Prepare roles

.pre-commit-config.yaml

@@ -7,6 +7,7 @@ repos:
     rev: v0.13.0
     hooks:
       - id: yamlfmt
+        exclude: ^charts/
   - repo: local
     hooks:
       - id: check-sops-secrets

charts/roles/templates/rolebindings.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.bindings }}
+{{- range $bindings := .Values.bindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $bindings.kind }}
+metadata:
+  name: {{ $bindings.name }}
+  namespace: {{ $bindings.namespace }}
+  labels:
+    {{- include "roles.labels" $ | nindent 4 }}
+    {{- with $bindings.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $bindings.annotations}}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+{{- with $bindings.subjects }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+roleRef:
+{{- with $bindings.roleRef }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/roles/templates/sa.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.sa }}
+{{- range $sa := .Values.roles }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $sa.name }}
+  namespace: {{ $sa.namespace }}
+  labels:
+    {{- include "roles.labels" $ | nindent 4 }}
+    {{- with $sa.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $sa.annotations}}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: true
+{{- end }}
+{{- end }}

installations/pipelines/helmfile.yaml

@@ -17,6 +17,13 @@ releases:
       - template: ext-database
       - template: default-env-values
       - template: default-env-secrets
+  - name: woodpecker-ci-kube
+    chart: woodpecker/woodpecker
+    namespace: pipelines
+    version: 1.6.0
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
   - name: renovate-gitea
     chart: renovate/renovate
     namespace: pipelines

values/badhouseplants/secrets.woodpecker-ci-kube.yaml

@@ -0,0 +1,23 @@
+agent:
+  env:
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:w9ey2dRr2J5Wp0NzrhO4nxLcQ46RkZzXJaodUdCkwmX0cRQ5U26E7SVHiCIBbQw4b4PGVUz0sqkmQKfSilbG7A==,iv:UFW80TdFuASBwVwk91WehKSwga6UCvcC5F2jjgk6Gi8=,tag:QIVzA5kJAENCkMT9jsEgLA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvU1kySE5oTkVTKzRkSXNO
+        cG83UFBoMVh2S2tjcG1KTUNYSVVEaWxDZ3pvCjluY0IrWWFmYkxzWXFITmFUZm00
+        a2ZEUTU3T25QNDkySXJzOXpmVTV5dmMKLS0tIFZaeGVlM2tUeEUzdlVzR3c2cGNv
+        YWUyaS90YVhwUHZwOFVXOEg5M3cwOWcKTZXRuLS3Ywd0BTN6emE7ngm5RWTWI1Ka
+        IKJVfvBa9DtpD0diWbaQJq5Mabh6K+VXlnM8T9p6qtWimR/Jy0N+6g==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-10-10T05:07:15Z"
+  mac: ENC[AES256_GCM,data:8clnBEEKrGK2G/PWdjXNhiufmR4C52rVAeNR8mKz5R1bvxN3wyj/kz7I+pdS1EI+fE7ZVuB24e4cmYHTrY4vJJOc8yT8wHT7WfLqKsia8A9AZc+wKhlyRr5w0iyBs834bIe9IKJymvqxEm58vjujybdRcWkqBY7pySQGYQ4MTDw=,iv:vT59gP4SegYITLdIrcgVv/ocSCmv8lr+jyRZX7Io4Ro=,tag:SbMp5hljVbKbaevo8KRKig==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.1

