Add last used cluster deployment config files (#316)

* New staging domain

* Keep sensitive data in secrets

* Run deploy-start sequence at container startup

* Revert to stable image

* Add production deployment manifests

* Add chain spec deployment Job and Secret

* Network policy for Hubble Commander service

* Hubble Commander is not going to be scaled

* Grab the env vars required for runnign chain spec job

* Use the apiVersion which is up to date

* Update chain spec file content

* Apply the latest chain spec file content

* Remove unneeded HUBBLE_BOOTSTRAP_NODE_URL from config maps

* Allow payments service accessing hubble directly

* Fix HUBBLE_ROLLUP_MIN_TXS_PER_COMMITMENT env var

* Add the volume and affinity params

* Move k8s deployment config files to cluster/ subdir

Co-authored-by: Michał Sieczkowski <michal@ethworks.io>

Author: gvidon

.gitignore

@@ -9,3 +9,7 @@ config.yaml
 e2e/geth-data/geth
 chain-spec.yaml
 backups/
+
+# Kubernetes
+kustomization.yaml
+secrets.yaml

deployment/cluster/production/chain-spec/job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: chain-spec
+  namespace: production
+spec:
+  template:
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      volumes:
+      - name: chain-spec
+        emptyDir:
+          sizeLimit: 1Gi
+      containers:
+      - name: chain-spec
+        image: "ghcr.io/worldcoin/hubble-commander@sha256:f65594ef5814288b2a3f188ca821edd113e3743bb0224c8f5386d25a4ecb1f72"
+        command:
+            - /bin/sh
+            - -c
+            - "/go/src/app/build/hubble deploy -file /chain-spec/chain-spec.yaml; cat /chain-spec/chain-spec.yaml | base64"
+        volumeMounts:
+        - name: chain-spec
+          mountPath: /chain-spec
+        envFrom:
+          - configMapRef:
+              name: hubble-commander
+          - configMapRef:
+              name: primary-hubble-commander
+          - secretRef:
+              name: hubble-commander
+          - secretRef:
+              name: primary-hubble-commander
+      restartPolicy: Never
+  backoffLimit: 0

