K8S environment uses gitlab+drone2 for continuous delivery

Environment description

1. K8S: 1.23.0

2. docker: 20.10.13

3. gitlab: 14.7

4. Drone: 2

5. nfs: 4

Drone version notes

Drone has two major versions, drone1 and drone2. After drone2 the project was acquired by EDGE, and its successor project is Gitness.

The YAML files in this tutorial work with both drone1 and drone2.

[Image: drone1 interface]

[Image: drone2 interface]

Start deployment

Step 1: create an OAuth application

Create a GitLab OAuth application in GitLab; it is what authorizes Drone against GitLab.

Step 2: create a shared secret

Create a shared secret to authenticate communication between the runner and the central drone server.

# You can use openssl to generate a shared secret
[root@llody-dev ~]# openssl rand -hex 16
303b6068fb64fe4296da1f1def6295db

Step 3: start drone-server

apiVersion: v1
kind: Service
metadata:
  name: drone-service
  namespace: default
spec:
  selector:
    app: drone
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: drone-config
  namespace: default
data:
  DRONE_GITLAB_SERVER: "gitlab address"
  DRONE_GITLAB_CLIENT_ID: "GitLab oauth client ID"
  DRONE_GITLAB_CLIENT_SECRET: "GitLab oauth client secret"
  DRONE_RPC_SECRET: "Shared key generated above"
  DRONE_SERVER_HOST: "drone address, it is recommended to fill in the domain name"
  DRONE_SERVER_PROTO: "https"
  DRONE_USER_CREATE: "username:gitlab administrator name,admin:true"

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone
  template:
    metadata:
      labels:
        app: drone
    spec:
      containers:
        - name: drone
          image: drone/drone:2
          volumeMounts:
            - name: drone-data
              mountPath: /data
          envFrom:
            - configMapRef:
                name: drone-config
          ports:
            - containerPort: 80
            - containerPort: 443
          resources:
            limits:
              cpu: 2000m
              memory: 2048Mi
            requests:
              cpu: 100m
              memory: 512Mi
      volumes:
        - name: drone-data
          persistentVolumeClaim:
            claimName: drone-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  # pvc name
  name: drone-pvc
spec:
  # Read and write permissions
  accessModes:
    - ReadWriteOnce
  # Storage class used
  storageClassName: managed-nfs-storage
  # Define capacity
  resources:
    requests:
      storage: 5Gi
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on 1.23 use networking.k8s.io/v1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    #nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  labels:
    app: drone
  name: drone
  namespace: default
spec:
  rules:
    - host: droneci.llody.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: drone-service
                port:
                  number: 80
  tls:
    - hosts:
        - droneci.llody.com
      secretName: wildcard.llody.com-tls

There are several points to note:

1. The manifests rely on NFS storage (the managed-nfs-storage StorageClass used by the PVC).

2. Traefik is used as the Ingress controller that exposes Drone externally.

3. The ConfigMap variables explained:

  • DRONE_GITLAB_CLIENT_ID: required string, your GitLab OAuth client ID.

  • DRONE_GITLAB_CLIENT_SECRET: required string, the GitLab OAuth client secret.

  • DRONE_GITLAB_SERVER: optional string, your GitLab server URL. The default value is `https://gitlab.com`.

  • DRONE_GIT_ALWAYS_AUTH: optional boolean, configures Drone to authenticate even when cloning a public repository. Enable this only on a self-hosted GitLab with private mode enabled.

  • DRONE_RPC_SECRET: required string, the shared secret generated in the previous step. It is used to authenticate the RPC connection between the server and the runner, so the same value must be set on both.

  • DRONE_SERVER_HOST: required string, the external hostname or IP address; an IP address may include the port. For example drone.domain.com.

  • DRONE_SERVER_PROTO: required string, the external protocol scheme, either `http` or `https`. If SSL or ACME is configured, this field defaults to https.

  • DRONE_USER_FILTER: optional comma-separated list of GitLab users or organizations. Registration is limited to users on this list or to members of the listed organizations. If this value is not set, registration is open to the public.

4. The ConfigMap carries DRONE_GITLAB_CLIENT_SECRET and DRONE_RPC_SECRET in plaintext, and a ConfigMap is readable by anyone with get access in the namespace. Moving those two values into a Kubernetes Secret and referencing them with secretKeyRef keeps them out of the ConfigMap.

Step 4: deploy drone-runner

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: drone
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - create
  - delete
  - list
  - watch
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone
  namespace: default
subjects:
- kind: ServiceAccount
  # Binding the namespace's default ServiceAccount gives every pod that uses it
  # these pod/secret rights; a dedicated ServiceAccount for the runner is narrower.
  name: default
  namespace: default
roleRef:
  kind: Role
  name: drone
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner
  namespace: default
  labels:
    app.kubernetes.io/name: drone-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: drone-runner
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone-runner
    spec:
      containers:
      - name: drone-runner
        image: drone/drone-runner-kube:latest
        ports:
        - containerPort: 3000
        env:
        - name: DRONE_RPC_HOST
          value: drone-service.default.svc.cluster.local # Drone Server address
        - name: DRONE_RPC_PROTO
          value: http
        - name: DRONE_RPC_SECRET
          # The shared secret set in the Drone Server ConfigMap; it sits in plaintext here,
          # a Kubernetes Secret referenced via secretKeyRef keeps it out of the Deployment spec
          value: 303b6068fb64fe4296da1f1def6295db
---
apiVersion: v1
kind: Service
metadata:
  name: drone-runner-service
  namespace: default
spec:
  # Must match the pod template labels above, otherwise the Service has no endpoints
  selector:
    app.kubernetes.io/name: drone-runner
  ports:
    - protocol: TCP
      port: 3000
      targetPort: 3000
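The shared secret from Step 2 ends up in plaintext in the server ConfigMap and in the runner Deployment above. This added example (not code from the original post) generates the secret with the same shape as `openssl rand -hex 16`, validates it, and renders it as a Kubernetes Secret so both Deployments can reference it with secretKeyRef; the Secret name drone-rpc-secret is an assumption.

```shell
#!/bin/sh
# Added example: generate the Drone RPC shared secret and emit it as a
# Kubernetes Secret manifest instead of a plaintext ConfigMap/env value.
# The Secret name "drone-rpc-secret" is an assumption, not from the post.
set -eu

# 16 random bytes as 32 hex characters, the same shape the post gets from
# `openssl rand -hex 16`; falls back to /dev/urandom if openssl is absent.
gen_rpc_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    od -A n -N 16 -t x1 /dev/urandom | tr -d ' \n'
  fi
}

# Accept exactly 32 lowercase hex characters; a value pasted with stray
# whitespace or truncated while copying between server and runner fails here.
is_valid_rpc_secret() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Render the Secret for the given namespace (default: "default").
# Server and runner Deployments then both use, instead of a literal value:
#   env:
#     - name: DRONE_RPC_SECRET
#       valueFrom:
#         secretKeyRef:
#           name: drone-rpc-secret
#           key: DRONE_RPC_SECRET
render_secret_manifest() {
  secret="$1"
  ns="${2:-default}"
  is_valid_rpc_secret "$secret" || { echo "invalid DRONE_RPC_SECRET" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: drone-rpc-secret
  namespace: $ns
type: Opaque
stringData:
  DRONE_RPC_SECRET: "$secret"
EOF
}
```

Typical use is `render_secret_manifest "$(gen_rpc_secret)" default | kubectl apply -f -`, after which the literal DRONE_RPC_SECRET entries in the ConfigMap and the runner env can be replaced by secretKeyRef references.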

Step 5: log in

The username here should match the account name in GitLab.

Step 6: enable the required options and configure the required secrets, such as the image registry address, cache, etc.

Step 7: log in to GitLab and confirm that the webhook was configured automatically

Note: the webhook is created automatically once the repository is activated on your Drone page.

Step 8: write .drone.yml in the nginx-test project

Edit the .drone.yml file and push it to the GitLab repository.

Note that I only performed one operation here: pulling an image I built myself, printing the current path and printing the current file. By default the pipeline is divided into two steps: the first step pulls the code, and the second step executes the builds job.

For more pipeline options, refer to the official documentation: https://docs.drone.io/pipeline/overview/

Step 9: view the execution results

Summary

Although drone2 may not get a follow-up version, Gitness is still worth keeping an eye on.

Drone2 groups the CI/CD information of each project separately, unlike drone1, which piles everything onto one page.

Later, I will add some smoother ways of using Drone in a cloud-native environment.