dep: upgrade helm/kube providers

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # helm_release.drone_runner will be updated in-place
  ~ resource "helm_release" "drone_runner" {
        id                         = "runner"
        name                       = "runner"
      ~ version                    = "0.1.8" -> "0.6.0"
        # (26 unchanged attributes hidden)

        set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

.drone.yml

@@ -0,0 +1,92 @@
+---
+kind: pipeline
+type: docker
+name: Terraform root module
+
+trigger:
+  ref:
+    - refs/heads/main
+    - refs/pull/*/head
+
+environment:
+  TF_IN_AUTOMATION: "1"
+
+steps:
+- name: terraform init
+  image: hashicorp/terraform:1.3.5
+  commands:
+    - mkdir -p ~/.ssh
+    - chmod 755 ~/.ssh
+    - echo "$${CI_SSH_KEY}" | base64 -d > ~/.ssh/id_rsa
+    - chmod 600 ~/.ssh/id_rsa
+    - terraform init
+  environment:
+    GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no"
+    CI_SSH_KEY:
+      from_secret: ci-ssh-key
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+
+- name: terraform plan
+  image: hashicorp/terraform:1.3.5
+  commands:
+  - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exitcode") -out .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    GITEA_TOKEN:
+      from_secret: gitea-token
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+
+- name: terraform apply
+  when:
+    when:
+      branch:
+      - main
+      event:
+      - push
+  image: hashicorp/terraform:1.3.5
+  commands:
+    - terraform apply .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    GITEA_TOKEN:
+      from_secret: gitea-token
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+
+---
+kind: pipeline
+type: kubernetes
+name: Check docs and format
+
+environment:
+  TF_IN_AUTOMATION: "1"
+
+trigger:
+  ref:
+    - refs/pull/*/head
+
+steps:
+- name: format and generate docs
+  image: hashicorp/terraform:1.3.5
+  commands:
+    - apk add bash wget 
+    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
+    - terraform fmt
+    - terraform-docs .
+    - git diff --exit-code
+
+---
+kind: signature
+hmac: fab1e0f28b70ec8cee84520cd4b03df265e12e1ed0625403304ced079ecd11ae
+
+...

.terraform-docs.yml

@@ -0,0 +1,5 @@
+formatter: markdown document
+
+output:
+  mode: inject
+  file: README.md

