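---
# Deployment for restic-exporter: a single container that serves metrics on
# port 8001 and reads the restic repository password from a mounted Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: restic-exporter
  labels:
    app.kubernetes.io/name: restic-exporter
    app.kubernetes.io/component: restic-exporter
    app.kubernetes.io/part-of: restic-exporter
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: restic-exporter
      app.kubernetes.io/component: restic-exporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: restic-exporter
        app.kubernetes.io/component: restic-exporter
        app.kubernetes.io/part-of: restic-exporter
    spec:
      # NOTE(review): nothing in this manifest shows the exporter calling the
      # Kubernetes API. If it does not, set `automountServiceAccountToken:
      # false` so no API token is mounted next to the repository password.
      containers:
        - name: restic-exporter
          # NOTE(review): no tag or digest, so this resolves to `latest` and
          # the running code can change on any pod restart. Pin it as
          # `...restic-exporter@sha256:<DIGEST_PLACEHOLDER>` once a reviewed
          # build is chosen.
          image: git.pyrocufflink.net/containerimages/restic-exporter
          ports:
            - containerPort: 8001
              name: metrics
          envFrom:
            # optional: true lets the pod start even when the ConfigMap is
            # missing. Presumably it carries the repository settings; confirm
            # the exporter fails loudly rather than running unconfigured.
            - configMapRef:
                name: restic-exporter
                optional: true
          env:
            # The password is passed as a file path, not as an env value, so
            # it does not appear in the pod spec or the process environment.
            # Assumes the Secret has a key named `password` - TODO confirm.
            - name: RESTIC_PASSWORD_FILE
              value: /run/secrets/restic/password
            # Redirects the cache to the writable emptyDir mount below; the
            # root filesystem is read-only.
            - name: XDG_CACHE_HOME
              value: /var/cache
          securityContext:
            readOnlyRootFilesystem: true
            # The process runs as UID 8001 and listens on an unprivileged
            # port, so it needs no capabilities and no setuid escalation.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no resource requests/limits are set; add them once
          # the exporter's memory use against the repository is known.
          volumeMounts:
            - mountPath: /run/secrets/restic
              name: secrets
              readOnly: true
            # /tmp and /var/cache share one emptyDir through separate
            # subPaths.
            - mountPath: /tmp
              name: tmp
              subPath: tmp
            - mountPath: /var/cache
              name: tmp
              subPath: cache
      securityContext:
        # fsGroup makes the mounted volumes group-accessible to GID 8001.
        fsGroup: 8001
        runAsGroup: 8001
        runAsNonRoot: true
        runAsUser: 8001
        # Apply the container runtime's default syscall filter to every
        # container in the pod.
        seccompProfile:
          type: RuntimeDefault
      volumes:
        # Secret files default to a world-readable mode inside the pod;
        # consider a tighter `defaultMode`, since fsGroup already grants
        # GID 8001 access.
        - name: secrets
          secret:
            secretName: restic-exporter
        # NOTE(review): unbounded scratch space on the node; consider a
        # `sizeLimit` so the cache cannot exhaust node disk.
        - name: tmp
          emptyDir: {}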