From 983ab06df10da397ed96b8030c7c23fd02bc7e67 Mon Sep 17 00:00:00 2001 From: alvarof2 Date: Fri, 3 Nov 2023 16:35:18 +0100 Subject: [PATCH 1/4] Update values files and GCP Signers docs --- docs/kubernetes-deployment/combiner/README.md | 22 ++-- .../combiner/values/values-alfajores.yaml | 104 ++++++++++++++- .../combiner/values/values-mainnet.yaml | 119 ++++++++++++++++-- .../combiner/values/values-staging.yaml | 117 +++++++++++++++-- docs/kubernetes-deployment/signer/README.md | 88 +++++++++++++ .../staging/values-signer0-staging.yaml | 70 +++++++++++ .../staging/values-signer1-staging.yaml | 70 +++++++++++ .../staging/values-signer2-staging.yaml | 0 8 files changed, 561 insertions(+), 29 deletions(-) create mode 100644 docs/kubernetes-deployment/signer/README.md create mode 100644 docs/kubernetes-deployment/signer/values/staging/values-signer0-staging.yaml create mode 100644 docs/kubernetes-deployment/signer/values/staging/values-signer1-staging.yaml create mode 100644 docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml diff --git a/docs/kubernetes-deployment/combiner/README.md b/docs/kubernetes-deployment/combiner/README.md index b98d24e0d..836d1ea11 100644 --- a/docs/kubernetes-deployment/combiner/README.md +++ b/docs/kubernetes-deployment/combiner/README.md 
@@ -16,8 +16,8 @@ Notice the following: - ``: Name of the Helm release. - ``: Kubernetes namespace to deploy the Helm chart. -- ``: Path to your `values.yaml` file that define the Helm deployment. You can use the examples under [./values] as a guide, but you will have to modify it according to your needs. You can find a table defining the values file [here](https://github.com/celo-org/charts/tree/main/charts/odis-combiner#values). -- ``: The version of the Helm chart. If omitted, it will use the latest version (available at the [chart's README](https://github.com/celo-org/charts/tree/main/charts/odis-combiner#odis-combiner) as a GitHub badge). +- ``: Path to your `values.yaml` file that defines the Helm deployment. You can use the examples under [./values] as a guide, but you will have to modify it according to your needs. You can find a table defining the values file [here](https://github.com/celo-org/charts/tree/main/charts/odis-combiner#values). +- ``: The version of the Helm chart. If omitted, it will use the latest version (available in the [chart's README](https://github.com/celo-org/charts/tree/main/charts/odis-combiner#odis-combiner) as a GitHub badge). ## cLabs Developers 
@@ -31,23 +31,23 @@ ODIS combiner is deployed in the following clusters: - URL: `https://odis-combiner-staging.integration-tests.celo-networks-dev.org` - Alfajores: cluster `alfajores`, namespace `odis-combiner-alfajores` with this [`values-alfajores.yaml` file](./values/values-alfajores.yaml). - URL: `https://odis-combiner-alfajores.alfajores.celo-testnet.org` -- Mainnet: cluster `mainnet`, namespace `odis-combiner-mainnet` with this [`values-mainnet.yaml` file](./values/values-mainnet.yaml). - - URL: `https://odis-combiner-mainnet.mainnet.celo-testnet.org` +- Mainnet: cluster `rc1-us-west1`, namespace `odis-combiner-mainnet` with this [`values-mainnet.yaml` file](./values/values-mainnet.yaml). + - URL: `https://odis-combiner-mainnet.rc1-europe-west1.celo-testnet.org` ### Modifying the deployment There are 2 main ways to modify the ODIS combiner deployment in Kubernetes. -- Directly modify the deployment in GCP console. +- Directly modify the deployment in the GCP console. - Use [Helm](https://helm.sh/). -#### Directly modify the deployment in GCP console +#### Directly modify the deployment in the GCP console -You can access the ODIS deployment following these links. There you can edit the deployment and modify any value as needed (image, Env. Vars., etc.). +You can access the ODIS deployment by following these links. There you can edit the deployment and modify any value as needed (image, Env. Vars., etc.). 
- [Staging](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-combiner-staging/odis-combiner-staging/yaml/view?project=celo-testnet&supportedpurview=project) - [Alfajores](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-combiner-alfajores/odis-combiner-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) -- [Mainnet](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/mainnet/odis-combiner-mainnet/odis-combiner-mainnet/overview?project=celo-testnet-production&supportedpurview=project) +- [Mainnet](https://console.cloud.google.com/kubernetes/deployment/europe-west1-b/rc1-europe-west1/odis-combiner-mainnet/odis-combiner-mainnet/yaml/view?project=celo-testnet-production&supportedpurview=project) #### Use Helm @@ -66,3 +66,9 @@ You can access the ODIS deployment following these links. There you can edit the ``` 5. Ensure there are no sensitive values in the `./values/values-.yaml` file and commit it to this repo. + +### Tracing + +Tracing is enabled in the ODIS combiner. The combiners send traces to a Grafana Agent deployed in the same cluster as the combiners. + +- Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` diff --git a/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml b/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml index 7ea948f4a..a7d821561 100644 --- a/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml +++ b/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml 
@@ -1,92 +1,192 @@ +# Default values for odis-combiner-helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Chart name override nameOverride: "" +# -- Chart full name override fullnameOverride: "" + +# -- Number of deployment replicas replicaCount: 1 + image: + # -- Image repository repository: us-west1-docker.pkg.dev/devopsre/dev-images/odis-combiner + # -- Image pullpolicy pullPolicy: Always + # -- Image tag + # Overrides the image tag whose default is the chart appVersion. tag: "85baf6c3854aff588d88332addd709d544ebd6c4" + +# -- Image pull secrets imagePullSecrets: [] + serviceAccount: + # -- Specifies whether a service account should be created create: true + # -- Annotations to add to the service account annotations: {} + # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template name: "" + env: tracing: + # -- Enable tracing enabled: true + # -- Env. Var TRACER_ENDPOINT. If enabled is false, will not be added to the deployment. endpoint: "https://grafana-agent.odis-alfajores-signer-3.celo-networks-dev.org/api/traces" + # -- Env. Var TRACING_SERVICE_NAME. If enabled is false, will not be added to the deployment. serviceName: "odis-combiner-alfajores-k8s" log: + # -- Env. Var LOG_FORMAT. format: stackdriver + # -- Env. Var LOG_LEVEL. level: trace blockchain: + # -- Env. Var BLOCKCHAIN_PROVIDER. blockchainProvider: "https://alfajores-forno.celo-testnet.org" + # -- Existing secret for Env. Var BLOCKCHAIN_API_KEY. blockchainApiKeyExistingSecret: "odis-combiner-forno-key" domain: + # -- Env. Var DOMAINS_API_ENABLED. domainEnabled: true + # -- Env. Var DOMAIN_FULL_NODE_DELAY_MS domainFullNodeDelayMs: "100" + # -- Env. Var DOMAIN_FULL_NODE_RETRY_COUNT domainFullNodeRetryCount: "5" + # -- Env. Var DOMAIN_FULL_NODE_TIMEOUT_MS domainFullNodeTimeoutMs: "1000" + # -- Env. Var DOMAIN_KEYS_CURRENT_VERSION domainKeysCurrentVersion: "1" + # -- Env. 
Var DOMAIN_KEYS_VERSIONS domainKeysVersions: '[{"keyVersion":1,"threshold":2,"polynomial":"0200000000000000f99af1c8fbcb0a15945ff0f23f0e93b86c101f48250c911b4ab4b15004723f93eea98c8ffd4e166535757b46c0522a0167a40224c88ba43c13685bf2f159e63394416cb41432b320e69e3e0810aa8fa1e1b0c7dcc948fc5742f2b8d752b65081f10d83821b4e2cf90b56cc4fc8c98dc00e5f24f2c5b53fa8ad7c2ebd3963c9223cf95209692d267a4f8084edfc0b5f01f7a31d82bf5421c544b6258749c691b79e6f36d9ba963ead6f25b9986b6bcb7d45b5edb33a616af630b4ce17bf552c81","pubKey":"+ZrxyPvLChWUX/DyPw6TuGwQH0glDJEbSrSxUARyP5PuqYyP/U4WZTV1e0bAUioBZ6QCJMiLpDwTaFvy8VnmM5RBbLQUMrMg5p4+CBCqj6HhsMfcyUj8V0LyuNdStlCB"},{"keyVersion":2,"threshold":2,"polynomial":"0200000000000000f99af1c8fbcb0a15945ff0f23f0e93b86c101f48250c911b4ab4b15004723f93eea98c8ffd4e166535757b46c0522a0167a40224c88ba43c13685bf2f159e63394416cb41432b320e69e3e0810aa8fa1e1b0c7dcc948fc5742f2b8d752b65081f10d83821b4e2cf90b56cc4fc8c98dc00e5f24f2c5b53fa8ad7c2ebd3963c9223cf95209692d267a4f8084edfc0b5f01f7a31d82bf5421c544b6258749c691b79e6f36d9ba963ead6f25b9986b6bcb7d45b5edb33a616af630b4ce17bf552c81","pubKey":"+ZrxyPvLChWUX/DyPw6TuGwQH0glDJEbSrSxUARyP5PuqYyP/U4WZTV1e0bAUioBZ6QCJMiLpDwTaFvy8VnmM5RBbLQUMrMg5p4+CBCqj6HhsMfcyUj8V0LyuNdStlCB"}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_SIGNERS domainOdisServicesSigners: '[{"url": "https://odis-alfajores-signer2.azurefd.net"},{"url": "https://odis-alfajores-signer3.azurefd.net"},{"url": "https://odis-alfajores-signer-1-b.azurefd.net"}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_TIMEOUT_MILLISECONDS domainOdisServicesTimeoutMillisecond: "5000" + # -- Env. Var DOMAIN_SERVICE_NAME domainServiceName: "odis_combiner" + # -- Env. Var DOMAIN_SHOULD_AUTHENTICATE domainShouldAuthenticate: true + # -- Env. Var DOMAIN_SHOULD_CHECK_QUOTA domainShouldCheckQuota: false pnp: + # -- Env. Var PHONE_NUMBER_PRIVACY_API_ENABLED. pnpEnabled: true + # -- Env. Var PNP_FULL_NODE_DELAY_MS pnpFullNodeDelayMs: "100" + # -- Env. 
Var PNP_FULL_NODE_RETRY_COUNT pnpFullNodeRetryCount: "5" + # -- Env. Var PNP_FULL_NODE_TIMEOUT_MS pnpFullNodeTimeoutMs: "1000" + # -- Env. Var PNP_KEYS_CURRENT_VERSION pnpKeysCurrentVersion: "1" + # -- Env. Var PNP_KEYS_VERSIONS pnpKeysVersions: '[{"keyVersion":1,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"kPoRxWdEdZ/Nd3uQnp3FJFs54zuiS+ksqvOm9x8vY6KHPG8jrfqysvIRU0wtqYsBKA7SoAsICMBv8C/Fb2ZpDOqhSqvr/sZbZoHmQfvbqrzbtDIPvUIrHgRS0ydJCMsA"},{"keyVersion":2,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"kPoRxWdEdZ/Nd3uQnp3FJFs54zuiS+ksqvOm9x8vY6KHPG8jrfqysvIRU0wtqYsBKA7SoAsICMBv8C/Fb2ZpDOqhSqvr/sZbZoHmQfvbqrzbtDIPvUIrHgRS0ydJCMsA"}]' + # -- Env. Var PNP_MOCK_DECK pnpMockDeck: "0xbf8a2b73baf8402f8fe906ad3f42b560bf14b39f7df7797ece9e293d6f162188" + # -- Env. Var PNP_ODIS_SERVICES_SIGNERS pnpOdisServicesSigners: '[{"url": "https://odis-alfajores-signer2.azurefd.net"},{"url": "https://odis-alfajores-signer3.azurefd.net"},{"url": "https://odis-alfajores-signer-1-b.azurefd.net"}]' + # -- Env. Var PNP_ODIS_SERVICES_TIMEOUT_MILLISECONDS pnpOdisServicesTimeoutMilliseconds: "5000" + # -- Env. Var PNP_SERVICE_NAME pnpServiceName: "odis_combiner" + # -- Env. 
Var PNP_SHOULD_AUTHENTICATE pnpShouldAuthenticate: true - pnpShouldCheckQuota: false + # -- Env. Var PNP_SHOULD_CHECK_QUOTA + pnpShoulñdCheckQuota: false + # -- Env. Var PNP_SHOULD_MOCK_ACCOUNT_SERVICE pnpShouldMockAccountService: false service: + # -- Env. Var SERVICE_NAME serviceName: "odis-combiner-k8s" + +# -- Custom pod annotations podAnnotations: prometheus.io/path: /metrics prometheus.io/port: "8080" prometheus.io/scrape: "true" + +# -- Custom pod security context podSecurityContext: {} + # fsGroup: 2000 + +# -- Custom container security context securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + ingress: + # -- Enable ingress resource enabled: true + # -- Ingress class name className: "nginx" + # -- Ingress annotations annotations: kubernetes.io/tls-acme: "true" - hosts: + # kubernetes.io/ingress.class: nginx + # -- Ingress hostnames + hosts: - host: odis-combiner-alfajores.alfajores.celo-testnet.org paths: - path: / pathType: ImplementationSpecific + # -- Ingress TLS configuration tls: - secretName: odis-combiner-alfajores.alfajores.celo-testnet.org-tls hosts: - odis-combiner-alfajores.alfajores.celo-testnet.org + +# -- Liveness probe configuration livenessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Readiness probe configuration readinessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Container resources resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + autoscaling: + # -- Enable autoscaling enabled: false + # -- Minimum replicas minReplicas: 1 + # -- Maximum replicas maxReplicas: 3 + # -- CPU target utilization targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Kubernetes node selector nodeSelector: {} + +# -- Kubernetes tolerations tolerations: [] + +# -- Kubernetes pod affinity affinity: {} diff --git a/docs/kubernetes-deployment/combiner/values/values-mainnet.yaml b/docs/kubernetes-deployment/combiner/values/values-mainnet.yaml index c69f9eba1..8bd00b8ad 100644 --- a/docs/kubernetes-deployment/combiner/values/values-mainnet.yaml +++ b/docs/kubernetes-deployment/combiner/values/values-mainnet.yaml 
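Review bot: The added key `pnpShoulñdCheckQuota: false` under `env.pnp` is misspelled (an `ñ` inside `Should`); it replaces the removed `pnpShouldCheckQuota: false`. The chart will presumably not recognise the misspelled key, so PNP_SHOULD_CHECK_QUOTA silently takes the chart default instead of the value written here. Quota checking is the rate-limiting control on the PNP endpoint, so the effective setting should be explicit: restore `pnpShouldCheckQuota: false`. Separately, this file keeps `repository: us-west1-docker.pkg.dev/devopsre/dev-images/odis-combiner` and the old hash tag, while the mainnet and staging files in this patch move to `social-connect`; it is worth confirming that this is intentional.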
@@ -1,92 +1,191 @@ +# Default values for odis-combiner-helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Chart name override nameOverride: "" +# -- Chart full name override fullnameOverride: "" + +# -- Number of deployment replicas replicaCount: 1 + image: - repository: us-west1-docker.pkg.dev/devopsre/dev-images/odis-combiner + # -- Image repository + repository: us-west1-docker.pkg.dev/devopsre/social-connect/odis-combiner + # -- Image pullpolicy pullPolicy: Always - tag: "85baf6c3854aff588d88332addd709d544ebd6c4" + # -- Image tag + # Overrides the image tag whose default is the chart appVersion. + tag: "odis-combiner-3.3.1" + +# -- Image pull secrets imagePullSecrets: [] + serviceAccount: + # -- Specifies whether a service account should be created create: true + # -- Annotations to add to the service account annotations: {} + # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template name: "" + env: tracing: + # -- Enable tracing enabled: true + # -- Env. Var TRACER_ENDPOINT. If enabled is false, will not be added to the deployment. endpoint: "https://grafana-agent.odis-mainnet-signer-westus2.celo-networks-dev.org/api/traces" + # -- Env. Var TRACING_SERVICE_NAME. If enabled is false, will not be added to the deployment. serviceName: "odis-combiner-mainnet-k8s" log: + # -- Env. Var LOG_FORMAT. format: stackdriver + # -- Env. Var LOG_LEVEL. level: trace blockchain: + # -- Env. Var BLOCKCHAIN_PROVIDER. blockchainProvider: "https://forno.celo.org" + # -- Existing secret for Env. Var BLOCKCHAIN_API_KEY. blockchainApiKeyExistingSecret: "odis-combiner-forno-key" domain: + # -- Env. Var DOMAINS_API_ENABLED. domainEnabled: true + # -- Env. Var DOMAIN_FULL_NODE_DELAY_MS domainFullNodeDelayMs: "100" + # -- Env. Var DOMAIN_FULL_NODE_RETRY_COUNT domainFullNodeRetryCount: "5" + # -- Env. 
Var DOMAIN_FULL_NODE_TIMEOUT_MS domainFullNodeTimeoutMs: "1000" + # -- Env. Var DOMAIN_KEYS_CURRENT_VERSION domainKeysCurrentVersion: "1" + # -- Env. Var DOMAIN_KEYS_VERSIONS domainKeysVersions: '[{"keyVersion":1,"threshold":5,"polynomial":"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","pubKey":"LX4tLiuYm8geZ3ztmH7oIWz4ohXt3ePRTd9BbG9RO86NMrApflioiOzKYtIsyjEA0uarnX8Emo+luTY4bwEWpgZDyPYE6UMWAoBaZBdy6NDMgAxSbdNtaQEq51fBjCUA"}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_SIGNERS domainOdisServicesSigners: '[{"url": "https://odis.vladiatorlabs.io"},{"url": "https://mainnet-pgpnp-brazilsouth.azurefd.net"},{"url": "https://phone.chainlayerattestations.com"},{"url": "https://pnprivacy.wotrust.us"},{"url": "https://pgpnp.census.works"},{"url": "https://odis.keyko.rocks"},{"url": "https://odis.celo.spruceid.xyz"}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_TIMEOUT_MILLISECONDS domainOdisServicesTimeoutMillisecond: "5000" + # -- Env. Var DOMAIN_SERVICE_NAME domainServiceName: "odis-combiner-mainnet" + # -- Env. Var DOMAIN_SHOULD_AUTHENTICATE domainShouldAuthenticate: true + # -- Env. Var DOMAIN_SHOULD_CHECK_QUOTA domainShouldCheckQuota: false pnp: + # -- Env. Var PHONE_NUMBER_PRIVACY_API_ENABLED. pnpEnabled: true + # -- Env. Var PNP_FULL_NODE_DELAY_MS pnpFullNodeDelayMs: "100" + # -- Env. Var PNP_FULL_NODE_RETRY_COUNT pnpFullNodeRetryCount: "5" + # -- Env. Var PNP_FULL_NODE_TIMEOUT_MS pnpFullNodeTimeoutMs: "1000" + # -- Env. Var PNP_KEYS_CURRENT_VERSION pnpKeysCurrentVersion: "1" + # -- Env. 
Var PNP_KEYS_VERSIONS pnpKeysVersions: '[{"keyVersion":1,"threshold":6,"polynomial":"060000000000000016fade1df2e68418f0c47c6cc5ecab70e2ed4a89c2f63ecadd6ad2e106a962c407e8b75a0d368d1a69e540c7c5634e01a7f2b8c00bea4303bdfdba8f54229ff197bc399a3c16b9a8838258e31022c2bb2a397c6e835d7e86d8c47b5a63e2e30017f865337fd0060497457135173e2b0eaec6f8f14f0cacb17a5d150218e15bd46963ed1b9d56f956f9c4fc692813100042f098b7f70913f671e28ed1c99104b9b740549c42c59212b6671f1e1675674f7e6b6d690a13bd474ab9f0c83cd48e017514ca3874606f6abde2b957c791376e24d55efe6ccc7a1194a685b9589ca873a51c7e77b7b814a76cd9af2aafef500155280fb84efd3219b04312635568788b3393fd45a11f431a7eef8a8fc59ff2bfd4aab744baf9221bf1774653dda61d8193b720f60c627d5a9fec5c2c16a27e948f2f4545b460090303327262ec87f51fbf860f58d5e051d91d5bb869c8912300a9b1c2d922d329c9b7d5179946e049d52ed9b3876f36e5c8b2a47831eb235a51d8d877a284fbe07750449f9654d332808beb9641404188813cddb8ffad906752d71f3f042b583f501b3b7f3906946f9931c598575bf4c8d3e8941168f8cc8e001c092117257bb073db3885dffca5e8dd76b689d395bb5555cf00f9943a9e1ec9939f9d700407330163220f3c15a9420011b8693fb95c635168b6b0a021263b246301343e80161eac44fe79ba657fe59deb9d297ced18d090a8f65dc9c2e0990177f186d7501a2256ac9ecca36743e118f5dd4ce35dc976d38c8679d53cd11b0f11edb45c3473ce848d35875e63b2d100","pubKey":"FvreHfLmhBjwxHxsxeyrcOLtSonC9j7K3WrS4QapYsQH6LdaDTaNGmnlQMfFY04Bp/K4wAvqQwO9/bqPVCKf8Ze8OZo8Frmog4JY4xAiwrsqOXxug11+htjEe1pj4uMA"},{"keyVersion":2,"threshold":5,"polynomial":"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","pubKey":"FvreHfLmhBjwxHxsxeyrcOLtSonC9j7K3WrS4QapYsQH6LdaDTaNGmnlQMfFY04Bp/K4wAvqQwO9/bqPVCKf8Ze8OZo8Frmog4JY4xAiwrsqOXxug11+htjEe1pj4uMA"}]' + # -- Env. Var PNP_MOCK_DECK pnpMockDeck: "0xbf8a2b73baf8402f8fe906ad3f42b560bf14b39f7df7797ece9e293d6f162188" + # -- Env. 
Var PNP_ODIS_SERVICES_SIGNERS pnpOdisServicesSigners: '[{"url": "https://odis.vladiatorlabs.io"},{"url": "https://mainnet-pgpnp-brazilsouth.azurefd.net"},{"url": "https://mainnet-pgpnp-eastasia.azurefd.net"},{"url": "https://phone.chainlayerattestations.com"},{"url": "https://pnprivacy.wotrust.us"},{"url": "https://pgpnp.census.works"},{"url": "https://odis.keyko.rocks"},{"url": "https://odis.celo.spruceid.xyz"}]' + # -- Env. Var PNP_ODIS_SERVICES_TIMEOUT_MILLISECONDS pnpOdisServicesTimeoutMilliseconds: "5000" + # -- Env. Var PNP_SERVICE_NAME pnpServiceName: "odis-combiner-mainnet" + # -- Env. Var PNP_SHOULD_AUTHENTICATE pnpShouldAuthenticate: true + # -- Env. Var PNP_SHOULD_CHECK_QUOTA pnpShouldCheckQuota: false + # -- Env. Var PNP_SHOULD_MOCK_ACCOUNT_SERVICE pnpShouldMockAccountService: false service: + # -- Env. Var SERVICE_NAME serviceName: "odis-combiner-k8s" -podAnnotations: - prometheus.io/path: /metrics - prometheus.io/port: "8080" - prometheus.io/scrape: "true" + # -- Env. Var SERVICE_PORT + serverPort: 8081 + +# -- Custom pod annotations +podAnnotations: {} + +# -- Custom pod security context podSecurityContext: {} + # fsGroup: 2000 + +# -- Custom container security context securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + ingress: + # -- Enable ingress resource enabled: true + # -- Ingress class name className: "nginx" + # -- Ingress annotations annotations: kubernetes.io/tls-acme: "true" - hosts: - - host: odis-combiner-mainnet.mainnet.celo-testnet.org + # kubernetes.io/ingress.class: nginx + # -- Ingress hostnames + hosts: + - host: odis-combiner-mainnet.rc1-europe-west1.celo-testnet.org paths: - path: / pathType: ImplementationSpecific + # -- Ingress TLS configuration tls: - - secretName: odis-combiner-mainnet.mainnet.celo-testnet.org-tls + - secretName: odis-combiner-mainnet.rc1-europe-west1.celo-testnet.org-tls hosts: - - 
odis-combiner-mainnet.mainnet.celo-testnet.org + - odis-combiner-mainnet.rc1-europe-west1.celo-testnet.org + +# -- Liveness probe configuration livenessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Readiness probe configuration readinessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Container resources resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + autoscaling: + # -- Enable autoscaling enabled: false + # -- Minimum replicas minReplicas: 1 + # -- Maximum replicas maxReplicas: 3 + # -- CPU target utilization targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Kubernetes node selector nodeSelector: {} + +# -- Kubernetes tolerations tolerations: [] + +# -- Kubernetes pod affinity affinity: {} diff --git a/docs/kubernetes-deployment/combiner/values/values-staging.yaml b/docs/kubernetes-deployment/combiner/values/values-staging.yaml index 935be7227..8f2586f74 100644 --- a/docs/kubernetes-deployment/combiner/values/values-staging.yaml +++ b/docs/kubernetes-deployment/combiner/values/values-staging.yaml 
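Review bot: `tag: "odis-combiner-3.3.1"` replaces a 40-hex tag with a release tag while `pullPolicy: Always` stays, so each pod restart re-resolves a mutable tag and mainnet can pick up a different image with no change to this file. Pinning by digest would make the deployed image reviewable, for example `tag: "odis-combiner-3.3.1@sha256:<digest-placeholder>"`, if the chart's image template accepts that form (not visible here). The same applies to the identical `repository`/`tag` change in values-staging.yaml. Also, `podAnnotations: {}` drops the three `prometheus.io/*` annotations in the same hunk that adds `serverPort: 8081`. If metrics are now collected another way, a comment saying so would help; otherwise scraping of the mainnet combiner is lost.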
@@ -1,92 +1,191 @@ +# Default values for odis-combiner-helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Chart name override nameOverride: "" +# -- Chart full name override fullnameOverride: "" + +# -- Number of deployment replicas replicaCount: 1 + image: - repository: us-west1-docker.pkg.dev/devopsre/dev-images/odis-combiner + # -- Image repository + repository: us-west1-docker.pkg.dev/devopsre/social-connect/odis-combiner + # -- Image pullpolicy pullPolicy: Always - tag: "85baf6c3854aff588d88332addd709d544ebd6c4" + # -- Image tag + # Overrides the image tag whose default is the chart appVersion. + tag: "odis-combiner-3.3.1" + +# -- Image pull secrets imagePullSecrets: [] + serviceAccount: + # -- Specifies whether a service account should be created create: true + # -- Annotations to add to the service account annotations: {} + # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template name: "" + env: tracing: + # -- Enable tracing enabled: true - endpoint: "https://grafana-agent.staging-odis2-centralus.celo-networks-dev.org/api/traces" + # -- Env. Var TRACER_ENDPOINT. If enabled is false, will not be added to the deployment. + endpoint: "http://grafana-agent.monitoring:14268/api/traces" + # -- Env. Var TRACING_SERVICE_NAME. If enabled is false, will not be added to the deployment. serviceName: "odis-combiner-staging-k8s" log: + # -- Env. Var LOG_FORMAT. format: stackdriver + # -- Env. Var LOG_LEVEL. level: trace blockchain: + # -- Env. Var BLOCKCHAIN_PROVIDER. blockchainProvider: "https://alfajores-forno.celo-testnet.org" + # -- Existing secret for Env. Var BLOCKCHAIN_API_KEY. blockchainApiKeyExistingSecret: "odis-combiner-forno-key" domain: + # -- Env. Var DOMAINS_API_ENABLED. domainEnabled: true + # -- Env. Var DOMAIN_FULL_NODE_DELAY_MS domainFullNodeDelayMs: "100" + # -- Env. 
Var DOMAIN_FULL_NODE_RETRY_COUNT domainFullNodeRetryCount: "5" + # -- Env. Var DOMAIN_FULL_NODE_TIMEOUT_MS domainFullNodeTimeoutMs: "1000" + # -- Env. Var DOMAIN_KEYS_CURRENT_VERSION domainKeysCurrentVersion: "1" + # -- Env. Var DOMAIN_KEYS_VERSIONS domainKeysVersions: '[{"keyVersion":1,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZecGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"},{"keyVersion":2,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZecGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"},{"keyVersion":3,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZe
cGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"}]' - domainOdisServicesSigners: '[{"url": "https://staging-pgpnp-signer0.azurefd.net", "fallbackUrl": "http://52.154.55.35"},{"url": "https://staging-pgpnp-signer1.azurefd.net", "fallbackUrl": "http://13.89.116.218"},{"url": "https://staging-pgpnp-signer2.azurefd.net", "fallbackUrl": "http://20.84.128.169"}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_SIGNERS + domainOdisServicesSigners: '[{"url": "http://odis-signer0-staging.odis-signer0-staging:3000", "fallbackUrl": ""},{"url": "http://odis-signer1-staging.odis-signer1-staging:3000", "fallbackUrl": ""},{"url": "http://odis-signer2-staging.odis-signer2-staging:3000", "fallbackUrl": ""}]' + # -- Env. Var DOMAIN_ODIS_SERVICES_TIMEOUT_MILLISECONDS domainOdisServicesTimeoutMillisecond: "5000" + # -- Env. Var DOMAIN_SERVICE_NAME domainServiceName: "odis_combiner" + # -- Env. Var DOMAIN_SHOULD_AUTHENTICATE domainShouldAuthenticate: true + # -- Env. Var DOMAIN_SHOULD_CHECK_QUOTA domainShouldCheckQuota: false pnp: + # -- Env. Var PHONE_NUMBER_PRIVACY_API_ENABLED. pnpEnabled: true + # -- Env. Var PNP_FULL_NODE_DELAY_MS pnpFullNodeDelayMs: "100" + # -- Env. Var PNP_FULL_NODE_RETRY_COUNT pnpFullNodeRetryCount: "5" + # -- Env. Var PNP_FULL_NODE_TIMEOUT_MS pnpFullNodeTimeoutMs: "1000" + # -- Env. Var PNP_KEYS_CURRENT_VERSION pnpKeysCurrentVersion: "1" + # -- Env. 
Var PNP_KEYS_VERSIONS pnpKeysVersions: '[{"keyVersion":1,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZecGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"},{"keyVersion":2,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZecGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"},{"keyVersion":3,"threshold":2,"polynomial":"0200000000000000ec5b161ac167995bd17cc0e9cf3f79369efac1fff5b0f68ad0e83dca207e3fc41b8e20bc155ebb3416a7b3d87364490169032189aa7380c47a0a464864fbe0c106e803197ae4959165e7067b95775cee2c74a78d7a67406764f342e5a4b99a003a510287524c9437b12ebb0bfdc7ea46078b807d1b665966961784bd71c4227c272b01c0fcd19c5b92226c1aac324b010abef36192e8ff3abb25686b3e6707bc747b129c32e572b5850db8446bd8f0af9a3fbf6b579793002b1b68528ca4ac00","pubKey":"7FsWGsFnmVvRfMDpzz95Np76wf/1sPaK0Og9yiB+P8QbjiC8FV67NBans9hzZEkBaQMhiapzgMR6CkZIZPvgwQboAxl65JWRZecGe5V3XO4sdKeNemdAZ2TzQuWkuZoA"}]' + # -- Env. 
Var PNP_MOCK_DECK pnpMockDeck: "0xbf8a2b73baf8402f8fe906ad3f42b560bf14b39f7df7797ece9e293d6f162188" - pnpOdisServicesSigners: '[{"url": "https://staging-pgpnp-signer0.azurefd.net", "fallbackUrl": "http://52.154.55.35"},{"url": "https://staging-pgpnp-signer1.azurefd.net", "fallbackUrl": "http://13.89.116.218"},{"url": "https://staging-pgpnp-signer2.azurefd.net", "fallbackUrl": "http://20.84.128.169"}]' + # -- Env. Var PNP_ODIS_SERVICES_SIGNERS + pnpOdisServicesSigners: '[{"url": "http://odis-signer0-staging.odis-signer0-staging:3000", "fallbackUrl": ""},{"url": "http://odis-signer1-staging.odis-signer1-staging:3000", "fallbackUrl": ""},{"url": "http://odis-signer2-staging.odis-signer2-staging:3000", "fallbackUrl": ""}]' + # -- Env. Var PNP_ODIS_SERVICES_TIMEOUT_MILLISECONDS pnpOdisServicesTimeoutMilliseconds: "5000" + # -- Env. Var PNP_SERVICE_NAME pnpServiceName: "odis_combiner" + # -- Env. Var PNP_SHOULD_AUTHENTICATE pnpShouldAuthenticate: true + # -- Env. Var PNP_SHOULD_CHECK_QUOTA pnpShouldCheckQuota: false + # -- Env. Var PNP_SHOULD_MOCK_ACCOUNT_SERVICE pnpShouldMockAccountService: false service: + # -- Env. Var SERVICE_NAME serviceName: "odis-combiner-k8s" -podAnnotations: - prometheus.io/path: /metrics - prometheus.io/port: "8080" - prometheus.io/scrape: "true" + # -- Env. 
Var SERVICE_PORT + serverPort: 8081 + +# -- Custom pod annotations +podAnnotations: {} + +# -- Custom pod security context podSecurityContext: {} + # fsGroup: 2000 + +# -- Custom container security context securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + ingress: + # -- Enable ingress resource enabled: true + # -- Ingress class name className: "nginx" + # -- Ingress annotations annotations: kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.class: nginx + # -- Ingress hostnames hosts: - host: odis-combiner-staging.integration-tests.celo-networks-dev.org paths: - path: / pathType: ImplementationSpecific + # -- Ingress TLS configuration tls: - secretName: odis-combiner-staging.integration-tests.celo-networks-dev.org-tls hosts: - odis-combiner-staging.integration-tests.celo-networks-dev.org + +# -- Liveness probe configuration livenessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Readiness probe configuration readinessProbe: timeoutSeconds: 30 initialDelaySeconds: 60 httpGet: path: /status port: http + +# -- Container resources resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + autoscaling: + # -- Enable autoscaling enabled: false + # -- Minimum replicas minReplicas: 1 + # -- Maximum replicas maxReplicas: 3 + # -- CPU target utilization targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Kubernetes node selector nodeSelector: {} + +# -- Kubernetes tolerations tolerations: [] + +# -- Kubernetes pod affinity affinity: {} diff --git a/docs/kubernetes-deployment/signer/README.md b/docs/kubernetes-deployment/signer/README.md new file mode 100644 index 000000000..df4e94071 --- /dev/null +++ b/docs/kubernetes-deployment/signer/README.md 
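Review bot: Both `domainOdisServicesSigners` and `pnpOdisServicesSigners` now use `http://odis-signerN-staging.odis-signerN-staging:3000`, so combiner-to-signer requests travel as plaintext HTTP. Access to the signers then depends entirely on which workloads in the cluster can reach port 3000 in those namespaces. That may be acceptable for staging, but the README offers these values files as a guide, so a comment above each list would help: `# In-cluster plaintext HTTP; signer namespaces should be restricted by NetworkPolicy. Do not reuse across a network boundary.` Also, `"fallbackUrl": ""` replaces real fallback addresses; whether the combiner treats an empty string as "no fallback" is not visible here, so omitting the key may be safer if the schema allows it. The tracing `endpoint` switches to in-cluster `http://` in the same hunk, and the same caveat applies.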
@@ -0,0 +1,88 @@ +# Kubernetes Deployment + +ODIS Signer can be deployed in Kubernetes with a Helm chart. + +## Helm chart + +ODIS signer Helm chart templates are available [here](https://github.com/celo-org/charts/tree/main/charts/odis-signer). The chart is available through a public GCP Artifact Registry `oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer`. + +Hence the ODIS signer can be deployed as follows in your Kubernetes cluster: + +```bash +helm upgrade -install oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n --create-namespace -f [--version ] +``` + +Notice the following: + +- ``: Name of the Helm release. +- ``: Kubernetes namespace to deploy the Helm chart. +- ``: Path to your `values.yaml` file that defines the Helm deployment. You can use the examples under [./values] as a guide, but you will have to modify it according to your needs. You can find a table defining the values file [here](https://github.com/celo-org/charts/tree/main/charts/odis-signer#values). +- ``: The version of the Helm chart. If omitted, it will use the latest version (available in the [chart's README](https://github.com/celo-org/charts/tree/main/charts/odis-signer#odis-signer) as a GitHub badge). + +## cLabs Developers + +For cLabs developers, this section contains links and information for useful deployments. + +> :warning: You will need to be a cLabs employee with appropiate permissions to access these links. + +ODIS signer is deployed in the following clusters: + +- Staging: cluster `integration-tests` + - Signer0 in namespace `odis-signer0-staging` with this [`values-signer0-staging.yaml` file](./values/staging/values-signer0-staging.yaml). + - URL: `http://odis-signer0-staging.odis-signer0-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Signer1 in namespace `odis-signer1-staging` with this [`values-signer1-staging.yaml` file](./values/staging/values-signer1-staging.yaml). 
+ - URL: `http://odis-signer1-staging.odis-signer1-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Signer2 in namespace `odis-signer2-staging` with this [`values-signer2-staging.yaml` file](./values/staging/values-signer2-staging.yaml). + - URL: `http://odis-signer2-staging.odis-signer2-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + +### Modifying the deployment + +There are 2 main ways to modify the ODIS combiner deployment in Kubernetes. + +- Directly modify the deployment in the GCP console. +- Use [Helm](https://helm.sh/). + +#### Directly modify the deployment in the GCP console + +You can access the ODIS deployment by following these links. There you can edit the deployment and modify any value as needed (image, Env. Vars., etc.). + +- Staging: + - [Signer0](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer0-staging/odis-signer0-staging/yaml/view?project=celo-testnet&supportedpurview=project) + - [Signer1](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer1-staging/odis-signer1-staging/yaml/view?project=celo-testnet&supportedpurview=project) + - [Signer2](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer2-staging/odis-signer2-staging/yaml/view?project=celo-testnet&supportedpurview=project) + +#### Use Helm + +1. Ensure you are connected to the correct Kubernetes cluster (currently, only staging). +2. Get the currently deployed Helm chart values: + + ```bash + helm get values -n odis-signer<0|1|2>-staging odis-signer<0|1|2>-staging -o yaml > ./values/values-signer<0|1|2>-staging.yaml + ``` + +3. Modify the values file accordingly +4. 
Deploy the new release: + + ```bash + helm upgrade -install odis-signer<0|1|2>-staging oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n odis-signer<0|1|2>-staging -f ./values/values-signer<0|1|2>-staging --create-namespace --version + ``` + +5. Ensure there are no sensitive values in the values `.yaml` file and commit it to this repo. + +### Postgres DB + +Each signer has an associated Postgres DB running in its same Kubernetes namespace. These DBs are a copy of the DBs in Azure (database, tables, users, permissions, etc.). + +- Staging: + - Signer0 DB host: `odis-signer0-staging-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer0-staging-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-b/integration-tests/odis-signer0-staging/odis-signer0-staging-db-postgresql/details?project=celo-testnet&supportedpurview=project) + - Signer1 DB host: `odis-signer1-staging-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer1-staging-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-b/integration-tests/odis-signer1-staging/odis-signer1-staging-db-postgresql/details?project=celo-testnet&supportedpurview=project) + - Signer2 DB host: `odis-signer2-staging-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer2-staging-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-b/integration-tests/odis-signer2-staging/odis-signer2-staging-db-postgresql/details?project=celo-testnet&supportedpurview=project) + +### Tracing + +Tracing is enabled in the ODIS signer. The signers send traces to a Grafana Agent deployed in the same cluster as the signers. 
+ +- Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` diff --git a/docs/kubernetes-deployment/signer/values/staging/values-signer0-staging.yaml b/docs/kubernetes-deployment/signer/values/staging/values-signer0-staging.yaml new file mode 100644 index 000000000..d29ccaa3b --- /dev/null +++ b/docs/kubernetes-deployment/signer/values/staging/values-signer0-staging.yaml 
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer0-staging-db-postgresql-hl
+ passwordExistingSecret: odis-signer-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: pgpnp
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer0-staging-domains
+ gcp:
+ projectID: celo-testnet
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer0-staging-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer0-staging-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer0-staging@celo-testnet.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
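Review bot: `securityContext: {}` and `podSecurityContext: {}` near the end of this values file leave the signer container on the image's default user, filesystem and capabilities, even though the pod is bound to a GCP service account through the `iam.gke.io/gcp-service-account` annotation and uses `GoogleSecretManager` as its keystore. A restricted context would limit what a compromised signer process can do with that identity; the fence shows the settings I would start from, in line with the commented-out example in the combiner values files. Whether the image already runs as a non-root user or needs a writable root filesystem is not visible here, so this needs a test deployment before it is applied. The same empty contexts appear in the signer1 and signer2 staging files and in the three alfajores signer files added later in this series.
```yaml
# … unchanged: affinity, autoscaling, env, image, ingress, probes …
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
# … unchanged: readinessProbe, replicaCount, resources …
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
# … unchanged: serviceAccount, tolerations …
```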
diff --git a/docs/kubernetes-deployment/signer/values/staging/values-signer1-staging.yaml b/docs/kubernetes-deployment/signer/values/staging/values-signer1-staging.yaml
new file mode 100644
index 000000000..3ccb61596
--- /dev/null
+++ b/docs/kubernetes-deployment/signer/values/staging/values-signer1-staging.yaml
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer1-staging-db-postgresql-hl
+ passwordExistingSecret: odis-signer-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: pgpnp
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer1-staging-domains
+ gcp:
+ projectID: celo-testnet
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer1-staging-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer1-staging-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer1-staging@celo-testnet.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
diff --git a/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml b/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml new file mode 100644 index 000000000..e69de29bb From 64530a832c81e5a5f03b918037f07dd41d3d8509 Mon Sep 17 00:00:00 2001 From: alvarof2 Date: Fri, 3 Nov 2023 16:36:00 +0100 Subject: [PATCH 2/4] Empty changeset --- .changeset/quiet-taxis-crash.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .changeset/quiet-taxis-crash.md diff --git a/.changeset/quiet-taxis-crash.md b/.changeset/quiet-taxis-crash.md new file mode 100644 index 000000000..a845151cc --- /dev/null +++ b/.changeset/quiet-taxis-crash.md @@ -0,0 +1,2 @@ +--- +--- From 8b7054e24053a72a856b529604bb06a02495cdf2 Mon Sep 17 00:00:00 2001 From: alvarof2 Date: Mon, 6 Nov 2023 11:09:10 +0100 Subject: [PATCH 3/4] Fixes and alfajores signers docs --- docs/kubernetes-deployment/combiner/README.md | 1 + .../combiner/values/values-alfajores.yaml | 15 ++-- docs/kubernetes-deployment/signer/README.md | 26 ++++++- .../alfajores/values-signer0-alfajores.yaml | 70 +++++++++++++++++++ .../alfajores/values-signer1-alfajores.yaml | 70 +++++++++++++++++++ .../alfajores/values-signer2-alfajores.yaml | 70 +++++++++++++++++++ .../staging/values-signer2-staging.yaml | 70 +++++++++++++++++++ 7 files changed, 311 insertions(+), 11 deletions(-) create mode 100644 docs/kubernetes-deployment/signer/values/alfajores/values-signer0-alfajores.yaml create mode 100644 docs/kubernetes-deployment/signer/values/alfajores/values-signer1-alfajores.yaml create mode 100644 docs/kubernetes-deployment/signer/values/alfajores/values-signer2-alfajores.yaml diff --git a/docs/kubernetes-deployment/combiner/README.md b/docs/kubernetes-deployment/combiner/README.md index 836d1ea11..d71c0c722 100644 --- a/docs/kubernetes-deployment/combiner/README.md +++ b/docs/kubernetes-deployment/combiner/README.md 
@@ -72,3 +72,4 @@ You can access the ODIS deployment by following these links. There you can edit Tracing is enabled in the ODIS combiner. The combiners send traces to a Grafana Agent deployed in the same cluster as the combiners. - Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` +- Alfajores Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` diff --git a/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml b/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml index a7d821561..92585e52a 100644 --- a/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml +++ b/docs/kubernetes-deployment/combiner/values/values-alfajores.yaml @@ -12,12 +12,12 @@ replicaCount: 1 image: # -- Image repository - repository: us-west1-docker.pkg.dev/devopsre/dev-images/odis-combiner + repository: us-west1-docker.pkg.dev/devopsre/social-connect/odis-combiner # -- Image pullpolicy pullPolicy: Always # -- Image tag # Overrides the image tag whose default is the chart appVersion. - tag: "85baf6c3854aff588d88332addd709d544ebd6c4" + tag: "odis-combiner-3.3.1" # -- Image pull secrets imagePullSecrets: [] @@ -35,7 +35,7 @@ env: # -- Enable tracing enabled: true # -- Env. Var TRACER_ENDPOINT. If enabled is false, will not be added to the deployment. - endpoint: "https://grafana-agent.odis-alfajores-signer-3.celo-networks-dev.org/api/traces" + endpoint: "http://grafana-agent.monitoring:14268/api/traces" # -- Env. Var TRACING_SERVICE_NAME. If enabled is false, will not be added to the deployment. serviceName: "odis-combiner-alfajores-k8s" log: 
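Review bot: In the first values-alfajores.yaml hunk the image reference moves from a tag named after a commit hash to the release tag `odis-combiner-3.3.1` while `pullPolicy: Always` stays, so the image that runs is whatever that tag points to in the registry when a pod starts. Registry tags can be moved, which means a re-pushed tag would roll out without any change to this file. Pinning the digest keeps the reviewed values and the running image in step, for example `tag: "odis-combiner-3.3.1@sha256:<digest-of-the-released-image>"`, assuming the chart renders the image as `repository:tag` (the template is not shown here). The signer values files added in this series also combine a plain tag with `pullPolicy: Always`.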
@@ -95,18 +95,17 @@ env: # -- Env. Var PNP_SHOULD_AUTHENTICATE pnpShouldAuthenticate: true # -- Env. Var PNP_SHOULD_CHECK_QUOTA - pnpShoulñdCheckQuota: false + pnpShouldCheckQuota: false # -- Env. Var PNP_SHOULD_MOCK_ACCOUNT_SERVICE pnpShouldMockAccountService: false service: # -- Env. Var SERVICE_NAME serviceName: "odis-combiner-k8s" + # -- Env. Var SERVICE_PORT + serverPort: 8081 # -- Custom pod annotations -podAnnotations: - prometheus.io/path: /metrics - prometheus.io/port: "8080" - prometheus.io/scrape: "true" +podAnnotations: {} # -- Custom pod security context podSecurityContext: {} diff --git a/docs/kubernetes-deployment/signer/README.md b/docs/kubernetes-deployment/signer/README.md index df4e94071..c3b9f941a 100644 --- a/docs/kubernetes-deployment/signer/README.md +++ b/docs/kubernetes-deployment/signer/README.md 
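Review bot: Correcting the key from `pnpShoulñdCheckQuota` to `pnpShouldCheckQuota` changes behaviour as well as spelling: a misspelled key is presumably ignored by the chart, so PNP_SHOULD_CHECK_QUOTA would have taken the chart default until now, and from this commit on `false` is what the Alfajores combiner receives. If quota checking is meant to be off on this network, a comment saying so would help, e.g. `# quota checks intentionally disabled on alfajores`; if it is not, the value should become `true`. The same hunk also drops the `prometheus.io/*` pod annotations, so it is worth confirming that metrics are still collected some other way. The `env:` block starts outside the hunk.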
@@ -34,6 +34,14 @@ ODIS signer is deployed in the following clusters: - URL: `http://odis-signer1-staging.odis-signer1-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! - Signer2 in namespace `odis-signer2-staging` with this [`values-signer2-staging.yaml` file](./values/staging/values-signer2-staging.yaml). - URL: `http://odis-signer2-staging.odis-signer2-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! +- Alfajores: cluster `alfajores` + - Signer0 in namespace `odis-signer0-alfajores` with this [`values-signer0-alfajores.yaml` file](./values/alfajores/values-signer0-alfajores.yaml). + - URL: `http://odis-signer0-alfajores.odis-signer0-alfajores:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Signer1 in namespace `odis-signer1-alfajores` with this [`values-signer1-alfajores.yaml` file](./values/alfajores/values-signer1-alfajores.yaml). + - URL: `http://odis-signer1-staging.odis-signer1-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Signer2 in namespace `odis-signer2-alfajores` with this [`values-signer2-alfajores.yaml` file](./values/alfajores/values-signer2-alfajores.yaml). + - URL: `http://odis-signer2-alfajores.odis-signer2-alfajores:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + ### Modifying the deployment 
@@ -50,21 +58,25 @@ You can access the ODIS deployment by following these links. There you can edit - [Signer0](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer0-staging/odis-signer0-staging/yaml/view?project=celo-testnet&supportedpurview=project) - [Signer1](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer1-staging/odis-signer1-staging/yaml/view?project=celo-testnet&supportedpurview=project) - [Signer2](https://console.cloud.google.com/kubernetes/deployment/us-west1-b/integration-tests/odis-signer2-staging/odis-signer2-staging/yaml/view?project=celo-testnet&supportedpurview=project) +- Alfajores: + - [Signer0](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer0-alfajores/odis-signer0-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) + - [Signer1](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer1-alfajores/odis-signer1-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) + - [Signer2](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer2-alfajores/odis-signer2-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) #### Use Helm -1. Ensure you are connected to the correct Kubernetes cluster (currently, only staging). +1. Ensure you are connected to the correct Kubernetes cluster (currently, only staging and alfajores). 2. Get the currently deployed Helm chart values: ```bash - helm get values -n odis-signer<0|1|2>-staging odis-signer<0|1|2>-staging -o yaml > ./values/values-signer<0|1|2>-staging.yaml + helm get values -n odis-signer<0|1|2>- odis-signer<0|1|2>- -o yaml > ./values/values-signer<0|1|2>-.yaml ``` 3. Modify the values file accordingly 4. 
Deploy the new release: ```bash - helm upgrade -install odis-signer<0|1|2>-staging oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n odis-signer<0|1|2>-staging -f ./values/values-signer<0|1|2>-staging --create-namespace --version + helm upgrade -install odis-signer<0|1|2>- oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n odis-signer<0|1|2>- -f ./values//values-signer<0|1|2>- --create-namespace --version ``` 5. Ensure there are no sensitive values in the values `.yaml` file and commit it to this repo. 
@@ -80,9 +92,17 @@ Each signer has an associated Postgres DB running in its same Kubernetes namespa - Deployment: [`odis-signer1-staging-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-b/integration-tests/odis-signer1-staging/odis-signer1-staging-db-postgresql/details?project=celo-testnet&supportedpurview=project) - Signer2 DB host: `odis-signer2-staging-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! - Deployment: [`odis-signer2-staging-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-b/integration-tests/odis-signer2-staging/odis-signer2-staging-db-postgresql/details?project=celo-testnet&supportedpurview=project) +- Alfajores: + - Signer0 DB host: `odis-signer0-alfajores-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer0-alfajores-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-a/alfajores/odis-signer0-alfajores/odis-signer0-alfajores-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) + - Signer1 DB host: `odis-signer1-alfajores-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer1-alfajores-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-a/alfajores/odis-signer1-alfajores/odis-signer1-alfajores-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) + - Signer2 DB host: `odis-signer2-alfajores-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! 
+ - Deployment: [`odis-signer2-alfajores-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-a/alfajores/odis-signer2-alfajores/odis-signer2-alfajores-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) ### Tracing Tracing is enabled in the ODIS signer. The signers send traces to a Grafana Agent deployed in the same cluster as the signers. - Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` +- Alfajores Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` diff --git a/docs/kubernetes-deployment/signer/values/alfajores/values-signer0-alfajores.yaml b/docs/kubernetes-deployment/signer/values/alfajores/values-signer0-alfajores.yaml new file mode 100644 index 000000000..f4cab17f5 --- /dev/null +++ b/docs/kubernetes-deployment/signer/values/alfajores/values-signer0-alfajores.yaml 
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer0-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer0-alfajores-db-postgresql-hl
+ passwordExistingSecret: odis-signer0-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: cLabs
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer0-alfajores-domains
+ gcp:
+ projectID: celo-testnet-production
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer0-alfajores-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer0-alfajores-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer0-alfajores@celo-testnet-production.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
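Review bot: `log.level: trace` is set for a signer that runs in the `celo-testnet-production` project with both `pnpAPIEnabled` and `domainsAPIEnabled` on, so the most verbose log output is the default for this deployment. What the signer writes at trace level cannot be seen from this file, but request-level detail ending up in a shared log sink is a plausible result and should be checked. I would use `level: info` here and raise it only while debugging. The signer1 and signer2 alfajores files carry the same setting, as do the three staging files, where it is easier to justify.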
diff --git a/docs/kubernetes-deployment/signer/values/alfajores/values-signer1-alfajores.yaml b/docs/kubernetes-deployment/signer/values/alfajores/values-signer1-alfajores.yaml
new file mode 100644
index 000000000..5ba23810f
--- /dev/null
+++ b/docs/kubernetes-deployment/signer/values/alfajores/values-signer1-alfajores.yaml
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer1-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer1-alfajores-db-postgresql-hl
+ passwordExistingSecret: odis-signer1-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: cLabs
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer1-alfajores-domains
+ gcp:
+ projectID: celo-testnet-production
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer1-alfajores-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer1-alfajores-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer1-alfajores@celo-testnet-production.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
diff --git a/docs/kubernetes-deployment/signer/values/alfajores/values-signer2-alfajores.yaml b/docs/kubernetes-deployment/signer/values/alfajores/values-signer2-alfajores.yaml
new file mode 100644
index 000000000..745757f45
--- /dev/null
+++ b/docs/kubernetes-deployment/signer/values/alfajores/values-signer2-alfajores.yaml
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer2-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer2-alfajores-db-postgresql-hl
+ passwordExistingSecret: odis-signer2-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: cLabs
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer2-alfajores-domains
+ gcp:
+ projectID: celo-testnet-production
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer2-alfajores-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer2-alfajores-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer2-alfajores@celo-testnet-production.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
diff --git a/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml b/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml
index e69de29bb..bb270bbae 100644
--- a/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml
+++ b/docs/kubernetes-deployment/signer/values/staging/values-signer2-staging.yaml
@@ -0,0 +1,70 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer-forno-key
+ blockchainProvider: https://alfajores-forno.celo-testnet.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer2-staging-db-postgresql-hl
+ passwordExistingSecret: odis-signer-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: pgpnp
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer2-staging-domains
+ gcp:
+ projectID: celo-testnet
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer2-staging-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ mockDek: 0x034846bc781cacdafc66f3a77aa9fc3c56a9dadcd683c72be3c446fee8da041070
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer2-staging-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer2-staging@celo-testnet.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
From e6ad144c7627420427e53d671d57fd5d914b03ff Mon Sep 17 00:00:00 2001
From: alvarof2 Date: Wed, 8 Nov 2023 09:39:41 +0100 Subject: [PATCH 4/4] Mainnet signer docs --- docs/kubernetes-deployment/combiner/README.md | 1 + docs/kubernetes-deployment/signer/README.md | 21 ++++-- .../mainnet/values-signer0-mainnet.yaml | 69 +++++++++++++++++++ .../mainnet/values-signer1-mainnet.yaml | 69 +++++++++++++++++++ 4 files changed, 156 insertions(+), 4 deletions(-) create mode 100644 docs/kubernetes-deployment/signer/values/mainnet/values-signer0-mainnet.yaml create mode 100644 docs/kubernetes-deployment/signer/values/mainnet/values-signer1-mainnet.yaml diff --git a/docs/kubernetes-deployment/combiner/README.md b/docs/kubernetes-deployment/combiner/README.md index d71c0c722..34bf1f604 100644 --- a/docs/kubernetes-deployment/combiner/README.md +++ b/docs/kubernetes-deployment/combiner/README.md @@ -73,3 +73,4 @@ Tracing is enabled in the ODIS combiner. The combiners send traces to a Grafana - Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` - Alfajores Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` +- Mainnet Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` \ No newline at end of file diff --git a/docs/kubernetes-deployment/signer/README.md b/docs/kubernetes-deployment/signer/README.md index c3b9f941a..41572d727 100644 --- a/docs/kubernetes-deployment/signer/README.md +++ b/docs/kubernetes-deployment/signer/README.md 
@@ -41,7 +41,11 @@ ODIS signer is deployed in the following clusters: - URL: `http://odis-signer1-staging.odis-signer1-staging:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! - Signer2 in namespace `odis-signer2-alfajores` with this [`values-signer2-alfajores.yaml` file](./values/alfajores/values-signer2-alfajores.yaml). - URL: `http://odis-signer2-alfajores.odis-signer2-alfajores:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! - +- Mainnet: cluster `rc1-europe-west1` + - Signer0 in namespace `odis-signer0-mainnet` with this [`values-signer0-mainnet.yaml` file](./values/mainnet/values-signer0-mainnet.yaml). + - URL: `http://odis-signer0-mainnet.odis-signer0-mainnet:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Signer1 in namespace `odis-signer1-mainnet` with this [`values-signer1-mainnet.yaml` file](./values/mainnet/values-signer1-mainnet.yaml). + - URL: `http://odis-signer1-mainnet.odis-signer1-mainnet:3000`. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! ### Modifying the deployment 
@@ -62,21 +66,24 @@ You can access the ODIS deployment by following these links. There you can edit - [Signer0](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer0-alfajores/odis-signer0-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) - [Signer1](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer1-alfajores/odis-signer1-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) - [Signer2](https://console.cloud.google.com/kubernetes/deployment/us-west1-a/alfajores/odis-signer2-alfajores/odis-signer2-alfajores/yaml/view?project=celo-testnet-production&supportedpurview=project) +- Mainnet: + - [Signer0](https://console.cloud.google.com/kubernetes/deployment/europe-west1-b/rc1-europe-west1/odis-signer0-mainnet/odis-signer0-mainnet/yaml/view?project=celo-testnet-production&supportedpurview=project) + - [Signer1](https://console.cloud.google.com/kubernetes/deployment/europe-west1-b/rc1-europe-west1/odis-signer1-mainnet/odis-signer1-mainnet/yaml/view?project=celo-testnet-production&supportedpurview=project) #### Use Helm -1. Ensure you are connected to the correct Kubernetes cluster (currently, only staging and alfajores). +1. Ensure you are connected to the correct Kubernetes cluster (staging, alfajores or mainnet). 2. Get the currently deployed Helm chart values: ```bash - helm get values -n odis-signer<0|1|2>- odis-signer<0|1|2>- -o yaml > ./values/values-signer<0|1|2>-.yaml + helm get values -n odis-signer<0|1|2>- odis-signer<0|1|2>- -o yaml > ./values//values-signer<0|1|2>-.yaml ``` 3. Modify the values file accordingly 4. 
Deploy the new release: ```bash - helm upgrade -install odis-signer<0|1|2>- oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n odis-signer<0|1|2>- -f ./values//values-signer<0|1|2>- --create-namespace --version + helm upgrade -install odis-signer<0|1|2>- oci://us-west1-docker.pkg.dev/devopsre/clabs-public-oci/odis-signer -n odis-signer<0|1|2>- -f ./values//values-signer<0|1|2>-.yaml --create-namespace --version ``` 5. Ensure there are no sensitive values in the values `.yaml` file and commit it to this repo. 
@@ -99,6 +106,11 @@ Each signer has an associated Postgres DB running in its same Kubernetes namespa - Deployment: [`odis-signer1-alfajores-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-a/alfajores/odis-signer1-alfajores/odis-signer1-alfajores-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) - Signer2 DB host: `odis-signer2-alfajores-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! - Deployment: [`odis-signer2-alfajores-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/us-west1-a/alfajores/odis-signer2-alfajores/odis-signer2-alfajores-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) +- Mainnet: + - Signer0 DB host: `odis-signer0-mainnet-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer0-mainnet-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/europe-west1-b/rc1-europe-west1/odis-signer0-mainnet/odis-signer0-mainnet-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) + - Signer1 DB host: `odis-signer1-mainnet-db-postgresql-hl`, port 5432. :warning: This is a URL internal to the cluster (i.e. not accessible from outside)!! + - Deployment: [`odis-signer1-mainnet-db-postgresql`](https://console.cloud.google.com/kubernetes/statefulset/europe-west1-b/rc1-europe-west1/odis-signer1-mainnet/odis-signer1-mainnet-db-postgresql/details?project=celo-testnet-production&supportedpurview=project) ### Tracing @@ -106,3 +118,4 @@ Tracing is enabled in the ODIS signer. The signers send traces to a Grafana Agen - Staging Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` - Alfajores Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` +- Mainnet Grafana Agent URL: `http://grafana-agent.monitoring:14268/api/traces` 
diff --git a/docs/kubernetes-deployment/signer/values/mainnet/values-signer0-mainnet.yaml b/docs/kubernetes-deployment/signer/values/mainnet/values-signer0-mainnet.yaml
new file mode 100644
index 000000000..cbcc62970
--- /dev/null
+++ b/docs/kubernetes-deployment/signer/values/mainnet/values-signer0-mainnet.yaml
@@ -0,0 +1,69 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer0-forno-key
+ blockchainProvider: https://forno.celo.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer0-mainnet-db-postgresql-hl
+ passwordExistingSecret: odis-signer0-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: clabs
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer0-mainnet-domains
+ gcp:
+ projectID: celo-testnet-production
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer0-mainnet-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer0-mainnet-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer0-mainnet@celo-testnet-production.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
diff --git a/docs/kubernetes-deployment/signer/values/mainnet/values-signer1-mainnet.yaml b/docs/kubernetes-deployment/signer/values/mainnet/values-signer1-mainnet.yaml
new file mode 100644
index 000000000..33dca0ae3
--- /dev/null
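Review bot: `testQuotaBypassPercentage: "50"` under `env.odis` in values-signer0-mainnet.yaml is carried into a mainnet values file, and the key name suggests a test-only knob that lets a share of requests skip quota enforcement. The chart and signer code are not part of this patch, so that reading is inferred from the name alone. If it holds, the quota is the control that rate-limits ODIS queries and it should not be relaxed in production. I would set `testQuotaBypassPercentage: "0"` for mainnet unless the bypass is confirmed to be restricted to designated test accounts, and record that confirmation in a comment next to the key. The same value appears in values-signer1-mainnet.yaml.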
+++ b/docs/kubernetes-deployment/signer/values/mainnet/values-signer1-mainnet.yaml
@@ -0,0 +1,69 @@
+affinity: {}
+autoscaling:
+ enabled: false
+ maxReplicas: 3
+ minReplicas: 1
+ targetCPUUtilizationPercentage: 80
+env:
+ api:
+ domainsAPIEnabled: true
+ pnpAPIEnabled: true
+ blockchain:
+ blockchainApiKeyExistingSecret: odis-signer1-forno-key
+ blockchainProvider: https://forno.celo.org
+ db:
+ cloudSqlProxy: false
+ database: phoneNumberPrivacy
+ host: odis-signer1-mainnet-db-postgresql-hl
+ passwordExistingSecret: odis-signer1-db-password
+ port: 5432
+ type: postgres
+ useSsl: false
+ username: clabs
+ keystore:
+ domainsKeyLatestVersion: null
+ domainsKeyNameBase: odis-signer1-mainnet-domains
+ gcp:
+ projectID: celo-testnet-production
+ pnpKeyLatestVersion: null
+ pnpKeyNameBase: odis-signer1-mainnet-phoneNumberPrivacy
+ type: GoogleSecretManager
+ log:
+ format: stackdriver
+ level: trace
+ odis:
+ odisSignerTimeout: "6000"
+ shouldMockAccountService: "false"
+ shouldMockRequestService: "false"
+ testQuotaBypassPercentage: "50"
+ tracing:
+ enabled: true
+ endpoint: "http://grafana-agent.monitoring:14268/api/traces"
+ serviceName: "odis-signer1-mainnet-k8s"
+fullnameOverride: ""
+image:
+ pullPolicy: Always
+ repository: us.gcr.io/celo-testnet/celo-monorepo
+ tag: oblivious-decentralized-identifier-service-3.0.1
+imagePullSecrets: []
+ingress:
+ annotations: {}
+ className: nginx
+ enabled: false
+ hosts: []
+ tls: []
+livenessProbe: {}
+nameOverride: ""
+nodeSelector: {}
+podAnnotations: {}
+podSecurityContext: {}
+readinessProbe: {}
+replicaCount: 1
+resources: {}
+securityContext: {}
+serviceAccount:
+ annotations:
+ iam.gke.io/gcp-service-account: odis-signer1-mainnet@celo-testnet-production.iam.gserviceaccount.com
+ create: true
+ name: ""
+tolerations: []
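Review bot: `level: trace` under `env.log` in values-signer1-mainnet.yaml sends the most verbose log level to Stackdriver from a mainnet signer. What the signer emits at trace is not visible in this patch, but at that level services commonly log request and response bodies, which here could include account identifiers and blinded query material, and those logs are readable by anyone with log access in the project. I would use `level: info` for mainnet and keep `trace` for staging, raising it temporarily only while debugging. The same setting is in values-signer0-mainnet.yaml.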