apiVersion: batch/v1
kind: CronJob
metadata:
  name: sync-dataprotection-keys
  namespace: redis
spec:
  schedule: "0 12 14 * *" # at noon the 14th of every month
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: sync
            image: redis
            command: [ "/bin/sh", "/script/sync.sh" ]
            env:
            - name: PROD_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: prod-redis
                  key: redis-password
            - name: STAGING_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: staging-redis
                  key: redis-password
            volumeMounts:
            - name: script
              mountPath: /script
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              readOnlyRootFilesystem: false
              runAsGroup: 0
              runAsNonRoot: true
              runAsUser: 1001
              seccompProfile:
                type: RuntimeDefault
          securityContext:
            fsGroup: 1001
            fsGroupChangePolicy: Always
          volumes:
            - name: script
              configMap:
                name: sync-dataprotection-keys-script
                defaultMode: 0500
          restartPolicy: Never
      backoffLimit: 4
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sync-dataprotection-keys-script
  namespace: redis
data:
  sync.sh: |-
    #!/bin/sh
    redis-cli -h prod-redis-master -a $PROD_REDIS_PASSWORD -D "" --raw dump DataProtection-Keys |\
    redis-cli -h staging-redis-master -a $STAGING_REDIS_PASSWORD -X keys restore DataProtection-Keys 0 keys replace