# Nomad job template for the democratic-csi controller plugin.
# One group (and one task) is rendered per storage protocol listed in the
# range below: "iscsi" and "nfs". Inside the range the context variable is
# re-merged with its "controller" sub-map; presumably the controller values
# take precedence under gomplate merge semantics (TODO confirm).
# Comments are kept away from the whitespace-trimming template actions so
# they cannot swallow rendered output.
job "[[ .instance ]]-controller" {

  [[ $c := merge .democratic_csi . -]]
  [[- template "common/job_start" $c ]]

  [[- range $proto := coll.Slice "iscsi" "nfs" ]]

  group "[[ $proto ]]-controller" {

    [[ $c := merge $c.controller $c ]]

    count = [[ $c.count ]]

    [[ template "common/constraints" $c ]]

    service {
      name = "[[ $.instance ]]-[[ $proto ]]-controller[[ $.consul.suffix ]]"
      [[ template "common/service_meta" $c ]]
    }

    # Allow up to 30 restarts per 5 minute window, 10s apart; once the limit
    # is hit, "delay" mode waits for the next window instead of failing.
    restart {
      interval = "5m"
      attempts = 30
      delay    = "10s"
      mode     = "delay"
    }

    task "[[ $proto ]]-controller" {
      driver = "[[ $c.nomad.driver ]]"

      # Node.js reads extra trusted CAs from this file, which is written by the
      # second template block of this task (the Vault PKI CA certificate).
      # This extends the trust store; certificate verification stays enabled.
      env {
        NODE_EXTRA_CA_CERTS = "/local/ca.crt"
      }

      [[ template "common/file_env" $c ]]

      # The Vault token is used only by Nomad to render the templates below:
      # env = false keeps VAULT_TOKEN out of the task environment and
      # disable_file = true keeps it from being written to secrets/vault_token.
      # With the container privileged (see config), keep both settings.
      vault {
        policies     = ["[[ $.instance ]][[ $.consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      config {
        # NOTE(review): this image runs privileged on the host; prefer a
        # digest-pinned image value over a mutable tag.
        image = "[[ $.democratic_csi.image ]]"
        # --csi-name must match csi_plugin.id, and --server-socket must live
        # under csi_plugin.mount_dir (/csi); both agree in this file.
        args = [
          "--csi-version=1.5.0",
          "--csi-name=[[ $.democratic_csi.plugin_id ]].[[ $proto ]]",
          "--driver-config-file=/secrets/config.yml",
          "--log-level=info",
          "--csi-mode=controller",
          "--server-socket=/csi/csi.sock"
        ]
        # NOTE(review): host networking, privileged mode and the host user
        # namespace together give this container near-root access to the
        # client node. Confirm the controller mode of the configured driver
        # really needs all three (node plugins usually need mount privileges,
        # controllers often only talk to the storage API) and drop what it
        # does not. The Nomad client must also be configured to allow
        # privileged containers for this to start.
        network_mode = "host"
        privileged   = true
        userns_mode  = "host"
      }

      # Driver configuration, rendered from the per-protocol controller.yml.tpl
      # (not shown here). Presumably it carries storage credentials, hence the
      # secrets/ destination. NOTE(review): no perms is set, so Nomad's default
      # file mode applies; consider a tighter mode if credentials are present.
      # The heredoc body and its terminator stay at column 0 because a plain
      # heredoc keeps leading whitespace, which would end up in the YAML.
      template {
        data =<<_EOF
[[ tmpl.Exec (printf "democratic_csi/%s/controller.yml.tpl" $proto) $c ]]
_EOF
        destination = "secrets/config.yml"
      }

      # Write the Vault PKI CA certificate to local/ca.crt so the plugin
      # trusts it through NODE_EXTRA_CA_CERTS (set in the env block above).
      template {
        data        = <<-EOF
          {{ with secret "[[ $.vault.pki.issuer ]]/cert/ca" }}{{ .Data.certificate }}{{ end }}
        EOF
        destination = "local/ca.crt"
      }

      # Register the task with Nomad as a CSI controller plugin. Nomad mounts
      # the plugin directory at /csi and looks for the socket there; the
      # plugin has 2 minutes to report healthy.
      csi_plugin {
        id             = "[[ $.democratic_csi.plugin_id ]].[[ $proto ]]"
        type           = "controller"
        mount_dir      = "/csi"
        health_timeout = "2m"
      }

      [[ template "common/resources" $c ]]
    }
  }
  [[- end ]]
}

# vim: syntax=hcl