apiVersion: batch/v1
kind: CronJob
metadata:
  name: restic-prune
  labels:
    app.kubernetes.io/name: restic-prune
    app.kubernetes.io/component: restic
spec:
  schedule: 38 9 * * 5
  timeZone: America/Chicago
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels: &labels
        app.kubernetes.io/name: restic-prune
        app.kubernetes.io/component: restic
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
          - name: restic-prune
            image: ghcr.io/restic/restic
            args:
            - forget
            - --keep-daily=14
            - --keep-weekly=4
            - --keep-monthly=12
            env:
            - name: XDG_CACHE_HOME
              value: /var/cache
            envFrom:
            - configMapRef:
                name: restic-env
            securityContext:
              readOnlyRootFilesystem: true
            volumeMounts:
            - mountPath: /run/secrets/restic
              name: secrets
              readOnly: true
            - mountPath: /var/cache
              name: cache
            - mountPath: /tmp
              name: tmp
          securityContext:
            runAsUser: 32142
            runAsGroup: 32142
            fsGroup: 32142
            runAsNonRoot: true
          volumes:
          - name: cache
            emptyDir: {}
          - name: secrets
            secret:
              secretName: restic-secrets
          - name: tmp
            emptyDir:
              medium: Memory