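terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.13.1"
    }
  }
}

locals {
  # Selector labels. A Deployment's selector is immutable, so nothing that
  # changes per release (such as the image version) belongs in this set.
  match_labels = merge(
    {
      "app.kubernetes.io/instance" = "drone"
      "app.kubernetes.io/name"     = "drone-runner"
    },
    var.match_labels,
  )

  # Full label set applied to the ServiceAccount, Deployment and Pod template.
  labels = merge(
    local.match_labels,
    { "app.kubernetes.io/version" = var.image_tag },
    var.labels,
  )
}

# Namespace-scoped RBAC for the runner. Secrets get create/delete only — no
# get/list — so the runner cannot read other Secrets in the namespace; Pods
# (and their logs) get the verbs needed to run and observe build pods.
resource "kubernetes_role" "drone" {
  metadata {
    name      = "drone-runner"
    namespace = var.namespace
  }

  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["create", "delete"]
  }

  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "create", "delete", "list", "watch", "update"]
  }
}

resource "kubernetes_service_account" "drone_runner" {
  metadata {
    name      = "drone-runner"
    namespace = var.namespace
    labels    = local.labels
  }
}

# Binds the Role above to the runner's ServiceAccount (Role, not ClusterRole,
# so the grant stays inside var.namespace).
resource "kubernetes_role_binding" "drone" {
  metadata {
    name      = "drone-runner"
    namespace = var.namespace
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.drone_runner.metadata.0.name
    namespace = var.namespace
  }

  role_ref {
    kind      = "Role"
    name      = kubernetes_role.drone.metadata.0.name
    api_group = "rbac.authorization.k8s.io"
  }
}

resource "kubernetes_deployment" "drone_runner" {
  metadata {
    name      = "drone-runner"
    namespace = var.namespace
    labels    = local.labels
  }

  spec {
    replicas = var.drone_runner_replicas

    selector {
      match_labels = local.match_labels
    }

    template {
      metadata {
        labels = local.labels
        annotations = {
          # Forces a rollout whenever the Secret object changes. The hash is
          # taken over the Secret's resource_version rather than its contents:
          # pod annotations are readable by anyone with `get pods` (including
          # this runner's own ServiceAccount), and a digest of the plaintext
          # RPC secret in a known JSON layout would let such a reader guess a
          # weak secret offline.
          "ravianand.me/config-hash" = sha1(kubernetes_secret.drone_runner.metadata.0.resource_version)
        }
      }

      spec {
        service_account_name = kubernetes_service_account.drone_runner.metadata.0.name

        container {
          # Optional registry prefix; with an empty registry the image is
          # "<repository>:<tag>" only.
          image = var.image_registry == "" ? "${var.image_repository}:${var.image_tag}" : "${var.image_registry}/${var.image_repository}:${var.image_tag}"
          name  = "drone-runner"

          # Nothing in this spec needs privilege escalation or added
          # capabilities (the only port is the unprivileged 3000), so both are
          # turned off. run_as_non_root and read_only_root_filesystem are left
          # unset: whether the image runs as a non-root user and writes only to
          # volumes is not established here — confirm against the image before
          # enabling them.
          security_context {
            allow_privilege_escalation = false

            capabilities {
              drop = ["ALL"]
            }
          }

          env {
            name  = "DRONE_RPC_HOST"
            value = var.drone_rpc_host
          }

          env {
            name  = "DRONE_RPC_PROTO"
            value = var.drone_rpc_proto
          }

          env {
            name  = "DRONE_NAMESPACE_DEFAULT"
            value = var.namespace
          }

          # The RPC secret is injected from the Secret object, never as a
          # literal in the pod spec.
          env {
            name = "DRONE_RPC_SECRET"

            value_from {
              secret_key_ref {
                name = kubernetes_secret.drone_runner.metadata.0.name
                key  = "drone-runner-secret"
              }
            }
          }

          port {
            container_port = 3000
            name           = "http"
            protocol       = "TCP"
          }

          resources {
            requests = {
              cpu    = "250m"
              memory = "250Mi"
            }

            limits = {
              cpu    = 2
              memory = "2Gi"
            }
          }
        }
      }
    }
  }
}

# Holds the runner's RPC secret under the key the Deployment reads.
resource "kubernetes_secret" "drone_runner" {
  metadata {
    name      = "drone-runner"
    namespace = var.namespace
  }

  data = {
    "drone-runner-secret" = var.drone_runner_secret
  }
}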