From 9363d3c4e586320b8b69537418326512f64db0f4 Mon Sep 17 00:00:00 2001
From: Smorci
Date: Wed, 4 Sep 2024 10:16:25 +0200
Subject: [PATCH] JWT as secret, fix commands, first milestone
---
 flake.nix | 2 +-
 kustomize/consensus-layer.yaml | 75 +++++++++++++--------------------
 kustomize/execution-layer.yaml | 77 +++++++++++++++-------------------
 kustomize/generate-token.yaml | 14 -------
 kustomize/hpa.yaml | 20 ---------
 kustomize/kustomization.yaml | 2 -
 scripts/generate-token.sh | 21 ++++++++++
 7 files changed, 85 insertions(+), 126 deletions(-)
 delete mode 100644 kustomize/generate-token.yaml
 delete mode 100644 kustomize/hpa.yaml
 create mode 100755 scripts/generate-token.sh
diff --git a/flake.nix b/flake.nix
index 3dfc247..a7aefee 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@ in {
 devShell = with pkgs; mkShell {
- buildInputs = [ fluxcd fluxctl kind kubectx kubectl ];
+ buildInputs = [ fluxcd fluxctl kind kubectx kubectl git openssl ];
 };
 }
 );
diff --git a/kustomize/consensus-layer.yaml b/kustomize/consensus-layer.yaml
index 0606360..50ac334 100644
--- a/kustomize/consensus-layer.yaml
+++ b/kustomize/consensus-layer.yaml
@@ -21,16 +21,10 @@ spec:
 labels:
 app: consensus-layer
 spec:
- initContainers:
- - name: jwttoken
- image: alpine/openssl:latest
- imagePullPolicy: IfNotPresent
- command: ["sh", "-c", "/mnt/scripts/generate-token.sh"]
- volumeMounts:
- - name: script-volume
- mountPath: /mnt/scripts
- - name: jwt-token-volume
- mountPath: /mnt/jwt
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
 containers:
 - name: lighthouse
 image: sigp/lighthouse:v5.1.3-modern
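Review bot: The new pod-level `securityContext` in the consensus-layer hunk sets `runAsUser`/`runAsGroup`/`fsGroup` to 1001 but not `runAsNonRoot: true`, so nothing makes the kubelet refuse to start the container if that UID line is later removed or changed to 0; add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` under the same `securityContext:` block. Replacing the `alpine/openssl:latest` init container with a mounted Secret also removes an unpinned image from the pod, which is a real improvement worth keeping. Container-level hardening for the lighthouse container (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`) is outside this hunk, so I cannot tell whether it is set; if it is not, it belongs with this change, and the enclosing Deployment spec starts outside the hunk.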
@@ -54,35 +48,16 @@ spec:
 - name: peering
 containerPort: 9001
 protocol: UDP
- command:
- lighthouse bn
- --network mainnet
- --http --http-address 0.0.0.0
- --execution-endpoint http://reth:8551
- --metrics --metrics-address 0.0.0.0
- --execution-jwt /mnt/jwttoken/jwt.hex
- --checkpoint-sync-url https://mainnet.checkpoint.sigp.io
#env:
#- name: PODINFO_UI_COLOR
#value: "#34577c"
#livenessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/healthz
#initialDelaySeconds: 5
#timeoutSeconds: 5
#readinessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/readyz
#initialDelaySeconds: 5
#timeoutSeconds: 5
+ command: ["/bin/sh", "-c"]
+ args:
+ - >
+ lighthouse bn
+ --network mainnet
+ --http --http-address 0.0.0.0
+ --execution-endpoint http://execution-layer-svc:8551
+ --metrics --metrics-address 0.0.0.0
+ --execution-jwt /mnt/token/jwt
+ --checkpoint-sync-url https://mainnet.checkpoint.sigp.io
 resources:
 limits:
 cpu: 3000m
@@ -91,12 +66,20 @@ spec:
 cpu: 2000m
 memory: 8192Mi
 volumeMounts:
- - name: jwt-token-volume
- mountPath: /mnt/jwttoken
+ - name: jwt-secret-volume
+ readOnly: true
+ mountPath: /mnt/token
+ - name: logs
+ mountPath: /logs
+ - name: lighthouse
+ mountPath: /.lighthouse
 volumes:
- - name: script-volume
- configMap:
- name: jwt-script-configmap
- - name: jwt-token-volume
+ - name: jwt-secret-volume
+ secret:
+ secretName: jwt-secret
+ defaultMode: 0770
+ - name: logs
+ emptyDir: {}
+ - name: lighthouse
 emptyDir: {}
-
+
diff --git a/kustomize/execution-layer.yaml b/kustomize/execution-layer.yaml
index 8aca7e5..7e21641 100644
--- a/kustomize/execution-layer.yaml
+++ b/kustomize/execution-layer.yaml
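Review bot: The new `command: ["/bin/sh", "-c"]` in the @@ -54 hunk makes the shell PID 1, so the SIGTERM the kubelet sends at pod termination lands on sh and is not guaranteed to reach lighthouse before the grace period ends in a SIGKILL (some shells exec a sole trailing command, but that is an implementation detail not to rely on); start the folded scalar with `exec lighthouse bn` so the beacon node replaces the shell and can shut down cleanly. The folded `>` scalar also keeps a trailing newline, which sh ignores, but `>-` states the intent. The `--checkpoint-sync-url` places full trust in one checkpoint provider; that is reasonable for a first milestone, but a short comment next to it saying the finalized root should be cross-checked against a second source would record the assumption.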
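Review bot: `defaultMode: 0770` on the `jwt-secret-volume` in the @@ -91 hunk is more permission than the key needs: the mount is `readOnly: true` and the content is a 32-byte hex string, so the group-write and execute bits add nothing, while `defaultMode: 0440` still reads fine for UID 1001 through the pod's `fsGroup: 1001`. Keep the value unquoted with its leading zero: the API server takes this field as an integer and relies on YAML octal parsing, so a quoted `"0440"` would be rejected. The Secret is created out-of-band by scripts/generate-token.sh and is not referenced from kustomization.yaml, so a fresh `kubectl apply -k` leaves the pod in ContainerCreating until that script has been run; a comment on the volume, `# jwt-secret is created by scripts/generate-token.sh, not by kustomize`, would save the next person that debugging.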
@@ -21,16 +21,10 @@ spec:
 labels:
 app: execution-layer
 spec:
- initContainers:
- - name: jwttoken
- image: alpine/openssl:latest
- imagePullPolicy: IfNotPresent
- command: ["sh", "-c", "/mnt/scripts/generate-token.sh"]
- volumeMounts:
- - name: script-volume
- mountPath: /mnt/scripts
- - name: jwt-token-volume
- mountPath: /mnt/jwt
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
 containers:
 - name: reth
 image: ghcr.io/paradigmxyz/reth
@@ -48,37 +42,19 @@ spec:
 - name: peering
 containerPort: 30303
 protocol: TCP
- command:
- node
- --chain mainnet
- --metrics 0.0.0.0:5054
- --log.file.directory /root/logs
- --authrpc.addr 0.0.0.0
- --authrpc.port 8551
- --authrpc.jwtsecret /mnt/jwttoken/jwt.hex
- --http --http.addr 0.0.0.0 --http.port 8545
- --http.api "eth,net,web3"
#env:
#- name: PODINFO_UI_COLOR
#value: "#34577c"
#livenessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/healthz
#initialDelaySeconds: 5
#timeoutSeconds: 5
#readinessProbe:
#exec:
#command:
#- podcli
#- check
#- http
#- localhost:9898/readyz
#initialDelaySeconds: 5
#timeoutSeconds: 5
+ command: ["/bin/sh", "-c"]
+ args:
+ - >
+ reth node
+ --chain mainnet
+ --metrics 0.0.0.0:5054
+ --log.file.directory /logs
+ --authrpc.addr 0.0.0.0
+ --authrpc.port 8551
+ --authrpc.jwtsecret /mnt/token/jwt
+ --http --http.addr 0.0.0.0 --http.port 8545
+ --http.api "eth,net,web3"
+# command: ["sh", "-c", "sleep infinity"]
 resources:
 limits:
 cpu: 3000m
@@ -87,6 +63,21 @@ spec:
 cpu: 2000m
 memory: 8192Mi
 volumeMounts:
- - name: jwt-token-volume
- mountPath: /mnt/jwttoken
+ - name: jwt-secret-volume
+ readOnly: true
+ mountPath: /mnt/token
+ - name: logs
+ mountPath: /logs
+ - name: local
+ mountPath: /.local
+ volumes:
+ - name: jwt-secret-volume
+ secret:
+ secretName: jwt-secret
+ defaultMode: 0770
+ - name: logs
+ emptyDir: {}
+ - name: local
+ emptyDir: {}
+
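Review bot: `image: ghcr.io/paradigmxyz/reth` in the context lines of the @@ -21 hunk carries no tag, so it resolves to `latest` and any pod restart can pull a different, unreviewed reth build than the one this milestone was tested against — unlike the sibling consensus deployment, which pins `sigp/lighthouse:v5.1.3-modern`; pin it to a release tag and ideally an `@sha256:` digest. The same gap as in the consensus layer applies to the pod `securityContext` added here: with only `runAsUser: 1001` set, nothing asserts the non-root requirement if that line is later edited away. Add `runAsNonRoot: true` next to `runAsUser: 1001`; the enclosing Deployment spec starts outside the hunk.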
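Review bot: The new `+# command: ["sh", "-c", "sleep infinity"]` line at column 0 in the @@ -48 hunk is a leftover debug override, and at that indentation it could not be uncommented into place anyway; drop it, or move it into a documented debug overlay. As in the consensus layer, `/bin/sh -c` leaves the shell as PID 1, so reth may not receive SIGTERM and get to flush its database before SIGKILL; prefix the folded scalar with `exec reth node`. The JSON-RPC endpoint on `--http.addr 0.0.0.0 --http.port 8545` is unauthenticated and reachable from anything that can route to the pod; `eth,net,web3` is the conservative namespace set, but nothing in this change restricts who can reach it, so a comment stating that a NetworkPolicy or the Service's exposure is the control here would help the next reader.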
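Review bot: Same issue as the consensus layer: `defaultMode: 0770` on the `jwt-secret-volume` in the @@ -87 hunk grants execute and group-write on a key that is mounted `readOnly: true`; `defaultMode: 0440` is sufficient given the pod's `fsGroup: 1001`, and the value must stay an unquoted octal literal. The hunk also ends with a `+` line that is only whitespace, which yamllint will flag as trailing spaces — drop it. The enclosing Deployment spec starts outside the hunk.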
diff --git a/kustomize/generate-token.yaml b/kustomize/generate-token.yaml
deleted file mode 100644
index 310fb9e..0000000
--- a/kustomize/generate-token.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: jwt-script-configmap
-data:
- generate-token.sh: |
- #!/bin/bash
-
- if [[ ! -f /mnt/jwttoken/jwt.hex ]]
- then
- openssl rand -hex 32 | tr -d "\n" | tee > /mnt/jwttoken/jwt.hex
- else
- echo "/mnt/jwttoken/jwt.hex already exists!"
- fi
diff --git a/kustomize/hpa.yaml b/kustomize/hpa.yaml
deleted file mode 100644
index 263e912..0000000
--- a/kustomize/hpa.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
- name: podinfo
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: podinfo
- minReplicas: 2
- maxReplicas: 4
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- # scale up if usage is above
- # 99% of the requested CPU (100m)
- averageUtilization: 99
diff --git a/kustomize/kustomization.yaml b/kustomize/kustomization.yaml
index 51cc769..dd89bb5 100644
--- a/kustomize/kustomization.yaml
+++ b/kustomize/kustomization.yaml
@@ -1,8 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - hpa.yaml
- - generate-token.yaml
 - execution-layer.yaml
 - consensus-layer.yaml
 - execution-layer-svc.yaml
diff --git a/scripts/generate-token.sh b/scripts/generate-token.sh
new file mode 100755
index 0000000..e236611
--- /dev/null
+++ b/scripts/generate-token.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+if [ $? -ne 0 ]; then
+ echo "Not inside a Git repository"
+ exit 1
+fi
+
+if [[ ! -f $REPO_ROOT/temp/jwt ]]
+then
+ mkdir -p $REPO_ROOT/temp
+ openssl rand -hex 32 | tr -d "\n" | tee > $REPO_ROOT/temp/jwt
+else
+ echo "$REPO_ROOT/temp/jwt already exists!"
+fi
+
+kubectl create secret generic jwt-secret --from-file=$REPO_ROOT/temp/jwt
+
+# Clean up temp file
+rm -r $REPO_ROOT/temp
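Review bot: `openssl rand -hex 32 | tr -d "\n" | tee > $REPO_ROOT/temp/jwt` runs without `set -e`/`pipefail`, so if `openssl` is absent (it is only guaranteed inside the nix devShell) the redirect still creates an empty `temp/jwt` and the following `kubectl create secret` stores an empty engine-API secret; in the same pass the key is written into the working tree with the default umask (typically world-readable) and `$REPO_ROOT` is unquoted throughout. The `if [[ ! -f ... ]]` guard is dead code after the first run because the trailing `rm -r` always removes the file, and `kubectl create` already refuses to overwrite an existing Secret, which is the idempotence the guard was reaching for. The safer shape is to never put the key on disk: pipe it into `kubectl create secret generic jwt-secret --from-file=jwt=/dev/stdin`, which also keeps it out of `ps` output (unlike `--from-literal`) and drops the `git` dependency; this relies on `/dev/stdin` being present, which holds on Linux and macOS.

```bash
#!/usr/bin/env bash
set -euo pipefail

# Generate the 32-byte hex engine-API JWT secret and hand it to kubectl over a
# pipe, so it never lands in the working tree or in a process argument list.
# `kubectl create` fails if jwt-secret already exists; delete it first to rotate.
openssl rand -hex 32 | tr -d '\n' \
  | kubectl create secret generic jwt-secret --from-file=jwt=/dev/stdin
```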