Merge pull request #1 from razorpay/code-sanity

Code sanity
This commit is contained in:
Hashfyre 2018-01-10 18:50:34 +05:30 committed by GitHub
commit 9063cbdafa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 107 additions and 166 deletions


@ -1,7 +1,7 @@
FROM alpine:3.4
RUN apk --no-cache add curl ca-certificates bash
RUN curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
RUN chmod +x /usr/local/bin/kubectl
RUN apk --no-cache add curl ca-certificates bash && \
curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
chmod +x /usr/local/bin/kubectl
COPY update.sh /bin/
ENTRYPOINT ["/bin/bash"]
CMD ["/bin/update.sh"]
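Review bot: The merged RUN still fetches kubectl with `curl -Lo` and no `--fail`, so an HTTP error (or a non-200 body for the `stable.txt` lookup) is written into /usr/local/bin/kubectl and then marked executable; `&&` chaining does not catch this because curl exits 0 on an HTTP error without `-f`. The version is also resolved from `stable.txt` at build time, so two builds of the same Dockerfile can ship different kubectl binaries with no integrity check. I would pin the version through a build argument and verify the download, e.g. `ARG KUBECTL_VERSION=<pinned-version>` and `curl -fsSL -o /usr/local/bin/kubectl .../release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl`, followed by a sha256 comparison against the published checksum before `chmod +x`.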

README.md

@ -1,140 +1,76 @@
# Kubernetes plugin for drone.io [![Docker Repository on Quay](https://quay.io/repository/honestbee/drone-kubernetes/status "Docker Repository on Quay")](https://quay.io/repository/honestbee/drone-kubernetes)
# Kubernetes plugin for drone.io [Docker Repository on Docker Cloud](https://cloud.docker.com/app/razorpay/repository/docker/razorpay/drone-kubernetes)
## Borrowed and distilled from [honestbee/drone-kubernetes](https://github.com/honestbee/drone-kubernetes)
This plugin allows to update a Kubernetes deployment.
- Cert based auth for tls
- Insecure auth without tls
This version deprecates token based auth
## Usage
This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`
```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: my-deployment
repo: myorg/myrepo
container: my-container
tag:
- mytag
- latest
pipeline:
deploy:
image: razorpay/drone-kubernetes
pull: true
secrets:
- docker_username
- docker_password
- server_url_<cluster>
- server_cert_<cluster>
- client_cert_<cluster>
- client_key_<cluster>
- ...
user: <kubernetes-user with a cluster-rolebinding>
cluster: <kubernetes-cluster>
deployment: [<kubernetes-deployements, ...>]
repo: <org/repo>
container: [ <containers,...> ]
namespace: <kubernetes-namespace>
tag:
- ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA}
- ...
when:
environment: <kubernetes-cluster>
branch: [ <branches>,... ]
event:
exclude: [push, pull_request, tag]
include: [deployment]
```
Deploying containers across several deployments, eg in a scheduler-worker setup. Make sure your container `name` in your manifest is the same for each pod.
```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: [server-deploy, worker-deploy]
repo: myorg/myrepo
container: my-container
tag:
- mytag
- latest
```
Deploying multiple containers within the same deployment.
```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: my-deployment
repo: myorg/myrepo
container: [container1, container2]
tag:
- mytag
- latest
```
**NOTE**: Combining multi container deployments across multiple deployments is not recommended
This more complex example demonstrates how to deploy to several environments based on the branch, in a `app` namespace
```yaml
pipeline:
deploy-qa:
image: quay.io/honestbee/drone-kubernetes
kubernetes_user: ${KUBERNETES_USER}
kubernetes_server: ${KUBERNETES_SERVER_QA}
kubernetes_cert: ${KUBERNETES_CERT_QA}
kubernetes_client_cert: ${PLUGIN_KUBERNETES_CLIENT_CERT}
kubernetes_client_key: ${PLUGIN_KUBERNETES_CLIENT_KEY}
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [ qa ]
deploy-staging:
image: quay.io/honestbee/drone-kubernetes
kubernetes_user: ${KUBERNETES_USER}
kubernetes_server: ${KUBERNETES_SERVER_STAGING}
kubernetes_cert: ${KUBERNETES_CERT_STAGING}
kubernetes_token: ${KUBERNETES_TOKEN_STAGING}
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [ staging ]
deploy-prod:
image: quay.io/honestbee/drone-kubernetes
kubernetes_server: ${KUBERNETES_SERVER_PROD}
kubernetes_token: ${KUBERNETES_TOKEN_PROD}
# notice: no tls verification will be done, warning will is printed
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [ master ]
```
## Required secrets
```bash
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_SERVER https://mykubernetesapiserver
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_CERT <base64 encoded CA.crt>
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...
```
- server_url
- tls:
- server_cert
- `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt`
- `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key`
- client_cert
- client_key
- ```
openssl genrsa -out client.key
openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500
```
- ```
cat ca.crt | base64 > car.crt.enc
cat client.crt | base64 > client.crt.enc
cat client.key | base64 > client.key.enc
```
- ```
drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443
drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc
drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc
drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc
```
When using TLS Verification, ensure Server Certificate used by kubernetes API server
is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )
## How to get token
1. After deployment inspect you pod for name of (k8s) secret with **token** and **ca.crt**
```bash
kubectl describe po/[ your pod name ] | grep SecretName | grep token
```
(When you use **default service account**)
2. Get data from you (k8s) secret
```bash
kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:|token:'
```
3. Copy-paste contents of ca.crt into your drone's **KUBERNETES_CERT** secret
4. Decode base64 encoded token
```bash
echo [ your k8s base64 encoded token ] | base64 -d && echo''
```
5. Copy-paste decoded token into your drone's **KUBERNETES_TOKEN** secret
### RBAC
When using a version of kubernetes with RBAC (role-based access control)


@ -1,69 +1,74 @@
#!/bin/bash
set -euo pipefail
if [ ! -z ${PLUGIN_KUBERNETES_USER} ]; then
KUBERNETES_USER=${PLUGIN_KUBERNETES_USER:-default}
# check optional params
if [ ! -z ${PLUGIN_USER} ]; then
USER=${PLUGIN_USER:-default}
fi
if [ ! -z ${PLUGIN_KUBERNETES_ENV} ]; then
KUBERNETES_ENV=${PLUGIN_KUBERNETES_ENV}
if [ ! -z ${PLUGIN_NAMESPACE} ]; then
NAMESPACE=${PLUGIN_NAMESPACE:-default}
fi
KUBERNETES_SERVER_VAR=KUBERNETES_SERVER_${KUBERNETES_ENV}
KUBERNETES_CERT_VAR=KUBERNETES_SERVER_CERT_${KUBERNETES_ENV}
# check required params
if [ ! -z ${PLUGIN_CLUSTER} ]; then
# convert cluster name to ucase and assign
CLUSTER=${PLUGIN_CLUSTER^^}
KUBERNETES_SERVER=${!KUBERNETES_SERVER_VAR}
KUBERNETES_CERT=${!KUBERNETES_CERT_VAR}
# create dynamic cert var names
SERVER_URL_VAR=SERVER_URL_${CLUSTER}
SERVER_CERT_VAR=SERVER_CERT_${CLUSTER}
CLIENT_CERT_VAR=CLIENT_CERT_${CLUSTER}
CLIENT_KEY_VAR=CLIENT_KEY_${CLUSTER}
if [[ -z "${KUBERNETES_SERVER}" ]]; then
echo "ERROR: drone secret ${KUBERNETES_SERVER_VAR} not added!"
# expand the var contents
SERVER_URL=${!SERVER_URL_VAR}
SERVER_CERT=${!SERVER_CERT_VAR}
CLIENT_CERT=${!CLIENT_CERT_VAR}
CLIENT_KEY=${!CLIENT_KEY_VAR}
if [[ -z "${SERVER_URL}" ]]; then
echo "[ERROR] drone secret: ${SERVER_URL_VAR} not added!"
exit 1
fi
if [[ -z "${KUBERNETES_CERT}" ]]; then
echo "ERROR: drone secret ${KUBERNETES_CERT_VAR} not added!"
echo "Inscure connection to the cluster will be used."
if [[ ! -z "${SERVER_CERT}" ]]; then
echo "[INFO] Using secure connection with tls-certificate."
echo ${SERVER_CERT} | base64 -d > ca.crt
kubectl config set-cluster default --server=${SERVER_URL} --certificate-authority=ca.crt
if [[ ! -z "${CLIENT_CERT}" ]] && [[ ! -z "${CLIENT_KEY}" ]]; then
echo "[INFO] Setting client credentials with signed-certificate and key."
echo ${CLIENT_CERT} | base64 -d > client.crt
echo ${CLIENT_KEY} | base64 -d > client.key
kubectl config set-credentials ${USER} --client-certificate=client.crt --client-key=client.key
else
echo "[ERROR] Required plugin parameters:"
echo " - client_cert"
echo " - client_key"
echo "are not provided"
exit 1
fi
else
echo "[WARNING] Required plugin parameter: ${SERVER_CERT_VAR} not added!"
echo "[WARNING] Using insecure connection to cluster"
kubectl config set-cluster default --server=${SERVER_URL} --insecure-skip-tls-verify=true
fi
else
echo "ERROR: kubernetes_env not provided"
echo "[ERROR] Required pipeline parameter: cluster not provided"
exit 1
fi
if [ -z ${PLUGIN_NAMESPACE} ]; then
PLUGIN_NAMESPACE="default"
fi
if [[ ! -z "${KUBERNETES_CLIENT_CERT}" ]] && [[ ! -z "${KUBERNETES_CLIENT_KEY}" ]]; then
echo "INFO: Setting client credentials with signed-certificate and key."
echo ${KUBERNETES_CLIENT_CERT} | base64 -d > client.crt
echo ${KUBERNETES_CLIENT_KEY} | base64 -d > client.key
kubectl config set-credentials ${KUBERNETES_USER} --client-certificate=client.crt --client-key=client.key
else
echo "ERROR: Provide the following authentication params:"
echo " - kubernetes_client_cert"
echo " - kubernetes_client_key"
echo "as drone secrets"
exit 1
fi
if [ ! -z "${KUBERNETES_CERT}" ]; then
echo "INFO: Using secure connection with tls-certificate."
echo ${KUBERNETES_CERT} | base64 -d > ca.crt
kubectl config set-cluster default --server=${KUBERNETES_SERVER} --certificate-authority=ca.crt
else
echo "WARNING: Using insecure connection to cluster"
kubectl config set-cluster default --server=${KUBERNETES_SERVER} --insecure-skip-tls-verify=true
fi
kubectl config set-context default --cluster=default --user=${KUBERNETES_USER}
kubectl config set-context default --cluster=default --user=${USER}
kubectl config use-context default
# kubectl version
IFS=',' read -r -a DEPLOYMENTS <<< "${PLUGIN_DEPLOYMENT}"
IFS=',' read -r -a CONTAINERS <<< "${PLUGIN_CONTAINER}"
for DEPLOY in ${DEPLOYMENTS[@]}; do
echo Deploying to ${KUBERNETES_ENV}
echo Deploying to ${CLUSTER}
for CONTAINER in ${CONTAINERS[@]}; do
kubectl -n ${PLUGIN_NAMESPACE} set image deployment/${DEPLOY} \
kubectl -n ${NAMESPACE} set image deployment/${DEPLOY} \
${CONTAINER}="${PLUGIN_REPO}:${PLUGIN_TAG}" --record
done
done
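Review bot: With `set -euo pipefail` at the top, the unquoted guards `[ ! -z ${PLUGIN_USER} ]`, `[ ! -z ${PLUGIN_NAMESPACE} ]` and `[ ! -z ${PLUGIN_CLUSTER} ]` abort the script with "unbound variable" whenever the parameter is absent, so the `:-default` fallbacks for USER and NAMESPACE and the "[ERROR] Required pipeline parameter: cluster not provided" branch are unreachable, and a missing optional parameter surfaces as a bash error rather than the intended default. The same applies to the indirect expansions `SERVER_URL=${!SERVER_URL_VAR}` and friends: an un-added drone secret trips `set -u` before the "[ERROR] drone secret: ... not added!" check can run. The decoded client.key and ca.crt are also written into the working directory with the default umask, so the private key is created world-readable in the build workspace; a `umask 077` before the `base64 -d` redirects keeps them owner-only. The rewritten lines below default unconditionally and use `${var:-}` so the existing error messages become reachable; the rest of the script is unchanged.
```bash
set -euo pipefail
umask 077  # ca.crt / client.crt / client.key are written into the workspace; keep them owner-only

# optional params: default unconditionally, the unset case never survives set -u otherwise
USER=${PLUGIN_USER:-default}
NAMESPACE=${PLUGIN_NAMESPACE:-default}

# required params
if [[ -n "${PLUGIN_CLUSTER:-}" ]]; then
  CLUSTER=${PLUGIN_CLUSTER^^}
  # … unchanged: dynamic *_VAR name construction …
  # expand with a default so a missing secret reaches the [ERROR] check below instead of set -u
  SERVER_URL=${!SERVER_URL_VAR:-}
  SERVER_CERT=${!SERVER_CERT_VAR:-}
  CLIENT_CERT=${!CLIENT_CERT_VAR:-}
  CLIENT_KEY=${!CLIENT_KEY_VAR:-}
  # … unchanged: server / client credential setup and error branches …
```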