feat: replace concourse with drone

2023-02-22 22:24:44 +01:00 · 2023-02-22 22:24:44 +01:00 · ae55b8ae64
commit ae55b8ae64
parent a5e1fd6eb0
16 changed files with 828 additions and 1036 deletions
--- a/infrastructure/ci_worker.tf
+++ b/infrastructure/ci_worker.tf
@ -1,31 +0,0 @@
-resource "hcloud_server" "concourse_nodes" {
-  for_each = var.ci_workers
-
-  name        = each.key
-  server_type = each.value.server_type
-  datacenter  = "hel1-dc2"
-  image       = "ubuntu-22.04"
-
-  backups = false
-
-  ssh_keys = [
-    hcloud_ssh_key.default.id
-  ]
-
-  labels = {
-    "node_type" = each.value.node_type
-  }
-
-  public_net {
-    ipv4_enabled = true
-    ipv6_enabled = true
-  }
-}
-
-resource "hcloud_server_network" "concourse_internal" {
-  for_each = var.ci_workers
-
-  server_id  = hcloud_server.concourse_nodes[each.key].id
-  network_id = hcloud_network.k8s_net.id
-  ip         = each.value.private_ip
-}
--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@ -24,14 +24,6 @@ variable "k3os_workers" {
  }))
 }

-variable "ci_workers" {
-  type = map(object({
-    node_type   = string
-    server_type = string
-    private_ip  = string
-  }))
-}
-
 variable "ssh_keys" {
  type        = list(string)
  default     = []
--- a/infrastructure/vms.auto.tfvars
+++ b/infrastructure/vms.auto.tfvars
@ -2,14 +2,14 @@ k3os_workers = {
  "worker1-gen2" = {
    backups     = false
    node_type   = "worker"
-    server_type = "cpx21"
+    server_type = "cx31"
    private_ip  = "172.23.2.22"
  }

  "worker2-gen2" = {
    backups     = false
    node_type   = "worker"
-    server_type = "cpx21"
+    server_type = "cx31"
    private_ip  = "172.23.2.23"
  }
 }
@ -23,14 +23,6 @@ vms = {
  }
 }

-ci_workers = {
-  "concourse-worker-vm-1" = {
-    node_type   = "concourse_worker"
-    server_type = "cpx21"
-    private_ip  = "172.23.2.31"
-  }
-}
-
 ssh_keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfHZaI0F5GjAcrM8hjWqwMfULDkAZ2TOIBTQtRocg1F id_ed25519"]

 release_channel = "stable"
--- a/k8s/configure_cluster.yaml
+++ b/k8s/configure_cluster.yaml
@ -7,4 +7,4 @@
  - role: hcloud
  - role: minio
  - role: gitea
-  - role: concourse
+  - role: drone
--- a/k8s/inventory/group_vars/all.yml
+++ b/k8s/inventory/group_vars/all.yml
--- a/k8s/roles/concourse-worker/tasks/main.yml
+++ b/k8s/roles/concourse-worker/tasks/main.yml
@ -1,68 +0,0 @@
---
- name: Download concourse
-  ansible.builtin.get_url:
-    url: https://github.com/concourse/concourse/releases/download/v{{ concourse_version }}/concourse-{{ concourse_version }}-linux-amd64.tgz
-    dest: /tmp/concourse.tgz
-    mode: '0640'
-    checksum: sha1:https://github.com/concourse/concourse/releases/download/v{{ concourse_version }}/concourse-{{ concourse_version }}-linux-amd64.tgz.sha1
-  register: download_concourse
-
- name: Extract concourse
-  ansible.builtin.unarchive:
-    src: /tmp/concourse.tgz
-    dest: /opt/
-    remote_src: true
-  when: download_concourse.changed
-
- name: Create concourse user
-  ansible.builtin.user:
-    name: concourse
-    home: /var/lib/concourse
-    shell: /bin/false
-    groups: users,docker
-
- name: Create /etc/concourse
-  ansible.builtin.file:
-    path: /etc/concourse
-    state: directory
-
- name: Create /etc/concourse
-  ansible.builtin.file:
-    path: /var/lib/concourse/.ssh
-    state: directory
-    owner: concourse
-
- name: Deploy concourse keys
-  ansible.builtin.copy:
-    content: "{{ item.content }}"
-    dest: "{{ item.dest }}"
-    mode: '0440'
-  loop:
-    - content: "{{ concourse.worker.workerKey }}"
-      dest: /var/lib/concourse/.ssh/id_rsa
-    - content: "{{ concourse.worker.workerKeyPub }}"
-      dest: /var/lib/concourse/.ssh/id_rsa.pub
-    - content: "{{ concourse.worker.hostKeyPub }}"
-      dest: /var/lib/concourse/.ssh/web_key.pub
