From f6232364e373d6103c76bf3f1573486c421cde30 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Sun, 11 Feb 2018 20:25:25 +0100
Subject: [PATCH] use Drone CI
---
 .drone.sh | 39 +++++++++++++++++++++++++++++++++++++++
 .drone.yml | 28 ++++++++++++++++++++++++++++
 DRONE.md | 42 ++++++++++++++++++++++++++++++++++++++++++
 k8s/deployment.yaml | 26 ++++++++++++++++++++++++++
 k8s/ingress.yml | 22 ++++++++++++++++++++++
 k8s/service.yaml | 11 +++++++++++
 k8s/storage.yaml | 12 ++++++++++++
 7 files changed, 180 insertions(+)
 create mode 100755 .drone.sh
 create mode 100644 .drone.yml
 create mode 100644 DRONE.md
 create mode 100644 k8s/deployment.yaml
 create mode 100644 k8s/ingress.yml
 create mode 100644 k8s/service.yaml
 create mode 100644 k8s/storage.yaml
diff --git a/.drone.sh b/.drone.sh
new file mode 100755
index 0000000..575651b
--- /dev/null
+++ b/.drone.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+# set -x
+
+# echo "--------------------------"
+# echo "--- export ---"
+# export
+# echo "--- env ---"
+# env
+# echo "--- set ---"
+# set
+# echo "--------------------------"
+
+# only execute this script as part of the pipeline.
+[ -z "$CI" ] && ( echo "I am not running in Drone CI"; exit 2; )
+
+# only execute the script when the client key and certificate exist.
+[ -z "$KUB_KEY" ] && ( echo "I need kub_key secret"; exit 3; )
+[ -z "$KUB_CRT" ] && ( echo "I need kub_crt secret"; exit 4; )
+
+# only execute the script when the CA certificate is present.
+[ -z "$KUB_CA" ] && ( echo "I need kub_ca"; exit 5; )
+
+# write the client key and the certificate
+echo -n "$KUB_KEY" > /root/kub.key
+chmod 600 /root/kub.key
+echo -n "$KUB_CRT" > /root/kub.crt
+
+# write the Kubernetes CA
+echo -n "$KUB_CA" > /root/ca.crt
+
+# check whether the certificate is signed by the CA
+# TODO: (install openssl ? ) openssl verify -CAfile /root/ca.crt /root/kub.crt && ( echo "kub_crt is not signed by kub_ca"; exit 6; )
+
+# Configure the cluster and the context
+kubectl config set-credentials arno --client-certificate=/root/kub.crt --client-key=/root/kub.key
+kubectl config set-cluster kubernetes --server=https://k8s.nixaid.com:6443 --certificate-authority=/root/ca.crt
+kubectl config set-context kub-context --cluster=kubernetes --namespace=arno --user=arno
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..ee7f4f1
--- /dev/null
+++ b/.drone.yml
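Review bot: The `exit` in each guard (`[ -z "$CI" ]`, `KUB_KEY`, `KUB_CRT`, `KUB_CA`) runs inside a `( … )` subshell, so it terminates only that subshell; the script stops today only because `set -e` treats the failed subshell, being the last command of the `&&` list, as fatal, and anyone who later drops `set -e` to debug gets a script that prints the complaint and then writes the kubeconfig anyway. Use a brace group and send the diagnostic to stderr, e.g. `[ -z "$CI" ] && { echo "I am not running in Drone CI" >&2; exit 2; }`, and likewise for the three secret checks. The commented `openssl verify` TODO also has its test inverted — a successful verification would trigger the "not signed" branch — so when it is enabled it should read `openssl verify -CAfile /root/ca.crt /root/kub.crt || { echo "kub_crt is not signed by kub_ca" >&2; exit 6; }`. `/root/kub.key` is created with the default umask before the `chmod 600` line; putting `umask 077` before the `echo -n "$KUB_KEY" > /root/kub.key` line closes that window, and `printf '%s' "$KUB_KEY"` is the portable form of `echo -n` under `#!/bin/sh`.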
@@ -0,0 +1,28 @@
+pipeline:
+ publish:
+ # image: plugins/docker:17.10
+ image: docker.nixaid.com:5010/plugins/docker:17.12
+ # privileged: true -- rather pass DRONE_ESCALATE=docker.nixaid.com:5010/plugins/docker:17.12 to a Drone server
+ registry: docker.nixaid.com:5010
+ repo: docker.nixaid.com:5010/andrey01/rainloop
+ # repo: andrey01/rainloop
+ tag:
+ - 1.11.3
+ - latest
+ dockerfile: Dockerfile
+ secrets: [ docker_username, docker_password ]
+ when:
+ event: [ push, tag ]
+
+ kubectl:
+ image: docker.nixaid.com:5010/andrey01/kubectl:1.9.1
+ pull: true # always pull the image
+ secrets: [ kub_key, kub_crt, kub_ca ]
+ commands:
+ - "sh .drone.sh"
+ - "kubectl --context=kub-context version"
+ - "kubectl --context=kub-context get pods"
+ - "kubectl --context=kub-context replace --force -f k8s/"
+ - "sleep 3"
+ - "kubectl --context=kub-context get pods"
+ # XXX - kubectl --context=kub-context patch deployment testapp1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"testapp1","image":"andrey01/testapp1:latest"}]}}}}'
diff --git a/DRONE.md b/DRONE.md
new file mode 100644
index 0000000..73b79bc
--- /dev/null
+++ b/DRONE.md
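Review bot: `kubectl --context=kub-context replace --force -f k8s/` deletes and recreates every object under `k8s/`, which includes the PersistentVolumeClaim in `storage.yaml`; deleting that PVC releases (or, depending on the PV's reclaim policy, destroys) the volume holding rainloop's data, and the Deployment is torn down on every build rather than rolled. `kubectl --context=kub-context apply -f k8s/` creates the objects on first run and updates them in place afterwards, which is what this step appears to want. Separately, the `kubectl` step has no `when:` block, so it runs — with the `kub_*` secrets — on every event Drone delivers for the repository, deploying whatever a push to any branch produced; restricting it with `when:` / `branch: master` / `event: [ push, tag ]` (three lines) keeps unreviewed branches out of the cluster, and the same `branch` restriction on `publish` stops them from overwriting the `latest` tag. Whether pull-request builds also receive secrets depends on the server's secret settings, which are not visible here.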
@@ -0,0 +1,42 @@
+# Drone CI
+
+- Registry cannot be removed if it has https:// in its name #2341
+
+https://github.com/drone/drone/issues/2341
+
+https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+
+## Limitations
+
+- Drone DIND would always reuse cached docker images which could lead to the image leak across the private repos;
+
+- Drone runs plugins/drone in privileged mode despite the repo does not have Trusted: true nor privileged: true [ref](https://github.com/drone-plugins/drone-docker/issues/170)
+
+- Registry cannot be removed if it has https:// in its name #2341
+ https://github.com/drone/drone/issues/2341
+ https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+
+- Builds history cannot be removed (could lead to info leaks)
+
+## Troubleshooting
+
+- Set the Registry creds in your Drone repo
+
+```
+Error response from daemon: Get https://docker.nixaid.com:5010/v2/plugins/docker/manifests/17.12: no basic auth credentials
+```
+
+- Make sure plugins/drone is running in a privileged mode, by passing DRONE_ESCALATE=custom-docker-registry.com:5010/plugins/docker to the Drone server installation.
+
+- https://discourse.drone.io/t/plugins-docker-cannot-pull-when-image-repo-set-to-the-same-custom-docker-registry/1748
+- https://github.com/drone-plugins/drone-docker/issues/170
+
+```
+environment:
+ DOCKER_LAUNCH_DEBUG: 'true'
+```
+
+```
++ /usr/local/bin/dockerd -g /var/lib/docker
+time="2018-02-11T21:13:26Z" level=fatal msg="Error authenticating: exit status 1"
+```
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
new file mode 100644
index 0000000..a4d753d
--- /dev/null
+++ b/k8s/deployment.yaml
@@ -0,0 +1,26 @@
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: rainloop
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rainloop
+ spec:
+ imagePullSecrets:
+ - name: regsecret
+ containers:
+ - name: rainloop
+ # command: ["sleep", "3600"]
+ image: docker.nixaid.com:5010/andrey01/rainloop:1.11.3
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /opt/rainloop/data
+ name: rainloop
+ # rainloop also mounts /var/log/rainloop to a docker volume
+ volumes:
+ - name: rainloop
+ persistentVolumeClaim:
+ claimName: rainloop
diff --git a/k8s/ingress.yml b/k8s/ingress.yml
new file mode 100644
index 0000000..dfa0872
--- /dev/null
+++ b/k8s/ingress.yml
@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: rainloop
+ annotations:
+ ingress.kubernetes.io/rewrite-target: /
+ kubernetes.io/ingress.class: "nginx"
+ kubernetes.io/tls-acme: "true"
+ ingress.kubernetes.io/proxy-body-size: 2g
+spec:
+ rules:
+ - host: "webmail.nixaid.com"
+ http:
+ paths:
+ - backend:
+ serviceName: rainloop
+ servicePort: 80
+ path: /
+ tls:
+ - hosts:
+ - webmail.nixaid.com
+ secretName: webmail-nixaid-com-tls
diff --git a/k8s/service.yaml b/k8s/service.yaml
new file mode 100644
index 0000000..83731c3
--- /dev/null
+++ b/k8s/service.yaml
@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rainloop
+spec:
+ selector:
+ app: rainloop
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080
diff --git a/k8s/storage.yaml b/k8s/storage.yaml
new file mode 100644
index 0000000..2380a75
--- /dev/null
+++ b/k8s/storage.yaml
@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: rainloop
+spec:
+ storageClassName: cinder
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName: rainloop
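Review bot: The `rainloop` container in `k8s/deployment.yaml` declares neither a `securityContext` nor `resources`, so a process that parses untrusted mail from remote IMAP servers runs with every capability the runtime grants by default and with no CPU or memory ceiling on the node. The image's user is not visible here, so `runAsNonRoot` cannot be asserted, but `allowPrivilegeEscalation: false` and dropping all capabilities are safe for a service listening on 8080 (per `service.yaml`), and requests/limits stop one runaway fetch from starving neighbouring pods — the numbers below are placeholders to tune against observed usage. `readOnlyRootFilesystem` would need an `emptyDir` for the `/var/log/rainloop` path mentioned in the comment, so it is left out.
```yaml
      containers:
      - name: rainloop
        image: docker.nixaid.com:5010/andrey01/rainloop:1.11.3
        imagePullPolicy: Always
        # … unchanged: volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 512Mi
```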
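Review bot: `ingress.kubernetes.io/proxy-body-size: 2g` in `k8s/ingress.yml` applies to every request under `path: /`, including the unauthenticated login endpoint, so any client on the Internet can stream 2 GB bodies at the backend before it has a session; size it to what attachment uploads actually need (e.g. `ingress.kubernetes.io/proxy-body-size: 64m`) and let rainloop's own upload limit do the rest. The annotation prefix is also worth confirming against the controller in use — newer nginx-ingress releases read `nginx.ingress.kubernetes.io/…` and silently ignore the older `ingress.kubernetes.io/…` form — because if it is ignored this limit and `rewrite-target` are both no-ops with no error. `ingress.kubernetes.io/rewrite-target: /` is redundant for `path: /` in any case and can be dropped.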