deployment/cluster/production/chain-spec/secret.yml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chain-spec
+  namespace: production
+type: Opaque
+data:
+  # Placeholder value
+  chain-spec.yaml: |
+    Y2hhaW5faWQ6ICIxMzM3IgphY2NvdW50X3JlZ2lzdHJ5OiAweGNjYTQzOTFjZjI1ZDk3NzNiNDgz
+    MWUyNDBiMWRkZjkzMTdiMDk0Y2QKZGVwbG95bWVudF9ibG9jazogNDEyMgpyb2xsdXA6IDB4NzEw
+    NzI1YzBkOWZjZWE2N2RlN2JhZWIwMzUzNzdkMDJlMTljNDJkYgpnZW5lc2lzX2FjY291bnRzOgot
+    IHB1YmxpY19rZXk6IDB4MGRmNjhjYjg3ODU2MjI5YjBiYzNmMTU4ZmZmOGI4MmIwNGRlYjFhNGMy
+    M2RhZGJmM2VkMmRhNGVjNmY2ZWZjYjFjMTY1YzZiNDdkOGM4OWFiMmRkYjA4MzFjMTgyMjM3YjI3
+    YTRiM2Q5NzAxNzc1YWQ2YzE4MDMwM2Y4N2VmMjYwNTY2Y2IyZjBiY2M3Yjg5YzIyNjBkZTJmZWU4
+    ZWMyOWQ3YjVlNTc1YTFlMzZlYjRiY2VhZDUyYTc0YTUxMWI3MTg4ZDdkZjdjOWQwOGY5NGI5ZGFh
+    OWQ4OTEwNWZiZGYyMmJmMTRlMzBiODRmOGFkZWZiMzY5NWViZmYwMGU4OAogIHB1Yl9rZXlfaWQ6
+    IDAKICBzdGF0ZV9pZDogMAogIGJhbGFuY2U6ICIxMDAwMDAwMDAwMDAwMDAwMDAwIgotIHB1Ymxp
+    Y19rZXk6IDB4MDA5N2Y0NjVmZTgyN2NlNGRhZDc1MTk4OGY2Y2U1ZWM3NDc0NTgwNzU5OTIxODBj
+    YTExYjA3NzZiOWVhM2E5MTBjM2VlNGRjYTRhMDNkMDZjMzg2Mzc3OGFmZmU5MWNlMzhkNTAyMTM4
+    MzU2YTM1YWUxMjY5NWM1NjViMjRlYTYxNTFiODNlYWJkNDFhNjA5MGI4YWMzYmIyNWUxNzNjODRj
+    M2IwODBhNTU0NTI2MGIxMzI3NDk1OTIwYzM0MmMwMmQ1MWNhYzQ0MTgyMjhkYjFhM2Q5OGFhMTJl
+    NmZkN2IzMjY3YzcwMzQ3NWY1OTk5YjJlYzdhMTk3YWQ3ZDhiYwogIHB1Yl9rZXlfaWQ6IDEKICBz
+    dGF0ZV9pZDogMQogIGJhbGFuY2U6ICIxMDAwMDAwMDAwMDAwMDAwMDAwIgotIHB1YmxpY19rZXk6
+    IDB4MWNjZjE5ODcxMzIwYjdlODUwNDc1ODQ1ZDg3OWE5Zjk3MTdhNmM5Njk0ZmFiMTk0OThlNDI2
+    MWI0NDJkZTRlMDExNDA2YmRjOTY3OTg0NzcxNTA4YTJlNTBkNzc0ZjQ5ZGIzNmJmNWIwNGIxNWY5
+    ZjQxMWI4Yzg3MzNmZTBkOGUzMDFmOGYyZTlhYTk4ZjdkZGU3ZGUzNjM1YmFhMjE2ZmRjOTY5ZTc1
+    MmY0ZWY2NDZmZDVmODFkODllNDZkMzk4MDRjMGFjOTJjN2VhNGNjNTk1N2I0MjE0ZWY0MWEwYWE0
+    ZjFhNmYzNDNjZWJmYjU3N2U5ZGNhZjhmZjI1NTFkNQogIHB1Yl9rZXlfaWQ6IDIKICBzdGF0ZV9p
+    ZDogMgogIGJhbGFuY2U6ICIxMDAwMDAwMDAwMDAwMDAwMDAwIgotIHB1YmxpY19rZXk6IDB4MDA5
+    N2Y0NjVmZTgyN2NlNGRhZDc1MTk4OGY2Y2U1ZWM3NDc0NTgwNzU5OTIxODBjYTExYjA3NzZiOWVh
+    M2E5MTBjM2VlNGRjYTRhMDNkMDZjMzg2Mzc3OGFmZmU5MWNlMzhkNTAyMTM4MzU2YTM1YWUxMjY5
+    NWM1NjViMjRlYTYxNTFiODNlYWJkNDFhNjA5MGI4YWMzYmIyNWUxNzNjODRjM2IwODBhNTU0NTI2
+    MGIxMzI3NDk1OTIwYzM0MmMwMmQ1MWNhYzQ0MTgyMjhkYjFhM2Q5OGFhMTJlNmZkN2IzMjY3Yzcw
+    MzQ3NWY1OTk5YjJlYzdhMTk3YWQ3ZDhiYwogIHB1Yl9rZXlfaWQ6IDMKICBzdGF0ZV9pZDogMwog
+    IGJhbGFuY2U6ICIxMDAwMDAwMDAwMDAwMDAwMDAwIgotIHB1YmxpY19rZXk6IDB4MjAwNzAwMzE3
+    MmI1NDUzYzU0NjhkYzQxODFjMWZiMDU4ZjFhZGVjMjJmNWU5NTVmNTliMjVhY2RjMTgyMDdjNDA2
+    ZjYxNWVjNjkzYWExYzkzYzdjNmNkMGRlMGZiM2E5YTRlZTY4Y2Q0YzA3OTFkZDdiMWMyMWFhNjE2
+    MThiZjcxNTljNjEyYmRiZDA0YThmMjhlNDQwMDI2ZjgwYzFmYjdlZmM3ZWRhYWQ0NDNiYWU2NDNi
+    YjcwMTU0ZTExZjBmMWRmOTI5ZWVmY2NmYmVkZGI0MzI5MDY2M2YxYTJiMzY3Y2ZiMGJjODZlOWRm
+    MWU4NDlhNWYxOWY5NzA5ZjhiNwogIHB1Yl9rZXlfaWQ6IDQKICBzdGF0ZV9pZDogNAogIGJhbGFu
+    Y2U6ICIxMDAwMDAwMDAwMDAwMDAwMDAwIgotIHB1YmxpY19rZXk6IDB4MDIyNjk5ZjAzYzFjOWZk
+    ZGQ3Y2MyOWU1ZTNjODM3YzFkY2ZjYjQwMmVkOWI0N2Q0M2JkOTcwMjMyMTY2MmQ4NjBjYTIwODFk
+    MDQ2YTAxZTg1MmI2ZTRlY2Q4NjBlZGY4NWUwZTBjMWFlZjVlNjJhZjM0Yzg1ZjdjZTIyMWJjMzEx
+    NzlkZTk1YzQxNjIxMTFhNjA1ZDA5YWFhNjZhNjNhN2E1MDJjOTA0ZDQyZDc2NzVkYWQ1YjQ4MzI4
+    YjhjY2RjMWExMGM2YmNmNzc0ZTdmNWExMmRlYWIxMWM0ODhlMTlmZDNmMzk5NWY3ZDljMjA5MGZm
+    YWI4OGRlYjhiNzFmNwogIHB1Yl9rZXlfaWQ6IDUKICBzdGF0ZV9pZDogNQogIGJhbGFuY2U6ICIx
+    MDAwMDAwMDAwMDAwMDAwMDAwIgo=

