From ac9b34da97788ee8c9d86ca54450e3a650b41710 Mon Sep 17 00:00:00 2001
From: Florian Herrengt
Date: Mon, 18 Dec 2023 21:10:47 +0100
Subject: [PATCH] deploy drone secrets
---
 apps/drone.yaml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)
diff --git a/apps/drone.yaml b/apps/drone.yaml
index 87aca38..03ebe06 100644
--- a/apps/drone.yaml
+++ b/apps/drone.yaml
@@ -68,6 +68,8 @@ spec:
 value: eu
 - name: DRONE_S3_BUCKET
 value: drone
+ - name: DRONE_LOGS_DEBUG
+ value: "true"
 - name: DRONE_S3_ENDPOINT
 valueFrom:
 secretKeyRef:
@@ -139,6 +141,13 @@ spec:
 value: "1"
 - name: DRONE_RUNNER_NAME
 value: "k8s-runner"
+ - name: DRONE_SECRET_ENDPOINT
+ value: http://drone-secrets.default:3000
+ - name: DRONE_SECRET_PLUGIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: secrets
+ key: DRONE_RPC_SECRET
 volumeMounts:
 - name: docker-sock
 mountPath: /var/run/docker.sock
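Review bot: `DRONE_LOGS_DEBUG` is set to `"true"` unconditionally in what appears to be the server container's env, and it looks unrelated to the secrets plugin this commit deploys. Debug-level output is more verbose and will be retained wherever the pod's logs are shipped, so if it was added to troubleshoot the rollout, mark it with a comment such as `# temporary: remove once the secrets plugin is verified` or drop it before merge. The env list begins and ends outside this hunk.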
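Review bot: `DRONE_SECRET_PLUGIN_TOKEN` is read from the `DRONE_RPC_SECRET` key, which by its name is presumably also the runner-to-server RPC credential, so one leaked value would authenticate against both the server and the secrets plugin. Give the plugin its own entry in the Secret, e.g. `key: <plugin-token-key>`, and reference the same key from `SECRET_KEY` in the new `drone-secrets` Deployment. The endpoint is plain `http://`, so secret values cross the pod network unencrypted; either front it with TLS or record that as an accepted risk in a comment. The endpoint variable is spelled `DRONE_SECRET_ENDPOINT` while the token uses the `DRONE_SECRET_PLUGIN_` prefix, so confirm the runner version in use actually reads that name. The container spec starts above this hunk.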
@@ -147,4 +156,71 @@ spec:
 hostPath:
 path: /var/run/docker.sock
 ---
-
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: drone-secrets-service-account
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader
+ namespace: default
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: drone-secrets-rolebinding
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: drone-secrets-service-account
+roleRef:
+ kind: Role
+ name: secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone-secrets
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: drone-secrets
+ template:
+ metadata:
+ labels:
+ app: drone-secrets
+ spec:
+ serviceAccountName: drone-secrets-service-account
+ containers:
+ - name: drone
+ image: drone/kubernetes-secrets:latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: secrets
+ key: DRONE_RPC_SECRET
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: drone-secrets
+ namespace: default
+spec:
+ ports:
+ - port: 3000
+ targetPort: 3000
+ selector:
+ app: drone-secrets
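Review bot: The `secret-reader` Role grants `get`, `list` and `watch` on every Secret in `default`, the same namespace that holds the `secrets` object with `DRONE_RPC_SECRET`, so the plugin's service account can read the CI system's own credentials and not only pipeline secrets. Narrow the rule with `resourceNames: ["<pipeline-secret-name>"]` and `verbs: ["get"]` if the plugin works with that, or run the plugin against a dedicated namespace that contains only pipeline secrets. The Deployment also pulls `drone/kubernetes-secrets:latest`; a mutable tag on a pod with Secret read access should be pinned, e.g. `image: drone/kubernetes-secrets@sha256:<digest>`. The Service exposes port 3000 cluster-wide with no NetworkPolicy in this file, so the shared token is the only control on who can query the plugin; a policy admitting only the runner pods would be worth adding.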