Add Drone

app-of-apps/templates/apps.yaml

@@ -222,14 +222,14 @@ spec:
           externalGrafana:
             url: http://grafana.avril
           fullnameOverride: "oncall-ovrd" # Without this, there are clashes between resources (ServiceAccounts, Secrets) that are similarly named between Oncall itself and the underlying Grafana templates. Also this needs to b e short otherwise the batch jobs created have names that are too long
-          env:
-            - name: FEATURE_TELEGRAM_INTEGRATION_ENABLED
-              value: "true"
-            - name: TELEGRAM_WEBHOOK_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: telegram-webhook-host-secret
-                  key: url
+          # env:
+          #   - name: FEATURE_TELEGRAM_INTEGRATION_ENABLED
+          #     value: "true"
+          #   - name: TELEGRAM_WEBHOOK_HOST
+          #     valueFrom:
+          #       secretKeyRef:
+          #         name: telegram-webhook-host-secret
+          #         key: url
 
           image:
             tag: "v1.3.1-arm64-linux"
@@ -278,11 +278,11 @@ spec:
               repository: arm64v8/postgres
               tag: 15.1
 
-          telegram:
-            enabled: true
-            existingSecret: telegram-auth-secret
-            tokenKey: token
-            webhookUrl: https://oncall-grafana.scubbo.org
+          # telegram:
+          #   enabled: true
+          #   existingSecret: telegram-auth-secret
+          #   tokenKey: token
+          #   webhookUrl: https://oncall-grafana.scubbo.org
 
   destination:
     server: https://kubernetes.default.svc
@@ -384,4 +384,32 @@ spec:
       prune: true
     syncOptions:
     - CreateNamespace=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: drone
+  namespace: argo
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
 
+  source:
+    repoURL: https://gitea.scubbo.org/scubbo/helm-charts.git
+    targetRevision: HEAD
+    path: charts/drone
+
+    helm:
+      valueFiles:
+      - values.yaml
+
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: drone
+
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true

charts/drone/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: drone-scubbo
+description: A personalized Helm chart to deploy Gitea to Kubernetes
+
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: drone
+    repository: https://charts.drone.io
+    version: "0.6.4"
+    alias: drone-server
+  - name: drone-runner-docker
+    repository: https://charts.drone.io
+    version: "0.6.1"
+    alias: drone-runner

charts/drone/README.md

@@ -0,0 +1,13 @@
+TODO:
+* Create the following in an initContainer if they don't exist:
+  * The Gitea OAuth application at startup
+  * The Prometheus user (https://cogarius.medium.com/3-3-complete-guide-to-ci-cd-pipelines-with-drone-io-on-kubernetes-drone-metrics-with-prometheus-c2668e42b03f) - probably by mounting the volume, using sqlite3 to parse out admin password, then using that to make API call
+* Create `gitea_password` Organization Secret at init.
+
+Create secret named `gitea-oauth-creds`, with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET`. Remember also to create an Organization Secret named `gitea_password` for pulling.
+
+For MTU problem diagnosis:
+
+https://github.com/gliderlabs/docker-alpine/issues/307#issuecomment-634852419
+
+https://liejuntao001.medium.com/fix-docker-in-docker-network-issue-in-kubernetes-cc18c229d9e5

charts/drone/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "drone-scubbo.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "drone-scubbo.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "drone-scubbo.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "drone-scubbo.labels" -}}
+helm.sh/chart: {{ include "drone-scubbo.chart" . }}
+{{ include "drone-scubbo.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "drone-scubbo.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "drone-scubbo.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "drone-scubbo.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "drone-scubbo.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/drone/templates/rpc_secret.yaml

@@ -0,0 +1,20 @@
+{{- /*
+      https://itnext.io/manage-auto-generated-secrets-in-your-helm-charts-5aee48ba6918
+  */}}
+{{- if empty .Values.manualRPCSecretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "rpc-secret"
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+  {{- $existing_secret := (lookup "v1" "Secret" .Release.Namespace "rpc-secret") | default dict }}
+  {{- $secretData := (get $existing_secret "data") | default dict }}
+  # set $secret to existing secret data or generate a random one when not exists
+  {{- $secret := (get $secretData "secret") | default (randAlphaNum 32 | b64enc) }}
+  # generate 32 chars long random string, base64 encode it and then double-quote the result string.
+  secret: {{ $secret | quote }}
+{{- end }}

charts/drone/values.yaml

@@ -0,0 +1,44 @@
+drone-server:
+  env:
+    DRONE_SERVER_HOST: drone.scubbo.org
+    DRONE_SERVER_PROTO: https
+    DRONE_RPC_SECRET: rpc-secret
+    DRONE_GITEA_SERVER: https://gitea.scubbo.org
+  extraSecretNamesForEnvFrom:
+    - gitea-oauth-creds
+  service:
+    port: 3500
+  persistentVolume:
+    storageClass: longhorn
+
+drone-runner:
+  env:
+    DRONE_RPC_SECRET: rpc-secret
+    DRONE_RPC_HOST: drone-drone-server:3500 # This is the name of the service for the runner
+    DRONE_RUNNER_NETWORK_OPTS: "com.docker.network.driver.mtu:1450"
+  dind:
+    commandArgs:
+      - "--host"
+      - "tcp://localhost:2375"
+      - "--mtu=1450"
+
+drone:
+  server: "drone.scubbo.org"
+  userCreateString: "username:scubbo,admin:true"
+
+volume:
+  nfsServer: rassigma.avril
+  nfsPath: /mnt/BERTHA/drone
+
+service:
+  type: ClusterIP
+  port: 3500
+
+gitea:
+  server: https://gitea.scubbo.org
+  # Secret with keys `clientId` and `clientSecret`
+  oauthSecretName: gitea-oauth-creds
+
+# Set this if you want to use an existing secret for the RPC
+# secret (otherwise, a fresh one will be created if necessary)
+manualRPCSecretName: ""