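# Nomad job running the democratic-csi *controller* side (--csi-mode=controller)
# for two storage backends, iSCSI and NFS, both provisioned on a TrueNAS box
# through its HTTPS API. Each backend is its own group/task with its own
# driver config rendered from Vault.
job "democratic-csi-controller" {
  datacenters = ["dc1"]
  region      = "global"
  priority    = 90

  # At most one allocation per host. The same constraint is repeated inside
  # each group below; redundant, but harmless.
  constraint {
    operator = "distinct_hosts"
    value    = "true"
  }

  ###########################################################################
  # iSCSI controller
  ###########################################################################
  group "iscsi-controller" {
    count = 1

    constraint {
      operator = "distinct_hosts"
      value    = "true"
    }

    service {
      name = "democratic-csi-iscsi-controller"
      meta {
        alloc      = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group      = "${NOMAD_GROUP_NAME}"
        job        = "${NOMAD_JOB_NAME}"
        namespace  = "${NOMAD_NAMESPACE}"
        node       = "${node.unique.name}"
        region     = "${NOMAD_REGION}"
      }
    }

    restart {
      interval = "5m"
      attempts = 30
      delay    = "10s"
      mode     = "delay"
    }

    task "iscsi-controller" {
      driver = "docker"

      env {
        # Make node trust the Vault PKI root CA rendered into local/ca.crt
        # below, so the TrueNAS API connection keeps certificate verification
        # on (allowInsecure: false in the driver config).
        NODE_EXTRA_CA_CERTS = "/local/ca.crt"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (this particular file currently only carries locale/timezone settings).
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      # The Vault token is only used by the template renderer: it is neither
      # exported into the container environment nor written to secrets/vault_token.
      vault {
        policies     = ["democratic-csi"]
        env          = false
        disable_file = true
      }

      config {
        image = "danielberteaud/democratic-csi:1.9.0-1"
        args = [
          "--csi-version=1.5.0",
          "--csi-name=org.democratic-csi.iscsi",
          "--driver-config-file=/secrets/config.yml",
          "--log-level=info",
          "--csi-mode=controller",
          "--server-socket=/csi/csi.sock"
        ]
        # Privileged + host network + host user namespace: the container is
        # effectively root on the host. Presumably required by the CSI plugin
        # — confirm before widening this any further.
        network_mode = "host"
        privileged   = true
        userns_mode  = "host"
      }

      # Driver configuration, including the TrueNAS API key fetched from Vault.
      # Rendered with perms 400 (Nomad's template default is 0644), matching
      # the secrets/.env template above, so the key is not readable by anything
      # else that can see the alloc dir. The container presumably runs as root
      # (privileged, host userns) and can still read it — confirm the image
      # never drops to an unprivileged user.
      # Notes on the values below:
      #  - host already carries ":443" and port is set as well; check which one
      #    the driver actually uses and drop the other.
      #  - targetGroupAuthType: None means no CHAP. Access to the targets rests
      #    on the TrueNAS-side initiator group (1) and on who can reach
      #    10.99.3.27:3260 on the storage network.
      #  - NOTE(review): extentInsecureTpc: true maps to the TrueNAS "insecure
      #    TPC" extent option, which (per the TrueNAS docs, as I recall) lets an
      #    initiator bypass normal access control for third-party copy (xcopy);
      #    verify it is really needed before keeping it enabled.
      template {
        data        = <<_EOF
driver: freenas-api-iscsi
instance_id:
httpConnection:
  protocol: https
  host: truenas.example.org:443
  port: 443
  apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
  allowInsecure: false
  apiVersion: 2
zfs:
  datasetParentName: zpool/csi/iscsi
  detachedSnapshotsDatasetParentName: zpool/csi/iscsisnap
  zvolCompression:
  zvolDedup:
  zvolEnableReservation: false
  zvolBlocksize: false
iscsi:
  targetPortals:
    - 10.99.3.27:3260
  interface:
  namePrefix: ""
  nameSuffix: ""
  targetGroups:
    - targetGroupPortalGroup: 1
      targetGroupInitiatorGroup: 1
      targetGroupAuthType: None
      targetGroupAuthGroup:
  extentInsecureTpc: true
  extentXenCompat: false
  extentDisablePhysicalBlocksize: false
  extentBlocksize: 512
  extentRpm: "SSD"
  extentAvailThreshold: 0
_EOF
        destination = "secrets/config.yml"
        perms       = 400
      }

      # Load vault root CA into the trust store (referenced by NODE_EXTRA_CA_CERTS)
      template {
        data        = <<-EOF
          {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
          EOF
        destination = "local/ca.crt"
      }

      csi_plugin {
        id        = "org.democratic-csi.iscsi"
        type      = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu        = 100
        memory     = 128
        memory_max = 192
      }
    }
  }

  ###########################################################################
  # NFS controller
  ###########################################################################
  group "nfs-controller" {
    count = 1

    constraint {
      operator = "distinct_hosts"
      value    = "true"
    }

    service {
      name = "democratic-csi-nfs-controller"
      meta {
        alloc      = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group      = "${NOMAD_GROUP_NAME}"
        job        = "${NOMAD_JOB_NAME}"
        namespace  = "${NOMAD_NAMESPACE}"
        node       = "${node.unique.name}"
        region     = "${NOMAD_REGION}"
      }
    }

    restart {
      interval = "5m"
      attempts = 30
      delay    = "10s"
      mode     = "delay"
    }

    task "nfs-controller" {
      driver = "docker"

      env {
        # Same as the iSCSI task: trust the Vault PKI root CA so TLS
        # verification against the TrueNAS API stays enabled.
        NODE_EXTRA_CA_CERTS = "/local/ca.crt"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (this particular file currently only carries locale/timezone settings).
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }

      # Vault token kept out of the container environment and out of
      # secrets/vault_token; only the template renderer uses it.
      vault {
        policies     = ["democratic-csi"]
        env          = false
        disable_file = true
      }

      config {
        image = "danielberteaud/democratic-csi:1.9.0-1"
        args = [
          "--csi-version=1.5.0",
          "--csi-name=org.democratic-csi.nfs",
          "--driver-config-file=/secrets/config.yml",
          "--log-level=info",
          "--csi-mode=controller",
          "--server-socket=/csi/csi.sock"
        ]
        # Same privilege level as the iSCSI task (effectively root on the host).
        network_mode = "host"
        privileged   = true
        userns_mode  = "host"
      }

      # Driver configuration with the TrueNAS API key from Vault; rendered with
      # perms 400 for the same reason as in the iSCSI task (Nomad's default
      # would be 0644).
      # Notes on the values below:
      #  - host carries ":443" and port is set as well; check which one the
      #    driver uses and drop the other.
      #  - shareAllowedNetworks is the only access control on the exports
      #    (shareAllowedHosts is empty): any host in 10.99.9.0/24 can mount.
      #  - shareMaprootUser/Group: root maps a client's root to root on the
      #    export (no root squash), so every host in that network effectively
      #    gets root on the provisioned datasets.
      #  - datasets are created 0770 owned by uid/gid 0.
      template {
        data        = <<_EOF
driver: freenas-api-nfs
instance_id:
httpConnection:
  protocol: https
  host: truenas.example.org:443
  port: 443
  apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
  allowInsecure: false
  apiVersion: 2
zfs:
  datasetParentName: zpool/csi/nfs
  detachedSnapshotsDatasetParentName: zpool/csi/nfssnap
  datasetEnableQuotas: false
  datasetEnableReservation: false
  datasetPermissionsMode: "0770"
  datasetPermissionsUser: 0
  datasetPermissionsGroup: 0
nfs:
  shareHost: 10.99.3.27
  shareAlldirs: false
  shareAllowedHosts: []
  shareAllowedNetworks:
    - 10.99.9.0/24
  shareMaprootUser: root
  shareMaprootGroup: root
  shareMapallUser: ""
  shareMapallGroup: ""
_EOF
        destination = "secrets/config.yml"
        perms       = 400
      }

      # Load vault root CA into the trust store (referenced by NODE_EXTRA_CA_CERTS)
      template {
        data        = <<-EOF
          {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
          EOF
        destination = "local/ca.crt"
      }

      csi_plugin {
        id        = "org.democratic-csi.nfs"
        type      = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu        = 100
        memory     = 128
        memory_max = 192
      }
    }
  }
}

# vim: syntax=hcl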