@ -20,9 +20,17 @@ templates:
         args: 
           - -c 
           - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f -"
+  default-env-values: 
+    values: 
+      - "{{ requiredEnv \"PWD\" }}/{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml"
+  default-env-secrets:
+    secrets: 
+      - "{{ requiredEnv \"PWD\" }}/{{ .Environment.Name }}/values/secrets.{{ .Release.Name }}.yaml"
   # ----------------------------
   # -- Releases
   # ----------------------------
+  # -- System
+  # ----------------------------
   metrics-server: &metrics-server
     name: metrics-server
     chart: metrics-server/metrics-server
@@ -52,22 +60,41 @@ templates:
   istio-gateway: &istio-gateway
     name: istio-gateway
     chart: istio/gateway
-    values:
-      - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml"
     inherit:
       - template: istio-version
+      - template: default-env-values
 
   istiod: &istiod
     name: istiod
     chart: istio/istiod
-    values:
-      - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml"
     inherit:
       - template: istio-version
-
+      - template: default-env-values
+  
+  # ----------------------------
+  # -- Applications
+  # ----------------------------
   openvpn: &openvpn
     name: openvpn
     chart: allanger-charts/openvpn
     version: 1.0.1
-    values: 
-      - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml"
+    inherit:
+      - template: default-env-values
+
+  drone: &drone
+    name: drone
+    chart: drone/drone
+    version: 0.6.4
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+  
+  drone-runner-kube: &drone-runner-kube
+    name: drone-runner-kube
+    chart: drone/drone-runner-kube
+    version: 0.1.10
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+

repositories.yaml

@@ -8,3 +8,5 @@ repositories:
     url: https://charts.jetstack.io
   - name: istio
     url: https://istio-release.storage.googleapis.com/charts
+  - name: drone
+    url: https://charts.drone.io