From a1b5b510ccac2ee896c2717980786bcf4dc29114 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Thu, 10 Oct 2024 07:25:16 +0200
Subject: [PATCH] Prepare roles

---
 .pre-commit-config.yaml | 1 +
 charts/roles/templates/rolebindings.yaml | 27 +++++++++++
 .../templates/{namespaces.yaml => roles.yaml} | 0
 charts/roles/templates/sa.yaml | 20 ++++++++
 installations/pipelines/helmfile.yaml | 7 +++
 .../secrets.woodpecker-ci-kube.yaml | 23 +++++++++
 .../badhouseplants/secrets.woodpecker-ci.yaml | 48 +++++++++----------
 values/badhouseplants/values.roles.yaml | 14 ++++++
 .../values.woodpecker-ci-kube.yaml | 16 +++++++
 9 files changed, 132 insertions(+), 24 deletions(-)
 create mode 100644 charts/roles/templates/rolebindings.yaml
 rename charts/roles/templates/{namespaces.yaml => roles.yaml} (100%)
 create mode 100644 charts/roles/templates/sa.yaml
 create mode 100644 values/badhouseplants/secrets.woodpecker-ci-kube.yaml
 create mode 100644 values/badhouseplants/values.woodpecker-ci-kube.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7f4fa1f..036e282 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,6 +7,7 @@ repos: rev: v0.13.0 hooks: - id: yamlfmt + exclude: ^charts/ - repo: local hooks: - id: check-sops-secrets
diff --git a/charts/roles/templates/rolebindings.yaml b/charts/roles/templates/rolebindings.yaml
new file mode 100644
index 0000000..4108870
--- /dev/null
+++ b/charts/roles/templates/rolebindings.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.bindings }}
+{{- range $bindings := .Values.bindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $bindings.kind }}
+metadata:
+ name: {{ $bindings.name }}
+ namespace: {{ $bindings.namespace }}
+ labels:
+ {{- include "roles.labels" $ | nindent 4 }}
+ {{- with $bindings.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $bindings.annotations}}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+subjects:
+{{- with $bindings.subjects }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+roleRef:
+{{- with $bindings.roleRef }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/roles/templates/namespaces.yaml b/charts/roles/templates/roles.yaml
similarity index 100%
rename from charts/roles/templates/namespaces.yaml
rename to charts/roles/templates/roles.yaml
diff --git a/charts/roles/templates/sa.yaml b/charts/roles/templates/sa.yaml
new file mode 100644
index 0000000..ce02cf0
--- /dev/null
+++ b/charts/roles/templates/sa.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.sa }}
+{{- range $sa := .Values.roles }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $sa.name }}
+ namespace: {{ $sa.namespace }}
+ labels:
+ {{- include "roles.labels" $ | nindent 4 }}
+ {{- with $sa.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $sa.annotations}}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: true
+{{- end }}
+{{- end }}
diff --git a/installations/pipelines/helmfile.yaml b/installations/pipelines/helmfile.yaml
index 42391cb..e6a385b 100644
--- a/installations/pipelines/helmfile.yaml
+++ b/installations/pipelines/helmfile.yaml
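Review bot: `namespace: {{ $bindings.namespace }}` under `metadata:` is rendered for every entry, including `kind: ClusterRoleBinding`, which is cluster-scoped; values.roles.yaml in this same commit sets `namespace: pipelines` on such an entry, so the rendered manifest carries a namespace that the API server drops on create and that only misleads whoever audits the bindings later. Emit it only for namespaced kinds: `{{- if eq $bindings.kind "RoleBinding" }}` / ` namespace: {{ $bindings.namespace }}` / `{{- end }}`. Separately, `subjects:` and `roleRef:` are always written even when the entry omits them, so a typo in values renders `roleRef:` as null and fails at apply time instead of template time; `{{ toYaml (required "bindings[].roleRef is required" $bindings.roleRef) | nindent 2 }}` (and the same for `subjects`) makes the chart fail fast. Since this template is what hands out ClusterRoles, a one-line comment at the top stating that `kind` and `roleRef` come straight from values and are not validated would also help the next reader.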
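Review bot: `{{- range $sa := .Values.roles }}` in sa.yaml iterates the wrong list: the guard above it checks `.Values.sa`, and values.roles.yaml defines the account under `sa:`, so no `woodpecker-ci` ServiceAccount is produced and instead one ServiceAccount is rendered per `roles:` entry, whose `namespace` is a list there (`["public-xray"]`) and renders as `namespace: [public-xray]`, which is not a valid namespace value. The fix is `{{- range $sa := .Values.sa }}`. `automountServiceAccountToken: true` is also hard-coded for every account this template creates; since these accounts are the subjects of the bindings template, make it per-entry, `automountServiceAccountToken: {{ default false $sa.automountToken }}`, and enable it explicitly only where a token is really needed (the Woodpecker agent does need one to reach the API). The `sa:` entry in values.roles.yaml carries no `namespace`, so `namespace: {{ $sa.namespace }}` renders empty and the account would land in whatever namespace the roles release happens to be installed to — `{{ required "sa[].namespace is required" $sa.namespace }}` closes that.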
@@ -17,6 +17,13 @@ releases: - template: ext-database - template: default-env-values - template: default-env-secrets + - name: woodpecker-ci-kube + chart: woodpecker/woodpecker + namespace: pipelines + version: 1.6.0 + inherit: + - template: default-env-values + - template: default-env-secrets - name: renovate-gitea chart: renovate/renovate namespace: pipelines
diff --git a/values/badhouseplants/secrets.woodpecker-ci-kube.yaml b/values/badhouseplants/secrets.woodpecker-ci-kube.yaml
new file mode 100644
index 0000000..35d91f0
--- /dev/null
+++ b/values/badhouseplants/secrets.woodpecker-ci-kube.yaml
@@ -0,0 +1,23 @@
+agent:
+ env:
+ WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:w9ey2dRr2J5Wp0NzrhO4nxLcQ46RkZzXJaodUdCkwmX0cRQ5U26E7SVHiCIBbQw4b4PGVUz0sqkmQKfSilbG7A==,iv:UFW80TdFuASBwVwk91WehKSwga6UCvcC5F2jjgk6Gi8=,tag:QIVzA5kJAENCkMT9jsEgLA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvU1kySE5oTkVTKzRkSXNO
+ cG83UFBoMVh2S2tjcG1KTUNYSVVEaWxDZ3pvCjluY0IrWWFmYkxzWXFITmFUZm00
+ a2ZEUTU3T25QNDkySXJzOXpmVTV5dmMKLS0tIFZaeGVlM2tUeEUzdlVzR3c2cGNv
+ YWUyaS90YVhwUHZwOFVXOEg5M3cwOWcKTZXRuLS3Ywd0BTN6emE7ngm5RWTWI1Ka
+ IKJVfvBa9DtpD0diWbaQJq5Mabh6K+VXlnM8T9p6qtWimR/Jy0N+6g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-10T05:07:15Z"
+ mac: ENC[AES256_GCM,data:8clnBEEKrGK2G/PWdjXNhiufmR4C52rVAeNR8mKz5R1bvxN3wyj/kz7I+pdS1EI+fE7ZVuB24e4cmYHTrY4vJJOc8yT8wHT7WfLqKsia8A9AZc+wKhlyRr5w0iyBs834bIe9IKJymvqxEm58vjujybdRcWkqBY7pySQGYQ4MTDw=,iv:vT59gP4SegYITLdIrcgVv/ocSCmv8lr+jyRZX7Io4Ro=,tag:SbMp5hljVbKbaevo8KRKig==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/values/badhouseplants/secrets.woodpecker-ci.yaml b/values/badhouseplants/secrets.woodpecker-ci.yaml
index 2bca3e8..0d01240 100644
--- a/values/badhouseplants/secrets.woodpecker-ci.yaml
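Review bot: `WOODPECKER_AGENT_SECRET` is now kept in two independently encrypted sops files (this one and secrets.woodpecker-ci.yaml, saved about two minutes apart per their `lastmodified` stamps), and the only thing keeping them equal to the server's value is manual copying — a future rotation applied to one file but not the other leaves this agent unable to authenticate, and the diff cannot show whether the plaintexts match today because sops rewrites every ciphertext on save. Keep one source of truth: put the shared secret in a single Kubernetes Secret and reference it from both releases through the chart's `extraSecretNamesForEnvFrom` (which values.woodpecker-ci-kube.yaml currently sets to `[]`), or at minimum say in the commit message whether the value was rotated or copied. A comment above `agent:` such as `# must equal server.env.WOODPECKER_AGENT_SECRET in secrets.woodpecker-ci.yaml` would at least make the coupling visible until that is done.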
+++ b/values/badhouseplants/secrets.woodpecker-ci.yaml 
@@ -1,27 +1,27 @@ server:
- env:
- WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:YCK++7hNKOQ9cuXTdRsN/x6nt76PNqvM16XaLnw4O0Uh5LQGv8nZt+Oighd7KIXFhsUfgCfPUU0=,iv:WrTNlxO+6rMa1uxv58k74L1udl7r7XSw5yzOZHBJuAk=,tag:lsHvrNTsoq1aCl5Q/rzkdA==,type:str]
- WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:o3w9/9UJtKEHcsKz7lfTl/zboYAQjYZLQUpOs4i3UPxsSaOy1AvezQZauHwYJZoVsJwWFE0XtOLhnd8bx3UlHA==,iv:CD5lgqFY/cJFewbPJqo+lniMCQaZK8PY4CmL1IsC6IQ=,tag:R8GU3HgZXcSLqOedYuMeGg==,type:str]
+ env:
+ WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:EWJ97zJee7yMCNBPmX3FnyH0vbtztVtMppGDQv2mfF/o+t2D8EquFtux5HUiutr8IrIM1BYXWeU=,iv:vcavAGo5YJ4jFFHgjI/iSOUkG9ujdPNXPx9We+RLXPk=,tag:nFpRLHMq65cFwdyavMD8VA==,type:str]
+ WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:jLhHB3z2CnTgikMqtlZKBeP2VWqAf6fpMTdPDisr1cymb9SPWjMjvojNRhpUp0dBpkgVlb6i6hbg3FK+l8g23g==,iv:AldKY5wZqN3hCImoLc0ox5f4dx7htSFLXQK4PXvQH4c=,tag:sten4kMl+2Q6P9C1dxP46g==,type:str]
agent:
- env:
- WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:aHTziUzut6goUZR2JtNaqRTC1mvdA1HS1OLJRHdXtI6coVGcLahxl14Kun4JqsKEXLHeAyU9WEijoRRgixOHsA==,iv:txYRgyO2XHbWnp81ow1EyT4VbzxW+Q3d/NzzclNGT6U=,tag:8nEPzQNPi2bXTDYa81M/aw==,type:str]
+ env:
+ WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:FDxYdYR6DDRA4vdlxzB8oNGM2GsDlKVjZGLz8E0eL5JxzMiSfZvpAixKRN95L+pdpJhZJKAxWUIg/21/3ZJgjg==,iv:yova3Ane8wHOKP1uPWF/j2vwfoUQ67siv62Z4iubMT0=,tag:WIvNbUGwm2NpYtHO+ZZcOQ==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOXBuOG1WaFc2cGVPeEp2
- bkxTWWJYcFJMdjM4S01wTjRYY2RlZldSbTFRCks1TVlwS3BTTnUySDVjMGpobG43
- YWU3eHlLcGJMcEIvMUZiVmIyU1NnK28KLS0tIGlwZ3NLQndac0F0QTB1azJHQUlT
- TmNXN1BYQ1JDOFRJV1A3WWFYQkR5R0kK+dSdoRdeiJBrhU6YnWb9P489dpTvhjBW
- GFPuTrQxqy3C6frb5K0huI1anarmdirwglD+/3UvTSQ0CEbUk95EMQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-08T20:44:23Z"
- mac: 
ENC[AES256_GCM,data:dMXGJRe5/k5+XFuvORJHGCmcSL2fsP9Pim2w1k3sUdJZslqptdDm+lk01mjPBMrQkgMyX7GHIwaqMU2hK5i8nBKYz6SSq91MgD+vtVHQoum5DtmAFwBOdT+m3VVo395OnLvXT1SvskgMU6ddy7uDD7UBrkVe/DxQjX3s0/IntRY=,iv:6v6j8U7nRlQ+YEs9wiPRpnkoGjCMPbfMp/ecrNgksis=,tag:P0aGi7qBJdTz90CNGF10dA==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.0
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNGN1V0hyS0owU3ZTMzhl
+ cEVXd0NrYm1TajVtZHJRYXdQU3JCRm12UkJvCjA5UFZWZGJlcDNoUFJabDZEc1BE
+ eHdrbWowdkdGdDJvKzZjOVVzcjlhQ28KLS0tIFE3UHhUdHVtUkgzSldHMENsK25Y
+ N0NxK0Q3MVlIUGxRZ2JTMnZnVjRPcUEKIBWPco85fPWl0cv7G7Sl2NlHGFe4gQw4
+ 2CU1PhmQYmbkSL5mnz3f8vQ/72JA6p2PGGL+kDlpgL+37mYocNDHyA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-10T05:05:36Z"
+ mac: ENC[AES256_GCM,data:k8T0g9VAVgeaaguE9+QIgSSgCoGAOkadwJn24XAVm8f2snlwb0qargepxLDmG5Lzs8XdoOr8xWHpEzNKibP8UPTVkf3xw8KnAiRI1SDK2biTzthzOqTB0A/FrGatakfPNDqeP87gteBe25HiMcrJnqXeYOWrGyHIZjCZVObM+p0=,iv:cKbVkzyVPkPlQXswtUf5wXyrg4duG5V3IokkhULc9o8=,tag:XTI1eQyZsbHjm7z/b9W+Lw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/values/badhouseplants/values.roles.yaml b/values/badhouseplants/values.roles.yaml
index 0c9d7e8..8d74a12 100644
--- a/values/badhouseplants/values.roles.yaml
+++ b/values/badhouseplants/values.roles.yaml
@@ -7,3 +7,17 @@ roles: resources: ["*"] verbs: ["*"] namespace: ["public-xray"]
+bindings:
+ - name: woodpecker-ci
+ namespace: pipelines
+ kind: ClusterRoleBinding
+ subjects:
+ - kind: ServiceAccount
+ name: pipelines
+ namespace: woodpecker-ci
+ roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+sa:
+ - name: woodpecker-ci
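Review bot: `cluster-admin` is far more than a CI agent needs, and the subject of this ClusterRoleBinding (`name: pipelines`, `namespace: woodpecker-ci`) matches nothing the commit creates — the `sa:` entry below is named `woodpecker-ci` with no namespace, and the helmfile installs the kube agent into `pipelines` with the chart's own `serviceAccount.create: true` — so the binding is either dead as written or, once the names are "fixed", hands cluster-admin to the agent and to any pipeline step that gets at its mounted token. As far as I know the Woodpecker Kubernetes backend only needs to manage pods, pods/log, secrets and persistentvolumeclaims inside `WOODPECKER_BACKEND_K8S_NAMESPACE` (`pipelines`), which is what the chart's `rbac.create: true` should already render (verify against the chart's Role), so the least-privilege option is to delete both the `bindings` and `sa` entries and rely on the chart; if a hand-managed account is wanted, bind a namespaced Role as below and give it only those verbs in a matching `roles:` entry rather than `["*"]`. `namespace: pipelines` on the `ClusterRoleBinding` itself is meaningless for a cluster-scoped kind and is dropped by the API server. A comment above `bindings:` recording why this account exists next to the chart-created one would spare the next reviewer the same question.
```yaml
# … unchanged: existing roles: entries …
bindings:
  - name: woodpecker-ci
    namespace: pipelines
    kind: RoleBinding
    subjects:
      - kind: ServiceAccount
        name: woodpecker-ci
        namespace: pipelines
    roleRef:
      kind: Role
      name: woodpecker-ci-agent   # namespaced Role limited to the pod/secret/pvc verbs the agent needs
      apiGroup: rbac.authorization.k8s.io
sa:
  - name: woodpecker-ci
    namespace: pipelines
```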
diff --git a/values/badhouseplants/values.woodpecker-ci-kube.yaml b/values/badhouseplants/values.woodpecker-ci-kube.yaml
new file mode 100644
index 0000000..780f63e
--- /dev/null
+++ b/values/badhouseplants/values.woodpecker-ci-kube.yaml
@@ -0,0 +1,16 @@
+server:
+ enabled: false
+agent:
+ enabled: true
+ extraSecretNamesForEnvFrom: []
+ env:
+ WOODPECKER_SERVER: woodpecker-ci-server:9000
+ WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 2Gi
+ WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines
+ WOODPECKER_BACKEND_K8S_STORAGE_CLASS: openebs-hostpath
+ WOODPECKER_FILTER_LABELS: purpose=kubernetes
+ serviceAccount:
+ create: true
+ rbac:
+ create: true
+ replicaCount: 1
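Review bot: `WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines` runs every pipeline step pod in the same namespace as the agent itself (the helmfile installs this release into `pipelines`) and, judging by the unqualified `woodpecker-ci-server:9000`, presumably beside the server too; whatever Role the chart's `rbac.create: true` renders for the agent therefore covers the namespace its own Secrets and the server's live in, so a step that breaks out of its container or is handed a ServiceAccount from that namespace is one hop from the CI credentials. Give job pods a namespace of their own, e.g. `WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines-jobs`, so the chart-rendered Role only reaches that namespace and the agent and server Secrets stay out of it (confirm the chart scopes its Role to the backend namespace rather than the release namespace). `WOODPECKER_SERVER: woodpecker-ci-server:9000` is plain gRPC, acceptable for a ClusterIP-only service, but if that port is ever exposed the agent-side TLS switch should go with it (the Woodpecker agent has a `WOODPECKER_GRPC_SECURE` setting — check it against the 1.6.0 chart pinned in the helmfile). A short comment above `env:` explaining that `purpose=kubernetes` is the label pipelines must carry to be scheduled on this agent would help the next reader.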