feat: drone job (#298)

also added gcp-key to drone env

Author: Maurice Faber

bin/common.sh

@@ -90,7 +90,8 @@ function hf_values() {
 }
 
 function prepare_crypt() {
-  [[ -z "$GCLOUD_SERVICE_KEY" ]] && err "The GCLOUD_SERVICE_KEY environment variable is not set" && exit 2
+  [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ] && return 0
+  [ -z "$GCLOUD_SERVICE_KEY" ] && err "The GCLOUD_SERVICE_KEY environment variable is not set" && exit 2
   GOOGLE_APPLICATION_CREDENTIALS="/tmp/key.json"
   echo $GCLOUD_SERVICE_KEY >$GOOGLE_APPLICATION_CREDENTIALS
   export GOOGLE_APPLICATION_CREDENTIALS

charts/drone/templates/deployment-agent.yaml

@@ -62,6 +62,8 @@ spec:
               secretKeyRef:
                 name: {{ template "drone.fullname" . }}
                 key: secret
+          - name: DRONE_RUNNER_ENV_FILE
+            value: /etc/drone/env      
           - name: DRONE_NAMESPACE_DEFAULT
             value: {{ .Values.kubernetes.namespace }}
           {{- range $key, $value := .Values.kubernetes.env }}
@@ -76,13 +78,18 @@ spec:
         volumeMounts:
           - mountPath: /var/run/docker.sock
             name: docker-socket
+          - name: envfile
+            mountPath: /etc/drone
       {{- with .Values.kubernetes.volumeMounts }}
           {{- toYaml . | nindent 10 }}
       {{- end }}
       volumes:
         - name: docker-socket
           hostPath:
             path: /var/run/docker.sock
+        - name: envfile
+          secret:
+            secretName: {{ template "drone.fullname" . }}-envfile
 {{- else }}
       {{- with .Values.kubernetes.volumeMounts }}
         volumeMounts:
@@ -98,12 +105,12 @@ spec:
         args: {{ .Values.dind.args }}
 {{ end }}
         env:
-        - name: DOCKER_DRIVER
-          value: {{ .Values.dind.driver }}
-        {{ range $key, $value := .Values.dind.env }}
-        - name: {{ $key }}
-          value: {{ $value | quote }}
-        {{ end }}
+          - name: DOCKER_DRIVER
+            value: {{ .Values.dind.driver }}
+          {{ range $key, $value := .Values.dind.env }}
+          - name: {{ $key }}
+            value: {{ $value | quote }}
+          {{ end }}
         securityContext:
           privileged: true
         resources:
@@ -115,9 +122,9 @@ spec:
           {{- toYaml . | nindent 10 }}
       {{- end }}
       volumes:
-      - name: docker-graph-storage
-        emptyDir: {}
+        - name: docker-graph-storage
+          emptyDir: {}
 {{- end }}
-    {{- with .Values.kubernetes.volumes }}
+      {{- with .Values.kubernetes.volumes }}
         {{- toYaml . | nindent 6 }}
-    {{- end }}
+      {{- end }}

charts/drone/templates/deployment-server.yaml

@@ -69,10 +69,6 @@ spec:
             value: {{ template "drone.fullname" . }}.{{ template "drone.namespace" . }}:{{ .Values.service.httpPort }}
           - name: DRONE_SERVER_PROTO
             value: {{ .Values.server.protocol }}
-          {{- if .Values.server.adminUser }}
-          - name: DRONE_USER_CREATE
-            value: username:{{ .Values.server.adminUser }},machine:false,admin:true
-          {{- end }}
           - name: DRONE_RPC_SECRET
             valueFrom:
               secretKeyRef:
@@ -87,6 +83,13 @@ spec:
                 key: {{ . | quote }}
           {{- end }}
           {{- end }}
+          {{- if .Values.server.adminUser }}
+          - name: DRONE_USER_CREATE
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "drone.fullname" . }}-envfile
+                key: DRONE_USER_CREATE
+          {{- end }}
           {{- range $key, $value := .Values.server.env }}
           - name: {{ $key }}
             value: {{ $value | quote }}

charts/drone/templates/secrets.yaml

@@ -1,5 +1,20 @@
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ template "drone.fullname" . }}-envfile
+  namespace: {{ template "drone.namespace" . }}
+  labels:
+    app: {{ template "drone.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  env: "{{ .Values.kubernetes.envFile | b64enc }}"
+  DRONE_USER_CREATE: {{ printf "username:%s,machine:true,admin:true,token:%s" .Values.server.adminUser (.Values.server.adminToken | default (randAlphaNum 32)) | b64enc }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ template "drone.fullname" . }}
   namespace: {{ template "drone.namespace" . }}

charts/jobs/templates/configmap.yaml

@@ -4,7 +4,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $name }}
+  name: job-{{ $name }}
   labels: {{- include "jobs.labels" $ | nindent 4 }}
 data: {{- toYaml $spec.env | nindent 2 }}
 ---

