From a7fb3c5ffc5d27caf6c02e84b44833c2c066a222 Mon Sep 17 00:00:00 2001 From: Ivan Vandot Date: Wed, 7 Oct 2020 17:49:15 +0200 Subject: [PATCH 1/2] enchance clef support --- charts/bee/Chart.yaml | 2 +- charts/bee/README.md | 4 +- charts/bee/templates/_helpers.tpl | 22 ++++++++ charts/bee/templates/secret-clefkeys.yaml | 18 +++++++ charts/bee/templates/statefulset.yaml | 65 ++++++++++++++--------- charts/bee/values.yaml | 25 +++++---- 6 files changed, 97 insertions(+), 39 deletions(-) create mode 100644 charts/bee/templates/secret-clefkeys.yaml diff --git a/charts/bee/Chart.yaml b/charts/bee/Chart.yaml index b13b7b5..2518a2e 100644 --- a/charts/bee/Chart.yaml +++ b/charts/bee/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: latest name: bee -version: 0.5.14 +version: 0.5.15 description: Ethereum Swarm Bee Helm chart for Kubernetes home: https://swarm.ethereum.org icon: https://swarm-guide.readthedocs.io/en/latest/_images/swarm.png diff --git a/charts/bee/README.md b/charts/bee/README.md index 856ed58..4d91a15 100644 --- a/charts/bee/README.md +++ b/charts/bee/README.md @@ -86,7 +86,7 @@ apps: namespace: bee description: "Ethereum Swarm Bee" chart: "ethersphere/bee" - version: "0.5.14" + version: "0.5.15" enabled: true set: beeConfig.bootnode: # bootnode multi address @@ -118,7 +118,7 @@ apps: namespace: bee description: "Ethereum Swarm Bee" chart: "ethersphere/bee" - version: "0.5.14" + version: "0.5.15" enabled: true set: beeConfig.bootnode: "/dns4/bee-0-headless.bee.svc.cluster.local/tcp/7070/p2p/16Uiu2HAm6i4dFaJt584m2jubyvnieEECgqM2YMpQ9nusXfy8XFzL" diff --git a/charts/bee/templates/_helpers.tpl b/charts/bee/templates/_helpers.tpl index ef9e0cf..7676bfb 100644 --- a/charts/bee/templates/_helpers.tpl +++ b/charts/bee/templates/_helpers.tpl @@ -170,3 +170,25 @@ Get the swarm key to be retrieved from the secret. {{- printf "swarmKeys" -}} {{- end -}} {{- end -}} + +{{/* +Get the clefKeys secret. +*/}} +{{- define "bee.clefKeysSecretName" -}} +{{- if .Values.clefSettings.existingSecret -}} +{{- printf "%s" .Values.clefSettings.existingSecret -}} +{{- else -}} +{{- printf "%s-clef" (include "bee.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the clef key to be retrieved from the secret. +*/}} +{{- define "bee.clefKeysSecretKey" -}} +{{- if and .Values.clefSettings.existingSecret .Values.clefSettings.existingSecretClefKey -}} +{{- printf "%s" .Values.swarmSettings.existingSecretClefKey -}} +{{- else -}} +{{- printf "clefKeys" -}} +{{- end -}} +{{- end -}} diff --git a/charts/bee/templates/secret-clefkeys.yaml b/charts/bee/templates/secret-clefkeys.yaml new file mode 100644 index 0000000..cfd1a2e --- /dev/null +++ b/charts/bee/templates/secret-clefkeys.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.clefSettings.enabled (not .Values.clefSettings.existingSecret) -}} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "bee.fullname" . }}-clef + namespace: {{ .Release.Namespace }} + labels: + {{- include "bee.labels" . | nindent 4 }} +type: Opaque +stringData: + clefKeys: |- + {{- range $key, $val := .Values.clefSettings.clefKeys }} + {{ $key }}: {{ $val }} + {{- end }} + +{{- end -}} diff --git a/charts/bee/templates/statefulset.yaml b/charts/bee/templates/statefulset.yaml index 6186a8d..cd81ce3 100644 --- a/charts/bee/templates/statefulset.yaml +++ b/charts/bee/templates/statefulset.yaml @@ -84,6 +84,26 @@ spec: - name: bee-swarm mountPath: /tmp/bee {{- end }} + {{- if .Values.clefSettings.enabled }} + - name: init-clef + image: ethersphere/clef:latest + command: + - sh + - -c + - > + export INDEX=$(echo $(hostname) | rev | cut -d'-' -f 1 | rev); + mkdir -p /root/.clef/keys; + export KEY=$(cat /tmp/bee/clef.map | grep bee-${INDEX}: | cut -d' ' -f2); + if [ -z "${KEY}" ]; then exit 0; fi; + printf '%s' "${KEY}" > /root/.clef/keys/clef.key; + /entrypoint.sh init {{ .Values.clefSettings.keySecret }}; + echo 'clef initialization done'; + volumeMounts: + - name: clef + mountPath: /root/.clef + - name: bee-clef + mountPath: /tmp/bee + {{- end }} {{- if .Values.p2pFixedPort.enabled }} - name: init-natport image: busybox:1.28 @@ -166,39 +186,22 @@ spec: mountPath: /home/bee/.secret readOnly: true {{- end }} - {{- if .Values.clefSidecar.enabled }} + {{- if .Values.clefSettings.enabled }} - name: clef - image: "ethereum/client-go:alltools-stable" + image: ethersphere/clef:latest imagePullPolicy: IfNotPresent - env: - {{- if .Values.beeConfig.usePasswordFile }} - - name: SECRET_FILE - value: /secret/password - {{- else }} - - name: SECRET - value: {{ include "bee.password" . }} - {{- end }} command: - - sh - - -c - - > - if [ -n "${SECRET_FILE+x}" ]; then export SECRET=$(cat $SECRET_FILE); fi; - wget -q https://gist.githubusercontent.com/vandot/5063ca7ac3e845261faa5b04053d0a10/raw/50cdcb350fd137e5985b48dc9ac4d8f33217706a -O /clef.sh; - chmod +x /clef.sh; - /clef.sh ${SECRET}; + - /entrypoint.sh + - run + - {{ .Values.clefSettings.keySecret }} ports: - containerPort: 8550 name: api protocol: TCP volumeMounts: - - name: data - mountPath: /bee - readOnly: true - {{- if .Values.beeConfig.usePasswordFile }} - - name: bee-secret - mountPath: /secret - readOnly: true - {{- end }} + - name: clef + mountPath: /root/.clef + readOnly: false {{- end }} volumes: - name: config-file @@ -230,6 +233,16 @@ spec: - key: {{ template "bee.swarmKeysSecretKey" . }} path: swarm.map {{- end }} + {{- if .Values.clefSettings.enabled }} + - name: clef + emptyDir: {} + - name: bee-clef + secret: + secretName: {{ template "bee.clefKeysSecretName" . }} + items: + - key: {{ template "bee.clefKeysSecretKey" . }} + path: clef.map + {{- end }} {{- if not .Values.persistence.enabled }} - name: data emptyDir: {} @@ -240,7 +253,7 @@ spec: labels: {{- include "bee.labelsVCT" . | nindent 8 }} spec: - accessModes: + accessModes: - {{ .Values.persistence.accessMode | quote }} resources: requests: diff --git a/charts/bee/values.yaml b/charts/bee/values.yaml index c4422ae..e07b33f 100644 --- a/charts/bee/values.yaml +++ b/charts/bee/values.yaml @@ -44,11 +44,6 @@ p2pFixedPort: enabled: false nodePortStart: 31000 -## If enabled it will start clef sidecar container that will auto approve every request -## Use only for testing -clefSidecar: - enabled: false - ## If enabled, creates ingress for HTTP api ## Creates one ingress per pod and additionally one common ingress for all pods ## Total number of created ingress objects is: replicaCount + 1 @@ -219,8 +214,8 @@ beeConfig: ## Send a welcome message string during handshakes welcomeMessage: "Welcome to the Swarm, you are Bee-ing connected!" -## if enabled, configures pods with defined libp2p keys -## libp2p keys are pregenerated examples and can be replaced with other values +## If