Add replay-mounter daemonset

Author: Brutus5000

.gitignore

@@ -11,4 +11,7 @@ spicy-secrets/**
 
 tilt_config.json
 .local-data/
-.helm-cache/
+.helm-cache/
+
+# Script related stuff
+**/.gradle

README.MD

@@ -52,13 +52,14 @@ kubectl apply -f app-set-test.yaml
 
 Many apps will fail to start, because the lack the secrets that will be generated by infisical. But infiscal needs be setup too.
 We use the cloud edition, but there is also a self hosted one we do not cover here.
-For our stack you need to create a service token in the web ui and add this as a secret in all affected namespaces:
+For our stack you need to create a machine identity in the web ui and add its credentials as a secret in all affected namespaces:
 
 ```sh
-for namespace in "faf-apps faf-ops argocd"; do
-kubectl create secret generic "infisical-service-token" \
+for namespace in faf-apps faf-ops argocd replay-mounter; do
+  kubectl create secret generic infisical-machine-identity \
     -n "$namespace" \
-    --from-literal=infisicalToken=<your-token-here>
+    --from-literal=clientId=<your-client-id-here> \
+    --from-literal=clientSecret=<your-client-secret-here>
 done
 ```
 

cluster/namespaces.yaml

@@ -19,4 +19,10 @@ metadata:
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: traefik
+  name: traefik
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: replay-mounter

cluster/replay-mounter/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: replay-mounter
+version: 1.0.0
+description: CIFS/SMB mount watchdog for the faf-replays hostPath PV
+
+dependencies:
+  - name: infisical-secret
+    version: 1.0.0
+    repository: file://../../common/infisical-secret

cluster/replay-mounter/templates/daemonset.yaml

@@ -0,0 +1,96 @@
+{{- if .Values.cifsMount.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: replay-mounter
+  namespace: replay-mounter
+spec:
+  selector:
+    matchLabels:
+      app: replay-mounter
+  template:
+    metadata:
+      labels:
+        app: replay-mounter
+    spec:
+      nodeSelector:
+        openebs.io/nodeid: {{ .Values.zfs.nodeId }}
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: replay-mounter
+        image: {{ .Values.cifsMount.image }}
+        securityContext:
+          privileged: true
+        env:
+        - name: CIFS_SERVER
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_SERVER
+        - name: CIFS_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_USERNAME
+        - name: CIFS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.cifsMount.credentialsSecret }}
+              key: CIFS_PASSWORD
+        - name: MOUNT_TARGET
+          value: "{{ .Values.cifsMount.mountPath }}"
+        volumeMounts:
+        - name: host-base
+          mountPath: "{{ .Values.cifsMount.hostBasePath }}"
+          mountPropagation: Bidirectional
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Installing cifs-utils..."
+          apk add --no-cache cifs-utils
+          echo "cifs-utils installed."
+
+          cleanup() {
+            echo "Shutting down, unmounting $MOUNT_TARGET..."
+            umount "$MOUNT_TARGET" 2>/dev/null || \
+            umount -l "$MOUNT_TARGET" 2>/dev/null || true
+            exit 0
+          }
+          trap cleanup TERM INT
+
+          mount_cifs() {
+            mkdir -p "$MOUNT_TARGET"
+            echo "Mounting $CIFS_SERVER -> $MOUNT_TARGET..."
+            mount -t cifs "$CIFS_SERVER" "$MOUNT_TARGET" \
+              -o "username=$CIFS_USERNAME,password=$CIFS_PASSWORD,{{ .Values.cifsMount.mountOptions }}"
+          }
+
+          is_mounted() { grep -q " $MOUNT_TARGET cifs " /proc/mounts; }
+
+          if is_mounted; then
+            echo "Mount already present, skipping initial mount."
+          else
+            echo "Mount not present, mounting..."
+            until mount_cifs; do echo "Mount failed, retrying in 10s..."; sleep 10; done
+            echo "Mount successful."
+          fi
+
+          echo "Entering watchdog loop (30s interval)..."
+          # Watchdog: kernel CIFS handles transient reconnects automatically;
+          # remount only if the mount fully disappears from /proc/mounts
+          while true; do
+            sleep 30 &
+            wait $!
+            if ! is_mounted; then
+              echo "Mount lost, remounting..."
+              umount -l "$MOUNT_TARGET" 2>/dev/null || true
+              mount_cifs || true
+            fi
+          done
+      volumes:
+      - name: host-base
+        hostPath:
+          path: "{{ .Values.cifsMount.hostBasePath }}"
+          type: Directory
+{{- end }}

cluster/replay-mounter/values-prod.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values-test.yaml

@@ -0,0 +1,2 @@
+cifsMount:
+  enabled: true

cluster/replay-mounter/values.yaml

@@ -0,0 +1,14 @@
+cifsMount:
+  enabled: false
+  mountPath: "/opt/faf/data/replays-old"
+  hostBasePath: "/opt/faf/data"    # parent dir shared via Bidirectional propagation
+  credentialsSecret: "cifs-credentials"
+  mountOptions: "ro,vers=3.0,uid=1000,gid=1000,file_mode=0644,dir_mode=0755"
+  image: "alpine:3.21"
+
+# zfs.nodeId injected from config/prod.yaml
+# infisical-secret.enabled injected from config/prod.yaml
+infisical-secret:
+  name: cifs-credentials
+  secretNamespace: replay-mounter   # namespace where infisical-machine-identity lives
+  overrideSecretPath: "/replay-mounter"