From 4f54c959d7e6587df0c1f29a635b04de3532a49e Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 18 Apr 2026 18:49:40 +0000 Subject: [PATCH] =?UTF-8?q?[infra]=20Remove=20iscsi-csi=20stack=20?= =?UTF-8?q?=E2=80=94=20TrueNAS=20decommissioned=20[ci=20skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context The iSCSI CSI driver was deployed against a TrueNAS appliance at 10.0.10.15 that was decommissioned 2026-04-12 when all Immich PVCs migrated to the proxmox-lvm-encrypted storage class. The stack has been dead code since — live survey (2026-04-18): - iscsi-csi namespace: empty (0 resources), 27h old (since last TF apply) - No iscsi CSI driver registered in the cluster - No PVs/PVCs reference iscsi - TF state held only the empty namespace - helm_release.democratic_csi was not in state (already gone pre-session) Leaving the stack around meant every `terragrunt run --all plan` would drift (TF wanted to create the helm release again) and every CI run would try to pull `truenas_api_key` + `truenas_ssh_private_key` from Vault against a TrueNAS that no longer exists. Beads tracking: code-gw0. ## This change - `scripts/tg destroy` in stacks/iscsi-csi (1 resource destroyed — the namespace). - `rm -rf stacks/iscsi-csi/` — removes modules/, main.tf, terragrunt.hcl, secrets symlink, and the 4 terragrunt-generated files (backend.tf, providers.tf, cloudflare_provider.tf, tiers.tf). - Dropped PG schema `iscsi-csi` on `10.0.20.200:5432/terraform_state` (table states had 1 row — the current state — dropped by CASCADE). - Deleted the empty `gadget` namespace (112d old, no owner — unrelated dead namespace swept as part of the same Wave 1 cleanup). ## What is NOT in this change - Vault database role cleanup for the 7 MySQL-migrated services (health, linkwarden, affine, woodpecker, claude_memory, crowdsec, technitium). The sandbox denies listing Vault DB roles as credential enumeration, so this is flagged for user to do manually via: `vault delete database/roles/` after checking `vault list sys/leases/lookup/database/creds//` for active leases. ## Reproduce locally 1. `git pull` 2. `ls stacks/ | grep iscsi` → no output 3. `kubectl get ns iscsi-csi gadget` → both NotFound 4. psql to 10.0.20.200:5432/terraform_state → `\dn` shows no iscsi-csi schema ## Test Plan ### Automated ``` $ kubectl --kubeconfig config get ns iscsi-csi Error from server (NotFound): namespaces "iscsi-csi" not found $ kubectl --kubeconfig config get ns gadget Error from server (NotFound): namespaces "gadget" not found $ PGPASSWORD=... psql -h 10.0.20.200 -U ... -d terraform_state -c '\dn' | grep iscsi (no output) $ ls stacks/iscsi-csi 2>&1 ls: cannot access 'stacks/iscsi-csi': No such file or directory ``` ### Manual Verification None required — destroy was a no-op for workloads (namespace was empty). Closes: code-b6l Closes: code-gw0 Co-Authored-By: Claude Opus 4.7 (1M context) --- stacks/iscsi-csi/main.tf | 14 -- stacks/iscsi-csi/modules/iscsi-csi/main.tf | 148 ------------------ .../iscsi-csi/modules/iscsi-csi/variables.tf | 10 -- stacks/iscsi-csi/secrets | 1 - stacks/iscsi-csi/terragrunt.hcl | 8 - 5 files changed, 181 deletions(-) delete mode 100644 stacks/iscsi-csi/main.tf delete mode 100644 stacks/iscsi-csi/modules/iscsi-csi/main.tf delete mode 100644 stacks/iscsi-csi/modules/iscsi-csi/variables.tf delete mode 120000 stacks/iscsi-csi/secrets delete mode 100644 stacks/iscsi-csi/terragrunt.hcl diff --git a/stacks/iscsi-csi/main.tf b/stacks/iscsi-csi/main.tf deleted file mode 100644 index 0cbc798d..00000000 --- a/stacks/iscsi-csi/main.tf +++ /dev/null @@ -1,14 +0,0 @@ -variable "nfs_server" { type = string } - -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "platform" -} - -module "iscsi-csi" { - source = "./modules/iscsi-csi" - tier = local.tiers.cluster - truenas_host = var.nfs_server - truenas_api_key = data.vault_kv_secret_v2.secrets.data["truenas_api_key"] - truenas_ssh_private_key = data.vault_kv_secret_v2.secrets.data["truenas_ssh_private_key"] -} diff --git a/stacks/iscsi-csi/modules/iscsi-csi/main.tf