Deploy with helm

templates/drone-Namespace.yaml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: drone
-

templates/drone-helm-value.yaml.j2

@@ -0,0 +1,250 @@
+{% if drone_version is defined %}
+image:
+#  repository: drone/drone
+  tag: "{{ drone_version }}"
+#  pullPolicy: IfNotPresent
+{% endif %}
+
+## If you need to pull images from a private Docker image repository, pass in the name
+## of a Kubernetes Secret that contains the needed secret. For more details, see:
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+##
+imagePullSecrets: []
+# - name: "image-pull-secret"
+
+nameOverride: ""
+fullnameOverride: ""
+
+# Drone server does not interact with the Kubernetes API server
+automountServiceAccountToken: false
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+## Add extra annotations to the Drone server pods here. See below example for
+## Prometheus scrape annotations.
+##
+podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "80"
+
+updateStrategy: {}
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    # kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    traefik.ingress.kubernetes.io/router.middlewares: security_headers@file
+  hosts:
+    - host: drone.{{ traefik_domain }}
+      paths:
+        - "/"
+  tls:
+    - secretName: drone.{{ traefik_domain }}
+      hosts:
+        - drone.{{ traefik_domain }}
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+## If you'd like to force the Drone server to run on a specific node or set of nodes,
+## set a selector here.
+##
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+## If you'd like to make additional files or volumes available to Drone, declare additional
+## Volumes here per the Pod spec's "volumes" section.
+## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
+##
+extraVolumes: []
+## If you have declared extra volumes, mount them here, per the Pod Container's
+## "volumeMounts" section.
+##
+extraVolumeMounts: []
+
+persistentVolume:
+  ## If you are using SQLite as your DB for Drone, it is recommended to enable persistence. If
+  ## enabled, the Chart will create a PersistentVolumeClaim to store its state in. If you are
+  ## using a DB other than SQLite, set this to false to avoid allocating unused storage.
+  ## If set to false, Drone will use an emptyDir instead, which is ephemeral.
+  ##
+  enabled: true
+
+  ## Drone server data Persistent Volume access modes
+  ## Must match those of existing PV or dynamic provisioner
+  ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+  ##
+  accessModes:
+    - ReadWriteOnce
+
+  ## Drone server data Persistent Volume annotations
+  ##
+  annotations: {}
+
+  ## If you'd like to bring your own PVC for persisting Drone state, pass the name of the
+  ## created + ready PVC here. If set, this Chart will not create the default PVC.
+  ## Requires server.persistentVolume.enabled: true
+  ##
+  existingClaim: ""
+
+  ## Drone server data Persistent Volume mount root path
+  ##
+  mountPath: /data
+
+  ## Drone server data Persistent Volume size
+  ##
+  size: 8Gi
+
+  ## Drone server data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+{% if drone_storage_classname is defined %}
+  storageClass: "{{ drone_storage_classname }}"
+{% else %}
+  storageClass: ""
+{% endif %}
+
+  ## Drone server data Persistent Volume Binding Mode
+  ## If defined, volumeMode: <volumeMode>
+  ## If empty (the default) or set to null, no volumeBindingMode spec is
+  ## set, choosing the default mode.
+  ##
+  volumeMode: ""
+
+  ## Subdirectory of Drone server data Persistent Volume to mount
+  ## Useful if the volume's root directory is not empty
+  ##
+  subPath: ""
+
+## If persistentVolume.enabled is set to false, Drone will mount an emptyDir instead of
+## a PVC for any state that it needs to persist.
+##
+emptyDir:
+  ## Total space to request for the emptyDir. An empty value here means no limit.
+  sizeLimit: ""
+
+## If you'd like to provide your own Kubernetes Secret object instead of passing your values
+## in un-encrypted, pass in the name of a created + populated Secret in the same Namespace
+## as the Drone server. All secrets within this configmap will be mounted as environment
+## variables, with each key/value mapping to a corresponding environment variable on the
+## Drone server.
+##
+extraSecretNamesForEnvFrom: []
+#- drone
+
+## The keys within the "env" map are mounted as environment variables on the Drone server pod.
+## See the full reference of Drone server environment variables here:
+## Ref: https://docs.drone.io/installation/reference/
+##
+env:
+  ## REQUIRED: Set the user-visible Drone hostname, sans protocol.
+  ## Ref: https://docs.drone.io/installation/reference/drone-server-host/
+  ##
+  DRONE_SERVER_HOST: "drone.{{ traefik_domain }}"
+  ## The protocol to pair with the value in DRONE_SERVER_HOST (http or https).
+  ## Ref: https://docs.drone.io/installation/reference/drone-server-proto/
+  ##
+  DRONE_SERVER_PROTO: https
+
+  DRONE_SERVER_PORT: ":3000"
+
+  ## REQUIRED: Set the secret secret token that the Drone server and its Runners will use
+  ## to authenticate. This is commented out in order to leave you the ability to set the
+  ## key via a separately provisioned secret (see existingSecretName above).
+  ## Ref: https://docs.drone.io/installation/reference/drone-rpc-secret/
+  ##
+  DRONE_RPC_SECRET: {{ drone_rpc_secret }}
+
+  ## If you'd like to use a DB other than SQLite (the default), set a driver + DSN here.
+  ## Ref: https://docs.drone.io/installation/storage/database/
+  ##
+  # DRONE_DATABASE_DRIVER:
+  # DRONE_DATABASE_DATASOURCE:
+
+  ## If you are going to store build secrets in the Drone database, it is suggested that
+  ## you set a database encryption secret. This must be set before any secrets are stored
+  ## in the database.
+  ## Ref: https://docs.drone.io/installation/storage/encryption/
+  ##
+  DRONE_DATABASE_SECRET: "{{ drone_secret }}"
+
+  ## If you are using self-hosted GitHub or GitLab, you'll need to set this to true.
+  ## Ref: https://docs.drone.io/installation/reference/drone-git-always-auth/
+  ##
+  # DRONE_GIT_ALWAYS_AUTH: false
+
+  ## ===================================================================================
+  ##                         Provider Directives (select ONE)
+  ## -----------------------------------------------------------------------------------
+  ## Select one provider (and only one). Refer to the corresponding documentation link
+  ## before filling the values in. Also note that you can use the 'secretMounts' value
+  ## if you'd rather not have secrets in Kubernetes Secret instead of a ConfigMap.
+  ## ===================================================================================
+
+  ## GitHub-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/github/
+  ##
+  # DRONE_GITHUB_CLIENT_ID:
+  # DRONE_GITHUB_CLIENT_SECRET:
+
+  ## GitLab-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/gitlab/
+  ##
+  # DRONE_GITLAB_CLIENT_ID:
+  # DRONE_GITLAB_CLIENT_SECRET:
+  # DRONE_GITLAB_SERVER:
+
+  ## Bitbucket Cloud-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/bitbucket-cloud/
+  ##
+  # DRONE_BITBUCKET_CLIENT_ID:
+  # DRONE_BITBUCKET_CLIENT_SECRET:
+
+  ## Bitbucket-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/bitbucket-server/
+  ##
+  # DRONE_GIT_USERNAME:
+  # DRONE_GIT_PASSWORD:
+  # DRONE_STASH_CONSUMER_KEY:
+  # DRONE_STASH_PRIVATE_KEY:
+  # DRONE_STASH_SERVER:
+
+  ## Gitea-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/gitea/
+  ##
+  DRONE_GITEA_CLIENT_ID: "{{ drone_gitea_client_id }}"
+  DRONE_GITEA_CLIENT_SECRET: "{{ drone_gitea_client_secret }}"
+  DRONE_GITEA_SERVER: "https://gitea.{{ traefik_domain }}"
+
+  ## Gogs-specific variables. See the provider docs here:
+  ## Ref: https://docs.drone.io/installation/providers/gogs/
+  ##
+  # DRONE_GOGS_SERVER:

