# Nomad job running two democratic-csi CSI *controller* plugins, one for iSCSI
# and one for NFS. Both talk to the same TrueNAS API endpoint over HTTPS using
# an API key read from Vault (see the secrets/config.yml templates below).
job "democratic-csi-controller" {

  datacenters = ["dc1"]
  region = "global"
  priority = 90

  # distinct_hosts is declared here and again inside each group.
  constraint {
    operator = "distinct_hosts"
    value = "true"
  }

  group "iscsi-controller" {

    count = 1

    constraint {
      operator = "distinct_hosts"
      value = "true"
    }

    # Service registration with no port; the meta values are filled from Nomad
    # runtime variables and only describe where the allocation runs.
    service {
      name = "democratic-csi-iscsi-controller"
      meta {
        alloc = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group = "${NOMAD_GROUP_NAME}"
        job = "${NOMAD_JOB_NAME}"
        namespace = "${NOMAD_NAMESPACE}"
        node = "${node.unique.name}"
        region = "${NOMAD_REGION}"
      }

    }

    # Up to 30 restarts per 5-minute interval, 10s apart; mode "delay" waits for
    # the next interval instead of failing the allocation.
    restart {
      interval = "5m"
      attempts = 30
      delay = "10s"
      mode = "delay"
    }

    task "iscsi-controller" {

      driver = "docker"

      # Makes Node.js trust the CA rendered to local/ca.crt by the last template
      # of this task, in addition to its built-in roots.
      env {
        NODE_EXTRA_CA_CERTS = "/local/ca.crt"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (as written, this template holds only locale and timezone, no secrets)
      template {
        data = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms = 400
        env = true
      }

      # The Vault token is used by the template blocks only: env = false keeps it
      # out of the task environment and disable_file = true keeps it out of the
      # task's secrets directory.
      # NOTE(review): the scope of the "democratic-csi" policy is not visible
      # here; it should allow reading only kv/service/democratic-csi and the PKI
      # root certificate used below.
      vault {
        policies = ["democratic-csi"]
        env = false
        disable_file = true
      }

      config {
        # NOTE(review): the image is referenced by tag only. A tag can be
        # re-pushed; pinning by digest is the usual way to make sure the
        # privileged container below always runs the reviewed content.
        image = "danielberteaud/democratic-csi:1.9.0-1"

        args = [
          "--csi-version=1.5.0",
          "--csi-name=org.democratic-csi.iscsi",
          "--driver-config-file=/secrets/config.yml",
          "--log-level=info",
          "--csi-mode=controller",
          "--server-socket=/csi/csi.sock"
        ]

        # NOTE(review): privileged + host network + host user namespace remove
        # most container isolation, and this task also holds the TrueNAS API key.
        # In controller mode with a freenas-api-* driver the plugin appears to
        # need only the HTTPS API and the CSI socket; confirm whether these three
        # settings are required here and drop whichever are not.
        network_mode = "host"
        privileged = true
        userns_mode = "host"
      }

      # Driver configuration, rendered with the TrueNAS API key from Vault.
      # NOTE(review), in order of appearance in the YAML:
      #  - no perms is set on this template, while the non-secret .env above uses
      #    400; Nomad's default template mode (0644 per its docs; confirm for
      #    your version) then applies to the file that holds the API key.
      #    Consider an explicit restrictive perms value if the container user
      #    can still read the file.
      #  - host already carries ":443" and port is also 443; confirm the driver
      #    does not end up with a doubled port.
      #  - allowInsecure: false keeps TLS verification on, which is what makes
      #    the NODE_EXTRA_CA_CERTS / local/ca.crt setup necessary.
      #  - targetGroupAuthType: None means targets are created without CHAP, so
      #    access depends on initiator group 1 and on network reachability of
      #    the portal. Make sure that group and the storage network are
      #    restricted.
      #  - extentInsecureTpc: true presumably maps to the TrueNAS extent option
      #    that relaxes access control for third-party copy; confirm it is
      #    wanted.
      template {
        data = <<_EOF
driver: freenas-api-iscsi

instance_id:
httpConnection:
  protocol: https
  host: truenas.example.org:443
  port: 443
  apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
  allowInsecure: false
  apiVersion: 2

zfs:
  datasetParentName: zpool/csi/iscsi
  detachedSnapshotsDatasetParentName: zpool/csi/iscsisnap
  zvolCompression:
  zvolDedup:
  zvolEnableReservation: false
  zvolBlocksize: false

iscsi:
  targetPortals:
    - 10.99.3.27:3260
  interface:

  namePrefix: ""
  nameSuffix: ""

  targetGroups:
    - targetGroupPortalGroup: 1
      targetGroupInitiatorGroup: 1
      targetGroupAuthType: None
      targetGroupAuthGroup:

  extentInsecureTpc: true
  extentXenCompat: false
  extentDisablePhysicalBlocksize: false
  extentBlocksize: 512
  extentRpm: "SSD"
  extentAvailThreshold: 0

