-
Notifications
You must be signed in to change notification settings - Fork 268
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
2582b23
commit 0c31fc9
Showing
5 changed files
with
276 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# Create ingress firewall rules for UDP | ||
resource "google_compute_firewall" "udp_ingress" { | ||
name = "allow-udp-ingress-custom" | ||
network = "default" | ||
allow { | ||
protocol = "udp" | ||
ports = ["40400-40499", "8080", "8545"] | ||
} | ||
direction = "INGRESS" | ||
source_ranges = ["0.0.0.0/0"] | ||
target_tags = ["gke-node", "aztec-gke-node"] | ||
} | ||
|
||
# Create egress firewall rules for UDP | ||
resource "google_compute_firewall" "udp_egress" { | ||
name = "allow-udp-egress-custom" | ||
network = "default" | ||
allow { | ||
protocol = "udp" | ||
ports = ["40400-40499", "8080", "8545"] | ||
} | ||
direction = "EGRESS" | ||
destination_ranges = ["0.0.0.0/0"] | ||
target_tags = ["gke-node", "aztec-gke-node"] | ||
} | ||
|
||
# Create ingress firewall rules for TCP | ||
resource "google_compute_firewall" "tcp_ingress" { | ||
name = "allow-tcp-ingress-custom" | ||
network = "default" | ||
allow { | ||
protocol = "tcp" | ||
ports = ["40400-40499", "8080", "8545"] | ||
} | ||
direction = "INGRESS" | ||
source_ranges = ["0.0.0.0/0"] | ||
target_tags = ["gke-node", "aztec-gke-node"] | ||
} | ||
|
||
# Create egress firewall rules for TCP | ||
resource "google_compute_firewall" "tcp_egress" { | ||
name = "allow-tcp-egress-custom" | ||
network = "default" | ||
allow { | ||
protocol = "tcp" | ||
ports = ["40400-40499", "8080", "8545"] | ||
} | ||
direction = "EGRESS" | ||
destination_ranges = ["0.0.0.0/0"] | ||
target_tags = ["gke-node", "aztec-gke-node"] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,193 @@ | ||
terraform { | ||
backend "s3" { | ||
bucket = "aztec-terraform" | ||
key = "spartan-gke-cluster/terraform.tfstate" | ||
region = "eu-west-2" | ||
} | ||
required_providers { | ||
google = { | ||
source = "hashicorp/google" | ||
version = "~> 5.0" | ||
} | ||
} | ||
} | ||
|
||
# Configure the Google Cloud provider | ||
provider "google" { | ||
project = var.project | ||
region = var.region | ||
} | ||
|
||
# Create the service account | ||
resource "google_service_account" "gke_sa" { | ||
account_id = "gke-nodes-sa" | ||
display_name = "GKE Nodes Service Account" | ||
description = "Service account for GKE nodes" | ||
} | ||
|
||
# Add IAM roles to the service account | ||
resource "google_project_iam_member" "gke_sa_roles" { | ||
for_each = toset([ | ||
"roles/logging.logWriter", | ||
"roles/monitoring.metricWriter", | ||
"roles/monitoring.viewer", | ||
"roles/artifactregistry.reader" | ||
]) | ||
project = var.project | ||
role = each.key | ||
member = "serviceAccount:${google_service_account.gke_sa.email}" | ||
} | ||
|
||
# Create a new service account for Helm | ||
resource "google_service_account" "helm_sa" { | ||
account_id = "helm-sa" | ||
display_name = "Helm Service Account" | ||
description = "Service account for Helm operations" | ||
} | ||
|
||
# Add IAM roles to the Helm service account | ||
resource "google_project_iam_member" "helm_sa_roles" { | ||
for_each = toset([ | ||
"roles/container.admin", | ||
"roles/storage.admin", | ||
"roles/secretmanager.admin" | ||
]) | ||
project = var.project | ||
role = each.key | ||
member = "serviceAccount:${google_service_account.helm_sa.email}" | ||
} | ||
|
||
# Create a GKE cluster | ||
resource "google_container_cluster" "primary" { | ||
name = "spartan-gke" | ||
location = var.zone | ||
|
||
initial_node_count = 1 | ||
