Create your own CI/CD workflow based on Gitea+Drone CI+Vault


Foreword

When I first came to Shenzhen, I took part in a lot of offline meetups on weekends. Probably because I have never worked at a big tech company, and because I have been doing operations and maintenance development (and even some front-end work) ever since I started my internship in my third year in March 2017, I quickly developed a strong interest in DevOps. It feels like a perfect fit for my work.

In the period right after I joined my current company I was so busy that I had no time for even an entry-level attempt at it; all I wrote was a few shell scripts that ran on a schedule.

Recently, @Dee Luo, working largely on his own, has gradually built a complete CI/CD workflow for the company’s front-end projects based on GitLab + Drone CI + Vault, tailored to how the company works.

You can hardly imagine how backward the company’s front-end workflow was before: front-end development -> push to the GitLab repository -> pull on the server -> package. Now, once the front-end code is pushed, packaging and deployment start automatically, which saves labour and is also more reliable than doing it by hand.

Sitting right next to him I had the advantage of proximity and was itching to try it myself. Now the Spring Festival break has finally arrived, and with no new business requests or bugs these past few days, I feel it is time to go big (and step into a few pits of my own making).

Thanks to @Dee Luo for patiently guiding and helping me during his holiday (he can’t see this anyway).

Introduction to the tools

Gitea

Gitea is a community-driven fork of Gogs: a lightweight self-hosted code hosting solution whose back end is written in Go, released under the MIT license.

Gitea’s goal is to provide the easiest, fastest and most painless way to set up your own Git service. Because the back end is written in Go, it builds into a single executable. It is also cross-platform, supporting Linux, macOS and Windows, and besides x86 and AMD64 it runs on architectures such as ARM and PowerPC.

For me, there are a few reasons for choosing it:

  • Nice UI, I like it
  • Low resource usage: it even runs on a cheap Raspberry Pi, which suits a broke guy like me
  • Maintained by an open-source team and very active

Drone

Drone is a continuous delivery system built on container technology. It uses a simple YAML configuration file (a superset of docker-compose) to define pipelines and executes them in Docker containers.

Drone integrates seamlessly with popular source code management systems, including GitHub, GitHub Enterprise, Bitbucket and more.

Vault

Vault is a tool for managing secrets and protecting sensitive data. It comes from HashiCorp; if that name is unfamiliar, you probably know Vagrant, which is from the same company.

Vault is a tool for securely accessing secrets. A secret is anything whose access you want to control tightly, such as API keys, passwords or certificates. Vault provides a unified interface to any secret while enforcing strict access control and recording detailed audit logs.

Modern systems need access to many secrets: database credentials, API keys for external services, credentials for service-to-service communication in a service-oriented architecture, and so on. Knowing who is accessing which secrets is already difficult and platform-specific; without a custom solution, adding key rolling, secure storage and detailed audit logs is almost impossible. This is where Vault comes in.

Key features of Vault include:

  • Secure secret storage: any key/value secret can be stored in Vault. Vault encrypts secrets before writing them to persistent storage, so gaining access to the raw storage is not enough to read your secrets. Vault can write to disk, Consul and other backends.
  • Dynamic secrets: Vault can generate secrets on demand for certain systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault generates an AWS key pair with the required permissions. Once such dynamic secrets are created, Vault also revokes them automatically when their lease expires.
  • Data encryption: Vault can encrypt and decrypt data without storing it. This lets security teams define the encryption parameters while developers store encrypted data in places like SQL without designing their own encryption scheme.
  • Leasing and renewal: every secret in Vault is associated with a lease. At the end of the lease, Vault automatically revokes the secret. Clients can renew leases through the built-in renewal API.
  • Revocation: Vault has built-in support for secret revocation. It can revoke not only individual secrets but also whole trees of secrets, for example all secrets read by a particular user or all secrets of a particular type. Revocation helps with key rolling and locks down the system in the event of an intrusion.
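To make the roles of Drone and Vault in the workflow concrete, here is an added example (not from the original post) of a Drone pipeline for the push -> build -> deploy flow described above, with the deploy credentials read from Vault through Drone's external secrets extension (drone-vault) instead of being stored in Drone or the repository. It assumes Drone 1.x with that extension configured on the server, a Vault KV v2 secret at secret/data/drone/frontend holding the keys ssh_key and host, a server user named deploy and a target directory of /var/www/frontend; all of these names are assumptions.

```yaml
# Added example, not from the original post. Assumed names: Vault KV v2 path
# secret/data/drone/frontend (keys ssh_key, host), user deploy, /var/www/frontend.
kind: pipeline
type: docker
name: frontend

trigger:
  branch:
    - master
  event:
    - push

steps:
  # Build in a throwaway container. No secret is referenced in this step,
  # so build scripts running here cannot read the deploy key.
  - name: build
    image: node:16-alpine
    commands:
      - npm ci
      - npm run build

  # Only the deploy step receives the key, injected at run time. The key is
  # never written into the repository or this file.
  - name: deploy
    image: appleboy/drone-scp
    settings:
      host:
        from_secret: deploy_host
      username: deploy
      key:
        from_secret: deploy_ssh_key
      source: dist/*
      target: /var/www/frontend

---
# External secrets: Drone asks the drone-vault extension for these values on
# every run, so rotating ssh_key in Vault takes effect on the next build and
# the old key can be revoked without touching the pipeline.
kind: secret
name: deploy_ssh_key
get:
  path: secret/data/drone/frontend
  name: ssh_key

---
kind: secret
name: deploy_host
get:
  path: secret/data/drone/frontend
  name: host
```

The Vault token Drone uses should carry a policy that only allows reading that path, so the CI server can fetch deploy credentials but cannot list or modify other secrets.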

Vault UI operation

Vault CLI operation

Series

  • Create your own CI/CD workflow based on Gitea+Drone CI+Vault
  • (1) Drone CI for GitHub: build your own CI/CD workflow
  • Drone CI with Vault as credential storage: build your own CI/CD workflow
  • (3) Lightweight self-hosted Drone CI for Gitea: build your own CI/CD workflow
  • See also: Build your own code hosting platform based on Gitea