enabled, configures pods with defined libp2p keys +## Libp2p keys are pregenerated examples and can be replaced with other values ## pods without specified key will autogenerate it during start libp2pSettings: enabled: false @@ -229,12 +224,22 @@ libp2pSettings: ## Use existing secret (ignores previous libp2pKeys) # existingSecret: -## if enabled, configures pods with defined swarm keys -## swarm keys are pregenerated examples and can be replaced with other values -## pods without specified key will autogenerate it during start +## If enabled, configures pods with defined swarm keys +## Swarm keys are pregenerated examples and can be replaced with other values +## Pods without specified key will autogenerate it during start swarmSettings: enabled: false swarmKeys: bee-0: '{"address":"f176839c150e52fe30e5c2b5c648465c6fdfa532","crypto":{"cipher":"aes-128-ctr","ciphertext":"352af096f0fca9dfbd20a6861bde43d988efe7f179e0a9ffd812a285fdcd63b9","cipherparams":{"iv":"613003f1f1bf93430c92629da33f8828"},"kdf":"scrypt","kdfparams":{"n":32768,"r":8,"p":1,"dklen":32,"salt":"ad1d99a4c64c95c26131e079e8c8a82221d58bf66a7ceb767c33a4c376c564b8"},"mac":"cafda1bc8ca0ffc2b22eb69afd1cf5072fd09412243443be1b0c6832f57924b6"},"version":3}' ## Use existing secret (ignores previous swarmKeys) # existingSecret: + +## If enabled it will start clef sidecar container that will auto approve every request +## Clef keys are pregenerated examples and can be replaced with other values +clefSettings: + enabled: false + clefKeys: + bee-0: '{"address":"fd50ede4954655b993ed69238c55219da7e81acf","crypto":{"cipher":"aes-128-ctr","ciphertext":"1c0f603b0dffe53294c7ca02c1a2800d81d855970db0df1a84cc11bc1d6cf364","cipherparams":{"iv":"11c9ac512348d7ccfe5ee59d9c9388d3"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"f6d7a0947da105fa5ef70fa298f65409d12967108c0e6260f847dc2b10455b89"},"mac":"fc6585e300ad3cb21c5f648b16b8a59ca33bcf13c58197176ffee4786628eaeb"},"id":"4911f965-b425-4011-895d-a2008f859859","version":3}' + keySecret: clefbeesecret + ## Use existing secret (ignores previous clefKeys) + # existingSecret: From 080d6c0b97b9b9ef587e437264bf0b4541a8c1a1 Mon Sep 17 00:00:00 2001 From: Ivan Vandot Date: Wed, 7 Oct 2020 19:58:30 +0200 Subject: [PATCH 2/2] bump version --- charts/bee/Chart.yaml | 2 +- charts/bee/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/bee/Chart.yaml b/charts/bee/Chart.yaml index 2518a2e..85b4cd1 100644 --- a/charts/bee/Chart.yaml +++ b/charts/bee/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: latest name: bee -version: 0.5.15 +version: 0.5.16 description: Ethereum Swarm Bee Helm chart for Kubernetes home: https://swarm.ethereum.org icon: https://swarm-guide.readthedocs.io/en/latest/_images/swarm.png diff --git a/charts/bee/README.md b/charts/bee/README.md index 4d91a15..d235bbf 100644 --- a/charts/bee/README.md +++ b/charts/bee/README.md @@ -86,7 +86,7 @@ apps: namespace: bee description: "Ethereum Swarm Bee" chart: "ethersphere/bee" - version: "0.5.15" + version: "0.5.16" enabled: true set: beeConfig.bootnode: # bootnode multi address @@ -118,7 +118,7 @@ apps: namespace: bee description: "Ethereum Swarm Bee" chart: "ethersphere/bee" - version: "0.5.15" + version: "0.5.16" enabled: true set: beeConfig.bootnode: "/dns4/bee-0-headless.bee.svc.cluster.local/tcp/7070/p2p/16Uiu2HAm6i4dFaJt584m2jubyvnieEECgqM2YMpQ9nusXfy8XFzL"