apiVersion: batch/v1
kind: CronJob
metadata:
  name: server-cron
  labels:
    app.kubernetes.io/name: nextcloud
    app.kubernetes.io/component: cron
spec:
  schedule: "*/5 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
        app.kubernetes.io/component: cron
    spec:
      backoffLimit: 0 # no retry
      template:
        metadata:
          labels:
            app.kubernetes.io/name: nextcloud
            app.kubernetes.io/component: cron
        spec:
          restartPolicy: Never
          serviceAccountName: server-cron
          containers:
          - name: kubectl
            image: bitnami/kubectl
            imagePullPolicy: IfNotPresent
            command: ["/bin/bash"]
            args:
              - -xc
              - kubectl exec "$(kubectl get pods -l 'app.kubernetes.io/component=server' -o name)" -- /bin/bash -c '( if ! which sudo &>/dev/null; then apt update && apt install sudo; fi ) && sudo -u www-data php -f /var/www/html/cron.php'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: server-cron
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-list-exec
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: server-cron
subjects:
- kind: ServiceAccount
  name: server-cron
roleRef:
  kind: Role
  name: pod-list-exec
  apiGroup: rbac.authorization.k8s.io