From febb5759c9ae3a5bb6df8f837a3e0e14d0f4ffb8 Mon Sep 17 00:00:00 2001
From: Jean-Francois Roy
Date: Sat, 14 Sep 2024 15:41:27 -0700
Subject: [PATCH] feat(storage): deploy media zfs pvc and smb share
---
 kubernetes/apps/storage/kustomization.yaml | 6 ++--
 kubernetes/apps/storage/media/ks.yaml | 22 +++++++++++++
 .../storage/media/media/externalsecret.yaml | 31 +++++++++++++++++++
 .../storage/media/media/kustomization.yaml | 11 +++++++
 kubernetes/apps/storage/media/media/pvc.yaml | 11 +++++++
 .../storage/media/media/smbcommonconfig.yaml | 8 +++++
 .../media/media/smbsecurityconfig.yaml | 10 ++++++
 .../apps/storage/media/media/smbshare.yaml | 13 ++++++++
 .../storage/media/media/storageclass.yaml | 22 +++++++++++++
 kubernetes/apps/storage/namespace.yaml | 2 ++
 10 files changed, 133 insertions(+), 3 deletions(-)
 create mode 100644 kubernetes/apps/storage/media/ks.yaml
 create mode 100644 kubernetes/apps/storage/media/media/externalsecret.yaml
 create mode 100644 kubernetes/apps/storage/media/media/kustomization.yaml
 create mode 100644 kubernetes/apps/storage/media/media/pvc.yaml
 create mode 100644 kubernetes/apps/storage/media/media/smbcommonconfig.yaml
 create mode 100644 kubernetes/apps/storage/media/media/smbsecurityconfig.yaml
 create mode 100644 kubernetes/apps/storage/media/media/smbshare.yaml
 create mode 100644 kubernetes/apps/storage/media/media/storageclass.yaml
diff --git a/kubernetes/apps/storage/kustomization.yaml b/kubernetes/apps/storage/kustomization.yaml
index 1a3236b80..074616de4 100644
--- a/kubernetes/apps/storage/kustomization.yaml
+++ b/kubernetes/apps/storage/kustomization.yaml
@@ -2,6 +2,6 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
- # - ./namespace.yaml
- # - ./minio-storage/ks.yaml
+resources:
+ - ./namespace.yaml
+ - ./media/ks.yaml
diff --git a/kubernetes/apps/storage/media/ks.yaml b/kubernetes/apps/storage/media/ks.yaml
new file mode 100644
index 000000000..d9f2260ff
--- /dev/null
+++ b/kubernetes/apps/storage/media/ks.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: storage-media
+ namespace: flux-system
+spec:
+ targetNamespace: storage
+ dependsOn:
+ - name: external-secrets-stores
+ - name: openebs
+ - name: samba-operator
+ path: ./kubernetes/apps/storage/media/media
+ prune: false # don't prune media objects for safety
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/storage/media/media/externalsecret.yaml b/kubernetes/apps/storage/media/media/externalsecret.yaml
new file mode 100644
index 000000000..c86e5394e
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/externalsecret.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: media-smb
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: media-smb-secret
+ template:
+ engineVersion: v2
+ data:
+ users: |-
+ {
+ "samba-container-config": "v0",
+ "users": {
+ {{- $users := list }}
+ {{- range $u, $p := . }}
+ {{- if $p }}
+ {{- $users = append $users (dict "name" $u "password" $p) }}
+ {{- end }}
+ {{- end }}
+ "all_entries": {{ $users | toJson }}
+ }
+ }
+ dataFrom:
+ - extract:
+ key: media-smb
diff --git a/kubernetes/apps/storage/media/media/kustomization.yaml b/kubernetes/apps/storage/media/media/kustomization.yaml
new file mode 100644
index 000000000..282987c5f
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/kustomization.yaml
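Review bot: In kubernetes/apps/storage/media/ks.yaml the comment on `prune: false` gives the data-safety motive but not its consequence for the access-control objects deployed from the same path. With pruning off, deleting `smbshare.yaml`, `smbcommonconfig.yaml` or `externalsecret.yaml` from Git leaves the live objects in the cluster, so retiring the share or revoking its credentials takes a manual delete. I would extend the comment to `# don't prune media objects for safety; share, secret and PVC must be removed by hand when retired`.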
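Review bot: The `range $u, $p := .` loop in externalsecret.yaml turns every non-empty field of the `media-smb` item into an SMB account, so a field added to that item for any other purpose would silently become a login whose password is the field's value. Nothing in the manifest states that contract; a comment above `users: |-` such as `# every non-empty field of the media-smb item becomes an SMB user (field name = user, value = password)` would make it explicit. Filtering on a key prefix inside the range is the stricter option if the item may ever hold other fields.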
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./pvc.yaml
+ - ./smbcommonconfig.yaml
+ - ./smbsecurityconfig.yaml
+ - ./smbshare.yaml
+ - ./storageclass.yaml
diff --git a/kubernetes/apps/storage/media/media/pvc.yaml b/kubernetes/apps/storage/media/media/pvc.yaml
new file mode 100644
index 000000000..f336f551b
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: media
+spec:
+ accessModes: ["ReadWriteMany"]
+ resources:
+ requests:
+ storage: 200Ti
+ storageClassName: openebs-zfspv-media
diff --git a/kubernetes/apps/storage/media/media/smbcommonconfig.yaml b/kubernetes/apps/storage/media/media/smbcommonconfig.yaml
new file mode 100644
index 000000000..ba626c0ca
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/smbcommonconfig.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: samba-operator.samba.org/v1alpha1
+kind: SmbCommonConfig
+metadata:
+ name: media
+spec:
+ network:
+ publish: external
diff --git a/kubernetes/apps/storage/media/media/smbsecurityconfig.yaml b/kubernetes/apps/storage/media/media/smbsecurityconfig.yaml
new file mode 100644
index 000000000..5e9307d3c
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/smbsecurityconfig.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: samba-operator.samba.org/v1alpha1
+kind: SmbSecurityConfig
+metadata:
+ name: media
+spec:
+ mode: user
+ users:
+ secret: media-smb-secret
+ key: users
diff --git a/kubernetes/apps/storage/media/media/smbshare.yaml b/kubernetes/apps/storage/media/media/smbshare.yaml
new file mode 100644
index 000000000..910875044
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/smbshare.yaml
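Review bot: `publish: external` in smbcommonconfig.yaml exposes the SMB service outside the cluster, and smbshare.yaml makes that share writable (`readOnly: false`) and browseable, yet nothing in this commit limits which networks can reach it. Where the published address is reachable depends on the cluster's load-balancer setup, which is not shown here; if that is wider than the trusted LAN, the passwords in `media-smb-secret` are the only control in front of the volume. I would record the intended audience next to the setting, e.g. `# external = trusted LAN clients only`, and consider a NetworkPolicy in the `storage` namespace that selects the Samba pods.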
@@ -0,0 +1,13 @@
+---
+apiVersion: samba-operator.samba.org/v1alpha1
+kind: SmbShare
+metadata:
+ name: media
+spec:
+ readOnly: false
+ browseable: true
+ securityConfig: media
+ commonConfig: media
+ storage:
+ pvc:
+ name: media
diff --git a/kubernetes/apps/storage/media/media/storageclass.yaml b/kubernetes/apps/storage/media/media/storageclass.yaml
new file mode 100644
index 000000000..d2b4be22f
--- /dev/null
+++ b/kubernetes/apps/storage/media/media/storageclass.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: openebs-zfspv-media
+allowedTopologies:
+ - matchLabelExpressions:
+ - key: kubernetes.io/hostname
+ values:
+ - kantai1
+allowVolumeExpansion: true
+parameters:
+ compression: "off"
+ dedup: "off"
+ fstype: "zfs"
+ poolname: "reservoir"
+ recordsize: "1M"
+ shared: "yes"
+ thinprovision: "yes"
+provisioner: zfs.csi.openebs.io
+reclaimPolicy: Retain
+volumeBindingMode: Immediate
diff --git a/kubernetes/apps/storage/namespace.yaml b/kubernetes/apps/storage/namespace.yaml
index ec40b5e87..6ffb7fbae 100644
--- a/kubernetes/apps/storage/namespace.yaml
+++ b/kubernetes/apps/storage/namespace.yaml
@@ -5,6 +5,8 @@ metadata:
 name: storage
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
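Review bot: StorageClass is cluster-scoped, so `openebs-zfspv-media` in storageclass.yaml can be requested from any namespace even though the Flux Kustomization sets `targetNamespace: storage`. Any workload allowed to create PVCs could therefore provision from the `reservoir` pool that backs the media share, and `allowVolumeExpansion: true` lets such claims grow. A comment such as `# intended for the storage/media PVC only` documents the intent. A ResourceQuota in other namespaces that sets `openebs-zfspv-media.storageclass.storage.k8s.io/persistentvolumeclaims` to 0 would enforce it.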
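Review bot: The new `pod-security.kubernetes.io/enforce: privileged` label in namespace.yaml lifts Pod Security Admission restrictions for every pod in `storage`, including the externally published Samba server, and the commit does not say which workload needs it. If only one component requires the extra privileges, a comment naming it would help, e.g. `# privileged required by <component>: <reason>`. Adding `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` alongside would show which pods actually exceed baseline without blocking them. The Namespace document starts above the hunk; its `metadata:` line appears only in the hunk header.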