feat: deploy blog with kustomize

2023-07-17 15:39:00 +00:00 · 2023-07-17 15:39:00 +00:00 · 72007957e3
commit 72007957e3
parent e6040be0b4
13 changed files with 161 additions and 300 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -12,8 +12,8 @@ steps:
  network_mode: host
  commands:
    - >
-            echo "{\"auths\": {\"https://code.icb4dc0.de\": {\"auth\" : \"$(printf '%s:%s' $$GITEA_USER $$GITEA_TOKEN | base64)\" }}}" > /kaniko/.docker/config.json
-    - /kaniko/executor --destination "$${IMAGE_REPO}:$${IMAGE_TAG}" --context "$${BUILD_CONTEXT}"
+      echo "{\"auths\": {\"https://code.icb4dc0.de\": {\"auth\" : \"$(printf '%s:%s' $$GITEA_USER $$GITEA_TOKEN | base64)\" }}}" > /kaniko/.docker/config.json
+    - /kaniko/executor --destination "$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}_$${IMAGE_TAG}" --context "$${BUILD_CONTEXT}"
  environment:
    GITEA_USER: prskr
    GITEA_TOKEN:
@ -36,8 +36,8 @@ steps:
  network_mode: host
  commands:
    - >
-            echo "{\"auths\": {\"https://code.icb4dc0.de\": {\"auth\" : \"$(printf '%s:%s' $$GITEA_USER $$GITEA_TOKEN | base64)\" }}}" > /kaniko/.docker/config.json
-    - /kaniko/executor --destination "$${IMAGE_REPO}:$${IMAGE_TAG}" --context "$${BUILD_CONTEXT}"
+      echo "{\"auths\": {\"https://code.icb4dc0.de\": {\"auth\" : \"$(printf '%s:%s' $$GITEA_USER $$GITEA_TOKEN | base64)\" }}}" > /kaniko/.docker/config.json
+    - /kaniko/executor --destination "$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}_$${IMAGE_TAG}" --context "$${BUILD_CONTEXT}"
  environment:
    GITEA_USER: prskr
    GITEA_TOKEN:
@ -62,14 +62,35 @@ steps:
  privileged: true
  commands:
    - buildah login "$${IMAGE_REGISTRY}" --username "$${GITEA_USER}" --password "$${GITEA_TOKEN}"
-    - buildah manifest create "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}"
-    - buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:x86_64"
-    - buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:arm64"
-    - buildah manifest push --all "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}"
+    - buildah manifest create "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}"
+    - buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}_x86_64"
+    - buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}_arm64"
+    - buildah manifest push --all "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}"
  environment:
    GITEA_USER: prskr
    GITEA_TOKEN:
      from_secret: gitea_token
    IMAGE_REGISTRY: code.icb4dc0.de
    IMAGE_REPO: prskr/blog
-    IMAGE_TAG: latest
+
+- name: deploy
+  image: code.icb4dc0.de/prskr/ci-images/kustomize:latest
+  network_mode: host
+  commands:
+    - cd deploy/k8s
+    - kustomize edit set image buildr-docs=code.icb4dc0.de/prskr/blog:$DRONE_COMMIT_SHA
+    - kubectl config set-cluster hetzner --server=$K8S_API_URL --insecure-skip-tls-verify=true
+    - kubectl config set-credentials drone-deploy --token=$K8S_TOKEN
+    - kubectl config set-context hetzner --user=drone-deploy --namespace=buildr --cluster hetzner
+    - kubectl config use-context hetzner
+    - kubectl apply -k .