charts/jobs/templates/cronjob.yaml

@@ -36,11 +36,11 @@ spec:
               envFrom:
               {{- if $spec.secret }}
               - secretRef:
-                  name: {{ $name }}
+                  name: job-{{ $name }}
               {{- end }}
               {{- if $spec.env }}
               - configMapRef:
-                  name: {{ $name }}
+                  name: job-{{ $name }}
               {{- end }}
           restartPolicy: Never
 ---

charts/jobs/templates/job.yaml

@@ -5,7 +5,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ $name }}
+  name: job-{{ $name }}
   labels: {{- include "jobs.labels" $ | nindent 4 }}
 spec:
   template:
@@ -38,11 +38,11 @@ spec:
         envFrom:
         {{- if $spec.secret }}
         - secretRef:
-            name: {{ $name }}
+            name: job-{{ $name }}
         {{- end }}
         {{- if $spec.env }}
         - configMapRef:
-            name: {{ $name }}
+            name: job-{{ $name }}
         {{- end }}
         volumeMounts:
           - name: fakeroot

charts/jobs/templates/secret.yaml

@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   labels: {{- include "jobs.labels" $ | nindent 4 }}
-  name: {{ $name }}
+  name: job-{{ $name }}
 data:
 {{- range $key, $val := $spec.secret }}
   {{ $key }}: "{{ $val | b64enc }}"

helmfile.d/helmfile-30.admin.yaml

@@ -9,10 +9,14 @@ releases:
   - name: drone
     installed: {{ $c | get "drone.enabled" true }}
     namespace: team-admin
+    labels:
+      pkg: drone
     <<: *default
   - name: drone-admit-members
     installed: {{ and ($c | get "drone.enabled" true) (eq ($c | get "drone.sourceControl.provider" "github") "github") }}
     namespace: team-admin
+    labels:
+      pkg: drone
     chart: ../charts/drone-admit-members
     values:
       - ../values/drone/drone-admit-members.gotmpl

helmfile.d/helmfile-99.post.yaml

@@ -19,3 +19,8 @@ releases:
   - name: jobs-certs-aws
     installed: {{ eq $v.cluster.provider "aws" }}
     <<: *jobs
+  - name: jobs-drone
+    installed: false # {{ $c.drone.enabled }}
+    labels:
+      pkg: drone
+    <<: *jobs

values-schema.yaml

@@ -660,6 +660,10 @@ properties:
         properties:
           adminUser:
             type: string
+          adminToken:
+            type: string
+            pattern: '^[0-9a-z-]{32}$'
+            description: 32 byte token. Generate one with openssl rand -hex 16.
           debug:
             default: false
             type: boolean
@@ -677,6 +681,10 @@ properties:
                 type: string
           orgsFilter:
             type: string
+          owner:
+            $ref: '#/definitions/idName'
+          repo:
+            $ref: '#/definitions/idName'
           repoFilter:
             type: string
           resources:

values/drone/drone.gotmpl

@@ -17,6 +17,7 @@ server:
   host: {{ $host }}
   protocol: https
   adminUser: {{ $d.adminUser }}
+  adminToken: {{ $d | get "adminToken" nil }}
   dind:
     enabled: false
   resources:
@@ -31,9 +32,6 @@ server:
       cpu: 200m
     {{- end }}
   env:
-    CLOUD: {{ $v.cluster.provider }}
-    CLUSTER: {{ $v.cluster.name }}
-    GCLOUD_SERVICE_KEY: '{{ $v | get "google.kmsAccount" "" | nospace }}'
     DRONE_LOGS_DEBUG: {{ $debug }}
     DRONE_LOGS_TRACE: {{ $debug }}
     DRONE_LOGS_PRETTY: false
@@ -61,6 +59,9 @@ kubernetes:
     # DRONE_TRACE: true
     # DRONE_DEBUG: true
     DRONE_RUNNER_ENVIRON: "CLOUD:{{ $v.cluster.provider }},CLUSTER:{{ $v.cluster.name }}"
+  envFile: |
+    GCLOUD_SERVICE_KEY='{{ $v | get "google.kmsAccount" "" | replace "\n" "" }}'
+
 persistence:
   enabled: true
   storageClass: fast

values/jobs/drone.gotmpl

@@ -0,0 +1,27 @@
+{{- $v := .Environment.Values }}
+{{- $c := $v.charts }}
+{{- $d := $c | get "drone" dict }}
+{{- $teams := keys $v.teamConfig.teams }}
+{{- $teamNames := list -}}
+{{- range $teams -}}
+{{- $teamNames = print "team-" . | append $teamNames -}}
+{{- end -}}
+
+tasks:
+  drone:
+    type: job
+    enabled: true
+    description: Configure Drone to use the right pipeline file
+    image:
+      repository: "otomi/tasks"
+      tag: "drone"
+      pullPolicy: "Always"
+    secret:
+      DRONE_TOKEN: {{ $d | get "adminToken" }}
+    env:
+      DRONE_CONFIG_PATH: env/clouds/{{ $v.cluster.provider }}/{{ $v.cluster.name }}/.drone.yml
+      DRONE_OWNER: {{ $d | get "owner" }}
+      DRONE_REPO: {{ $d | get "repo" }}
+      DRONE_URL: http://drone.team-admin
+    script: npm run tasks:drone
+