# Kubernetes plugin for drone.io [![Docker Repository on Quay](https://quay.io/repository/honestbee/drone-kubernetes/status "Docker Repository on Quay")](https://quay.io/repository/honestbee/drone-kubernetes)

This plugin updates a Kubernetes deployment.

## Usage

This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`

```yaml
pipeline:
  deploy:
    image: quay.io/honestbee/drone-kubernetes
    deployment: my-deployment
    repo: myorg/myrepo
    container: my-container
    tag:
      - mytag
      - latest
```

To deploy containers across several deployments, e.g. in a scheduler-worker setup, make sure the container `name` in your manifest is the same for each pod.

```yaml
pipeline:
  deploy:
    image: quay.io/honestbee/drone-kubernetes
    deployment: [server-deploy, worker-deploy]
    repo: myorg/myrepo
    container: my-container
    tag:
      - mytag
      - latest
```

Deploying multiple containers within the same deployment.

```yaml
pipeline:
  deploy:
    image: quay.io/honestbee/drone-kubernetes
    deployment: my-deployment
    repo: myorg/myrepo
    container: [container1, container2]
    tag:
      - mytag
      - latest
```

**NOTE**: Combining multi-container deployments across multiple deployments is not recommended.

This more complex example demonstrates how to deploy to several environments based on the branch, in an `app` namespace:

```yaml
pipeline:
  deploy-qa:
    image: quay.io/honestbee/drone-kubernetes
    kubernetes_user: ${KUBERNETES_USER}
    kubernetes_server: ${KUBERNETES_SERVER_QA}
    kubernetes_cert: ${KUBERNETES_CERT_QA}
    kubernetes_client_cert: ${PLUGIN_KUBERNETES_CLIENT_CERT}
    kubernetes_client_key: ${PLUGIN_KUBERNETES_CLIENT_KEY}
    deployment: my-deployment
    repo: myorg/myrepo
    container: my-container
    namespace: app
    tag:
      - mytag
      - latest
    when:
      branch: [ qa ]

  deploy-staging:
    image: quay.io/honestbee/drone-kubernetes
    kubernetes_user: ${KUBERNETES_USER}
    kubernetes_server: ${KUBERNETES_SERVER_STAGING}
    kubernetes_cert: ${KUBERNETES_CERT_STAGING}
    kubernetes_token: ${KUBERNETES_TOKEN_STAGING}
    deployment: my-deployment
    repo: myorg/myrepo
    container: my-container
    namespace: app
    tag:
      - mytag
      - latest
    when:
      branch: [ staging ]

  deploy-prod:
    image: quay.io/honestbee/drone-kubernetes
    kubernetes_server: ${KUBERNETES_SERVER_PROD}
    kubernetes_token: ${KUBERNETES_TOKEN_PROD}
    # notice: no TLS verification will be done; a warning is printed
    deployment: my-deployment
    repo: myorg/myrepo
    container: my-container
    namespace: app
    tag:
      - mytag
      - latest
    when:
      branch: [ master ]
```

## Required secrets

```bash
drone secret add --image=honestbee/drone-kubernetes \
    your-user/your-repo KUBERNETES_SERVER https://mykubernetesapiserver

drone secret add --image=honestbee/drone-kubernetes \
    your-user/your-repo KUBERNETES_CERT <base64 encoded CA.crt>

drone secret add --image=honestbee/drone-kubernetes \
    your-user/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...
```

When using TLS verification, ensure that the server certificate used by the Kubernetes API server is signed for the SERVER URL (a mismatch could be a reason for failures if you use aliases of the Kubernetes cluster).

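The name check behind that caveat, as an added example that is not part of the plugin: it tests whether the host in `KUBERNETES_SERVER` is covered by the API server certificate's subject alternative names. The certificate data and host names below are constructed, and `server_matches_cert` and `dns_match` are hypothetical helper names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subjectAltName": (
    ("DNS", "kubernetes.default.svc"),
    ("DNS", "api.k8s.example.internal"),
    ("DNS", "*.k8s.example.internal"),
    ("IP Address", "10.96.0.1"),
)}

def dns_match(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def server_matches_cert(server_url, cert):
    """True if the host of KUBERNETES_SERVER is covered by the cert's SANs."""
    host = urlsplit(server_url).hostname
    if not host:
        raise ValueError(f"no host in {server_url!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP literals only match IP SANs, never DNS names.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, host):
            return True
    return False

if __name__ == "__main__":
    for url in ("https://api.k8s.example.internal:6443",
                "https://k8s-alias.example.com",   # alias not in the SANs
                "https://10.96.0.1",
                "https://203.0.113.10:6443"):
        ok = server_matches_cert(url, SAMPLE_CERT)
        print(url, "->", "ok" if ok else "name mismatch")
```
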
## How to get token
1. After deployment, inspect your pod for the name of the (k8s) secret with **token** and **ca.crt**
```bash
kubectl describe po/[ your pod name ] | grep SecretName | grep token
```
(When you use the **default service account**)

2. Get the data from your (k8s) secret
```bash
kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:|token:'
```
3. Copy-paste the (still base64 encoded) contents of ca.crt into your drone's **KUBERNETES_CERT** secret
4. Decode the base64 encoded token
```bash
echo [ your k8s base64 encoded token ] | base64 -d && echo
```
5. Copy-paste the decoded token into your drone's **KUBERNETES_TOKEN** secret

### RBAC
When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments. Instead, you will need to create a
custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account).
As an example (for the `web` namespace):
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deploy
  namespace: web

---

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters use rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: drone-deploy
  namespace: web
rules:
  # Newer clusters serve Deployments from the "apps" API group.
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: drone-deploy
  namespace: web
subjects:
  - kind: ServiceAccount
    name: drone-deploy
    namespace: web
roleRef:
  kind: Role
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io
```

Once the service account is created, you can extract the `ca.crt` and `token`
parameters as mentioned for the default service account above:

```bash
kubectl -n web get secrets

# Substitute XXXXX below with the correct one from the above command
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'
```

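Before storing a token as `KUBERNETES_TOKEN`, it is worth confirming that it belongs to the restricted `drone-deploy` account and not to `default`. The following is an added example, not part of the plugin: it undoes the secret's base64 layer (step 4 of "How to get token") and reads the `sub` claim of the resulting JWT. The sample tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

PREFIX = "system:serviceaccount:"

def b64url_decode(segment):
    """Decode a JWT segment (base64url without padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def service_account_of(secret_token_field):
    """Return (namespace, name) for the `token:` value of a k8s secret.

    Undoes the secret's base64 layer, then reads the JWT claims.
    The signature is not verified: this is an identity check only.
    """
    jwt = base64.b64decode(secret_token_field).decode("ascii")
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("decoded token is not a three-part JWT")
    sub = json.loads(b64url_decode(parts[1])).get("sub", "")
    if not sub.startswith(PREFIX) or sub.count(":") != 3:
        raise ValueError(f"unexpected subject claim: {sub!r}")
    namespace, name = sub[len(PREFIX):].split(":")
    return namespace, name

def is_expected_account(secret_token_field, namespace, name):
    """True only if the token belongs to the intended service account."""
    return service_account_of(secret_token_field) == (namespace, name)

def make_sample(namespace, name):
    """Constructed, unsigned stand-in for a secret's `token:` field."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                    enc({"iss": "kubernetes/serviceaccount",
                         "sub": PREFIX + namespace + ":" + name}),
                    "c2lnbmF0dXJl"])  # placeholder, not a real signature
    return base64.b64encode(jwt.encode()).decode()

if __name__ == "__main__":
    for ns, sa in (("web", "drone-deploy"), ("web", "default")):
        field = make_sample(ns, sa)
        print(service_account_of(field),
              is_expected_account(field, "web", "drone-deploy"))
```
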
## To do
Replace the current kubectl bash script with a go implementation.
### Special thanks
Inspired by [drone-helm](https://github.com/ipedrazas/drone-helm).