kubernetes/jenkins/updatecheck.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: updatecheck
  namespace: jenkins
  labels:
    app.kubernetes.io/name: updatecheck
    app.kubernetes.io/component: updatecheck
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 300Mi

---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: updatecheck
  namespace: jenkins
  labels: &labels
    app.kubernetes.io/name: updatecheck
    app.kubernetes.io/component: updatecheck
spec:
  schedule: >-
    22 */4 * * *
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels: *labels
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
          - name: updatecheck
            image: git.pyrocufflink.net/infra/updatecheck
            args:
            - /etc/updatecheck/config.toml
            env:
            - name: RUST_LOG
              value: updatecheck=debug,info
            securityContext:
              readOnlyRootFilesystem: true
            volumeMounts:
            - mountPath: /etc/updatecheck
              name: config
            - mountPath: /run/secrets/updatecheck
              name: secrets
              readOnly: true
            - mountPath: /var/lib/updatecheck
              name: data
          securityContext:
            runAsUser: 21470
            runAsGroup: 21470
            fsGroup: 21470
            runAsNonRoot: true
          volumes:
          - name: config
            configMap:
              name: updatecheck
          - name: data
            persistentVolumeClaim:
              claimName: updatecheck
          - name: secrets
            secret:
              secretName: webhook-trigger
              items:
              - key: text
                path: token
                mode: 0440