feat(drone): configure service account for K8s deployments

k8s/inventory/ci_workers.yaml

@@ -1,9 +0,0 @@
-all:
-  vars:
-    ansible_user: root
-    concourse_version: "7.9.1"
-  children:
-    concourse_workers:
-      hosts:
-        concourse-worker-1:
-          ansible_host: "95.217.220.68"

k8s/roles/drone/tasks/main.yml

@@ -10,6 +10,21 @@
         labels:
           prometheus: default
 
+- name: Create additional namespaces
+  kubernetes.core.k8s:
+    name: "{{ item }}"
+    api_version: v1
+    kind: Namespace
+    state: present
+    definition:
+      metadata:
+        labels:
+          prometheus: default
+  loop: 
+    - inetmock
+    - blog
+    - buildr
+
 - name: Create Drone server secret
   kubernetes.core.k8s:
     state: present
@@ -42,6 +57,95 @@
       data:
         DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
 
+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: drone-deploy
+        namespace: drone
+
+- name: Create Drone deploy secret
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: drone-deploy
+        namespace: drone
+        annotations:
+          kubernetes.io/service-account.name: drone-deploy
+      type: kubernetes.io/service-account-token
+
+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: drone-deploy
+      rules:
+      - apiGroups: [""]
+        resources:
+        - secrets
+        - configmaps
+        - pods
+        - services
+        - persistentvolumeclaims
+        - serviceaccounts
+        verbs: ["*"]
+      - apiGroups: ["apps"]
+        resources:
+        - replicasets
+        - deployments
+        - statefulsets
+        verbs: ["*"]
+      - apiGroups: ["batch"]
+        resources:
+        - jobs
+        - cronjobs
+        verbs: ["*"]
+      - apiGroups: ["autoscaling"]
+        resources:
+        - horizontalpodautoscalers
+        verbs: ["*"]
+      - apiGroups: ["networking.k8s.io"]
+        resources:
+        - ingresses
+        verbs: ["*"]
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        resources:
+        - roles
+        - rolebindings
+        verbs: ["*"]
+
+
+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: drone-deploy-{{ item }}
+        namespace: "{{ item }}"
+      subjects:
+      - kind: ServiceAccount
+        name: drone-deploy
+        namespace: drone
+      roleRef:
+        kind: ClusterRole
+        name: drone-deploy
+        apiGroup: rbac.authorization.k8s.io
+  loop:
+    - blog
+    - inetmock
+    - buildr
+
 - name: Add Drone chart repo
   kubernetes.core.helm_repository:
     name: drone

k8s/setup_cluster.yaml

@@ -10,8 +10,3 @@
   hosts: control_plane
   roles:
     - role: k3s/master
-
-- name: Setup worker nodes
-  hosts: worker_nodes
-  roles:
-    - role: k3s/node