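---
# Deployment for the clawdbox SSH-accessible work container.
# Reformatted from a whitespace-collapsed manifest; key order follows the original.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clawdbox
  namespace: clawdbox
  labels:
    app: clawdbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: clawdbox
  strategy:
    # Recreate: the old pod is torn down before the new one starts, so two pods
    # never share data-volume during a rollout.
    type: Recreate
  template:
    metadata:
      labels:
        app: clawdbox
    spec:
      serviceAccountName: clawd-sa
      # NOTE(review): the clawd-sa token is auto-mounted in addition to the
      # kubeconfig secret below; if in-cluster API access via the SA is not
      # needed, set automountServiceAccountToken: false here.
      securityContext:
        # Volumes are group-owned by 1000 so the non-root containers can write them.
        fsGroup: 1000
        runAsNonRoot: true
      initContainers:
        - name: setup-ssh
          # Unpinned tag; pin to a digest so the init step is reproducible.
          image: busybox:latest
          # Explicit non-root identity, matching the main container. The busybox
          # image runs as root by default, which the pod-level runAsNonRoot: true
          # rejects at container start; the same uid/gid also keeps the files it
          # creates on the shared volumes owned by the main container's user.
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - sh
            - -c
            - |
              # Fix data volume permissions if needed
              # Note: On some systems this requires root in the init container
              # but often fsGroup handles this.
              mkdir -p /data/ssh && chmod 775 /data
              # Setup writable SSH directory from Secret
              cp /mnt/keys/authorized_keys /working-ssh/
              chmod 600 /working-ssh/authorized_keys
          volumeMounts:
            - name: data-volume
              mountPath: /data
            - name: ssh-keys-secret
              mountPath: /mnt/keys
              readOnly: true
            - name: ssh-working
              mountPath: /working-ssh
      containers:
        - name: clawdbox
          image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest
          # :latest with Always means each restart may pull a different build;
          # pin a tag or digest for auditable rollouts.
          imagePullPolicy: Always
          # CMD is defined in Dockerfile, no need to override unless changing behavior
          ports:
            - containerPort: 2222
              name: ssh
          env:
            - name: TERM
              value: xterm-256color
            - name: DEBIAN_FRONTEND
              value: noninteractive
            - name: TZ
              value: UTC
          # All three probes only check that the ssh port accepts TCP connections.
          startupProbe:
            tcpSocket:
              port: ssh
            # Up to 30 x 5s = 150s for sshd to come up before liveness kicks in.
            failureThreshold: 30
            periodSeconds: 5
          readinessProbe:
            tcpSocket:
              port: ssh
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 2
            failureThreshold: 3
          livenessProbe:
            tcpSocket:
              port: ssh
            initialDelaySeconds: 15
            periodSeconds: 20
            timeoutSeconds: 2
            failureThreshold: 3
          volumeMounts:
            - mountPath: /data
              name: data-volume
            # authorized_keys prepared by the init container (emptyDir, so it
            # does not persist across pod restarts).
            - mountPath: /home/claw/.ssh
              name: ssh-working
            # Cluster credentials: anyone who can SSH into this pod can do
            # whatever this kubeconfig permits. Keep it scoped to the minimum.
            - mountPath: /home/claw/.kube
              name: kubeconfig-secret
              readOnly: true
            - mountPath: /data/scripts
              name: helper-scripts
              readOnly: true
          resources:
            limits:
              memory: "2Gi"
              cpu: "2000m"
            requests:
              memory: "256Mi"
              cpu: "500m"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              # sshd listens on 2222 (unprivileged). NET_BIND_SERVICE is only
              # required if it also binds a port below 1024; drop it otherwise.
              add:
                - NET_BIND_SERVICE
            # NOTE(review): consider seccompProfile: {type: RuntimeDefault} (at
            # pod or container level) to meet the restricted Pod Security profile.
      volumes:
        - name: data-volume
          persistentVolumeClaim:
            claimName: clawdbox-pvc
        - name: ssh-keys-secret
          secret:
            secretName: clawdbox-ssh-keys
        - name: kubeconfig-secret
          secret:
            secretName: kube
        - name: ssh-working
          emptyDir: {}
        - name: helper-scripts
          configMap:
            name: clawdbox-scripts
            # Leading-zero octal: kubectl's YAML 1.1 parser reads 0755 as 493.
            # Use decimal 493 if this manifest is ever fed through a YAML 1.2
            # parser, which would reject or misread the leading zero.
            defaultMode: 0755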