.terraform.lock.hcl

@@ -81,23 +81,24 @@ provider "registry.terraform.io/hashicorp/random" {
 }
 
 provider "registry.terraform.io/malarinv/gitea" {
-  version = "0.0.4"
+  version     = "0.1.0"
+  constraints = ">= 0.1.0"
   hashes = [
-    "h1:W4u/HfWhyc1zXRb0KHL/dsJWHdyYo+sXAwSJJHDf+PE=",
+    "h1:9gvLZEw2s1gw/ndFQWx8KmnZFVaMx0tcxv4N8Ry0BCY=",
-    "zh:20d7d5ee0ebbb0359b014cb6f66b2d94fb3dd5e53abc50313d3fb9b85c629e01",
+    "zh:0783653310ba6eb14d59bdc3a45ef5b5f7e7558ba450e359c3baf9ef9ca873d0",
-    "zh:21086620ed6a41d7189a00a3caadbd68648311824e4aee842a661ea79e7b0ffe",
+    "zh:13ff110936da51b21111ee5d0f67a5374518f2ad6d0eb9e7bf30b7a528f7a6d1",
-    "zh:334ebed7a13f503b5a538d56c461f2a42f8ed108776868c076dd7880fab68455",
+    "zh:4e25e89514dc4ed9d9dba9a206058717696bf4432d94fc68492173557748911f",
-    "zh:3f52c69f0d5dce1b3c04df6c60362bfd43925cbaa9a81698e9721cb58890351f",
+    "zh:626153305e29e3c9d7234974da1e7877ced31186b15c3fb56192d5f3a4d6a00a",
-    "zh:5c475d8ecff582dde0d3e4f02587c730e00efe3b10e1b6d0cd612b25de9303c6",
+    "zh:74d4ff48cd68665636e6ba26f376e519abbf50f87eba153a68743a9101d88aed",
-    "zh:5cd331d2dfa47abb3f9950b110fc54dd1674101e61d77ca3f9666175db0aa3f2",
+    "zh:87800efb75162dde6dab86875be108745b0eb080aed7d2ef9409e443e1542299",
-    "zh:784bfaff53e564f7ab04e04e9cb821bee8c68e40834009d69424c1d8f54d9a19",
+    "zh:8b7e051eb36d4a78991fc6106b261f3b79385a5ad3a795e27ff217c81f3a44a2",
-    "zh:a4f7176a311c52bb8f47c0ea755ca8d1899fd3155022a11540019a73dee0a73e",
+    "zh:8bd28d2ee0301be6dfdb4853dc5dbcd9333537ff3b6ac172acf1939c128a2077",
-    "zh:cd56c1b847d24d3b917836257a88423d76032a908e5822306526f536baea1f2f",
+    "zh:914b2c6eba8ee3b19912b899bd36bd029668c09f99bd8b6b24ebf2b2472d2367",
-    "zh:deecf94952f5e77e452b56fa6a4e2d652e167ee0df4b57fe35e0c37a9c3db58d",
+    "zh:981a34b82860a7986eadc4c8a690f816854e26aa0a61ff9ede696bc37dfb19b1",
-    "zh:dfa6529978b92d8db22f2040172d895d4a07e4e46346d4fc1ab3041c508732fd",
+    "zh:a62167212cf15a51bf14b52e9c64c49a1bb1ac4f51c0dd50c4a0381e09630078",
-    "zh:ecf4c9d84348c25049c8ac5d5477807f7cc72b33ecd816cc11f721066dc7fbac",
+    "zh:cdd6ef29f319902d07a472ce2efb9c1f35dd9bc8a8102a5fe072fdbf0a719c71",
+    "zh:d6e6a7c1337495131be7c8ad7b7e6a3d82ca3427ef0f81ed301f671063498b73",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f58d45a08c6f51da91bcc27ff3095edc03a04897c76a60dfada1c3a6f26daf41",
+    "zh:fd7018726dcd8a7b8bde3ac4ffc4ca0fe7f1b87cce63452a3e18d03eb8c2bc31",
-    "zh:f8461ecc0df2c0d6abfd383270b08a7d216d9188f89ef3a30435b8f6a935a1fe",
   ]
 }

README.md

@@ -1,4 +1,6 @@
 # Terraform config for drone
+[![Build Status](https://drone.thomasklein.me/api/badges/thomasklein/terraform-app-drone/status.svg)](https://drone.thomasklein.me/thomasklein/terraform-app-drone)
+
 Drone is a self-hosted Continuous Integration platform. This terraform root module will create a Gitea OAuth2 application, a persistent volume for Drone and installs Drone to a Kubernetes namespace on Lawndale.
 
 **This module assumes Lawndale as the hosting environment!**
@@ -30,3 +32,66 @@ Sources:
 
 ## Persistent volume
 Persistence is supported by [terraform-modules//9p-persistent-volume](git.thomasklein.me/thomasklein/terraform-modules/9p-persistent-volume).
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_aws"></a> [aws](#requirement\_aws) (~> 4.9.0)
+
+- <a name="requirement_gitea"></a> [gitea](#requirement\_gitea) (>= 0.1.0)
+
+- <a name="requirement_helm"></a> [helm](#requirement\_helm) (2.5.1)
+
+- <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) (2.11.0)
+
+## Providers
+
+The following providers are used by this module:
+
+- <a name="provider_gitea"></a> [gitea](#provider\_gitea) (0.1.0)
+
+- <a name="provider_helm"></a> [helm](#provider\_helm) (2.5.1)
+
+- <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) (2.11.0)
+
+- <a name="provider_random"></a> [random](#provider\_random) (3.2.0)
+
+## Modules
+
+The following Modules are called:
+
+### <a name="module_drone_persistance"></a> [drone\_persistance](#module\_drone\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+## Resources
+
+The following resources are used by this module:
+
+- [gitea_oauth2_app.this](https://registry.terraform.io/providers/malarinv/gitea/latest/docs/resources/oauth2_app) (resource)
+- [helm_release.drone_runner_docker](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_runner_kube](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [helm_release.drone_server](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) (resource)
+- [kubernetes_namespace.jobs](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
+- [kubernetes_namespace.server](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) (resource)
+- [kubernetes_secret.runner_dashboard](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/secret) (resource)
+- [random_password.drone_rpc_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+- [random_password.runner_dashboard](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

