538ea57ed4
Claude Config API (v0.6): - Add CRUD endpoints for commands, skills, and agents - Commands/skills/agents stored in /workspace/.claude/ (per-project, in git) - Credentials shared via PVC at /root/.claude/ (shared across pods) - Use base64 encoding for file writes (prevents shell injection) - Add content size limits (1MB max) Security Hardening: - Add sanitize package for command/prompt validation - Add rate limiting middleware (token bucket algorithm) - Add concurrent command limiting - Add input sanitization to all command handlers - Gitignore secrets.yaml and credentials.yaml - Add *.example templates for secrets Testing Infrastructure: - Add testutil package with mocks and fixtures - Add unit tests for auth package (63% coverage) - Add unit tests for executor (47% coverage) - Add handler integration tests (40% coverage) - Add 100% coverage for sanitize, cmdlimit packages - Add 96% coverage for ratelimit package Infrastructure: - Shared Claude credentials PVC (ReadWriteMany) - Reduced workspace PVC size from 20Gi to 5Gi - Add init container cleanup before git clone - Document Longhorn RWX requirements Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
163 lines
4.5 KiB
YAML
163 lines
4.5 KiB
YAML
# claudebox-pantheon - Claude Code pod for the Pantheon project
|
|
# v0.6 - Shared credentials, project-specific commands/skills/agents in workspace
|
|
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: claudebox-pantheon
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: claudebox-pantheon
|
|
app.kubernetes.io/part-of: rdev
|
|
rdev.orchard9.ai/project: pantheon
|
|
spec:
|
|
serviceName: claudebox-pantheon
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: claudebox-pantheon
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: claudebox-pantheon
|
|
app.kubernetes.io/name: claudebox-pantheon
|
|
app.kubernetes.io/part-of: rdev
|
|
rdev.orchard9.ai/project: pantheon
|
|
spec:
|
|
# Init container clones repo if workspace is empty
|
|
initContainers:
|
|
- name: git-clone
|
|
image: ghcr.io/orchard9/rdev-claudebox:v0.3.0
|
|
command:
|
|
- /bin/bash
|
|
- -c
|
|
- |
|
|
set -e
|
|
|
|
# Setup SSH for GitHub
|
|
mkdir -p /root/.ssh
|
|
cp /ssh-keys/id_ed25519 /root/.ssh/id_ed25519
|
|
chmod 600 /root/.ssh/id_ed25519
|
|
cp /ssh-keys/known_hosts /root/.ssh/known_hosts
|
|
chmod 644 /root/.ssh/known_hosts
|
|
|
|
# Clone or fetch
|
|
if [ ! -d /workspace/.git ]; then
|
|
echo "Cloning pantheon repository..."
|
|
# Remove any existing files (e.g., lost+found from filesystem)
|
|
rm -rf /workspace/* /workspace/.[!.]* 2>/dev/null || true
|
|
git clone git@github.com:orchard9/pantheon.git /workspace
|
|
echo "Clone complete."
|
|
else
|
|
echo "Repository exists, fetching latest..."
|
|
cd /workspace
|
|
git fetch origin
|
|
echo "Fetch complete."
|
|
fi
|
|
|
|
# Show status
|
|
cd /workspace
|
|
git log -1 --oneline
|
|
volumeMounts:
|
|
- name: workspace
|
|
mountPath: /workspace
|
|
- name: ssh-keys
|
|
mountPath: /ssh-keys
|
|
readOnly: true
|
|
|
|
containers:
|
|
- name: claudebox
|
|
image: ghcr.io/orchard9/rdev-claudebox:v0.3.0
|
|
imagePullPolicy: Always
|
|
|
|
resources:
|
|
requests:
|
|
cpu: "500m"
|
|
memory: "1Gi"
|
|
limits:
|
|
cpu: "2"
|
|
memory: "4Gi"
|
|
|
|
volumeMounts:
|
|
# Workspace with cloned repo
|
|
- name: workspace
|
|
mountPath: /workspace
|
|
|
|
# Claude config directory (persistent for auth)
|
|
- name: claude-config
|
|
mountPath: /root/.claude
|
|
|
|
# SSH keys for git operations
|
|
- name: ssh-keys
|
|
mountPath: /root/.ssh
|
|
readOnly: true
|
|
|
|
# Project-specific CLAUDE.md
|
|
- name: project-config
|
|
mountPath: /workspace/CLAUDE.md
|
|
subPath: CLAUDE.md
|
|
|
|
# Simple liveness check - container is running
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /healthcheck.sh
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 60
|
|
|
|
# Readiness - claude CLI is available
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- claude
|
|
- --version
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 30
|
|
timeoutSeconds: 10
|
|
|
|
volumes:
|
|
- name: workspace
|
|
persistentVolumeClaim:
|
|
claimName: claudebox-pantheon-workspace
|
|
|
|
- name: claude-config
|
|
persistentVolumeClaim:
|
|
claimName: claudebox-shared-claude-config
|
|
|
|
- name: ssh-keys
|
|
secret:
|
|
secretName: github-deploy-key-pantheon
|
|
defaultMode: 0600
|
|
items:
|
|
- key: id_ed25519
|
|
path: id_ed25519
|
|
- key: known_hosts
|
|
path: known_hosts
|
|
|
|
- name: project-config
|
|
configMap:
|
|
name: claudebox-pantheon-config
|
|
|
|
# Pull from GitHub Container Registry
|
|
imagePullSecrets:
|
|
- name: ghcr-secret
|
|
---
|
|
# Headless service for StatefulSet
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: claudebox-pantheon
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: claudebox-pantheon
|
|
app.kubernetes.io/part-of: rdev
|
|
rdev.orchard9.ai/project: pantheon
|
|
spec:
|
|
clusterIP: None
|
|
selector:
|
|
app: claudebox-pantheon
|
|
ports:
|
|
- port: 8080
|
|
name: http
|