-
- name: Create concourse config
-  ansible.builtin.template:
-    src: concourse-cfg.j2
-    dest: /etc/concourse/worker
-    mode: '0640'
-  register: create_concourse_config
-
- name: Create concourse service file
-  ansible.builtin.template:
-    src: concourse-worker.service.j2
-    dest: /lib/systemd/system/concourse-worker.service
-    mode: '0640'
-  register: create_concourse_service
-
- name: Make sure a service unit is running
-  ansible.builtin.systemd:
-    name: concourse-worker
-    state: restarted
-    daemon_reload: true
-    enabled: true
-  when: create_concourse_service.changed or create_concourse_config.changed
--- a/k8s/roles/concourse-worker/templates/concourse-cfg.j2
+++ b/k8s/roles/concourse-worker/templates/concourse-cfg.j2
@ -1,8 +0,0 @@
-CONCOURSE_WORK_DIR=/var/lib/concourse
-CONCOURSE_TSA_HOST=172.23.2.10:32222
-CONCOURSE_CONTAINERD_DNS_SERVER="1.1.1.1"
-CONCOURSE_CONTAINERD_ALLOW_HOST_ACCESS="true"
-CONCOURSE_TSA_PUBLIC_KEY=/var/lib/concourse/.ssh/web_key.pub
-CONCOURSE_TSA_WORKER_PRIVATE_KEY=/var/lib/concourse/.ssh/id_rsa
-CONCOURSE_RUNTIME=containerd
-CONCOURSE_TAG="linux,vm,ubuntu"
--- a/k8s/roles/concourse-worker/templates/concourse-worker.service.j2
+++ b/k8s/roles/concourse-worker/templates/concourse-worker.service.j2
@ -1,11 +0,0 @@
-[Unit]
-Description=Concourse worker
-
-[Service]
-EnvironmentFile=/etc/concourse/worker
-ExecStart=/opt/concourse/bin/concourse worker
-KillSignal=SIGUSR1
-TimeoutStopSec=300
-
-[Install]
-WantedBy=multi-user.target
--- a/k8s/roles/concourse/tasks/main.yml
+++ b/k8s/roles/concourse/tasks/main.yml
@ -1,107 +0,0 @@
---
- name: Create Concourse namespace
-  kubernetes.core.k8s:
-    name: concourse
-    api_version: v1
-    kind: Namespace
-    state: present
-    definition:
-      metadata:
-        labels:
-          prometheus: default
-
- name: Add Concourse chart repo
-  kubernetes.core.helm_repository:
-    name: concourse
-    repo_url: https://concourse-charts.storage.googleapis.com/
-
- name: Create Concourse worker secret
-  kubernetes.core.k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: concourse-worker
-        namespace: concourse
-      data:
-        host-key-pub: "{{ concourse.worker.hostKeyPub | b64encode}}"
-        worker-key: "{{ concourse.worker.workerKey | b64encode}}"
-        worker-key-pub: "{{ concourse.worker.workerKeyPub | b64encode}}"
-
- name: Create Concourse web secret
-  kubernetes.core.k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: concourse-web
-        namespace: concourse
-      data:
-        worker-key-pub: "{{ concourse.worker.workerKeyPub | b64encode}}"
-        host-key: "{{ concourse.web.hostKey | b64encode}}"
-        session-signing-key: "{{ concourse.web.sessionSigningKey | b64encode}}"
-        postgresql-user: "{{ concourse.db.user | b64encode}}"
-        postgresql-password: "{{ concourse.db.password | b64encode}}"
-        encryption-key: "{{ concourse.encryptionKey | b64encode}}"
-        oidc-client-id: "{{ concourse.auth.clientId | b64encode }}"
-        oidc-client-secret: "{{ concourse.auth.clientSecret | b64encode }}"
-        local-users: "{{ ('concourse:%s' % concourse.local.password) | b64encode }}"
-
- name: Deploy Concourse chart
-  kubernetes.core.helm:
-    name: concourse
-    chart_ref: concourse/concourse
-    release_namespace: concourse
-    chart_version: 17.1.1
-    update_repo_cache: true
-    release_values: "{{ lookup('template', 'values.concourse.yml.j2') | from_yaml }}"
-
- name: Create concourse RBAC resources
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ lookup('template', 'rbac/deploy-role.yml.j2') | from_yaml }}"
-
- name: Bind service account for deployment
-  kubernetes.core.k8s:
-    name: "{{ item }}"
-    namespace: "{{ item }}"
