From 33a9bbdeccebdeb8e63f80781f2654644e2bb5a9 Mon Sep 17 00:00:00 2001
From: Peter Kurfer
Date: Tue, 18 Apr 2023 09:19:03 +0200
Subject: [PATCH] feat(drone): configure service account for K8s deployments
---
 k8s/inventory/ci_workers.yaml | 9 ---
 k8s/roles/drone/tasks/main.yml | 104 +++++++++++++++++++++++++++++++++
 k8s/setup_cluster.yaml | 5 --
 3 files changed, 104 insertions(+), 14 deletions(-)
 delete mode 100644 k8s/inventory/ci_workers.yaml
diff --git a/k8s/inventory/ci_workers.yaml b/k8s/inventory/ci_workers.yaml
deleted file mode 100644
index 35c7859..0000000
--- a/k8s/inventory/ci_workers.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-all:
- vars:
- ansible_user: root
- concourse_version: "7.9.1"
- children:
- concourse_workers:
- hosts:
- concourse-worker-1:
- ansible_host: "95.217.220.68"
\ No newline at end of file
diff --git a/k8s/roles/drone/tasks/main.yml b/k8s/roles/drone/tasks/main.yml
index 567625b..881ebe2 100644
--- a/k8s/roles/drone/tasks/main.yml
+++ b/k8s/roles/drone/tasks/main.yml
@@ -10,6 +10,21 @@
 labels:
 prometheus: default
 
+- name: Create additional namespaces
+ kubernetes.core.k8s:
+ name: "{{ item }}"
+ api_version: v1
+ kind: Namespace
+ state: present
+ definition:
+ metadata:
+ labels:
+ prometheus: default
+ loop:
+ - inetmock
+ - blog
+ - buildr
+
 - name: Create Drone server secret
 kubernetes.core.k8s:
 state: present
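Review bot: The namespace list `inetmock`, `blog`, `buildr` in the `loop:` of "Create additional namespaces" is repeated verbatim (in a different order) in the RoleBinding loop added later in this file, so a namespace added to one list can silently end up without its Namespace or without its `drone-deploy` RoleBinding. Declaring the list once as a role variable (a name such as `drone_deploy_namespaces` is illustrative) and looping over it in both tasks, `loop: "{{ drone_deploy_namespaces }}"`, keeps the two in step. A one-line comment above the task, e.g. `# namespaces the Drone deploy service account is allowed to write to`, would also tell a reader why exactly these three namespaces are created here rather than by their own roles.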
@@ -42,6 +57,95 @@
 data:
 DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
 
+- name: Create Drone service account
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: drone-deploy
+ namespace: drone
+
+- name: Create Drone deploy secret
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: drone-deploy
+ namespace: drone
+ annotations:
+ kubernetes.io/service-account.name: drone-deploy
+ type: kubernetes.io/service-account-token
+
+- name: Create Drone service account
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: drone-deploy
+ rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ - configmaps
+ - pods
+ - services
+ - persistentvolumeclaims
+ - serviceaccounts
+ verbs: ["*"]
+ - apiGroups: ["apps"]
+ resources:
+ - replicasets
+ - deployments
+ - statefulsets
+ verbs: ["*"]
+ - apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["*"]
+ - apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs: ["*"]
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
+ verbs: ["*"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - roles
+ - rolebindings
+ verbs: ["*"]
+
+
+- name: Create Drone service account
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: drone-deploy-{{ item }}
+ namespace: "{{ item }}"
+ subjects:
+ - kind: ServiceAccount
+ name: drone-deploy
+ namespace: drone
+ roleRef:
+ kind: ClusterRole
+ name: drone-deploy
+ apiGroup: rbac.authorization.k8s.io
+ loop:
+ - blog
+ - inetmock
+ - buildr
+
 - name: Add Drone chart repo
 kubernetes.core.helm_repository:
 name: drone
diff --git a/k8s/setup_cluster.yaml b/k8s/setup_cluster.yaml
index 59a8a9d..4047eb9 100644
--- a/k8s/setup_cluster.yaml
+++ b/k8s/setup_cluster.yaml
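Review bot: The ClusterRole `drone-deploy` grants `verbs: ["*"]` on every listed resource, including `secrets`, `serviceaccounts`, `roles` and `rolebindings`, which is likely broader than a pipeline that applies deployment manifests needs; binding it per namespace through a RoleBinding rather than a ClusterRoleBinding is the right scope, but the verbs should be narrowed to the ones the pipelines actually use, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and `secrets`, `serviceaccounts`, `roles` and `rolebindings` dropped from the core and rbac rules unless the deployed charts really manage them. Three of the new tasks are all named `Create Drone service account` although only the first creates one; renaming the ClusterRole and RoleBinding tasks, e.g. `- name: Create Drone deploy ClusterRole` and `- name: Create Drone deploy RoleBinding`, makes play output and failures attributable. The `kubernetes.io/service-account-token` Secret mints a non-expiring static token for `drone-deploy`; if the Drone pipelines can authenticate with a bound token instead, prefer that, otherwise a comment above the task stating why a static token is required and how it is rotated would document the trade-off. `name: drone-deploy-{{ item }}` is unquoted while `namespace: "{{ item }}"` directly below is quoted; quote both for consistency with the rest of the role.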
@@ -10,8 +10,3 @@
 hosts: control_plane
 roles:
 - role: k3s/master
-
-- name: Setup worker nodes
- hosts: worker_nodes
- roles:
- - role: k3s/node