Claude Config API (v0.6): - Add CRUD endpoints for commands, skills, and agents - Commands/skills/agents stored in /workspace/.claude/ (per-project, in git) - Credentials shared via PVC at /root/.claude/ (shared across pods) - Use base64 encoding for file writes (prevents shell injection) - Add content size limits (1MB max) Security Hardening: - Add sanitize package for command/prompt validation - Add rate limiting middleware (token bucket algorithm) - Add concurrent command limiting - Add input sanitization to all command handlers - Gitignore secrets.yaml and credentials.yaml - Add *.example templates for secrets Testing Infrastructure: - Add testutil package with mocks and fixtures - Add unit tests for auth package (63% coverage) - Add unit tests for executor (47% coverage) - Add handler integration tests (40% coverage) - Add 100% coverage for sanitize, cmdlimit packages - Add 96% coverage for ratelimit package Infrastructure: - Shared Claude credentials PVC (ReadWriteMany) - Reduced workspace PVC size from 20Gi to 5Gi - Add init container cleanup before git clone - Document Longhorn RWX requirements Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
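#!/bin/bash
# Deploy rdev to k3s cluster.
#
# Requires KUBECONFIG to point at the target cluster's kubeconfig. The script
# verifies cluster access, makes sure the ghcr-secret Secret exists in the rdev
# namespace (copying it from apps or default if needed), applies the Kustomize
# base and waits for the claudebox pod to become ready.

# -u catches typos in variable names; pipefail makes a failed `kubectl get`
# at the head of a pipeline fail the whole pipeline instead of being masked by
# the last stage.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"

# Print each argument on its own line to stderr and abort.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Copy ghcr-secret from namespace $1 into rdev.
# Returns 0 on success, 1 if the source secret does not exist, 2 if the copy
# could not be applied.
copy_ghcr_secret() {
  local src_ns=$1

  # Probe first so "source secret missing" can be told apart from "apply
  # failed"; the apply's stderr is left visible so the real cause is shown.
  kubectl get secret ghcr-secret -n "$src_ns" > /dev/null 2>&1 || return 1

  # The secret material only travels over pipes; it is never written to disk
  # or placed on a command line. $src_ns is a literal chosen by this script,
  # so interpolating it into the sed expression is safe here.
  # NOTE(review): the exported YAML still carries server-populated metadata
  # (uid, resourceVersion, ...) from the source object; confirm the target
  # cluster accepts that on apply, or strip those fields.
  kubectl get secret ghcr-secret -n "$src_ns" -o yaml \
    | sed "s/namespace: ${src_ns}/namespace: rdev/" \
    | kubectl apply -f - \
    || return 2
}

# Ensure kubeconfig is set
if [[ -z "${KUBECONFIG:-}" ]]; then
  die "Error: KUBECONFIG not set" \
    "Run: export KUBECONFIG=~/.kube/orchard9-k3sf.yaml"
fi

echo "Deploying rdev to k3s..."
echo "Using kubeconfig: $KUBECONFIG"
# Show which context the kubeconfig currently selects, so a deploy against the
# wrong cluster is noticed before anything is applied.
echo "Using context: $(kubectl config current-context 2> /dev/null || echo unknown)"
echo ""

# Verify cluster access
echo "Verifying cluster access..."
kubectl cluster-info > /dev/null || die "Error: Cannot connect to cluster"

# Note: Claude auth is stored in a PVC, not a secret
# User will authenticate via: kubectl exec -it -n rdev claudebox-0 -- claude
# Credentials kept on a PVC are readable by every pod that mounts the volume,
# so exec and mount access to it should be restricted accordingly.

# Check if ghcr-secret exists in rdev namespace.
# Copying it means everyone who can read Secrets in rdev can read this
# credential, and the copy has to be refreshed by hand when the source rotates.
if ! kubectl get secret ghcr-secret -n rdev > /dev/null 2>&1; then
  echo ""
  echo "Copying ghcr-secret from apps namespace to rdev..."
  copy_status=0
  copy_ghcr_secret apps || copy_status=$?
  case "$copy_status" in
    0) ;;
    1)
      echo "ghcr-secret not found in apps namespace, checking default..."
      ;;
    *)
      echo "Applying ghcr-secret from apps namespace failed, checking default..." >&2
      ;;
  esac
  if [[ "$copy_status" -ne 0 ]]; then
    copy_ghcr_secret default \
      || die "Error: could not copy ghcr-secret into rdev from apps or default"
  fi
fi

# Apply manifests
echo ""
echo "Applying Kustomize manifests..."
kubectl apply -k "$PROJECT_ROOT/deployments/k8s/base"

echo ""
echo "Waiting for claudebox pod to be ready..."
kubectl wait --for=condition=ready pod -l app=claudebox -n rdev --timeout=120s || {
  {
    echo ""
    echo "Pod not ready. Check status with:"
    echo " kubectl get pods -n rdev"
    echo " kubectl describe pod claudebox-0 -n rdev"
    echo " kubectl logs claudebox-0 -n rdev"
  } >&2
  exit 1
}

echo ""
echo "Deployment complete!"
echo ""
echo "Verify with:"
echo " kubectl exec -n rdev claudebox-0 -- claude --version"
echo ""
echo "Test Claude:"
echo " kubectl exec -it -n rdev claudebox-0 -- claude \"say hello\""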