-    definition: "{{ lookup('template', 'rbac/deploy-rolebinding.yml.j2') | from_yaml }}"
-    state: present
-  loop:
-    - concourse-main
-    - concourse-inetmock
-    - blog
-    - inetmock
-
- name: Create Gitea team credentials
-  kubernetes.core.k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: gitea-credentials
-        namespace: "concourse-{{ item }}"
-      data:
-        user: "{{ concourse.gitea.user | b64encode}}"
-        token: "{{ concourse.gitea.token | b64encode}}"
-  loop:
-    - main
-    - inetmock
-
- name: Create Github team credentials
-  kubernetes.core.k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: github-credentials
-        namespace: "concourse-{{ item }}"
-      data:
-        token: "{{ github.token | b64encode}}"
-  loop:
-    - main
-    - inetmock
--- a/k8s/roles/concourse/templates/rbac/deploy-role.yml.j2
+++ b/k8s/roles/concourse/templates/rbac/deploy-role.yml.j2
@ -1,41 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: concourse-deploy
-  labels:
-    app.kubernetes.io/name: concourse
-    app.kubernetes.io/part-of: concourse
-    app.kubernetes.io/component: worker
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - services
-    verbs:
-      - "*"
-
-  - apiGroups:
-      - "apps"
-    resources:
-      - deployments
-      - statefulsets
-    verbs:
-      - "*"
-
-  - apiGroups:
-      - "networking.k8s.io"
-    resources:
-      - "ingresses"
-    verbs:
-      - "*"
-
-  - apiGroups:
-      - "monitoring.coreos.com"
-    resources:
-      - "podmonitors"
-      - "servicemonitors"
-    verbs:
-      - "*"
--- a/k8s/roles/concourse/templates/rbac/deploy-rolebinding.yml.j2
+++ b/k8s/roles/concourse/templates/rbac/deploy-rolebinding.yml.j2
@ -1,13 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ item }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: concourse-deploy
-subjects:
- kind: ServiceAccount
-  name: concourse-worker
-  namespace: concourse
--- a/k8s/roles/concourse/templates/values.concourse.yml.j2
+++ b/k8s/roles/concourse/templates/values.concourse.yml.j2
@ -1,66 +0,0 @@
-web:
-  enabled: true
-  env:
-    - name: CONCOURSE_ENABLE_ACROSS_STEP
-      value: "true"
-    - name: CONCOURSE_ENABLE_PIPELINE_INSTANCES
-      value: "true"
-  service:
-    workerGateway:
-      type: NodePort
-      NodePort: 32222
-  ingress:
-    enabled: true
-    hosts:
-      - concourse.icb4dc0.de
-
-worker:
-  enabled: true
-
-concourse:
-  web:
-    externalUrl: https://concourse.icb4dc0.de
-    containerPlacementStrategies:
-      - limit-active-tasks
-      - fewest-build-containers
-    limitActiveTasks: 2
-    auth:
-      mainTeam:
-        oidc:
-          user: prskr
-      oidc:
-        enabled: true
-        displayName: Gitea
-        issuer: https://code.icb4dc0.de/
-        scope: ""
-        userNameKey: preferred_username
-        disableGroups: true
-        skipEmailVerifiedValidation: true
-    postgres:
-      host: postgres-15-postgresql.postgres.svc.cluster.local
-      port: "5432"
-      database: concourse
-    kubernetes:
-      teams:
-        - main
-        - inetmock
-    gc:
-      failedGracePeriod: 30s
-  worker:
-    runtime: containerd
-
-persistence:
-  enabled: true
-  worker:
-    storageClass: hcloud-volumes
-    size: "15Gi"
-
-postgresql:
-  enabled: false
-
-rbac:
-  apiVersion: v1
-  create: true
-
-secrets:
-  create: false
--- a/k8s/roles/drone/tasks/main.yml
+++ b/k8s/roles/drone/tasks/main.yml
@ -0,0 +1,80 @@
+---
+- name: Create Drone namespace
+  kubernetes.core.k8s:
+    name: drone
+    api_version: v1
+    kind: Namespace
+    state: present
+    definition:
+      metadata:
+        labels:
+          prometheus: default
+
+- name: Create Drone server secret
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: drone-secrets
