Merge branch 'main' into extend-auto-domain

explorer/k8s/helm/micro-squid/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

explorer/k8s/helm/micro-squid/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: squid
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "gemini-3h"

explorer/k8s/helm/micro-squid/config/explorer-env-file

@@ -0,0 +1,8 @@
+POSTGRES_HOST=""
+POSTGRES_USER=""
+POSTGRES_DB="squid"
+POSTGRES_PASSWORD=""
+POSTGRES_PORT=5432
+ARCHIVE_ENDPOINT="https://archive.gemini-3h.subspace.network/api"
+RPC_ENDPOINT="wss://rpc-squids.gemini-3h.subspace.network/ws"
+GQL_PORT=4350

explorer/k8s/helm/micro-squid/misc/acme-certificate.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+  namespace: explorer-network
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: [email protected]
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: explorer-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

explorer/k8s/helm/micro-squid/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Values.namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "squid.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Values.namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Values.namespace }} svc -w {{ include "squid.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Values.namespace }} {{ include "squid.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Values.namespace }} -l "app.kubernetes.io/name={{ include "squid.name" . }},app.kubernetes.io/instance={{ .Values.namespace }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Values.namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Values.namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

explorer/k8s/helm/micro-squid/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+{{/*
+    Expand the name of the chart.
+    */}}
+    {{- define "squid.name" -}}
+    {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+
+    {{/*
+    Create a default fully qualified app name.
+    */}}
+    {{- define "squid.fullname" -}}
+    {{- if .Values.fullnameOverride }}
+    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+    {{- $name := default .Chart.Name .Values.nameOverride }}
+    {{- if contains $name .Release.Name }}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{/*
+    Create chart name and version as used by the chart label.
+    */}}
+    {{- define "squid.chart" -}}
+    {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+
+    {{/*
+    Common labels
+    */}}
+    {{- define "squid.labels" -}}
+    helm.sh/chart: {{ include "squid.chart" . }}
+    {{ include "squid.selectorLabels" . }}
+    {{- if .Chart.AppVersion }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+    {{- end }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- end }}
+
+    {{/*
+    Selector labels
+    */}}
+    {{- define "squid.selectorLabels" -}}
+    app.kubernetes.io/name: {{ include "squid.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+
+    {{/*
+    Create the name of the service account to use
+    */}}
+    {{- define "squid.serviceAccountName" -}}
+    {{- if .Values.serviceAccount.create }}
+    {{- default (include "squid.fullname" .) .Values.serviceAccount.name }}
+    {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+    {{- end }}
+    {{- end }}

explorer/k8s/helm/micro-squid/templates/clusterroles.yaml

@@ -0,0 +1,55 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to
+# read secrets in any namespace.
+kind: ClusterRoleBinding
+metadata:
+  name: secret-reader-cluster-binding
+  namespace: {{ .Values.namespace}}
+subjects:
+  - kind: Group
+    name: manager  # Name is case sensitive
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # "namespace" omitted since ClusterRoles are not namespaced
+  name: secret-reader
+rules:
+  - apiGroups: [""]
+    # at the HTTP level, the name of the resource for accessing Secret
+    # objects is "secrets"
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "squid.fullname" . }}-admin
+  namespace: {{ .Values.namespace}}
+subjects:
+  - kind: Group
+    name: {{ include "squid.fullname" . }}-admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: role-grantor
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings"]
+  verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles"]
+  verbs: ["bind"]
+  # omit resourceNames to allow binding any ClusterRole
+  resourceNames: ["admin","edit","view"]

explorer/k8s/helm/micro-squid/templates/configmap.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.namespace }}-configmap
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: {{ include "squid.fullname" . }}
+data:
+  POSTGRES_PORT: {{ .Values.postgres.postgresPort }}
+  POSTGRES_DB: {{ .Values.postgres.postgresDatabase }}
+  POSTGRES_HOST : {{ .Values.postgres.postgresHost }}
+  files:
+  - ../config/explorer-env-file

explorer/k8s/helm/micro-squid/templates/hpa.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "squid.fullname" . }}
+  labels:
+    {{- include "squid.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "squid.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+  - type: Pods
+    pods:
+      metric:
+        name: packets-per-second
+      target:
+        type: AverageValue
+        averageValue: 3k
+  - type: Object
+    object:
+      metric:
+        name: requests-per-second
+      describedObject:
+        apiVersion: networking.k8s.io/v1
+        kind: Ingress
+        name: main-route
+      target:
+        type: Value
+        value: 10k
+{{- end }}

explorer/k8s/helm/micro-squid/templates/ingress.yaml

@@ -0,0 +1,45 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "squid.fullname" . }}-ingress
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "squid.name" . }}
+    helm.sh/chart: {{ include "squid.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- with .Values.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ .Values.ingress.hosts | first | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path | quote }}
+            pathType: {{ .pathType | quote }}
+            backend:
+              service:
+                name: {{ .Values.lb_service.name | quote }}
+                port:
+                  number: {{ .Values.lb_service.port }}
+          {{- end }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: acme-tls-secret
+data:
+  tls.crt: {{ .Values.ingress.tls.crt | quote }}
+  tls.key: {{ .Values.ingress.tls.key | quote }}

explorer/k8s/helm/micro-squid/templates/loadbal-svc.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "squid.fullname" . }}-loadbal-svc
+  namespace: {{ .Values.namespace}}
+  labels:
+    app: {{ include "squid.fullname" . }}-app
+    chart: {{ include "squid.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selector:
+    name: {{ include "squid.fullname" . }}-app
+    app: {{ include "squid.fullname" . }}-app
+  type: {{ .Values.lb_service.type }}
+  sessionAffinity: None
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 10800
+  ports:
+    {{- range .Values.lb_service.lb_ports }}
+    - port: {{ .port }}
+      name: {{ .name }}
+      targetPort: {{ .targetPort }}
+      protocol: {{ .protocol }}
+    {{- end }}

explorer/k8s/helm/micro-squid/templates/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace }}
+  labels:
+    name: {{ .Values.namespace }}

explorer/k8s/helm/micro-squid/templates/postgres-configmap.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "squid.fullname" . }}-postgres-configmap
+  namespace: {{ .Values.namespace }}
+data:
+  postgres.conf: |-
+    max_connections = 200
+    shared_buffers = 8GB
+    effective_cache_size = 24GB
+    maintenance_work_mem = 2GB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 10485kB
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+    max_worker_processes = 16
+    max_parallel_workers_per_gather = 4
+    max_parallel_workers = 16
+    max_parallel_maintenance_workers = 4
+    shared_preload_libraries='pg_stat_statements'
+    pg_stat_statements.track=all
+    # Replace with particular IP addresses in production
+    listen_addresses = '0.0.0.0'