@zgorizzo69
Created April 2, 2020 22:44
drone-vault extension kubernetes resources from our blog.cogarius.com
# CA certificate mounted into the drone-vault pod; VAULT_CACERT points at it
# so the extension can verify the Vault server's TLS certificate.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-crt
  namespace: drone
data:
  kubca.crt: |
    -----BEGIN CERTIFICATE-----
    MIICMzCCAZygAwIBAgIJALiPnVsvq8dsMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNV
    BAYTAlVTMQwwCgYDVQQIEwNmb28xDDAKBgNVBAcTA2ZvbzEMMAoGA1UEChMDZm9v
    MQwwCgYDVQQLEwNmb28xDDAKBgNVBAMTA2ZvbzAeFw0xMzAzMTkxNTQwMTlaFw0x
    xph0pSfsfFsTKM4RhTWD2v4fgk+xZiKd1p0+L4hTtpwnEw0uXRVd0ki6muwV5y/P
    +5FHUeldq+pgTcgzuK8CAwEAAaMPMA0wCwYDVR0PBAQDAgLkMA0GCSqGSIb3DQEB
    BQUAA4GBAJiDAAtY0mQQeuxWdzLRzXmjvdSuL9GoyT3BF/jSnpxz5/58dba8pWen
    v3pj4P3w5DoOso0rzkZy2jEsEitlVM2mLSbQpMM+MUVQCQoiG6W9xuCFuxSrwPIS
    pAqEAuV4DNoxQKKWmhVv+J0ptMWD25Pnpxeq5sXzghfJnslJlQND
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: drone-vault
  name: drone-vault
  namespace: drone
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-vault
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: drone-vault
    spec:
      volumes:
        - name: ca-crt
          configMap:
            name: ca-crt
      containers:
        # No tag is given, so this resolves to :latest; pin a tag or digest
        # for reproducible rollouts.
        - image: drone/vault
          name: vault
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi
          ports:
            - name: api
              containerPort: 3000
              protocol: TCP
          volumeMounts:
            # Mount only the kubca.crt key of the ConfigMap as a single file.
            - name: ca-crt
              mountPath: /etc/ssl/certs/ca.crt
              subPath: kubca.crt
              readOnly: false
          env:
            - name: DRONE_DEBUG
              value: "false"
            # Secret shared with the Drone runner.
            - name: DRONE_SECRET
              valueFrom:
                secretKeyRef:
                  key: shared_secret
                  name: vault-drone
            - name: VAULT_ADDR
              value: "https://vault-server.vault.svc.cluster.local:8200"
            # CA file used to verify the Vault server's TLS certificate.
            - name: VAULT_CACERT
              value: "/etc/ssl/certs/ca.crt"
            - name: VAULT_AUTH_TYPE
              value: "approle"
            - name: VAULT_TOKEN_TTL
              value: "48h"
            - name: VAULT_TOKEN_RENEWAL
              value: "24h"
            # AppRole credentials are read from the vault-drone Secret rather
            # than being written into the manifest.
            - name: VAULT_APPROLE_ID
              valueFrom:
                secretKeyRef:
                  key: approle_role_id
                  name: vault-drone
            - name: VAULT_APPROLE_SECRET
              valueFrom:
                secretKeyRef:
                  key: approle_role_secret
                  name: vault-drone
status: {}
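---
apiVersion: v1
kind: Secret
metadata:
  name: vault-drone
  namespace: drone
# Values under `data` must be base64-encoded: replace each placeholder with the
# base64 of the real value, or use `stringData` to supply plain text instead.
data:
  approle_role_id: APPROLE_ID_FROM_VAULT
  approle_role_secret: APPROLE_SECRET_FROM_VAULT
  shared_secret: CHOOSE_A_SECRET_TO_SHARE_WITH_DRONE_RUNNER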