

feat(chart): secret fix, deployment fix for evm-rollup (#1096)
## Summary
Fixes secret push to match general pattern, updates deployment of most
blockscout & faucet resources to only be deployed when used.
joroshiba authored May 22, 2024
1 parent 23c4d9a commit c77d6e0
Showing 8 changed files with 51 additions and 32 deletions.
2 changes: 1 addition & 1 deletion charts/evm-rollup/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.17.1
version: 0.17.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
6 changes: 5 additions & 1 deletion charts/evm-rollup/templates/configmap.yaml
Expand Up @@ -68,6 +68,7 @@ data:
{{- else }}
{{- end }}
---
{{- if .Values.config.faucet.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -79,9 +80,10 @@ data:
ETH_FAUCET_EVM_PROVIDER_URL: "http://{{ .Values.config.rollup.name }}-evm-service:{{ .Values.ports.jsonRPC }}"
ETH_FAUCET_AMOUNT: "{{ .Values.config.faucet.amount }}"
{{- if not .Values.secretProvider.enabled }}
ETH_FAUCET_EVM_PRIVATE_KEY: "{{ .Values.config.faucet.privateKey }}"
ETH_FAUCET_EVM_PRIVATE_KEY: "{{ .Values.config.faucet.privateKey.devContent }}"
{{- end }}
---
{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -102,6 +104,7 @@ data:
init-geth.sh: |
{{- tpl (.Files.Get "files/scripts/init-geth.sh") $ | nindent 4 }}
---
{{- if .Values.config.blockscout.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand Down Expand Up @@ -258,6 +261,7 @@ data:
VISUALIZER__SERVER__GRPC__ENABLED: "false"
VISUALIZER__SERVER__HTTP__ADDR: "0.0.0.0:8151"
---
{{- end }}
{{- if not .Values.secretProvider.enabled }}
apiVersion: v1
kind: ConfigMap
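Review bot: In the second hunk, `ETH_FAUCET_EVM_PRIVATE_KEY: "{{ .Values.config.faucet.privateKey.devContent }}"` still places a signing key in a ConfigMap whenever `secretProvider.enabled` is false, so anyone with `get configmaps` in the namespace, and every `kubectl describe`, sees it in plain text; the rename to `devContent` states the intent but the template does not enforce it. A comment directly above that line, `# dev-only: the key is stored in plain text in this ConfigMap; non-dev installs must set secretProvider.enabled`, would make the contract visible to whoever edits values.yaml, and rendering this entry as a `kind: Secret` instead would give it the RBAC and at-rest treatment a key deserves. The `{{- if .Values.config.faucet.enabled }}` opened in the first hunk closes at the `{{- end }}` of the second, so the faucet ConfigMap and its `---` disappear together, which is correct.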
8 changes: 4 additions & 4 deletions charts/evm-rollup/templates/deployments.yaml
Expand Up @@ -35,7 +35,7 @@ spec:
- name: ETH_FAUCET_EVM_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: evm-private-key
name: faucet-private-key
key: {{ .Values.secretProvider.secrets.evmPrivateKey.key }}
{{- end }}
volumeMounts:
Expand All @@ -44,7 +44,7 @@ spec:
subPath: {{ .Values.config.rollup.name }}/faucet
{{- if .Values.secretProvider.enabled }}
- mountPath: /var/secrets
name: evm-private-key
name: faucet-private-key
{{- end }}
ports:
- containerPort: {{ .Values.ports.faucet }}
Expand All @@ -53,12 +53,12 @@ spec:
- emptyDir: {}
name: {{ .Values.config.rollup.name }}-faucet-home-vol
{{- if .Values.secretProvider.enabled }}
- name: evm-private-key
- name: faucet-private-key
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: evm-private-key
secretProviderClass: faucet-private-key
{{- end }}
---
{{- end }}
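Review bot: The unchanged `key: {{ .Values.secretProvider.secrets.evmPrivateKey.key }}` in the first hunk still reads from `secretProvider.secrets`, but the new SecretProviderClass in this commit takes the faucet key from `.Values.config.faucet.privateKey.secret` and values.yaml appears to drop the `secretProvider.secrets` block entirely; with `secretProvider.enabled: true` Helm would then fail on a nil lookup or emit an empty `key`, so the env var would not resolve against the synced `faucet-private-key` Secret. Change it to `key: {{ .Values.config.faucet.privateKey.secret.key }}` so the Deployment and the SecretProviderClass name the same key. The enclosing Deployment spec starts and ends outside the hunks.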
27 changes: 17 additions & 10 deletions charts/evm-rollup/templates/secretproviderclass.yaml
@@ -1,21 +1,28 @@
{{- if .Values.secretProvider.enabled }}
{{- range $key, $value := .Values.secretProvider.secrets }}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: sequencer-private-key
spec:
provider: {{ .Values.secretProvider.provider }}
parameters:
{{- $_ := set $ "key" .Values.config.sequencer.privateKey.secret }}
{{- tpl $.Values.secretProvider.parametersTemplate $ | nindent 4 }}
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: {{ kebabcase $key }}
name: faucet-private-key
spec:
provider: gcp
provider: {{ .Values.secretProvider.provider }}
secretObjects:
- secretName: {{ kebabcase $key }}
- secretName: faucet-private-key
type: Opaque
data:
- objectName: {{ $value.filename }}
key: {{ $value.key }}
- objectName: {{ .Values.config.faucet.privateKey.secret.filename }}
key: {{ .Values.config.faucet.privateKey.secret.key }}
parameters:
secrets: |
- resourceName: {{ $value.resourceName }}
fileName: "{{ $value.filename }}"
{{- end }}
{{- $_ := set $ "key" .Values.config.faucet.privateKey.secret }}
{{- tpl $.Values.secretProvider.parametersTemplate $ | nindent 4 }}
---
{{- end }}
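Review bot: The faucet SecretProviderClass adds `secretObjects` that sync the key into a Kubernetes Secret named `faucet-private-key`, whereas the sequencer class keeps its key file-mounted only; syncing widens exposure to anyone with `get secrets` in the namespace and to etcd at rest, so it is worth a comment above `secretObjects:` such as `# synced to a Secret because the faucet reads the key via secretKeyRef env; the sequencer key is mount-only`. Separately, `{{- $_ := set $ "key" ... }}` mutates the root context, so `$.key` remains set for every template rendered afterwards and the second `set` silently overwrites the first; passing a local context to `tpl`, e.g. `{{- tpl $.Values.secretProvider.parametersTemplate (merge (dict "key" .Values.config.faucet.privateKey.secret) (deepCopy $)) | nindent 4 }}`, keeps each class self-contained. Both `set` calls use the same `"key"` name, which is what `parametersTemplate` expects, so the behaviour is correct today but order-dependent.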
4 changes: 4 additions & 0 deletions charts/evm-rollup/templates/service.yaml
Expand Up @@ -17,6 +17,7 @@ spec:
port: {{ .Values.ports.gossipnet }}
targetPort: gossipnet
---
{{- if .Values.config.faucet.enabled}}
kind: Service
apiVersion: v1
metadata:
Expand All @@ -30,6 +31,8 @@ spec:
port: {{ .Values.ports.faucet }}
targetPort: faucet
---
{{- end }}
{{- if .Values.config.blockscout.enabled }}
kind: Service
apiVersion: v1
metadata:
Expand All @@ -43,6 +46,7 @@ spec:
port: {{ .Values.ports.blockscout }}
targetPort: blockscout
---
{{- end }}
{{- if .Values.config.rollup.metrics.enabled }}
kind: Service
apiVersion: v1
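Review bot: `{{- if .Values.config.faucet.enabled}}` in the first hunk omits the space before `}}` that every other guard in this commit uses; Go templates accept it, but it breaks a grep for `enabled }}` and reads as a different construct. Write it as `{{- if .Values.config.faucet.enabled }}` to match the blockscout and metrics guards below it.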
2 changes: 2 additions & 0 deletions charts/evm-rollup/templates/storageclasses.yaml
Expand Up @@ -9,6 +9,7 @@ metadata:
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
{{- if .Values.config.blockscout.enabled }}
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
Expand All @@ -18,5 +19,6 @@ provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
---
{{- end }}
{{- end }}
{{- end }}
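Review bot: The new `{{- if .Values.config.blockscout.enabled }}` sits before the `---` separator here, while the same guard added to configmap.yaml, service.yaml and volumes.yaml in this commit sits after the separator; pick one placement so a reader can tell which document a guard owns without counting separators. Helm tolerates either, but the after-`---` form (guard, document, closing `---`, `{{- end }}`) is the one used in the other files and avoids a document without its own separator when blockscout is disabled. The three `{{- end }}` lines at the bottom close blocks that begin outside the hunk; a trailing template comment on each, e.g. `{{- end }}{{/* blockscout.enabled */}}`, would make the nesting checkable from this file alone.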
12 changes: 8 additions & 4 deletions charts/evm-rollup/templates/volumes.yaml
Expand Up @@ -27,6 +27,7 @@ spec:
- astria-dev-cluster-control-plane
- astria-dev-cluster-worker
---
{{- if .Values.config.blockscout.enabled }}
apiVersion: v1
kind: PersistentVolume
metadata:
Expand All @@ -51,6 +52,7 @@ spec:
- astria-dev-cluster-control-plane
- astria-dev-cluster-worker
---
{{- end }}
{{- end }}
apiVersion: v1
kind: PersistentVolumeClaim
Expand All @@ -74,6 +76,7 @@ spec:
requests:
storage: {{ $value.size }}
---
{{- if .Values.config.blockscout.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
Expand All @@ -84,17 +87,18 @@ metadata:
"app.kubernetes.io/managed-by": {{ $.Release.Service | quote }}
"helm.sh/chart": {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
spec:
{{- if $.Values.storage.local }}
{{- if $.Values.storage.local }}
storageClassName: {{ $.Values.config.rollup.name }}-{{ $value.persistentVolumeName }}-blockscout-local
{{- end }}
{{- if $value.storageClassName }}
{{- end }}
{{- if $value.storageClassName }}
storageClassName: {{ $value.storageClassName }}
{{- end }}
{{- end }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ $value.size }}
---
{{- end }}
{{- end }}
{{- end }}
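Review bot: In the blockscout PersistentVolumeClaim hunk, `{{- if $.Values.storage.local }}` and `{{- if $value.storageClassName }}` each emit a `storageClassName:` line, so a chart rendered with `storage.local: true` and an entry that also sets `storageClassName` carries a duplicate mapping key; depending on the YAML decoder this is rejected outright or the last key silently wins, and neither outcome is visible in `helm template` output. Making the precedence explicit with an if/else-if chain removes the duplicate while keeping the explicit per-entry class as the override. This hunk only re-indents those lines, and the enclosing `range` begins outside it.
```yaml
spec:
  {{- if $value.storageClassName }}
  storageClassName: {{ $value.storageClassName }}
  {{- else if $.Values.storage.local }}
  storageClassName: {{ $.Values.config.rollup.name }}-{{ $value.persistentVolumeName }}-blockscout-local
  {{- end }}
  # … unchanged: accessModes, resources …
```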
22 changes: 10 additions & 12 deletions charts/evm-rollup/values.yaml
Expand Up @@ -155,7 +155,12 @@ config:
# the corresponding account given a balance in genesis accounts.
# Note: When secretProvider.enabled is true the secret provided by
# `evmPrivateKey` is used instead of this value.
privateKey: "8b3a7999072c9c9314c084044fe705db11714c6c4ed7cddb64da18ea270dd203"
privateKey:
devContent: "8b3a7999072c9c9314c084044fe705db11714c6c4ed7cddb64da18ea270dd203"
secret:
filename: "key.hex"
resourceName: "projects/$PROJECT_ID/secrets/sequencerPrivateKey/versions/latest"
key: token
# The amount of token to give per request
amount: 1

Expand Down Expand Up @@ -214,17 +219,10 @@ celestia-node:
secretProvider:
enabled: false
provider: gcp
secrets:
# Used in place of sequencer.privateKey value when provider enabled
sequencerPrivateKey:
filename: sequencerPrivateKey.txt
resourceName: "projects/$PROJECT_ID/secrets/sequencerPrivateKey/versions/latest"
key: token
# Used in place of faucet.privateKey value when provider enabled
evmPrivateKey:
filename: evmPrivateKey.txt
resourceName: "projects/$PROJECT_ID/secrets/evmPrivateKey/versions/latest"
key: token
parametersTemplate: |-
secrets: |
- resourceName: {{ .key.resourceName }}
fileName: "{{ .key.filename }}"
ingress:
enabled: true
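Review bot: The new `config.faucet.privateKey.secret.resourceName` defaults to `projects/$PROJECT_ID/secrets/sequencerPrivateKey/versions/latest`, the same resource used for the sequencer key, whereas the `evmPrivateKey` entry in the old `secretProvider.secrets` block pointed at `.../secrets/evmPrivateKey/...`; with `secretProvider.enabled: true` and default values the faucet would be handed the sequencer's signing key, which is both a copy-paste slip and an unintended sharing of a high-value key. Restore `resourceName: "projects/$PROJECT_ID/secrets/evmPrivateKey/versions/latest"`, or whichever faucet-specific secret the deployment intends. The comment above `privateKey:` is now stale as well: it still says the secret provided by `evmPrivateKey` is used, so reword it to `# Note: When secretProvider.enabled is true the secret described under privateKey.secret is used instead of devContent.` The `devContent` default still ships a literal hex key, which is fine as a dev fixture but makes the above resource mix-up the only thing standing between defaults and a real key.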

