release: chart upgrades for new releases (#1019)

## Summary
Upgrades all our charts to utilize latest releases, including updates
celestia-node. Additionally removes the token server from celestia-node
& celestia-local which is not needed now that we submit directly to app.
Some secret information has been moved from the core chart into the dev
values to avoid someone actually deploying with these values in
production.

## Background
New releases of core services are cut, this upgrades the charts to
support those.

## Changes
- List changes which were made.

## Testing
Local testing of setitngs with charts both in dev mode and not. CI smoke
test for dev-mode.

## Breaking Changelist
- Charts are upgraded, new releases that are major updates

charts/celestia-local/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.7
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.6.0"
+appVersion: "1.8.0"
 
 maintainers:
   - name: wafflesvonmaple

charts/celestia-local/files/scripts/start-bridge.sh

@@ -2,18 +2,6 @@
 
 set -o errexit -o nounset -o pipefail
 
-function set_token() {
-  # NOTE - this is a hack to get the token to the token-server directory.
-  TOKEN=$(celestia bridge auth admin \
-    --node.store "$home_dir/bridge" \
-    --keyring.accname $validator_key_name)
-
-  # Busybox's httpd doesn't support url rewriting, so it's not simple to server another file.
-  # To support an ingress rule path of `/`, we write the token to index.html, which httpd serves by default.
-  mkdir -p "$home_dir"/token-server
-  echo "$TOKEN" >"$home_dir"/token-server/index.html
-}
-
 function get_genesis() {
   local genesis_hash=$(curl -s -S -X GET "http://127.0.0.1:$celestia_app_host_port/block?height=1" | jq -r '.result.block_id.hash')
   echo "$genesis_hash"
@@ -30,12 +18,6 @@ function wait_for_genesis() {
   echo "$genesis_hash"
 }
 
-# only create token if it does not already exist
-# FIXME - would it be bad to get a new token on every start?
-if [ ! -f "$home_dir"/token-server/index.html ]; then
-  set_token
-fi
-
 echo "waiting for genesis hash from celestia..."
 genesis_hash=$(wait_for_genesis)
 echo "genesis hash received: $genesis_hash"
@@ -50,6 +32,7 @@ find "$home_dir/bridge/keys" -type f -exec chmod 0600 {} \;
 
 echo "staring bridge!"
 exec celestia bridge start \
+  --rpc.skip-auth \
   --node.store "$home_dir/bridge" \
   --core.ip 0.0.0.0 \
   --core.rpc.port "$celestia_app_host_port" \

charts/celestia-local/templates/deployment.yaml

@@ -92,22 +92,6 @@ spec:
             limits:
               cpu: 2
               memory: 8Gi
-        - name: token-server
-          image: {{ .Values.tokenServerImage }}
-          command: [ "/bin/httpd", "-v", "-f", "-p", "5353", "-h", "/home/celestia/token-server/" ]
-          ports:
-            - containerPort: {{ .Values.ports.celestiaTokenService }}
-              name: token-svc
-          volumeMounts:
-            - mountPath: /home/celestia
-              name: celestia-home-vol
-              readOnly: true
-          startupProbe:
-            httpGet:
-              path: /
-              port: token-svc
-            failureThreshold: 30
-            periodSeconds: 5
       volumes:
         - name: bridge-scripts-volume
           configMap:

charts/celestia-local/templates/service.yaml

@@ -13,9 +13,6 @@ spec:
     - name: bridge-jsonrpc
       port: {{ .Values.ports.bridgeRPC }}
       targetPort: bridge-jsonrpc
-    - name: token-svc
-      port: {{ .Values.ports.celestiaTokenService }}
-      targetPort: token-svc
 ---
 apiVersion: v1
 kind: Service

charts/celestia-local/values.yaml

@@ -16,8 +16,7 @@ storage:
       path: "/data/celestia-data"
 
 celestiaAppImage: "ghcr.io/celestiaorg/celestia-app:v1.8.0"
-celestiaNodeImage: "ghcr.io/celestiaorg/celestia-node:v0.12.4"
-tokenServerImage: "busybox:1.35.0-musl"
+celestiaNodeImage: "ghcr.io/celestiaorg/celestia-node:v0.13.4"
 