_EOF
        destination = "secrets/config.yml"
      }

      # Load vault root CA into the trust store
      # (rendered to local/ca.crt, the path NODE_EXTRA_CA_CERTS points at; the
      # certificate is public material, so local/ rather than secrets/ is fine)
      template {
        data = <<-EOF
        {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
        EOF
        destination = "local/ca.crt"
      }

      # Registers the task as the controller side of the CSI plugin; the id
      # matches --csi-name and mount_dir matches the directory of --server-socket.
      csi_plugin {
        id = "org.democratic-csi.iscsi"
        type = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu = 100
        memory = 128
        memory_max = 192
      }

    }
  }

  # Same layout as the iSCSI group; only the driver, CSI name and the
  # storage-specific YAML differ.
  group "nfs-controller" {

    count = 1

    constraint {
      operator = "distinct_hosts"
      value = "true"
    }

    service {
      name = "democratic-csi-nfs-controller"
      meta {
        alloc = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group = "${NOMAD_GROUP_NAME}"
        job = "${NOMAD_JOB_NAME}"
        namespace = "${NOMAD_NAMESPACE}"
        node = "${node.unique.name}"
        region = "${NOMAD_REGION}"
      }

    }

    restart {
      interval = "5m"
      attempts = 30
      delay = "10s"
      mode = "delay"
    }

    task "nfs-controller" {

      driver = "docker"

      # Extra CA for Node.js, rendered by the last template of this task.
      env {
        NODE_EXTRA_CA_CERTS = "/local/ca.crt"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (as written, this template holds only locale and timezone, no secrets)
      template {
        data = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms = 400
        env = true
      }

      # Token is used for template rendering only: not exported to the task
      # environment (env = false) and not written to disk (disable_file = true).
      vault {
        policies = ["democratic-csi"]
        env = false
        disable_file = true
      }

      config {
        # NOTE(review): tag-only image reference; see the iSCSI task.
        image = "danielberteaud/democratic-csi:1.9.0-1"

        args = [
          "--csi-version=1.5.0",
          "--csi-name=org.democratic-csi.nfs",
          "--driver-config-file=/secrets/config.yml",
          "--log-level=info",
          "--csi-mode=controller",
          "--server-socket=/csi/csi.sock"
        ]

        # NOTE(review): same question as for the iSCSI task: confirm that a
        # controller which only calls the TrueNAS API needs privileged mode and
        # the host network and user namespaces.
        network_mode = "host"
        privileged = true
        userns_mode = "host"
      }

      # Driver configuration, rendered with the TrueNAS API key from Vault.
      # NOTE(review), in order of appearance in the YAML:
      #  - no perms is set on the file that holds the API key (see the iSCSI
      #    task).
      #  - host carries ":443" while port is also set; confirm.
      #  - datasets are created root:root (uid/gid 0) with mode 0770.
      #  - shareMaprootUser/Group: root means root on a client is treated as
      #    root on the share (no root squash). The only restriction visible here
      #    is shareAllowedNetworks (10.99.9.0/24), so every host on that network
      #    must be trusted. shareAllowedHosts is empty.
      template {
        data = <<_EOF
driver: freenas-api-nfs

instance_id:
httpConnection:
  protocol: https
  host: truenas.example.org:443
  port: 443
  apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
  allowInsecure: false
  apiVersion: 2

zfs:
  datasetParentName: zpool/csi/nfs
  detachedSnapshotsDatasetParentName: zpool/csi/nfssnap
  datasetEnableQuotas: false
  datasetEnableReservation: false
  datasetPermissionsMode: "0770"
  datasetPermissionsUser: 0
  datasetPermissionsGroup: 0

nfs:
  shareHost: 10.99.3.27
  shareAlldirs: false
  shareAllowedHosts: []
  shareAllowedNetworks:
    - 10.99.9.0/24
  shareMaprootUser: root
  shareMaprootGroup: root
  shareMapallUser: ""
  shareMapallGroup: ""

_EOF
        destination = "secrets/config.yml"
      }

      # Load vault root CA into the trust store
      template {
        data = <<-EOF
        {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
        EOF
        destination = "local/ca.crt"
      }

      # Controller side of the NFS CSI plugin; id matches --csi-name.
      csi_plugin {
        id = "org.democratic-csi.nfs"
        type = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu = 100
        memory = 128
        memory_max = 192
      }

    }
  }
}
# vim: syntax=hcl