diff --git a/projects/woodpecker/manifests/netpol.yaml b/projects/woodpecker/manifests/netpol.yaml
new file mode 100644
index 00000000..6e37d2d5
--- /dev/null
+++ b/projects/woodpecker/manifests/netpol.yaml
@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kubeapi
+ namespace: woodpecker
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: agent
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/projects/woodpecker/project.yml b/projects/woodpecker/project.yml
index cb27da5c..d40e9313 100644
--- a/projects/woodpecker/project.yml
+++ b/projects/woodpecker/project.yml
@@ -12,8 +12,8 @@ config: apps: - - name: woodpecker-server - path: charts/server + - name: woodpecker + path: charts/woodpecker secrets: - name: github-oauth keys:
@@ -22,12 +22,3 @@ apps: - name: woodpecker-secret keys: - WOODPECKER_AGENT_SECRET - - - name: woodpecker-agent - namespace: woodpecker-agent - path: charts/agent - secrets: - - name: woodpecker-secret - fromApp: woodpecker-server - keys: - - WOODPECKER_AGENT_SECRET
diff --git a/projects/woodpecker/values/woodpecker-agent.yaml b/projects/woodpecker/values/woodpecker-agent.yaml
deleted file mode 100644
index 3e512560..00000000
--- a/projects/woodpecker/values/woodpecker-agent.yaml
+++ /dev/null
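Review bot: The second egress item `- toPorts:` is a separate rule with no L3 selector, so as written it permits TCP/6443 to any destination, while the first item `- toEntities: [kube-apiserver]` permits every port to the API server; neither rule limits the API-server path to 6443. If the intent is "API server on 6443 only", the `toPorts` block belongs in the same list item as `toEntities` (drop the `-` in front of `toPorts:` and indent it to match `toEntities:`). Once a Cilium policy with an egress section selects these pods, all other egress from them is denied by default, which would include DNS and the `woodpecker-server:9000` connection configured in the new agent values, unless another policy in the namespace already allows them; worth confirming. The selector `app.kubernetes.io/name: agent` should also be checked against the labels the merged chart actually puts on agent pods, since a mismatch means the policy selects nothing.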
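Review bot: The merged `woodpecker` app entry carries no `namespace:` key, whereas the agent app deleted in the following hunk pinned `namespace: woodpecker-agent`, and both the new netpol and the agent env (`WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker`) assume `woodpecker`. If the deploy tooling's default namespace for an app is not the project name, the policy selects nothing and build pods land elsewhere; an explicit `namespace: woodpecker` on the new entry would make that assumption visible. The former `fromApp: woodpecker-server` sharing of `woodpecker-secret` disappears with the agent app, which only works because both components now read the secret from the same namespace.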
@@ -1,45 +0,0 @@
-replicaCount: 2
-
-image:
- registry: docker.io
- repository: woodpeckerci/woodpecker-agent
- pullPolicy: Always
- tag: "next"
-
-env:
- WOODPECKER_SERVER: "woodpecker-server.woodpecker.svc.cluster.local:9000"
- WOODPECKER_BACKEND: kubernetes
- WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent
- WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ssd"
- WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 1G
- WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
-
-dind:
- enabled: false
-
-extraSecretNamesForEnvFrom:
-- woodpecker-secret
-
-serviceAccount:
- create: true
- rbac:
- create: true
-
-podSecurityContext:
- fsGroup: 2000
-
-securityContext:
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
-
-resources:
- limits:
- cpu: 4000m
- memory: 1024Mi
- requests:
- cpu: 100m
- memory: 128Mi
diff --git a/projects/woodpecker/values/woodpecker-server.yaml b/projects/woodpecker/values/woodpecker-server.yaml
deleted file mode 100644
index 8e0e3cc2..00000000
--- a/projects/woodpecker/values/woodpecker-server.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-replicaCount: 1
-
-image:
- registry: docker.io
- repository: woodpeckerci/woodpecker-server
- pullPolicy: Always
- # Overrides the image tag whose default is the chart appVersion.
- tag: "next"
-
-dind:
- enabled: false
-
-env:
- WOODPECKER_OPEN: "false"
- WOODPECKER_ADMIN: "Nold360"
- WOODPECKER_HOST: https://ci.nold.in
- WOODPECKER_GITHUB: "true"
- #WOODPECKER_REPO_OWNERS: "nold360"
-
- HTTP_PROXY: http://proxy-squid.proxy.svc.cluster.local:3128
- HTTPS_PROXY: http://proxy-squid.proxy.svc.cluster.local:3128
- http_proxy: http://proxy-squid.proxy.svc.cluster.local:3128
- https_proxy: http://proxy-squid.proxy.svc.cluster.local:3128
- NO_PROXY: localhost,.cluster.local,10.43.0.1
- no_proxy: localhost,.cluster.local,10.43.0.1
-
-
-extraSecretNamesForEnvFrom:
-- github-oauth
-- woodpecker-secret
-
-persistentVolume:
- enabled: true
- size: 10Gi
- mountPath: "/var/lib/woodpecker"
- storageClass: "local-path"
-
-podSecurityContext:
- fsGroup: 2000
-
-securityContext:
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 80
-
-ingress:
- enabled: true
- ingressClassName: ingress-external
- labels:
- environment: external
- annotations:
- kubernetes.io/tls-acme: "true"
- cert-manager.io/cluster-issuer: letsencrypt
- external-dns.alpha.kubernetes.io/hostname: ci.nold.in
- external-dns.alpha.kubernetes.io/target: nold.in
- hosts:
- - host: ci.nold.in
- paths:
- - path: /
- backend:
- serviceName: server
- servicePort: 80
- tls:
- - secretName: ci-nold-in-tls
- hosts:
- - ci.nold.in
-
-resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 128Mi
diff --git a/projects/woodpecker/values/woodpecker.yml b/projects/woodpecker/values/woodpecker.yml
new file mode 100644
index 00000000..bbde5ec4
--- /dev/null
+++ b/projects/woodpecker/values/woodpecker.yml
@@ -0,0 +1,148 @@
+agent:
+ # -- Enable the agent component
+ enabled: true
+
+ # -- The number of replicas for the deployment
+ replicaCount: 2
+
+ image:
+ registry: docker.io
+ repository: woodpeckerci/woodpecker-agent
+ pullPolicy: Always
+ tag: 'next'
+
+ env:
+ # -- Add the environment variables for the agent component
+ WOODPECKER_SERVER: 'woodpecker-server:9000'
+ WOODPECKER_BACKEND: kubernetes
+ WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
+ WOODPECKER_BACKEND_K8S_STORAGE_CLASS: 'ssd'
+ WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
+ WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
+ WOODPECKER_BACKEND_K8S_POD_LABELS: ''
+ WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: ''
+ WOODPECKER_CONNECT_RETRY_COUNT: '1'
+
+ # -- Add extra secret that is contains environment variables
+ extraSecretNamesForEnvFrom:
+ - woodpecker-secret
+
+ persistence:
+ enabled: true
+ size: 1Gi
+ storageClass: 'ssd'
+ accessModes:
+ - ReadWriteOnce
+
+ # -- Add pod security context
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 2000
+
+ # -- Add security context
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 2000
+
+ # -- Specifies the resources for the agent component
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+
+server:
+ enabled: true
+
+ statefulSet:
+ replicaCount: 1
+
+ updateStrategy:
+ type: RollingUpdate
+
+ image:
+ registry: docker.io
+ repository: woodpeckerci/woodpecker-server
+ pullPolicy: Always
+ tag: 'next'
+
+ # -- Add environment variables for the server component
+ env:
+ WOODPECKER_OPEN: "false"
+ WOODPECKER_ADMIN: "Nold360"
+ WOODPECKER_HOST: https://ci.nold.in
+ WOODPECKER_GITHUB: "true"
+ #WOODPECKER_REPO_OWNERS: "nold360"
+
+ HTTP_PROXY: http://proxy-squid.proxy.svc.cluster.local:3128
+ HTTPS_PROXY: http://proxy-squid.proxy.svc.cluster.local:3128
+ http_proxy: http://proxy-squid.proxy.svc.cluster.local:3128
+ https_proxy: http://proxy-squid.proxy.svc.cluster.local:3128
+ NO_PROXY: localhost,.cluster.local,10.43.0.1
+ no_proxy: localhost,.cluster.local,10.43.0.1
+
+
+ # -- Add extra environment variables from the secrets list
+ extraSecretNamesForEnvFrom:
+ - woodpecker-secret
+ - github-oauth
+
+ # -- Create a generic secret to store things in, e.g. env values
+ secrets:
+ - name: woodpecker-store
+
+ persistentVolume:
+ enabled: true
+ size: 10Gi
+ mountPath: '/var/lib/woodpecker'
+ storageClass: ''
+
+ podSecurityContext:
+ fsGroup: 2000
+
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+ ingress:
+ enabled: true
+ ingressClassName: ingress-external
+ labels:
+ environment: external
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ cert-manager.io/cluster-issuer: letsencrypt
+ external-dns.alpha.kubernetes.io/hostname: ci.nold.in
+ external-dns.alpha.kubernetes.io/target: nold.in
+ hosts:
+ - host: ci.nold.in
+ paths:
+ - path: /
+ backend:
+ serviceName: server
+ servicePort: 80
+ tls:
+ - secretName: ci-nold-in-tls
+ hosts:
+ - ci.nold.in
+
+ # -- Specifies the ressources for the server component
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
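Review bot: `WOODPECKER_BACKEND_K8S_STORAGE_RWX: false` under `agent.env` is a YAML boolean while the other env booleans in this file are quoted (`WOODPECKER_OPEN: "false"`, `WOODPECKER_GITHUB: "true"`); Kubernetes env values must be strings, so write it as `WOODPECKER_BACKEND_K8S_STORAGE_RWX: 'false'` unless the chart template is known to quote env values itself. `WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker` moves pipeline build pods out of the dedicated `woodpecker-agent` namespace the deleted values used and into the namespace that holds `github-oauth` and `woodpecker-secret`, with the agent's service account creating those pods there; it is worth confirming that its RBAC and the namespace's network policies keep build workloads away from the server's secrets. `server.persistentVolume.storageClass: ''` replaces the previous `"local-path"`, and depending on how the chart renders it an empty string may disable dynamic provisioning rather than select the default class, so verify the intent. The comment `# -- Specifies the ressources for the server component` has a typo (`resources`).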