scubbo/blogcontent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
blogcontent/.drone.yml
Jack Jackson 35046c91e8 Communicate with Docker registry securely
2022-06-30 19:26:51 -07:00

85 lines
3.3 KiB
YAML
Raw Blame History

kind: pipeline
name: hello-world
type: docker
platform:
os: linux
arch: arm64
steps:
- name: copy-cert-into-place
image: busybox
volumes:
- name: docker-cert-persistence
path: /etc/docker/certs.d/
commands:
# https://stackoverflow.com/questions/72823418/how-to-make-drone-docker-plugin-use-self-signed-certs
- mkdir -p /etc/docker/certs.d/docker-registry.scubbo.org:8843
- cp /registry_cert.crt /etc/docker/certs.d/docker-registry.scubbo.org:8843/ca.crt
- name: check-cert-persists-between-stages
image: alpine
volumes:
- name: docker-cert-persistence
path: /etc/docker/certs.d/
commands:
- apk add curl
- curl https://docker-registry.scubbo.org:8843/v2/_catalog --cacert /etc/docker/certs.d/docker-registry.scubbo.org:8843/ca.crt
- name: build-blog
image: alpine
# Very unlikely to need updates, and pulling images seems slow on this setup -
# can manually reset this if necessary
pull: if-not-exists
commands:
# I considered caching this install in a pre-built image in registry,
# but the install seems pretty quick!
- apk add hugo git
- git submodule init
- git submodule update --recursive
- hugo --source blog
- name: push-built-image
image: plugins/docker
volumes:
- name: docker-cert-persistence
path: /etc/docker/certs.d/
settings:
repo: docker-registry.scubbo.org:8843/scubbo/blog_nginx
tags: built_in_ci
debug: true
launch_debug: true
- name: update_blog_deployment
# I've tried using https://github.com/sinlead/drone-kubectl and
# https://github.com/honestbee/drone-kubernetes, but neither is built for arm64
image: busybox
# Replicating the commands from
# https://github.com/sinlead/drone-kubectl/blob/master/init-kubectl
commands:
# https://github.com/bitnami/bitnami-docker-kubectl/issues/22 -
# there's no bitnami/kubectl image for arm64
- wget https://storage.googleapis.com/kubernetes-release/release/v1.19.2/bin/linux/arm64/kubectl
- chmod +x kubectl
- echo "Echoing Kubernetes Server"
- echo $kubernetesServer
- ./kubectl config set-credentials default --token=$kubernetesToken
- echo $kubernetesCert | base64 -d > ca.crt
- ./kubectl config set-cluster default --server=$kubernetesServer --certificate-authority=ca.crt
- ./kubectl config set-context default --cluster=default --user=default
- ./kubectl config use-context default
- ./kubectl apply -f kubernetes-resources.yml
# This next line wouldn't be necessary if new tags were generated for each image
# (though then I'd have to dynamically plumb them into the yml file)
# TODO - research if there's a better way to do this. Note that this isn't done
# in the `honestbee` repo that I copied from - but I confirmed by `curl`-ing localhost
# that simply applying the yml leaves the definitions and the service's output
# unchanged, despite `imagePullPolicy: 'Always'`
- ./kubectl rollout restart -n blog deployment/blog-deployment
environment:
kubernetesServer:
from_secret: k8s_server
kubernetesCert:
from_secret: k8s_cert
kubernetesToken:
from_secret: k8s_token
volumes:
- name: docker-cert-persistence
temp: {}
Reference in New Issue View Git Blame Copy Permalink