deployment/cluster/production/geth/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: geth
+  name: geth
+  namespace: production
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: geth
+  template:
+    metadata:
+      labels:
+        app: geth
+        admission.datadoghq.com/enabled: "true"
+      annotations:
+        ad.datadoghq.com/geth.logs: '[{"source":"go","service":"geth"}]'
+        ad.datadoghq.com/tags: '{"env":"production"}'
+    spec:
+      containers:
+        - name: geth
+          image: "ethereum/client-go"
+          command: ["/bin/sh"]
+
+          args: [
+            "-c",
+
+            "echo \"Creating the cipher file...\" &&
+            mkdir -p /root/ethereum/keystore &&
+            echo '{\"address\":\"9f758331b439c1b664e86f2050f2360370f06849\",\"crypto\":{\"cipher\":\"aes-128-ctr\",\"ciphertext\":\"e1860e27080f7c6e7353cd132ae498b889d045849aa3f224d470d5d97ea09fc4\",\"cipherparams\":{\"iv\":\"3626816e04320eaa4bd4a7626787e839\"},\"kdf\":\"scrypt\",\"kdfparams\":{\"dklen\":32,\"n\":262144,\"p\":1,\"r\":8,\"salt\":\"34636cdd63c05f88c20632b5bdc312896125ec35e1b572a9c3276f75cab2408e\"},\"mac\":\"0a7edb666e831f892b06791da54c8d9ee61cbf0f99ab2ec03b6d812ee0ef334e\"},\"id\":\"db483d8e-2d98-490b-997e-26ed52ee6365\",\"version\":3}' | cat > /root/ethereum/keystore/UTC--2021-06-07T12-34-01.339648000Z--9f758331b439c1b664e86f2050f2360370f06849 &&
+            geth --datadir=/root/ethereum --dev --dev.period=5 --http --http.addr=0.0.0.0 --ws --ws.addr=0.0.0.0",
+          ]
+
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8545
+            - containerPort: 8546
+          resources:
+            requests:
+              memory: "124Mi"
+              cpu: "250m"
+            limits:
+              memory: "6144Mi"
+              cpu: "1500m"

deployment/cluster/production/geth/service.yaml

@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    app: geth
+  name: geth
+  namespace: production
+spec:
+  type: ClusterIP
+  selector:
+    app: geth
+  ports:
+    - port: 8546
+      targetPort: 8546

deployment/cluster/production/hubble-commander/config-map.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: hubble-commander
+  name: hubble-commander
+  namespace: production
+data:
+  HUBBLE_ETHEREUM_RPC_URL: ws://geth:8546
+  HUBBLE_ETHEREUM_CHAIN_ID: "1337"
+  HUBBLE_POSTGRES_HOST: consumer-app-crypto-db-production.cluster-c1amkrvabwaw.us-east-1.rds.amazonaws.com
+  HUBBLE_POSTGRES_PORT: "5432"
+  HUBBLE_BOOTSTRAP_CHAIN_SPEC_PATH: "/chain-spec/chain-spec.yaml"
+  HUBBLE_ROLLUP_MIN_TXS_PER_COMMITMENT: "1"
+  HUBBLE_ROLLUP_MIN_COMMITMENTS_PER_BATCH: "1"
+  HUBBLE_LOG_LEVEL: "debug"
+  HUBBLE_LOG_FORMAT: "json"

