feat(drone): configure service account for K8s deployments

2023-04-18 09:19:03 +02:00 · 2023-04-18 09:19:03 +02:00 · 33a9bbdecc
commit 33a9bbdecc
parent 55d8d53aa4
3 changed files with 104 additions and 14 deletions
--- a/k8s/inventory/ci_workers.yaml
+++ b/k8s/inventory/ci_workers.yaml
@ -1,9 +0,0 @@
-all:
-  vars:
-    ansible_user: root
-    concourse_version: "7.9.1"
-  children:
-    concourse_workers:
-      hosts:
-        concourse-worker-1:
-          ansible_host: "95.217.220.68"
--- a/k8s/roles/drone/tasks/main.yml
+++ b/k8s/roles/drone/tasks/main.yml
@ -10,6 +10,21 @@
        labels:
          prometheus: default

+- name: Create additional namespaces
+  kubernetes.core.k8s:
+    name: "{{ item }}"
+    api_version: v1
+    kind: Namespace
+    state: present
+    definition:
+      metadata:
+        labels:
+          prometheus: default
+  loop: 
+    - inetmock
+    - blog
+    - buildr
+
 - name: Create Drone server secret
  kubernetes.core.k8s:
    state: present
@ -42,6 +57,95 @@
      data:
        DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"

+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: drone-deploy
+        namespace: drone
+
+- name: Create Drone deploy secret
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: drone-deploy
+        namespace: drone
+        annotations:
+          kubernetes.io/service-account.name: drone-deploy
+      type: kubernetes.io/service-account-token
+
+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: drone-deploy
+      rules:
+      - apiGroups: [""]
+        resources:
+        - secrets
+        - configmaps
+        - pods
+        - services
+        - persistentvolumeclaims
+        - serviceaccounts
+        verbs: ["*"]
+      - apiGroups: ["apps"]
+        resources:
+        - replicasets
+        - deployments
+        - statefulsets
+        verbs: ["*"]
+      - apiGroups: ["batch"]
+        resources:
+        - jobs
+        - cronjobs
+        verbs: ["*"]
+      - apiGroups: ["autoscaling"]
+        resources:
+        - horizontalpodautoscalers
+        verbs: ["*"]
+      - apiGroups: ["networking.k8s.io"]
+        resources:
+        - ingresses
+        verbs: ["*"]
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        resources:
+        - roles
+        - rolebindings
+        verbs: ["*"]
+
+
+- name: Create Drone service account
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: drone-deploy-{{ item }}
+        namespace: "{{ item }}"
+      subjects:
+      - kind: ServiceAccount
+        name: drone-deploy
+        namespace: drone
+      roleRef:
+        kind: ClusterRole
+        name: drone-deploy
+        apiGroup: rbac.authorization.k8s.io
+  loop:
+    - blog
+    - inetmock
+    - buildr
+
 - name: Add Drone chart repo
  kubernetes.core.helm_repository:
    name: drone
--- a/k8s/setup_cluster.yaml
+++ b/k8s/setup_cluster.yaml
@ -10,8 +10,3 @@
  hosts: control_plane
  roles:
    - role: k3s/master
-
- name: Setup worker nodes
-  hosts: worker_nodes
-  roles:
-    - role: k3s/node