values/badhouseplants/secrets.woodpecker-ci.yaml

@@ -1,27 +1,27 @@
 server:
-    env:
-        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:YCK++7hNKOQ9cuXTdRsN/x6nt76PNqvM16XaLnw4O0Uh5LQGv8nZt+Oighd7KIXFhsUfgCfPUU0=,iv:WrTNlxO+6rMa1uxv58k74L1udl7r7XSw5yzOZHBJuAk=,tag:lsHvrNTsoq1aCl5Q/rzkdA==,type:str]
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:o3w9/9UJtKEHcsKz7lfTl/zboYAQjYZLQUpOs4i3UPxsSaOy1AvezQZauHwYJZoVsJwWFE0XtOLhnd8bx3UlHA==,iv:CD5lgqFY/cJFewbPJqo+lniMCQaZK8PY4CmL1IsC6IQ=,tag:R8GU3HgZXcSLqOedYuMeGg==,type:str]
+  env:
+    WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:EWJ97zJee7yMCNBPmX3FnyH0vbtztVtMppGDQv2mfF/o+t2D8EquFtux5HUiutr8IrIM1BYXWeU=,iv:vcavAGo5YJ4jFFHgjI/iSOUkG9ujdPNXPx9We+RLXPk=,tag:nFpRLHMq65cFwdyavMD8VA==,type:str]
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:jLhHB3z2CnTgikMqtlZKBeP2VWqAf6fpMTdPDisr1cymb9SPWjMjvojNRhpUp0dBpkgVlb6i6hbg3FK+l8g23g==,iv:AldKY5wZqN3hCImoLc0ox5f4dx7htSFLXQK4PXvQH4c=,tag:sten4kMl+2Q6P9C1dxP46g==,type:str]
 agent:
-    env:
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:aHTziUzut6goUZR2JtNaqRTC1mvdA1HS1OLJRHdXtI6coVGcLahxl14Kun4JqsKEXLHeAyU9WEijoRRgixOHsA==,iv:txYRgyO2XHbWnp81ow1EyT4VbzxW+Q3d/NzzclNGT6U=,tag:8nEPzQNPi2bXTDYa81M/aw==,type:str]
+  env:
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:FDxYdYR6DDRA4vdlxzB8oNGM2GsDlKVjZGLz8E0eL5JxzMiSfZvpAixKRN95L+pdpJhZJKAxWUIg/21/3ZJgjg==,iv:yova3Ane8wHOKP1uPWF/j2vwfoUQ67siv62Z4iubMT0=,tag:WIvNbUGwm2NpYtHO+ZZcOQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOXBuOG1WaFc2cGVPeEp2
-            bkxTWWJYcFJMdjM4S01wTjRYY2RlZldSbTFRCks1TVlwS3BTTnUySDVjMGpobG43
-            YWU3eHlLcGJMcEIvMUZiVmIyU1NnK28KLS0tIGlwZ3NLQndac0F0QTB1azJHQUlT
-            TmNXN1BYQ1JDOFRJV1A3WWFYQkR5R0kK+dSdoRdeiJBrhU6YnWb9P489dpTvhjBW
-            GFPuTrQxqy3C6frb5K0huI1anarmdirwglD+/3UvTSQ0CEbUk95EMQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-08T20:44:23Z"
-    mac: ENC[AES256_GCM,data:dMXGJRe5/k5+XFuvORJHGCmcSL2fsP9Pim2w1k3sUdJZslqptdDm+lk01mjPBMrQkgMyX7GHIwaqMU2hK5i8nBKYz6SSq91MgD+vtVHQoum5DtmAFwBOdT+m3VVo395OnLvXT1SvskgMU6ddy7uDD7UBrkVe/DxQjX3s0/IntRY=,iv:6v6j8U7nRlQ+YEs9wiPRpnkoGjCMPbfMp/ecrNgksis=,tag:P0aGi7qBJdTz90CNGF10dA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNGN1V0hyS0owU3ZTMzhl
+        cEVXd0NrYm1TajVtZHJRYXdQU3JCRm12UkJvCjA5UFZWZGJlcDNoUFJabDZEc1BE
+        eHdrbWowdkdGdDJvKzZjOVVzcjlhQ28KLS0tIFE3UHhUdHVtUkgzSldHMENsK25Y
+        N0NxK0Q3MVlIUGxRZ2JTMnZnVjRPcUEKIBWPco85fPWl0cv7G7Sl2NlHGFe4gQw4
+        2CU1PhmQYmbkSL5mnz3f8vQ/72JA6p2PGGL+kDlpgL+37mYocNDHyA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-10-10T05:05:36Z"
+  mac: ENC[AES256_GCM,data:k8T0g9VAVgeaaguE9+QIgSSgCoGAOkadwJn24XAVm8f2snlwb0qargepxLDmG5Lzs8XdoOr8xWHpEzNKibP8UPTVkf3xw8KnAiRI1SDK2biTzthzOqTB0A/FrGatakfPNDqeP87gteBe25HiMcrJnqXeYOWrGyHIZjCZVObM+p0=,iv:cKbVkzyVPkPlQXswtUf5wXyrg4duG5V3IokkhULc9o8=,tag:XTI1eQyZsbHjm7z/b9W+Lw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.1

values/badhouseplants/values.roles.yaml

@@ -7,3 +7,17 @@ roles:
         resources: ["*"]
         verbs: ["*"]
         namespace: ["public-xray"]
+bindings:
+  - name: woodpecker-ci
+    namespace: pipelines
+    kind: ClusterRoleBinding
+    subjects:
+      - kind: ServiceAccount
+        name: pipelines
+        namespace: woodpecker-ci
+    roleRef:
+      kind: ClusterRole
+      name: cluster-admin
+      apiGroup: rbac.authorization.k8s.io
+sa:
+  - name: woodpecker-ci

values/badhouseplants/values.woodpecker-ci-kube.yaml

@@ -0,0 +1,16 @@
+server:
+  enabled: false
+agent:
+  enabled: true
+  extraSecretNamesForEnvFrom: []
+  env:
+    WOODPECKER_SERVER: woodpecker-ci-server:9000
+    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 2Gi
+    WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: openebs-hostpath
+    WOODPECKER_FILTER_LABELS: purpose=kubernetes
+  serviceAccount:
+    create: true
+  rbac:
+    create: true
+  replicaCount: 1