update for arm
matthewoden committed Oct 19, 2019
1 parent a5776c4 commit ff7120c
Showing 3 changed files with 111 additions and 78 deletions.
22 changes: 22 additions & 0 deletions .drone.yml
@@ -0,0 +1,22 @@
kind: pipeline
type: docker
name: default

platform:
os: linux
arch: arm

trigger:
branch:
- master

steps:
- name: docker
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
repo: matthewoden/drone-kubernetes-arm
dockerfile: ./Dockerfile
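
Review bot: `image: plugins/docker` in the `docker` step carries no tag or digest, and this is the step that receives `docker_username` and `docker_password`. Pin the image to a specific tag or digest so a changed upstream image cannot run with the registry credentials. The `trigger` block filters on `branch` only; adding an `event` filter limited to push would keep the publish step from running for other events that resolve to `master`.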
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,6 +1,6 @@
FROM alpine:3.4
FROM arm32v6/alpine:3.10.2
RUN apk --no-cache add curl ca-certificates bash
RUN curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
RUN curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/arm/kubectl
RUN chmod +x /usr/local/bin/kubectl
COPY update.sh /bin/
ENTRYPOINT ["/bin/bash"]
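
Review bot: the `kubectl` download on the `RUN curl -Lo /usr/local/bin/kubectl ...` line has no integrity check and resolves its version from `stable.txt` at build time, so two builds of the same commit can ship different, unverified binaries. Pin an explicit release version the way the base image is now pinned to `arm32v6/alpine:3.10.2`, verify the file against a published SHA-256 before `chmod +x`, and add `-f` to `curl` so an HTTP error fails the build instead of saving the error body as `kubectl`.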
163 changes: 87 additions & 76 deletions README.md
@@ -1,127 +1,140 @@
# Kubernetes plugin for drone.io [![Docker Repository on Quay](https://quay.io/repository/honestbee/drone-kubernetes/status "Docker Repository on Quay")](https://quay.io/repository/honestbee/drone-kubernetes)
# Kubernetes plugin for drone.io (for ARM architecture)

This plugin allows to update a Kubernetes deployment.
This plugin allows you to update a Kubernetes deployment

## Usage
## Usage

This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`

```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: my-deployment
repo: myorg/myrepo
container: my-container
tag:
- mytag
- latest
pipeline:
- name: deploy
image: matthewoden/drone-kubernetes-arm
deployment: my-deployment
repo: myorg/myrepo
container: my-container
tag:
- ${DRONE_COMMIT_SHA:0:8}
- latest
```
Deploying containers across several deployments, eg in a scheduler-worker setup. Make sure your container `name` in your manifest is the same for each pod.

```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: [server-deploy, worker-deploy]
repo: myorg/myrepo
container: my-container
tag:
- mytag
- latest
pipeline:
- name: deploy
image: matthewoden/drone-kubernetes-arm
deployment: [server-deploy, worker-deploy]
repo: myorg/myrepo
container: my-container
tag:
- mytag
- latest
```

Deploying multiple containers within the same deployment.

```yaml
pipeline:
deploy:
image: quay.io/honestbee/drone-kubernetes
deployment: my-deployment
repo: myorg/myrepo
container: [container1, container2]
tag:
- mytag
- latest
pipeline:
- name: deploy
image: matthewoden/drone-kubernetes-arm
deployment: my-deployment
repo: myorg/myrepo
container: [container1, container2]
tag:
- mytag
- latest
```

**NOTE**: Combining multi container deployments across multiple deployments is not recommended

This more complex example demonstrates how to deploy to several environments based on the branch, in a `app` namespace
This more complex example demonstrates how to deploy to several environments based on the branch, in a `app` namespace

```yaml
pipeline:
deploy-staging:
image: quay.io/honestbee/drone-kubernetes
kubernetes_server: ${KUBERNETES_SERVER_STAGING}
kubernetes_cert: ${KUBERNETES_CERT_STAGING}
kubernetes_token: ${KUBERNETES_TOKEN_STAGING}
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [ staging ]
deploy-prod:
image: quay.io/honestbee/drone-kubernetes
kubernetes_server: ${KUBERNETES_SERVER_PROD}
kubernetes_token: ${KUBERNETES_TOKEN_PROD}
# notice: no tls verification will be done, warning will is printed
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [ master ]
pipeline:
- name: deploy-staging
image: matthewoden/drone-kubernetes-arm
kubernetes_server: ${KUBERNETES_SERVER_STAGING}
kubernetes_cert: ${KUBERNETES_CERT_STAGING}
kubernetes_token: ${KUBERNETES_TOKEN_STAGING}
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [staging]
- name: deploy-prod
image: matthewoden/drone-kubernetes-arm
kubernetes_server: ${KUBERNETES_SERVER_PROD}
kubernetes_token: ${KUBERNETES_TOKEN_PROD}
# notice: no tls verification will be done, warning will be printed
deployment: my-deployment
repo: myorg/myrepo
container: my-container
namespace: app
tag:
- mytag
- latest
when:
branch: [master]
```

## Required secrets

```bash
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_SERVER https://mykubernetesapiserver
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_CERT <base64 encoded CA.crt>
drone secret add --image=honestbee/drone-kubernetes \
your-user/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...
drone secret add
--respository your-user/your-repo
--name KUBERNETES_SERVER
--data https://mykubernetesapiserver
drone secret add
--repository your-user/your-repo \
--name KUBERNETES_CERT \
--data <base64 encoded CA.crt>
drone secret add
--repository your-user/your-repo \
--name KUBERNETES_TOKEN
--data eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...
```

When using TLS Verification, ensure Server Certificate used by kubernetes API server
When using TLS Verification, ensure Server Certificate used by kubernetes API server
is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )

## How to get token

1. After deployment inspect you pod for name of (k8s) secret with **token** and **ca.crt**

```bash
kubectl describe po/[ your pod name ] | grep SecretName | grep token
```

(When you use **default service account**)

2. Get data from you (k8s) secret

```bash
kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:|token:'
```

3. Copy-paste contents of ca.crt into your drone's **KUBERNETES_CERT** secret
4. Decode base64 encoded token

```bash
echo [ your k8s base64 encoded token ] | base64 -d && echo''
```

5. Copy-paste decoded token into your drone's **KUBERNETES_TOKEN** secret

### RBAC

When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments. Instead, you will need to create a
not have access to update deployments. Instead, you will need to create a
custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account).

As an example (for the `web` namespace):
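
Review bot: in the "Required secrets" block the new `drone secret add` commands will not run as written: the first one spells the flag `--respository`, and the `drone secret add`, `--name KUBERNETES_SERVER` and `--name KUBERNETES_TOKEN` lines lack the trailing `\` that the neighbouring lines have. Separately, the `deploy-prod` example still omits `kubernetes_cert`, which its own comment says means no TLS verification; the production step should show the CA certificate set the same way `deploy-staging` does. The examples also use `pipeline:` with `- name:` list items while the `.drone.yml` added in this commit uses `steps:` and `settings:`, so the README should follow one syntax.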
Expand All @@ -134,7 +147,6 @@ metadata:
namespace: web
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
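
Review bot: the `apiVersion: rbac.authorization.k8s.io/v1beta1` line for the `Role` is left unchanged here, as is the one for the `RoleBinding` further down. `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8, so the example can move to `v1` while the README is being touched.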
Expand All @@ -143,10 +155,9 @@ metadata:
rules:
- apiGroups: ["extensions"]
resources: ["deployments"]
verbs: ["get","list","patch","update"]
verbs: ["get", "list", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
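
Review bot: the `rules` entry grants access only for `apiGroups: ["extensions"]`. Deployments are served from the `apps` API group, and Kubernetes 1.16 stopped serving them under `extensions/v1beta1`, so with the Dockerfile pulling the current stable `kubectl` this Role may not cover the deployments being patched. Consider `apiGroups: ["apps", "extensions"]` and keep the verb list as narrow as it is now.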
Expand All @@ -171,7 +182,7 @@ kubectl -n web get secrets
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'
```

## To do
## To do

Replace the current kubectl bash script with a go implementation.
