drone-kubernetes/README.md

# Kubernetes plugin for drone.io
#### [Docker Repository on Docker Cloud](https://cloud.docker.com/app/razorpay/repository/docker/razorpay/drone-kubernetes)
## Borrowed and distilled from [honestbee/drone-kubernetes](https://github.com/honestbee/drone-kubernetes)

This plugin allows to update a Kubernetes deployment.
  - Cert based auth for tls
  - Insecure auth without tls

This version deprecates token based auth

## Usage

This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`

```yaml
pipeline:
  deploy:
    image: razorpay/drone-kubernetes
    pull: true
    secrets:
      - docker_username
      - docker_password
      - server_url_<cluster>
      - server_cert_<cluster>
      - client_cert_<cluster>
      - client_key_<cluster>
      - ...
    user: <kubernetes-user with a cluster-rolebinding>
    cluster: <kubernetes-cluster>
    deployment: [<kubernetes-deployements, ...>]
    repo: <org/repo>
    container: [ <containers,...> ]
    namespace: <kubernetes-namespace>
    tag:
      - ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA}
      - ...
    when:
      environment: <kubernetes-cluster>
      branch: [ <branches>,... ]
      event:
        exclude: [push, pull_request, tag]
        include: [deployment]
```


## Required secrets

  - server_url
  - tls:
    - server_cert
      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt`
      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key`
    - client_cert
    - client_key
      - ```
        openssl genrsa -out client.key
        openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org"
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500
        ```
      - ```
        cat ca.crt | base64 > car.crt.enc
        cat client.crt | base64 > client.crt.enc
        cat client.key | base64 > client.key.enc
        ```
      - ```
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc
        ```

When using TLS Verification, ensure Server Certificate used by kubernetes API server
is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )

### RBAC

When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments.  Instead, you will need to create a
custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account).

As an example (for the `web` namespace):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deploy
  namespace: web

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: drone-deploy
  namespace: web
rules:
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: drone-deploy
  namespace: web
subjects:
  - kind: ServiceAccount
    name: drone-deploy
    namespace: web
roleRef:
  kind: Role
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io
```

Once the service account is created, you can extract the `ca.cert` and `token`
parameters as mentioned for the default service account above:

```
kubectl -n web get secrets
# Substitute XXXXX below with the correct one from the above command
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'
```

## To do

Replace the current kubectl bash script with a go implementation.

### Special thanks

Inspired by [drone-helm](https://github.com/ipedrazas/drone-helm).
readme: fix header 2018-01-10 13:22:00 +00:00			`# Kubernetes plugin for drone.io`
			`#### [Docker Repository on Docker Cloud](https://cloud.docker.com/app/razorpay/repository/docker/razorpay/drone-kubernetes)`
readme: update 2018-01-10 12:00:49 +00:00			`## Borrowed and distilled from [honestbee/drone-kubernetes](https://github.com/honestbee/drone-kubernetes)`
First version 2017-01-13 10:07:48 +00:00
			`This plugin allows to update a Kubernetes deployment.`
readme: update 2018-01-10 12:00:49 +00:00			`- Cert based auth for tls`
			`- Insecure auth without tls`

			`This version deprecates token based auth`
First version 2017-01-13 10:07:48 +00:00
updates readme 2017-12-09 10:18:39 +00:00			`## Usage`
First version 2017-01-13 10:07:48 +00:00
Update readme 2017-05-25 05:54:49 +00:00			This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`
First version 2017-01-13 10:07:48 +00:00
Update readme 2017-06-28 03:55:53 +00:00			```yaml
readme: update 2018-01-10 12:00:49 +00:00			`pipeline:`
			`deploy:`
			`image: razorpay/drone-kubernetes`
			`pull: true`
			`secrets:`
			`- docker_username`
			`- docker_password`
			`- server_url_<cluster>`
			`- server_cert_<cluster>`
			`- client_cert_<cluster>`
			`- client_key_<cluster>`
			`- ...`
			`user: <kubernetes-user with a cluster-rolebinding>`
			`cluster: <kubernetes-cluster>`
			`deployment: [<kubernetes-deployements, ...>]`
			`repo: <org/repo>`
			`container: [ <containers,...> ]`
			`namespace: <kubernetes-namespace>`
			`tag:`
			`- ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA}`
			`- ...`
			`when:`
			`environment: <kubernetes-cluster>`
			`branch: [ <branches>,... ]`
			`event:`
			`exclude: [push, pull_request, tag]`
			`include: [deployment]`
Update readme 2017-06-28 03:55:53 +00:00			```
update docs 2017-03-07 10:06:06 +00:00
Add handling environments 2017-02-07 06:09:44 +00:00
First version 2017-01-13 10:07:48 +00:00			`## Required secrets`

readme: update 2018-01-10 12:00:49 +00:00			`- server_url`
			`- tls:`
			`- server_cert`
			- `kubectl get secret [ your default secret name ] -o yaml \| egrep 'ca.crt:' > ca.crt`
			- `kubectl get secret [ your default secret name ] -o yaml \| egrep 'ca.key:' > ca.key`
			`- client_cert`
			`- client_key`
			- ```
			`openssl genrsa -out client.key`
			`openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org"`
			`openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500`
			```
			- ```
			`cat ca.crt \| base64 > car.crt.enc`
			`cat client.crt \| base64 > client.crt.enc`
			`cat client.key \| base64 > client.key.enc`
			```
			- ```
			`drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443`
			`drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc`
			`drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc`
			`drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc`
			```
First version 2017-01-13 10:07:48 +00:00
updates readme 2017-12-09 10:18:39 +00:00			`When using TLS Verification, ensure Server Certificate used by kubernetes API server`
Clarify TLS Verfication impact 2017-02-20 10:20:47 +00:00			`is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )`

add RBAC documentation and example 2017-09-20 17:36:43 +00:00			`### RBAC`

			`When using a version of kubernetes with RBAC (role-based access control)`
			`enabled, you will not be able to use the default service account, since it does`
			`not have access to update deployments. Instead, you will need to create a`
			custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account).

			As an example (for the `web` namespace):

			```yaml
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: drone-deploy`
			`namespace: web`

			`---`

			`apiVersion: rbac.authorization.k8s.io/v1beta1`
			`kind: Role`
			`metadata:`
			`name: drone-deploy`
			`namespace: web`
			`rules:`
			`- apiGroups: ["extensions"]`
			`resources: ["deployments"]`
			`verbs: ["get","list","patch","update"]`

			`---`

			`apiVersion: rbac.authorization.k8s.io/v1beta1`
			`kind: RoleBinding`
			`metadata:`
			`name: drone-deploy`
			`namespace: web`
			`subjects:`
			`- kind: ServiceAccount`
			`name: drone-deploy`
			`namespace: web`
			`roleRef:`
			`kind: Role`
			`name: drone-deploy`
			`apiGroup: rbac.authorization.k8s.io`
			```

			Once the service account is created, you can extract the `ca.cert` and `token`
			`parameters as mentioned for the default service account above:`

			```
			`kubectl -n web get secrets`
			`# Substitute XXXXX below with the correct one from the above command`
			`kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml \| egrep 'ca.crt:\|token:'`
			```

updates readme 2017-12-09 10:18:39 +00:00			`## To do`
First version 2017-01-13 10:07:48 +00:00
			`Replace the current kubectl bash script with a go implementation.`

			`### Special thanks`

			`Inspired by [drone-helm](https://github.com/ipedrazas/drone-helm).`