templates/drone-runner-helm-value.yaml.j2

@@ -0,0 +1,131 @@
+#image:
+#  repository: drone/drone-runner-kube
+#  tag: 1.0.0-beta.6
+#  pullPolicy: IfNotPresent
+
+## If you need to pull images from a private Docker image repository, pass in the name
+## of a Kubernetes Secret that contains the needed secret. For more details, see:
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+##
+imagePullSecrets: []
+# - name: "image-pull-secret"
+
+## For small or experimental deployments of the Kubernetes runner, 1 replica will suffice.
+## For production cases, 2-3 are recommended. This does not grant additional parallelism,
+## but does ensure that upgrades, config changes, and disruptions are handled more gracefully.
+replicaCount: 1
+
+## When the runner receives a SIGTERM/SIGINT (config update, upgrade, etc), it will wait until
+## all jobs that particular pod has spawned complete. It is for this reason that you'll want
+## to make sure that this value is longer than your longest job.
+terminationGracePeriodSeconds: 3600
+
+nameOverride: ""
+fullnameOverride: ""
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+## Add extra annotations to the Kubernetes runner pods here.
+##
+podAnnotations: {}
+
+service:
+  type: ClusterIP
+  port: 3000
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - "/"
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+## If you'd like to force the Drone runner to run on a specific node or set of nodes,
+## set a selector here.
+##
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+## If you'd like to make additional files or volumes available to the runner, declare additional
+## Volumes here per the Pod spec's "volumes" section.
+## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
+##
+extraVolumes: []
+## If you have declared extra volumes, mount them here, per the Pod Container's
+## "volumeMounts" section.
+##
+extraVolumeMounts: []
+
+## If you'd like to provide your own Kubernetes Secret object instead of passing your values
+## in un-encrypted, pass in the name of a created + populated Secret in the same Namespace
+## as the Kubernetes runner. All secrets within this configmap will be mounted as environment
+## variables, with each key/value mapping to a corresponding environment variable on the
+## Kubernetes runner.
+##
+extraSecretNamesForEnvFrom: []
+#- drone-runner
+
+## Each namespace listed below will be configured such that the runner can run build Pods in
+## it. This comes in the form of a Role and a RoleBinding. If you change env.DRONE_NAMESPACE_DEFAULT
+## or the other DRONE_NAMESPACE_* variables, make sure to update this list to include all
+## namespaces.
+rbac:
+  buildNamespaces:
+    - drone-runner
+
+## The keys within the "env" map are mounted as environment variables on the Kubernetes runner pod.
+## See the full reference of Kubernetes runner environment variables here:
+## Ref: https://kube-runner.docs.drone.io/installation/reference/
+##
+env:
+  ## REQUIRED: Set the secret secret token that the Kubernetes runner and its runners will use
+  ## to authenticate. This is commented out in order to leave you the ability to set the
+  ## key via a separately provisioned secret (see existingSecretName above).
+  ## Ref: https://kube-runner.docs.drone.io/installation/reference/drone-rpc-secret/
+  ##
+  DRONE_RPC_SECRET: {{ drone_rpc_secret }}
+
+  ## The hostname/IP (and optionally the port) for your Kubernetes runner. Defaults to the "drone"
+  ## service that the drone server Chart creates by default.
+  ## Ref: https://kube-runner.docs.drone.io/installation/reference/drone-rpc-host/
+  ##
+  DRONE_RPC_HOST: drone.{{ traefik_domain }}
+
+  ## The protocol to use for communication with Drone server.
+  ## Ref: https://kube-runner.docs.drone.io/installation/reference/drone-rpc-proto/
+  ##
+  DRONE_RPC_PROTO: https
+
+  ## Determines the default Kubernetes namespace for Drone builds to run in.
+  ## Ref: https://kube-runner.docs.drone.io/installation/reference/drone-namespace-default/
+  ##
+  DRONE_NAMESPACE_DEFAULT: drone-runner
+  DRONE_UI_DISABLE: "true"
+  DRONE_RUNNER_CAPACITY: "2"

templates/drone-runner/drone-runner-Secret.yaml.j2

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: drone-runner
-  namespace: drone
-type: Opaque
-stringData:
-  DRONE_RPC_SECRET: {{ drone_rpc_secret }}

templates/drone/drone-IngressRoute.yml.j2

@@ -1,53 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: drone
-  namespace: drone
-  labels:
-    app.kubernetes.io/name: drone
-    app.kubernetes.io/instance: drone
-    app.kubernetes.io/component: server
-  annotations:
-    kubernetes.io/ingress.class: "traefik"
-spec:
-  entryPoints:
-    - https
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`drone.{{ traefik_domain }}`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-{% if basic_auth is defined or ingress_whitelist is defined %}
-    middlewares:
-{% if ingress_whitelist is defined %}
-      - name: traefik-ipwhitelist
-{% endif %}
-{% if basic_auth is defined %}
-      - name: basic-auth
-{% endif %}
-{% endif %}
-    services:
-    - name: drone
-      port: 3000
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-      # (default true) PassHostHeader controls whether to leave the request's Host
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      # to the destination (backend) host.
-      passHostHeader: true
-      responseForwarding:
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
-        flushInterval: 100ms
-  tls:
-{% if drone_certificate is defined %}
-    secretName: {{ drone_certificate }}
-{% endif %}
-    options:
-      name: default
-      namespace: {{ traefik_namespace }}

templates/drone/drone-PersistentVolumeClaim.yml.j2

@@ -1,32 +0,0 @@
-# Source: drone/templates/pvc.yaml
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  labels:
-    helm.sh/chart: drone-0.1.5
-    app.kubernetes.io/name: drone
-    app.kubernetes.io/instance: drone
-    app.kubernetes.io/component: server
-    app.kubernetes.io/version: "1.6.5"
-    app.kubernetes.io/managed-by: Helm
-  name: drone
-  namespace: drone
-spec:
-{% if drone_storage_classname is defined %}
-{% if drone_storage_classname == "manual" %}
-  storageClassName: manual
-{% elif drone_storage_classname == "local" %}
-  storageClassName: local-path
-{% elif drone_storage_classname == "do-block-storage" %}
-  storageClassName: do-block-storage
-{% elif drone_storage_classname == "linode-block-storage" %}
-  storageClassName: linode-block-storage
-{% elif drone_storage_classname == "nfs" %}
-  storageClassName: nfs
-{% endif %}
-{% endif %}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "8Gi"

templates/drone/drone-Secret.yaml.j2

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: drone
-  namespace: drone
-type: Opaque
-stringData:
-  DRONE_RPC_SECRET: {{ drone_rpc_secret }}
-  DRONE_DATABASE_SECRET: {{ drone_secret }}
-  DRONE_GITEA_CLIENT_ID: {{ drone_gitea_client_id }}
-  DRONE_GITEA_CLIENT_SECRET: {{ drone_gitea_client_secret }}