use Drone CI
All checks were successful
the build was successful

Andy 2018-02-11 20:25:25 +01:00
parent fa51bd7346
commit f6232364e3
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C
7 changed files with 180 additions and 0 deletions

39
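--- a/.drone.sh
+++ b/.drone.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -e
+# set -x
+# echo "--------------------------"
+# echo "--- export ---"
+# export
+# echo "--- env ---"
+# env
+# echo "--- set ---"
+# set
+# echo "--------------------------"
+# only execute this script as part of the pipeline.
+[ -z "$CI" ] && ( echo "I am not running in Drone CI"; exit 2; )
+# only execute the script when the client key and certificate exist.
+[ -z "$KUB_KEY" ] && ( echo "I need kub_key secret"; exit 3; )
+[ -z "$KUB_CRT" ] && ( echo "I need kub_crt secret"; exit 4; )
+# only execute the script when the CA certificate is present.
+[ -z "$KUB_CA" ] && ( echo "I need kub_ca"; exit 5; )
+# write the client key and the certificate
+echo -n "$KUB_KEY" > /root/kub.key
+chmod 600 /root/kub.key
+echo -n "$KUB_CRT" > /root/kub.crt
+# write the Kubernetes CA
+echo -n "$KUB_CA" > /root/ca.crt
+# check whether the certificate is signed by the CA
+# TODO: (install openssl ? ) openssl verify -CAfile /root/ca.crt /root/kub.crt && ( echo "kub_crt is not signed by kub_ca"; exit 6; )
+# Configure the cluster and the context
+kubectl config set-credentials arno --client-certificate=/root/kub.crt --client-key=/root/kub.key
+kubectl config set-cluster kubernetes --server=https://k8s.nixaid.com:6443 --certificate-authority=/root/ca.crt
+kubectl config set-context kub-context --cluster=kubernetes --namespace=arno --user=arno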
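Review bot: `echo -n "$KUB_KEY" > /root/kub.key` creates the key file under the default umask and only the following `chmod 600` tightens it, so with the usual 022 umask the key is briefly readable by other users in the container and stays that way if the script stops in between; add `umask 077` before the first write so the key, certificate and CA file are all created private. The commented-out `set -x` / `export` / `env` / `set` block at the top would print KUB_KEY into the build log if re-enabled, and DRONE.md in this commit notes that build history cannot be removed, so I would delete the block rather than keep it as a toggle. The guards of the form `[ -z "$CI" ] && ( echo …; exit 2; )` only exit the subshell and stop the script solely because `set -e` is on; `if [ -z "$CI" ]; then echo "…"; exit 2; fi` does not depend on that. The commented TODO has the same shape with the sense inverted: it would report "not signed" when `openssl verify` succeeds, so it needs `||` if it is ever enabled.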

28
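--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,28 @@
+pipeline:
+publish:
+# image: plugins/docker:17.10
+image: docker.nixaid.com:5010/plugins/docker:17.12
+# privileged: true -- rather pass DRONE_ESCALATE=docker.nixaid.com:5010/plugins/docker:17.12 to a Drone server
+registry: docker.nixaid.com:5010
+repo: docker.nixaid.com:5010/andrey01/rainloop
+# repo: andrey01/rainloop
+tag:
+- 1.11.3
+- latest
+dockerfile: Dockerfile
+secrets: [ docker_username, docker_password ]
+when:
+event: [ push, tag ]
+kubectl:
+image: docker.nixaid.com:5010/andrey01/kubectl:1.9.1
+pull: true # always pull the image
+secrets: [ kub_key, kub_crt, kub_ca ]
+commands:
+- "sh .drone.sh"
+- "kubectl --context=kub-context version"
+- "kubectl --context=kub-context get pods"
+- "kubectl --context=kub-context replace --force -f k8s/"
+- "sleep 3"
+- "kubectl --context=kub-context get pods"
+# XXX - kubectl --context=kub-context patch deployment testapp1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"testapp1","image":"andrey01/testapp1:latest"}]}}}}'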
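Review bot: The `kubectl` step has no `when:` filter, unlike `publish`, so the step that receives `kub_key`, `kub_crt` and `kub_ca` and runs `replace --force -f k8s/` executes for every branch and event that triggers the pipeline. I would restrict it to the deploy branch, e.g. `when: {branch: RELEASE_BRANCH, event: push}`, where RELEASE_BRANCH is a placeholder because the branch name is not on this page. `replace --force` deletes and recreates every object under k8s/, including the PersistentVolumeClaim from k8s/storage.yaml, so each run interrupts the service and, depending on the volume's reclaim policy, may put the mail data at risk; `kubectl --context=kub-context apply -f k8s/` updates the objects in place. Both step images are referenced by mutable tag; since the kubectl image is handed cluster credentials and the docker plugin image is escalated to privileged on the server, pinning them by digest is worth considering.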

42
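--- a/DRONE.md
+++ b/DRONE.md
@@ -0,0 +1,42 @@
+# Drone CI
+- Registry cannot be removed if it has https:// in its name #2341
+https://github.com/drone/drone/issues/2341
+https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+## Limitations
+- Drone DIND would always reuse cached docker images which could lead to the image leak across the private repos;
+- Drone runs plugins/drone in privileged mode despite the repo does not have Trusted: true nor privileged: true [ref](https://github.com/drone-plugins/drone-docker/issues/170)
+- Registry cannot be removed if it has https:// in its name #2341
+https://github.com/drone/drone/issues/2341
+https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+- Builds history cannot be removed (could lead to info leaks)
+## Troubleshooting
+- Set the Registry creds in your Drone repo
+```
+Error response from daemon: Get https://docker.nixaid.com:5010/v2/plugins/docker/manifests/17.12: no basic auth credentials
+```
+- Make sure plugins/drone is running in a privileged mode, by passing DRONE_ESCALATE=custom-docker-registry.com:5010/plugins/docker to the Drone server installation.
+- https://discourse.drone.io/t/plugins-docker-cannot-pull-when-image-repo-set-to-the-same-custom-docker-registry/1748
+- https://github.com/drone-plugins/drone-docker/issues/170
+```
+environment:
+DOCKER_LAUNCH_DEBUG: 'true'
+```
+```
++ /usr/local/bin/dockerd -g /var/lib/docker
+time="2018-02-11T21:13:26Z" level=fatal msg="Error authenticating: exit status 1"
+```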

26
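--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -0,0 +1,26 @@
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+name: rainloop
+spec:
+replicas: 1
+template:
+metadata:
+labels:
+app: rainloop
+spec:
+imagePullSecrets:
+- name: regsecret
+containers:
+- name: rainloop
+# command: ["sleep", "3600"]
+image: docker.nixaid.com:5010/andrey01/rainloop:1.11.3
+imagePullPolicy: Always
+volumeMounts:
+- mountPath: /opt/rainloop/data
+name: rainloop
+# rainloop also mounts /var/log/rainloop to a docker volume
+volumes:
+- name: rainloop
+persistentVolumeClaim:
+claimName: rainloop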
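Review bot: The `rainloop` container is declared without a `securityContext` and without `resources`, so this internet-facing webmail pod runs as whatever user and with whatever privileges the image defaults to, and with no memory or CPU bound. Under the container entry I would add `securityContext:` with `allowPrivilegeEscalation: false` (plus `runAsNonRoot: true` if the image supports it, which is not visible here) and a `resources:` block with requests and limits sized for the application. With `replicas: 1` and the ReadWriteOnce claim from k8s/storage.yaml, a rolling update can leave the new pod waiting for a volume the old pod still holds; `strategy: {type: Recreate}` in the Deployment spec avoids that.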

22
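--- a/k8s/ingress.yml
+++ b/k8s/ingress.yml
@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+name: rainloop
+annotations:
+ingress.kubernetes.io/rewrite-target: /
+kubernetes.io/ingress.class: "nginx"
+kubernetes.io/tls-acme: "true"
+ingress.kubernetes.io/proxy-body-size: 2g
+spec:
+rules:
+- host: "webmail.nixaid.com"
+http:
+paths:
+- backend:
+serviceName: rainloop
+servicePort: 80
+path: /
+tls:
+- hosts:
+- webmail.nixaid.com
+secretName: webmail-nixaid-com-tls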
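Review bot: `ingress.kubernetes.io/proxy-body-size: 2g` allows request bodies of up to 2 GB on the public host, and the proxy presumably accepts and buffers them before the application has validated the session, which exposes proxy disk and bandwidth to resource exhaustion. Size the limit to the largest attachment the mail setup actually accepts, e.g. `ingress.kubernetes.io/proxy-body-size: "MAX_ATTACHMENT_SIZE"` (placeholder value), quoted like the other annotation values. `ingress.kubernetes.io/rewrite-target: /` combined with the single `path: /` looks like a no-op and could probably be dropped.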

11
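--- a/k8s/service.yaml
+++ b/k8s/service.yaml
@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+name: rainloop
+spec:
+selector:
+app: rainloop
+ports:
+- protocol: TCP
+port: 80
+targetPort: 8080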

12
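--- a/k8s/storage.yaml
+++ b/k8s/storage.yaml
@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+name: rainloop
+spec:
+storageClassName: cinder
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 1Gi
+volumeName: rainloop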