# services/mailu/mailu-sync-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: mailu-sync-2
  namespace: mailu-mailserver
spec:
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: mailu-vault-sync
      containers:
        - name: mailu-sync
          image: python:3.11-alpine
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              . /vault/scripts/mailu_vault_env.sh
              pip install --no-cache-dir requests psycopg2-binary passlib >/tmp/pip.log \
                && python /app/sync.py
          env:
            - name: KEYCLOAK_BASE_URL
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            - name: MAILU_DOMAIN
              value: bstein.dev
            - name: MAILU_DEFAULT_QUOTA
              value: "20000000000"
            - name: MAILU_DB_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: MAILU_DB_PORT
              value: "5432"
          volumeMounts:
            - name: sync-script
              mountPath: /app/sync.py
              subPath: sync.py
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 256Mi
      volumes:
        - name: sync-script
          configMap:
            name: mailu-sync-script
            defaultMode: 0444
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: mailu-vault
        - name: vault-scripts
          configMap:
            name: mailu-vault-env
            defaultMode: 0555