Droneci and SSL
Finally managed to get Drone working properly with traefik v2 in docker.
I had to go back and forth before I tracked down my issues, which were:
- the wrong hostname configured in the drone container's traefik docker labels
- juggling docker env vars until the OAuth2 redirect worked between gitea, drone and traefik
SSL and redirection required me to change the config somewhat; it now looks like this below:
note: it's taken from an ansible playbook
- name: Run drone docker-compose
  docker_compose:
    project_name: droneci
    state: present
    pull: yes
    remove_orphans: yes
    remove_volumes: yes
    restarted: yes
    remove_images: all
    debug: true
    definition:
      version: '2'
      networks:
        ci:
          external: true
      services:
        drone:
          container_name: drone
          image: drone/drone:1
          restart: unless-stopped
          hostname: drone
          networks:
            - ci
          environment:
            - DRONE_GITEA_SERVER={{ DRONE_GITEA_SERVER }}
            - DRONE_GITEA_CLIENT_ID={{ DRONE_GITEA_CLIENT_ID }}
            - DRONE_GITEA_CLIENT_SECRET={{ GITEA_CLIENT_SECRET }}
            - DRONE_RPC_SECRET={{ DRONE_RPC_SECRET }}
            - DRONE_SERVER_HOST={{ DRONE_SERVER_HOST }}
            - DRONE_SERVER_PROTO=https
            - DRONE_DATADOG_ENABLED=false
          labels:
            - "traefik.enable=true"
            - "traefik.http.routers.drone.rule=Host(`drone.sub.domain.tld`)"
            - "traefik.http.routers.drone.entrypoints=websecure"
            - "traefik.http.routers.drone.tls.certresolver=myresolver"
          volumes:
            - /var/lib/drone:/data
        drunner:
          container_name: drunner
          image: drone/drone-runner-docker:1
          restart: unless-stopped
          hostname: drunner
          ports:
            - "3000:3000"
          networks:
            - ci
          environment:
            - DRONE_RPC_PROTO=https
            - DRONE_RPC_HOST=drone
            - DRONE_RPC_SECRET={{ DRONE_RPC_SECRET }}
            - DRONE_SERVER_HOST=drone
            - DRONE_RUNNER_CAPACITY=2
            - DRONE_DATADOG_ENABLED=false
          volumes:
            - /var/run/docker.sock:/var/run/docker.sock
        traefik:
          image: traefik:2.2
          restart: unless-stopped
          container_name: traefik
          command:
            - "--providers.docker=true"
            - "--providers.docker.exposedbydefault=false"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
            - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
            - "--certificatesresolvers.myresolver.acme.email={{ traefik_var_CF_API_EMAIL }}"
            - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
            - "--global.sendAnonymousUsage=false"
          environment:
            - CF_API_EMAIL={{ traefik_var_CF_API_EMAIL }}
            - CF_API_KEY={{ traefik_var_CF_API_KEY }}
          ports:
            - 80:80
            - 443:443
          networks:
            - ci
          volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - /var/docker/traefik/acme.json:/acme.json
Some things remain to be done
I'm just testing what needs to be fixed and tweaked now that drone runs on ssl.
A few days ago I only set up 1 repo to test, so its webhooks needed updating to point to the new https url.
I also need to fix my test runner, as it seems it can't connect to the drone server, so no ci runs are performed. Great.
Finally got the runner working with the server; I had to configure the runner to use:
DRONE_RPC_PROTO=http
instead of
DRONE_RPC_PROTO=https
as above.
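The two things that bit me above (a label hostname that did not match what drone advertises, and a runner pointed at an internal service name over https) are both consistency checks you can run against the compose definition before deploying. This is an added lint script, not part of the original setup; the sample dict is constructed from the compose above, with DRONE_SERVER_HOST assumed to be the public name the traefik Host rule routes.

```python
import re

# Constructed sample: the relevant parts of the compose definition above, as a
# plain dict so no YAML parser is needed. DRONE_SERVER_HOST is assumed to be
# filled in with the public hostname from the traefik label.
SAMPLE_SERVICES = {
    "drone": {
        "environment": ["DRONE_SERVER_HOST=drone.sub.domain.tld",
                        "DRONE_SERVER_PROTO=https"],
        "labels": ["traefik.enable=true",
                   "traefik.http.routers.drone.rule=Host(`drone.sub.domain.tld`)",
                   "traefik.http.routers.drone.entrypoints=websecure"],
        "volumes": ["/var/lib/drone:/data"],
    },
    "drunner": {
        "environment": ["DRONE_RPC_PROTO=https", "DRONE_RPC_HOST=drone"],
        "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}

def env_map(svc):
    """Turn a compose list-style environment block into a dict."""
    return dict(e.split("=", 1) for e in svc.get("environment", []))

def traefik_hosts(svc):
    """Hostnames named in the service's traefik Host(`...`) router rules."""
    hosts = []
    for label in svc.get("labels", []):
        if ".rule=" in label:
            hosts += re.findall(r"Host\(`([^`]+)`\)", label)
    return hosts

def lint(services):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    for name, svc in services.items():
        env, hosts, labels = env_map(svc), traefik_hosts(svc), " ".join(svc.get("labels", []))
        # Drone builds its OAuth2 callback from DRONE_SERVER_HOST/PROTO, so they
        # must match what traefik actually routes or the gitea redirect breaks.
        if hosts and "DRONE_SERVER_HOST" in env and env["DRONE_SERVER_HOST"] not in hosts:
            findings.append(f"{name}: DRONE_SERVER_HOST {env['DRONE_SERVER_HOST']!r} "
                            f"does not match traefik Host rule {hosts}")
        if hosts and "websecure" in labels and env.get("DRONE_SERVER_PROTO") != "https":
            findings.append(f"{name}: routed on websecure but DRONE_SERVER_PROTO is not https")
        # A runner addressing the server by compose service name talks to the
        # container directly, bypassing traefik, so there is no TLS on that hop.
        rpc_host = env.get("DRONE_RPC_HOST")
        if rpc_host in services and env.get("DRONE_RPC_PROTO") == "https":
            findings.append(f"{name}: DRONE_RPC_HOST={rpc_host} is an internal service "
                            "name; use DRONE_RPC_PROTO=http")
        # The docker socket is root-equivalent on the host; list every mount of it.
        if any(v.startswith("/var/run/docker.sock:") for v in svc.get("volumes", [])):
            findings.append(f"{name}: mounts the docker socket (host root-equivalent)")
    return findings
```

Running `lint(SAMPLE_SERVICES)` reports the runner's https-to-internal-name mismatch and its docker socket mount, and nothing for the drone service.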
I also need to decide how many and which repos I want to test locally.
I also want to know whether drone can run my ansible roles with molecule.
I'm also not a fan of mounting the docker socket into any container, but these are running in their own virtual machine at this time.
I also want to try upgrading to traefik v2.4.
I also had to figure out an issue with drone no longer being able to connect to my gitea server.
It turned out to be a routing issue, and I have no idea what messed up the routing table inside the drone vm, as only ansible was modifying it.
Useful reminder:
ip route add 192.168.123.0/24 via 192.168.122.1
Another issue that came up while trying to get an ansible role working was the concept of trusted repos in droneci.
I forgot to add the docker socket to the pipeline, so my drone pipeline now looks awful, like this:
---
kind: pipeline
type: docker
name: default

steps:
  - name: local build
    image: qwe1/dind-ansible-molecule:2.9-root
    volumes:
      - name: dsock
        path: /var/run/docker.sock
    commands:
      - ls -lah
      - pwd
      - mkdir -p ~/.ansible/roles && cp -aR "$(pwd)" ~/.ansible/roles/richardskumat.ansible_role_user
      - molecule test

volumes:
  - name: dsock
    host:
      path: /var/run/docker.sock
I didn't specify an admin user for drone when setting it up, so when setting up an ansible role to be tested in drone I was getting the following error:
default: linter: untrusted repositories cannot mount host volumes
So I added the following env var to my drone container, and it was happy afterwards:
DRONE_USER_CREATE=username:user,admin:true
username:user in my case had to match the gitea user I was using.