dep: upgrade helm/kube providers

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # helm_release.drone_runner will be updated in-place
  ~ resource "helm_release" "drone_runner" {
        id                         = "runner"
        name                       = "runner"
      ~ version                    = "0.1.8" -> "0.6.0"
        # (26 unchanged attributes hidden)

        set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

.drone.yml

@@ -1,21 +1,19 @@
 ---
 kind: pipeline
-type: kubernetes
+type: docker
 name: Terraform root module
 
 trigger:
-  event:
-  - cron
-  - push
-  branch:
-  - main
+  ref:
+    - refs/heads/main
+    - refs/pull/*/head
 
 environment:
   TF_IN_AUTOMATION: "1"
 
 steps:
 - name: terraform init
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
     - mkdir -p ~/.ssh
     - chmod 755 ~/.ssh
@@ -32,9 +30,9 @@ steps:
       from_secret: terraform-aws-secret-access-key
 
 - name: terraform plan
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
-  - terraform plan -out .tfplan
+  - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exitcode") -out .tfplan
   environment:
     AWS_ACCESS_KEY_ID:
       from_secret: terraform-aws-key-id
@@ -52,7 +50,7 @@ steps:
       - main
       event:
       - push
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
     - terraform apply .tfplan
   environment:
@@ -65,8 +63,30 @@ steps:
     KUBE_TOKEN:
       from_secret: lawndale-k8s-ci-token
 
+---
+kind: pipeline
+type: kubernetes
+name: Check docs and format
+
+environment:
+  TF_IN_AUTOMATION: "1"
+
+trigger:
+  ref:
+    - refs/pull/*/head
+
+steps:
+- name: format and generate docs
+  image: hashicorp/terraform:1.3.5
+  commands:
+    - apk add bash wget 
+    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
+    - terraform fmt
+    - terraform-docs .
+    - git diff --exit-code
+
 ---
 kind: signature
-hmac: 6950738d3bbe37bb7d5201b9fd7a086ee09a2206a433f19d01c2570cc5718b61
+hmac: fab1e0f28b70ec8cee84520cd4b03df265e12e1ed0625403304ced079ecd11ae
 
 ...

.terraform-docs.yml

@@ -0,0 +1,5 @@
+formatter: markdown document
+
+output:
+  mode: inject
+  file: README.md

README.md

@@ -32,3 +32,66 @@ Sources:
 
 ## Persistent volume
 Persistence is supported by [terraform-modules//9p-persistent-volume](git.thomasklein.me/thomasklein/terraform-modules/9p-persistent-volume).
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_aws"></a> [aws](#requirement\_aws) (~> 4.9.0)
+
+- <a name="requirement_gitea"></a> [gitea](#requirement\_gitea) (>= 0.1.0)
+
+- <a name="requirement_helm"></a> [helm](#requirement\_helm) (2.5.1)
+
+- <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) (2.11.0)
+
+## Providers
+
+The following providers are used by this module:
+
+- <a name="provider_gitea"></a> [gitea](#provider\_gitea) (0.1.0)
+
+- <a name="provider_helm"></a> [helm](#provider\_helm) (2.5.1)
+
+- <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) (2.11.0)
+
+- <a name="provider_random"></a> [random](#provider\_random) (3.2.0)
+
+## Modules
+
+The following Modules are called:
+
+### <a name="module_drone_persistance"></a> [drone\_persistance](#module\_drone\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+## Resources
+
+The following resources are used by this module:
+
+- [gitea_oauth2_app.this](https://registry.terraform.io/providers/malarinv/gitea/latest/docs/resources/oauth2_app) (resource)
+- [helm_release.drone_runner_docker](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_runner_kube](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_server](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [kubernetes_namespace.jobs](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
+- [kubernetes_namespace.server](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
+- [kubernetes_secret.runner_dashboard](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/secret) (resource)
+- [random_password.drone_rpc_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+- [random_password.runner_dashboard](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

dashboard.tf

@@ -0,0 +1,21 @@
+locals {
+  runner_dashboard_user = "admin"
+}
+
+resource "random_password" "runner_dashboard" {
+  length  = 30
+  special = false
+}
+
+resource "kubernetes_secret" "runner_dashboard" {
+  metadata {
+    name      = "runner-dashboard-access"
+    namespace = kubernetes_namespace.server.metadata.0.name
+  }
+  data = {
+    username = local.runner_dashboard_user
+    password = random_password.runner_dashboard.result
+  }
+
+  type = "kubernetes.io/basic-auth"
+}

drone.tf

@@ -3,13 +3,19 @@ resource "helm_release" "drone_server" {
   name             = "drone"
   chart            = "drone"
   repository       = "https://charts.drone.io"
+  version          = "0.6.5"
   namespace        = kubernetes_namespace.server.metadata.0.name
   create_namespace = false
 
+  set {
+    name = "image.tag"
+    value = "2.26.0"
+  }
+
   values = [
     jsonencode({
       env = {
-        DRONE_SERVER_HOST  = local.ingress_domain
+        DRONE_SERVER_HOST  = local.drone_domain
         DRONE_SERVER_PROTO = "https"
         DRONE_GITEA_SERVER = "https://${local.gitea_server}/"
       }
@@ -18,15 +24,13 @@ resource "helm_release" "drone_server" {
       ingress = {
         enabled = true
         annotations = {
-          "kubernetes.io/ingress.class"                             = "traefik"
-          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
-          "traefik.ingress.kubernetes.io/router.tls"                = "true"
-          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+          "kubernetes.io/ingress.class"                      = "traefik"
+          "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+          "cert-manager.io/cluster-issuer"                   = "acme-thomasklein-me"
         }
         hosts = [
           {
-            host = local.ingress_domain
+            host = local.drone_domain
             paths = [
               {
                 path     = "/"
@@ -35,6 +39,14 @@ resource "helm_release" "drone_server" {
             ]
           }
         ]
+        tls = [
+          {
+            secretName = "drone-thomasklein.me-tls"
+            hosts = [
+              local.drone_domain,
+            ]
+          }
+        ]
       }
     }),
     jsonencode({
@@ -63,4 +75,4 @@ resource "helm_release" "drone_server" {
 resource "random_password" "drone_rpc_secret" {
   special = true
   length  = 32
-}
+}