…staging/hubble-commander/deployment.yaml …duction/hubble-commander/deployment.yamldeployment/staging/hubble-commander/deployment.yaml renamed to deployment/cluster/production/hubble-commander/deployment.yaml deployment/staging/hubble-commander/deployment.yaml renamed to deployment/cluster/production/hubble-commander/deployment.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app: hubble-commander
   name: hubble-commander
-  namespace: staging
+  namespace: production
 spec:
   replicas: 1
   selector:
@@ -17,21 +17,35 @@ spec:
         admission.datadoghq.com/enabled: "true"
       annotations:
         ad.datadoghq.com/hubble-commander.logs: '[{"source":"go","service":"hubble-commander"}]'
-        ad.datadoghq.com/tags: '{"env":"staging"}'
+        ad.datadoghq.com/tags: '{"env":"production"}'
     spec:
       imagePullSecrets:
         - name: regcred
+      volumes:
+      - name: chain-spec-yaml
+        secret:
+          secretName: chain-spec
+          items:
+          - key: chain-spec.yaml
+            path: chain-spec.yaml
       containers:
         - name: primary-hubble-commander
-          image: "ghcr.io/worldcoin/hubble-commander:stable"
+          image: "ghcr.io/worldcoin/hubble-commander@sha256:f65594ef5814288b2a3f188ca821edd113e3743bb0224c8f5386d25a4ecb1f72"
           imagePullPolicy: Always
+          volumeMounts:
+          - name: chain-spec-yaml
+            mountPath: /chain-spec
           ports:
             - containerPort: 8080
           envFrom:
             - configMapRef:
                 name: hubble-commander
             - configMapRef:
                 name: primary-hubble-commander
+            - secretRef:
+                name: hubble-commander
+            - secretRef:
+                name: primary-hubble-commander
           livenessProbe:
             exec:
               command:
@@ -48,13 +62,20 @@ spec:
               memory: "6144Mi"
               cpu: "1500m"
         - name: secondary-hubble-commander
-          image: "ghcr.io/worldcoin/hubble-commander:stable"
+          image: "ghcr.io/worldcoin/hubble-commander@sha256:f65594ef5814288b2a3f188ca821edd113e3743bb0224c8f5386d25a4ecb1f72"
           imagePullPolicy: Always
+          volumeMounts:
+          - name: chain-spec-yaml
+            mountPath: /chain-spec
           envFrom:
             - configMapRef:
                 name: hubble-commander
             - configMapRef:
                 name: secondary-hubble-commander
+            - secretRef:
+                name: hubble-commander
+            - secretRef:
+                name: secondary-hubble-commander
           livenessProbe:
             exec:
               command:

deployment/cluster/production/hubble-commander/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: hubble-commander
+  labels:
+    app: hubble-commander
+  namespace: production
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  tls:
+  - hosts:
+    - production.api.worldcoin-distributors.com
+    secretName: hubble-commander-secret
+  rules:
+  - host: production.api.worldcoin-distributors.com
+    http:
+      paths:
+        - path: /hubble/primary(/|$)
+          pathType: Exact
+          backend:
+            serviceName: hubble-commander
+            servicePort: 80
+        - path: /hubble/secondary(/|$)
+          pathType: Exact
+          backend:
+            serviceName: hubble-commander
+            servicePort: 81

deployment/cluster/production/hubble-commander/network-policy.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app: hubble-commander
+  name: hubble-commander
+  namespace: production
+spec:
+  podSelector:
+    matchLabels:
+      app: hubble-commander
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: ingress-nginx
+  - from:
+    - podSelector:
+        matchLabels:
+          app: crypto-sync-transactions
+    - podSelector:
+        matchLabels:
+          app: payments
+    ports:
+    - protocol: TCP
+      port: 8080

deployment/cluster/production/hubble-commander/primary-config-map.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: hubble-commander
+  name: primary-hubble-commander
+  namespace: production
+data:
+  HUBBLE_POSTGRES_NAME: "primary-hubble-commander"