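---
# Drone CI on Kubernetes: server + Docker runner in the `apps` namespace, and
# the kubernetes-secrets plugin in the `default` namespace. Documents, in order:
# Service (server), Deployment (server), IngressRoute, Deployment (runner),
# ServiceAccount, Role, RoleBinding, Deployment (secrets plugin), Service (plugin).
# All credentials come from a Secret named `secrets` in each Deployment's own
# namespace (secretKeyRef is namespace-local), so that Secret must exist in
# both `apps` and `default`.
apiVersion: v1
kind: Service
metadata:
  name: drone
  namespace: apps
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: drone
---
# Drone server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone
  template:
    metadata:
      labels:
        app: drone
    spec:
      containers:
        - name: drone
          # Major-version tag only; pin a full version (or digest) for
          # reproducible rollouts.
          image: drone/drone:2
          env:
            # Must precede DRONE_DATABASE_DATASOURCE: Kubernetes $(VAR)
            # expansion only resolves variables defined earlier in this list.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: POSTGRES_PASSWORD
            - name: DRONE_GITEA_SERVER
              value: "https://gitea.nocodelytics.com"
            - name: DRONE_GITEA_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: GITEA_CLIENT_ID
            - name: DRONE_GITEA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: GITEA_CLIENT_SECRET
            - name: DRONE_SERVER_HOST
              value: drone.nocodelytics.com
            - name: DRONE_SERVER_PROTO
              value: https
            # Shared secret between server and runners (also reused below as
            # the secrets-plugin token and key).
            - name: DRONE_RPC_SECRET
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: DRONE_RPC_SECRET
            - name: DRONE_DATABASE_DRIVER
              value: postgres
            # sslmode=disable: the DB password crosses the cluster network in
            # clear text. Prefer sslmode=require if postgres.databases serves TLS.
            - name: DRONE_DATABASE_DATASOURCE
              value: postgres://postgres:$(POSTGRES_PASSWORD)@postgres.databases:5432/drone?sslmode=disable
            - name: DRONE_S3_PATH_STYLE
              value: "true"
            - name: AWS_REGION
              value: eu
            - name: DRONE_S3_BUCKET
              value: drone
            # Debug logging is verbose and may record request details; turn
            # off once the deployment is stable.
            - name: DRONE_LOGS_DEBUG
              value: "true"
            - name: DRONE_S3_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: AWS_ENDPOINTS
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: AWS_SECRET_ACCESS_KEY
          ports:
            - containerPort: 80
---
# Public HTTPS entry point for the Drone server via Traefik.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: drone
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    # Quoted: the rule contains backticks, which YAML treats as reserved.
    - match: "Host(`drone.nocodelytics.com`)"
      kind: Rule
      services:
        - name: drone
          port: 80
      # NOTE(review): `http-auth` applies to every request to this host,
      # including Gitea webhooks and the OAuth callback; confirm those
      # callers can still reach Drone through it.
      middlewares:
        - name: https-redirect
          namespace: default
        - name: http-auth
          namespace: default
  tls:
    certResolver: letsencrypt
    domains:
      - main: drone.nocodelytics.com
---
# Docker runner. Talks to the server in-cluster (drone.apps) rather than via
# the public ingress.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-runner
  template:
    metadata:
      labels:
        app: drone-runner
    spec:
      containers:
        - name: runner
          image: drone/drone-runner-docker:1
          ports:
            - containerPort: 3000
          env:
            - name: DRONE_RPC_PROTO
              value: "http"
            - name: DRONE_RPC_HOST
              value: "drone.apps"
            - name: DRONE_RPC_SECRET
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: DRONE_RPC_SECRET
            - name: DRONE_RUNNER_CAPACITY
              value: "1"
            - name: DRONE_RUNNER_NAME
              value: "k8s-runner"
            # Plain HTTP to the secrets plugin in `default`; secret values
            # travel unencrypted inside the cluster, so restrict this path
            # with a NetworkPolicy if the cluster network is not trusted.
            - name: DRONE_SECRET_ENDPOINT
              value: http://drone-secrets.default:3000
            # Reuses the RPC secret as the plugin token; a dedicated key would
            # keep one leaked credential from unlocking both.
            - name: DRONE_SECRET_PLUGIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: DRONE_RPC_SECRET
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
      volumes:
        # The node's Docker socket gives the runner -- and any pipeline step it
        # launches -- root-equivalent control of that node. Limit which
        # repositories and users may run pipelines on this runner.
        - name: docker-sock
          hostPath:
            path: /var/run/docker.sock
---
# Identity for the kubernetes-secrets plugin.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-secrets-service-account
  namespace: default
---
# Grants read access to EVERY Secret in `default`. Keep only the Secrets meant
# for pipelines in this namespace, or move the plugin to a dedicated one.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-secrets-rolebinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: drone-secrets-service-account
    # Explicit: ServiceAccount subjects are resolved by namespace; spelling it
    # out avoids relying on the binding's namespace being defaulted in.
    namespace: default
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
# kubernetes-secrets plugin: serves Secrets from `default` to the runner.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-secrets
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-secrets
  template:
    metadata:
      labels:
        app: drone-secrets
    spec:
      serviceAccountName: drone-secrets-service-account
      containers:
        - name: drone
          # `latest` is unpinned: the image can change under you between
          # restarts. Pin a released tag or digest for this privileged component.
          image: drone/kubernetes-secrets:latest
          ports:
            - containerPort: 3000
          env:
            # Must match DRONE_SECRET_PLUGIN_TOKEN on the runner.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: secrets
                  key: DRONE_RPC_SECRET
---
apiVersion: v1
kind: Service
metadata:
  name: drone-secrets
  namespace: default
spec:
  ports:
    - port: 3000
      targetPort: 3000
  selector:
    app: drone-secrets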