diff --git a/charts/foundry/README.md b/charts/foundry/README.md
index 20036596e..e617317ed 100644
--- a/charts/foundry/README.md
+++ b/charts/foundry/README.md
@@ -16,4 +16,24 @@ anvil:
 forkTimeout: "45000"
 forkComputeUnitsPerSecond: "330"
 # forkNoRateLimit: "true"
+```
+
+By default ingress is disabled, so remember to enable it in `values.yaml`.
+Sample command:
+```bash
+export RELEASE_NAME="your-release-name"
+export NAMESPACE="your-namespace"
+export INGRESS_BASE_DOMAIN="your-ingress-base-domain"
+export INGRESS_CERT_ARN="your-ingress-certificate"
+export INGRESS_CIDRS="allowed-cidrs"
+
+helm install "${RELEASE_NAME}" . -f ./values.yaml \
+--set ingress.annotation_certificate_arn="${INGRESS_CERT_ARN}" \
+--set "ingress.hosts[0].host"="${NAMESPACE}-anvil.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.annotation_group_name"="${NAMESPACE}" \
+--set "ingress.enabled"=true \
+--set "networkPolicyDefault.ingress.allowCustomCidrs"=true \
+--set "networkPolicyDefault.ingress.customCidrs"="${INGRESS_CIDRS}"
+# to override default chain id uncomment the following line
+# --set "anvil.chainId"="2337"
 ```
\ No newline at end of file
diff --git a/charts/foundry/templates/ingress.yaml b/charts/foundry/templates/ingress.yaml
index e725f0860..ef80d1441 100644
--- a/charts/foundry/templates/ingress.yaml
+++ b/charts/foundry/templates/ingress.yaml
@@ -1,61 +1,44 @@ {{- if .Values.ingress.enabled -}} -{{- $fullName := include "foundry.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: - name: {{ $fullName }} + name: {{ .Release.Name }} labels: - {{- include "foundry.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + app: {{ .Release.Name }} + release: {{ .Release.Name }} + {{- range $key, $value := .Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} annotations: - {{- toYaml . | nindent 4 }} + alb.ingress.kubernetes.io/backend-protocol: HTTP + alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.annotation_certificate_arn | quote }} + alb.ingress.kubernetes.io/group.name: {{ .Values.ingress.annotation_group_name | quote }} + alb.ingress.kubernetes.io/scheme: internal + alb.ingress.kubernetes.io/target-type: ip + external-dns.alpha.kubernetes.io/ttl: "120" + {{- if .Values.ingress.extra_annotations }} + {{- range $key, $value := .Values.ingress.extra_annotations }} + {{ $key }}: {{ $value | quote }} {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . 
| quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} +spec: + {{- with .Values.ingress.ingressClassName }} + ingressClassName: {{ . }} {{- end }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + {{- $root := . -}} + {{- range .Values.ingress.hosts }} + - host: {{ .host }} http: paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} + {{- range .http.paths }} + - path: "/*" + pathType: ImplementationSpecific backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ include "foundry.fullname" $root }} port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} + number: {{ .backend.service.port.number }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/foundry/templates/networkpolicy-default.yml b/charts/foundry/templates/networkpolicy-default.yml new file mode 100644 index 000000000..a0e2a162a --- /dev/null +++ b/charts/foundry/templates/networkpolicy-default.yml 
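Review bot: The new `alb.ingress.kubernetes.io/certificate-arn` annotation renders the chart default `''` from values.yaml, so a release installed without `--set ingress.annotation_certificate_arn=…` gets an ALB with an empty certificate ARN; with the AWS Load Balancer Controller that appears to mean no HTTPS listener is created, leaving the anvil RPC reachable over plain HTTP. Fail the render instead: `alb.ingress.kubernetes.io/certificate-arn: {{ required "ingress.annotation_certificate_arn must be set when ingress.enabled=true" .Values.ingress.annotation_certificate_arn | quote }}`. The host line also lost the quoting the removed version had; restore it as `- host: {{ .host | quote }}` so a templated hostname cannot break the YAML. Note too that `path: "/*"` is hard-coded while the loop still ranges over `.http.paths`, so the `path: /` in values.yaml is silently ignored — either render `{{ .path | quote }}` or drop the key from values.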
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+ # Using a comma separated list to make it easy to pass in with:
+ # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+ {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+ - from:
+ {{- range $cidr := $cidrs }}
+ - ipBlock:
+ cidr: {{ $cidr | quote }}
+ {{- end }}
+ {{- else }}
+ # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+ - {}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/foundry/values.yaml b/charts/foundry/values.yaml
index 5fbb8c982..f1f3b8963 100644
--- a/charts/foundry/values.yaml
+++ b/charts/foundry/values.yaml
@@ -10,12 +10,12 @@ anvil:
 chainId: 1337
 blockTime: 1
 runAsOptimism: false
- forkURL: 'https://goerli.infura.io/v3/...'
- forkBlockNumber: "10448829"
- forkRetries: "5"
- forkTimeout: "45000"
- forkComputeUnitsPerSecond: "330"
- forkNoRateLimit: "true"
+ # forkURL: 'https://goerli.infura.io/v3/...'
+ # forkBlockNumber: "10448829"
+ # forkRetries: "5"
+ # forkTimeout: "45000"
+ # forkComputeUnitsPerSecond: "330"
+ # forkNoRateLimit: "true"
 image:
 repository: ghcr.io/foundry-rs/foundry
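Review bot: The fallback branch of the new policy does the opposite of its comment: `- {}` is an ingress rule with no `from` and no `ports`, which Kubernetes treats as allow-all, so with the chart defaults (`networkPolicies.enabled: true`, `allowCustomCidrs: false`) every pod in the namespace accepts traffic from any source. Deny-all is `policyTypes: [Ingress]` with an empty rule list, so the rewrite below moves `ingress:` into each branch and emits `ingress: []` in the fallback. The CIDR branch also carries no `ports:`, so each allowed CIDR reaches every port of every pod, and `splitList ","` keeps whitespace, so `"10.0.0.0/16, 10.1.0.0/16"` yields a CIDR with a leading space that the API server rejects — `trim` each entry. Both charts name this object `default`, which I expect to collide if the two charts are installed into one namespace; a release-scoped name such as `{{ .Release.Name }}-default` would avoid that.
```yaml
  policyTypes:
    - Ingress
  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
  # … unchanged: comment on the comma separated list …
  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
  ingress:
    - from:
      {{- range $cidr := $cidrs }}
      - ipBlock:
          cidr: {{ $cidr | trim | quote }}
      {{- end }}
  {{- else }}
  # An empty rule list with policyTypes [Ingress] denies all ingress to every pod in the
  # namespace (a "- {}" rule would allow all). Other templates may still add their own policies.
  ingress: []
  {{- end }}
```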
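Review bot: The commented `forkURL` placeholder `'https://goerli.infura.io/v3/...'` has the shape of a provider URL that carries the project key in its path, so anyone who uncomments it as the README suggests ends up committing that key to values.yaml. A warning above the line would steer operators to pass it at install time: `# forkURL embeds the RPC provider's project key — set it with --set anvil.forkURL=… or an untracked values file; do not commit it here.`. The `anvil:` mapping begins before this hunk.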
@@ -60,19 +60,31 @@ service:
 ingress:
 enabled: false
- className: ''
 annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: 'true'
+ ingressClassName: alb
+ annotation_certificate_arn: ''
+ annotation_group_name: ''
 hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
+ - host: chainlink-anvil.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: anvil
+ port:
+ number: 8545
+
+networkPolicies:
+ enabled: true
+
+# Configure the default network policy.
+networkPolicyDefault:
+ ingress:
+ allowCustomCidrs: false
+ # List of custom CIDRs to allow ingress from. If allowCustomCidrs is true, this list will be appended to the default list of CIDRs.
+ customCidrs: ''
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
diff --git a/charts/geth-non-root/Readme.md b/charts/geth-non-root/Readme.md
index ccc8a7fa8..709a39839 100644
--- a/charts/geth-non-root/Readme.md
+++ b/charts/geth-non-root/Readme.md
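Review bot: The new comment on `customCidrs` says the list "will be appended to the default list of CIDRs", but nothing in this change defines such a list — the default policy template either renders the custom CIDRs or a single fallback rule — so the sentence sends operators looking for a value that does not exist. Replace it with `# Comma-separated CIDRs (no spaces) allowed to reach every pod in the namespace on any port. Used only when allowCustomCidrs is true; there is no built-in default list.`. It is also worth stating beside `allowCustomCidrs: false` what the fallback actually is, since the template as written renders an allow-all rule in that case rather than a deny-all. Under `hosts[0].http.paths[0]`, `path: /` is not what the foundry ingress template renders (it hard-codes `"/*"`), so either note `# path is ignored by the template, which always uses "/*"` or fix the template to read it.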
@@ -1,28 +1,23 @@ # Raison d'etre -This chart allows to run a geth node as a non-root user, which is esential for running it on more secure clusters. Geth is running as Proof-of-Authority private network with a single node. - -# Deploying with ingress - -By default ingress is disabled. To enable it you need to override a couple of values in the values.yaml file. You can easily do it from command-line when installing the chart. - -Currently ingress created for CRIB doesn't work, even though there are no errors or warnings in Kubernetes. Hopefuly soon we will have some eyes on it. +This chart allows to run a geth node as a non-root user, which is esential for running it on more secure clusters. Geth is running as Proof-of-Authority private network with a single node. By default ingress is disabled, so remember to enable it in `values.yaml`. Sample command: ```bash export RELEASE_NAME="your-release-name" export NAMESPACE="your-namespace" export INGRESS_BASE_DOMAIN="your-ingress-base-domain" -export INGRESS_CERT="your-ingress-certificate" -export INGRESS_CIDRS="your-ingress-cidrs" +export INGRESS_CERT_ARN="your-ingress-certificate" +export INGRESS_CIDRS="allowed-cidrs" helm install "${RELEASE_NAME}" . 
-f ./values.yaml \
---set ingress.annotation_certificate_arn="${INGRESS_CERT}"\
---set "ingress.hosts[0].host"="${NAMESPACE}-geth-http.${INGRESS_BASE_DOMAIN}"\
---set "ingress.hosts[1].host"="${NAMESPACE}-geth-ws.${INGRESS_BASE_DOMAIN}"\
---set "ingress.annotation_group_name"="${NAMESPACE}"\
---set "ingress.enabled"=true\
+--set ingress.annotation_certificate_arn="${INGRESS_CERT_ARN}" \
+--set "ingress.hosts[0].host"="${NAMESPACE}-geth-http.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.hosts[1].host"="${NAMESPACE}-geth-ws.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.annotation_group_name"="${NAMESPACE}" \
+--set "ingress.enabled"=true \
+--set "networkPolicyDefault.ingress.allowCustomCidrs"=true \
+--set "networkPolicyDefault.ingress.customCidrs"="${INGRESS_CIDRS}"
 # to override default chain id uncomment the following line
 # --set "geth.networkId"="2337"
---set "networkPolicy.ingress.allowCustomCidrs=${INGRESS_CIDRS}"
 ```
\ No newline at end of file
diff --git a/charts/geth-non-root/templates/geth-config-map.yml b/charts/geth-non-root/templates/config-map.yml
similarity index 100%
rename from charts/geth-non-root/templates/geth-config-map.yml
rename to charts/geth-non-root/templates/config-map.yml
diff --git a/charts/geth-non-root/templates/geth-deployment.yml b/charts/geth-non-root/templates/deployment.yml
similarity index 92%
rename from charts/geth-non-root/templates/geth-deployment.yml
rename to charts/geth-non-root/templates/deployment.yml
index 103453aba..5717dcc15 100644
--- a/charts/geth-non-root/templates/geth-deployment.yml
+++ b/charts/geth-non-root/templates/deployment.yml
@@ -7,20 +7,22 @@ spec:
 selector:
 matchLabels:
 app: geth
+ release: {{ .Release.Name }}
+ instance: geth
 # Used for testing.
 # havoc-component-group and havoc-network-group are used by "havoc" chaos testing tool
 havoc-component-group: "blockchain"
 havoc-network-group: "blockchain"
- release: {{ .Release.Name }}
 template:
 metadata:
 labels:
 app: geth
+ instance: geth
+ release: {{ .Release.Name }}
 # Used for testing.
 # havoc-component-group and havoc-network-group are used by "havoc" chaos testing tool
 havoc-component-group: "blockchain"
 havoc-network-group: "blockchain"
- release: {{ .Release.Name }}
 annotations:
 {{- range $key, $value := .Values.podAnnotations }}
 {{ $key }}: {{ $value | quote }}
@@ -33,11 +35,11 @@ spec:
 - name: devchain-volume
 emptyDir: {}
 securityContext:
- {{- toYaml $.Values.geth.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.geth.podSecurityContext | nindent 8 }}
 containers:
 - name: geth-network
 securityContext:
- {{- toYaml $.Values.geth.securityContext | nindent 12 }}
+ {{- toYaml .Values.geth.securityContext | nindent 12 }}
 image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}"
 command: [ "sh", "/chain/init.sh" ]
 volumeMounts:
@@ -88,7 +90,7 @@ spec:
 - '--rpc.txfeecap'
 - '0'
 - '--dev.period'
- - '{{ .Values.geth.blocktime }}'
+ - '{{ $.Values.geth.blocktime }}'
 - '--miner.gasprice'
 - '10000000000'
 ports:
@@ -96,7 +98,7 @@ spec:
 containerPort: 8544
 - name: ws-rpc
 containerPort: 8546
- {{ if (hasKey .Values.geth "resources") }}
+ {{ if (hasKey $.Values.geth "resources") }}
 resources:
 requests:
 memory: {{ default "1024Mi" .Values.geth.resources.requests.memory }}
@@ -118,4 +120,4 @@ spec:
 tolerations:
 {{ toYaml . | indent 8 }}
 {{- end }}
-{{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/geth-non-root/templates/geth-networkpolicy.yaml b/charts/geth-non-root/templates/geth-networkpolicy.yaml
deleted file mode 100644
index feba5d710..000000000
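Review bot: Adding `instance: geth` to `spec.selector.matchLabels` of the geth Deployment changes a field that apps/v1 treats as immutable, so `helm upgrade` of an existing release will be rejected with "field is immutable" instead of rolling the pods. If the new label is needed (the Service selector elsewhere in this change switches to `instance: geth`), keep `matchLabels` as it was and add `instance: geth` only under `template.metadata.labels`, or document in the chart that the release must be uninstalled and reinstalled. The Deployment's `spec:` begins before this hunk.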
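Review bot: The `--dev.period` argument switches from `.Values.geth.blocktime` to `$.Values.geth.blocktime` while the same file moves the security contexts the other way (`$.Values` → `.Values`), so the template now mixes both forms with no visible reason. As far as this hunk shows, the args list is not inside a `range` or `with`, so `.` and `$` resolve to the same root and `- '{{ .Values.geth.blocktime }}'` would match the surrounding style; if a scoped block does enclose it, a comment saying why `$` is required would help the next reader. The `args` list continues outside the hunk.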
--- a/charts/geth-non-root/templates/geth-networkpolicy.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{- if .Values.networkPolicies.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ $.Release.Name }}-geth
-spec:
- podSelector:
- matchLabels:
- app: geth
- policyTypes:
- - Ingress
- ingress:
- - from:
- # Allow http and websocket connections from the node pods.
- - podSelector:
- matchLabels:
- app: {{ $.Release.Name }}
- # Allow http and websocket connections from the runner pods.
- - podSelector:
- matchLabels:
- app: runner
- ports:
- - protocol: TCP
- port: 8544
- - protocol: TCP
- port: 8546
-{{- end }}
diff --git a/charts/geth-non-root/templates/ingress.yaml b/charts/geth-non-root/templates/ingress.yaml
index e84de6eae..d60e453f7 100644
--- a/charts/geth-non-root/templates/ingress.yaml
+++ b/charts/geth-non-root/templates/ingress.yaml
@@ -2,19 +2,20 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: {{ $.Release.Name }}
+ name: {{ .Release.Name }}
 labels:
- app: {{ $.Release.Name }}
- release: {{ $.Release.Name }}
- {{- range $key, $value := $.Values.labels }}
+ app: {{ .Release.Name }}
+ release: {{ .Release.Name }}
+ {{- range $key, $value := .Values.labels }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 annotations:
 alb.ingress.kubernetes.io/backend-protocol: HTTP
- alb.ingress.kubernetes.io/certificate-arn: {{ $.Values.ingress.annotation_certificate_arn | quote }}
- alb.ingress.kubernetes.io/group.name: {{ $.Values.ingress.annotation_group_name | quote }}
+ alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.annotation_certificate_arn | quote }}
+ alb.ingress.kubernetes.io/group.name: {{ .Values.ingress.annotation_group_name | quote }}
 alb.ingress.kubernetes.io/scheme: internal
 alb.ingress.kubernetes.io/target-type: ip
+ external-dns.alpha.kubernetes.io/ttl: "120"
 {{- if .Values.ingress.extra_annotations }}
 {{- range $key, $value := .Values.ingress.extra_annotations }}
 {{ $key }}: {{ $value | quote }}
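Review bot: `alb.ingress.kubernetes.io/certificate-arn` is rendered from `.Values.ingress.annotation_certificate_arn | quote` with no check that it is set, so a release that omits the `--set` shown in the README gets a `""` ARN; with the AWS Load Balancer Controller I believe an unset certificate means the ALB gets only a plain-HTTP listener, putting the geth RPC on the wire without TLS. Fail the render instead: `alb.ingress.kubernetes.io/certificate-arn: {{ required "ingress.annotation_certificate_arn is required when ingress.enabled=true" .Values.ingress.annotation_certificate_arn | quote }}`. The added `external-dns.alpha.kubernetes.io/ttl: "120"` is hard-coded; if operators are expected to tune it, a `.Values.ingress` key would keep it consistent with the other annotation overrides. The Ingress template's opening `if` is before this hunk.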
diff --git a/charts/geth-non-root/templates/networkpolicy-default.yml b/charts/geth-non-root/templates/networkpolicy-default.yml
new file mode 100644
index 000000000..a0e2a162a
--- /dev/null
+++ b/charts/geth-non-root/templates/networkpolicy-default.yml
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+ # Using a comma separated list to make it easy to pass in with:
+ # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+ {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+ - from:
+ {{- range $cidr := $cidrs }}
+ - ipBlock:
+ cidr: {{ $cidr | quote }}
+ {{- end }}
+ {{- else }}
+ # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+ - {}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/geth-non-root/templates/geth-service.yml b/charts/geth-non-root/templates/service.yml
similarity index 64%
rename from charts/geth-non-root/templates/geth-service.yml
rename to charts/geth-non-root/templates/service.yml
index 5aafe97ae..925de576e 100644
--- a/charts/geth-non-root/templates/geth-service.yml
+++ b/charts/geth-non-root/templates/service.yml
@@ -5,14 +5,14 @@ metadata:
 name: geth
 spec:
 selector:
- app: geth
+ instance: geth
 release: {{ .Release.Name }}
 ports:
 - name: ws-rpc
- port: {{ default "8546" $.Values.geth.wsrpc_port}}
+ port: {{ default "8546" .Values.geth.wsrpc_port}}
 targetPort: ws-rpc
 - name: http-rpc
- port: {{ default "8544" $.Values.geth.httprpc_port}}
+ port: {{ default "8544" .Values.geth.httprpc_port}}
 targetPort: http-rpc
 type: ClusterIP
-{{ end }}
+{{ end }}
\ No newline at end of file
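Review bot: With `allowCustomCidrs: false` this template emits `- {}` under `ingress:`, which is an allow-all rule, not the deny-all its comment promises — and because this file is what replaces the deleted `geth-networkpolicy.yaml`, geth's RPC ports 8544/8546 go from reachable only by the node and runner pods to reachable from any source in the cluster by default. Drop the `- {}` line so the rule list stays empty (an `ingress:` with no rules plus `policyTypes: [Ingress]` is deny-all) and correct the comment to `# No rules + policyTypes [Ingress] = deny all ingress; a "- {}" rule would allow all.`. When CIDRs are given the rule has no `ports:`, so consider restoring the 8544/8546 restriction the removed policy had, and `trim` each `splitList` entry so a space after a comma does not produce a CIDR the API server rejects.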
diff --git a/charts/geth-non-root/values.yaml b/charts/geth-non-root/values.yaml
index d0f6f09cd..5ecd51630 100644
--- a/charts/geth-non-root/values.yaml
+++ b/charts/geth-non-root/values.yaml
@@ -53,13 +53,6 @@ ingress:
 # monitoring.coreos.com/v1 PodMonitor for each node
 prometheusMonitor: false
-networkPolicy:
- ingress:
- # Should be a comma separated list of CIDR blocks. To include
- # AWS ALB private CIDRs and optionally other custom CIDRs.
- # Example format: 10.0.0.0/16,192.168.0.1/24
- allowCustomCidrs: '0.0.0.0/0'
-
 networkPolicies:
 enabled: true
@@ -67,7 +60,5 @@ networkPolicies:
 networkPolicyDefault:
 ingress:
 allowCustomCidrs: false
- # String of comma separated CIDRs
- customCidrs: null
- # Example:
- # customCidrs: '10.0.0.0/16,192.168.0.1/24'
+ # List of custom CIDRs to allow ingress from. If allowCustomCidrs is true, this list will be appended to the default list of CIDRs.
+ customCidrs: ''
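Review bot: The replacement comment on `customCidrs` refers to "the default list of CIDRs", but this file's first hunk removes the only CIDR default the chart had (`networkPolicy.ingress.allowCustomCidrs: '0.0.0.0/0'`) and the default policy template has no built-in list, so the sentence describes a mechanism that no longer exists. Say what the value does: `# Comma-separated CIDRs (no spaces) allowed to reach every pod in the namespace on any port; used only when allowCustomCidrs is true.`. The removed comments also carried the useful hint that the ALB's private subnets must be included when the ingress is enabled (with `target-type: ip` the pods see the ALB ENI addresses, not the client's), and that is worth keeping. Stating beside `allowCustomCidrs: false` what the fallback is would also help, because the template as written renders an allow-all rule in that case and readers of values.yaml will assume the safer behaviour.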