Add replay-mounter daemonset

Author: Brutus5000

.gitignore

@@ -11,4 +11,7 @@ spicy-secrets/**
 
 tilt_config.json
 .local-data/
-.helm-cache/
+.helm-cache/
+
+# Script related stuff
+**/.gradle

README.MD

@@ -52,13 +52,14 @@ kubectl apply -f app-set-test.yaml
 
 Many apps will fail to start, because the lack the secrets that will be generated by infisical. But infiscal needs be setup too.
 We use the cloud edition, but there is also a self hosted one we do not cover here.
-For our stack you need to create a service token in the web ui and add this as a secret in all affected namespaces:
+For our stack you need to create a machine identity in the web ui and add its credentials as a secret in all affected namespaces:
 
 ```sh
-for namespace in "faf-apps faf-ops argocd"; do
-kubectl create secret generic "infisical-service-token" \
+for namespace in faf-apps faf-ops argocd replay-mounter; do
+  kubectl create secret generic infisical-machine-identity \
     -n "$namespace" \
-    --from-literal=infisicalToken=<your-token-here>
+    --from-literal=clientId=<your-client-id-here> \
+    --from-literal=clientSecret=<your-client-secret-here>
 done
 ```
 

cluster/namespaces.yaml

@@ -19,4 +19,10 @@ metadata:
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: traefik
+  name: traefik
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: replay-mounter

cluster/replay-mounter/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: replay-mounter
+version: 1.0.0
+description: CIFS/SMB mount watchdog for the faf-replays hostPath PV
+
+dependencies:
+  - name: infisical-secret
+    version: 1.0.0
+    repository: file://../../common/infisical-secret

cluster/replay-mounter/templates/daemonset.yaml

@@ -0,0 +1,88 @@
+{{- if .Values.cifsMount.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: replay-mounter
+  namespace: replay-mounter
+spec:
+  selector:
+    matchLabels:
+      app: replay-mounter
+  template:
+    metadata:
+      labels:
+        app: replay-mounter
+    spec:
+      nodeSelector:
+        openebs.io/nodeid: {{ .Values.zfs.nodeId }}
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: replay-mounter
+        image: {{ .Values.cifsMount.image }}
+        securityContext:
+          privileged: true
+        env:
+        - name: CIFS_SERVER
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_SERVER
+        - name: CIFS_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_USERNAME
+        - name: CIFS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_PASSWORD
+        - name: MOUNT_TARGET
+          value: "{{ .Values.cifsMount.mountPath }}"
+        volumeMounts:
+        - name: host-base
+          mountPath: "{{ .Values.cifsMount.hostBasePath }}"
+          mountPropagation: Bidirectional
+        command:
+        - /bin/sh
+        - -c
+        - |
+          apk add --no-cache cifs-utils
+
+          cleanup() {
+            umount "$MOUNT_TARGET" 2>/dev/null || \
+            umount -l "$MOUNT_TARGET" 2>/dev/null || true
+            exit 0
+          }
+          trap cleanup TERM INT
+
+          mount_cifs() {
+            mkdir -p "$MOUNT_TARGET"
+            mount -t cifs "$CIFS_SERVER" "$MOUNT_TARGET" \
+              -o "username=$CIFS_USERNAME,password=$CIFS_PASSWORD,{{ .Values.cifsMount.mountOptions }}"
+          }
+
+          is_alive() { timeout 5 ls "$MOUNT_TARGET" > /dev/null 2>&1; }
+
+          # Skip if already mounted and reachable (handles pod restarts)
+          if ! is_alive; then
+            umount -l "$MOUNT_TARGET" 2>/dev/null || true
+            until mount_cifs; do echo "Mount failed, retrying in 10s..."; sleep 10; done
+          fi
+
+          # Watchdog
+          while true; do
+            sleep 30 &
+            wait $!
+            if ! is_alive; then
+              echo "Mount lost, remounting..."
+              umount -l "$MOUNT_TARGET" 2>/dev/null || true
+              mount_cifs || true
+            fi
+          done
+      volumes:
+      - name: host-base
+        hostPath:
+          path: "{{ .Values.cifsMount.hostBasePath }}"
+          type: Directory
+{{- end }}

cluster/replay-mounter/values-prod.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values-test.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values.yaml

@@ -0,0 +1,14 @@
+cifsMount:
+  enabled: false
+  mountPath: "/opt/faf/data/replays-old"
+  hostBasePath: "/opt/faf/data"    # parent dir shared via Bidirectional propagation
+  credentialsSecret: "cifs-credentials"
+  mountOptions: "ro,vers=3.0,uid=1000,gid=1000,file_mode=0644,dir_mode=0755"
+  image: "alpine:3.21"
+
+# zfs.nodeId injected from config/prod.yaml
+# infisical-secret.enabled injected from config/prod.yaml
+infisical-secret:
+  name: cifs-credentials
+  secretNamespace: replay-mounter   # namespace where infisical-machine-identity lives
+  overrideSecretPath: "/replay-mounter"