 podSecurityContext:
   runAsUser: 10001
@@ -43,6 +42,5 @@ validatorStake: "5000000000utia"
 ports:
   celestiaAppHostPort: 26657
   celestiaAppGrpcPort: 9090
-  celestiaTokenService: 5353
   bridgeRPC: 26658
   bridgeHTTP: 26659

charts/celestia-node/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.12.4"
+appVersion: "0.13.4"
 
 maintainers:
   - name: wafflesvonmaple

charts/celestia-node/files/scripts/start-node.sh

@@ -5,16 +5,14 @@ set -o errexit -o nounset -o pipefail
 
 {{- if .Values.config.tokenAuthLevel }}
 function set_token() {
-  # NOTE - this is a hack to get the token to the token-server directory.
+  # NOTE - this is a hack to give access to a token generated on startup to people with ssh access
   TOKEN=$(/bin/celestia {{ .Values.config.type }} auth {{ .Values.config.tokenAuthLevel }} --node.store "/celestia")
 
-  # Busybox's httpd doesn't support url rewriting, so it's not simple to server another file.
-  # To support an ingress rule path of `/`, we write the token to index.html, which httpd serves by default.
-  mkdir -p /celestia/token-server
-  echo "$TOKEN" > /celestia/token-server/index.html
+  mkdir -p /celestia/token
+  echo "$TOKEN" > /celestia/token/token.key
 }
 
-if [ ! -f /celestia/token-server/index.html ]; then
+if [ ! -f /celestia/token/token.key ]; then
   set_token
 fi
 {{- end }}
@@ -25,6 +23,9 @@ export CELESTIA_CUSTOM=$CELESTIA_CUSTOM_TO_BE
 
 exec /bin/celestia {{ .Values.config.type }} start \
   --node.store /celestia \
+  {{- if not .Values.config.tokenAuthLevel }}
+  --rpc.skipAuth \
+  {{- end }}
   {{- if not $isCustomNetwork }}
   --core.ip {{ .Values.config.coreIp }} \
   --core.grpc.port "{{ .Values.config.coreGrpcPort }}" \

charts/celestia-node/templates/statefulset.yaml

@@ -72,24 +72,6 @@ spec:
               subPath: {{ $secret.filename }}
             {{- end }}
             {{- end }}
-        {{- if .Values.config.tokenAuthLevel }}
-        - name: token-server
-          image: {{ .Values.images.tokenServer }}
-          command: [ "/bin/httpd", "-v", "-f", "-p", "{{ .Values.ports.tokenServer }}", "-h", "/celestia/token-server/" ]
-          ports:
-            - containerPort: {{ .Values.ports.tokenServer }}
-              name: token-svc
-          volumeMounts:
-            - mountPath: /celestia
-              name: {{ $label }}-vol
-              readOnly: true
-          startupProbe:
-            httpGet:
-              path: /
-              port: token-svc
-            failureThreshold: 30
-            periodSeconds: 5
-        {{- end }}
       volumes:
         # ------------ Startup scripts -------------
         - name: {{ $label }}-scripts-vol

charts/celestia-node/values.yaml

@@ -11,15 +11,13 @@ config:
   chainId: mocha-4
   coreIp: "full.consensus.mocha-4.celestia-mocha.com"
   type: light
+  tokenAuthLevel: read  # can set to nil or false to disable rpc auth
   coreGrpcPort: 9090
-  tokenAuthLevel: 'read'
   customInfo: ''
 
 images:
   pullPolicy: IfNotPresent
-  node: ghcr.io/celestiaorg/celestia-node:v0.12.4
-  tokenServer: "busybox:1.35.0-musl"
-
+  node: ghcr.io/celestiaorg/celestia-node:v0.13.4
 
 ports:
   celestia:

charts/evm-rollup/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: celestia-node
   repository: file://../celestia-node
-  version: 0.2.1
-digest: sha256:42e3beb2b8dac70b3288ba9bea36cf87d1d51357f84197847895f5056aaafef5
-generated: "2024-03-20T15:44:26.418305-04:00"
+  version: 0.3.0
+digest: sha256:11880d5ac9449bd674625fe78e6af327ba9b8fadacbfe2b43d53f849c80a9860
+generated: "2024-04-26T14:51:12.590892-07:00"