dashboard.tf

@@ -0,0 +1,21 @@
+locals {
+  runner_dashboard_user = "admin"
+}
+
+resource "random_password" "runner_dashboard" {
+  length  = 30
+  special = false
+}
+
+resource "kubernetes_secret" "runner_dashboard" {
+  metadata {
+    name      = "runner-dashboard-access"
+    namespace = kubernetes_namespace.server.metadata.0.name
+  }
+  data = {
+    username = local.runner_dashboard_user
+    password = random_password.runner_dashboard.result
+  }
+
+  type = "kubernetes.io/basic-auth"
+}

drone.tf

@@ -3,13 +3,19 @@ resource "helm_release" "drone_server" {
   name             = "drone"
   chart            = "drone"
   repository       = "https://charts.drone.io"
+  version          = "0.6.5"
   namespace        = kubernetes_namespace.server.metadata.0.name
   create_namespace = false
 
+  set {
+    name = "image.tag"
+    value = "2.26.0"
+  }
+
   values = [
     jsonencode({
       env = {
-        DRONE_SERVER_HOST  = local.ingress_domain
+        DRONE_SERVER_HOST  = local.drone_domain
         DRONE_SERVER_PROTO = "https"
         DRONE_GITEA_SERVER = "https://${local.gitea_server}/"
       }
@@ -18,15 +24,13 @@ resource "helm_release" "drone_server" {
       ingress = {
         enabled = true
         annotations = {
-          "kubernetes.io/ingress.class"                             = "traefik"
+          "kubernetes.io/ingress.class"                      = "traefik"
-          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
+          "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
-          "traefik.ingress.kubernetes.io/router.tls"                = "true"
+          "cert-manager.io/cluster-issuer"                   = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
         }
         hosts = [
           {
-            host = local.ingress_domain
+            host = local.drone_domain
             paths = [
               {
                 path     = "/"
@@ -35,6 +39,14 @@ resource "helm_release" "drone_server" {
             ]
           }
         ]
+        tls = [
+          {
+            secretName = "drone-thomasklein.me-tls"
+            hosts = [
+              local.drone_domain,
+            ]
+          }
+        ]
       }
     }),
     jsonencode({
@@ -63,4 +75,4 @@ resource "helm_release" "drone_server" {
 resource "random_password" "drone_rpc_secret" {
   special = true
   length  = 32
-}
+}

locals.tf

@@ -1,4 +1,7 @@
 locals {
-  gitea_server   = "git.thomasklein.me"
+  gitea_server = "git.thomasklein.me"
-  ingress_domain = "drone.thomasklein.me"
+  drone_domain = "drone.thomasklein.me"
+
+  runner_gc_interval = "5m"
+  runner_cache_size  = "5G"
 }

oauth.tf

@@ -1,6 +1,6 @@
 resource "gitea_oauth2_app" "this" {
   name = "Drone"
   redirect_uris = [
-    "https://drone.thomasklein.me/login",
+    "https://${local.drone_domain}/login",
   ]
 }

provider.tf

@@ -6,17 +6,18 @@ terraform {
     }
 
     gitea = {
-      source = "malarinv/gitea"
+      source  = "malarinv/gitea"
+      version = ">= 0.1.0"
     }
 
     helm = {
       source  = "hashicorp/helm"
-      version = "2.5.1"
+      version = "2.8.0"
     }
 
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.11.0"
+      version = "~> 2.16.1"
     }
 
   }
@@ -24,7 +25,6 @@ terraform {
 
 provider "gitea" {
   base_url = "https://${local.gitea_server}"
-  token    = "915f506e315f263bec1ee7440dff065395e81462"
 }
 
 provider "aws" {

runner.tf

@@ -1,10 +1,99 @@
-resource "helm_release" "drone_runner" {
+resource "helm_release" "drone_runner_docker" {
-  name             = "runner"
+  name             = "runner-docker"
-  chart            = "drone-runner-kube"
+  chart            = "drone-runner-docker"
   repository       = "https://charts.drone.io"
+  version          = "0.7.0"
   namespace        = kubernetes_namespace.server.metadata.0.name
   create_namespace = false
 