locals.tf

@@ -1,4 +1,7 @@
 locals {
-  gitea_server   = "git.thomasklein.me"
-  ingress_domain = "drone.thomasklein.me"
+  gitea_server = "git.thomasklein.me"
+  drone_domain = "drone.thomasklein.me"
+
+  runner_gc_interval = "5m"
+  runner_cache_size  = "5G"
 }

oauth.tf

@@ -1,6 +1,6 @@
 resource "gitea_oauth2_app" "this" {
   name = "Drone"
   redirect_uris = [
-    "https://drone.thomasklein.me/login",
+    "https://${local.drone_domain}/login",
   ]
 }

provider.tf

@@ -6,18 +6,18 @@ terraform {
     }
 
     gitea = {
-      source = "malarinv/gitea"
+      source  = "malarinv/gitea"
       version = ">= 0.1.0"
     }
 
     helm = {
       source  = "hashicorp/helm"
-      version = "2.5.1"
+      version = "2.8.0"
     }
 
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.11.0"
+      version = "~> 2.16.1"
     }
 
   }

runner.tf

@@ -1,10 +1,99 @@
-resource "helm_release" "drone_runner" {
-  name             = "runner"
-  chart            = "drone-runner-kube"
+resource "helm_release" "drone_runner_docker" {
+  name             = "runner-docker"
+  chart            = "drone-runner-docker"
   repository       = "https://charts.drone.io"
+  version          = "0.7.0"
   namespace        = kubernetes_namespace.server.metadata.0.name
   create_namespace = false
 
+  set {
+    name = "image.tag"
+    value = "1.8.4"
+  }
+  set {
+    name = "dind.tag"
+    value = "28-dind"
+  }
+
+  values = [jsonencode({
+    serviceAccount = {
+      create = true
+    }
+    }),
+    jsonencode({
+      env = {
+        DRONE_SERVER_HOST = "https://${local.drone_domain}"
+        DRONE_RPC_HOST    = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.k8s.lawndale:8080"
+        DRONE_RPC_PROTO   = "http"
+        DRONE_UI_USERNAME = local.runner_dashboard_user
+        DRONE_RUNNER_NAME = "docker"
+        DRONE_RUNNER_CAPACITY = 10
+      }
+    }),
+    jsonencode({
+      dind = {
+        commandArgs = [
+          "--host",
+          "tcp://localhost:2375",
+          "--mtu",
+          "\"1360\"",
+        ]
+      }
+    }),
+    jsonencode({
+      dind = {
+        resources = {
+          requests = {
+            cpu                 = "250m"
+            memory              = "1G"
+            "ephemeral-storage" = upper(local.runner_cache_size)
+          }
+          limits = {
+            cpu                 = "1"
+            memory              = "3G"
+            "ephemeral-storage" = upper(local.runner_cache_size)
+          }
+        }
+      }
+    }),
+    jsonencode({
+      ingress = {
+        enabled = false
+      }
+    }),
+    jsonencode({
+      gc = {
+        enabled = true
+        env = {
+          GC_INTERVAL = local.runner_gc_interval
+          GC_CACHE    = "${lower(local.runner_cache_size)}b"
+        }
+      }
+    }),
+  ]
+  set_sensitive {
+    name  = "env.DRONE_RPC_SECRET"
+    value = random_password.drone_rpc_secret.result
+  }
+  set_sensitive {
+    name  = "env.DRONE_UI_PASSWORD"
+    value = random_password.runner_dashboard.result
+  }
+}
+
+resource "helm_release" "drone_runner_kube" {
+  name             = "runner-kube"
+  chart            = "drone-runner-kube"
+  repository       = "https://charts.drone.io"
+  version          = "0.1.10"
+  namespace        = kubernetes_namespace.server.metadata.0.name
+  create_namespace = false
+
+  set {
+    name = "image.tag"
+    value = "1.0.0-rc.5"
+  }
+
   values = [jsonencode({
     rbac = {
       buildNamespaces = [
@@ -14,10 +103,23 @@ resource "helm_release" "drone_runner" {
     }),
     jsonencode({
       env = {
-        DRONE_SERVER_HOST = "https://${local.ingress_domain}"
-        DRONE_RPC_HOST    = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.cluster.local"
-        DRONE_RPC_PROTO   = "http"
+        DRONE_SERVER_HOST       = "https://${local.drone_domain}"
+        DRONE_RPC_HOST          = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.k8s.lawndale:8080"
+        DRONE_RPC_PROTO         = "http"
         DRONE_NAMESPACE_DEFAULT = kubernetes_namespace.jobs.metadata.0.name
+        DRONE_UI_USERNAME       = local.runner_dashboard_user
+      }
+    }),
+    jsonencode({
+      resources = {
+        requests = {
+          cpu    = "100m"
+          memory = "50Mi"
+        }
+        limits = {
+          cpu    = "300m"
+          memory = "200Mi"
+        }
       }
     }),
     jsonencode({
@@ -30,4 +132,8 @@ resource "helm_release" "drone_runner" {
     name  = "env.DRONE_RPC_SECRET"
     value = random_password.drone_rpc_secret.result
   }
+  set_sensitive {
+    name  = "env.DRONE_UI_PASSWORD"
+    value = random_password.runner_dashboard.result
+  }
 }