Add woodpecker CI/CD

This commit is contained in:
2024-02-11 11:51:39 +01:00
parent 52f68f8eb7
commit 4643d14df3
5 changed files with 316 additions and 1 deletions

ci-cd.yaml Normal file

@@ -0,0 +1,252 @@
apiVersion: v1
kind: Namespace
metadata:
name: cicd
labels:
name: cicd
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-woodpecker
namespace: cicd
spec:
acme:
email: me@adrien.run
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-woodpecker
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: woodpecker-websecure-ingress
namespace: cicd
annotations:
cert-manager.io/cluster-issuer: letsencrypt-woodpecker
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- woodpecker.adrien.run
secretName: tls-woodpecker-ingress
rules:
- host: woodpecker.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: woodpecker
port:
name: web
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
name: woodpecker-server
namespace: cicd
automountServiceAccountToken: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: woodpecker-server
namespace: cicd
labels:
app: woodpecker-server
spec:
replicas: 1
selector:
matchLabels:
app: woodpecker-server
template:
metadata:
labels:
app: woodpecker-server
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-woodpecker-server: "database/creds/cicd-woodpecker-server"
vault.hashicorp.com/agent-inject-template-woodpecker-server: |
{{ with secret "database/creds/cicd-woodpecker-server" -}}
export WOODPECKER_DATABASE_DATASOURCE=postgres://{{ .Data.username }}:{{ .Data.password }}@postgres.default:5432/cicd_woodpecker?sslmode=disable
{{- end }}
{{ with secret "cicd-woodpecker-server/oauth2-id" -}}
export WOODPECKER_GITEA_CLIENT={{ .Data.key }}
{{- end}}
{{ with secret "cicd-woodpecker-server/oauth2-secret" -}}
export WOODPECKER_GITEA_SECRET={{ .Data.key }}
{{- end}}
{{ with secret "cicd-woodpecker/agent-secret" -}}
export WOODPECKER_AGENT_SECRET={{ .Data.key }}
{{- end}}
vault.hashicorp.com/role: "cicd-woodpecker-server"
spec:
containers:
- name: woodpecker-server
image: woodpeckerci/woodpecker-server:latest-alpine
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/woodpecker-server ; /bin/woodpecker-server"]
env:
- name: WOODPECKER_DATABASE_DRIVER
value: postgres
- name: WOODPECKER_OPEN
value: "false"
- name: WOODPECKER_ADMIN
value: Adrien
- name: WOODPECKER_HOST
value: https://woodpecker.adrien.run
- name: WOODPECKER_LOG_LEVEL
value: trace
- name: WOODPECKER_GITEA
value: "true"
- name: WOODPECKER_GITEA_URL
value: https://git.adrien.run
ports:
- name: web
containerPort: 8000
- name: agents
containerPort: 9000
serviceAccountName: woodpecker-server
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
name: woodpecker-agent
namespace: cicd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-creator
namespace: cicd
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["create", "get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-agent-pod-creator
namespace: cicd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-creator
subjects:
- kind: ServiceAccount
name: woodpecker-agent
namespace: cicd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pvc-creator
namespace: cicd
rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-agent-pvc-creator
namespace: cicd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pvc-creator
subjects:
- kind: ServiceAccount
name: woodpecker-agent
namespace: cicd
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: woodpecker-agent
namespace: cicd
labels:
app: woodpecker-agent
spec:
replicas: 1
selector:
matchLabels:
app: woodpecker-agent
template:
metadata:
labels:
app: woodpecker-agent
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-woodpecker-agent: "database/creds/cicd-woodpecker-agent"
vault.hashicorp.com/agent-inject-template-woodpecker-agent: |
{{ with secret "cicd-woodpecker/agent-secret" -}}
export WOODPECKER_AGENT_SECRET={{ .Data.key }}
{{- end}}
vault.hashicorp.com/role: "cicd-woodpecker-agent"
spec:
containers:
- name: woodpecker-agent
image: woodpeckerci/woodpecker-agent:latest-alpine
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/woodpecker-agent ; /bin/woodpecker-agent"]
env:
- name: WOODPECKER_USERNAME
value: woodpecker-agent
- name: WOODPECKER_SERVER
value: woodpecker:9000
- name: WOODPECKER_BACKEND_K8S_NAMESPACE
value: cicd
- name: WOODPECKER_BACKEND_K8S_STORAGE_CLASS
value: nfs
- name: WOODPECKER_BACKEND_K8S_VOLUME_SIZE
value: 1Gi
- name: WOODPECKER_DEBUG_PRETTY
value: "true"
- name: WOODPECKER_BACKEND
value: kubernetes
- name: WOODPECKER_LOG_LEVEL
value: trace
ports:
- name: web
containerPort: 3000
serviceAccountName: woodpecker-agent
---
apiVersion: v1
kind: Service
metadata:
name: woodpecker
namespace: cicd
labels:
app: woodpecker-server
spec:
ports:
- name: web
port: 8000
targetPort: web
- name: agents
port: 9000
targetPort: agents
selector:
app: woodpecker-server
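Review bot: The Postgres datasource rendered by the Vault template for woodpecker-server ends in `?sslmode=disable`, so the dynamic database credentials that Vault just issued, and all subsequent CI metadata, travel to postgres.default in cleartext; unless the in-cluster link is otherwise encrypted, that line should become `...@postgres.default:5432/cicd_woodpecker?sslmode=require` (or verify-full with a CA). Both Deployments pull `woodpeckerci/woodpecker-server:latest-alpine` and `woodpeckerci/woodpecker-agent:latest-alpine`, a mutable tag that makes every pod restart a silent, unreviewed upgrade; pin a release tag, ideally with an image digest. Both containers also run with `WOODPECKER_LOG_LEVEL: trace`, which is likely to write request and credential material into pod logs and should be `info` outside debugging. In the container command, `source /vault/secrets/woodpecker-server ; /bin/woodpecker-server` starts the server even when the secrets file is absent; `source /vault/secrets/woodpecker-server && exec /bin/woodpecker-server` fails fast instead, and the same applies to the agent. Separately, `ClusterIssuer` is cluster-scoped, so the `namespace: cicd` in its metadata is ignored and can be dropped.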