diff --git a/script/deploy b/script/deploy
index 78f965575cce449473195f47fbe5d328afddf4a5..b375329c91fb3f83810291836788391c280509f7 100755
--- a/script/deploy
+++ b/script/deploy
@@ -22,16 +22,16 @@ if [[ ! -f $ENV_FILE ]]; then
 exit 1
 fi
-if [[ -n $(git status --short) ]]; then
- echo "Cannot deploy with uncommited changes"
+if [[ $ZED_KUBE_NAMESPACE == "production" && -n $(git status --short) ]]; then
+ echo "Cannot deploy uncommited changes to production"
 exit 1
 fi
 git_sha=$(git rev-parse HEAD)
-export ZED_IMAGE_ID=registry.digitalocean.com/zed/zed-server:${ZED_KUBE_NAMESPACE}-${git_sha}
+export ZED_IMAGE_ID="registry.digitalocean.com/zed/zed-server:${ZED_KUBE_NAMESPACE}-${git_sha}"
 export $(cat $ENV_FILE)
-docker build . --tag $ZED_IMAGE_ID
-docker push $ZED_IMAGE_ID
+docker build . --tag "$ZED_IMAGE_ID"
+docker push "$ZED_IMAGE_ID"
 envsubst < server/k8s/manifest.template.yml | kubectl apply -f -
diff --git a/script/kube-shell b/script/kube-shell
new file mode 100755
index 0000000000000000000000000000000000000000..9181dc959c41f7c813e09cdf6f6230a08216c14f
--- /dev/null
+++ b/script/kube-shell
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [[ $# < 1 ]]; then
+ echo "Usage: $0 [production|staging|...]"
+ exit 1
+fi
+
+export ZED_KUBE_NAMESPACE=$1
+
+pod=$(kubectl --namespace=${ZED_KUBE_NAMESPACE} get pods --selector=app=zed --output=jsonpath='{.items[*].metadata.name}')
+exec kubectl --namespace $ZED_KUBE_NAMESPACE exec --tty --stdin $pod -- /bin/bash
\ No newline at end of file
diff --git a/server/k8s/manifest.template.yml b/server/k8s/manifest.template.yml
index 02a30232e399cb14ceebf59466fac0950ecf4968..ff9929e98a2beb2da9463c648e6dbefaaef6a06d 100644
--- a/server/k8s/manifest.template.yml
+++ b/server/k8s/manifest.template.yml
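Review bot: With the dirty-tree check now limited to `production`, an image built from uncommitted changes is still tagged `${ZED_KUBE_NAMESPACE}-${git_sha}`, so the tag names a commit that does not match what was built and the pushed image can no longer be traced back to source. Marking such builds keeps the tag honest, for example `if [[ -n $(git status --short) ]]; then git_sha+="-dirty"; fi` right after `git_sha=$(git rev-parse HEAD)`. The guard is also an exact match on the string `production`, so any other namespace value skips it; listing the namespaces that may take dirty builds would fail closed instead. The context line `export $(cat $ENV_FILE)` is still unquoted although the neighbouring expansions were quoted in this commit. Where `ZED_KUBE_NAMESPACE` gets its value is outside the hunk.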
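Review bot: The jsonpath `{.items[*].metadata.name}` returns every matching pod name separated by spaces and `$pod` is expanded unquoted on the `exec` line, so with more than one `app=zed` pod the extra names reach `kubectl exec` as additional arguments, and with none the pod argument is missing altogether. For a script meant to open a shell in production it is safer to pick one pod and fail early: use `{.items[0].metadata.name}`, add `[[ -n $pod ]] || { echo "no zed pod in $ZED_KUBE_NAMESPACE" >&2; exit 1; }`, and quote `"$pod"` and `"$ZED_KUBE_NAMESPACE"` in both kubectl calls. Separately, `[[ $# < 1 ]]` is a string comparison inside `[[ ]]`; `(( $# < 1 ))` states the numeric intent.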
@@ -76,3 +76,8 @@ spec:
 secretKeyRef:
 name: github
 key: privateKey
+ securityContext:
+ capabilities:
+ # FIXME - Switch to the more restrictive `PERFMON` capability.
+ # This capability isn't yet available in a stable version of Debian.
+ add: ["SYS_ADMIN"]
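Review bot: `add: ["SYS_ADMIN"]` grants far more than performance monitoring, since CAP_SYS_ADMIN also covers mount, namespace and many other privileged operations, and as far as this diff shows `script/deploy` renders this one template for every namespace, so production receives it too. Until `PERFMON` is usable, consider narrowing the rest of the set with `drop: ["ALL"]` beside the `add` (if the server needs no other capability) and templating the added capability so it is granted only where profiling is actually done. The FIXME would be easier to act on if it said what requires the capability (presumably perf-style profiling, going by the `PERFMON` reference) and pointed at a tracking issue. The container spec this `securityContext` belongs to starts outside the hunk, so whether it already runs as non-root cannot be seen here.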