CI vault secrets & Kubernetes (#2)

* Define secrets that use vault plugin * Fix drone linting issue * Persist .kube folder as volume between build steps * Split Build and Publish into separate pipelines * Only run publish pipeline when triggered by main * Import .kube/config from vault * echo env variables contents into kube config file * drone-vault not working, curl with token instead * Removed all secrets, look to org secrets * Kubernetes file * Import dockerconfig from vault and apply as kubernetes secret
2025-10-29 01:30:39 +00:00 · 2024-02-09 23:43:18 +01:00
parent 18428c5767
commit 354d22ba17
5 changed files with 161 additions and 11 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: docker
-name: Build and publish
+name: Build

 platform:
  os: linux
@@ -15,6 +15,16 @@ steps:
      - make install
      - make build

+---
+kind: pipeline
+type: docker
+name: Publish
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
  - name: Build and publish docker image
    image: plugins/docker
    settings:
@@ -24,19 +34,83 @@ steps:
      username:
        from_secret: GITHUB_USERNAME
      password:
-        from_secret: GITHUB_PASSWORD
+        from_secret: GHCR_UPLOAD_TOKEN
      tags: latest
-    when:
-      event:
-        include:
-          - push
-        exclude:
-          - pull_request
-      branch:
-        - main
+
+trigger:
+  event:
+    include:
+      - push
+    exclude:
+      - pull_request
+  branch:
+    - main
+
+depends_on:
+  - Build
+
+---
+kind: pipeline
+type: docker
+name: Deploy
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: Prepare kubernetes environment
+    image: alpine/k8s:1.25.15
+    commands:
+      - mkdir -p /root/.kube
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/${DRONE_REPO_NAME}
+        | jq -r ".data.data.KUBE_CONFIG" > /root/.kube/config'
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/${DRONE_REPO_NAME}
+        | jq -r ".data | .data | .[\"ghcr-login-secret\"]" > /root/.kube/dockerconfig.json'
+    environment:
+      VAULT_TOKEN:
+        from_secret: VAULT_TOKEN
+      VAULT_HOST:
+        from_secret: VAULT_HOST
+    volumes:
+    - name: kube-config
+      path: /root/.kube
+
+  - name: Deploy to kubernetes
+    image: alpine/k8s:1.25.15
+    commands:
+      - export DOCKER_CONFIG_BASE64=$(cat /root/.kube/dockerconfig.json | tr -d "\n" | base64 -w 0)
+      - export IMAGE="ghcr.io/kevinmidboe/${DRONE_REPO_NAME}:${DRONE_COMMIT_SHA}"
+      - cat .kubernetes/*.yml
+        | envsubst
+        | kubectl --kubeconfig=/root/.kube/config apply -f -
+    volumes:
+    - name: kube-config
+      path: /root/.kube
+
+trigger:
+  event:
+    include:
+      - push
+    exclude:
+      - pull_request
+  branch:
+    - main
+
+depends_on:
+  - Build
+  - Publish
+
+volumes:
+- name: kube-config
+  temp: {}

 ---
 kind: signature
-hmac: 46d4d087047afb6e18032e1fea13ba964589d86aaf012343821804612baf5678
+hmac: cb65389bbc13b392c364cf85f3863195049ce8cb515c5a378472e0b0b3c68483

 ...
--- a/.kubernetes/0-namespace.yml
+++ b/.kubernetes/0-namespace.yml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: schleppe-lab
--- a/.kubernetes/deployment.yml
+++ b/.kubernetes/deployment.yml
@@ -0,0 +1,42 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    deployment.kubernetes.io/revision: '1'
+  labels:
+    app: schleppe-lab
+  name: schleppe-lab
+  namespace: schleppe-lab
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 2
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: schleppe-lab
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: schleppe-lab
+    spec:
+      containers:
+        - image: ${IMAGE}
+          imagePullPolicy: Always
+          name: schleppe-lab
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      imagePullSecrets:
+      - name: ghcr-login-secret
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
--- a/.kubernetes/ghcr-token-secret.yml
+++ b/.kubernetes/ghcr-token-secret.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-login-secret
+  namespace: schleppe-lab
+data:
+  .dockerconfigjson: |
+    ${DOCKER_CONFIG_BASE64}
+type: kubernetes.io/dockerconfigjson
--- a/.kubernetes/service.yml
+++ b/.kubernetes/service.yml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: schleppe-lab
+  name: schleppe-lab-service
+  namespace: schleppe-lab
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: schleppe-lab
+  sessionAffinity: None
+  type: ClusterIP
+status:
+  loadBalancer: {}