jenkins: Add CronJob for updatecheck

`updatecheck` is a little utility I wrote that queries Fedora Bodhi for
updates and sends an HTTP request when one is found.  I am specifically
going to use it to trigger rebuilding the _gasket-driver_ RPM whenever
there is a new _kernel_ published.

jenkins/kustomization.yaml

@@ -11,6 +11,18 @@ resources:
 - iscsi.yaml
 - ssh-host-keys
 - workspace-volume.yaml
+- updatecheck.yaml
+
+configMapGenerator:
+- name: updatecheck
+  namespace: jenkins
+  files:
+  - config.toml=updatecheck.toml
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: updatecheck
+      app.kubernetes.io/component: updatecheck
 
 patches:
 - patch: |
@@ -23,6 +35,15 @@ patches:
       volumeName: jenkins
       storageClassName: ''
 
+- patch: |
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: updatecheck
+      namespace: jenkins
+    spec:
+      storageClassName: synology-iscsi
+
 images:
 - name: docker.io/jenkins/jenkins
   newTag: 2.528.2-lts

jenkins/updatecheck.toml

@@ -0,0 +1,13 @@
+[storage]
+dir = "/var/lib/updatecheck"
+
+[[watch]]
+packages = "kernel"
+
+[watch.on_update]
+url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke"
+coalesce = true
+
+[[watch.on_update.headers]]
+name = 'Token'
+value_file = '/run/secrets/updatecheck/token'

jenkins/updatecheck.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: updatecheck
+  namespace: jenkins
+  labels:
+    app.kubernetes.io/name: updatecheck
+    app.kubernetes.io/component: updatecheck
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 300Mi
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: updatecheck
+  namespace: jenkins
+  labels: &labels
+    app.kubernetes.io/name: updatecheck
+    app.kubernetes.io/component: updatecheck
+spec:
+  schedule: >-
+    22 */4 * * *
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels: *labels
+    spec:
+      template:
+        metadata:
+          labels: *labels
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: updatecheck
+            image: git.pyrocufflink.net/infra/updatecheck
+            args:
+            - /etc/updatecheck/config.toml
+            env:
+            - name: RUST_LOG
+              value: updatecheck=debug,info
+            securityContext:
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /etc/updatecheck
+              name: config
+            - mountPath: /run/secrets/updatecheck
+              name: secrets
+              readOnly: true
+            - mountPath: /var/lib/updatecheck
+              name: data
+          securityContext:
+            runAsUser: 21470
+            runAsGroup: 21470
+            fsGroup: 21470
+            runAsNonRoot: true
+          volumes:
+          - name: config
+            configMap:
+              name: updatecheck
+          - name: data
+            persistentVolumeClaim:
+              claimName: updatecheck
+          - name: secrets
+            secret:
+              secretName: webhook-trigger
+              items:
+              - key: text
+                path: token
+                mode: 0440