From 1d3d58f1a0f2982f283ccfc41174356bbf7ab51d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Sat, 27 May 2023 10:09:15 +0300
Subject: [PATCH] Add Woodpecker CI
---
storage-class.yaml | 13 ++++
woodpecker/README.md | 17 ++++
woodpecker/woodpecker-agent.yml | 98 +++++++++++++++++++++++
woodpecker/woodpecker-server.yml | 129 +++++++++++++++++++++++++++++++
4 files changed, 257 insertions(+)
create mode 100644 woodpecker/README.md
create mode 100644 woodpecker/woodpecker-agent.yml
create mode 100644 woodpecker/woodpecker-server.yml
diff --git a/storage-class.yaml b/storage-class.yaml
index 9d0d70b..969826b 100644
--- a/storage-class.yaml
+++ b/storage-class.yaml
@@ -53,3 +53,16 @@ volumeBindingMode: WaitForFirstConsumer allowVolumeExpansion: true parameters: fsType: "xfs"
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: woodpecker
+provisioner: driver.longhorn.io
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+parameters:
+ dataLocality: best-effort
+ numberOfReplicas: "1"
+ fsType: "xfs"
diff --git a/woodpecker/README.md b/woodpecker/README.md
new file mode 100644
index 0000000..0367159
--- /dev/null
+++ b/woodpecker/README.md
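Review bot: In the storage-class.yaml hunk, the new `woodpecker` StorageClass carries no comment saying what it is for, yet `numberOfReplicas: "1"` together with `reclaimPolicy: Delete` means a volume on it has no redundancy and disappears with its claim. The agent manifest in this patch sets `WOODPECKER_BACKEND_K8S_STORAGE_CLASS` to `woodpecker`, so the class appears to be meant only for throwaway pipeline workspaces. A leading comment such as `# Ephemeral CI workspaces only: single replica, volume is deleted with its claim` would keep it from being picked for data that has to survive a node failure.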
@@ -0,0 +1,17 @@
+# Woodpecker CI
+Woodpecker CI obsoletes Drone CI which has confusing licensing conditions.
+
+Deployment steps:
+
+```
+kubectl create namespace woodpecker
+kubectl create namespace woodpecker-execution
+kubectl create secret generic -n woodpecker woodpecker-secret \
+ --from-literal=WOODPECKER_AGENT_SECRET=$(openssl rand -hex 32) \
+ --from-literal=WOODPECKER_GITEA_CLIENT=... \
+ --from-literal=WOODPECKER_GITEA_SECRET=...
+kubectl create secret generic -n woodpecker-execution woodpecker-secret \
+ --from-literal=WOODPECKER_AGENT_SECRET=$(kubectl get secret -n woodpecker woodpecker-secret -o jsonpath="{.data.WOODPECKER_AGENT_SECRET}" | base64 -d)
+kubectl apply -n woodpecker -f woodpecker-server.yml
+kubectl apply -n woodpecker-execution -f woodpecker-agent.yml
+```
diff --git a/woodpecker/woodpecker-agent.yml b/woodpecker/woodpecker-agent.yml
new file mode 100644
index 0000000..fc19068
--- /dev/null
+++ b/woodpecker/woodpecker-agent.yml
@@ -0,0 +1,98 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: woodpecker-agent
+ namespace: woodpecker-execution
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: woodpecker-agent
+ namespace: woodpecker-execution
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - watch
+ - create
+ - delete
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: woodpecker-agent
+ namespace: woodpecker-execution
+subjects:
+ - kind: ServiceAccount
+ name: woodpecker-agent
+ namespace: woodpecker-execution
+roleRef:
+ kind: Role
+ name: woodpecker-agent
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: woodpecker-agent
+ namespace: woodpecker-execution
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: woodpecker-agent
+ template:
+ metadata:
+ labels:
+ app: woodpecker-agent
+ spec:
+ serviceAccountName: woodpecker-agent
+ securityContext:
+ {}
+ containers:
+ - name: agent
+ securityContext:
+ {}
+ image: woodpeckerci/woodpecker-agent:next
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ env:
+ - name: WOODPECKER_BACKEND
+ value: kubernetes
+ - name: WOODPECKER_BACKEND_K8S_NAMESPACE
+ value: woodpecker-execution
+ - name: WOODPECKER_BACKEND_K8S_STORAGE_CLASS
+ value: woodpecker
+ - name: WOODPECKER_BACKEND_K8S_STORAGE_RWX
+ value: "false"
+ - name: WOODPECKER_BACKEND_K8S_VOLUME_SIZE
+ value: 100Mi
+ - name: WOODPECKER_SERVER
+ value: "woodpecker-grpc.woodpecker.svc.cluster.local:9000"
+ - name: WOODPECKER_AGENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: woodpecker-secret
+ key: WOODPECKER_AGENT_SECRET
diff --git a/woodpecker/woodpecker-server.yml b/woodpecker/woodpecker-server.yml
new file mode 100644
index 0000000..58e0009
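Review bot: In woodpecker-agent.yml, `image: woodpeckerci/woodpecker-agent:next` is a mutable tag on a pod that runs as the `woodpecker-agent` ServiceAccount (create/delete on pods, services and PVCs in `woodpecker-execution`) and reads `WOODPECKER_AGENT_SECRET`, so whatever is published under `next` upstream inherits those rights on the next pull. Pin a release tag or digest, e.g. `image: woodpeckerci/woodpecker-agent:<release-tag>@sha256:<digest>` (placeholders); the same applies to `woodpeckerci/woodpecker-server:next` in woodpecker-server.yml, which holds the Gitea OAuth client secret as well. Both `securityContext: {}` entries here and in the server StatefulSet are empty; provided the images tolerate it, the container-level one should set at least `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`.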
--- /dev/null
+++ b/woodpecker/woodpecker-server.yml
@@ -0,0 +1,129 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: woodpecker
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: woodpecker
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: woodpecker-grpc
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9000
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ app: woodpecker
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: woodpecker
+spec:
+ serviceName: woodpecker
+ replicas: 1
+ selector:
+ matchLabels:
+ app: woodpecker
+ template:
+ metadata:
+ labels:
+ app: woodpecker
+ spec:
+ automountServiceAccountToken: false
+ securityContext:
+ {}
+ containers:
+ - name: server
+ securityContext:
+ {}
+ image: woodpeckerci/woodpecker-server:next
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ - name: grpc
+ containerPort: 9000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ env:
+ - name: WOODPECKER_ADMIN
+ value: laurivosandi
+ - name: WOODPECKER_OPEN
+ value: "true"
+ - name: WOODPECKER_ORGS
+ value: codemowers
+ - name: WOODPECKER_HOST
+ value: "https://woodpecker.k-space.ee"
+ - name: WOODPECKER_GITEA
+ value: "true"
+ - name: WOODPECKER_GITEA_URL
+ value: "https://git.k-space.ee/"
+ - name: WOODPECKER_GITEA_CLIENT
+ valueFrom:
+ secretKeyRef:
+ name: woodpecker-secret
+ key: WOODPECKER_GITEA_CLIENT
+ - name: WOODPECKER_GITEA_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: woodpecker-secret
+ key: WOODPECKER_GITEA_SECRET
+ - name: "WOODPECKER_AGENT_SECRET"
+ valueFrom:
+ secretKeyRef:
+ name: woodpecker-secret
+ key: WOODPECKER_AGENT_SECRET
+ volumeMounts:
+ - name: woodpecker-data
+ mountPath: /var/lib/woodpecker
+ volumeClaimTemplates:
+ - metadata:
+ name: woodpecker-data
+ spec:
+ storageClassName: longhorn
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 8Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: woodpecker
+ annotations:
+ external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+ tls:
+ - hosts:
+ - "*.k-space.ee"
+ rules:
+ - host: "woodpecker.k-space.ee"
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: woodpecker
+ port:
+ number: 80
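Review bot: In the StatefulSet env block, `WOODPECKER_OPEN` is `"true"`, so the only setting that limits who can register and have pipelines run as pods in this cluster is the `WOODPECKER_ORGS` entry right after it, and nothing in the manifest says the two are coupled. A comment above the pair, e.g. `# Registration is open; access is limited to the orgs in WOODPECKER_ORGS, so keep the two settings together`, would make that dependency explicit for whoever edits the list later. Separately, the resources in this file omit `metadata.namespace` while woodpecker-agent.yml sets it on every object, so the server only lands in `woodpecker` when applied with `-n woodpecker` as the README shows; adding `namespace: woodpecker` here would make the two manifests consistent.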