diff --git a/.drone.yml b/.drone.yml index 54c7254..a326c90 100644 --- a/.drone.yml +++ b/.drone.yml @@ -19,20 +19,24 @@ steps: environment: KUBECONFIG_CONTENT: from_secret: KUBECONFIG_CONTENT + SOPS_AGE_KEY: + from_secret: SOPS_AGE_KEY commands: - mkdir $HOME/.kube - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config - - helmfile -e badhouseplants diff + - helmfile -e badhouseplants diff --suppress-secrets - name: Diff eterosoft image: ghcr.io/helmfile/helmfile:canary environment: + SOPS_AGE_KEY: + from_secret: SOPS_AGE_KEY KUBECONFIG_CONTENT: from_secret: KUBECONFIG_CONTENT commands: - mkdir $HOME/.kube - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config - - helmfile -e etersoft diff + - helmfile -e etersoft diff --suppress-secrets --- # ---------------------------------------------- @@ -54,18 +58,22 @@ steps: environment: KUBECONFIG_CONTENT: from_secret: KUBECONFIG_CONTENT + SOPS_AGE_KEY: + from_secret: SOPS_AGE_KEY commands: - mkdir $HOME/.kube - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config - - helmfile -e badhouseplants apply + - helmfile -e badhouseplants apply --suppress-secrets - name: Apply eterosoft image: ghcr.io/helmfile/helmfile:canary environment: KUBECONFIG_CONTENT: from_secret: KUBECONFIG_CONTENT + SOPS_AGE_KEY: + from_secret: SOPS_AGE_KEY commands: - mkdir $HOME/.kube - echo $KUBECONFIG_CONTENT | base64 -d > $HOME/.kube/config - - helmfile -e etersoft apply + - helmfile -e etersoft apply --suppress-secrets diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..583442d --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,6 @@ +creation_rules: + - path_regex: .*/values/.* + key_groups: + - age: + - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + diff --git a/badhouseplants/helmfile.yaml b/badhouseplants/helmfile.yaml index e69de29..cdee092 100644 --- a/badhouseplants/helmfile.yaml +++ b/badhouseplants/helmfile.yaml 
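Review bot: `--suppress-secrets` on the `helmfile ... diff` and `apply` lines only redacts `kind: Secret` resources in the diff output; if the drone chart renders the `env` map straight into the Deployment pod spec rather than into a Secret, the decrypted `DRONE_GITEA_CLIENT_SECRET` and `DRONE_SECRET_PLUGIN_TOKEN` would still be printed in the CI log, so check the rendered manifest before relying on the flag. Injecting `SOPS_AGE_KEY` into the Diff steps also hands the private key to whatever build runs that pipeline; if the secret is enabled for pull-request events, restrict it to push/tag builds (Drone's per-secret pull-request toggle) so a modified `.drone.yml` in a PR cannot read it. The same two points apply to the second hunk (`Apply badhouseplants` / `Apply eterosoft`). The `SOPS_AGE_KEY` entry is placed before `KUBECONFIG_CONTENT` in the `Diff eterosoft` step but after it in the other three steps; keep one order.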
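Review bot: `creation_rules` lists a single age recipient, so every `secrets.*.yaml` file can only be decrypted with that one key; losing it makes the files unrecoverable and rotating it means re-encrypting every file. Add a second recipient (an offline backup key or a maintainer's key) under `age:`, and consider narrowing `path_regex` from `.*/values/.*` to the secrets files only, e.g. `path_regex: .*/values/secrets\..*\.yaml`, so a stray `sops -e` on a `values.*.yaml` file does not encrypt it. A comment above the rule naming the owner of the recipient key (the CI key, presumably) would help the next maintainer.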
@@ -0,0 +1,17 @@
+---
+{{ readFile "../releases.yaml" }}
+
+releases:
+ - <<: *drone
+ installed: true
+ namespace: drone-service
+ createNamespace: false
+
+ - <<: *drone-runner-kube
+ installed: true
+ namespace: drone-service
+ createNamespace: false
+
+bases:
+ - ../environments.yaml
+ - ../repositories.yaml
diff --git a/badhouseplants/values/secrets.drone-runner-kube.yaml b/badhouseplants/values/secrets.drone-runner-kube.yaml
new file mode 100644
index 0000000..67c1c78
--- /dev/null
+++ b/badhouseplants/values/secrets.drone-runner-kube.yaml
@@ -0,0 +1,22 @@
+env:
+ DRONE_SECRET_PLUGIN_TOKEN: ENC[AES256_GCM,data:6vsbRkd6DbWKf6qPPtfmv14cvKc=,iv:PPlH4m+SyMNNo/bV5/hpW2CZPGwxNKwO3RzY5RPOu5w=,tag:BGEf82OvMjDQvKe078/Fkg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVk0yaTlySHpuOWFFT3J5
+ Z210NzJPTmV0akdFQ1REM1JzK0pwTC9XWjJJCm54QmQ3ODJwakZuamMzYTBIeEJi
+ aUxKNmQ3dU52V2N2cjl5VTJpTTAwWGsKLS0tIDFyR2o2VnQ4QWFCWWRzZGNMZnNQ
+ em1VMlhBNGRrVFhXVUVRdU16Q1Q4bUEKvZ6UbZsfdvfCk37FlEN4vg0RTnPO2nwh
+ DY4klzcan+9DBRT2qdIIy6pj94GuSoXKXEYc9X0AvYab/HoLithMWA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-02-19T11:56:50Z"
+ mac: ENC[AES256_GCM,data:5U/D1hI+3zulh0UuuBv/oGAU8Bz5hpWvLCxUSCQbPSOW08S2jBiyDEdDJH7g0/y1xQkd3xJYLzJ7ccWx98j+0QJ+HOzcUF1Hwro6Zl0GSw8D4xvIeulHwwM6MBJGtOanbSHjeJ6Qyqf/tM5bF9GXpDblrNOXrnhvGOHj2GkzstU=,iv:AWAn3hAUEs8mbproV0M5EJyKddfNmUrI0ouIjvh1fEE=,tag:bFIQa/v4CaDx4RAJ7aHjeg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/badhouseplants/values/secrets.drone.yaml b/badhouseplants/values/secrets.drone.yaml
new file mode 100644
index 0000000..0d56eec
--- /dev/null
+++ b/badhouseplants/values/secrets.drone.yaml
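Review bot: Both releases set `namespace: drone-service` with `createNamespace: false`, so `helmfile apply` fails on a cluster where that namespace does not yet exist unless it is created elsewhere; either set `createNamespace: true` on the `drone` release or document the precondition with a comment such as `# drone-service must exist before apply; it is not created by these releases`. The `<<: *drone` and `<<: *drone-runner-kube` merge keys depend on anchors defined in the inlined `../releases.yaml`; a comment after the `readFile` line saying that the anchors come from that file would make this helmfile readable on its own.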
@@ -0,0 +1,23 @@
+env:
+ DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:BbhUhVbrqFhD3Bw3w0ZfXRFNDkR7LV2gtabUOR990UQ6xDFw,iv:PfsuCU8A0C7MxVd9q6h6hexpeqxDJIshG16+Yoj9uTA=,tag:5mqw0hVJSlIta4p9VxGomw==,type:str]
+ DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:W3NzKBlKhzB1lPmLbMfVkHxtnod25tGi1lHJW2RWc46je6NeWHX1XZlRefbVqKO6gO4AUTlJOq4=,iv:08EQ/9iVZ93P0I+mYBv3SuKfLs/T3ZS6yZkdAuzU4KI=,tag:c2OiB4R/aBLjVY5EfPSJgA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaREllV3RqUVg0anpIU1Rj
+ RFh3WkdGdEU5bWg0bWk3bWU5OHFkeFF6SGh3CmlOek9zL2w4a0ZHc0p0WTNucE1Q
+ dVpDeW93QlNHZGY1dWhOc0FneUFjQUUKLS0tIEhuZE1CMmZLZFIxbXJTZmIzcEE4
+ QStxOG1iMWlxQ2dmOXRabXp4cm9NSU0K/+CRAc7DH4PgbQscXvDb7yLe8VoEpixr
+ icD3GL37kYE2D4h1cm+p+/b7BF4/yjNlCUvo5cITXRjZAuiWGwUixQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-02-19T10:39:39Z"
+ mac: ENC[AES256_GCM,data:UXfogL8cIidQpdrTNVCofPRkoC00OczHIQcISQ1AlL+BTl8NjdQfzVdknczDagtooAXdV8Cf+Qf9xMzDd7svFv2Uyc6Tzz80171My9d8bHLtv1Q5TbJ4OSAVr38tOd35APnPgsvgX2SXEDf/vvUuTN7mljPTFuF0raCqLlN+LGg=,iv:s2AH5PUohmLTo2LN3Vq9RW1OOO4I9YkyuK1/ODGwegc=,tag:YmzJBbt2TGJsy5ym8ZkP2Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/badhouseplants/values/values.drone-runner-kube.yaml b/badhouseplants/values/values.drone-runner-kube.yaml
new file mode 100644
index 0000000..2589a1c
--- /dev/null
+++ b/badhouseplants/values/values.drone-runner-kube.yaml
@@ -0,0 +1,13 @@
+---
+env:
+ DRONE_RPC_SECRET: drone-rpc-sec
+ DRONE_RPC_HOST: drone.badhouseplants.net
+ DRONE_RPC_PROTO: https
+ DRONE_NAMESPACE_DEFAULT: drone-service
+ DRONE_RESOURCE_LIMIT_CPU: 300
+ DRONE_RESOURCE_REQUEST_CPU: 100
+ DRONE_RESOURCE_LIMIT_MEMORY: 2048Mi
+ DRONE_RESOURCE_REQUEST_MEMORY: 512Mi
+rbac:
+ buildNamespaces:
+ - drone-service
\ No newline at end of file
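Review bot: `DRONE_RPC_SECRET: drone-rpc-sec` commits the server/runner shared secret in a plaintext values file while the other credentials in this commit are sops-encrypted; whoever holds this value can register a runner and receive build jobs together with their secrets. Unless `drone-rpc-sec` is a placeholder that the chart resolves to a Kubernetes Secret, move the key into `secrets.drone-runner-kube.yaml` (and into `secrets.drone.yaml`, since `values.drone.yaml` carries the same plaintext value) and generate a random value for it. `DRONE_NAMESPACE_DEFAULT: drone-service` together with `buildNamespaces: - drone-service` schedules pipeline pods in the same namespace as the Drone server and runner; a dedicated build namespace keeps untrusted pipeline containers away from the controller's Secrets. `DRONE_RESOURCE_LIMIT_CPU: 300` and `DRONE_RESOURCE_REQUEST_CPU: 100` are bare YAML integers, and Kubernetes env values must be strings, so unless the chart quotes them write `"300"` and `"100"`.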
diff --git a/badhouseplants/values/values.drone.yaml b/badhouseplants/values/values.drone.yaml new file mode 100644 index 0000000..b3dc07e --- /dev/null +++ b/badhouseplants/values/values.drone.yaml @@ -0,0 +1,6 @@ +env: + DRONE_SERVER_HOST: drone.badhouseplants.net + DRONE_SERVER_PROTO: https + DRONE_RPC_SECRET: drone-rpc-sec + DRONE_GITEA_SERVER: https://git.badhouseplants.net + DRONE_USER_CREATE: username:allanger,admin:true diff --git a/releases.yaml b/releases.yaml index d6cbb12..4d17d80 100644 --- a/releases.yaml +++ b/releases.yaml @@ -20,9 +20,17 @@ templates: args: - -c - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f -" + default-env-values: + values: + - "{{ requiredEnv \"PWD\" }}/{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml" + default-env-secrets: + secrets: + - "{{ requiredEnv \"PWD\" }}/{{ .Environment.Name }}/values/secrets.{{ .Release.Name }}.yaml" # ---------------------------- # -- Releases # ---------------------------- + # -- System + # ---------------------------- metrics-server: &metrics-server name: metrics-server chart: metrics-server/metrics-server 
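Review bot: This file omits the leading `---` that `values.drone-runner-kube.yaml` starts with; keep one convention across the `values/` files. `DRONE_USER_CREATE: username:allanger,admin:true` bootstraps an admin account on every deploy, presumably as a no-op once the user exists; a comment such as `# bootstrap admin account; keep in sync with the Gitea username` would record the intent.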
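Review bot: The two new templates build their file paths from `requiredEnv "PWD"`, so the values and secrets files resolve only when helmfile is invoked from the repository root, and the run aborts with a template error when `PWD` is unset (it is set by interactive shells and `sh -c`, not guaranteed by every launcher). That precondition is not written down anywhere; add a comment above `default-env-values`, e.g. `# paths are anchored on $PWD: run helmfile from the repository root (as the CI pipeline does)`. Presumably this replaced the relative paths because `badhouseplants/helmfile.yaml` now inlines this file via readFile and relative paths would resolve against that subdirectory; stating that in the same comment explains why `PWD` is used at all.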
@@ -52,22 +60,41 @@ templates: istio-gateway: &istio-gateway name: istio-gateway chart: istio/gateway - values: - - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml" inherit: - template: istio-version + - template: default-env-values istiod: &istiod name: istiod chart: istio/istiod - values: - - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml" inherit: - template: istio-version - + - template: default-env-values + + # ---------------------------- + # -- Applications + # ---------------------------- openvpn: &openvpn name: openvpn chart: allanger-charts/openvpn version: 1.0.1 - values: - - "{{ .Environment.Name }}/values/values.{{ .Release.Name }}.yaml" + inherit: + - template: default-env-values + + drone: &drone + name: drone + chart: drone/drone + version: 0.6.4 + inherit: + - template: default-env-values + - template: default-env-secrets + + drone-runner-kube: &drone-runner-kube + name: drone-runner-kube + chart: drone/drone-runner-kube + version: 0.1.10 + inherit: + - template: default-env-values + - template: default-env-secrets + + diff --git a/repositories.yaml b/repositories.yaml index 67edd60..6772423 100644 --- a/repositories.yaml +++ b/repositories.yaml @@ -8,3 +8,5 @@ repositories: url: https://charts.jetstack.io - name: istio url: https://istio-release.storage.googleapis.com/charts + - name: drone + url: https://charts.drone.io