apiVersion: batch/v1
kind: CronJob
metadata:
  name: niks3-gc
  namespace: niks3
  labels:
    app: niks3-gc
spec:
  # Daily at 03:00. niks3 gc asks the server to drop closures older than
  # --older-than and clean up stale failed uploads; the server performs the
  # actual S3 deletions, so this job only needs to reach the in-cluster API.
  schedule: "0 3 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        metadata:
          # NOT app: niks3 — that label is the Service selector and would route
          # cache traffic to this job. Its egress is governed by allow-gc-egress.
          labels:
            app: niks3-gc
        spec:
          restartPolicy: Never
          containers:
            - name: gc
              image: ghcr.io/mic92/niks3:v1.6.1
              # Image entrypoint is /bin/niks3-server; override with the client.
              command: ["/bin/niks3", "gc"]
              args:
                - --server-url=http://niks3:5751
                - --auth-token-path=/secrets/api-token
                - --older-than=720h
              volumeMounts:
                - name: server
                  mountPath: /secrets
                  readOnly: true
              resources:
                requests:
                  cpu: 10m
                  memory: 32Mi
                limits:
                  memory: 128Mi
          volumes:
            - name: server
              secret:
                secretName: server