Add replay-mounter daemonset

Author: Brutus5000

.gitignore

@@ -11,4 +11,7 @@ spicy-secrets/**
 
 tilt_config.json
 .local-data/
-.helm-cache/
+.helm-cache/
+
+# Script related stuff
+**/.gradle

cluster/namespaces.yaml

@@ -19,4 +19,10 @@ metadata:
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: traefik
+  name: traefik
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: replay-mounter

cluster/replay-mounter/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: replay-mounter
+version: 1.0.0
+description: CIFS/SMB mount watchdog for the faf-replays hostPath PV
+
+dependencies:
+  - name: infisical-secret
+    version: 1.0.0
+    repository: file://../../common/infisical-secret

cluster/replay-mounter/templates/daemonset.yaml

@@ -0,0 +1,78 @@
+{{- if .Values.cifsMount.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: replay-mounter
+  namespace: replay-mounter
+spec:
+  selector:
+    matchLabels:
+      app: replay-mounter
+  template:
+    metadata:
+      labels:
+        app: replay-mounter
+    spec:
+      hostPID: true
+      nodeSelector:
+        openebs.io/nodeid: {{ .Values.zfs.nodeId }}
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: replay-mounter
+        image: {{ .Values.cifsMount.image }}
+        securityContext:
+          privileged: true
+        env:
+        - name: CIFS_SERVER
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_SERVER
+        - name: CIFS_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_USERNAME
+        - name: CIFS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_PASSWORD
+        - name: MOUNT_TARGET
+          value: "{{ .Values.dataPath }}/{{ .Values.targetFolder }}/{{ .Values.cifsMount.subfolder }}"
+        command:
+        - /bin/sh
+        - -c
+        - |
+          apk add --no-cache cifs-utils
+
+          cleanup() {
+            nsenter --mount=/proc/1/ns/mnt -- umount "$MOUNT_TARGET" 2>/dev/null || \
+            nsenter --mount=/proc/1/ns/mnt -- umount -l "$MOUNT_TARGET" 2>/dev/null || true
+            exit 0
+          }
+          trap cleanup TERM INT
+
+          mount_cifs() {
+            nsenter --mount=/proc/1/ns/mnt -- mkdir -p "$MOUNT_TARGET"
+            nsenter --mount=/proc/1/ns/mnt -- \
+              mount -t cifs "$CIFS_SERVER" "$MOUNT_TARGET" \
+              -o "username=$CIFS_USERNAME,password=$CIFS_PASSWORD,{{ .Values.cifsMount.mountOptions }}"
+          }
+
+          # Skip if already mounted (handles pod restarts without unmounting first)
+          if ! nsenter --mount=/proc/1/ns/mnt -- mountpoint -q "$MOUNT_TARGET"; then
+            until mount_cifs; do echo "Mount failed, retrying in 10s..."; sleep 10; done
+          fi
+
+          # Watchdog
+          while true; do
+            sleep 30 &
+            wait $!
+            if ! nsenter --mount=/proc/1/ns/mnt -- mountpoint -q "$MOUNT_TARGET"; then
+              echo "Mount lost, remounting..."
+              nsenter --mount=/proc/1/ns/mnt -- umount -f "$MOUNT_TARGET" 2>/dev/null || true
+              mount_cifs || true
+            fi
+          done
+{{- end }}

cluster/replay-mounter/values-prod.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values-test.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values.yaml

@@ -0,0 +1,16 @@
+cifsMount:
+  enabled: false
+  subfolder: "replay-old"           # dir created under /opt/faf/data/replays/
+  credentialsSecret: "cifs-credentials"
+  mountOptions: "ro,vers=3.0,uid=1000,gid=1000,file_mode=0644,dir_mode=0755"
+  image: "alpine:3.21"
+
+dataPath: "/opt/faf/data"
+targetFolder: "replays"
+
+# zfs.nodeId injected from config/prod.yaml
+# infisical-secret.enabled injected from config/prod.yaml
+infisical-secret:
+  name: cifs-credentials
+  secretNamespace: replay-mounter   # namespace where infisical-machine-identity lives
+  overrideSecretPath: "/replay-mounter"