sync forge tf changes

aptos-labs · Apr 11, 2024 · 865663b · 865663b
1 parent 462ec0b
commit 865663b
Show file tree

Hide file tree

Showing 8 changed files with 136 additions and 40 deletions.
diff --git a/terraform/helm/aptos-node/README.md b/terraform/helm/aptos-node/README.md
@@ -17,20 +17,22 @@ Aptos blockchain node deployment
 | chain.chain_id | int | `4` | Chain ID |
 | chain.era | int | `1` | Bump this number to wipe the underlying storage |
 | chain.name | string | `"testnet"` | Internal: name of the testnet to connect to |
+| cluster_name | string | `"unknown"` |  |
 | enablePrivilegedMode | bool | `false` | TEST ONLY: Enable running as root for profiling |
 | fullnode.affinity | object | `{}` |  |
 | fullnode.config | object | `{"full_node_networks":[{"network_id":"public","seeds":{}}]}` | Fullnode configuration. See NodeConfig https://github.com/aptos-labs/aptos-core/blob/main/config/src/config/mod.rs |
 | fullnode.force_enable_telemetry | bool | `false` | Flag to force enable telemetry service (useful for forge tests) |
-| fullnode.groups | list | `[{"name":"fullnode","replicas":1}]` | Specify fullnode groups by `name` and number of `replicas` |
+| fullnode.groups | list | `[{"dns_name":"vfn","name":"fullnode","replicas":1}]` | Specify fullnode groups by `name` and number of `replicas` |
 | fullnode.nodeSelector | object | `{}` |  |
-| fullnode.resources.limits.cpu | float | `15.5` |  |
-| fullnode.resources.limits.memory | string | `"26Gi"` |  |
-| fullnode.resources.requests.cpu | int | `15` |  |
-| fullnode.resources.requests.memory | string | `"26Gi"` |  |
+| fullnode.resources.limits.cpu | int | `14` |  |
+| fullnode.resources.limits.memory | string | `"56Gi"` |  |
+| fullnode.resources.requests.cpu | int | `14` |  |
+| fullnode.resources.requests.memory | string | `"56Gi"` |  |
 | fullnode.rust_log | string | `"info"` | Log level for the fullnode |
 | fullnode.storage.class | string | `nil` | Kubernetes storage class to use for fullnode persistent storage |
 | fullnode.storage.size | string | `"2048Gi"` | Size of fullnode persistent storage |
 | fullnode.tolerations | list | `[]` |  |
+| genesis_blob_upload_url | string | `"https://us-west1-aptos-forge-gcp-0.cloudfunctions.net/signed-url"` |  |
 | haproxy.affinity | object | `{}` |  |
 | haproxy.config.send_proxy_protocol | bool | `false` | Whether to send Proxy Protocol v2 |
 | haproxy.enabled | bool | `true` | Enable HAProxy deployment in front of validator and fullnodes |
@@ -43,28 +45,31 @@ Aptos blockchain node deployment
 | haproxy.limits.validator.tcpBufSize | int | `524288` |  |
 | haproxy.nodeSelector | object | `{}` |  |
 | haproxy.replicas | int | `1` | Number of HAProxy replicas |
-| haproxy.resources.limits.cpu | int | `4` |  |
-| haproxy.resources.limits.memory | string | `"8Gi"` |  |
-| haproxy.resources.requests.cpu | int | `4` |  |
-| haproxy.resources.requests.memory | string | `"8Gi"` |  |
+| haproxy.resources.limits.cpu | int | `3` |  |
+| haproxy.resources.limits.memory | string | `"6Gi"` |  |
+| haproxy.resources.requests.cpu | int | `3` |  |
+| haproxy.resources.requests.memory | string | `"6Gi"` |  |
 | haproxy.tls_secret | string | `nil` | Name of the Kubernetes TLS secret to use for HAProxy |
 | haproxy.tolerations | list | `[]` |  |
 | imageTag | string | `"devnet"` | Default image tag to use for all validator and fullnode images |
 | labels | string | `nil` |  |
 | loadTestGenesis | bool | `false` | Load test-data for starting a test network |
 | manageImages | bool | `true` | If true, helm will always override the deployed image with what is configured in the helm values. If not, helm will take the latest image from the currently running workloads, which is useful if you have a separate procedure to update images (e.g. rollout) |
+| migrations.enable_vfn_explicit_pvc | bool | `false` | See templates/fullnode.yaml |
 | multicluster | object | `{"enabled":false,"targetClusters":["forge-multiregion-1","forge-multiregion-2","forge-multiregion-3"]}` | Options for multicluster mode. This is *experimental only*. |
 | numFullnodeGroups | int | `1` | Total number of fullnode groups to deploy |
 | numValidators | int | `1` | Number of validators to deploy |
 | overrideNodeConfig | bool | `false` | Specify validator and fullnode NodeConfigs via named ConfigMaps, rather than the generated ones from this chart. |
 | service.domain | string | `nil` | If set, the base domain name to use for External DNS |
+| service.fullnode.enableAdminPort | bool | `false` | Enable the admin port on fullnodes |
 | service.fullnode.enableMetricsPort | bool | `false` | Enable the metrics port on fullnodes |
 | service.fullnode.enableRestApi | bool | `true` | Enable the REST API on fullnodes |
 | service.fullnode.external.type | string | `"LoadBalancer"` | The Kubernetes ServiceType to use for fullnodes' HAProxy |
 | service.fullnode.externalTrafficPolicy | string | `"Local"` | The externalTrafficPolicy for the fullnode service |
 | service.fullnode.internal.headless | bool | `false` |  |
 | service.fullnode.internal.type | string | `"ClusterIP"` | The Kubernetes ServiceType to use for fullnodes |
 | service.fullnode.loadBalancerSourceRanges | string | `nil` | If set and if the ServiceType is LoadBalancer, allow traffic to fullnodes from these CIDRs |
+| service.validator.enableAdminPort | bool | `false` | Enable the admin port on the validator |
 | service.validator.enableMetricsPort | bool | `false` | Enable the metrics port on the validator |
 | service.validator.enableRestApi | bool | `true` | Enable the REST API on the validator |
 | service.validator.external.type | string | `"LoadBalancer"` | The Kubernetes ServiceType to use for validator's HAProxy |
@@ -83,10 +88,10 @@ Aptos blockchain node deployment
 | validator.image.tag | string | `nil` | Image tag to use for validator images. If set, overrides `imageTag` |
 | validator.name | string | `nil` | Internal: name of your validator for use in labels |
 | validator.nodeSelector | object | `{}` |  |
-| validator.resources.limits.cpu | float | `15.5` |  |
-| validator.resources.limits.memory | string | `"26Gi"` |  |
-| validator.resources.requests.cpu | int | `15` |  |
-| validator.resources.requests.memory | string | `"26Gi"` |  |
+| validator.resources.limits.cpu | int | `14` |  |
+| validator.resources.limits.memory | string | `"56Gi"` |  |
+| validator.resources.requests.cpu | int | `14` |  |
+| validator.resources.requests.memory | string | `"56Gi"` |  |
 | validator.rust_log | string | `"info"` | Log level for the validator |
 | validator.storage.class | string | `nil` | Kubernetes storage class to use for validator persistent storage |
 | validator.storage.size | string | `"2048Gi"` | Size of validator persistent storage |

