apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup
spec:
  schedule: "42 */6 * * *"
  concurrencyPolicy: Replace
  jobTemplate:
    spec:
      completions: 10
      parallelism: 3
      completionMode: Indexed
      ttlSecondsAfterFinished: 300
      backoffLimitPerIndex: 3
      template:
        spec:
          containers:
          - name: rclone
            image: rclone
            command: ["/bin/ash", "-c"]
            args:
            - |
              for bucket in $(cat /config/backup/buckets | head -n $JOB_COMPLETION_INDEX | tail -n 1);
              do
                  if [ -z "$bucket" ]; then exit 0; fi
                  echo "Syncing bucket $bucket";
                  rclone sync -P \
                    --update \
                    --checksum \
                    --no-traverse \
                    --no-update-modtime \
                    --no-update-dir-modtime \
                    --ignore-errors \
                    -v \
                    "garage:$bucket" "storagebox:garage/$bucket/";
              done
            volumeMounts:
            - name: rclone-config
              mountPath: /config/rclone
            - name: backup-config
              mountPath: /config/backup
            securityContext:
              capabilities:
                drop:
                  - ALL
              readOnlyRootFilesystem: true
          restartPolicy: Never
          volumes:
            - name: rclone-config
              secret:
                secretName: rclone-backup-config
                defaultMode: 420
            - name: backup-config
              configMap:
                name: backup-config
                defaultMode: 420
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
            runAsNonRoot: true