JWT as secret, fix commands, first milestone
Smorci committed Sep 4, 2024
1 parent a499a52 commit 9363d3c
Showing 7 changed files with 85 additions and 126 deletions.
2 changes: 1 addition & 1 deletion flake.nix
Expand Up @@ -11,7 +11,7 @@
in
{
devShell = with pkgs; mkShell {
buildInputs = [ fluxcd fluxctl kind kubectx kubectl ];
buildInputs = [ fluxcd fluxctl kind kubectx kubectl git openssl ];
};
}
);
75 changes: 29 additions & 46 deletions kustomize/consensus-layer.yaml
Expand Up @@ -21,16 +21,10 @@ spec:
labels:
app: consensus-layer
spec:
initContainers:
- name: jwttoken
image: alpine/openssl:latest
imagePullPolicy: IfNotPresent
command: ["sh", "-c", "/mnt/scripts/generate-token.sh"]
volumeMounts:
- name: script-volume
mountPath: /mnt/scripts
- name: jwt-token-volume
mountPath: /mnt/jwt
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
containers:
- name: lighthouse
image: sigp/lighthouse:v5.1.3-modern
Expand All @@ -54,35 +48,16 @@ spec:
- name: peering
containerPort: 9001
protocol: UDP
command:
- lighthouse bn
- --network mainnet
- --http --http-address 0.0.0.0
- --execution-endpoint http://reth:8551
- --metrics --metrics-address 0.0.0.0
- --execution-jwt /mnt/jwttoken/jwt.hex
- --checkpoint-sync-url https://mainnet.checkpoint.sigp.io
#env:
#- name: PODINFO_UI_COLOR
#value: "#34577c"
#livenessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/healthz
#initialDelaySeconds: 5
#timeoutSeconds: 5
#readinessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/readyz
#initialDelaySeconds: 5
#timeoutSeconds: 5
command: ["/bin/sh", "-c"]
args:
- >
lighthouse bn
--network mainnet
--http --http-address 0.0.0.0
--execution-endpoint http://execution-layer-svc:8551
--metrics --metrics-address 0.0.0.0
--execution-jwt /mnt/token/jwt
--checkpoint-sync-url https://mainnet.checkpoint.sigp.io
resources:
limits:
cpu: 3000m
Expand All @@ -91,12 +66,20 @@ spec:
cpu: 2000m
memory: 8192Mi
volumeMounts:
- name: jwt-token-volume
mountPath: /mnt/jwttoken
- name: jwt-secret-volume
readOnly: true
mountPath: /mnt/token
- name: logs
mountPath: /logs
- name: lighthouse
mountPath: /.lighthouse
volumes:
- name: script-volume
configMap:
name: jwt-script-configmap
- name: jwt-token-volume
- name: jwt-secret-volume
secret:
secretName: jwt-secret
defaultMode: 0770
- name: logs
emptyDir: {}
- name: lighthouse
emptyDir: {}
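Review bot: The `command: ["/bin/sh", "-c"]` wrapper introduced in the second hunk makes /bin/sh the container's PID 1 with lighthouse as its child; unless that shell happens to exec a single simple command, the kubelet's SIGTERM on pod deletion stops at the shell and lighthouse is killed with SIGKILL after the grace period, with an unclean beacon-database shutdown. Prefixing the folded args with exec (`exec lighthouse bn`) hands PID 1 to lighthouse itself; the reth wrapper added in execution-layer.yaml has the same shape and needs the same prefix. In the third hunk, `defaultMode: 0770` on the jwt-secret volume is wider than a `readOnly: true` secret mount needs — an executable, group-writable token file; with the pod-level `fsGroup: 1001` added in the first hunk (presumably pod scope, since fsGroup is only valid there and indentation is not visible on this page), `defaultMode: 0440` is sufficient. The leading-zero literal is YAML 1.1 octal, which kubectl's loader honours, so keep it unquoted or write the decimal equivalent rather than quoting it.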

77 changes: 34 additions & 43 deletions kustomize/execution-layer.yaml
Expand Up @@ -21,16 +21,10 @@ spec:
labels:
app: execution-layer
spec:
initContainers:
- name: jwttoken
image: alpine/openssl:latest
imagePullPolicy: IfNotPresent
command: ["sh", "-c", "/mnt/scripts/generate-token.sh"]
volumeMounts:
- name: script-volume
mountPath: /mnt/scripts
- name: jwt-token-volume
mountPath: /mnt/jwt
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
containers:
- name: reth
image: ghcr.io/paradigmxyz/reth
Expand All @@ -48,37 +42,19 @@ spec:
- name: peering
containerPort: 30303
protocol: TCP
command:
- node
- --chain mainnet
- --metrics 0.0.0.0:5054
- --log.file.directory /root/logs
- --authrpc.addr 0.0.0.0
- --authrpc.port 8551
- --authrpc.jwtsecret /mnt/jwttoken/jwt.hex
- --http --http.addr 0.0.0.0 --http.port 8545
- --http.api "eth,net,web3"
#env:
#- name: PODINFO_UI_COLOR
#value: "#34577c"
#livenessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/healthz
#initialDelaySeconds: 5
#timeoutSeconds: 5
#readinessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/readyz
#initialDelaySeconds: 5
#timeoutSeconds: 5
command: ["/bin/sh", "-c"]
args:
- >
reth node
--chain mainnet
--metrics 0.0.0.0:5054
--log.file.directory /logs
--authrpc.addr 0.0.0.0
--authrpc.port 8551
--authrpc.jwtsecret /mnt/token/jwt
--http --http.addr 0.0.0.0 --http.port 8545
--http.api "eth,net,web3"
# command: ["sh", "-c", "sleep infinity"]
resources:
limits:
cpu: 3000m
Expand All @@ -87,6 +63,21 @@ spec:
cpu: 2000m
memory: 8192Mi
volumeMounts:
- name: jwt-token-volume
mountPath: /mnt/jwttoken
- name: jwt-secret-volume
readOnly: true
mountPath: /mnt/token
- name: logs
mountPath: /logs
- name: local
mountPath: /.local
volumes:
- name: jwt-secret-volume
secret:
secretName: jwt-secret
defaultMode: 0770
- name: logs
emptyDir: {}
- name: local
emptyDir: {}
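Review bot: The commented-out `# command: ["sh", "-c", "sleep infinity"]` debug line left between the new args block and `resources:` in the second hunk should be dropped before this lands; it will only drift from the real command as the args evolve. The same args enable `--http --http.addr 0.0.0.0` with `--http.api "eth,net,web3"`, and reth's HTTP JSON-RPC carries no authentication of its own, so if execution-layer-svc (listed in kustomization.yaml) publishes port 8545 beyond the pod, anything on the cluster network can query the node and submit transactions — the namespaces are the public ones, so the exposure is read access plus tx submission, but a NetworkPolicy or leaving 8545 off the Service until it is needed would be the usual mitigation. A comment above `args:` such as `# 8551 (authrpc) is the JWT-protected engine API consumed by lighthouse; 8545 (http) is the unauthenticated public JSON-RPC` would make the distinction explicit for the next reader.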


14 changes: 0 additions & 14 deletions kustomize/generate-token.yaml

This file was deleted.

20 changes: 0 additions & 20 deletions kustomize/hpa.yaml

This file was deleted.

2 changes: 0 additions & 2 deletions kustomize/kustomization.yaml
@@ -1,8 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hpa.yaml
- generate-token.yaml
- execution-layer.yaml
- consensus-layer.yaml
- execution-layer-svc.yaml
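--- /dev/null
+++ b/scripts/generate-token.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+if [ $? -ne 0 ]; then
+echo "Not inside a Git repository"
+exit 1
+fi
+
+if [[ ! -f $REPO_ROOT/temp/jwt ]]
+then
+mkdir -p $REPO_ROOT/temp
+openssl rand -hex 32 | tr -d "\n" | tee > $REPO_ROOT/temp/jwt
+else
+echo "$REPO_ROOT/temp/jwt already exists!"
+fi
+
+kubectl create secret generic jwt-secret --from-file=$REPO_ROOT/temp/jwt
+
+# Clean up temp file
+rm -r $REPO_ROOT/temp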
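Review bot: The JWT secret is written to `$REPO_ROOT/temp/jwt` with whatever the caller's umask allows (typically 0644, readable by every local user) and the script has no `set -e`, so when `kubectl create secret` fails — it does when jwt-secret already exists — the script still returns 0 and the `rm -r` on the last line has already discarded the only copy of the token. `$REPO_ROOT` is also unquoted throughout, which breaks on checkout paths containing spaces, and `| tee > file` is a redirected tee with no arguments, i.e. a plain redirect written the long way. The rewrite below creates the directory and file under `umask 077`, quotes the paths, fails fast on any error, and moves the cleanup into an EXIT trap so the plaintext token never lingers on disk regardless of how the script ends; the `--from-file` key name stays `jwt`, which the manifests mount as `/mnt/token/jwt`.
```shell
#!/usr/bin/env bash
set -euo pipefail

REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "Not inside a Git repository" >&2; exit 1; }
TOKEN_FILE="$REPO_ROOT/temp/jwt"
# Remove the plaintext token from disk however the script ends.
trap 'rm -rf "$REPO_ROOT/temp"' EXIT

if [[ ! -f "$TOKEN_FILE" ]]; then
    # umask 077: directory 0700, file 0600 — the secret sits on disk until kubectl has read it.
    (umask 077; mkdir -p "$REPO_ROOT/temp"; openssl rand -hex 32 | tr -d "\n" > "$TOKEN_FILE")
else
    echo "$TOKEN_FILE already exists!"
fi

kubectl create secret generic jwt-secret --from-file="$TOKEN_FILE"
```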