diff --git a/terraform/helm/aptos-node/templates/fullnode.yaml b/terraform/helm/aptos-node/templates/fullnode.yaml
@@ -98,12 +98,14 @@ spec:
         app.kubernetes.io/instance: fullnode-{{$i}}
         group: {{ .name }}
       annotations:
-        seccomp.security.alpha.kubernetes.io/pod: runtime/default
         checksum/fullnode.yaml: {{ tpl ($.Files.Get "files/configs/fullnode.yaml") $ | sha256sum }}
         prometheus.io/scrape: "true"
         prometheus.io/port: "9101"
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       initContainers:
         - name: run-script
           image: curlimages/curl:latest
@@ -113,8 +115,19 @@ spec:
             - |
               set -x
               cp /opt/aptos/genesis_readonly/* /opt/aptos/genesis
-              signed_url=$(curl -s -X GET "{{ $.Values.genesis_blob_upload_url }}?cluster_name={{ $.Values.cluster_name }}&namespace={{ $.Release.Namespace }}&era={{ $.Values.chain.era }}&method=GET")
-              curl -o /opt/aptos/genesis/genesis.blob "$signed_url"
+              if [ ! -f /opt/aptos/genesis/genesis.blob ]; then
+                genesis_blob_upload_url="{{ $.Values.genesis_blob_upload_url }}"
+                if echo "$genesis_blob_upload_url" | grep -q "\?"; then
+                  genesis_blob_upload_url="$genesis_blob_upload_url&namespace={{ $.Release.Namespace }}&method=GET"
+                else
+                  genesis_blob_upload_url="$genesis_blob_upload_url?namespace={{ $.Release.Namespace }}&method=GET"
+                fi
+                echo "genesis.blob not found locally, downloading..."
+                signed_url=$(curl -s -X GET "$genesis_blob_upload_url&namespace={{ $.Release.Namespace }}&method=GET")
+                curl -o /opt/aptos/genesis/genesis.blob "$signed_url"
+              else
+                echo "genesis.blob found locally"
+              fi
               ls -l /opt/aptos/genesis
           volumeMounts:
             - name: genesis-config

