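---
# Manifests for the clawdbox SSH workload: ServiceAccount, Deployment,
# Service and PersistentVolumeClaim. Every object is pinned to the
# clawdbox namespace so the Deployment, the ServiceAccount it references
# and the claim it mounts cannot end up in different namespaces.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: claw-sa
  namespace: clawdbox
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clawdbox
  namespace: clawdbox
  labels:
    app: clawdbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: clawdbox
  strategy:
    # Recreate stops the old pod before the new one starts; presumably
    # chosen because the data volume is a ReadWriteOnce claim.
    type: Recreate
  template:
    metadata:
      labels:
        app: clawdbox
    spec:
      serviceAccountName: claw-sa
      # NOTE(review): the claw-sa API token is mounted into the pod by
      # default and is readable from an SSH session. If nothing in the
      # container calls the Kubernetes API, add
      # `automountServiceAccountToken: false` here.
      securityContext:
        # fsGroup is a pod-level field. Under the container securityContext
        # it is rejected by strict validation or silently dropped, leaving
        # the mounted volumes root-owned and unreadable by UID 1000.
        # On OpenShift the SCC bound to claw-sa must permit this value.
        fsGroup: 1000
      containers:
        - name: clawdbox
          # NOTE(review): `latest` with `Always` means each restart may run
          # a different image. Pinning a digest (`...@sha256:<digest>`)
          # makes the deployed content reviewable and reproducible.
          image: image-registry.openshift-image-registry.svc:5000/clawdbox/clawdbox:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 2222
              name: ssh
          volumeMounts:
            - mountPath: /data
              name: data-volume
            # Secret volumes are mounted read-only by the kubelet.
            - mountPath: /home/claw/.ssh
              name: ssh-keys
          resources:
            limits:
              memory: "2Gi"
              cpu: "1000m"
            requests:
              memory: "512Mi"
              cpu: "250m"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            # Makes the kubelet refuse to start the container as UID 0 if
            # runAsUser is ever removed or overridden.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      volumes:
        - name: data-volume
          persistentVolumeClaim:
            claimName: clawdbox-pvc
        - name: ssh-keys
          secret:
            secretName: clawdbox-ssh-keys
            # Octal 0600 (decimal 384). Kubernetes' YAML loader reads the
            # leading zero as octal; JSON or YAML 1.2 tooling needs 384.
            # With fsGroup set the kubelet may add group-read bits, so
            # verify the effective mode if sshd enforces strict key
            # permissions.
            defaultMode: 0600
---
# No `type` is set, so this is a ClusterIP Service: SSH on 2222 is
# reachable only from inside the cluster unless something else exposes it.
apiVersion: v1
kind: Service
metadata:
  name: clawdbox
  namespace: clawdbox
  labels:
    app: clawdbox
spec:
  ports:
    - port: 2222
      targetPort: 2222
      name: ssh
  selector:
    app: clawdbox
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clawdbox-pvc
  namespace: clawdbox
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi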