# Identity the runner pod runs as (serviceAccountName in the drone-runner-kube
# Deployment). No metadata.namespace is set, so it is created in whatever
# namespace this manifest is applied to; the RoleBinding further down expects
# it in drone-execution -- confirm the two line up, otherwise the runner has no
# permission to create pipeline pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner-kube
---
# Non-secret runner settings, injected with envFrom in the drone-runner-kube
# Deployment. Credentials (e.g. DRONE_SECRET_PLUGIN_TOKEN) live in the
# application-secrets Secret, which is referenced but not defined in this file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: application-config
data:
  # Booleans are strings on purpose: env values are always text.
  DRONE_DEBUG: "false"
  DRONE_TRACE: "false"
  # Namespace pipeline pods are created in; must match the namespace of the
  # Role/RoleBinding below, which is where the runner is granted pod access.
  DRONE_NAMESPACE_DEFAULT: "drone-execution"
  DRONE_RPC_HOST: "drone.k-space.ee"
  # TLS to the Drone server; keep https, the RPC channel carries the secret.
  DRONE_RPC_PROTO: "https"
  PLUGIN_MTU: "1300"
  # Plain HTTP to the secrets plugin, in-cluster only. No Service named
  # "secrets" exists in this file, so it must be defined elsewhere and should
  # select the drone-kubernetes-secrets pods on port 3000 -- the NetworkPolicy
  # below limits ingress to that port to runner pods.
  DRONE_SECRET_PLUGIN_ENDPOINT: "http://secrets:3000"
---
# Namespaced permissions the runner needs in the pipeline namespace
# (DRONE_NAMESPACE_DEFAULT). A Role rather than a ClusterRole, so the runner's
# token is useless outside drone-execution.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone-runner-kube
  namespace: "drone-execution"
  labels:
    app: drone-runner-kube
rules:
  # Secrets: create and delete only. No get/list, so a leaked runner token
  # cannot read Secrets that already exist in the namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
  # Pods and their logs: presumably one pod per pipeline, updated as steps
  # run, logs streamed, then deleted. Anyone who can trigger a pipeline can
  # therefore run arbitrary images here -- enforce Pod Security admission and
  # resource quotas on the drone-execution namespace rather than relying on
  # this Role alone.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - create
      - delete
      - list
      - watch
      - update
---
# Binds the Role above to the runner's ServiceAccount. The subject namespace is
# drone-execution, so the ServiceAccount at the top of this file must end up in
# that namespace for the binding to have any effect.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone-runner-kube
  namespace: drone-execution
  labels:
    app: drone-runner-kube
subjects:
  - kind: ServiceAccount
    name: drone-runner-kube
    namespace: drone-execution
roleRef:
  kind: Role
  name: drone-runner-kube
  apiGroup: rbac.authorization.k8s.io
---
# ClusterIP Service in front of the runner's own "http" container port (3000).
# No NetworkPolicy in this file restricts ingress to it; confirm what the
# runner serves there and which clients actually need it before exposing it.
apiVersion: v1
kind: Service
metadata:
  name: drone-runner-kube
  labels:
    app: drone-runner-kube
spec:
  type: ClusterIP
  ports:
    - port: 3000
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: drone-runner-kube
---
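# The runner itself: talks to the Drone server over RPC and creates pipeline
# pods in DRONE_NAMESPACE_DEFAULT using the drone-runner-kube ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner-kube
  annotations:
    # keel polls the registry on this schedule and force-updates the image.
    keel.sh/policy: force
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@midnight"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-runner-kube
  template:
    metadata:
      labels:
        app: drone-runner-kube
    spec:
      serviceAccountName: drone-runner-kube
      # One hour of grace on shutdown, presumably so in-flight pipelines can
      # finish before the runner process is killed.
      terminationGracePeriodSeconds: 3600
      containers:
        - name: server
          # The previous securityContext was an empty placeholder. A process
          # that only speaks HTTP(S) to the API server and Drone needs none of
          # what is dropped here. runAsNonRoot is deliberately not set because
          # the image's user is not known from this file.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Untagged image + imagePullPolicy Always + keel "force" means the pod
          # runs whatever the registry currently serves as "latest". Pin a
          # release tag or digest so upgrades are deliberate and reviewable.
          image: drone/drone-runner-kube
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          # Non-secret settings from the ConfigMap; credentials from the
          # application-secrets Secret, which is defined outside this file.
          envFrom:
            - configMapRef:
                name: application-config
            - secretRef:
                name: application-secrets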
---
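# Secrets plugin the runner calls at DRONE_SECRET_PLUGIN_ENDPOINT.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-kubernetes-secrets
  annotations:
    # keel polls the registry on this schedule and force-updates the image.
    keel.sh/policy: force
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@midnight"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-kubernetes-secrets
  template:
    metadata:
      labels:
        app: drone-kubernetes-secrets
    spec:
      # No serviceAccountName, so the pod runs as the namespace's default
      # ServiceAccount. If the plugin reads Kubernetes Secrets through the API
      # (the RBAC for that is not in this file), give it a dedicated SA with a
      # minimal Role rather than widening the default one.
      containers:
        - name: secrets
          # Untagged image + imagePullPolicy Always + keel "force": the pod runs
          # whatever the registry currently serves as "latest". Pin a release
          # tag or digest so upgrades are deliberate and reviewable.
          image: drone/kubernetes-secrets
          imagePullPolicy: Always
          # Same hardening as the runner: an HTTP service on an unprivileged
          # port needs no capabilities or privilege escalation. runAsNonRoot is
          # left unset because the image's user is not known from this file.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          ports:
            # Must stay in sync with the NetworkPolicy below and with
            # DRONE_SECRET_PLUGIN_ENDPOINT in the ConfigMap.
            - containerPort: 3000
          env:
            # Presumably the token callers must present. The runner receives
            # the same key through envFrom secretRef application-secrets.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: application-secrets
                  key: DRONE_SECRET_PLUGIN_TOKEN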
---
# Only runner pods may reach the secrets plugin, and only on its listening
# port. A "from" entry with just a podSelector matches pods in this policy's
# own namespace, so the runner and the plugin must be deployed together.
# policyTypes lists Ingress only; egress from the plugin is not restricted here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: drone-kubernetes-secrets
spec:
  podSelector:
    matchLabels:
      app: drone-kubernetes-secrets
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: drone-runner-kube
    ports:
    # protocol is omitted, which the API defaults to TCP.
    - port: 3000
---
# Following should block access to pods in other namespaces, but should permit
# Git checkout, pip install, talking to Traefik via public IP etc
#
# Review notes:
# - podSelector {} selects every pod in the namespace this manifest is applied
#   to, not only drone-runner-kube (the name is misleading). Pipeline pods run
#   in DRONE_NAMESPACE_DEFAULT (drone-execution); if this file is applied to a
#   different namespace they are not covered by this policy at all.
# - Whether an ipBlock of 0.0.0.0/0 matches in-cluster pod IPs is CNI-specific.
#   On CNIs that do match them this rule allows all egress, including pods in
#   other namespaces, so the intent above is not enforced. On CNIs that exclude
#   cluster endpoints from ipBlock, in-cluster DNS is blocked too and hostname
#   resolution (Git checkout, pip install) fails unless an explicit egress rule
#   to the cluster DNS pods on port 53 is added. Verify against the CNI in use.
# - The portable way to express the intent is an ipBlock.except list with the
#   cluster's pod and service CIDRs plus an explicit DNS rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: drone-runner-kube
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0