# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scorecard-batch-controller
rules:
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments"]
    resourceNames: ["scorecard-batch-worker"]
    verbs: ["get", "patch"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scorecard-batch-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scorecard-batch-controller
subjects:
  - kind: ServiceAccount
    name: default
---

apiVersion: batch/v1
kind: CronJob
metadata:
  name: scorecard-batch-controller
spec:
  # At 02:00UTC on Monday.
  schedule: "0 2 * * 1"
  concurrencyPolicy: "Forbid"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: controller
            image: gcr.io/openssf/scorecard-batch-controller:stable
            args: ["cron/data/projects.csv"]
            imagePullPolicy: Always
            resources:
              limits:
                memory: 1Gi
              requests:
                memory: 1Gi
          - name: worker-update
            image: bitnami/kubectl@sha256:44468c0f5b348e6dcf5e11feb6fdcc969c874bba2856150fe50eb1aacb3bdfee
            command:
              - "kubectl"
              - "rollout"
              - "restart"
              - "deployment/scorecard-batch-worker"