From ec8858ceda4e6746f815fdbf978dd1029a20d783 Mon Sep 17 00:00:00 2001
From: Jeff Moore
Date: Mon, 24 Jun 2019 08:41:55 -0400
Subject: [PATCH] Refactor code to support running on secure environments (namely OpenShift)
---
 deploy/auth.yaml | 8 +++++++-
 deploy/deployment.yaml | 11 +++++------
 deploy/ingress.yaml | 1 +
 deploy/redis-deployment.yaml | 31 ++++++++++++++++++++++++++++---
 deploy/redis-service.yaml | 1 +
 deploy/service.yaml | 1 +
 6 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/deploy/auth.yaml b/deploy/auth.yaml
index 0b35be4..cbac2ad 100644
--- a/deploy/auth.yaml
+++ b/deploy/auth.yaml
@@ -1,8 +1,14 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: kube-ops-view
+ namespace: default
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-ops-view-redis
+ namespace: default
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 8e2203c..e02e8e9 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -5,6 +5,7 @@ metadata:
 application: kube-ops-view
 version: v0.11
 name: kube-ops-view
+ namespace: default
 spec:
 replicas: 1
 selector:
@@ -16,13 +17,12 @@ spec:
 application: kube-ops-view
 version: v0.11
 spec:
- serviceAccount: kube-ops-view
+ serviceAccountName: kube-ops-view
 containers:
 - name: service
 # see https://github.com/hjacobs/kube-ops-view/releases
 image: hjacobs/kube-ops-view:0.11
 args:
- # remove this option to use built-in memory store
 - --redis-url=redis://kube-ops-view-redis:6379
 ports:
 - containerPort: 8080
@@ -35,12 +35,11 @@ spec:
 timeoutSeconds: 1
 resources:
 limits:
+ cpu: 300m
+ memory: 200Mi
+ requests:
 cpu: 200m
 memory: 100Mi
- requests:
- cpu: 50m
- memory: 50Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- runAsUser: 1000
diff --git a/deploy/ingress.yaml b/deploy/ingress.yaml
index bde19af..d430c30 100644
--- a/deploy/ingress.yaml
+++ b/deploy/ingress.yaml
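Review bot: Pinning `namespace: default` in `metadata` makes each manifest refuse to apply into any other namespace (`kubectl apply -n other` fails because the object's namespace no longer matches), which works against the OpenShift goal, where applications normally live in their own project rather than `default`; the same line is added in deploy/deployment.yaml, deploy/ingress.yaml, deploy/redis-deployment.yaml, deploy/redis-service.yaml and deploy/service.yaml. Dropping the `namespace: default` lines and choosing the namespace at apply time keeps the manifests portable; if the pin is kept because a ClusterRoleBinding subject further down presumably names this ServiceAccount with its namespace, a comment recording that coupling would help the next person who moves the deployment. The new `kube-ops-view-redis` ServiceAccount is a good least-privilege split, but redis never talks to the API server, so `automountServiceAccountToken: false` on that ServiceAccount keeps an API token out of the redis container. The ClusterRole and its binding continue outside the hunk.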
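Review bot: Removing `runAsUser: 1000` while keeping `runAsNonRoot: true` makes the pod depend on something outside the manifest to prove it is non-root: on OpenShift the restricted SCC injects a project-range UID, but on a plain Kubernetes cluster the kubelet only starts the container if `hjacobs/kube-ops-view:0.11` declares a numeric `USER`, and otherwise reports CreateContainerConfigError. Worth confirming the image's USER and recording the intent next to the securityContext with `# no runAsUser: OpenShift SCCs assign the UID; elsewhere the image's numeric non-root USER must satisfy runAsNonRoot`. The `serviceAccount` to `serviceAccountName` switch is right, since `serviceAccount` is the deprecated spelling. Raising `requests` from 50m/50Mi to 200m/100Mi quadruples the CPU reservation with no stated reason; a one-line comment on what drove the new numbers would help. The container whose resources and securityContext change starts outside the hunk.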
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: kube-ops-view
+ namespace: default
 spec:
 rules:
 - host: "kube-ops-view.example.org"
diff --git a/deploy/redis-deployment.yaml b/deploy/redis-deployment.yaml
index c33fd40..9108e8b 100644
--- a/deploy/redis-deployment.yaml
+++ b/deploy/redis-deployment.yaml
@@ -5,6 +5,7 @@ metadata:
 application: kube-ops-view-redis
 version: v0.0.1
 name: kube-ops-view-redis
+ namespace: default
 spec:
 replicas: 1
 selector:
@@ -16,9 +17,25 @@ spec:
 application: kube-ops-view-redis
 version: v0.0.1
 spec:
+ # Test
+ serviceAccountName: kube-ops-view-redis
+ # Since there are read-only filesystems, important data is copied to an
+ # emptyDir via an initContainer to avoid read-only errors
+ initContainers:
+ - name: copy-files-to-vol
+ image: bitnami/redis:5.0.5
+ command: ["sh", "-c", "[ \"$(ls -A /mnt/data)\" ] || (cp -R /opt/bitnami/redis/* /mnt/data/ && exit 0)"]
+ volumeMounts:
+ - name: bitnami-fs
+ mountPath: /mnt/data
 containers:
 - name: redis
- image: redis:5-alpine
+ # bitnami/redis is chosen over library/redis so support out-of-the-box
+ # rootless containers
+ image: bitnami/redis:5.0.5
+ env:
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
 ports:
 - containerPort: 6379
 protocol: TCP
@@ -32,8 +49,16 @@ spec:
 requests:
 cpu: 50m
 memory: 50Mi
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-bitnami-data
+ - mountPath: /opt/bitnami/redis
+ name: bitnami-fs
 securityContext:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- # we need to use the "redis" uid
- runAsUser: 100
+ volumes:
+ - name: redis-bitnami-data
+ emptyDir: {}
+ - name: bitnami-fs
+ emptyDir: {}
diff --git a/deploy/redis-service.yaml b/deploy/redis-service.yaml
index f25c7bf..143cd52 100644
--- a/deploy/redis-service.yaml
+++ b/deploy/redis-service.yaml
@@ -4,6 +4,7 @@ metadata:
 labels:
 application: kube-ops-view-redis
 name: kube-ops-view-redis
+ namespace: default
 spec:
 selector:
 application: kube-ops-view-redis
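Review bot: The `# Test` comment above `serviceAccountName: kube-ops-view-redis` reads as leftover scaffolding; it should state the reason instead, e.g. `# own ServiceAccount so the redis pod can be bound to its own policy (SCC on OpenShift) independently of kube-ops-view`. The `copy-files-to-vol` initContainer runs without the `securityContext` and `resources` the main container carries, so the pod's policy is not uniform; adding `securityContext:` with `readOnlyRootFilesystem: true` and `runAsNonRoot: true` to it costs three lines (its only write target is the `/mnt/data` mount). The `[ "$(ls -A /mnt/data)" ]` guard is always false on a fresh pod because `bitnami-fs` is an emptyDir; if its purpose is to skip the copy when the init container is re-run inside the same pod lifetime, a comment saying so would keep the next reader from deleting it as dead code. `ALLOW_EMPTY_PASSWORD: "yes"` preserves the unauthenticated access the previous `redis:5-alpine` container already had rather than adding exposure, and a comment noting that, plus that any pod able to reach the ClusterIP service can read and write the store, would make the trade-off explicit. The comment `so support out-of-the-box` should read `to support out-of-the-box`.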
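Review bot: Mounting the `bitnami-fs` emptyDir over `/opt/bitnami/redis` places the redis binaries and entrypoint scripts on a writable volume, so `readOnlyRootFilesystem: true` no longer covers them and a compromised redis process could modify its own executables in place. If the entrypoint only writes to a few subdirectories (likely the image's `etc/` and `tmp/` under `/opt/bitnami/redis`, to be confirmed against the image), mounting emptyDirs on just those paths keeps the binaries read-only; otherwise a comment such as `# /opt/bitnami/redis is writable here: readOnlyRootFilesystem does not cover this mount` should record the trade-off. Removing `runAsUser: 100` leaves `runAsNonRoot: true` relying on the bitnami image's numeric USER on non-OpenShift clusters, the same point as in deploy/deployment.yaml. Both emptyDirs also mean redis contents do not survive a pod restart, which matches the previous volume-less setup but is worth a one-line comment on `redis-bitnami-data`.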
diff --git a/deploy/service.yaml b/deploy/service.yaml
index 68ffed4..063ba78 100644
--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -4,6 +4,7 @@ metadata:
 labels:
 application: kube-ops-view
 name: kube-ops-view
+ namespace: default
 spec:
 selector:
 application: kube-ops-view