armand1m/terraform-gke-drone

Drone CI on GCP with Terraform and Kubernetes

This is a Terraform definition with some scripts that make it easy to bootstrap https://drone.io into a GKE cluster using:

  • GitHub as default VCS
  • drone-runner-kube as runner
  • sqlite as a database, stored in a GCE Persistent Disk

This will expose your Drone CI server on a public IP address without TLS, so all traffic to it travels over plain HTTP. Terraform will output the IP for you.

The scripts can:

  • Enable and disable gcloud services
  • Create and destroy terraform service accounts with editor roles

The terraform definition can provision:

  • GKE cluster
    • Random Master Password Generation
    • Separate managed node pool
      • Using Preemptible Instances
  • GCE External IP Address
  • GCE Persistent Disk to store Drone CI master configuration and data
  • All Kubernetes resources Drone CI needs to run:
    • Namespace drone
    • Secret drone-secrets with the RPC secret stored
      • Random Secret Generation
    • ConfigMap drone-config with all configuration for server and runners
    • Deployment for the Drone Server
      • Environment Variables loaded from Config Map
      • Environment Variables loaded from Secret
      • Volumes mounted from GCE Persistent Disk
    • Service as an ingress load balancer to the Drone Server
      • With GCE External IP Address Assigned
    • Role for the Drone Runner
    • Role Binding for the Drone Runner
    • Service Account for the Drone Runner
    • A deployment for the Drone Runner
      • With Service Account bound

Next steps

  • Run workload in different k8s namespace
  • Enable horizontal and vertical autoscaling

Installing it

Set up a GitHub OAuth Application

Create a GitHub OAuth Application so you can have a GitHub Client ID and a GitHub Client Secret.

Set terraform variables

Change the region and the zone to match your project, and replace the placeholders with your GitHub client ID and client secret.

cat > ./variables.tfvars <<EOL
gcloud_region              = "us-central1"
gcloud_zone                = "us-central1-c"
drone_github_client_id     = "github-client-id"
drone_github_client_secret = "github-client-secret"
EOL
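
The heredoc above puts the GitHub client secret into your shell history and into a file created with your default umask. As an added example (not part of this repository), the function below builds the same variables.tfvars from environment variables, writes it with mode 0600, and refuses the README placeholders. The environment variable names are assumptions chosen for this example.

```bash
#!/bin/sh
# Added example, not from the repository: write variables.tfvars from the
# environment. Assumed (hypothetical) variable names: GCLOUD_REGION,
# GCLOUD_ZONE, DRONE_GITHUB_CLIENT_ID, DRONE_GITHUB_CLIENT_SECRET.

# write_tfvars [OUTFILE]
# Runs in a subshell "( ... )" so umask and variables do not leak to the caller.
write_tfvars() (
  out="${1:-./variables.tfvars}"
  nl='
'
  umask 077                              # new files are 0600: owner only
  tmp="$(mktemp "${out}.XXXXXX")" || exit 1

  for pair in gcloud_region:GCLOUD_REGION gcloud_zone:GCLOUD_ZONE \
              drone_github_client_id:DRONE_GITHUB_CLIENT_ID \
              drone_github_client_secret:DRONE_GITHUB_CLIENT_SECRET; do
    key="${pair%%:*}"
    env_name="${pair#*:}"
    eval "value=\${$env_name:-}"         # env_name comes from the fixed list above
    err=""
    case "$value" in
      "")
        err="is not set" ;;
      github-client-id|github-client-secret)
        err="still holds the README placeholder" ;;
      *\"*|*\\*|*'${'*|*'%{'*|*"$nl"*)
        err="contains characters that are unsafe inside a tfvars string" ;;
    esac
    if [ -n "$err" ]; then
      echo "error: $env_name $err" >&2
      rm -f "$tmp"                       # never leave a partial secrets file
      exit 1
    fi
    printf '%-26s = "%s"\n' "$key" "$value" >> "$tmp"
  done

  mv -f "$tmp" "$out"                    # replace the target only when complete
)

# Usage (values come from your secret store or a prompt, not the command line):
#   write_tfvars ./variables.tfvars
```

Keep variables.tfvars out of version control; the generated file holds the client secret in cleartext.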

Prepare cloud environment

gcloud auth login
gcloud config set project [PROJECT-ID]

Create terraform backend GCS

Here we're using GCS to store remote terraform state, so you need to create a bucket and a backend configuration file.

# This script will output a terraform-state-[hex] bucket name for you
./scripts/create-terraform-state-gcs.sh

Take the GCS bucket name from the script output and generate a ./backend.tfvars file:

cat > ./backend.tfvars <<EOL
bucket  = "terraform-state-[hex]"
prefix  = "production"
EOL

Bring it up

source ./scripts/_shared.sh

./scripts/enable-gcloud-services.sh
./scripts/create-terraform-service-account.sh

terraform init -backend-config=./backend.tfvars
terraform plan -var-file=./variables.tfvars
terraform apply -var-file=./variables.tfvars

Edit the GitHub OAuth application to use the generated IP address

Terraform will provision a Static IP Address for you in GCE and will output it.

It will look like this:

cluster_endpoint = 34.30.4.746
cluster_node_pools = []
cluster_password = blablablbla
cluster_username = drone-cluster-master
drone_server_external_ip = 32.42.37.14

Edit your GitHub OAuth application to use the drone_server_external_ip output.

Access and enjoy

Tearing it down

source ./scripts/_shared.sh
terraform destroy -var-file=./variables.tfvars
./scripts/delete-terraform-service-account.sh
./scripts/disable-gcloud-services.sh

Copyright

MIT, Armando Magalhaes, 2020