charts/evm-rollup/Chart.yaml

@@ -15,8 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-
-version: 0.13.1
+version: 0.14.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -26,7 +25,7 @@ appVersion: "0.9.1"
 
 dependencies:
   - name: celestia-node
-    version: "0.2.1"
+    version: "0.3.0"
     repository: "file://../celestia-node"
     condition: celestia-node.enabled
 

charts/evm-rollup/templates/configmap.yaml

@@ -12,6 +12,7 @@ data:
   TOKEN_SERVER_URL: "{{ .Values.config.celestia.token }}"
   ASTRIA_CONDUCTOR_CELESTIA_NODE_HTTP_URL: "{{ .Values.config.celestia.rpc }}"
   {{- end }}
+  ASTRIA_CONDUCTOR_CELESTIA_BLOCK_TIME_MS: "12000"
   ASTRIA_CONDUCTOR_EXECUTION_RPC_URL: "http://127.0.0.1:{{ .Values.ports.executionGRPC }}"
   ASTRIA_CONDUCTOR_EXECUTION_COMMIT_LEVEL: "{{ .Values.config.rollup.executionCommitLevel }}"
   ASTRIA_CONDUCTOR_INITIAL_SEQUENCER_BLOCK_HEIGHT: "{{ .Values.config.sequencer.initialBlockHeight }}"
@@ -23,43 +24,27 @@ data:
   ASTRIA_CONDUCTOR_FORCE_STDOUT: "{{ .Values.global.useTTY }}"
   ASTRIA_CONDUCTOR_PRETTY_PRINT: "{{ .Values.global.useTTY }}"
   ASTRIA_CONDUCTOR_NO_OTEL: "{{ not .Values.config.rollup.otel.enabled }}"
+  ASTRIA_CONDUCTOR_CELESTIA_BEARER_TOKEN: "{{ .Values.config.celestia.token }}"
   OTEL_EXPORTER_OTLP_ENDPOINT: "{{ .Values.config.rollup.otel.endpoint }}"
   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: "{{ .Values.config.rollup.otel.tracesEndpoint }}"
   OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: "{{ .Values.config.rollup.otel.tracesTimeout }}"
   OTEL_EXPORTER_OTLP_TRACES_COMPRESSION: "{{ .Values.config.rollup.otel.tracesCompression }}"
   OTEL_EXPORTER_OTLP_HEADERS: "{{ .Values.config.rollup.otel.otlpHeaders }}"
   OTEL_EXPORTER_OTLP_TRACE_HEADERS: "{{ .Values.config.rollup.otel.traceHeaders }}"
   {{- if not .Values.global.dev }}
-
-  # This block is for removing `ASTRIA_CONDUCTOR_CELESTIA_NODE_WEBSOCKET_URL`.
-  # 
-  {{- if (index .Values "celestia-node").enabled }}
-  ASTRIA_CONDUCTOR_CELESTIA_NODE_WEBSOCKET_URL: "{{ include "celestiaNode.service.addresses.ws" (index .Subcharts "celestia-node") }}"
   {{- else }}
-  ASTRIA_CONDUCTOR_CELESTIA_NODE_WEBSOCKET_URL: "{{ .Values.config.celestia.ws }}"
-  {{- end }}
-
-  {{- else }}
-  ASTRIA_CONDUCTOR_CELESTIA_BLOCK_TIME_MS: "12000"
   {{- end }}
 ---
 apiVersion: v1
 kind: ConfigMap
-metadata:
-  name: {{ .Values.config.rollup.name }}-conductor-scripts
-  namespace: {{ include "rollup.namespace" .  }}
-data:
-  start-conductor.sh: |
-    {{- .Files.Get "files/scripts/start-conductor.sh" | nindent 4 }}
----
-apiVersion: v1
-kind: ConfigMap
 metadata:
   name: {{ .Values.config.rollup.name }}-composer-env
   namespace: {{ include "rollup.namespace" .  }}
 data:
   ASTRIA_COMPOSER_LOG: "astria_composer={{ .Values.config.logLevel }}"
   ASTRIA_COMPOSER_API_LISTEN_ADDR: "0.0.0.0:0"
+  ASTRIA_COMPOSER_GRPC_ADDR: "0.0.0.0:{{ .Values.ports.composerGRPC }}"
+  ASTRIA_COMPOSER_SEQUENCER_CHAIN_ID: "{{ .Values.config.sequencer.chainId }}"
   ASTRIA_COMPOSER_SEQUENCER_URL: "{{ .Values.config.sequencer.rpc }}"
   ASTRIA_COMPOSER_ROLLUPS: "{{ .Values.config.rollup.name }}::ws://127.0.0.1:{{ .Values.ports.wsRPC }}"
   ASTRIA_COMPOSER_MAX_BYTES_PER_BUNDLE: "{{ .Values.config.rollup.maxBytesPerBundle }}"
@@ -81,8 +66,6 @@ data:
   {{- end }}
   {{- if not .Values.global.dev }}
   {{- else }}
-  ASTRIA_COMPOSER_GRPC_ADDR: "0.0.0.0:0"
-  ASTRIA_COMPOSER_SEQUENCER_CHAIN_ID: "{{ .Values.config.sequencer.chainId }}"
   {{- end }}
 ---
 apiVersion: v1

