From 0610bb40a72c0d62be84dd8486a51b8437f31e37 Mon Sep 17 00:00:00 2001
From: Tamas Kiss
Date: Mon, 28 Nov 2022 20:36:44 +0100
Subject: [PATCH] feat: add docker runner and set runner dashboards
---
 README.md | 5 ++-
 dashboard.tf | 21 +++++++++++++
 drone.tf | 6 ++--
 locals.tf | 7 +++--
 oauth.tf | 2 +-
 runner.tf | 88 +++++++++++++++++++++++++++++++++++++++++++++++++---
 6 files changed, 118 insertions(+), 11 deletions(-)
 create mode 100644 dashboard.tf
diff --git a/README.md b/README.md
index 97016f8..3a832a2 100644
--- a/README.md
+++ b/README.md
@@ -74,11 +74,14 @@ Version:
 The following resources are used by this module:
 - [gitea_oauth2_app.this](https://registry.terraform.io/providers/malarinv/gitea/latest/docs/resources/oauth2_app) (resource)
-- [helm_release.drone_runner](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_runner_docker](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_runner_kube](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [helm_release.drone_server](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
 - [kubernetes_namespace.jobs](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
 - [kubernetes_namespace.server](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
+- [kubernetes_secret.runner_dashboard](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/secret) (resource)
 - [random_password.drone_rpc_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+- [random_password.runner_dashboard](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
 ## Required Inputs
diff --git a/dashboard.tf b/dashboard.tf
new file mode 100644
index 0000000..0f891b1
--- /dev/null
+++ b/dashboard.tf
@@ -0,0 +1,21 @@
+locals {
+ runner_dashboard_user = "admin"
+}
+
+resource "random_password" "runner_dashboard" {
+ length = 30
+ special = false
+}
+
+resource "kubernetes_secret" "runner_dashboard" {
+ metadata {
+ name = "runner-dashboard-access"
+ namespace = kubernetes_namespace.server.metadata.0.name
+ }
+ data = {
+ username = local.runner_dashboard_user
+ password = random_password.runner_dashboard.result
+ }
+
+ type = "kubernetes.io/basic-auth"
+}
diff --git a/drone.tf b/drone.tf
index 5747230..aa3fab3 100644
--- a/drone.tf
+++ b/drone.tf
@@ -10,7 +10,7 @@ resource "helm_release" "drone_server" {
 values = [
 jsonencode({
 env = {
- DRONE_SERVER_HOST = local.ingress_domain
+ DRONE_SERVER_HOST = local.drone_domain
 DRONE_SERVER_PROTO = "https"
 DRONE_GITEA_SERVER = "https://${local.gitea_server}/"
 }
@@ -23,11 +23,11 @@ resource "helm_release" "drone_server" {
 "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
 "traefik.ingress.kubernetes.io/router.tls" = "true"
 "traefik.ingress.kubernetes.io/router.tls.certresolver" = "acme-thomasklein-me"
- "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+ "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.drone_domain
 }
 hosts = [
 {
- host = local.ingress_domain
+ host = local.drone_domain
 paths = [
 {
 path = "/"
diff --git a/locals.tf b/locals.tf
index fddc08d..cd4fe00 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,7 @@
 locals {
- gitea_server = "git.thomasklein.me"
- ingress_domain = "drone.thomasklein.me"
+ gitea_server = "git.thomasklein.me"
+ drone_domain = "drone.thomasklein.me"
+
+ runner_gc_interval = "5m"
+ runner_cache_size = "5G"
 }
diff --git a/oauth.tf b/oauth.tf
index 16e290d..6b06dc4 100644
--- a/oauth.tf
+++ b/oauth.tf
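Review bot: The password generated in dashboard.tf is written to Terraform state in plaintext, both as `random_password.runner_dashboard.result` and inside the `data` of `kubernetes_secret.runner_dashboard`, so it is only as secret as the state backend, which needs encryption at rest and restricted read access. No visible hunk reads the `runner-dashboard-access` secret (the runners receive the password through `set_sensitive` in runner.tf), so a comment above the resource naming its consumer would help, e.g. `# basic-auth credentials for the runner dashboards; read by <consumer>`. The same password is also handed to both `drone_runner_docker` and `drone_runner_kube` in runner.tf; one `random_password` per runner would keep a leak from one runner from exposing the other's dashboard.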
@@ -1,6 +1,6 @@
 resource "gitea_oauth2_app" "this" {
 name = "Drone"
 redirect_uris = [
- "https://drone.thomasklein.me/login",
+ "https://${local.drone_domain}/login",
 ]
 }
diff --git a/runner.tf b/runner.tf
index 4b01532..4334b5c 100644
--- a/runner.tf
+++ b/runner.tf
@@ -1,7 +1,70 @@
-resource "helm_release" "drone_runner" {
- name = "runner"
+resource "helm_release" "drone_runner_docker" {
+ name = "runner-docker"
+ chart = "drone-runner-docker"
+ repository = "https://charts.drone.io"
+ version = "0.6.0"
+ namespace = kubernetes_namespace.server.metadata.0.name
+ create_namespace = false
+
+ values = [jsonencode({
+ serviceAccount = {
+ create = true
+ }
+ }),
+ jsonencode({
+ env = {
+ DRONE_SERVER_HOST = "https://${local.drone_domain}"
+ DRONE_RPC_HOST = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.cluster.local:8080"
+ DRONE_RPC_PROTO = "http"
+ DRONE_UI_USERNAME = local.runner_dashboard_user
+ }
+ }),
+ jsonencode({
+ dind = {
+ resources = {
+ requests = {
+ cpu = "250m"
+ memory = "1G"
+ "ephemeral-storage" = upper(local.runner_cache_size)
+ }
+ limits = {
+ cpu = "1"
+ memory = "3G"
+ "ephemeral-storage" = upper(local.runner_cache_size)
+ }
+ }
+ }
+ }),
+ jsonencode({
+ ingress = {
+ enabled = false
+ }
+ }),
+ jsonencode({
+ gc = {
+ enabled = true
+ env = {
+ GC_INTERVAL = local.runner_gc_interval
+ GC_CACHE = "${lower(local.runner_cache_size)}b"
+ }
+ }
+ }),
+ ]
+ set_sensitive {
+ name = "env.DRONE_RPC_SECRET"
+ value = random_password.drone_rpc_secret.result
+ }
+ set_sensitive {
+ name = "env.DRONE_UI_PASSWORD"
+ value = random_password.runner_dashboard.result
+ }
+}
+
+resource "helm_release" "drone_runner_kube" {
+ name = "runner-kube"
 chart = "drone-runner-kube"
 repository = "https://charts.drone.io"
+ version = "0.1.10"
 namespace = kubernetes_namespace.server.metadata.0.name
 create_namespace = false
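Review bot: `drone_runner_docker` in runner.tf is installed into `kubernetes_namespace.server`, next to the Drone server, and it configures the chart's `dind` container, which in Docker-in-Docker setups usually has to run privileged (the chart's security context is not visible in this diff, so confirm against the chart). Pipeline steps are repository-controlled code, so a privileged Docker daemon in the server's namespace widens what a hostile pipeline could reach; a dedicated namespace for this release, e.g. `namespace = kubernetes_namespace.<runner_namespace>.metadata.0.name`, together with a NetworkPolicy limited to the RPC port, would contain it. Separately, `DRONE_RPC_PROTO = "http"` means the RPC secret crosses the cluster network unencrypted, here and in the `drone_runner_kube` env block of the following hunk. If that is accepted because the traffic stays in-cluster, record it in a comment such as `# RPC stays on the cluster network; TLS is terminated at the ingress only`.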
@@ -14,10 +77,23 @@ resource "helm_release" "drone_runner" {
 }),
 jsonencode({
 env = {
- DRONE_SERVER_HOST = "https://${local.ingress_domain}"
- DRONE_RPC_HOST = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.cluster.local"
+ DRONE_SERVER_HOST = "https://${local.drone_domain}"
+ DRONE_RPC_HOST = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.cluster.local:8080"
 DRONE_RPC_PROTO = "http"
 DRONE_NAMESPACE_DEFAULT = kubernetes_namespace.jobs.metadata.0.name
+ DRONE_UI_USERNAME = local.runner_dashboard_user
+ }
+ }),
+ jsonencode({
+ resources = {
+ requests = {
+ cpu = "100m"
+ memory = "50Mi"
+ }
+ limits = {
+ cpu = "300m"
+ memory = "200Mi"
+ }
 }
 }),
 jsonencode({
@@ -30,4 +106,8 @@ resource "helm_release" "drone_runner" {
 name = "env.DRONE_RPC_SECRET"
 value = random_password.drone_rpc_secret.result
 }
+ set_sensitive {
+ name = "env.DRONE_UI_PASSWORD"
+ value = random_password.runner_dashboard.result
+ }
 }