use Drone CI

.drone.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+# set -x
+
+# echo "--------------------------"
+# echo "--- export ---"
+# export
+# echo "--- env ---"
+# env
+# echo "--- set ---"
+# set
+# echo "--------------------------"
+
+# only execute this script as part of the pipeline.
+[ -z "$CI" ] && ( echo "I am not running in Drone CI"; exit 2; )
+
+# only execute the script when the client key and certificate exist.
+[ -z "$KUB_KEY" ] && ( echo "I need kub_key secret"; exit 3; )
+[ -z "$KUB_CRT" ] && ( echo "I need kub_crt secret"; exit 4; )
+
+# only execute the script when the CA certificate is present.
+[ -z "$KUB_CA" ] && ( echo "I need kub_ca"; exit 5; )
+
+# write the client key and the certificate
+echo -n "$KUB_KEY" > /root/kub.key
+chmod 600 /root/kub.key
+echo -n "$KUB_CRT" > /root/kub.crt
+
+# write the Kubernetes CA
+echo -n "$KUB_CA" > /root/ca.crt
+
+# check whether the certificate is signed by the CA
+# TODO: (install openssl ? ) openssl verify -CAfile /root/ca.crt /root/kub.crt && ( echo "kub_crt is not signed by kub_ca"; exit 6; )
+
+# Configure the cluster and the context
+kubectl config set-credentials arno --client-certificate=/root/kub.crt --client-key=/root/kub.key
+kubectl config set-cluster kubernetes --server=https://k8s.nixaid.com:6443 --certificate-authority=/root/ca.crt
+kubectl config set-context kub-context --cluster=kubernetes --namespace=arno --user=arno

.drone.yml

@@ -0,0 +1,28 @@
+pipeline:
+  publish:
+    # image: plugins/docker:17.10
+    image: docker.nixaid.com:5010/plugins/docker:17.12
+    # privileged: true -- rather pass DRONE_ESCALATE=docker.nixaid.com:5010/plugins/docker:17.12 to a Drone server
+    registry: docker.nixaid.com:5010
+    repo: docker.nixaid.com:5010/andrey01/rainloop
+    # repo: andrey01/rainloop
+    tag:
+      - 1.11.3
+      - latest
+    dockerfile: Dockerfile
+    secrets: [ docker_username, docker_password ]
+    when:
+      event: [ push, tag ]
+
+  kubectl:
+    image: docker.nixaid.com:5010/andrey01/kubectl:1.9.1
+    pull: true # always pull the image
+    secrets: [ kub_key, kub_crt, kub_ca ]
+    commands:
+      - "sh .drone.sh"
+      - "kubectl --context=kub-context version"
+      - "kubectl --context=kub-context get pods"
+      - "kubectl --context=kub-context replace --force -f k8s/"
+      - "sleep 3"
+      - "kubectl --context=kub-context get pods"
+      # XXX - kubectl --context=kub-context patch deployment testapp1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"testapp1","image":"andrey01/testapp1:latest"}]}}}}'

DRONE.md

@@ -0,0 +1,42 @@
+# Drone CI
+
+- Registry cannot be removed if it has https:// in its name #2341
+
+https://github.com/drone/drone/issues/2341
+
+https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+
+## Limitations
+
+- Drone DIND would always reuse cached docker images which could lead to the image leak across the private repos;
+
+- Drone runs plugins/drone in privileged mode despite the repo does not have Trusted: true nor privileged: true [ref](https://github.com/drone-plugins/drone-docker/issues/170)
+
+- Registry cannot be removed if it has https:// in its name #2341
+  https://github.com/drone/drone/issues/2341
+  https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943
+
+- Builds history cannot be removed (could lead to info leaks)
+
+## Troubleshooting
+
+- Set the Registry creds in your Drone repo
+
+```
+Error response from daemon: Get https://docker.nixaid.com:5010/v2/plugins/docker/manifests/17.12: no basic auth credentials
+```
+
+- Make sure plugins/drone is running in a privileged mode, by passing DRONE_ESCALATE=custom-docker-registry.com:5010/plugins/docker to the Drone server installation.
+
+- https://discourse.drone.io/t/plugins-docker-cannot-pull-when-image-repo-set-to-the-same-custom-docker-registry/1748
+- https://github.com/drone-plugins/drone-docker/issues/170
+
+```
+environment:
+     DOCKER_LAUNCH_DEBUG: 'true'
+```
+
+```
++ /usr/local/bin/dockerd -g /var/lib/docker
+time="2018-02-11T21:13:26Z" level=fatal msg="Error authenticating: exit status 1"
+```

k8s/deployment.yaml

@@ -0,0 +1,26 @@
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: rainloop
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: rainloop
+    spec:
+      imagePullSecrets:
+        - name: regsecret
+      containers:
+      - name: rainloop
+        # command: ["sleep", "3600"]
+        image: docker.nixaid.com:5010/andrey01/rainloop:1.11.3
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /opt/rainloop/data
+          name: rainloop
+        # rainloop also mounts /var/log/rainloop to a docker volume
+      volumes:
+      - name: rainloop
+        persistentVolumeClaim:
+          claimName: rainloop

k8s/ingress.yml

@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: rainloop
+  annotations:
+    ingress.kubernetes.io/rewrite-target: /
+    kubernetes.io/ingress.class: "nginx"
+    kubernetes.io/tls-acme: "true"
+    ingress.kubernetes.io/proxy-body-size: 2g
+spec:
+  rules:
+  - host: "webmail.nixaid.com"
+    http:
+      paths:
+      - backend:
+          serviceName: rainloop
+          servicePort: 80
+        path: /
+  tls:
+    - hosts:
+      - webmail.nixaid.com
+      secretName: webmail-nixaid-com-tls

k8s/service.yaml

@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rainloop
+spec:
+  selector:
+    app: rainloop
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080

k8s/storage.yaml

@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: rainloop
+spec:
+  storageClassName: cinder
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: rainloop