+        namespace: drone
+      data:
+        DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
+        DRONE_GITEA_CLIENT_ID: "{{ drone.auth.clientId | b64encode }}"
+        DRONE_GITEA_CLIENT_SECRET: "{{ drone.auth.clientSecret | b64encode }}"
+        DRONE_GITEA_SERVER: "{{ 'https://code.icb4dc0.de' | b64encode }}"
+        DRONE_DATABASE_DATASOURCE: "{{ 'postgres://%s:%s@postgres-15-postgresql.postgres.svc.cluster.local:5432/drone?sslmode=disable' | format(drone.db.user, drone.db.password) | b64encode }}"
+        DRONE_DATABASE_SECRET: "{{ drone.db.secret | b64encode }}"
+        DRONE_COOKIE_SECRET: "{{ drone.cookie.secret | b64encode }}"
+        AWS_ACCESS_KEY_ID: "{{ minio.rootUser | b64encode }}"
+        AWS_SECRET_ACCESS_KEY: "{{ minio.rootPassword | b64encode }}"
+
+- name: Create Drone runner secret
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: drone-runner-secrets
+        namespace: drone
+      data:
+        DRONE_RPC_SECRET: "{{ drone.rpc.secret | b64encode }}"
+
+- name: Add Drone chart repo
+  kubernetes.core.helm_repository:
+    name: drone
+    repo_url: https://charts.drone.io
+
+- name: Add enapter chart repo
+  kubernetes.core.helm_repository:
+    name: enapter
+    repo_url: https://enapter.github.io/charts/
+
+- name: Deploy KeyDB
+  kubernetes.core.helm:
+    name: drone-session-cache
+    chart_ref: enapter/keydb
+    release_namespace: drone
+    chart_version: 0.46.1
+    update_repo_cache: true
+    release_values: "{{ lookup('template', 'values.keydb.yml.j2') | from_yaml }}"
+
+- name: Deploy Drone chart
+  kubernetes.core.helm:
+    name: drone
+    chart_ref: drone/drone
+    release_namespace: drone
+    chart_version: 0.6.3
+    update_repo_cache: true
+    release_values: "{{ lookup('template', 'values.drone.yml.j2') | from_yaml }}"
+
+- name: Deploy Drone runner chart
+  kubernetes.core.helm:
+    name: drone-kube-runner
+    chart_ref: drone/drone-runner-docker
+    release_namespace: drone
+    chart_version: 0.6.0
+    update_repo_cache: true
+    release_values: "{{ lookup('template', 'values.drone-runner-docker.yml.j2') | from_yaml }}"
--- a/k8s/roles/drone/templates/values.drone-runner-docker.yml.j2
+++ b/k8s/roles/drone/templates/values.drone-runner-docker.yml.j2
@ -0,0 +1,8 @@
+extraSecretNamesForEnvFrom:
+  - drone-runner-secrets
+
+env:
+  DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
+  DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
+  DRONE_RPC_PROTO: http
+  DRONE_RUNNER_CAPACITY: 1
--- a/k8s/roles/drone/templates/values.drone.yml.j2
+++ b/k8s/roles/drone/templates/values.drone.yml.j2
@ -0,0 +1,30 @@
+ingress:
+  enabled: true
+  hosts:
+    - host: drone.icb4dc0.de
+      paths:
+        - path: /
+          pathType: Prefix
+
+persistentVolume:
+  enabled: false
+
+extraSecretNamesForEnvFrom:
+ - drone-secrets
+
+env:
+  ## REQUIRED: Set the user-visible Drone hostname, sans protocol.
+  ## Ref: https://docs.drone.io/installation/reference/drone-server-host/
+  ##
+  DRONE_SERVER_HOST: "drone.icb4dc0.de"
+  DRONE_SERVER_PROTO: https
+
+  DRONE_DATABASE_DRIVER: postgres
+  DRONE_GIT_ALWAYS_AUTH: true
+
+  DRONE_S3_ENDPOINT: http://minio.minio.svc.cluster.local:9000
+  DRONE_S3_BUCKET: drone
+  DRONE_S3_PATH_STYLE: true
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_REGION: us-east-1
+  DRONE_REDIS_CONNECTION: redis://drone-session-cache-keydb:6379
--- a/k8s/roles/drone/templates/values.keydb.yml.j2
+++ b/k8s/roles/drone/templates/values.keydb.yml.j2
@ -0,0 +1,18 @@
+persistentVolume:
+  enabled: false
+
+resources:
+  requests:
+    cpu: 10m
+    memory: 60Mi
+  limits:
+    cpu: 100m
+    memory: 128Mi
+
+serviceMonitor:
+  enabled: true
+  labels:
+    prometheus: default
+
+exporter:
+  enabled: true