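---
apiVersion: v1
kind: Namespace
metadata:
  name: cicd
  labels:
    name: cicd
---
# ClusterIssuer is a cluster-scoped kind, so it carries no metadata.namespace
# (the original set `namespace: cicd` here, which has no effect on this kind).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-woodpecker
spec:
  acme:
    email: me@adrien.run
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-woodpecker
    solvers:
      - http01:
          ingress:
            class: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: woodpecker-websecure-ingress
  namespace: cicd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-woodpecker
    # Router is attached to the TLS entrypoint only; no plain-HTTP router is
    # defined in this file.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
    - hosts:
        - woodpecker.adrien.run
      secretName: tls-woodpecker-ingress
  rules:
    - host: woodpecker.adrien.run
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: woodpecker
                port:
                  name: web
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
  name: woodpecker-server
  namespace: cicd
# The projected token is what the Vault agent sidecar presents for the
# Kubernetes auth method, so it must be mounted.
automountServiceAccountToken: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: woodpecker-server
  namespace: cicd
  labels:
    app: woodpecker-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: woodpecker-server
  template:
    metadata:
      labels:
        app: woodpecker-server
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # NOTE(review): with an explicit template below, the Vault agent
        # injector renders the template rather than this path on its own;
        # the template is what decides which secrets are read — confirm
        # against the injector version in use.
        vault.hashicorp.com/agent-inject-secret-woodpecker-server: "database/creds/cicd-woodpecker-server"
        # Rendered to /vault/secrets/woodpecker-server and sourced by the
        # container entrypoint below. Each value lands in an exported shell
        # variable, so the file holds live credentials in plaintext.
        # NOTE(review): `sslmode=disable` sends the DB credentials and CI
        # data to postgres.default unencrypted; switch to `sslmode=require`
        # (or `verify-full`) once that endpoint serves TLS.
        vault.hashicorp.com/agent-inject-template-woodpecker-server: |
          {{ with secret "database/creds/cicd-woodpecker-server" -}}
          export WOODPECKER_DATABASE_DATASOURCE=postgres://{{ .Data.username }}:{{ .Data.password }}@postgres.default:5432/cicd_woodpecker?sslmode=disable
          {{- end }}
          {{ with secret "cicd-woodpecker-server/oauth2-id" -}}
          export WOODPECKER_GITEA_CLIENT={{ .Data.key }}
          {{- end}}
          {{ with secret "cicd-woodpecker-server/oauth2-secret" -}}
          export WOODPECKER_GITEA_SECRET={{ .Data.key }}
          {{- end}}
          {{ with secret "cicd-woodpecker/agent-secret" -}}
          export WOODPECKER_AGENT_SECRET={{ .Data.key }}
          {{- end}}
        vault.hashicorp.com/role: "cicd-woodpecker-server"
    spec:
      containers:
        - name: woodpecker-server
          # NOTE(review): `latest-alpine` is a mutable tag, so every restart may
          # pull a different build; pin a version tag or an image digest so
          # upgrades are explicit and reviewable.
          image: woodpeckerci/woodpecker-server:latest-alpine
          command: ["/bin/sh"]
          # `exec` replaces the shell with the server so PID 1 receives
          # SIGTERM directly and the pod shuts down cleanly instead of being
          # killed at the end of the grace period.
          args: ["-c", "source /vault/secrets/woodpecker-server ; exec /bin/woodpecker-server"]
          env:
            - name: WOODPECKER_DATABASE_DRIVER
              value: postgres
            # Registration is closed; only the admin below and users they
            # approve can sign in.
            - name: WOODPECKER_OPEN
              value: "false"
            - name: WOODPECKER_ADMIN
              value: Adrien
            - name: WOODPECKER_HOST
              value: https://woodpecker.adrien.run
            # NOTE(review): trace-level logging is very verbose and may echo
            # request payloads or tokens into pod logs; lower to `info` (or
            # `debug` while troubleshooting) for a long-running deployment.
            - name: WOODPECKER_LOG_LEVEL
              value: trace
            - name: WOODPECKER_GITEA
              value: "true"
            - name: WOODPECKER_GITEA_URL
              value: https://git.adrien.run
          ports:
            - name: web
              containerPort: 8000
            # gRPC endpoint the agent connects to (see woodpecker-agent below).
            - name: agents
              containerPort: 9000
      # NOTE(review): no `resources` or container `securityContext` are set
      # on this pod — consider adding limits and a non-root, read-only-rootfs
      # context once the image's requirements are confirmed.
      serviceAccountName: woodpecker-server
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
  name: woodpecker-agent
  namespace: cicd
---
# Lets the agent run pipeline steps as pods in the cicd namespace.
# NOTE(review): pipeline pods are created in the same namespace as the
# Vault-bound ServiceAccounts above; running steps in a dedicated namespace
# keeps a compromised pipeline from reaching those accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: cicd
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["create", "get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-agent-pod-creator
  namespace: cicd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-creator
subjects:
  - kind: ServiceAccount
    name: woodpecker-agent
    namespace: cicd
---
# Per-step workspace volumes (WOODPECKER_BACKEND_K8S_STORAGE_CLASS below).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pvc-creator
  namespace: cicd
rules:
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-agent-pvc-creator
  namespace: cicd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pvc-creator
subjects:
  - kind: ServiceAccount
    name: woodpecker-agent
    namespace: cicd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: woodpecker-agent
  namespace: cicd
  labels:
    app: woodpecker-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: woodpecker-agent
  template:
    metadata:
      labels:
        app: woodpecker-agent
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # NOTE(review): this path names a database credential, but the
        # template below only reads `cicd-woodpecker/agent-secret`; the
        # annotation looks copied from the server and should probably point
        # at the same path as the template — confirm before changing.
        vault.hashicorp.com/agent-inject-secret-woodpecker-agent: "database/creds/cicd-woodpecker-agent"
        # Rendered to /vault/secrets/woodpecker-agent and sourced below.
        vault.hashicorp.com/agent-inject-template-woodpecker-agent: |
          {{ with secret "cicd-woodpecker/agent-secret" -}}
          export WOODPECKER_AGENT_SECRET={{ .Data.key }}
          {{- end}}
        vault.hashicorp.com/role: "cicd-woodpecker-agent"
    spec:
      containers:
        - name: woodpecker-agent
          # NOTE(review): mutable tag; pin a version tag or digest (see the
          # server deployment).
          image: woodpeckerci/woodpecker-agent:latest-alpine
          command: ["/bin/sh"]
          # `exec` so the agent, not the shell, is PID 1 and gets SIGTERM.
          args: ["-c", "source /vault/secrets/woodpecker-agent ; exec /bin/woodpecker-agent"]
          env:
            - name: WOODPECKER_USERNAME
              value: woodpecker-agent
            # In-cluster gRPC address of the server Service (port `agents`).
            - name: WOODPECKER_SERVER
              value: woodpecker:9000
            - name: WOODPECKER_BACKEND_K8S_NAMESPACE
              value: cicd
            - name: WOODPECKER_BACKEND_K8S_STORAGE_CLASS
              value: nfs
            - name: WOODPECKER_BACKEND_K8S_VOLUME_SIZE
              value: 1Gi
            - name: WOODPECKER_DEBUG_PRETTY
              value: "true"
            - name: WOODPECKER_BACKEND
              value: kubernetes
            # NOTE(review): trace-level logging on the agent will include
            # step details in pod logs; lower to `info` for steady state.
            - name: WOODPECKER_LOG_LEVEL
              value: trace
          ports:
            - name: web
              containerPort: 3000
      serviceAccountName: woodpecker-agent
---
# Fronts the server: `web` for the Ingress, `agents` for the agent's gRPC.
apiVersion: v1
kind: Service
metadata:
  name: woodpecker
  namespace: cicd
  labels:
    app: woodpecker-server
spec:
  ports:
    - name: web
      port: 8000
      targetPort: web
    - name: agents
      port: 9000
      targetPort: agents
  selector:
    app: woodpecker-server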