Deploy to k8s clusters (#103)

* Deploy to k8s clusters * pub metrics net policy * Fix some values
Chia-Network · Sep 16, 2024 · 25538d2 · 25538d2
1 parent 83e02fb
commit 25538d2
Show file tree

Hide file tree

Showing 5 changed files with 109 additions and 19 deletions.
diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
@@ -23,11 +23,22 @@ jobs:
       alternate-latest-mode: true
 
   deploy:
+    name: Deploy ${{ matrix.colo.region }}
     needs:
       - package
-    runs-on: [k8s-public]
+    runs-on: "k8s-public-${{ matrix.colo.region }}"
     container:
       image: registry.gitlab.com/cmmarslender/kubectl-helm:v3
+    strategy:
+      fail-fast: false
+      matrix:
+        colo:
+          - region: fmt
+          - region: msp
+          - region: ldn
+          - region: sin
+    env:
+      REGION: ${{ matrix.colo.region }}
     steps:
       - uses: actions/checkout@v4
 
@@ -43,31 +54,31 @@ jobs:
           url: ${{ secrets.VAULT_URL }}
           token: ${{ env.VAULT_TOKEN }}
           secrets: |
-            secret/data/pub-metrics-eks/rds/rds-info db_host | BLOCK_METRICS_DB_HOST;
-            secret/data/pub-metrics-eks/rds/blocks-read-user username | BLOCK_METRICS_USER;
-            secret/data/pub-metrics-eks/rds/blocks-read-user password | BLOCK_METRICS_PASSWORD;
+            secret/data/${{ matrix.colo.region }}/k8s/k8s-${{ matrix.colo.region }} api_server_url | K8S_API_SERVER_URL;
+            secret/data/${{ matrix.colo.region }}/mysql/db-info host | DB_HOST;
+            secret/data/${{ matrix.colo.region }}/mysql/users/grafana-read-pub username | GRAFANA_PUB_READ_USERNAME;
+            secret/data/${{ matrix.colo.region }}/mysql/users/grafana-read-pub password | GRAFANA_PUB_READ_PASSWORD;
 
       - name: Template grafana configs
         run: |
           j2 templates/datasources.yaml.j2 -o helm/pub-metrics-grafana/datasources
 
-      - name: Get ephemeral aws credentials
-        uses: Chia-Network/actions/vault/aws-sts@main
+      - name: Login to k8s cluster
+        uses: Chia-Network/actions/vault/k8s-login@main
         with:
           vault_url: ${{ secrets.VAULT_URL }}
           vault_token: ${{ env.VAULT_TOKEN }}
-          role_name: pub-metrics-deploy
-
-      - name: Log in to cluster
-        run: aws eks update-kubeconfig --name pub-metrics --region us-west-2
+          backend_name: k8s-${{ matrix.colo.region }}
+          role_name: github-actions
+          cluster_url: ${{ env.K8S_API_SERVER_URL }}
 
       - uses: Chia-Network/actions/helm/deploy@main
         env:
           REPLICAS: 3
-          HOSTNAME: "dashboard.chia.net"
+          HOSTNAME: "dashboard-${{ matrix.colo.region }}.chia.net"
           IMAGE_TAG: "sha-${{ github.sha }}"
         with:
-          namespace: grafana
+          namespace: grafana-pub
           app_name: grafana
           helm_chart: "./helm/pub-metrics-grafana"
           helm_values: "./helm/values.yaml"

diff --git a/helm/pub-metrics-grafana/templates/network-policy.yaml b/helm/pub-metrics-grafana/templates/network-policy.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "pub-metrics-grafana.fullname" . }}
+  labels:
+    {{- include "pub-metrics-grafana.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+          - {{ .Release.Name }}
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - {{ include "pub-metrics-grafana.name" . }}
+  policyTypes:
+    {{- with .Values.networkPolicy.policyTypes }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{if has "Ingress" .Values.networkPolicy.policyTypes }}
+  ingress:
+    {{- with .Values.networkPolicy.ingressRules }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{if has "Egress" .Values.networkPolicy.policyTypes }}
+  egress:
+    {{- with .Values.networkPolicy.egressRules }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/helm/pub-metrics-grafana/values.yaml b/helm/pub-metrics-grafana/values.yaml
@@ -85,3 +85,26 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+networkPolicy:
+  enabled: false
+  policyTypes: []
+  #    - Egress
+  #    - Ingress
+  egressRules: []
+  #    - to:
+  #        - namespaceSelector:
+  #            matchLabels:
+  #              name: chia-blockchain
+  #      ports:
+  #        - protocol: TCP
+  #          port: 8555
+  ingressRules: []
+#    - from:
+#        - namespaceSelector:
+#            matchLabels:
+#              kubernetes.io/metadata.name: chia-blockchain
+#      ports:
+#        - protocol: TCP
+#          port: 8555
+#          port: 8555
diff --git a/helm/values.yaml.j2 b/helm/values.yaml.j2
@@ -6,12 +6,9 @@ image:
 
 ingress:
   enabled: true
-  className: alb
+  className: nginx
   annotations:
     external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    alb.ingress.kubernetes.io/target-type: "ip"
-    alb.ingress.kubernetes.io/scheme: "internet-facing"
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
   hosts:
     - host: {{ HOSTNAME }}
       paths:
@@ -20,6 +17,7 @@ ingress:
   tls:
     - hosts:
         - dashboard.chia.net
+        - dashboard-{{ REGION }}.chia.net
 
 env:
   - name: GF_SERVER_ROOT_URL
@@ -54,3 +52,26 @@ affinity:
                   - pub-metrics-grafana
           topologyKey: kubernetes.io/hostname
         weight: 100
+
+networkPolicy:
+  enabled: true
+  policyTypes:
+    - Egress
+  egressRules:
+    - to:
+        - ipBlock:
+            cidr: "{{ DB_HOST }}/32"
+      ports:
+        - protocol: TCP
+          port: 3306
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: pub-metrics
+      ports:
+        - protocol: TCP
+          port: 8480
+        - protocol: TCP
+          port: 9090
+        - protocol: TCP
+          port: 9093
diff --git a/templates/datasources.yaml.j2 b/templates/datasources.yaml.j2
@@ -22,10 +22,10 @@ datasources:
     editable: False
   - name: block-data
     type: mysql
-    url: {{ BLOCK_METRICS_DB_HOST }}:3306
+    url: {{ DB_HOST }}:3306
     uid: P00A25F4DA48796D5
-    user: '{{ BLOCK_METRICS_USER }}'
+    user: '{{ GRAFANA_PUB_READ_USERNAME }}'
     jsonData:
       database: blocks
     secureJsonData:
-      password: '{{ BLOCK_METRICS_PASSWORD }}'
+      password: '{{ GRAFANA_PUB_READ_PASSWORD }}'