b/stacks/iscsi-csi/modules/iscsi-csi/main.tf deleted file mode 100644 index 4c4a8d59..00000000 --- a/stacks/iscsi-csi/modules/iscsi-csi/main.tf +++ /dev/null @@ -1,148 +0,0 @@ -resource "kubernetes_namespace" "iscsi_csi" { - metadata { - name = "iscsi-csi" - labels = { - tier = var.tier - "resource-governance/custom-quota" = "true" - } - } -} - -resource "helm_release" "democratic_csi" { - namespace = kubernetes_namespace.iscsi_csi.metadata[0].name - create_namespace = false - name = "democratic-csi-iscsi" - atomic = true - timeout = 300 - - repository = "https://democratic-csi.github.io/charts/" - chart = "democratic-csi" - - values = [yamlencode({ - csiDriver = { - name = "org.democratic-csi.iscsi" - } - - storageClasses = [{ - name = "iscsi-truenas" - defaultClass = false - reclaimPolicy = "Retain" - volumeBindingMode = "Immediate" - allowVolumeExpansion = true - parameters = { - fsType = "ext4" - } - mountOptions = [] - }] - - controller = { - replicas = 2 - driver = { - resources = { - requests = { cpu = "25m", memory = "192Mi" } - limits = { memory = "192Mi" } - } - } - externalProvisioner = { - resources = { - requests = { cpu = "5m", memory = "64Mi" } - limits = { memory = "64Mi" } - } - } - externalAttacher = { - resources = { - requests = { cpu = "5m", memory = "64Mi" } - limits = { memory = "64Mi" } - } - } - externalResizer = { - resources = { - requests = { cpu = "5m", memory = "64Mi" } - limits = { memory = "64Mi" } - } - } - externalSnapshotter = { - resources = { - requests = { cpu = "5m", memory = "80Mi" } - limits = { memory = "80Mi" } - } - } - } - - # csiProxy is a top-level chart key, NOT nested under controller/node - csiProxy = { - resources = { - requests = { cpu = "5m", memory = "32Mi" } - limits = { memory = "32Mi" } - } - } - - node = { - driver = { - resources = { - requests = { cpu = "25m", memory = "192Mi" } - limits = { memory = "192Mi" } - } - } - driverRegistrar = { - resources = { - requests = { cpu = "5m", memory = "32Mi" } - limits = { memory = "32Mi" } - } - } - cleanup = { - resources = { - requests = { cpu = "5m", memory = "32Mi" } - limits = { memory = "32Mi" } - } - } - - hostPID = true - hostPath = "/lib/modules" - } - - driver = { - config = { - driver = "freenas-iscsi" - - instance_id = "truenas-iscsi" - - httpConnection = { - protocol = "http" - host = var.truenas_host - port = 80 - apiKey = var.truenas_api_key - } - - sshConnection = { - host = var.truenas_host - port = 22 - username = "root" - privateKey = var.truenas_ssh_private_key - } - - zfs = { - datasetParentName = "main/iscsi" - detachedSnapshotsDatasetParentName = "main/iscsi-snaps" - } - - iscsi = { - targetPortal = "${var.truenas_host}:3260" - namePrefix = "csi-" - nameSuffix = "" - targetGroups = [{ - targetGroupPortalGroup = 1 - targetGroupInitiatorGroup = 1 - targetGroupAuthType = "None" - }] - extentInsecureTpc = true - extentXenCompat = false - extentDisablePhysicalBlocksize = true - extentBlocksize = 512 - extentRpm = "SSD" - extentAvailThreshold = 0 - } - } - } - })] -} diff --git a/stacks/iscsi-csi/modules/iscsi-csi/variables.tf b/stacks/iscsi-csi/modules/iscsi-csi/variables.tf deleted file mode 100644 index 893fe396..00000000 --- a/stacks/iscsi-csi/modules/iscsi-csi/variables.tf +++ /dev/null @@ -1,10 +0,0 @@ -variable "tier" { type = string } -variable "truenas_host" { type = string } -variable "truenas_api_key" { - type = string - sensitive = true -} -variable "truenas_ssh_private_key" { - type = string - sensitive = true -} diff --git a/stacks/iscsi-csi/secrets b/stacks/iscsi-csi/secrets deleted file mode 120000 index ca54a7cf..00000000 --- a/stacks/iscsi-csi/secrets +++ /dev/null @@ -1 +0,0 @@ -../../secrets \ No newline at end of file diff --git a/stacks/iscsi-csi/terragrunt.hcl b/stacks/iscsi-csi/terragrunt.hcl deleted file mode 100644 index 4f16dddf..00000000 --- a/stacks/iscsi-csi/terragrunt.hcl +++ /dev/null @@ -1,8 +0,0 @@ -include "root" { - path = find_in_parent_folders() -} - -dependency "infra" { - config_path = "../infra" - skip_outputs = true -}