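# services/finance/firefly-cronjob.yaml
#
# Nightly trigger for Firefly III's cron endpoint. A throw-away curl pod reads
# the static cron token that the Vault agent rendered to a file and calls
# /api/v1/cron/<token> on the in-cluster Firefly service.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: firefly-cron
  namespace: finance
spec:
  # Once a day at 03:00, in the time zone of the kube-controller-manager.
  schedule: "0 3 * * *"
  # Never overlap runs. A run that is still active makes the next one skip,
  # which is why the Job and the request below are both time-bounded.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      # Upper bound for the whole Job (image pull, Vault init container, curl,
      # retry). Starting value; tune to how long the cron endpoint really takes.
      activeDeadlineSeconds: 900
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Init container only: an agent sidecar would keep running and the
            # Job would never reach Completed.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "finance"
            vault.hashicorp.com/agent-inject-secret-firefly-cron-token: "kv/data/atlas/finance/firefly-secrets"
            # Render only the token, with all surrounding whitespace trimmed,
            # to /vault/secrets/firefly-cron-token (KV v2 layout: .Data.data).
            vault.hashicorp.com/agent-inject-template-firefly-cron-token: |
              {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
              {{ .Data.data.STATIC_CRON_TOKEN }}
              {{- end -}}
        spec:
          # The Vault agent authenticates with this service account's token, so
          # token automount must stay enabled for this pod.
          serviceAccountName: finance-vault
          restartPolicy: Never
          affinity:
            nodeAffinity:
              # Soft preference only: rpi5 first, then rpi4, otherwise any node
              # that satisfies the nodeSelector below.
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: cron
              # Tags are mutable and this name has no registry prefix; pinning
              # by digest removes the dependency on what the tag points to.
              image: curlimages/curl:8.5.0
              # The container only reads one file and makes one HTTP request,
              # so it needs no capabilities and no writable root filesystem.
              # NOTE(review): runAsNonRoot is left unset because it needs a
              # numeric runAsUser that matches the image's user - confirm the
              # UID before adding it.
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
                seccompProfile:
                  type: RuntimeDefault
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  # No `set -x`: tracing would print the token into the pod log.
                  token="$(cat /vault/secrets/firefly-cron-token)"
                  if [ -z "${token}" ]; then
                    echo "firefly cron token file is empty" >&2
                    exit 1
                  fi
                  # The token is a URL path segment: it crosses the cluster
                  # network over plain HTTP, shows up in this process's argv,
                  # and is presumably recorded by anything that logs request
                  # paths, so treat those logs as sensitive.
                  # The timeouts stop a stalled request from blocking later runs.
                  curl -fsS --connect-timeout 10 --max-time 300 \
                    "http://firefly.finance.svc.cluster.local/api/v1/cron/${token}"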