# Remove default node pool after cluster creation | ||
remove_default_node_pool = true | ||
|
||
# Kubernetes version | ||
min_master_version = "latest" | ||
|
||
# Network configuration | ||
network = "default" | ||
subnetwork = "default" | ||
|
||
# Master auth configuration | ||
master_auth { | ||
client_certificate_config { | ||
issue_client_certificate = false | ||
} | ||
} | ||
} | ||
|
||
# Create primary node pool with autoscaling | ||
resource "google_container_node_pool" "primary_nodes" { | ||
name = "primary-node-pool" | ||
location = var.zone | ||
cluster = google_container_cluster.primary.name | ||
|
||
# Enable autoscaling | ||
autoscaling { | ||
min_node_count = 1 | ||
max_node_count = 5 | ||
} | ||
|
||
# Node configuration | ||
node_config { | ||
machine_type = "t2d-standard-32" | ||
|
||
service_account = google_service_account.gke_sa.email | ||
oauth_scopes = [ | ||
"https://www.googleapis.com/auth/cloud-platform" | ||
] | ||
|
||
labels = { | ||
env = "production" | ||
} | ||
tags = ["gke-node"] | ||
} | ||
|
||
# Management configuration | ||
management { | ||
auto_repair = true | ||
auto_upgrade = true | ||
} | ||
} | ||
|
||
# Create node pool for aztec nodes (validators, prover nodes, boot nodes) | ||
resource "google_container_node_pool" "aztec_nodes" { | ||
name = "aztec-node-pool" | ||
location = var.zone | ||
cluster = google_container_cluster.primary.name | ||
|
||
# Enable autoscaling | ||
autoscaling { | ||
min_node_count = 1 | ||
max_node_count = 128 | ||
} | ||
|
||
# Node configuration | ||
node_config { | ||
machine_type = "t2d-standard-8" | ||
|
||
service_account = google_service_account.gke_sa.email | ||
oauth_scopes = [ | ||
"https://www.googleapis.com/auth/cloud-platform" | ||
] | ||
|
||
labels = { | ||
env = "production" | ||
} | ||
tags = ["gke-node", "aztec"] | ||
} | ||
|
||
# Management configuration | ||
management { | ||
auto_repair = true | ||
auto_upgrade = true | ||
} | ||
} | ||
|
||
# Create spot instance node pool with autoscaling | ||
resource "google_container_node_pool" "spot_nodes" { | ||
name = "spot-node-pool" | ||
location = var.zone | ||
cluster = google_container_cluster.primary.name | ||
|
||
# Enable autoscaling | ||
autoscaling { | ||
min_node_count = 0 | ||
max_node_count = 10 | ||
} | ||
|
||
# Node configuration | ||
node_config { | ||
machine_type = "t2d-standard-32" | ||
spot = true | ||
|
||
service_account = google_service_account.gke_sa.email | ||
oauth_scopes = [ | ||
"https://www.googleapis.com/auth/cloud-platform" | ||
] | ||
|
||
labels = { | ||
env = "production" | ||
pool = "spot" | ||
} | ||
tags = ["gke-node", "spot"] | ||
|
||
# Spot instance termination handler | ||
taint { | ||
key = "cloud.google.com/gke-spot" | ||
value = "true" | ||
effect = "NO_SCHEDULE" | ||
} | ||
} | ||
|
||
# Management configuration | ||
management { | ||
auto_repair = true | ||
auto_upgrade = true | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
output "cluster_endpoint" { | ||
value = google_container_cluster.primary.endpoint | ||
} | ||
|
||
output "service_account_email" { | ||
value = google_service_account.gke_sa.email | ||
} | ||
|
||
output "region" { | ||
description = "Google cloud region" | ||
value = var.region | ||
} | ||
|
||
output "kubernetes_cluster_name" { | ||
description = "GKE Cluster Name" | ||
value = google_container_cluster.primary.name | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
variable "project" { | ||
default = "testnet-440309" | ||
} | ||
|
||
variable "region" { | ||
default = "us-east4" | ||
} | ||
|
||
variable "zone" { | ||
default = "us-east4-a" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters