deploy drone secrets

2023-12-18 21:10:47 +01:00 · 2023-12-18 21:10:47 +01:00 · ac9b34da97
parent 50ed20e8b0
commit ac9b34da97
1 changed files with 77 additions and 1 deletions
--- a/apps/drone.yaml
+++ b/apps/drone.yaml
@ -68,6 +68,8 @@ spec:
              value: eu
            - name: DRONE_S3_BUCKET
              value: drone
+            - name: DRONE_LOGS_DEBUG
+              value: "true"
            - name: DRONE_S3_ENDPOINT
              valueFrom:
                secretKeyRef:
@ -139,6 +141,13 @@ spec:
              value: "1"
            - name: DRONE_RUNNER_NAME
              value: "k8s-runner"
+            - name: DRONE_SECRET_ENDPOINT
+              value: http://drone-secrets.default:3000
+            - name: DRONE_SECRET_PLUGIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: secrets
+                  key: DRONE_RPC_SECRET
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
@ -147,4 +156,71 @@ spec:
          hostPath:
            path: /var/run/docker.sock
 ---
-
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: drone-secrets-service-account
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: drone-secrets-rolebinding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: drone-secrets-service-account
+roleRef:
+  kind: Role
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-secrets
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-secrets
+  template:
+    metadata:
+      labels:
+        app: drone-secrets
+    spec:
+      serviceAccountName: drone-secrets-service-account
+      containers:
+        - name: drone
+          image: drone/kubernetes-secrets:latest
+          ports:
+            - containerPort: 3000
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: secrets
+                  key: DRONE_RPC_SECRET
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone-secrets
+  namespace: default
+spec:
+  ports:
+    - port: 3000
+      targetPort: 3000
+  selector:
+    app: drone-secrets