From 166215b7b0265c91d542e7e205ec7b22f3a58faa Mon Sep 17 00:00:00 2001 From: Marcin-Ramotowski Date: Sat, 19 Jul 2025 18:27:24 +0200 Subject: [PATCH] Added Woodpecker configuration --- woodpecker/rbac-role.yaml | 12 +++++ woodpecker/secret-store.yaml | 35 ++++++++++++++ woodpecker/woodpecker-agent.yaml | 39 +++++++++++++++ woodpecker/woodpecker-ingress.yaml | 20 ++++++++ woodpecker/woodpecker-server.yaml | 76 ++++++++++++++++++++++++++++++ woodpecker/woodpecker-volume.yaml | 11 +++++ 6 files changed, 193 insertions(+) create mode 100644 woodpecker/rbac-role.yaml create mode 100644 woodpecker/secret-store.yaml create mode 100644 woodpecker/woodpecker-agent.yaml create mode 100644 woodpecker/woodpecker-ingress.yaml create mode 100644 woodpecker/woodpecker-server.yaml create mode 100644 woodpecker/woodpecker-volume.yaml diff --git a/woodpecker/rbac-role.yaml b/woodpecker/rbac-role.yaml new file mode 100644 index 0000000..99efbd3 --- /dev/null +++ b/woodpecker/rbac-role.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: deployer-binding +subjects: +- kind: User + name: f91aef65-7d2a-4df8-a884-e33b05d54a31 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/woodpecker/secret-store.yaml b/woodpecker/secret-store.yaml new file mode 100644 index 0000000..50bd504 --- /dev/null +++ b/woodpecker/secret-store.yaml 
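Review bot: `roleRef` binds `cluster-admin` to the User `f91aef65-7d2a-4df8-a884-e33b05d54a31`, which is the same client_id that `secret-store.yaml` labels as the user-assigned managed identity for Key Vault, so what appears to be the CI deployer identity is granted unrestricted control of the entire cluster. A deployer normally needs only to create and update workloads in the namespaces it deploys to; a namespaced `Role`/`RoleBinding` listing the verbs the pipelines actually use is the least-privilege equivalent, and `cluster-admin` should stay reserved for break-glass accounts. If cluster-wide scope really is required, bind a purpose-built `ClusterRole` instead and record the reason in a comment above `roleRef`. The resource list below is an example to be trimmed to what the pipelines deploy, repeated per target namespace.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: woodpecker  # repeat per namespace the pipelines deploy into
rules:
  - apiGroups: ["", "apps", "networking.k8s.io"]
    resources: ["deployments", "services", "configmaps", "ingresses", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-binding
  namespace: woodpecker
subjects:
  - kind: User
    name: f91aef65-7d2a-4df8-a884-e33b05d54a31
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```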
@@ -0,0 +1,35 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: woodpecker-secrets + namespace: woodpecker +spec: + provider: azure + secretObjects: + - secretName: woodpecker-secret + type: Opaque + data: + - objectName: woodpecker-gitea-client + key: WOODPECKER_GITEA_CLIENT + - objectName: woodpecker-gitea-secret + key: WOODPECKER_GITEA_SECRET + - objectName: woodpecker-agent-secret + key: WOODPECKER_AGENT_SECRET + parameters: + usePodIdentity: "false" + useVMManagedIdentity: "true" + userAssignedIdentityID: "f91aef65-7d2a-4df8-a884-e33b05d54a31" # client_id of the user-assigned managed identity + clientID: "f91aef65-7d2a-4df8-a884-e33b05d54a31" # client_id of the user-assigned managed identity + keyvaultName: "dev-aks" + objects: | + array: + - | + objectName: woodpecker-gitea-client + objectType: secret + - | + objectName: woodpecker-gitea-secret + objectType: secret + - | + objectName: woodpecker-agent-secret + objectType: secret + tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41" diff --git a/woodpecker/woodpecker-agent.yaml b/woodpecker/woodpecker-agent.yaml new file mode 100644 index 0000000..7436ba8 --- /dev/null +++ b/woodpecker/woodpecker-agent.yaml 
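Review bot: `useVMManagedIdentity: "true"` authenticates to Key Vault `dev-aks` with the node pool's identity, which is obtained from the instance metadata endpoint, so every pod scheduled onto those nodes — including any pipeline pods Woodpecker launches on behalf of registered users, if the kubernetes backend is used — can request the same token and read `woodpecker-gitea-secret` and `woodpecker-agent-secret` straight from the vault unless egress to 169.254.169.254 is blocked by a NetworkPolicy. Microsoft Entra Workload ID scopes the identity to a single service account instead (`useVMManagedIdentity: "false"`, keep `clientID`, and annotate the pod's `serviceAccountName` with `azure.workload.identity/client-id`); confirm the cluster has the OIDC issuer and the workload-identity webhook enabled before switching. Separately, `secretObjects` mirrors all three values into the Kubernetes Secret `woodpecker-secret`, so anyone with `get secrets` in the `woodpecker` namespace can read them; that is a reasonable trade-off for `secretKeyRef`, but worth stating with a comment such as `# synced into a k8s Secret so the Deployments can use secretKeyRef; namespace RBAC on secrets is the only guard` above `secretObjects`.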
@@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: woodpecker-agent + namespace: woodpecker +spec: + replicas: 1 + selector: + matchLabels: + app: woodpecker-agent + template: + metadata: + labels: + app: woodpecker-agent + spec: + containers: + - name: agent + image: woodpeckerci/woodpecker-agent:latest + env: + - name: WOODPECKER_SERVER + value: "woodpecker-server:9000" + - name: WOODPECKER_HEALTHCHECK + value: "false" + - name: WOODPECKER_AGENT_SECRET + valueFrom: + secretKeyRef: + name: woodpecker-secret + key: WOODPECKER_AGENT_SECRET + volumeMounts: + - name: secrets-store + mountPath: "/mnt/secrets" + readOnly: true + volumes: + - name: secrets-store + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "woodpecker-secrets" diff --git a/woodpecker/woodpecker-ingress.yaml b/woodpecker/woodpecker-ingress.yaml new file mode 100644 index 0000000..7885b0d --- /dev/null +++ b/woodpecker/woodpecker-ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: woodpecker-ingress + namespace: woodpecker + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + ingressClassName: nginx + rules: + - host: woodpecker.marcin00.pl + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: woodpecker-server + port: + number: 80 diff --git a/woodpecker/woodpecker-server.yaml b/woodpecker/woodpecker-server.yaml new file mode 100644 index 0000000..a2ae1d7 --- /dev/null +++ b/woodpecker/woodpecker-server.yaml 
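Review bot: The agent pod mounts the whole `woodpecker-secrets` SecretProviderClass at `/mnt/secrets`, which puts the Gitea OAuth client secret on the agent's filesystem even though the agent only consumes `WOODPECKER_AGENT_SECRET`; the `volumeMounts`/`volumes` entries can be dropped here, since the synced Kubernetes Secret only requires that some pod (the server already does) mount the CSI volume. `image: woodpeckerci/woodpecker-agent:latest` should be pinned to a release tag and ideally a digest, e.g. `image: woodpeckerci/woodpecker-agent:<release>@sha256:<digest>`, so a registry-side change cannot silently replace the binary that holds the agent secret and, with the kubernetes backend, the pod-creating credentials. No `serviceAccountName`, `securityContext` or `resources` are set; if the agent runs the kubernetes backend it also needs a Role permitting pod creation in its namespace, which this commit does not add.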
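Review bot: The Ingress has no `tls:` stanza although `woodpecker-server.yaml` sets `WOODPECKER_HOST` to `https://woodpecker.marcin00.pl`; unless TLS is terminated in front of ingress-nginx or by a default certificate, the Gitea OAuth callback and the session cookie travel in the clear and the URL the server advertises will not match what clients reach. Add a `tls:` block with `hosts: [woodpecker.marcin00.pl]` and a `secretName` (cert-manager or a manually provisioned certificate), plus `nginx.ingress.kubernetes.io/ssl-redirect: "true"` if plain HTTP should not be served at all. The `rewrite-target: /` annotation is a no-op when the only path is `/` (ingress-nginx emits no rewrite when path and target are equal) and can be removed so readers do not assume a rewrite is happening.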
@@ -0,0 +1,76 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: woodpecker-server + namespace: woodpecker +spec: + replicas: 1 + selector: + matchLabels: + app: woodpecker-server + template: + metadata: + labels: + app: woodpecker-server + spec: + containers: + - name: server + image: woodpeckerci/woodpecker-server:latest + ports: + - containerPort: 8000 + env: + - name: WOODPECKER_OPEN + value: "true" + - name: WOODPECKER_GITEA + value: "true" + - name: WOODPECKER_GITEA_URL + value: "https://gitea.marcin00.pl" + - name: WOODPECKER_HOST + value: "https://woodpecker.marcin00.pl" + - name: WOODPECKER_AGENT_SECRET + valueFrom: + secretKeyRef: + name: woodpecker-secret + key: WOODPECKER_AGENT_SECRET + - name: WOODPECKER_GITEA_CLIENT + valueFrom: + secretKeyRef: + name: woodpecker-secret + key: WOODPECKER_GITEA_CLIENT + - name: WOODPECKER_GITEA_SECRET + valueFrom: + secretKeyRef: + name: woodpecker-secret + key: WOODPECKER_GITEA_SECRET + volumeMounts: + - name: secrets-store + mountPath: "/mnt/secrets" + readOnly: true + - name: woodpecker-data + mountPath: /var/lib/woodpecker/ + volumes: + - name: secrets-store + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "woodpecker-secrets" + - name: woodpecker-data + persistentVolumeClaim: + claimName: woodpecker-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: woodpecker-server + namespace: woodpecker +spec: + selector: + app: woodpecker-server + ports: + - name: http + port: 80 + targetPort: 8000 + - name: grpc + port: 9000 + targetPort: 9000 diff --git a/woodpecker/woodpecker-volume.yaml b/woodpecker/woodpecker-volume.yaml new file mode 100644 index 0000000..5691084 --- /dev/null +++ b/woodpecker/woodpecker-volume.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: woodpecker-pvc + namespace: woodpecker +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi
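Review bot: `WOODPECKER_OPEN: "true"` lets any account that can authenticate against `https://gitea.marcin00.pl` register itself in Woodpecker and activate repositories, and no `WOODPECKER_ADMIN`, `WOODPECKER_ORGS` or `WOODPECKER_REPO_OWNERS` restriction is set, so the set of people who can run CI jobs in this cluster is whatever Gitea's own sign-up policy allows. Set `WOODPECKER_ADMIN` to the bootstrap user and either flip to `WOODPECKER_OPEN: "false"` after first login or constrain registration with `WOODPECKER_ORGS`/`WOODPECKER_REPO_OWNERS`; if open registration is intentional, say so in a comment above `WOODPECKER_OPEN`. `image: woodpeckerci/woodpecker-server:latest` should be pinned to a release tag and digest for the same supply-chain reasons as the agent, and the gRPC Service on port 9000 is reachable from any pod in the cluster guarded only by the shared `WOODPECKER_AGENT_SECRET`, so a NetworkPolicy limiting ingress on 9000 to the agent pods is worth adding. The Deployment also sets no `securityContext` or `resources`, which are the baseline hardening for a service that holds OAuth credentials and the agent secret.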