drone-kubernetes/README.md

# Kubernetes plugin for drone.io
#### [Docker Repository on Docker Cloud](https://cloud.docker.com/app/razorpay/repository/docker/razorpay/drone-kubernetes)
## Borrowed and distilled from [honestbee/drone-kubernetes](https://github.com/honestbee/drone-kubernetes)

This plugin allows to update a Kubernetes deployment.
  - Cert based auth for tls
  - token based auth
  - Insecure auth without tls

## Usage

This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`

```yaml
pipeline:
  deploy:
    image: razorpay/drone-kubernetes
    pull: true
    secrets:
      - docker_username
      - docker_password
      - server_url_<cluster>
      - server_cert_<cluster>
      - client_cert_<cluster> / - server_token_<cluster>
      - client_key_<cluster> / - server_token_<cluster>
      - ...
    user: <kubernetes-user with a cluster-rolebinding>
    cluster: <kubernetes-cluster>
    auth_mode: [ token | client-cert ] // provide only if providing server_cert_<cluster>
    deployment: [<kubernetes-deployements, ...>]
    repo: <org/repo>
    container: [ <containers,...> ]
    namespace: <kubernetes-namespace>
    tag:
      - ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA}
      - ...
    when:
      environment: <kubernetes-cluster>
      branch: [ <branches>,... ]
      event:
        exclude: [push, pull_request, tag]
        include: [deployment]
```


## Required secrets

  - server_url
  - token:
    - server_token
      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'token:' > server.token`
  - tls:
    - server_cert
      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt`
      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key`
    - client_cert
    - client_key
      - ```
        openssl genrsa -out client.key
        openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org"
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500
        ```
      - ```
        cat ca.crt | base64 > car.crt.enc
        cat client.crt | base64 > client.crt.enc
        cat client.key | base64 > client.key.enc
        ```
      - ```
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc
        ```

When using TLS Verification, ensure Server Certificate used by kubernetes API server
is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )

### RBAC

When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments.  Instead, you will need to create a
custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account).

As an example (for the `web` namespace):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deploy
  namespace: web

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: drone-deploy
  namespace: web
rules:
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: drone-deploy
  namespace: web
subjects:
  - kind: ServiceAccount
    name: drone-deploy
    namespace: web
roleRef:
  kind: Role
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io
```

Once the service account is created, you can extract the `ca.cert` and `token`
parameters as mentioned for the default service account above:

```
kubectl -n web get secrets
# Substitute XXXXX below with the correct one from the above command
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'
```

## To do

Replace the current kubectl bash script with a go implementation.

### Special thanks

Inspired by [drone-helm](https://github.com/ipedrazas/drone-helm).