charts/evm-rollup/templates/statefulsets.yaml

@@ -115,13 +115,9 @@ spec:
             {{- toYaml .Values.resources.composer | trim | nindent 12 }}
         - name: conductor
           image: {{ include "conductor.image" . }}
-          command: [ "/scripts/start-conductor.sh" ]
+          command: [ "/usr/local/bin/astria-conductor" ]
           stdin: {{ .Values.global.useTTY }}
           tty: {{ .Values.global.useTTY }}
-          volumeMounts:
-            - mountPath: /scripts/
-              name: {{ .Values.config.rollup.name }}-conductor-scripts-volume
-              readOnly: true
           envFrom:
             - configMapRef:
                 name: {{ .Values.config.rollup.name }}-conductor-env
@@ -137,10 +133,6 @@ spec:
           configMap:
             name: {{ .Values.config.rollup.name }}-executor-scripts
             defaultMode: 0500
-        - name: {{ .Values.config.rollup.name }}-conductor-scripts-volume
-          configMap:
-            name: {{ .Values.config.rollup.name }}-conductor-scripts
-            defaultMode: 0500
         - name: {{ $.Values.config.rollup.name }}-rollup-shared-storage-vol
           {{- if .Values.storage.enabled }}
           persistentVolumeClaim:

charts/evm-rollup/values.yaml

@@ -8,16 +8,16 @@ global:
 
 images:
   geth:
-    repo: ghcr.io/astriaorg/go-ethereum
-    tag: "0.9.1"
+    repo: ghcr.io/astriaorg/astria-geth
+    tag: 0.9.1
     devTag: latest
   conductor:
     repo: ghcr.io/astriaorg/conductor
-    tag: "0.13.1"
+    tag: "0.14.0"
     devTag: latest
   composer:
     repo: ghcr.io/astriaorg/composer
-    tag: "0.5.0"
+    tag: "0.6.0"
     devTag: latest
 
   # Rollup faucet
@@ -165,7 +165,6 @@ config:
     # if config.rollup.executionLevel is NOT 'SoftOnly' AND celestia-node is not enabled
     # the rpc, ws, and token fields must be set to access celestia network.
     rpc: ""
-    ws: ""
     token: ""
     initialBlockHeight: "2"
     heightVariance: "10"
@@ -180,7 +179,7 @@ celestia-node:
   config:
     labelPrefix: astria
     type: light
-    tokenAuthLevel: read
+    tokenAuthLevel: false  # Set to false to disable auth
     # You can deploy on top of a custom celestia network, uncomment below and
     # update fields with notes
     # network: custom
@@ -326,6 +325,7 @@ ports:
   jsonRPC: 8545
   wsRPC: 8546
   executionGRPC: 50051
+  composerGRPC: 50052
   gossipnet: 2451
   faucet: 8080
   blockscout: 4000

charts/hermes/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/hermes/templates/configmaps.yaml

@@ -16,7 +16,7 @@ metadata:
   namespace: {{ include "hermes.namespace" $ }}
 data:
   {{ $chain.key.name }}.json: |
-  {{- toPrettyJson $chain.key.content | nindent 4 }}
+  {{- toPrettyJson $chain.key.devContent | nindent 4 }}
 ---
 {{- end }}
 {{- end }}