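# services/finance/firefly-user-sync-cronjob.yaml
#
# CronJob that runs /scripts/firefly_user_sync.php inside the Firefly III
# image. Database credentials and APP_KEY are rendered into /vault/secrets by
# the Vault agent injector and sourced by the container's shell before PHP
# starts.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: firefly-user-sync
  namespace: finance
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  schedule: "0 6 * * *"
  # Suspended: the controller creates no Jobs from the schedule until this is
  # set to false. Jobs created by hand from this template still run.
  suspend: true
  # Never run two syncs against the same database at once.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # One attempt only; together with restartPolicy: Never a failed sync is
      # not retried and stays visible in the failed-job history.
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Init container only: secrets are rendered once before the main
            # container starts and no agent sidecar stays running.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            # NOTE(review): confirm the Vault role "finance" is bound only to
            # the finance-vault service account in this namespace and that its
            # policy is read-only on the two KV paths used below.
            vault.hashicorp.com/role: "finance"
            # firefly-env.sh is sourced by /bin/sh in the container. The
            # DB_HOST/DB_PORT/DB_DATABASE/DB_USERNAME values are templated
            # straight into double-quoted shell strings, so the shell
            # evaluates whatever is stored in Vault for those fields; write
            # access to kv/data/atlas/finance/firefly-db is therefore
            # equivalent to running commands in this job. DB_PASSWORD and
            # APP_KEY are read from their own files with $(cat ...), whose
            # output the shell does not re-expand.
            vault.hashicorp.com/agent-inject-secret-firefly-env.sh: "kv/data/atlas/finance/firefly-db"
            vault.hashicorp.com/agent-inject-template-firefly-env.sh: |
              {{ with secret "kv/data/atlas/finance/firefly-db" }}
              export DB_CONNECTION="pgsql"
              export DB_HOST="{{ .Data.data.DB_HOST }}"
              export DB_PORT="{{ .Data.data.DB_PORT }}"
              export DB_DATABASE="{{ .Data.data.DB_DATABASE }}"
              export DB_USERNAME="{{ .Data.data.DB_USERNAME }}"
              export DB_PASSWORD="$(cat /vault/secrets/firefly-db-password)"
              {{ end }}
              {{ with secret "kv/data/atlas/finance/firefly-secrets" }}
              export APP_KEY="$(cat /vault/secrets/firefly-app-key)"
              {{ end }}
            # Raw password file; the trim markers ({{- -}}) keep surrounding
            # whitespace out of the rendered value.
            vault.hashicorp.com/agent-inject-secret-firefly-db-password: "kv/data/atlas/finance/firefly-db"
            vault.hashicorp.com/agent-inject-template-firefly-db-password: |
              {{- with secret "kv/data/atlas/finance/firefly-db" -}}
              {{ .Data.data.DB_PASSWORD }}
              {{- end -}}
            # Raw APP_KEY file, rendered the same way as the password.
            vault.hashicorp.com/agent-inject-secret-firefly-app-key: "kv/data/atlas/finance/firefly-secrets"
            vault.hashicorp.com/agent-inject-template-firefly-app-key: |
              {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
              {{ .Data.data.APP_KEY }}
              {{- end -}}
        spec:
          # The Vault agent authenticates with this service account's token.
          serviceAccountName: finance-vault
          restartPolicy: Never
          affinity:
            nodeAffinity:
              # Soft preference: rpi5 nodes first, then rpi4.
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          # Hard requirement: arm64 worker nodes only.
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: sync
              # NOTE(review): the tag is mutable. Pinning by digest
              # (fireflyiii/core@sha256:<digest>) fixes exactly which image
              # receives the database credentials.
              image: fireflyiii/core:version-6.4.15
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  . /vault/secrets/firefly-env.sh
                  exec php /scripts/firefly_user_sync.php
              env:
                - name: APP_ENV
                  value: production
                - name: APP_DEBUG
                  value: "false"
                - name: TZ
                  value: Etc/UTC
              # This container holds finance database credentials; deny
              # privilege gain through setuid/setgid binaries.
              # NOTE(review): runAsNonRoot: true and capabilities.drop:
              # ["ALL"] are worth adding once the image's runtime user has
              # been confirmed.
              securityContext:
                allowPrivilegeEscalation: false
              volumeMounts:
                - name: firefly-user-sync-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: firefly-user-sync-script
              configMap:
                name: firefly-user-sync-script
                # Octal r-xr-xr-x (decimal 365 in JSON form): the script is
                # readable and executable but not writable in the pod.
                defaultMode: 0555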