diff --git a/terraform/helm/aptos-node/templates/haproxy.yaml b/terraform/helm/aptos-node/templates/haproxy.yaml
@@ -145,9 +145,11 @@ spec:
         app.kubernetes.io/name: haproxy
         app.kubernetes.io/instance: haproxy-{{$i}}
       annotations:
-        seccomp.security.alpha.kubernetes.io/pod: runtime/default
         checksum/haproxy.cfg: {{ tpl ($.Files.Get "files/haproxy.cfg") $ | sha256sum }}
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       {{- with $.Values.haproxy }}
       containers:
       - name: haproxy

diff --git a/terraform/helm/aptos-node/templates/validator.yaml b/terraform/helm/aptos-node/templates/validator.yaml
@@ -78,12 +78,14 @@ spec:
         app.kubernetes.io/name: validator
         app.kubernetes.io/instance: validator-{{$i}}
       annotations:
-        seccomp.security.alpha.kubernetes.io/pod: runtime/default
         checksum/validator.yaml: {{ tpl ($.Files.Get "files/configs/validator.yaml") $ | sha256sum }}
         prometheus.io/scrape: "true"
         prometheus.io/port: "9101"
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       initContainers:
         - name: run-script
           image: curlimages/curl:latest
@@ -93,8 +95,19 @@ spec:
             - |
               set -x
               cp /opt/aptos/genesis_readonly/* /opt/aptos/genesis
-              signed_url=$(curl -s -X GET "{{ $.Values.genesis_blob_upload_url }}?cluster_name={{ $.Values.cluster_name }}&namespace={{ $.Release.Namespace }}&era={{ $.Values.chain.era }}&method=GET")
-              curl -o /opt/aptos/genesis/genesis.blob "$signed_url"
+              if [ ! -f /opt/aptos/genesis/genesis.blob ]; then
+                genesis_blob_upload_url="{{ $.Values.genesis_blob_upload_url }}"
+                if echo "$genesis_blob_upload_url" | grep -q "\?"; then
+                  genesis_blob_upload_url="$genesis_blob_upload_url&namespace={{ $.Release.Namespace }}&method=GET"
+                else
+                  genesis_blob_upload_url="$genesis_blob_upload_url?namespace={{ $.Release.Namespace }}&method=GET"
+                fi
+                echo "genesis.blob not found locally, downloading..."
+                signed_url=$(curl -s -X GET "$genesis_blob_upload_url&namespace={{ $.Release.Namespace }}&method=GET")
+                curl -o /opt/aptos/genesis/genesis.blob "$signed_url"
+              else
+                echo "genesis.blob found locally"
+              fi
               ls -l /opt/aptos/genesis
           volumeMounts:
             - name: genesis-config

diff --git a/terraform/helm/aptos-node/values.yaml b/terraform/helm/aptos-node/values.yaml
@@ -184,7 +184,7 @@ loadTestGenesis: false
 # -- TEST ONLY: Enable running as root for profiling
 enablePrivilegedMode: false
 
-genesis_blob_upload_url: https://us-west1-aptos-forge-gcp-0.cloudfunctions.net/signed-url
+genesis_blob_upload_url: https://us-west1-aptos-forge-gcp-0.cloudfunctions.net/signed-url?cluster_name=unknown&era=1
 cluster_name: unknown
 