+  set {
+    name = "image.tag"
+    value = "1.8.4"
+  }
+  set {
+    name = "dind.tag"
+    value = "28-dind"
+  }
+
+  values = [jsonencode({
+    serviceAccount = {
+      create = true
+    }
+    }),
+    jsonencode({
+      env = {
+        DRONE_SERVER_HOST = "https://${local.drone_domain}"
+        DRONE_RPC_HOST    = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.k8s.lawndale:8080"
+        DRONE_RPC_PROTO   = "http"
+        DRONE_UI_USERNAME = local.runner_dashboard_user
+        DRONE_RUNNER_NAME = "docker"
+        DRONE_RUNNER_CAPACITY = 10
+      }
+    }),
+    jsonencode({
+      dind = {
+        commandArgs = [
+          "--host",
+          "tcp://localhost:2375",
+          "--mtu",
+          "\"1360\"",
+        ]
+      }
+    }),
+    jsonencode({
+      dind = {
+        resources = {
+          requests = {
+            cpu                 = "250m"
+            memory              = "1G"
+            "ephemeral-storage" = upper(local.runner_cache_size)
+          }
+          limits = {
+            cpu                 = "1"
+            memory              = "3G"
+            "ephemeral-storage" = upper(local.runner_cache_size)
+          }
+        }
+      }
+    }),
+    jsonencode({
+      ingress = {
+        enabled = false
+      }
+    }),
+    jsonencode({
+      gc = {
+        enabled = true
+        env = {
+          GC_INTERVAL = local.runner_gc_interval
+          GC_CACHE    = "${lower(local.runner_cache_size)}b"
+        }
+      }
+    }),
+  ]
+  set_sensitive {
+    name  = "env.DRONE_RPC_SECRET"
+    value = random_password.drone_rpc_secret.result
+  }
+  set_sensitive {
+    name  = "env.DRONE_UI_PASSWORD"
+    value = random_password.runner_dashboard.result
+  }
+}
+
+resource "helm_release" "drone_runner_kube" {
+  name             = "runner-kube"
+  chart            = "drone-runner-kube"
+  repository       = "https://charts.drone.io"
+  version          = "0.1.10"
+  namespace        = kubernetes_namespace.server.metadata.0.name
+  create_namespace = false
+
+  set {
+    name = "image.tag"
+    value = "1.0.0-rc.5"
+  }
+
   values = [jsonencode({
     rbac = {
       buildNamespaces = [
@@ -14,9 +103,23 @@ resource "helm_release" "drone_runner" {
     }),
     jsonencode({
       env = {
-        DRONE_SERVER_HOST = "https://${local.ingress_domain}"
+        DRONE_SERVER_HOST       = "https://${local.drone_domain}"
-        DRONE_RPC_HOST    = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.cluster.local"
+        DRONE_RPC_HOST          = "${helm_release.drone_server.name}.${helm_release.drone_server.namespace}.svc.k8s.lawndale:8080"
-        DRONE_RPC_PROTO   = "http"
+        DRONE_RPC_PROTO         = "http"
+        DRONE_NAMESPACE_DEFAULT = kubernetes_namespace.jobs.metadata.0.name
+        DRONE_UI_USERNAME       = local.runner_dashboard_user
+      }
+    }),
+    jsonencode({
+      resources = {
+        requests = {
+          cpu    = "100m"
+          memory = "50Mi"
+        }
+        limits = {
+          cpu    = "300m"
+          memory = "200Mi"
+        }
       }
     }),
     jsonencode({
@@ -29,4 +132,8 @@ resource "helm_release" "drone_runner" {
     name  = "env.DRONE_RPC_SECRET"
     value = random_password.drone_rpc_secret.result
   }
+  set_sensitive {
+    name  = "env.DRONE_UI_PASSWORD"
+    value = random_password.runner_dashboard.result
+  }
 }