+  environment:
+    K8S_TOKEN:
+      from_secret: k8s_token
+    K8S_API_URL:
+      from_secret: k8s_api_url
+  when:
+    ref:
+      include:
+        - refs/tags/**
+        - refs/heads/main
--- a/deploy/helm/Chart.yaml
+++ b/deploy/helm/Chart.yaml
@ -1,24 +0,0 @@
-apiVersion: v2
-name: web
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/deploy/helm/templates/_helpers.tpl
+++ b/deploy/helm/templates/_helpers.tpl
@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "web.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "web.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "web.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "web.labels" -}}
-helm.sh/chart: {{ include "web.chart" . }}
-{{ include "web.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "web.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "web.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "web.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "web.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "web.fullname" . }}
-  labels:
-    {{- include "web.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "web.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "web.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 3000
-              protocol: TCP
-            - name: metrics
-              containerPort: 9100
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /metrics
-              port: metrics
-          readinessProbe:
-            httpGet:
-              path: /metrics
-              port: metrics
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
--- a/deploy/helm/templates/ingress.yaml
+++ b/deploy/helm/templates/ingress.yaml
@ -1,61 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "web.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{- include "web.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- end }}
-  {{- if .Values.ingress.tls }}
-  tls:
-    {{- range .Values.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: {{ .pathType }}
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-              {{- end }}
-          {{- end }}
-    {{- end }}
-{{- end }}
--- a/deploy/helm/templates/pod_monitor.yaml
+++ b/deploy/helm/templates/pod_monitor.yaml
@ -1,12 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: {{ include "web.fullname" . }}
-  labels:
-    {{- include "web.labels" . | nindent 4 }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "web.selectorLabels" . | nindent 6 }}
-  podMetricsEndpoints:
-  - port: metrics
--- a/deploy/helm/templates/service.yaml
+++ b/deploy/helm/templates/service.yaml
@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "web.fullname" . }}
-  labels:
-    {{- include "web.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "web.selectorLabels" . | nindent 4 }}
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@ -1,56 +0,0 @@
-replicaCount: 2
-
-image:
-  repository: code.icb4dc0.de/prskr/blog
-  pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext:
-  capabilities:
-    drop:
-    - ALL
-  readOnlyRootFilesystem: true
-  allowPrivilegeEscalation: false
-  runAsNonRoot: true
-  runAsUser: 65532
-
-service:
-  type: ClusterIP
-  port: 3000
-
-ingress:
-  enabled: true
-  className: "traefik"
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: www.icb4dc0.de
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-
-resources:
-  limits:
-    cpu: 100m
-    memory: 60Mi
-  requests:
-    cpu: 50m
-    memory: 20Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
--- a/deploy/k8s/deployment.yaml
+++ b/deploy/k8s/deployment.yaml
@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: blog
+  namespace: blog
+  labels:
+    app.kubernetes.io/name: blog
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: blog
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: blog
+    spec:
+      containers:
+        - name: blog
+          image: blog
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+            - name: metrics
+              containerPort: 9100
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 60Mi
+            requests:
+              cpu: 50m
+              memory: 20Mi
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsUser: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
--- a/deploy/k8s/ingress.yaml
+++ b/deploy/k8s/ingress.yaml
@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: blog
+  namespace: blog
+  labels:
+    app.kubernetes.io/name: blog
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: www.icb4dc0.de
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: blog
+                port:
+                  number: 3000
--- a/deploy/k8s/kustomization.yaml
+++ b/deploy/k8s/kustomization.yaml
@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: blog
+
+commonLabels:
+  app.kubernetes.io/instance: blog
+  app.kubernetes.io/managed-by: kustomize
+
+images:
+  - name: blog
+    newName: code.icb4dc0.de/prskr/blog
+    newTag: latest
+
+resources:
+  - "deployment.yaml"
+  - "service.yaml"
+  - "ingress.yaml"
--- a/deploy/k8s/pod_monitor.yaml
+++ b/deploy/k8s/pod_monitor.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: blog-metrics
+  labels:
+    app.kubernetes.io/name: blog
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: blog
+  podMetricsEndpoints:
+    - port: metrics
--- a/deploy/k8s/service.yaml
+++ b/deploy/k8s/service.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: blog
+  namespace: blog
+  labels:
+    app.kubernetes.io/name: blog
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 3000
+      targetPort: http
+  selector:
+    app.kubernetes.io/name: blog
+  type: ClusterIP