 # Additional labels

diff --git a/terraform/helm/genesis/README.md b/terraform/helm/genesis/README.md
@@ -24,15 +24,20 @@ Aptos blockchain automated genesis ceremony for testnets
 | chain.min_stake | int | `100000000000000` | Minimum stake. Defaults to 1M APTOS coins with 8 decimals |
 | chain.min_voting_threshold | int | `100000000000000` | Mininum voting threshold. Defaults to 1M APTOS coins with 8 decimals |
 | chain.name | string | `"testnet"` | Internal: name of the testnet to connect to |
+| chain.on_chain_consensus_config | string | `nil` | Onchain Consensus Config |
+| chain.on_chain_execution_config | string | `nil` | Onchain Execution Config |
 | chain.recurring_lockup_duration_secs | int | `86400` | Recurring lockup duration in seconds. Defaults to 1 day |
 | chain.required_proposer_stake | int | `100000000000000` | Required stake to be a proposer. 1M APTOS coins with 8 decimals |
 | chain.rewards_apy_percentage | int | `10` | Rewards APY percentage |
 | chain.root_key | string | `"0x5243ca72b0766d9e9cbf2debf6153443b01a1e0e6d086c7ea206eaf6f8043956"` | If specified, the key for the minting capability in testnet |
 | chain.voting_duration_secs | int | `43200` | Voting duration in seconds. Defaults to 12 hours |
 | chain.voting_power_increase_limit | int | `20` | Limit on how much voting power can join every epoch. Defaults to 20%. |
+| enabled | bool | `true` | Used to toggle on and off the automatic genesis job |
+| genesis.cluster_name | string | `"unknown"` |  |
 | genesis.domain | string | `nil` | If set, the base domain name of the fullnode and validator endpoints |
 | genesis.fullnode.enable_onchain_discovery | bool | `true` | Use External DNS as created by aptos-node helm chart for fullnode host in genesis |
 | genesis.fullnode.internal_host_suffix | string | `"fullnode-lb"` | If `enable_onchain_discovery` is false, use this host suffix for internal kubernetes service name |
+| genesis.genesis_blob_upload_url | string | `"https://us-west1-aptos-forge-gcp-0.cloudfunctions.net/signed-url"` |  |
 | genesis.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy to use for tools image |
 | genesis.image.repo | string | `"aptoslabs/tools"` | Image repo to use for tools image for running genesis |
 | genesis.image.tag | string | `nil` | Image tag to use for tools image. If set, overrides `imageTag` |
@@ -51,3 +56,5 @@ Aptos blockchain automated genesis ceremony for testnets
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/terraform/helm/genesis/files/genesis.sh b/terraform/helm/genesis/files/genesis.sh
@@ -12,6 +12,8 @@
 # FULLNODE_INTERNAL_HOST_SUFFIX: default fullnode-lb
 #
 
+set -x
+
 WORKSPACE=${WORKSPACE:-/tmp}
 USERNAME_PREFIX=${USERNAME_PREFIX:-aptos-node}
 VALIDATOR_INTERNAL_HOST_SUFFIX=${VALIDATOR_INTERNAL_HOST_SUFFIX:-validator-lb}
@@ -59,11 +61,6 @@ if [ -z ${CLUSTER_NAME} ]; then
   exit 1
 fi
 
-if [ -z ${GENESIS_BLOB_UPLOAD_URL} ]; then
-  echo "GENESIS_BLOB_UPLOAD_URL must be set"
-  exit 1
-fi
-
 echo "NUM_VALIDATORS=${NUM_VALIDATORS}"
 echo "ERA=${ERA}"
 echo "WORKSPACE=${WORKSPACE}"
@@ -139,17 +136,75 @@ kubectl get pvc -o name | grep /fn- | grep -v "e${ERA}-" | xargs -r kubectl dele
 # delete all genesis secrets except for those from this era
 kubectl get secret -o name | grep "genesis-e" | grep -v "e${ERA}-" | xargs -r kubectl delete
 
