droneci-https

Droneci and SSL

Finally managed to get Drone working properly with traefik v2 in docker.

I had to go back and forth before I managed to track down my issues, which were:

  • the wrong hostname configured in the drone container's traefik labels
  • playing with docker env vars until I got the OAuth2 redirect working between gitea, drone and traefik

SSL and redirection required me to change the config somewhat, which looks like this:

note: it's from an ansible playbook, so the compose file is the docker_compose module's definition: key and the {{ }} values are ansible variables

- name: Run drone docker-compose
  docker_compose:
    project_name: droneci
    state: present
    pull: yes
    remove_orphans: yes
    remove_volumes: yes
    restarted: yes
    remove_images: all
    debug: true
    definition:
      version: '2'
      networks:
        ci:
          external: true
      services:

        drone:
         container_name: drone
         image: drone/drone:1
         restart: unless-stopped
         hostname: drone
         networks:
           - ci
         environment:
           - DRONE_GITEA_SERVER={{ DRONE_GITEA_SERVER }}
           - DRONE_GITEA_CLIENT_ID={{ DRONE_GITEA_CLIENT_ID }}
           - DRONE_GITEA_CLIENT_SECRET={{ GITEA_CLIENT_SECRET }}
           - DRONE_RPC_SECRET={{ DRONE_RPC_SECRET }}
           - DRONE_SERVER_HOST={{ DRONE_SERVER_HOST }}
           - DRONE_SERVER_PROTO=https
           - DRONE_DATADOG_ENABLED=false
         labels:
           - "traefik.enable=true"
           - "traefik.http.routers.drone.rule=Host(`drone.sub.domain.tld`)"
           - "traefik.http.routers.drone.entrypoints=websecure"
           - "traefik.http.routers.drone.tls.certresolver=myresolver"
         volumes:
           - /var/lib/drone:/data

        drunner:
         container_name: drunner
         image: drone/drone-runner-docker:1
         restart: unless-stopped
         hostname: drunner
         ports:
           - "3000:3000"
         networks:
           - ci
         environment:
           - DRONE_RPC_PROTO=https   # had to become http later, see below
           - DRONE_RPC_HOST=drone
           - DRONE_RPC_SECRET={{ DRONE_RPC_SECRET }}
           - DRONE_SERVER_HOST=drone
           - DRONE_RUNNER_CAPACITY=2
           - DRONE_DATADOG_ENABLED=false
         volumes:
           - /var/run/docker.sock:/var/run/docker.sock

        traefik:
         image: traefik:2.2
         restart: unless-stopped
         container_name: traefik
         command:
           - "--providers.docker=true"
           - "--providers.docker.exposedbydefault=false"
           - "--entrypoints.web.address=:80"
           - "--entrypoints.websecure.address=:443"
           - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
           - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
           - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
           - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
           - "--certificatesresolvers.myresolver.acme.email={{ traefik_var_CF_API_EMAIL }}"
           - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
           - "--global.sendAnonymousUsage=false"
         environment:
           - CF_API_EMAIL={{ traefik_var_CF_API_EMAIL }}
           - CF_API_KEY={{ traefik_var_CF_API_KEY }}
         ports:
           - 80:80
           - 443:443
         networks:
           - ci
         volumes:
           - /var/run/docker.sock:/var/run/docker.sock
           - /var/docker/traefik/acme.json:/acme.json

Some things remain to be done

I'm just testing what needs to be fixed and tweaked now that drone runs on SSL.

A few days ago I had only set up one repo to test, so its webhooks needed updating to point to the new https URL.

I also need to fix my test runner, as it seems it can't connect to the drone server, so no CI runs are performed. Great.

Finally got the runner working with the server: I had to configure the runner with

DRONE_RPC_PROTO=http

instead of

DRONE_RPC_PROTO=https

as above. The reason is that the runner reaches the server container directly by name on the ci docker network, bypassing traefik, and the drone/drone image only serves plain HTTP there; DRONE_SERVER_PROTO=https only changes the URLs the server hands out for the OAuth2 redirect and the webhooks. https would only be right if DRONE_RPC_HOST pointed at the public hostname that traefik terminates TLS for.
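The three mistakes so far (traefik label hostname, runner RPC scheme, stale webhook and OAuth2 URLs) are all the same kind of mismatch between what drone thinks its address is and what the other components use, so here is a small checker for them. This is an added example, not code from the post or from the Drone project; it assumes the templated DRONE_SERVER_HOST resolves to drone.sub.domain.tld, the placeholder used in the labels above, and the secret and URLs fed to it are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# traefik v2 router rule as written in a container label, e.g. Host(`drone.sub.domain.tld`)
HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")


def parse_env(entries: List[str]) -> Dict[str, str]:
    """Turn compose-style 'KEY=VALUE' entries into a dict."""
    env: Dict[str, str] = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        env[key.strip()] = value.strip()
    return env


def traefik_hosts(labels: List[str]) -> List[str]:
    """Hostnames from every traefik router Host(`...`) rule in a label list."""
    hosts: List[str] = []
    for label in labels:
        if ".rule=" in label:
            hosts.extend(HOST_RULE.findall(label))
    return hosts


def drone_urls(server_env: Dict[str, str]) -> Dict[str, str]:
    """URLs the server derives from DRONE_SERVER_PROTO/HOST: the OAuth2
    redirect registered in the Gitea application (/login) and the webhook
    target it creates in each activated repo (/hook)."""
    base = f"{server_env.get('DRONE_SERVER_PROTO', 'http')}://{server_env.get('DRONE_SERVER_HOST', '')}"
    return {"login": base + "/login", "hook": base + "/hook"}


def same_endpoint(a: str, b: str) -> bool:
    """Compare scheme, host and path only; a query string may legitimately differ."""
    x, y = urlsplit(a), urlsplit(b)
    return (x.scheme, x.netloc, x.path) == (y.scheme, y.netloc, y.path)


def check_wiring(server_env: Dict[str, str], server_labels: List[str], runner_env: Dict[str, str],
                 gitea_redirect_uri: str, repo_hook_urls: List[str]) -> List[str]:
    """Return a list of mismatches; an empty list means the pieces agree."""
    findings: List[str] = []
    host = server_env.get("DRONE_SERVER_HOST", "")
    vhosts = traefik_hosts(server_labels)
    if host not in vhosts:
        findings.append(f"DRONE_SERVER_HOST={host!r} is not a traefik Host() rule {vhosts}: the OAuth2 redirect will not be routed")
    if server_env.get("DRONE_SERVER_PROTO") != "https":
        findings.append("DRONE_SERVER_PROTO is not https: OAuth2 redirect and webhooks will be plain HTTP")
    rpc_host = runner_env.get("DRONE_RPC_HOST", "")
    if rpc_host not in vhosts and runner_env.get("DRONE_RPC_PROTO") == "https":
        # the container name resolves on the docker network, where traefik is not in the path
        findings.append(f"DRONE_RPC_HOST={rpc_host!r} bypasses traefik and the server only speaks plain HTTP there: set DRONE_RPC_PROTO=http")
    if runner_env.get("DRONE_RPC_SECRET") != server_env.get("DRONE_RPC_SECRET"):
        findings.append("DRONE_RPC_SECRET differs between server and runner")
    urls = drone_urls(server_env)
    if not same_endpoint(gitea_redirect_uri, urls["login"]):
        findings.append(f"Gitea OAuth2 redirect URI {gitea_redirect_uri} should be {urls['login']}")
    for url in repo_hook_urls:
        if not same_endpoint(url, urls["hook"]):
            findings.append(f"stale webhook {url}, expected {urls['hook']}")
    return findings


# Constructed sample mirroring the compose file above. Assumption: the templated
# {{ DRONE_SERVER_HOST }} resolves to the same name used in the traefik label.
SERVER_ENV = parse_env([
    "DRONE_RPC_SECRET=constructed-shared-secret",
    "DRONE_SERVER_HOST=drone.sub.domain.tld",
    "DRONE_SERVER_PROTO=https",
])
SERVER_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.drone.rule=Host(`drone.sub.domain.tld`)",
    "traefik.http.routers.drone.entrypoints=websecure",
]
RUNNER_ENV_AS_POSTED = parse_env([
    "DRONE_RPC_PROTO=https", "DRONE_RPC_HOST=drone", "DRONE_RPC_SECRET=constructed-shared-secret",
])
RUNNER_ENV_FIXED = dict(RUNNER_ENV_AS_POSTED, DRONE_RPC_PROTO="http")
GITEA_REDIRECT = "https://drone.sub.domain.tld/login"

if __name__ == "__main__":
    # the runner config as first posted plus a webhook still pointing at the old http URL
    for finding in check_wiring(SERVER_ENV, SERVER_LABELS, RUNNER_ENV_AS_POSTED, GITEA_REDIRECT,
                                ["http://drone.sub.domain.tld/hook"]):
        print(finding)
```

Feed it the env lists straight out of the compose definition and the redirect URI from the Gitea OAuth2 application; the webhook URLs are what Gitea shows under each repo's settings.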

I also need to decide how many and what repos I want to locally test.

Also want to know whether drone can run my ansible roles with molecule.

Also I'm not a fan of mounting the docker socket into any containers (it is root-equivalent access to the host), but these are running in their own virtual machine at this time.

Also want to try to upgrade to traefik v2.4.

Also had to figure out an issue with drone no longer being able to connect to my gitea server.

Turned out it had some routing issues, and I have no idea what messed up the routing table inside the drone VM, as only ansible was modifying it.

Useful reminder:

ip route add 192.168.123.0/24 via 192.168.122.1

Another issue that came up while trying to get an ansible role working was the concept of trusted repos in droneci.

I had forgotten to add the docker socket to the pipeline (the molecule run needs a docker daemon), so my .drone.yml looks awful, like this:

---
kind: pipeline
type: docker
name: default

steps:
  - name: local build
    image: qwe1/dind-ansible-molecule:2.9-root
    volumes:
      # mounts the host docker socket into the step; only allowed for trusted repos
      - name: dsock
        path: /var/run/docker.sock
    commands:
      - ls -lah
      - pwd
      # molecule resolves the role by name under ~/.ansible/roles
      - mkdir -p ~/.ansible/roles && cp -aR "$(pwd)" ~/.ansible/roles/richardskumat.ansible_role_user
      - molecule test

volumes:
  # a host volume, as opposed to a temp volume, is what trips the linter
  - name: dsock
    host:
      path: /var/run/docker.sock

I hadn't specified an admin user for drone when setting it up, so when I set up an ansible role to be tested in drone I was getting the following error:

default: linter: untrusted repositories cannot mount host volumes

Drone's linter refuses host volumes (and privileged steps) for any repository that isn't marked trusted, and only a drone admin can mark one; a pipeline that can mount /var/run/docker.sock has root-equivalent access to the runner host, so the flag is a real security boundary, not a nuisance. So I added the following env var to my drone container (being admin is what lets you tick Trusted in the repo settings) and it was happy afterwards:

DRONE_USER_CREATE=username:user,admin:true

username:user in my case had to match the gitea user I was using; drone creates that account with admin rights on startup.
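To make the trusted-repo rule concrete, here is a small linter that applies it to a pipeline document and, separately, flags any step that mounts the docker socket, since that is the mount that matters most. This is an added example, not Drone's own linter code; the rules and the first two messages are modelled on Drone's, the undefined-volume message is my own, and the pipeline above is embedded as a constructed dict (the parsed form of the .drone.yml) so the example runs without a YAML library. load_pipeline needs PyYAML and is only used when a file path is given.

```python
import sys
from typing import Any, Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed: the .drone.yml above, as the dict a YAML loader would produce.
SAMPLE_PIPELINE: Dict[str, Any] = {
    "kind": "pipeline",
    "type": "docker",
    "name": "default",
    "steps": [
        {
            "name": "local build",
            "image": "qwe1/dind-ansible-molecule:2.9-root",
            "volumes": [{"name": "dsock", "path": DOCKER_SOCKET}],
            "commands": ["molecule test"],
        }
    ],
    "volumes": [{"name": "dsock", "host": {"path": DOCKER_SOCKET}}],
}


def host_volumes(pipeline: Dict[str, Any]) -> Dict[str, str]:
    """Name -> host path for every top-level volume backed by the host.
    A 'temp' volume is a scratch directory, not a host mount, and is skipped."""
    out: Dict[str, str] = {}
    for vol in pipeline.get("volumes") or []:
        host = vol.get("host")
        if host:
            out[vol["name"]] = host.get("path", "")
    return out


def lint_pipeline(pipeline: Dict[str, Any], trusted: bool) -> List[str]:
    """Errors in the '<pipeline>: linter: ...' form Drone reports. Host volumes
    and privileged steps are only accepted when the repository is trusted."""
    name = pipeline.get("name", "default")
    errors: List[str] = []
    if host_volumes(pipeline) and not trusted:
        errors.append(f"{name}: linter: untrusted repositories cannot mount host volumes")
    defined = {v["name"] for v in pipeline.get("volumes") or []}
    for step in pipeline.get("steps") or []:
        if step.get("privileged") and not trusted:
            errors.append(f"{name}: linter: untrusted repositories cannot enable privileged mode")
        for mount in step.get("volumes") or []:
            if mount.get("name") not in defined:
                errors.append(f"{name}: linter: step {step.get('name')} references undefined volume {mount.get('name')}")
    return errors


def socket_mounts(pipeline: Dict[str, Any]) -> List[str]:
    """Names of steps that mount the host docker socket. Anyone who can push to
    the repo then drives the docker daemon, i.e. has root on the runner host,
    so this deserves a warning even when the repo is trusted."""
    hosts = host_volumes(pipeline)
    steps: List[str] = []
    for step in pipeline.get("steps") or []:
        for mount in step.get("volumes") or []:
            if hosts.get(mount.get("name")) == DOCKER_SOCKET:
                steps.append(step.get("name"))
    return steps


def load_pipeline(path: str) -> Dict[str, Any]:
    """Load the first document of a real .drone.yml (requires PyYAML)."""
    import yaml
    with open(path) as fh:
        return next(yaml.safe_load_all(fh))


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--trusted"]
    doc = load_pipeline(args[0]) if args else SAMPLE_PIPELINE
    for err in lint_pipeline(doc, trusted="--trusted" in sys.argv):
        print(err)
    for step in socket_mounts(doc):
        print(f"warning: step {step!r} mounts {DOCKER_SOCKET}; pushers to this repo get root on the runner host")
```

Run it without arguments to see the exact error from above reproduced against the embedded pipeline, and with --trusted to see it pass while the socket warning stays.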