-# Upload the genesis.blob to the cloud
-signed_url=$(curl -s -X GET "${GENESIS_BLOB_UPLOAD_URL}?cluster_name=${CLUSTER_NAME}&namespace=${NAMESPACE}&era=${ERA}&method=PUT")
-curl -X PUT -T ${WORKSPACE}/genesis.blob "$signed_url"
+upload_genesis_blob() {
+  if [ -z ${GENESIS_BLOB_UPLOAD_URL} ]; then
+    echo "Skipping genesis blob upload, GENESIS_BLOB_UPLOAD_URL is not set"
+    return 1
+  fi
 
-# create genesis secrets for validators to startup
-for i in $(seq 0 $(($NUM_VALIDATORS - 1))); do
-  username="${USERNAME_PREFIX}-${i}"
-  user_dir="${WORKSPACE}/${username}"
+  local genesis_blob_path="${WORKSPACE}/genesis.blob"
+  local signed_url status_code
+  local genesis_blob_upload_url="${GENESIS_BLOB_UPLOAD_URL}"
+  if echo "$genesis_blob_upload_url" | grep -q "\?"; then
+    genesis_blob_upload_url="$genesis_blob_upload_url&namespace=${NAMESPACE}&method=PUT"
+  else
+    genesis_blob_upload_url="$genesis_blob_upload_url?namespace=${NAMESPACE}&method=PUT"
+  fi
 
-  kubectl create secret generic "${username}-genesis-e${ERA}" \
-    --from-file=waypoint.txt=${WORKSPACE}/waypoint.txt \
-    --from-file=validator-identity.yaml=${user_dir}/validator-identity.yaml \
-    --from-file=validator-full-node-identity.yaml=${user_dir}/validator-full-node-identity.yaml
-done
+  # Set up a trap to remove the temporary file when the script exits
+  local temp_file="$(mktemp)"
+  trap 'rm -f "$temp_file"' EXIT
+
+  # Get the signed URL for uploading the genesis.blob
+  status_code=$(curl -s -o "$temp_file" -w "%{http_code}" "$genesis_blob_upload_url")
+
+  if [[ "${status_code:0:1}" != "2" ]]; then
+    echo "Failed to get signed URL, server responded with status code $status_code"
+    return 1
+  fi
+
+  set +x
+  signed_url=$(< "$temp_file")
+  set -x
+
+  # Upload the genesis.blob using the signed URL
+  status_code=$(curl -s -o "$temp_file" -w "%{http_code}" -X PUT -T "$genesis_blob_path" "$signed_url")
+
+  if [[ "${status_code:0:1}" != "2" ]]; then
+    echo "Upload failed, server responded with status code $status_code"
+    return 1
+  fi
+
+  echo "Upload successful"
+  return 0
+}
+
+create_secrets() {
+  local include_genesis_blob=$1
+
+  for i in $(seq 0 $((NUM_VALIDATORS - 1))); do
+    local username="${USERNAME_PREFIX}-${i}"
+    local user_dir="${WORKSPACE}/${username}"
+
+    local -a files_to_include=(
+      "--from-file=waypoint.txt=${WORKSPACE}/waypoint.txt"
+      "--from-file=validator-identity.yaml=${user_dir}/validator-identity.yaml"
+      "--from-file=validator-full-node-identity.yaml=${user_dir}/validator-full-node-identity.yaml"
+    )
+
+    if [[ "$include_genesis_blob" == "true" ]]; then
+      files_to_include+=("--from-file=genesis.blob=${WORKSPACE}/genesis.blob")
+    fi
+
+    kubectl create secret generic "${username}-genesis-e${ERA}" "${files_to_include[@]}"
+  done
+}
+
+# Include the genesis blob in the secrets if we can't upload it
+if upload_genesis_blob; then
+  echo "Genesis blob uploaded successfully"
+  create_secrets false
+else
+  echo "Genesis blob upload failed, including it in the secrets"
+  create_secrets true
+fi
diff --git a/terraform/helm/genesis/templates/genesis.yaml b/terraform/helm/genesis/templates/genesis.yaml
@@ -89,10 +89,11 @@ spec:
       labels:
         {{- include "aptos-genesis.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/name: genesis
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: runtime/default
     spec:
       restartPolicy: Never
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: genesis
         image: {{ .Values.genesis.image.repo }}:{{ .Values.genesis.image.tag | default .Values.imageTag }}