From f5ddf2e421a525289ec2d9aff7ff692dd7f764b2 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 21 Nov 2023 13:02:34 -0500 Subject: [PATCH 01/56] Make CICD work with new ECRs (#495) --- .github/workflows/automation-ondemand-tests.yml | 4 ++-- .github/workflows/build-publish-develop.yml | 2 +- .github/workflows/build-publish.yml | 9 +++------ .github/workflows/integration-chaos-tests.yml | 2 +- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.github/workflows/automation-ondemand-tests.yml b/.github/workflows/automation-ondemand-tests.yml index 5cd2182ff62..8d3de7ce702 100644 --- a/.github/workflows/automation-ondemand-tests.yml +++ b/.github/workflows/automation-ondemand-tests.yml @@ -61,7 +61,7 @@ jobs: id: check-image uses: smartcontractkit/chainlink-github-actions/docker/image-exists@e865e376b8c2d594028c8d645dd6c47169b72974 # v2.2.16 with: - repository: chainlink + repository: ${{ github.repository }} tag: ${{ github.sha }}${{ matrix.image.tag-suffix }} AWS_REGION: ${{ secrets.QA_AWS_REGION }} AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} @@ -115,7 +115,7 @@ jobs: pull-requests: write id-token: write contents: read - needs: [ build-chainlink, build-test-image ] + needs: [build-chainlink, build-test-image] env: CHAINLINK_COMMIT_SHA: ${{ github.sha }} CHAINLINK_ENV_USER: ${{ github.actor }} diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml index b8859722378..3a8cff975fb 100644 --- a/.github/workflows/build-publish-develop.yml +++ b/.github/workflows/build-publish-develop.yml 
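Review bot: In the `check-image` step of automation-ondemand-tests.yml, `repository: ${{ github.repository }}` expands to the `owner/name` form, while this same commit passes the bare name `repository: chainlink-internal` to the identical `image-exists` action in integration-chaos-tests.yml. If the ECR repository is named without the owner prefix, the lookup here will never find the image and the existence check stops gating the build. Using the same literal in both workflows, `repository: chainlink-internal`, keeps them consistent; `${{ github.event.repository.name }}` is the alternative if the name should follow the repository. The step's remaining inputs continue outside the hunk.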
@@ -49,7 +49,7 @@ jobs: aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} ecr-hostname: ${{ secrets.AWS_DEVELOP_ECR_HOSTNAME }} - ecr-image-name: chainlink + ecr-image-name: chainlink-internal-develop ecr-tag-suffix: ${{ matrix.image.tag-suffix }} dockerfile: ${{ matrix.image.dockerfile }} dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index de33663d88d..1e71c7f9382 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -17,7 +17,6 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check for VERSION file bump on tags - # Avoids checking VERSION file bump on forks. if: ${{ github.repository == 'smartcontractkit/chainlink' && startsWith(github.ref, 'refs/tags/v') }} uses: ./.github/actions/version-file-bump with: @@ -42,11 +41,9 @@ jobs: aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} - sign-images: true - sign-method: "keypair" - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} + ecr-hostname: ${{ secrets.AWS_ECR_HOSTNAME }} + ecr-image-name: chainlink-internal-vrf + sign-images: false dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} verify-signature: true diff --git a/.github/workflows/integration-chaos-tests.yml b/.github/workflows/integration-chaos-tests.yml index 10c62810996..22af9992ee7 100644 --- a/.github/workflows/integration-chaos-tests.yml +++ b/.github/workflows/integration-chaos-tests.yml 
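Review bot: The second build-publish.yml hunk sets `sign-images: false` and drops the cosign inputs but leaves `verify-signature: true` on the same step, so the tag-release job is asked to verify a signature it no longer produces. Depending on how the action treats that combination, the step either fails or skips the check; either way the images pushed from `v*` tags carry no signature for consumers to verify. If signing has to be off during the registry move, set both flags consistently and record it in place, for example `sign-images: false # TODO: re-enable signing once keys exist for the new ECR`. The first hunk in this file also deletes the comment explaining the `github.repository == 'smartcontractkit/chainlink'` guard while keeping the guard, which is worth restoring.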
@@ -32,7 +32,7 @@ jobs: id: check-image uses: smartcontractkit/chainlink-github-actions/docker/image-exists@e865e376b8c2d594028c8d645dd6c47169b72974 # v2.2.16 with: - repository: chainlink + repository: chainlink-internal tag: ${{ github.sha }} AWS_REGION: ${{ secrets.QA_AWS_REGION }} AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} From 8f6e90302a4f858642698f3d2500c151fb787009 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 21 Nov 2023 16:29:57 -0500 Subject: [PATCH 02/56] Fix ECR and publish on PRs (#496) --- .github/workflows/build-publish.yml | 4 ++-- test.txt | 0 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 test.txt diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 1e71c7f9382..29b786cf604 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -1,6 +1,7 @@ name: "Build Chainlink and Publish" on: + pull_request: # Mimics old circleci behaviour push: tags: @@ -42,11 +43,10 @@ jobs: aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} ecr-hostname: ${{ secrets.AWS_ECR_HOSTNAME }} - ecr-image-name: chainlink-internal-vrf + ecr-image-name: chainlink-internal sign-images: false dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} - verify-signature: true - name: Collect Metrics if: always() id: collect-gha-metrics diff --git a/test.txt b/test.txt new file mode 100644 index 00000000000..e69de29bb2d From 893cc49fb73a0a446a61ee3121bb35f30a4ebe34 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 22 Nov 2023 16:06:21 -0500 Subject: [PATCH 03/56] Remove test file --- test.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 test.txt diff --git a/test.txt b/test.txt deleted file mode 100644 index e69de29bb2d..00000000000 
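Review bot: The bare `pull_request:` trigger added to "Build Chainlink and Publish" makes every pull request run the job that assumes `secrets.AWS_OIDC_IAM_ROLE_ARN` and pushes to `chainlink-internal`, the same ECR repository the `v*` tag builds use. The second hunk removes `verify-signature: true` while `sign-images: false` stays, so an image built from unreviewed PR code and a release image cannot be told apart by signature. I would give PR builds their own destination, e.g. `ecr-image-name: ${{ github.event_name == 'pull_request' && '<pr-image-repo>' || 'chainlink-internal' }}` with a real repository name in place of the placeholder, or gate the publish on `github.event_name == 'push'`. The existing `# Mimics old circleci behaviour` comment now sits between the two triggers, so it should say which one it describes.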
From 3bd5f4ec49ea5303e82ecea088658492f5c094e3 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 22 Nov 2023 17:08:17 -0500 Subject: [PATCH 04/56] Add mockserver to helm chart dependency --- charts/chainlink-cluster/Chart.yaml | 8 ++- charts/chainlink-cluster/devspace.yaml | 9 +-- charts/chainlink-cluster/values-raw-helm.yaml | 57 ++++++++++--------- 3 files changed, 41 insertions(+), 33 deletions(-) diff --git a/charts/chainlink-cluster/Chart.yaml b/charts/chainlink-cluster/Chart.yaml index bfea29c82ec..f242ef84cbd 100644 --- a/charts/chainlink-cluster/Chart.yaml +++ b/charts/chainlink-cluster/Chart.yaml @@ -2,4 +2,10 @@ apiVersion: v1 name: chainlink-cluster description: Chainlink nodes cluster version: 0.1.3 -appVersion: '2.6.0' \ No newline at end of file +appVersion: "2.6.0" + +dependencies: + - name: mockserver + version: "5.14.0" + repository: "@mockserver" + condition: mockserver.enabled diff --git a/charts/chainlink-cluster/devspace.yaml b/charts/chainlink-cluster/devspace.yaml index 4f7cf8641a3..a99ae4364fd 100644 --- a/charts/chainlink-cluster/devspace.yaml +++ b/charts/chainlink-cluster/devspace.yaml @@ -50,6 +50,7 @@ deployments: networkid: 1337 blocktime: 1 mockserver: + enabled: true port: 1080 db: stateful: false @@ -76,10 +77,10 @@ deployments: image: ${DEVSPACE_IMAGE} version: latest prometheusMonitor: "true" - podAnnotations: { } - nodeSelector: { } - tolerations: [ ] - affinity: { } + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} profiles: # this replaces only "runner" pod, usable when you'd like to run some system level tests inside k8s diff --git a/charts/chainlink-cluster/values-raw-helm.yaml b/charts/chainlink-cluster/values-raw-helm.yaml index 726a5347119..189803ab545 100644 --- a/charts/chainlink-cluster/values-raw-helm.yaml +++ b/charts/chainlink-cluster/values-raw-helm.yaml 
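Review bot: The `dependencies:` block added to Chart.yaml sits in a chart that still declares `apiVersion: v1` (visible in the hunk header); Helm reads dependencies from Chart.yaml only for `apiVersion: v2` charts, and v1 charts are expected to list them in requirements.yaml. The `repository: "@mockserver"` alias also resolves to whatever URL each developer or CI runner has registered under that name, so the source of the subchart is not fixed by anything in the repository. I would move the chart to `apiVersion: v2`, give the repository as an explicit URL, and commit the generated Chart.lock so the resolved dependency is reviewable.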
@@ -17,34 +17,34 @@ chainlink: image: "public.ecr.aws/chainlink/chainlink:latest" # override default config per node # for example, use OCRv2 P2P setup, the whole config -# toml: | -# RootDir = './clroot' -# [Log] -# JSONConsole = true -# Level = 'debug' -# [WebServer] -# AllowOrigins = '*' -# SecureCookies = false -# SessionTimeout = '999h0m0s' -# [OCR2] -# Enabled = true -# [P2P] -# [P2P.V2] -# Enabled = false -# AnnounceAddresses = [] -# DefaultBootstrappers = [] -# DeltaDial = '15s' -# DeltaReconcile = '1m0s' -# ListenAddresses = [] -# [[EVM]] -# ChainID = '1337' -# MinContractPayment = '0' -# [[EVM.Nodes]] -# Name = 'node-0' -# WSURL = 'ws://geth:8546' -# HTTPURL = 'http://geth:8544' -# [WebServer.TLS] -# HTTPSPort = 0 + # toml: | + # RootDir = './clroot' + # [Log] + # JSONConsole = true + # Level = 'debug' + # [WebServer] + # AllowOrigins = '*' + # SecureCookies = false + # SessionTimeout = '999h0m0s' + # [OCR2] + # Enabled = true + # [P2P] + # [P2P.V2] + # Enabled = false + # AnnounceAddresses = [] + # DefaultBootstrappers = [] + # DeltaDial = '15s' + # DeltaReconcile = '1m0s' + # ListenAddresses = [] + # [[EVM]] + # ChainID = '1337' + # MinContractPayment = '0' + # [[EVM.Nodes]] + # Name = 'node-0' + # WSURL = 'ws://geth:8546' + # HTTPURL = 'http://geth:8544' + # [WebServer.TLS] + # HTTPSPort = 0 # or use overridesToml to override some part of configuration # overridesToml: | - name: node-2 @@ -93,6 +93,7 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: + enabled: true port: 1080 resources: requests: From 2e4f815564eb1dde4f10bb67f99cbc7780095bee Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 22 Nov 2023 17:19:51 -0500 Subject: [PATCH 05/56] Add default values file --- charts/chainlink-cluster/values.yaml | 110 +++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 charts/chainlink-cluster/values.yaml 
diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml
new file mode 100644
index 00000000000..deb63d59d3d
--- /dev/null
+++ b/charts/chainlink-cluster/values.yaml
@@ -0,0 +1,110 @@
+# override resources for keys "chainlink", "db", or "geth" if needed
+# resources:
+# requests:
+# cpu: 350m
+# memory: 1024Mi
+# limits:
+# cpu: 350m
+# memory: 1024Mi
+# images can be overriden for the same keys:
+# image: ethereum/client-go
+# version: stable
+chainlink:
+ web_port: 6688
+ p2p_port: 8090
+ nodes:
+ - name: node-1
+ image: "public.ecr.aws/chainlink/chainlink:latest"
+ # override default config per node
+ # for example, use OCRv2 P2P setup, the whole config
+ # toml: |
+ # RootDir = './clroot'
+ # [Log]
+ # JSONConsole = true
+ # Level = 'debug'
+ # [WebServer]
+ # AllowOrigins = '*'
+ # SecureCookies = false
+ # SessionTimeout = '999h0m0s'
+ # [OCR2]
+ # Enabled = true
+ # [P2P]
+ # [P2P.V2]
+ # Enabled = false
+ # AnnounceAddresses = []
+ # DefaultBootstrappers = []
+ # DeltaDial = '15s'
+ # DeltaReconcile = '1m0s'
+ # ListenAddresses = []
+ # [[EVM]]
+ # ChainID = '1337'
+ # MinContractPayment = '0'
+ # [[EVM.Nodes]]
+ # Name = 'node-0'
+ # WSURL = 'ws://geth:8546'
+ # HTTPURL = 'http://geth:8544'
+ # [WebServer.TLS]
+ # HTTPSPort = 0
+ - name: node-2
+ - name: node-3
+ - name: node-4
+ resources:
+ requests:
+ cpu: 350m
+ memory: 1024Mi
+ limits:
+ cpu: 350m
+ memory: 1024Mi
+
+# each CL node have a dedicated PostgreSQL 11.15
+# use StatefulSet by setting:
+#
+# stateful: true
+# capacity 10Gi
+#
+# if you are running long tests
+db:
+ stateful: false
+ resources:
+ requests:
+ cpu: 1
+ memory: 1024Mi
+ limits:
+ cpu: 1
+ memory: 1024Mi
+# default cluster shipped with latest Geth ( dev mode by default )
+geth:
+ version: v1.12.0
+ wsrpc-port: 8546
+ httprpc-port: 8544
+ networkid: 1337
+ blocktime: 1
+ resources:
+ requests:
+ cpu: 1
+ memory: 1024Mi
+ limits:
+ cpu: 1
+ memory: 1024Mi
+# mockserver is https://www.mock-server.com/where/kubernetes.html
+# used to stub External Adapters
+mockserver:
+ enabled: true
+runner:
+ stateful: false
+ resources:
+ requests:
+ cpu: 1
+ memory: 512Mi
+ limits:
+ cpu: 1
+ memory: 512Mi
+
+# monitoring.coreos.com/v1 PodMonitor for each node +prometheusMonitor: false + +# deployment placement, standard helm stuff +podAnnotations: +nodeSelector: +tolerations: +affinity: From 231be264df3d68aca5d4f3515b5c47fe898e5f3f Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 22 Nov 2023 17:43:29 -0500 Subject: [PATCH 06/56] Add security contexts --- .../templates/chainlink-deployment.yaml | 6 ++++++ .../chainlink-cluster/templates/geth-deployment.yaml | 4 ++++ .../chainlink-cluster/templates/runner-deployment.yaml | 4 ++++ charts/chainlink-cluster/values.yaml | 10 ++++++++++ 4 files changed, 24 insertions(+) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index b434c9894b0..29766059223 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -47,8 +47,12 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: chainlink-db + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} image: {{ default "postgres:11.15" $.Values.db.image }} command: - docker-entrypoint.sh 
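Review bot: The default node image in the new values.yaml is `public.ecr.aws/chainlink/chainlink:latest`, a mutable tag, so two installs of the same chart version can end up running different code. Pinning a version tag or a digest, `image: "public.ecr.aws/chainlink/chainlink:<version>"` with the real value filled in, makes a deployment reproducible and lets an incident responder say exactly what ran. Separately, the closing `podAnnotations:`, `nodeSelector:`, `tolerations:` and `affinity:` keys are bare and parse as null; devspace.yaml in this series writes them as `{}` and `[]`, and the same here (`podAnnotations: {}`, `tolerations: []`) keeps the types explicit.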
@@ -121,6 +125,8 @@ spec: subPath: postgres-db {{ end }} - name: node + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always command: ["bash", "-c", "while ! pg_isready --host 0.0.0.0 --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index 11fb0cbee22..ba4950d3c0b 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml @@ -22,8 +22,12 @@ spec: - name: configmap-volume configMap: name: geth-cm + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: geth-network + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" command: [ "sh", "./root/init.sh" ] volumeMounts: diff --git a/charts/chainlink-cluster/templates/runner-deployment.yaml b/charts/chainlink-cluster/templates/runner-deployment.yaml index 5d9025b41c5..668341af668 100644 --- a/charts/chainlink-cluster/templates/runner-deployment.yaml +++ b/charts/chainlink-cluster/templates/runner-deployment.yaml 
@@ -22,8 +22,12 @@ spec: annotations: prometheus.io/scrape: 'true' spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: runner + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" .Values.runner.image }} imagePullPolicy: Always command: [ "/bin/bash", "-c", "--" ] diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index deb63d59d3d..f51e167e94f 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -9,6 +9,16 @@ # images can be overriden for the same keys: # image: ethereum/client-go # version: stable +podSecurityContext: + fsGroup: 2000 + +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 chainlink: web_port: 6688 p2p_port: 8090 From 92f4299960ad74937f3ff38e619abdd1a0e001f4 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 22 Nov 2023 17:54:37 -0500 Subject: [PATCH 07/56] Fix ref to values --- .../chainlink-cluster/templates/chainlink-deployment.yaml | 8 ++++---- charts/chainlink-cluster/templates/geth-deployment.yaml | 4 ++-- charts/chainlink-cluster/templates/runner-deployment.yaml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 29766059223..942714e72ba 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml 
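Review bot: The container `securityContext` added to values.yaml drops all capabilities and sets `runAsNonRoot: true`, but it omits `allowPrivilegeEscalation: false` and a seccomp profile, both of which the Kubernetes restricted Pod Security Standard expects alongside the fields already present. Adding `allowPrivilegeEscalation: false` under `securityContext` and `seccompProfile: {type: RuntimeDefault}` under `podSecurityContext` closes that gap without affecting the images. A one-line comment above the block, `# applied to every container in the chart via the deployment templates`, would also tell readers how far these defaults reach.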
@@ -48,11 +48,11 @@ spec: configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: - name: chainlink-db securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml $.Values.securityContext | nindent 12 }} image: {{ default "postgres:11.15" $.Values.db.image }} command: - docker-entrypoint.sh @@ -126,7 +126,7 @@ spec: {{ end }} - name: node securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml $.Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always command: ["bash", "-c", "while ! pg_isready --host 0.0.0.0 --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] @@ -187,4 +187,4 @@ spec: {{ toYaml . | indent 8 }} {{- end }} --- -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index ba4950d3c0b..3e0d3a24df7 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml 
@@ -23,11 +23,11 @@ spec: configMap: name: geth-cm securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: - name: geth-network securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml $.Values.securityContext | nindent 12 }} image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" command: [ "sh", "./root/init.sh" ] volumeMounts: diff --git a/charts/chainlink-cluster/templates/runner-deployment.yaml b/charts/chainlink-cluster/templates/runner-deployment.yaml index 668341af668..622efbae8fb 100644 --- a/charts/chainlink-cluster/templates/runner-deployment.yaml +++ b/charts/chainlink-cluster/templates/runner-deployment.yaml @@ -23,11 +23,11 @@ spec: prometheus.io/scrape: 'true' spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: - name: runner securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml $.Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" .Values.runner.image }} imagePullPolicy: Always command: [ "/bin/bash", "-c", "--" ] From fef162353e98521164484ad8b9f6fef09d85b71d Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 09:22:05 -0500 Subject: [PATCH 08/56] Use head SHA instead of commit SHA for image tagging --- .github/actions/build-sign-publish-chainlink/action.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 62add53092a..f3c4fb3b0bc 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
@@ -123,7 +123,10 @@ runs: - name: Generate docker metadata for root image id: meta-root uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.4 + env: + DOCKER_METADATA_PR_HEAD_SHA: "true" with: + context: git # list of Docker images to use as base name for tags images: ${{ env.shared-images }} # XXX: DO NOT USE SHARED TAGS HERE @@ -165,7 +168,10 @@ runs: - name: Generate docker metadata for non-root image id: meta-nonroot uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.4 + env: + DOCKER_METADATA_PR_HEAD_SHA: "true" with: + context: git flavor: | latest=auto prefix= From 81f94e30e361334097aec668a283ca005c1bf401 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 10:43:26 -0500 Subject: [PATCH 09/56] Use emptyDir mount for postgres to resolve perm issues --- .../chainlink-cluster/templates/chainlink-deployment.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 942714e72ba..3b53db6a264 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -47,6 +47,10 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + {{ if not $.Values.db.stateful }} + - name: postgres + emptyDir: {} + {{ end }} securityContext: {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: 
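Review bot: Both `docker/metadata-action` steps now set `DOCKER_METADATA_PR_HEAD_SHA: "true"` together with `context: git`, and nothing in the file says why or how the two interact. As far as I can tell the environment variable is honoured when the action derives its data from the workflow event, whereas `context: git` takes the SHA from the checked-out tree, so the override may have no effect in this combination; that should be confirmed against the README of the pinned v4.4.4. Whichever setting is kept, a comment such as `# tag PR images with the PR head commit, not the synthetic merge commit` above the `env:` block would record the intent, since the `image-exists` checks elsewhere in this series look images up by `${{ github.sha }}`.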
@@ -118,12 +122,12 @@ spec: - mountPath: /docker-entrypoint-initdb.d/init.sql name: {{ $.Release.Name }}-{{ $cfg.name }}-cm subPath: init.sql - {{ if $.Values.db.stateful }} volumeMounts: - mountPath: /var/lib/postgresql/data name: postgres + {{ if $.Values.db.stateful }} subPath: postgres-db - {{ end }} + {{ end }} - name: node securityContext: {{- toYaml $.Values.securityContext | nindent 12 }} From 54cadca788d96a9fe384619508d0177765742138 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 10:55:57 -0500 Subject: [PATCH 10/56] Fix volume mounts on postgres --- charts/chainlink-cluster/templates/chainlink-deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 3b53db6a264..5f518a2ab92 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -122,7 +122,6 @@ spec: - mountPath: /docker-entrypoint-initdb.d/init.sql name: {{ $.Release.Name }}-{{ $cfg.name }}-cm subPath: init.sql - volumeMounts: - mountPath: /var/lib/postgresql/data name: postgres {{ if $.Values.db.stateful }} From 3eadf8858f65ba4f228dee471c8a80136177d24d Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 11:29:47 -0500 Subject: [PATCH 11/56] Fix /tmp writes and mount /tmp emptyDir --- .../chainlink-cluster/templates/chainlink-deployment.yaml | 6 ++++++ charts/chainlink-cluster/values.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 5f518a2ab92..418027c057e 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml 
@@ -47,6 +47,8 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + - name: temp-volume + emptyDir: {} {{ if not $.Values.db.stateful }} - name: postgres emptyDir: {} @@ -127,6 +129,10 @@ spec: {{ if $.Values.db.stateful }} subPath: postgres-db {{ end }} + {{ if not $.Values.db.stateful }} + - mountPath: /tmp + name: temp-volume + {{ end }} - name: node securityContext: {{- toYaml $.Values.securityContext | nindent 12 }} diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index f51e167e94f..34f49e4a5ea 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -16,7 +16,7 @@ securityContext: capabilities: drop: - ALL - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 chainlink: From 3c45404bda87f812728d3b4409f6092e833d8d5c Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 11:38:50 -0500 Subject: [PATCH 12/56] Remove custom uid --- charts/chainlink-cluster/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 34f49e4a5ea..6c5c5097733 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -18,7 +18,6 @@ securityContext: - ALL readOnlyRootFilesystem: false runAsNonRoot: true - runAsUser: 1000 chainlink: web_port: 6688 p2p_port: 8090 From f0d60b9e94fb5d12294454427a670b578cd7c3b1 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 11:56:45 -0500 Subject: [PATCH 13/56] Run as same uid as postgres --- charts/chainlink-cluster/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 6c5c5097733..83d9c656257 100644 --- a/charts/chainlink-cluster/values.yaml 
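Review bot: The values.yaml hunk flips `readOnlyRootFilesystem` to `false` for every container that shares `securityContext`, although the same commit already adds a `temp-volume` emptyDir for `/tmp`. That gives up a hardening control on the node, geth and runner containers to solve a write problem that, judging by the commit title, comes from postgres. I would keep `readOnlyRootFilesystem: true` and mount emptyDir volumes at the remaining paths that need writes (for the postgres image that is typically `/var/run/postgresql` as well as the data directory; confirm from the container's error). Note also that the `/tmp` mount is wrapped in `{{ if not $.Values.db.stateful }}` while the volume is declared unconditionally, so a stateful install gets no writable `/tmp`.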
+++ b/charts/chainlink-cluster/values.yaml @@ -18,6 +18,7 @@ securityContext: - ALL readOnlyRootFilesystem: false runAsNonRoot: true + runAsUser: 999 chainlink: web_port: 6688 p2p_port: 8090 From ee75fe9498c6bf38fbae72964f7d0a64e2994912 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 12:14:11 -0500 Subject: [PATCH 14/56] Test DOCKER_METADATA_PR_HEAD_SHA disable for root image --- .github/actions/build-sign-publish-chainlink/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index f3c4fb3b0bc..66ac4798c9a 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -124,7 +124,7 @@ runs: id: meta-root uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.4 env: - DOCKER_METADATA_PR_HEAD_SHA: "true" + DOCKER_METADATA_PR_HEAD_SHA: "false" with: context: git # list of Docker images to use as base name for tags From 03413ead831c2b06288a001d4df1e931ded001de Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 12:19:06 -0500 Subject: [PATCH 15/56] Upgrade docker metadata action --- .github/actions/build-sign-publish-chainlink/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 66ac4798c9a..505c2999386 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
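Review bot: `runAsUser: 999` lands in the chart-wide `securityContext`, which the templates render into the postgres, node, geth and runner containers alike, so a UID picked to match the postgres image now also overrides the user of three unrelated images. A numeric UID belongs next to the image it was chosen for; a db-scoped value such as `db.securityContext.runAsUser: 999`, consumed only by the `chainlink-db` container, leaves the other containers on their own non-root users. A short comment, `# 999 = postgres user in the postgres:11.15 image`, would explain the number once it has been confirmed against the image.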
@@ -122,9 +122,9 @@ runs: - name: Generate docker metadata for root image id: meta-root - uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.4 + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 env: - DOCKER_METADATA_PR_HEAD_SHA: "false" + DOCKER_METADATA_PR_HEAD_SHA: "true" with: context: git # list of Docker images to use as base name for tags @@ -167,7 +167,7 @@ runs: - name: Generate docker metadata for non-root image id: meta-nonroot - uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.4 + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 env: DOCKER_METADATA_PR_HEAD_SHA: "true" with: From 46bdcdf26b6c63ec027213bce15161042477dcaa Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 12:25:34 -0500 Subject: [PATCH 16/56] Do a full clone --- .github/workflows/build-publish-develop.yml | 1 + .github/workflows/build-publish.yml | 2 ++ .github/workflows/build.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml index 3a8cff975fb..5254a35d0c5 100644 --- a/.github/workflows/build-publish-develop.yml +++ b/.github/workflows/build-publish-develop.yml @@ -34,6 +34,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.GIT_REF }} + fetch-depth: 0 # When this is ran from manual workflow_dispatch, the github.sha may be # different than the checked out commit sha. The core build uses this # commit sha as build metadata, so we need to make sure it's correct. diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 29b786cf604..0df32dc2dea 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml 
@@ -34,6 +34,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 - name: Build, sign and publish chainlink image uses: ./.github/actions/build-sign-publish-chainlink diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6282e2168d8..1b883b7370c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 - name: Build chainlink image uses: ./.github/actions/build-sign-publish-chainlink From 0a780db326c147b9d65ed2a0c0fd0e997709d791 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 13:05:35 -0500 Subject: [PATCH 17/56] Avoid emptyDir mounts and update gid --- .../templates/chainlink-deployment.yaml | 12 +----------- charts/chainlink-cluster/values.yaml | 2 +- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 418027c057e..248b6e39c57 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -47,12 +47,6 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm - - name: temp-volume - emptyDir: {} - {{ if not $.Values.db.stateful }} - - name: postgres - emptyDir: {} - {{ end }} securityContext: {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: 
@@ -124,14 +118,10 @@ spec: - mountPath: /docker-entrypoint-initdb.d/init.sql name: {{ $.Release.Name }}-{{ $cfg.name }}-cm subPath: init.sql + {{ if $.Values.db.stateful }} - mountPath: /var/lib/postgresql/data name: postgres - {{ if $.Values.db.stateful }} subPath: postgres-db - {{ end }} - {{ if not $.Values.db.stateful }} - - mountPath: /tmp - name: temp-volume {{ end }} - name: node securityContext: diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 83d9c656257..c0fdf925127 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -10,7 +10,7 @@ # image: ethereum/client-go # version: stable podSecurityContext: - fsGroup: 2000 + fsGroup: 999 securityContext: capabilities: From 9c4c14ade78092c5c04e15f94ce32c0db5b0aedf Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 13:34:19 -0500 Subject: [PATCH 18/56] Use head SHA when on a PR as default input --- .github/actions/build-sign-publish-chainlink/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 505c2999386..d9d685e209f 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -34,7 +34,7 @@ inputs: required: false git-commit-sha: description: Git commit SHA used as metadata when building the application (appears in logs) - default: ${{ github.sha }} + default: ${{ github.event.pull_request.head.sha || github.sha }} required: false aws-role-to-assume: description: The AWS role to assume as the CD user, if any. Used in configuring the docker/login-action From 61aa60dd1c1c9fee8f535a15cc85728b64d82237 Mon Sep 17 00:00:00 2001 
From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 14:01:07 -0500 Subject: [PATCH 19/56] Downgrade metata action to latest on prev major --- .github/actions/build-sign-publish-chainlink/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index d9d685e209f..6cbe199fc92 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -122,7 +122,7 @@ runs: - name: Generate docker metadata for root image id: meta-root - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 env: DOCKER_METADATA_PR_HEAD_SHA: "true" with: @@ -167,7 +167,7 @@ runs: - name: Generate docker metadata for non-root image id: meta-nonroot - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 env: DOCKER_METADATA_PR_HEAD_SHA: "true" with: From 6584e125eebe51eab880107434285e0d8d9046e1 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 14:19:04 -0500 Subject: [PATCH 20/56] Override sha tag with HEAD value --- .github/actions/build-sign-publish-chainlink/action.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 6cbe199fc92..a2ae9f8fd41 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
@@ -73,15 +73,21 @@ runs: using: composite steps: - name: Set shared variables - shell: sh + shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | + if [[ "${{ github.event_name }}" = "pull_request" ]]; then + SHORT_SHA=$(git rev-parse HEAD | cut -c1-7) + else + SHORT_SHA=${GITHUB_SHA:0:7} + fi SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} SHARED_TAG_LIST=$(cat << EOF type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }} + type=sha,priority=9999,prefix=sha,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} EOF ) From b09c9594d9b52bd5160fd44fa29c71ff16a34a40 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 14:26:05 -0500 Subject: [PATCH 21/56] Remove old sha tag default --- .github/actions/build-sign-publish-chainlink/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index a2ae9f8fd41..375ea495036 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -86,7 +86,6 @@ runs: SHARED_TAG_LIST=$(cat << EOF type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} - type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }} type=sha,priority=9999,prefix=sha,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} EOF ) From f3442f2a2ebece2e688ee354cd84f4677e637644 Mon Sep 17 00:00:00 2001 
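Review bot: The added rule `type=sha,priority=9999,prefix=sha,...,value=${SHORT_SHA}` probably does not override anything, because `type=sha` in docker/metadata-action has no documented `value` attribute and takes the commit from the event context. As far as I can tell the `value=` part is ignored, so the tag would still follow the action's own SHA rather than `SHORT_SHA`. If an explicit value is wanted, the documented form is `type=raw,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA}`. The same rule reappears in the later hunks of this series that touch `SHARED_TAG_LIST` and the `meta-root` tags, and the `run:` block continues outside this hunk.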
From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 14:39:03 -0500 Subject: [PATCH 22/56] Attempt to fix sha tag --- .github/actions/build-sign-publish-chainlink/action.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 375ea495036..ec4c1ea66ca 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -76,11 +76,7 @@ runs: shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | - if [[ "${{ github.event_name }}" = "pull_request" ]]; then - SHORT_SHA=$(git rev-parse HEAD | cut -c1-7) - else - SHORT_SHA=${GITHUB_SHA:0:7} - fi + SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7)) SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} SHARED_TAG_LIST=$(cat << EOF From 08f72209df705c162bc4dd2d6bc06b18d148e1c4 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 14:43:16 -0500 Subject: [PATCH 23/56] Fix syntax error --- .github/actions/build-sign-publish-chainlink/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index ec4c1ea66ca..9c8c55e782b 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
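Review bot: The added line `SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7))` pastes a caller-supplied input into the script text before bash parses it, so any shell syntax in the value runs as part of this step; it also ends in an unbalanced `)`. Pass the input through the step environment instead: add `env:` with `GIT_COMMIT_SHA: ${{ inputs.git-commit-sha }}` and use `SHORT_SHA="${GIT_COMMIT_SHA:0:7}"`. The unchanged context lines expand `inputs.ecr-hostname`, `inputs.ecr-image-name` and `inputs.ecr-tag-suffix` the same way. The pattern recurs in the later hunks of this file (the syntax fix, the refactor and its revert). The `run:` block continues outside the hunk.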
@@ -76,7 +76,7 @@ runs: shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | - SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7)) + SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7) SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} SHARED_TAG_LIST=$(cat << EOF From ab4a967033af5f45a3bf84de7e31779bb57e431f Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:00:08 -0500 Subject: [PATCH 24/56] Remove DOCKER_METADATA_PR_HEAD_SHA env --- .github/actions/build-sign-publish-chainlink/action.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 9c8c55e782b..48004fd1182 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -82,7 +82,7 @@ runs: SHARED_TAG_LIST=$(cat << EOF type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} - type=sha,priority=9999,prefix=sha,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} + type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} EOF ) @@ -124,10 +124,7 @@ runs: - name: Generate docker metadata for root image id: meta-root uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 - env: - DOCKER_METADATA_PR_HEAD_SHA: "true" with: - context: git # list of Docker images to use as base name for tags images: ${{ env.shared-images }} # XXX: DO NOT USE SHARED TAGS HERE 
@@ -169,10 +166,7 @@ runs: - name: Generate docker metadata for non-root image id: meta-nonroot uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 - env: - DOCKER_METADATA_PR_HEAD_SHA: "true" with: - context: git flavor: | latest=auto prefix= From ff0c7339284d70af6abf8118c9ecde4630fe6137 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:28:24 -0500 Subject: [PATCH 25/56] Refactor shared var output --- .../build-sign-publish-chainlink/action.yml | 48 +++++++------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 48004fd1182..3adebd0502c 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
@@ -76,32 +76,20 @@ runs: shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | - SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7) - SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} + SHORT_SHA=$(echo "${{ inputs.git-commit-sha }}" | cut -c1-7) + SHARED_IMAGES="${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}" + echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV + echo "SHARED_IMAGES=$SHARED_IMAGES" >> $GITHUB_ENV - SHARED_TAG_LIST=$(cat << EOF - type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} - type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} - type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} - EOF - ) + echo 'SHARED_TAG_LIST<> $GITHUB_ENV + echo "type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}" >> $GITHUB_ENV + echo "type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }}" >> $GITHUB_ENV + echo "type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=$SHORT_SHA" >> $GITHUB_ENV + echo 'EOF' >> $GITHUB_ENV - SHARED_BUILD_ARGS=$(cat << EOF - COMMIT_SHA=${{ inputs.git-commit-sha }} - EOF - ) - - echo "shared-images<> $GITHUB_ENV - echo "$SHARED_IMAGES" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - echo "shared-tag-list<> $GITHUB_ENV - echo "$SHARED_TAG_LIST" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - echo "shared-build-args<> $GITHUB_ENV - echo "$SHARED_BUILD_ARGS" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + echo 'SHARED_BUILD_ARGS<> $GITHUB_ENV + echo "COMMIT_SHA=${{ inputs.git-commit-sha }}" >> $GITHUB_ENV + echo 'EOF' >> $GITHUB_ENV - if: inputs.publish == 'true' # Log in to AWS for publish to ECR 
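Review bot: The multi-line values that the added `echo` lines write to `$GITHUB_ENV` are closed with the fixed delimiter `EOF`, while part of the content between the delimiters comes from action inputs (`inputs.ecr-tag-suffix`, `inputs.git-commit-sha`). A value containing a line that reads `EOF` would end the block early, and the remainder would be parsed as further environment assignments visible to every later step. Use a delimiter generated per run, for example `DELIM="EOF_$(openssl rand -hex 16)"` followed by `echo "SHARED_TAG_LIST<<$DELIM" >> "$GITHUB_ENV"`, and quote the target as `>> "$GITHUB_ENV"` throughout. The opening `NAME<<EOF` lines appear garbled on this page, so this reads the intent from the matching `echo 'EOF'` lines. The revert of this commit restores an older block with the same fixed delimiter.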
@@ -126,12 +114,12 @@ runs: uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 with: # list of Docker images to use as base name for tags - images: ${{ env.shared-images }} + images: ${{ env.SHARED_IMAGES }} # XXX: DO NOT USE SHARED TAGS HERE tags: | type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}-root type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }}-root - type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }}-root + type=sha,format=short,prefix=sha-,value=${{ env.SHORT_SHA }},suffix=${{ inputs.ecr-tag-suffix }}-root # To avoid rate limiting from Docker Hub, we login with a paid user account. - name: Login to Docker Hub @@ -153,7 +141,7 @@ runs: file: ${{ inputs.dockerfile }} build-args: | CHAINLINK_USER=root - ${{ env.shared-build-args }} + ${{ env.SHARED_BUILD_ARGS }} - name: Save root image name in GITHUB_ENV id: save-root-image-name-env @@ -171,8 +159,8 @@ runs: latest=auto prefix= suffix= - images: ${{ env.shared-images }} - tags: ${{ env.shared-tag-list }} + images: ${{ env.SHARED_IMAGES }} + tags: ${{ env.SHARED_TAG_LIST }} # To avoid rate limiting from Docker Hub, we login with a paid user account. - name: Login to Docker Hub @@ -194,7 +182,7 @@ runs: file: ${{ inputs.dockerfile }} build-args: | CHAINLINK_USER=chainlink - ${{ env.shared-build-args }} + ${{ env.SHARED_BUILD_ARGS }} - name: Save non-root image name in GITHUB_ENV and GITHUB_STEP_SUMMARY id: save-non-root-image-name-env From 952eeddd6e13ea38aca3cc7941956616284b89f5 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:51:03 -0500 Subject: [PATCH 26/56] Revert "Refactor shared var output" This reverts commit 2362fe6473974d4723cf5294cccec7090ab07a0f. --- .../build-sign-publish-chainlink/action.yml | 48 ++++++++++++------- 1 file changed, 30 insertions(+), 18 deletions(-) 
diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 3adebd0502c..48004fd1182 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
@@ -76,20 +76,32 @@ runs: shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | - SHORT_SHA=$(echo "${{ inputs.git-commit-sha }}" | cut -c1-7) - SHARED_IMAGES="${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}" - echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV - echo "SHARED_IMAGES=$SHARED_IMAGES" >> $GITHUB_ENV + SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7) + SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} - echo 'SHARED_TAG_LIST<> $GITHUB_ENV - echo "type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}" >> $GITHUB_ENV - echo "type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }}" >> $GITHUB_ENV - echo "type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=$SHORT_SHA" >> $GITHUB_ENV - echo 'EOF' >> $GITHUB_ENV + SHARED_TAG_LIST=$(cat << EOF + type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} + type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} + type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} + EOF + ) - echo 'SHARED_BUILD_ARGS<> $GITHUB_ENV - echo "COMMIT_SHA=${{ inputs.git-commit-sha }}" >> $GITHUB_ENV - echo 'EOF' >> $GITHUB_ENV + SHARED_BUILD_ARGS=$(cat << EOF + COMMIT_SHA=${{ inputs.git-commit-sha }} + EOF + ) + + echo "shared-images<> $GITHUB_ENV + echo "$SHARED_IMAGES" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + echo "shared-tag-list<> $GITHUB_ENV + echo "$SHARED_TAG_LIST" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + echo "shared-build-args<> $GITHUB_ENV + echo "$SHARED_BUILD_ARGS" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV - if: inputs.publish == 'true' # Log in to AWS for publish to ECR 
@@ -114,12 +126,12 @@ runs: uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 with: # list of Docker images to use as base name for tags - images: ${{ env.SHARED_IMAGES }} + images: ${{ env.shared-images }} # XXX: DO NOT USE SHARED TAGS HERE tags: | type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}-root type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }}-root - type=sha,format=short,prefix=sha-,value=${{ env.SHORT_SHA }},suffix=${{ inputs.ecr-tag-suffix }}-root + type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }}-root # To avoid rate limiting from Docker Hub, we login with a paid user account. - name: Login to Docker Hub @@ -141,7 +153,7 @@ runs: file: ${{ inputs.dockerfile }} build-args: | CHAINLINK_USER=root - ${{ env.SHARED_BUILD_ARGS }} + ${{ env.shared-build-args }} - name: Save root image name in GITHUB_ENV id: save-root-image-name-env @@ -159,8 +171,8 @@ runs: latest=auto prefix= suffix= - images: ${{ env.SHARED_IMAGES }} - tags: ${{ env.SHARED_TAG_LIST }} + images: ${{ env.shared-images }} + tags: ${{ env.shared-tag-list }} # To avoid rate limiting from Docker Hub, we login with a paid user account. - name: Login to Docker Hub @@ -182,7 +194,7 @@ runs: file: ${{ inputs.dockerfile }} build-args: | CHAINLINK_USER=chainlink - ${{ env.SHARED_BUILD_ARGS }} + ${{ env.shared-build-args }} - name: Save non-root image name in GITHUB_ENV and GITHUB_STEP_SUMMARY id: save-non-root-image-name-env From de373f177296ee1189dc1db28312a156480e1745 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:51:17 -0500 Subject: [PATCH 27/56] Revert "Remove DOCKER_METADATA_PR_HEAD_SHA env" This reverts commit a7bd01e544ad97603147ccb33576e8006056e930. --- .github/actions/build-sign-publish-chainlink/action.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 48004fd1182..9c8c55e782b 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -82,7 +82,7 @@ runs: SHARED_TAG_LIST=$(cat << EOF type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} - type=sha,priority=9999,prefix=sha-,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} + type=sha,priority=9999,prefix=sha,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} EOF ) @@ -124,7 +124,10 @@ runs: - name: Generate docker metadata for root image id: meta-root uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 + env: + DOCKER_METADATA_PR_HEAD_SHA: "true" with: + context: git # list of Docker images to use as base name for tags images: ${{ env.shared-images }} # XXX: DO NOT USE SHARED TAGS HERE @@ -166,7 +169,10 @@ runs: - name: Generate docker metadata for non-root image id: meta-nonroot uses: docker/metadata-action@2c0bd771b40637d97bf205cbccdd294a32112176 # v4.5.0 + env: + DOCKER_METADATA_PR_HEAD_SHA: "true" with: + context: git flavor: | latest=auto prefix= From 34889123860ecc2e9125799dd3fe9ae860d75a8b Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:52:30 -0500 Subject: [PATCH 28/56] Try to make things work again --- .github/actions/build-sign-publish-chainlink/action.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 9c8c55e782b..348f64e7f0d 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml 
@@ -82,7 +82,7 @@ runs: SHARED_TAG_LIST=$(cat << EOF type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }} type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }} - type=sha,priority=9999,prefix=sha,suffix=${{ inputs.ecr-tag-suffix }},value=${SHORT_SHA} + type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }} EOF ) @@ -127,7 +127,6 @@ runs: env: DOCKER_METADATA_PR_HEAD_SHA: "true" with: - context: git # list of Docker images to use as base name for tags images: ${{ env.shared-images }} # XXX: DO NOT USE SHARED TAGS HERE @@ -172,7 +171,6 @@ runs: env: DOCKER_METADATA_PR_HEAD_SHA: "true" with: - context: git flavor: | latest=auto prefix= From cac5bcb79f66243055dd4a469540b3ab2281b347 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 16:33:15 -0500 Subject: [PATCH 29/56] Set the host to localhost for K8s --- charts/chainlink-cluster/templates/chainlink-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 248b6e39c57..f79f2dcbfa1 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml 
@@ -128,7 +128,7 @@ spec: {{- toYaml $.Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always - command: ["bash", "-c", "while ! pg_isready --host 0.0.0.0 --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] + command: ["bash", "-c", "while ! pg_isready --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] ports: - name: access containerPort: {{ $.Values.chainlink.web_port }} @@ -136,7 +136,7 @@ spec: containerPort: {{ $.Values.chainlink.p2p_port }} env: - name: CL_DATABASE_URL - value: postgresql://postgres:verylongdatabasepassword@0.0.0.0/chainlink?sslmode=disable + value: postgresql://postgres:verylongdatabasepassword@localhost/chainlink?sslmode=disable - name: CL_DEV value: "false" volumeMounts: From 84f5e374041c915cba26949c3a295f7a97d97446 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 24 Nov 2023 17:34:11 -0500 Subject: [PATCH 30/56] Add user to pg_isready --- charts/chainlink-cluster/templates/chainlink-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index f79f2dcbfa1..6eefa04d746 100644 
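Review bot: The rewritten `CL_DATABASE_URL` value still carries the database password in the template itself, so it is readable in the chart source and in every rendered Deployment. Even if this is a dev/test chart, as the values comments suggest, moving the URL into a Secret and referencing it with `valueFrom.secretKeyRef` lets the credential differ per release; the Postgres container would need to read the same source. `sslmode=disable` is less of a concern now that the host is `localhost` inside the pod. The `env:` list continues outside the hunk.

```yaml
- name: CL_DATABASE_URL
  valueFrom:
    secretKeyRef:
      # placeholder Secret name and key; neither is defined in this patch
      name: PLACEHOLDER-db-credentials
      key: url
# … unchanged: CL_DEV and the remaining env entries …
```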
--- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -128,7 +128,7 @@ spec: {{- toYaml $.Values.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always - command: ["bash", "-c", "while ! pg_isready --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] + command: ["bash", "-c", "while ! pg_isready -U postgres --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] ports: - name: access containerPort: {{ $.Values.chainlink.web_port }} From 7cc3bdcaf0802b7db237f0bc32a167fb37fa7df5 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Sat, 25 Nov 2023 10:46:05 -0500 Subject: [PATCH 31/56] Make securityContext container specific --- .../templates/chainlink-deployment.yaml | 4 +- .../templates/geth-deployment.yaml | 2 +- .../templates/runner-deployment.yaml | 2 +- charts/chainlink-cluster/values-raw-helm.yaml | 43 +++++++++++++++++ charts/chainlink-cluster/values.yaml | 47 ++++++++++++++++--- 5 files changed, 87 insertions(+), 11 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 6eefa04d746..d3cd0f8ecb1 100644 
--- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -52,7 +52,7 @@ spec: containers: - name: chainlink-db securityContext: - {{- toYaml $.Values.securityContext | nindent 12 }} + {{- toYaml $.Values.db.securityContext | nindent 12 }} image: {{ default "postgres:11.15" $.Values.db.image }} command: - docker-entrypoint.sh @@ -125,7 +125,7 @@ spec: {{ end }} - name: node securityContext: - {{- toYaml $.Values.securityContext | nindent 12 }} + {{- toYaml $.Values.chainlink.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always command: ["bash", "-c", "while ! pg_isready -U postgres --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index 3e0d3a24df7..139dacdf69e 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml @@ -27,7 +27,7 @@ spec: containers: - name: geth-network securityContext: - {{- toYaml $.Values.securityContext | nindent 12 }} + {{- toYaml $.Values.geth.securityContext | nindent 12 }} image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" command: [ "sh", "./root/init.sh" ] volumeMounts: diff --git a/charts/chainlink-cluster/templates/runner-deployment.yaml b/charts/chainlink-cluster/templates/runner-deployment.yaml index 622efbae8fb..e9690861609 100644 --- a/charts/chainlink-cluster/templates/runner-deployment.yaml 
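Review bot: The templates now read `$.Values.db.securityContext` and `$.Values.chainlink.securityContext` with no fallback, so a values file that still sets only the old top-level `securityContext` would likely render an empty context and silently lose `runAsNonRoot` and the capability drop. Either fail fast, e.g. `{{- toYaml (required "db.securityContext is required" $.Values.db.securityContext) | nindent 12 }}`, or fall back with `default $.Values.securityContext`. The same applies to the geth hunk on this line and to the runner hunk that follows. `mockserver.securityContext` is added to the values files, but no template hunk in this commit reads it; that may be handled outside the patch.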
+++ b/charts/chainlink-cluster/templates/runner-deployment.yaml @@ -27,7 +27,7 @@ spec: containers: - name: runner securityContext: - {{- toYaml $.Values.securityContext | nindent 12 }} + {{- toYaml $.Values.runner.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" .Values.runner.image }} imagePullPolicy: Always command: [ "/bin/bash", "-c", "--" ] diff --git a/charts/chainlink-cluster/values-raw-helm.yaml b/charts/chainlink-cluster/values-raw-helm.yaml index 189803ab545..036d604f359 100644 --- a/charts/chainlink-cluster/values-raw-helm.yaml +++ b/charts/chainlink-cluster/values-raw-helm.yaml @@ -9,7 +9,18 @@ # images can be overriden for the same keys: # image: ethereum/client-go # version: stable +podSecurityContext: + fsGroup: 999 + chainlink: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 14933 + runAsGroup: 999 web_port: 6688 p2p_port: 6690 nodes: @@ -68,6 +79,14 @@ chainlink: # # if you are running long tests db: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 stateful: false resources: requests: @@ -78,6 +97,14 @@ db: memory: 1024Mi # default cluster shipped with latest Geth ( dev mode by default ) geth: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 version: v1.12.0 wsrpc-port: 8546 httprpc-port: 8544 @@ -93,6 +120,14 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 enabled: true port: 1080 resources: 
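Review bot: The `securityContext` blocks added per component in values-raw-helm.yaml drop all capabilities and set `runAsNonRoot`, but none sets `allowPrivilegeEscalation: false`, and each keeps `readOnlyRootFilesystem: false`. Adding `allowPrivilegeEscalation: false` (and, where the cluster supports it, `seccompProfile: {type: RuntimeDefault}`) is what the Kubernetes restricted Pod Security profile expects alongside the settings already here. The block is copied five times in this file and again in the values.yaml hunks that follow. A comment on why `geth`, `mockserver` and `runner` use UID 999 while `chainlink` uses 14933 would help, since the patch does not show which user those images expect.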
@@ -103,6 +138,14 @@ mockserver: cpu: 1 memory: 1024Mi runner: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 stateful: false resources: requests: diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index c0fdf925127..134acf6b9c8 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -12,14 +12,15 @@ podSecurityContext: fsGroup: 999 -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 chainlink: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 14933 + runAsGroup: 999 web_port: 6688 p2p_port: 8090 nodes: @@ -74,6 +75,14 @@ chainlink: # # if you are running long tests db: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 stateful: false resources: requests: @@ -84,6 +93,14 @@ db: memory: 1024Mi # default cluster shipped with latest Geth ( dev mode by default ) geth: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 version: v1.12.0 wsrpc-port: 8546 httprpc-port: 8544 @@ -99,8 +116,24 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 enabled: true runner: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 stateful: false resources: requests: From f6d73e285ddbe42b7b9004529a13699d309648f2 Mon Sep 17 00:00:00 2001 
From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 27 Nov 2023 15:52:45 -0500 Subject: [PATCH 32/56] Create init container to create /clroot --- .../templates/chainlink-deployment.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index d3cd0f8ecb1..2363426056a 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -49,6 +49,16 @@ spec: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm securityContext: {{- toYaml $.Values.podSecurityContext | nindent 8 }} + initContainers: + - name: init-clroot + image: busybox + command: ['sh', '-c', 'mkdir -p /clroot && chown 14933:999 /clroot && chmod 770 /clroot'] + volumeMounts: + - name: clroot-volume + mountPath: /clroot + volumes: + - name: clroot-volume + emptyDir: {} containers: - name: chainlink-db securityContext: From 0fcdec202a7f860e5991ab2ab5fc2846c34f02fd Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 27 Nov 2023 16:18:56 -0500 Subject: [PATCH 33/56] Fix volumes --- .../templates/chainlink-deployment.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 2363426056a..09d95b7dd5b 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml 
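Review bot: The init container pulls `image: busybox` with no tag or digest, so the pod runs whatever `latest` resolves to at pull time, while the workflows in this series pin every action to a commit SHA. Pin it the same way, e.g. `image: busybox:<tag>@sha256:<digest>` (placeholders, to be filled with a verified digest). The hunk also appears to add a second `volumes:` key under the pod spec after the existing one, which most YAML parsers resolve by keeping only the last; the follow-up commit moves `clroot-volume` into the existing list. No container hunk in this commit mounts `clroot-volume`, so whether `/clroot` reaches the node container cannot be confirmed from here.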
@@ -47,18 +47,17 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + - name: clroot-volume + emptyDir: {} securityContext: {{- toYaml $.Values.podSecurityContext | nindent 8 }} initContainers: - - name: init-clroot - image: busybox - command: ['sh', '-c', 'mkdir -p /clroot && chown 14933:999 /clroot && chmod 770 /clroot'] - volumeMounts: - - name: clroot-volume - mountPath: /clroot - volumes: + - name: init-clroot + image: busybox + command: ['sh', '-c', 'mkdir -p /clroot && chown 14933:999 /clroot && chmod 770 /clroot'] + volumeMounts: - name: clroot-volume - emptyDir: {} + mountPath: /clroot containers: - name: chainlink-db securityContext: From 07b911181b919745448b20880abd2f0abe04756e Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 27 Nov 2023 16:25:54 -0500 Subject: [PATCH 34/56] Add security context to init container --- charts/chainlink-cluster/templates/chainlink-deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 09d95b7dd5b..7f8f26637c1 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -53,6 +53,8 @@ spec: {{- toYaml $.Values.podSecurityContext | nindent 8 }} initContainers: - name: init-clroot + securityContext: + {{- toYaml $.Values.db.securityContext | nindent 12 }} image: busybox command: ['sh', '-c', 'mkdir -p /clroot && chown 14933:999 /clroot && chmod 770 /clroot'] volumeMounts: From bfc117cb75bc9b44ce4134356772e85da1c960c1 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 27 Nov 2023 17:02:21 -0500 Subject: [PATCH 35/56] Skip the chown --- charts/chainlink-cluster/templates/chainlink-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
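Review bot: Reusing `$.Values.db.securityContext` for `init-clroot` makes the container run as UID 999 with all capabilities dropped (per the `db` block in `values.yaml`), and under those settings `chown 14933:999 /clroot` in its command cannot succeed. The init container would then exit non-zero and the pod would not start. Either drop the `chown` and rely on `fsGroup` for group access to the `emptyDir`, or give the init container its own context that adds only `CHOWN`. A dedicated values key for the init container would also avoid coupling it to later changes in the database settings.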
diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index 7f8f26637c1..f49aa4627fe 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -56,7 +56,7 @@ spec: securityContext: {{- toYaml $.Values.db.securityContext | nindent 12 }} image: busybox - command: ['sh', '-c', 'mkdir -p /clroot && chown 14933:999 /clroot && chmod 770 /clroot'] + command: ['sh', '-c', 'mkdir -p /clroot && chmod 770 /clroot'] volumeMounts: - name: clroot-volume mountPath: /clroot From 68260c06ad9e031824385ae4164ece61ccfff250 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 27 Nov 2023 17:19:31 -0500 Subject: [PATCH 36/56] Remove init container --- .../templates/chainlink-deployment.yaml | 11 ----------- charts/chainlink-cluster/values.yaml | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-deployment.yaml index f49aa4627fe..d3cd0f8ecb1 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-deployment.yaml @@ -47,19 +47,8 @@ spec: - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm - - name: clroot-volume - emptyDir: {} securityContext: {{- toYaml $.Values.podSecurityContext | nindent 8 }} - initContainers: - - name: init-clroot - securityContext: - {{- toYaml $.Values.db.securityContext | nindent 12 }} - image: busybox - command: ['sh', '-c', 'mkdir -p /clroot && chmod 770 /clroot'] - volumeMounts: - - name: clroot-volume - mountPath: /clroot containers: - name: chainlink-db securityContext: diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 134acf6b9c8..cc1d5eaa62e 100644 
--- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -20,7 +20,7 @@ chainlink: readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 14933 - runAsGroup: 999 + runAsGroup: 14933 web_port: 6688 p2p_port: 8090 nodes: From d0596c9bc05af00bcd293449ecb3f46b6c824989 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 28 Nov 2023 16:06:23 -0500 Subject: [PATCH 37/56] Breakout DB into its own deployment and service --- ...ment.yaml => chainlink-db-deployment.yaml} | 65 ++----------- .../templates/chainlink-db-service.yaml | 16 +++ .../templates/chainlink-node-deployment.yaml | 97 +++++++++++++++++++ ...rvice.yaml => chainlink-node-service.yaml} | 0 .../templates/geth-deployment.yaml | 2 +- .../templates/runner-deployment.yaml | 2 +- charts/chainlink-cluster/values.yaml | 13 ++- 7 files changed, 133 insertions(+), 62 deletions(-) rename charts/chainlink-cluster/templates/{chainlink-deployment.yaml => chainlink-db-deployment.yaml} (60%) create mode 100644 charts/chainlink-cluster/templates/chainlink-db-service.yaml create mode 100644 charts/chainlink-cluster/templates/chainlink-node-deployment.yaml rename charts/chainlink-cluster/templates/{chainlink-service.yaml => chainlink-node-service.yaml} (100%) diff --git a/charts/chainlink-cluster/templates/chainlink-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-db-deployment.yaml similarity index 60% rename from charts/chainlink-cluster/templates/chainlink-deployment.yaml rename to charts/chainlink-cluster/templates/chainlink-db-deployment.yaml index d3cd0f8ecb1..f335130ea9f 100644 --- a/charts/chainlink-cluster/templates/chainlink-deployment.yaml +++ b/charts/chainlink-cluster/templates/chainlink-db-deployment.yaml 
@@ -6,10 +6,10 @@ kind: StatefulSet kind: Deployment {{ end }} metadata: - name: {{ $.Release.Name }}-{{ $cfg.name }} + name: {{ $.Release.Name }}-{{ $cfg.name }}-db spec: {{ if $.Values.db.stateful }} - serviceName: {{ $.Release.Name }}-{{ $cfg.name }}-service + serviceName: {{ $.Release.Name }}-db-${{ $cfg.name }} podManagementPolicy: Parallel volumeClaimTemplates: - metadata: @@ -23,14 +23,14 @@ spec: {{ end }} selector: matchLabels: - app: {{ $.Release.Name }} - instance: {{ $cfg.name }} + app: {{ $.Release.Name }}-db + instance: {{ $cfg.name }}-db release: {{ $.Release.Name }} template: metadata: labels: - app: {{ $.Release.Name }} - instance: {{ $cfg.name }} + app: {{ $.Release.Name }}-db + instance: {{ $cfg.name }}-db release: {{ $.Release.Name }} {{- range $key, $value := $.Values.labels }} {{ $key }}: {{ $value | quote }} @@ -44,11 +44,12 @@ spec: {{- end }} spec: volumes: + # TODO: breakout this config map into a separate one for the db. - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm configMap: name: {{ $.Release.Name }}-{{ $cfg.name }}-cm securityContext: - {{- toYaml $.Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.db.podSecurityContext | nindent 8 }} containers: - name: chainlink-db securityContext: 
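Review bot: `serviceName: {{ $.Release.Name }}-db-${{ $cfg.name }}` carries a stray `$` before the second template action, so the StatefulSet's governing service renders as `<release>-db-$<node>`, which is not a valid DNS label and matches no Service. The same `$` in the new `chainlink-db-service.yaml` is corrected by a later patch in this series, but that patch does not touch this line; it should read `serviceName: {{ $.Release.Name }}-db-{{ $cfg.name }}`. The line is only rendered when `db.stateful` is true, which is probably why it went unnoticed.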
@@ -123,56 +124,6 @@ spec: name: postgres subPath: postgres-db {{ end }} - - name: node - securityContext: - {{- toYaml $.Values.chainlink.securityContext | nindent 12 }} - image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} - imagePullPolicy: Always - command: ["bash", "-c", "while ! pg_isready -U postgres --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] - ports: - - name: access - containerPort: {{ $.Values.chainlink.web_port }} - - name: p2p - containerPort: {{ $.Values.chainlink.p2p_port }} - env: - - name: CL_DATABASE_URL - value: postgresql://postgres:verylongdatabasepassword@localhost/chainlink?sslmode=disable - - name: CL_DEV - value: "false" - volumeMounts: - - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm - mountPath: /etc/node-secrets-volume/ - livenessProbe: - httpGet: - path: /health - port: {{ $.Values.chainlink.web_port }} - initialDelaySeconds: 1 - periodSeconds: 5 - timeoutSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: {{ $.Values.chainlink.web_port }} - initialDelaySeconds: 1 - periodSeconds: 5 - timeoutSeconds: 10 - startupProbe: - httpGet: - path: / - port: {{ $.Values.chainlink.web_port }} - initialDelaySeconds: 15 - periodSeconds: 5 - failureThreshold: 20 - {{ if (hasKey $.Values.chainlink "resources") }} - resources: - requests: - memory: {{ default "1024Mi" $.Values.chainlink.resources.requests.memory }} - cpu: {{ default "500m" $.Values.chainlink.resources.requests.cpu }} - limits: - memory: {{ default "1024Mi" $.Values.chainlink.resources.limits.memory }} - cpu: {{ default "500m" $.Values.chainlink.resources.limits.cpu }} - {{ else }} - {{ end }} {{- with 
$.Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/charts/chainlink-cluster/templates/chainlink-db-service.yaml b/charts/chainlink-cluster/templates/chainlink-db-service.yaml new file mode 100644 index 00000000000..938c0d38f54 --- /dev/null +++ b/charts/chainlink-cluster/templates/chainlink-db-service.yaml @@ -0,0 +1,16 @@ +{{- range $cfg := .Values.chainlink.nodes }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Release.Name }}-db-${{ $cfg.name }} +spec: + selector: + app: {{ $.Release.Name }}-db + instance: {{ $cfg.name }}-db + release: {{ $.Release.Name }} + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 +--- +{{- end }} \ No newline at end of file diff --git a/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml new file mode 100644 index 00000000000..b7d796512db --- /dev/null +++ b/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml 
@@ -0,0 +1,97 @@ +{{- range $cfg := .Values.chainlink.nodes }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $.Release.Name }}-{{ $cfg.name }} +spec: + selector: + matchLabels: + app: {{ $.Release.Name }} + instance: {{ $cfg.name }} + release: {{ $.Release.Name }} + template: + metadata: + labels: + app: {{ $.Release.Name }} + instance: {{ $cfg.name }} + release: {{ $.Release.Name }} + {{- range $key, $value := $.Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + prometheus.io/scrape: 'true' + {{- range $key, $value := $.Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + volumes: + - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + configMap: + name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + securityContext: + {{- toYaml $.Values.chainlink.podSecurityContext | nindent 8 }} + containers: + - name: node + securityContext: + {{- toYaml $.Values.chainlink.securityContext | nindent 12 }} + image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} + imagePullPolicy: Always + command: ["bash", "-c", "while ! 
pg_isready -U postgres --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] + ports: + - name: access + containerPort: {{ $.Values.chainlink.web_port }} + - name: p2p + containerPort: {{ $.Values.chainlink.p2p_port }} + env: + - name: CL_DATABASE_URL + value: postgresql://postgres:verylongdatabasepassword@localhost/chainlink?sslmode=disable + - name: CL_DEV + value: "false" + volumeMounts: + - name: {{ $.Release.Name }}-{{ $cfg.name }}-cm + mountPath: /etc/node-secrets-volume/ + livenessProbe: + httpGet: + path: /health + port: {{ $.Values.chainlink.web_port }} + initialDelaySeconds: 1 + periodSeconds: 5 + timeoutSeconds: 10 + readinessProbe: + httpGet: + path: /health + port: {{ $.Values.chainlink.web_port }} + initialDelaySeconds: 1 + periodSeconds: 5 + timeoutSeconds: 10 + startupProbe: + httpGet: + path: / + port: {{ $.Values.chainlink.web_port }} + initialDelaySeconds: 15 + periodSeconds: 5 + failureThreshold: 20 + {{ if (hasKey $.Values.chainlink "resources") }} + resources: + requests: + memory: {{ default "1024Mi" $.Values.chainlink.resources.requests.memory }} + cpu: {{ default "500m" $.Values.chainlink.resources.requests.cpu }} + limits: + memory: {{ default "1024Mi" $.Values.chainlink.resources.limits.memory }} + cpu: {{ default "500m" $.Values.chainlink.resources.limits.cpu }} + {{ else }} + {{ end }} +{{- with $.Values.nodeSelector }} + nodeSelector: + {{ toYaml . | indent 8 }} +{{- end }} +{{- with $.Values.affinity }} + affinity: + {{ toYaml . | indent 8 }} +{{- end }} +{{- with $.Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} +--- +{{- end }} 
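Review bot: The volume mounted at `/etc/node-secrets-volume/` is backed by a `configMap`, yet the command reads `secrets.toml`, `node-password` and `apicredentials` from it, and `CL_DATABASE_URL` embeds the Postgres password as a literal `value`. ConfigMaps and pod specs are typically readable under ordinary namespace read roles and get none of the RBAC separation or at-rest encryption that can be applied to Secrets. Move these files to a `Secret` volume and source the URL with `valueFrom.secretKeyRef`. In this patch `pg_isready` and the URL also still point at `localhost`, which no longer reaches the database now that it lives in its own Deployment.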
diff --git a/charts/chainlink-cluster/templates/chainlink-service.yaml b/charts/chainlink-cluster/templates/chainlink-node-service.yaml similarity index 100% rename from charts/chainlink-cluster/templates/chainlink-service.yaml rename to charts/chainlink-cluster/templates/chainlink-node-service.yaml diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index 139dacdf69e..b019603ac61 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml @@ -23,7 +23,7 @@ spec: configMap: name: geth-cm securityContext: - {{- toYaml $.Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.geth.podSecurityContext | nindent 8 }} containers: - name: geth-network securityContext: diff --git a/charts/chainlink-cluster/templates/runner-deployment.yaml b/charts/chainlink-cluster/templates/runner-deployment.yaml index e9690861609..9d80ac1bfab 100644 --- a/charts/chainlink-cluster/templates/runner-deployment.yaml +++ b/charts/chainlink-cluster/templates/runner-deployment.yaml @@ -23,7 +23,7 @@ spec: prometheus.io/scrape: 'true' spec: securityContext: - {{- toYaml $.Values.podSecurityContext | nindent 8 }} + {{- toYaml $.Values.runner.podSecurityContext | nindent 8 }} containers: - name: runner securityContext: diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index cc1d5eaa62e..5207dff4616 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -9,10 +9,9 @@ # images can be overriden for the same keys: # image: ethereum/client-go # version: stable -podSecurityContext: - fsGroup: 999 - chainlink: + podSecurityContext: + fsGroup: 14933 securityContext: capabilities: drop: @@ -75,6 +74,8 @@ chainlink: # # if you are running long tests db: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: 
@@ -93,6 +94,8 @@ db: memory: 1024Mi # default cluster shipped with latest Geth ( dev mode by default ) geth: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: @@ -116,6 +119,8 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: @@ -126,6 +131,8 @@ mockserver: runAsGroup: 999 enabled: true runner: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: From 9e1cf8aa454ed5f231717d927fb378d77d18244c Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 28 Nov 2023 16:21:24 -0500 Subject: [PATCH 38/56] Fix typo --- charts/chainlink-cluster/templates/chainlink-db-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/chainlink-cluster/templates/chainlink-db-service.yaml b/charts/chainlink-cluster/templates/chainlink-db-service.yaml index 938c0d38f54..f27bd9eab20 100644 --- a/charts/chainlink-cluster/templates/chainlink-db-service.yaml +++ b/charts/chainlink-cluster/templates/chainlink-db-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ $.Release.Name }}-db-${{ $cfg.name }} + name: {{ $.Release.Name }}-db-{{ $cfg.name }} spec: selector: app: {{ $.Release.Name }}-db From 27788c44e7bcb590d9708e28d614b67d6e3923c5 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 28 Nov 2023 16:42:24 -0500 Subject: [PATCH 39/56] Update localhost to db service dns --- .../templates/chainlink-node-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml b/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml index b7d796512db..463453aff93 100644 --- a/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml 
+++ b/charts/chainlink-cluster/templates/chainlink-node-deployment.yaml @@ -36,7 +36,7 @@ spec: {{- toYaml $.Values.chainlink.securityContext | nindent 12 }} image: {{ default "public.ecr.aws/chainlink/chainlink" $cfg.image }} imagePullPolicy: Always - command: ["bash", "-c", "while ! pg_isready -U postgres --host localhost --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] + command: ["bash", "-c", "while ! pg_isready -U postgres --host {{ $.Release.Name }}-db-{{ $cfg.name }} --port 5432; do echo \"waiting for database to start\"; sleep 1; done && chainlink -c /etc/node-secrets-volume/default.toml -c /etc/node-secrets-volume/overrides.toml -secrets /etc/node-secrets-volume/secrets.toml node start -d -p /etc/node-secrets-volume/node-password -a /etc/node-secrets-volume/apicredentials --vrfpassword=/etc/node-secrets-volume/apicredentials"] ports: - name: access containerPort: {{ $.Values.chainlink.web_port }} @@ -44,7 +44,7 @@ spec: containerPort: {{ $.Values.chainlink.p2p_port }} env: - name: CL_DATABASE_URL - value: postgresql://postgres:verylongdatabasepassword@localhost/chainlink?sslmode=disable + value: postgresql://postgres:verylongdatabasepassword@{{ $.Release.Name }}-db-{{ $cfg.name }}/chainlink?sslmode=disable - name: CL_DEV value: "false" volumeMounts: From 6ecba3c1d6792e41ec698db17fbbe16694c27976 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 28 Nov 2023 22:24:49 -0500 Subject: [PATCH 40/56] Fix path to script --- charts/chainlink-cluster/templates/geth-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
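Review bot: With the host changed from `localhost` to the per-node Service, `sslmode=disable` now sends the Postgres password and all queries in clear text across the pod network rather than over loopback. If the database image can present a certificate, use `sslmode=require` or stricter. Otherwise a NetworkPolicy limiting port 5432 on the `-db` pods to the matching node pod would at least contain who can connect with the hard-coded `verylongdatabasepassword`. No such policy is visible in these patches, though one may exist elsewhere in the chart.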
diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index b019603ac61..65bb1f0aa91 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml @@ -29,7 +29,7 @@ spec: securityContext: {{- toYaml $.Values.geth.securityContext | nindent 12 }} image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" - command: [ "sh", "./root/init.sh" ] + command: [ "sh", "/root/init.sh" ] volumeMounts: - name : configmap-volume mountPath: /root/init.sh From 5266d660e18e948abf2906901dd29de0fd924f08 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Tue, 28 Nov 2023 22:30:54 -0500 Subject: [PATCH 41/56] Change geth /root path to /app --- .../templates/geth-config-map.yaml | 6 +++--- .../templates/geth-deployment.yaml | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/chainlink-cluster/templates/geth-config-map.yaml b/charts/chainlink-cluster/templates/geth-config-map.yaml index f3369ba580f..022d9f2ea61 100644 --- a/charts/chainlink-cluster/templates/geth-config-map.yaml +++ b/charts/chainlink-cluster/templates/geth-config-map.yaml @@ -50,9 +50,9 @@ data: password.txt: | init.sh: | #!/bin/bash - if [ ! -d /root/.ethereum/keystore ]; then - echo "/root/.ethereum/keystore not found, running 'geth init'..." - geth init /root/ethconfig/genesis.json + if [ ! -d /app/.ethereum/keystore ]; then + echo "/app/.ethereum/keystore not found, running 'geth init'..." + geth init /app/ethconfig/genesis.json echo "...done!" fi diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index 65bb1f0aa91..e45480ce2f2 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml 
@@ -29,28 +29,28 @@ spec: securityContext: {{- toYaml $.Values.geth.securityContext | nindent 12 }} image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" - command: [ "sh", "/root/init.sh" ] + command: [ "sh", "/app/init.sh" ] volumeMounts: - name : configmap-volume - mountPath: /root/init.sh + mountPath: /app/init.sh subPath: init.sh - name: configmap-volume - mountPath: /root/config + mountPath: /app/config - name: configmap-volume - mountPath: /root/.ethereum/devchain/keystore/key1 + mountPath: /app/.ethereum/devchain/keystore/key1 subPath: key1 - name: configmap-volume - mountPath: /root/.ethereum/devchain/keystore/key2 + mountPath: /app/.ethereum/devchain/keystore/key2 subPath: key2 - name: configmap-volume - mountPath: /root/.ethereum/devchain/keystore/key3 + mountPath: /app/.ethereum/devchain/keystore/key3 subPath: key3 args: - '--dev' - '--password' - - '/root/config/password.txt' + - '/app/config/password.txt' - '--datadir' - - '/root/.ethereum/devchain' + - '/app/.ethereum/devchain' - '--unlock' - '0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266' - '--unlock' From 302cb0d8f8366b92bfe2489d06318280a846de32 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 29 Nov 2023 11:22:14 -0500 Subject: [PATCH 42/56] Create emptyDir volume for geth devchain dir --- charts/chainlink-cluster/templates/geth-deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/chainlink-cluster/templates/geth-deployment.yaml b/charts/chainlink-cluster/templates/geth-deployment.yaml index e45480ce2f2..6948c4df288 100644 --- a/charts/chainlink-cluster/templates/geth-deployment.yaml +++ b/charts/chainlink-cluster/templates/geth-deployment.yaml @@ -22,6 +22,8 @@ spec: - name: configmap-volume configMap: name: geth-cm + - name: devchain-volume + emptyDir: {} securityContext: {{- toYaml $.Values.geth.podSecurityContext | nindent 8 }} containers: 
@@ -31,6 +33,8 @@ spec: image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}" command: [ "sh", "/app/init.sh" ] volumeMounts: + - name: devchain-volume + mountPath: /app/.ethereum/devchain - name : configmap-volume mountPath: /app/init.sh subPath: init.sh From 281eed5bf60bf636ef1c113d2a1a2dd57c1bc26c Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 29 Nov 2023 16:32:01 -0500 Subject: [PATCH 43/56] Remove full clone --- .github/workflows/build-publish-develop.yml | 1 - .github/workflows/build-publish.yml | 2 -- .github/workflows/build.yml | 2 -- 3 files changed, 5 deletions(-) diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml index 5254a35d0c5..3a8cff975fb 100644 --- a/.github/workflows/build-publish-develop.yml +++ b/.github/workflows/build-publish-develop.yml @@ -34,7 +34,6 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.GIT_REF }} - fetch-depth: 0 # When this is ran from manual workflow_dispatch, the github.sha may be # different than the checked out commit sha. The core build uses this # commit sha as build metadata, so we need to make sure it's correct. diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 0df32dc2dea..29b786cf604 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -34,8 +34,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - name: Build, sign and publish chainlink image uses: ./.github/actions/build-sign-publish-chainlink diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b883b7370c..6282e2168d8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -12,8 +12,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - name: Build chainlink image uses: ./.github/actions/build-sign-publish-chainlink From 7a5239cc2048d607279f8968d107ca8ffee32710 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Wed, 29 Nov 2023 16:39:26 -0500 Subject: [PATCH 44/56] Add correct inputs to mockserver --- charts/chainlink-cluster/values.yaml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 5207dff4616..f9e62ebb373 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml @@ -119,17 +119,11 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: - podSecurityContext: - fsGroup: 999 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 enabled: true + releasenameOverride: mockserver + app: + runAsUser: 999 + readOnlyRootFilesystem: false runner: podSecurityContext: fsGroup: 999 From 4158a3dc946e913a9425d49dbb12d8a5eeed5463 Mon Sep 17 00:00:00 2001 From: skudasov Date: Thu, 30 Nov 2023 21:15:48 +0100 Subject: [PATCH 45/56] merge with develop --- .../chainlink-cluster/dashboard/dashboard.go | 42 ---- charts/chainlink-cluster/devspace.yaml | 226 ++++++++++++++++-- .../templates/mockserver.yaml | 2 +- charts/chainlink-cluster/values-raw-helm.yaml | 8 +- charts/chainlink-cluster/values.yaml | 154 ------------ core/chainlink.devspace.Dockerfile | 2 +- 6 files changed, 216 insertions(+), 218 deletions(-) delete mode 100644 charts/chainlink-cluster/values.yaml diff --git a/charts/chainlink-cluster/dashboard/dashboard.go b/charts/chainlink-cluster/dashboard/dashboard.go index b29140c0405..19a596b63e9 100644 
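Review bot: Hardening is lost for `mockserver` in the `values.yaml` hunk of "Add correct inputs to mockserver": `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `runAsGroup` and `fsGroup` are gone, and only `app.runAsUser: 999` and `app.readOnlyRootFilesystem: false` remain. Whether the mockserver chart turns the `app.*` keys into an equivalent container `securityContext` is not visible here, so please confirm the rendered pod with `helm template` and re-add the dropped settings through whatever keys that chart exposes. If the root filesystem does not need to be writable, `readOnlyRootFilesystem: true` would be the better default.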
--- a/charts/chainlink-cluster/dashboard/dashboard.go +++ b/charts/chainlink-cluster/dashboard/dashboard.go 
@@ -350,48 +350,6 @@ func (m *CLClusterDashboard) generate() error { ), ), ), - // logs - dashboard.Row( - "Logs", - row.Collapse(), - row.WithTimeSeries( - "Log Counters", - timeseries.Span(12), - timeseries.Height("200px"), - timeseries.DataSource(m.PrometheusDataSourceName), - timeseries.WithPrometheusTarget( - `log_panic_count{namespace="${namespace}"}`, - prometheus.Legend("{{pod}} - panic"), - ), - timeseries.WithPrometheusTarget( - `log_fatal_count{namespace="${namespace}"}`, - prometheus.Legend("{{pod}} - fatal"), - ), - timeseries.WithPrometheusTarget( - `log_critical_count{namespace="${namespace}"}`, - prometheus.Legend("{{pod}} - critical"), - ), - timeseries.WithPrometheusTarget( - `log_warn_count{namespace="${namespace}"}`, - prometheus.Legend("{{pod}} - warn"), - ), - timeseries.WithPrometheusTarget( - `log_error_count{namespace="${namespace}"}`, - prometheus.Legend("{{pod}} - error"), - ), - ), - m.logsRowOption("All errors", ` - {namespace="${namespace}", app="app", container="node"} - | json - | level="error" - | line_format "{{ .instance }} {{ .level }} {{ .ts }} {{ .logger }} {{ .caller }} {{ .msg }} {{ .version }} {{ .nodeTier }} {{ .nodeName }} {{ .node }} {{ .evmChainID }} {{ .nodeOrder }} {{ .mode }} {{ .nodeState }} {{ .sentryEventID }} {{ .stacktrace }}"`), - m.logsRowOption("Node 1", `{namespace="${namespace}", app="app", instance="node-1", container="node"}`), - m.logsRowOption("Node 2", `{namespace="${namespace}", app="app", instance="node-2", container="node"}`), - m.logsRowOption("Node 3", `{namespace="${namespace}", app="app", instance="node-3", container="node"}`), - m.logsRowOption("Node 4", `{namespace="${namespace}", app="app", instance="node-4", container="node"}`), - m.logsRowOption("Node 5", `{namespace="${namespace}", app="app", instance="node-5", container="node"}`), - m.logsRowOption("Node 6", `{namespace="${namespace}", app="app", instance="node-6", container="node"}`), - ), // HeadTracker dashboard.Row("Head tracker", 
row.Collapse(), diff --git a/charts/chainlink-cluster/devspace.yaml b/charts/chainlink-cluster/devspace.yaml index a99ae4364fd..9c39209ff5c 100644 --- a/charts/chainlink-cluster/devspace.yaml +++ b/charts/chainlink-cluster/devspace.yaml @@ -40,21 +40,18 @@ deployments: # they can be defined the same way in values.yml # devspace merging this "values" and "values.yml" before deploy values: - runner: - image: ${DEVSPACE_IMAGE} - stateful: false - geth: - version: v1.12.0 - wsrpc-port: 8546 - httprpc-port: 8544 - networkid: 1337 - blocktime: 1 - mockserver: - enabled: true - port: 1080 - db: - stateful: false + podSecurityContext: + fsGroup: 999 + chainlink: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 14933 + runAsGroup: 999 web_port: 6688 p2p_port: 6690 nodes: 
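Review bot: `podSecurityContext: fsGroup: 999` is added at the top level of `values`, but the deployment templates changed earlier in this series read `$.Values.chainlink.podSecurityContext`, `$.Values.db.podSecurityContext`, `$.Values.geth.podSecurityContext` and `$.Values.runner.podSecurityContext`. Unless another values file supplies those per-component keys, `toYaml` of a missing key renders `null` and the pods come up with no pod-level security context, silently dropping `fsGroup`. Define `podSecurityContext` under each component here. The `chainlink` block also sets `runAsGroup: 999` where the series had settled on `runAsGroup: 14933` in the `values.yaml` this commit deletes, so please confirm which is intended.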
@@ -76,11 +73,202 @@ deployments: - name: node-6 image: ${DEVSPACE_IMAGE} version: latest - prometheusMonitor: "true" - podAnnotations: {} - nodeSelector: {} - tolerations: [] - affinity: {} + resources: + requests: + cpu: 350m + memory: 1024Mi + limits: + cpu: 350m + memory: 1024Mi + + # each CL node have a dedicated PostgreSQL 11.15 + # use StatefulSet by setting: + # + # stateful: true + # capacity 10Gi + # + # if you are running long tests + db: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + stateful: false + resources: + requests: + cpu: 1 + memory: 1024Mi + limits: + cpu: 1 + memory: 1024Mi + # default cluster shipped with latest Geth ( dev mode by default ) + geth: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + version: v1.12.0 + wsrpc-port: 8546 + httprpc-port: 8544 + networkid: 1337 + blocktime: 1 + resources: + requests: + cpu: 1 + memory: 1024Mi + limits: + cpu: 1 + memory: 1024Mi + # mockserver is https://www.mock-server.com/where/kubernetes.html + # used to stub External Adapters + mockserver: + # image: "mockserver/mockserver" + # version: "mockserver-5.15.0" + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + enabled: true + releasenameOverride: mockserver + app: + runAsUser: 999 + readOnlyRootFilesystem: false + port: 1080 + resources: + requests: + cpu: 1 + memory: 1024Mi + limits: + cpu: 1 + memory: 1024Mi + runner: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + stateful: false + resources: + requests: + cpu: 1 + memory: 512Mi + limits: + cpu: 1 + memory: 512Mi + affinity: { } + tolerations: [ ] + nodeSelector: { } + ingress: + enabled: false + className: "" + hosts: [ ] + tls: [ ] + 
annotations: { } + service: + type: NodePort + port: 8080 + + + # monitoring.coreos.com/v1 PodMonitor for each node + prometheusMonitor: true + + # deployment placement, standard helm stuff + podAnnotations: + nodeSelector: + tolerations: + affinity: +# podSecurityContext: +# fsGroup: 999 +# runner: +# image: ${DEVSPACE_IMAGE} +# stateful: false +# geth: +# podSecurityContext: +# fsGroup: 999 +# securityContext: +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: false +# runAsNonRoot: true +# runAsUser: 999 +# runAsGroup: 999 +# version: v1.12.0 +# wsrpc-port: 8546 +# httprpc-port: 8544 +# networkid: 1337 +# blocktime: 1 +# mockserver: +# enabled: true +# releasenameOverride: mockserver +# app: +# runAsUser: 999 +# readOnlyRootFilesystem: false +# port: 1080 +# db: +# podSecurityContext: +# fsGroup: 999 +# securityContext: +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: false +# runAsNonRoot: true +# runAsUser: 999 +# runAsGroup: 999 +# stateful: false +# chainlink: +# podSecurityContext: +# fsGroup: 14933 +# securityContext: +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: false +# runAsNonRoot: true +# runAsUser: 14933 +# runAsGroup: 14933 +# web_port: 6688 +# p2p_port: 6690 +# nodes: +# - name: node-1 +# image: ${DEVSPACE_IMAGE} +# version: latest +# - name: node-2 +# image: ${DEVSPACE_IMAGE} +# version: latest +# - name: node-3 +# image: ${DEVSPACE_IMAGE} +# version: latest +# - name: node-4 +# image: ${DEVSPACE_IMAGE} +# version: latest +# - name: node-5 +# image: ${DEVSPACE_IMAGE} +# version: latest +# - name: node-6 +# image: ${DEVSPACE_IMAGE} +# version: latest +# prometheusMonitor: "true" +# podAnnotations: {} +# nodeSelector: {} +# tolerations: [] +# affinity: {} profiles: # this replaces only "runner" pod, usable when you'd like to run some system level tests inside k8s 
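Review bot: The long commented-out block at the end of this `values` section duplicates the live configuration with different security settings (`fsGroup: 14933`, `runAsGroup: 14933`, per-component `podSecurityContext`), so a reader cannot tell which set is intended. Delete the commented block, or promote it if it is the correct one. The bare `podAnnotations:`, `nodeSelector:`, `tolerations:` and `affinity:` keys parse as `null`; writing `{}` and `[]` as the removed lines did keeps the types explicit.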
diff --git a/charts/chainlink-cluster/templates/mockserver.yaml b/charts/chainlink-cluster/templates/mockserver.yaml index 14c05d0acd5..4c5d2054314 100755 --- a/charts/chainlink-cluster/templates/mockserver.yaml +++ b/charts/chainlink-cluster/templates/mockserver.yaml @@ -21,7 +21,7 @@ spec: spec: containers: - name: {{ .Release.Name }}-mockserver - image: {{ default "mockserver/mockserver" .Values.mockserver.image }}:{{ default "mockserver-5.15.0" .Values.mockserver.version }} + image: "mockserver/mockserver:mockserver-5.15.0" imagePullPolicy: IfNotPresent securityContext: runAsUser: 65534 # nonroot diff --git a/charts/chainlink-cluster/values-raw-helm.yaml b/charts/chainlink-cluster/values-raw-helm.yaml index 036d604f359..99f52e82c2d 100644 --- a/charts/chainlink-cluster/values-raw-helm.yaml +++ b/charts/chainlink-cluster/values-raw-helm.yaml @@ -120,6 +120,8 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: +# image: "mockserver/mockserver" +# version: "mockserver-5.15.0" securityContext: capabilities: drop: @@ -129,6 +131,10 @@ mockserver: runAsUser: 999 runAsGroup: 999 enabled: true + releasenameOverride: mockserver + app: + runAsUser: 999 + readOnlyRootFilesystem: false port: 1080 resources: requests: @@ -169,7 +175,7 @@ runner: # monitoring.coreos.com/v1 PodMonitor for each node -prometheusMonitor: false +prometheusMonitor: true # deployment placement, standard helm stuff podAnnotations: diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml deleted file mode 100644 index f9e62ebb373..00000000000 --- a/charts/chainlink-cluster/values.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -# override resources for keys "chainlink", "db", or "geth" if needed -# resources: -# requests: -# cpu: 350m -# memory: 1024Mi -# limits: -# cpu: 350m -# memory: 1024Mi -# images can be overriden for the same keys: -# image: ethereum/client-go -# version: stable -chainlink: - podSecurityContext: - fsGroup: 14933 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 14933 - runAsGroup: 14933 - web_port: 6688 - p2p_port: 8090 - nodes: - - name: node-1 - image: "public.ecr.aws/chainlink/chainlink:latest" - # override default config per node - # for example, use OCRv2 P2P setup, the whole config - # toml: | - # RootDir = './clroot' - # [Log] - # JSONConsole = true - # Level = 'debug' - # [WebServer] - # AllowOrigins = '*' - # SecureCookies = false - # SessionTimeout = '999h0m0s' - # [OCR2] - # Enabled = true - # [P2P] - # [P2P.V2] - # Enabled = false - # AnnounceAddresses = [] - # DefaultBootstrappers = [] - # DeltaDial = '15s' - # DeltaReconcile = '1m0s' - # ListenAddresses = [] - # [[EVM]] - # ChainID = '1337' - # MinContractPayment = '0' - # [[EVM.Nodes]] - # Name = 'node-0' - # WSURL = 'ws://geth:8546' - # HTTPURL = 'http://geth:8544' - # [WebServer.TLS] - # HTTPSPort = 0 - - name: node-2 - - name: node-3 - - name: node-4 - resources: - requests: - cpu: 350m - memory: 1024Mi - limits: - cpu: 350m - memory: 1024Mi - -# each CL node have a dedicated PostgreSQL 11.15 -# use StatefulSet by setting: -# -# stateful: true -# capacity 10Gi -# -# if you are running long tests -db: - podSecurityContext: - fsGroup: 999 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - stateful: false - resources: - requests: - cpu: 1 - memory: 1024Mi - limits: - cpu: 1 - memory: 1024Mi -# default cluster shipped with latest Geth ( dev mode by default ) -geth: - podSecurityContext: - fsGroup: 999 - securityContext: - 
capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - version: v1.12.0 - wsrpc-port: 8546 - httprpc-port: 8544 - networkid: 1337 - blocktime: 1 - resources: - requests: - cpu: 1 - memory: 1024Mi - limits: - cpu: 1 - memory: 1024Mi -# mockserver is https://www.mock-server.com/where/kubernetes.html -# used to stub External Adapters -mockserver: - enabled: true - releasenameOverride: mockserver - app: - runAsUser: 999 - readOnlyRootFilesystem: false -runner: - podSecurityContext: - fsGroup: 999 - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - stateful: false - resources: - requests: - cpu: 1 - memory: 512Mi - limits: - cpu: 1 - memory: 512Mi - -# monitoring.coreos.com/v1 PodMonitor for each node -prometheusMonitor: false - -# deployment placement, standard helm stuff -podAnnotations: -nodeSelector: -tolerations: -affinity: diff --git a/core/chainlink.devspace.Dockerfile b/core/chainlink.devspace.Dockerfile index 9ec061ae40d..88d3cec16ad 100644 --- a/core/chainlink.devspace.Dockerfile +++ b/core/chainlink.devspace.Dockerfile @@ -20,7 +20,7 @@ RUN make install-chainlink # Final image: ubuntu with chainlink binary FROM golang:1.21-bullseye -ARG CHAINLINK_USER=root +ARG CHAINLINK_USER=chainlink ENV DEBIAN_FRONTEND noninteractive RUN apt-get update && apt-get install -y ca-certificates gnupg lsb-release curl From e429fbb54809cee210756316d199424e007e85cc Mon Sep 17 00:00:00 2001 From: skudasov Date: Thu, 30 Nov 2023 21:56:49 +0100 Subject: [PATCH 46/56] cleanup & verify --- charts/chainlink-cluster/Chart.yaml | 8 +- charts/chainlink-cluster/README.md | 6 +- charts/chainlink-cluster/devspace.yaml | 109 +++++------------- .../{values-raw-helm.yaml => values.yaml} | 8 +- 4 files changed, 40 insertions(+), 91 deletions(-) rename charts/chainlink-cluster/{values-raw-helm.yaml => values.yaml} (95%) 
diff --git a/charts/chainlink-cluster/Chart.yaml b/charts/chainlink-cluster/Chart.yaml index f242ef84cbd..b80d1f74a61 100644 --- a/charts/chainlink-cluster/Chart.yaml +++ b/charts/chainlink-cluster/Chart.yaml @@ -2,10 +2,4 @@ apiVersion: v1 name: chainlink-cluster description: Chainlink nodes cluster version: 0.1.3 -appVersion: "2.6.0" - -dependencies: - - name: mockserver - version: "5.14.0" - repository: "@mockserver" - condition: mockserver.enabled +appVersion: "2.6.0" \ No newline at end of file diff --git a/charts/chainlink-cluster/README.md b/charts/chainlink-cluster/README.md index e3cec129a91..5fb55536635 100644 --- a/charts/chainlink-cluster/README.md +++ b/charts/chainlink-cluster/README.md @@ -74,10 +74,10 @@ After that all the changes will be synced automatically Check `.profiles` to understand what is uploaded in profiles `runner` and `node` # Helm -If you would like to use `helm` directly, please uncomment data in `values-raw-helm.yaml` +If you would like to use `helm` directly, please uncomment data in `values.yaml` ## Install from local files ``` -helm install -f values-raw-helm.yaml cl-cluster . +helm install -f values.yaml cl-cluster . ``` Forward all apps (in another terminal) ``` @@ -99,7 +99,7 @@ kubectl config set-context --current --namespace cl-cluster Install ``` -helm install -f values-raw-helm.yaml cl-cluster chainlink-cluster/chainlink-cluster --version v0.1.2 +helm install -f values.yaml cl-cluster . ``` ## Create a new release diff --git a/charts/chainlink-cluster/devspace.yaml b/charts/chainlink-cluster/devspace.yaml index 9c39209ff5c..cb4c8bfce49 100644 --- a/charts/chainlink-cluster/devspace.yaml +++ b/charts/chainlink-cluster/devspace.yaml 
@@ -58,6 +58,38 @@ deployments: - name: node-1 image: ${DEVSPACE_IMAGE} version: latest + # override default config per node + # for example, use OCRv2 P2P setup, the whole config + # toml: | + # RootDir = './clroot' + # [Log] + # JSONConsole = true + # Level = 'debug' + # [WebServer] + # AllowOrigins = '*' + # SecureCookies = false + # SessionTimeout = '999h0m0s' + # [OCR2] + # Enabled = true + # [P2P] + # [P2P.V2] + # Enabled = false + # AnnounceAddresses = [] + # DefaultBootstrappers = [] + # DeltaDial = '15s' + # DeltaReconcile = '1m0s' + # ListenAddresses = [] + # [[EVM]] + # ChainID = '1337' + # MinContractPayment = '0' + # [[EVM.Nodes]] + # Name = 'node-0' + # WSURL = 'ws://geth:8546' + # HTTPURL = 'http://geth:8544' + # [WebServer.TLS] + # HTTPSPort = 0 + # or use overridesToml to override some part of configuration + # overridesToml: | - name: node-2 image: ${DEVSPACE_IMAGE} version: latest 
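Review bot: The commented `toml:` example added under `node-1` lacks a note that its WebServer values are meant for a throwaway dev cluster. It shows `AllowOrigins = '*'`, `SecureCookies = false` and `SessionTimeout = '999h0m0s'`, and an example in a values file tends to be uncommented as-is. I would add a first line such as `# local/test cluster only: relaxes CORS, cookie and session settings` above `# toml: |`. The `nodes:` list continues outside the hunk.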
@@ -192,83 +224,6 @@ deployments: nodeSelector: tolerations: affinity: -# podSecurityContext: -# fsGroup: 999 -# runner: -# image: ${DEVSPACE_IMAGE} -# stateful: false -# geth: -# podSecurityContext: -# fsGroup: 999 -# securityContext: -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: false -# runAsNonRoot: true -# runAsUser: 999 -# runAsGroup: 999 -# version: v1.12.0 -# wsrpc-port: 8546 -# httprpc-port: 8544 -# networkid: 1337 -# blocktime: 1 -# mockserver: -# enabled: true -# releasenameOverride: mockserver -# app: -# runAsUser: 999 -# readOnlyRootFilesystem: false -# port: 1080 -# db: -# podSecurityContext: -# fsGroup: 999 -# securityContext: -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: false -# runAsNonRoot: true -# runAsUser: 999 -# runAsGroup: 999 -# stateful: false -# chainlink: -# podSecurityContext: -# fsGroup: 14933 -# securityContext: -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: false -# runAsNonRoot: true -# runAsUser: 14933 -# runAsGroup: 14933 -# web_port: 6688 -# p2p_port: 6690 -# nodes: -# - name: node-1 -# image: ${DEVSPACE_IMAGE} -# version: latest -# - name: node-2 -# image: ${DEVSPACE_IMAGE} -# version: latest -# - name: node-3 -# image: ${DEVSPACE_IMAGE} -# version: latest -# - name: node-4 -# image: ${DEVSPACE_IMAGE} -# version: latest -# - name: node-5 -# image: ${DEVSPACE_IMAGE} -# version: latest -# - name: node-6 -# image: ${DEVSPACE_IMAGE} -# version: latest -# prometheusMonitor: "true" -# podAnnotations: {} -# nodeSelector: {} -# tolerations: [] -# affinity: {} profiles: # this replaces only "runner" pod, usable when you'd like to run some system level tests inside k8s diff --git a/charts/chainlink-cluster/values-raw-helm.yaml b/charts/chainlink-cluster/values.yaml similarity index 95% rename from charts/chainlink-cluster/values-raw-helm.yaml rename to charts/chainlink-cluster/values.yaml index 99f52e82c2d..646cb631490 100644 --- a/charts/chainlink-cluster/values-raw-helm.yaml 
+++ b/charts/chainlink-cluster/values.yaml @@ -26,8 +26,8 @@ chainlink: nodes: - name: node-1 image: "public.ecr.aws/chainlink/chainlink:latest" - # override default config per node - # for example, use OCRv2 P2P setup, the whole config + # override default config per node + # for example, use OCRv2 P2P setup, the whole config # toml: | # RootDir = './clroot' # [Log] @@ -56,8 +56,8 @@ chainlink: # HTTPURL = 'http://geth:8544' # [WebServer.TLS] # HTTPSPort = 0 -# or use overridesToml to override some part of configuration -# overridesToml: | + # or use overridesToml to override some part of configuration + # overridesToml: | - name: node-2 - name: node-3 - name: node-4 From 782eb0f05902f8069ab5e240f95624235c16348a Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Thu, 30 Nov 2023 16:10:43 -0500 Subject: [PATCH 47/56] Add fixes for /chainlink --- .github/workflows/build-publish-develop.yml | 2 +- .github/workflows/build-publish.yml | 11 ++++++++--- .github/workflows/integration-chaos-tests.yml | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml index 3a8cff975fb..b8859722378 100644 --- a/.github/workflows/build-publish-develop.yml +++ b/.github/workflows/build-publish-develop.yml @@ -49,7 +49,7 @@ jobs: aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} ecr-hostname: ${{ secrets.AWS_DEVELOP_ECR_HOSTNAME }} - ecr-image-name: chainlink-internal-develop + ecr-image-name: chainlink ecr-tag-suffix: ${{ matrix.image.tag-suffix }} dockerfile: ${{ matrix.image.dockerfile }} dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 29b786cf604..e7eb4498838 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml 
@@ -42,11 +42,16 @@ jobs: aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} - ecr-hostname: ${{ secrets.AWS_ECR_HOSTNAME }} - ecr-image-name: chainlink-internal - sign-images: false + sign-images: true + sign-method: "keypair" + cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} + cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} + # Use the custom secret value if it's for a PR, otherwise pass an empty string to use action's default value. + ecr-hostname: ${{ github.event_name == 'pull_request' && secrets.AWS_SDLC_ECR_HOSTNAME || '' }} dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} + verify-signature: true - name: Collect Metrics if: always() id: collect-gha-metrics diff --git a/.github/workflows/integration-chaos-tests.yml b/.github/workflows/integration-chaos-tests.yml index 22af9992ee7..10c62810996 100644 --- a/.github/workflows/integration-chaos-tests.yml +++ b/.github/workflows/integration-chaos-tests.yml @@ -32,7 +32,7 @@ jobs: id: check-image uses: smartcontractkit/chainlink-github-actions/docker/image-exists@e865e376b8c2d594028c8d645dd6c47169b72974 # v2.2.16 with: - repository: chainlink-internal + repository: chainlink tag: ${{ github.sha }} AWS_REGION: ${{ secrets.QA_AWS_REGION }} AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} From 7d559babc56613ed23c989611c369ac809fdd55e Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Thu, 30 Nov 2023 16:23:11 -0500 Subject: [PATCH 48/56] Remove unused env var --- .github/actions/build-sign-publish-chainlink/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 348f64e7f0d..8c79f651afd 100644 
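Review bot: In the `with:` block of the build-publish.yml hunk, `sign-images: true` and the `COSIGN_*` secrets now sit next to an `ecr-hostname` expression that branches on `github.event_name == 'pull_request'`, so the same step appears to sign pull-request builds with the release key pair. If this workflow does run on `pull_request` (the `on:` block is outside the hunk), a signature no longer distinguishes a reviewed tag build from an unmerged PR build. Gating the signing inputs on the event, e.g. `sign-images: ${{ github.event_name != 'pull_request' }}` and the same for `verify-signature`, or moving PR builds to a separate unsigned job, keeps the key for releases only.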
--- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -76,7 +76,6 @@ runs: shell: bash # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings run: | - SHORT_SHA=$(echo ${{ inputs.git-commit-sha }} | cut -c1-7) SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }} SHARED_TAG_LIST=$(cat << EOF From 00eff9f09e07efb9497ea1d4fb7db926052b8e52 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Thu, 30 Nov 2023 16:29:29 -0500 Subject: [PATCH 49/56] Set back to hardcoded repo name --- .github/workflows/automation-ondemand-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/automation-ondemand-tests.yml b/.github/workflows/automation-ondemand-tests.yml index 8d3de7ce702..016a10252be 100644 --- a/.github/workflows/automation-ondemand-tests.yml +++ b/.github/workflows/automation-ondemand-tests.yml @@ -61,7 +61,7 @@ jobs: id: check-image uses: smartcontractkit/chainlink-github-actions/docker/image-exists@e865e376b8c2d594028c8d645dd6c47169b72974 # v2.2.16 with: - repository: ${{ github.repository }} + repository: chainlink tag: ${{ github.sha }}${{ matrix.image.tag-suffix }} AWS_REGION: ${{ secrets.QA_AWS_REGION }} AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} From 4cd2fec22bb1ed61fa2a17048e296a8d3366498f Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 1 Dec 2023 07:40:09 -0500 Subject: [PATCH 50/56] Reset values back to pre rebase changes --- charts/chainlink-cluster/values.yaml | 36 ++++++++++++---------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml index 646cb631490..eb93e6cefcf 100644 --- a/charts/chainlink-cluster/values.yaml +++ b/charts/chainlink-cluster/values.yaml 
@@ -9,10 +9,9 @@ # images can be overriden for the same keys: # image: ethereum/client-go # version: stable -podSecurityContext: - fsGroup: 999 - chainlink: + podSecurityContext: + fsGroup: 14933 securityContext: capabilities: drop: @@ -20,7 +19,7 @@ chainlink: readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 14933 - runAsGroup: 999 + runAsGroup: 14933 web_port: 6688 p2p_port: 6690 nodes: @@ -79,6 +78,8 @@ chainlink: # # if you are running long tests db: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: @@ -97,6 +98,8 @@ db: memory: 1024Mi # default cluster shipped with latest Geth ( dev mode by default ) geth: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: @@ -120,16 +123,6 @@ geth: # mockserver is https://www.mock-server.com/where/kubernetes.html # used to stub External Adapters mockserver: -# image: "mockserver/mockserver" -# version: "mockserver-5.15.0" - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 enabled: true releasenameOverride: mockserver app: @@ -144,6 +137,8 @@ mockserver: cpu: 1 memory: 1024Mi runner: + podSecurityContext: + fsGroup: 999 securityContext: capabilities: drop: @@ -160,20 +155,19 @@ runner: limits: cpu: 1 memory: 512Mi - affinity: { } - tolerations: [ ] - nodeSelector: { } + affinity: {} + tolerations: [] + nodeSelector: {} ingress: enabled: false className: "" - hosts: [ ] - tls: [ ] - annotations: { } + hosts: [] + tls: [] + annotations: {} service: type: NodePort port: 8080 - # monitoring.coreos.com/v1 PodMonitor for each node prometheusMonitor: true From 974250e4efc5b0570ea25202eb22ab633bec30dc Mon Sep 17 00:00:00 2001 
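Review bot: After this commit `mockserver` is the only workload in values.yaml without a pod or container security context. The other hunks add `podSecurityContext.fsGroup` to `chainlink`, `db`, `geth` and `runner`, while the hunk at -120,16 removes mockserver's `securityContext` (`capabilities.drop: [ALL]`, `runAsNonRoot: true`, `runAsUser`/`runAsGroup`) and leaves only `app.runAsUser: 999` and `app.readOnlyRootFilesystem: false`. Whether the mockserver subchart maps those two `app.*` keys to a container securityContext is not visible here, so it is worth confirming with `helm template` that the rendered pod still drops capabilities and runs as non-root. If the subchart has no such settings, a comment above `mockserver:` saying so would keep the gap from going unnoticed.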
From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 1 Dec 2023 07:43:12 -0500 Subject: [PATCH 51/56] Remove mockserver templates in favor of subchart --- .../templates/mockserver-service.yaml | 14 ----- .../templates/mockserver.yaml | 61 ------------------- 2 files changed, 75 deletions(-) delete mode 100644 charts/chainlink-cluster/templates/mockserver-service.yaml delete mode 100755 charts/chainlink-cluster/templates/mockserver.yaml diff --git a/charts/chainlink-cluster/templates/mockserver-service.yaml b/charts/chainlink-cluster/templates/mockserver-service.yaml deleted file mode 100644 index f8ab78a84b5..00000000000 --- a/charts/chainlink-cluster/templates/mockserver-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{ if (hasKey .Values "mockserver") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Release.Name }}-mockserver -spec: - selector: - app: {{ .Release.Name }}-mockserver - ports: - - name: serviceport - port: {{ default "1080" $.Values.mockserver.port}} - targetPort: serviceport - type: ClusterIP -{{ end }} \ No newline at end of file diff --git a/charts/chainlink-cluster/templates/mockserver.yaml b/charts/chainlink-cluster/templates/mockserver.yaml deleted file mode 100755 index 4c5d2054314..00000000000 --- a/charts/chainlink-cluster/templates/mockserver.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{ if (hasKey .Values "mockserver") }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Release.Name }}-mockserver - labels: - app: {{ .Release.Name }}-mockserver -spec: - selector: - matchLabels: - app: {{ .Release.Name }}-mockserver - template: - metadata: -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - name: {{ .Release.Name }}-mockserver - labels: - app: {{ .Release.Name }}-mockserver - spec: - containers: - - name: {{ .Release.Name }}-mockserver - image: "mockserver/mockserver:mockserver-5.15.0" - imagePullPolicy: IfNotPresent - securityContext: - runAsUser: 65534 # nonroot - readOnlyRootFilesystem: false - ports: - - name: serviceport - containerPort: {{ .Values.mockserver.port }} - protocol: TCP - env: - - name: LOG_LEVEL - value: "DEBUG" - - name: SERVER_PORT - value: {{ .Values.mockserver.port | quote }} - {{ if (hasKey $.Values.chainlink "resources") }} - resources: - requests: - memory: {{ default "1024Mi" $.Values.chainlink.resources.requests.memory }} - cpu: {{ default "500m" $.Values.chainlink.resources.requests.cpu }} - limits: - memory: {{ default "1024Mi" $.Values.chainlink.resources.limits.memory }} - cpu: {{ default "500m" $.Values.chainlink.resources.limits.cpu }} - {{ else }} - {{ end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{ toYaml . | indent 8 }} - {{- end }} -{{- end }} ---- \ No newline at end of file From bc2e5524822ee468da30cd5dfc59c8e333b10537 Mon Sep 17 00:00:00 2001 From: skudasov Date: Fri, 1 Dec 2023 14:39:04 +0100 Subject: [PATCH 52/56] fix connect.toml and rename mockserver connection --- charts/chainlink-cluster/Chart.yaml | 7 ++++++- charts/chainlink-cluster/connect.toml | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/charts/chainlink-cluster/Chart.yaml b/charts/chainlink-cluster/Chart.yaml index b80d1f74a61..127f5b6e326 100644 --- a/charts/chainlink-cluster/Chart.yaml +++ b/charts/chainlink-cluster/Chart.yaml @@ -2,4 +2,9 @@ apiVersion: v1 name: chainlink-cluster description: Chainlink nodes cluster version: 0.1.3 -appVersion: "2.6.0" \ No newline at end of file +appVersion: "2.6.0" +dependencies: + - name: mockserver + version: "5.14.0" + repository: "@mockserver" + condition: mockserver.enabled \ No newline at end of file diff --git a/charts/chainlink-cluster/connect.toml b/charts/chainlink-cluster/connect.toml index f0a74d4c144..1f49b5a6e37 100644 --- a/charts/chainlink-cluster/connect.toml +++ b/charts/chainlink-cluster/connect.toml @@ -9,4 +9,4 @@ cl_node_url_template = "http://app-node-%d:6688" cl_node_internal_dns_record_template = "app-node-%d" cl_node_user = "notreal@fakeemail.ch" cl_node_password = "fj293fbBnlQ!f9vNs" -mockserver_url = "http://app-mockserver:1080" \ No newline at end of file +mockserver_url = "http://mockserver:1080" \ No newline at end of file From ecf66d7af5201b642642c13d540c78ae1d9a7d29 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 1 Dec 2023 09:45:24 -0500 Subject: [PATCH 53/56] Backout triggering on PR --- .github/workflows/build-publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index e7eb4498838..59411a24dee 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -1,7 +1,6 @@ name: "Build Chainlink and Publish" on: - pull_request: # Mimics old circleci behaviour push: tags: From efbd884c99b1014b5b2c37daeefe3f43eddd2a93 Mon Sep 17 00:00:00 2001 
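Review bot: The `dependencies:` entry added to Chart.yaml names its source as `repository: "@mockserver"`, a repo alias that exists only in the local Helm configuration of whoever runs `helm dependency update`. The chart therefore does not record where mockserver 5.14.0 is fetched from. Prefer the explicit repository URL (`repository: "https://<MOCKSERVER_CHART_REPO_PLACEHOLDER>"`) and commit the generated lock file so the resolved chart digest is reviewable. Separately, the chart declares `apiVersion: v1`, and Helm documents `dependencies` in Chart.yaml for `apiVersion: v2` charts (v1 charts use requirements.yaml), so check that `helm lint` accepts this.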
From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 1 Dec 2023 09:45:50 -0500 Subject: [PATCH 54/56] Create new build-publish workflow for chainlink-untrusted (from PR) --- .github/workflows/build-publish-pr.yml | 44 ++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/build-publish-pr.yml diff --git a/.github/workflows/build-publish-pr.yml b/.github/workflows/build-publish-pr.yml new file mode 100644 index 00000000000..78203484426 --- /dev/null +++ b/.github/workflows/build-publish-pr.yml 
@@ -0,0 +1,44 @@
+name: "Build and Publish from PR"
+
+##
+# This workflow builds and publishes a Docker image for Chainlink from a PR.
+# It doesn't use an environment, has its own special IAM role, does not sign
+# the image, and publishes to a special ECR repo.
+##
+
+on:
+ pull_request:
+
+jobs:
+ build-publish-untrusted:
+ if: ${{ ! startsWith(github.ref_name, 'release/') }}
+ runs-on: ubuntu-20.04
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Build, sign and publish chainlink image
+ uses: ./.github/actions/build-sign-publish-chainlink
+ with:
+ publish: true
+ aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }}
+ aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS_DEFAULT }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ sign-images: false
+ ecr-hostname: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}
+ ecr-image-name: chainlink-untrusted
+ dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
+ dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
+
+ - name: Collect Metrics
+ if: always()
+ id: collect-gha-metrics
+ uses: smartcontractkit/push-gha-metrics-action@d1618b772a97fd87e6505de97b872ee0b1f1729a # v2.0.2
+ with:
+ basic-auth: ${{ secrets.GRAFANA_CLOUD_BASIC_AUTH }}
+ hostname: ${{ secrets.GRAFANA_CLOUD_HOST }}
+ this-job-name: build-publish-untrusted
+ continue-on-error: true
From 51ceaa66096291a897bd37c7c13cbb1daef5d3e4 Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Fri, 1 Dec 2023 09:51:24 -0500
Subject: [PATCH 55/56] Reset workflow back
---
.github/workflows/build-publish.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index 59411a24dee..de33663d88d 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
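Review bot: The job guard `if: ${{ ! startsWith(github.ref_name, 'release/') }}` never skips anything on this trigger, because for `pull_request` events `github.ref_name` is `<pr-number>/merge`, not a branch name. If the intent is to skip PRs from or into release branches, test `github.head_ref` or `github.base_ref` instead, e.g. `if: ${{ ! startsWith(github.head_ref, 'release/') }}`. Since the job is granted `id-token: write` and runs the local action from the PR checkout, the header comment should also state that the PR role may only push to `chainlink-untrusted`, as the workflow itself cannot enforce that.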
@@ -17,6 +17,7 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check for VERSION file bump on tags + # Avoids checking VERSION file bump on forks. if: ${{ github.repository == 'smartcontractkit/chainlink' && startsWith(github.ref, 'refs/tags/v') }} uses: ./.github/actions/version-file-bump with: @@ -46,8 +47,6 @@ jobs: cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }} cosign-password: ${{ secrets.COSIGN_PASSWORD }} - # Use the custom secret value if it's for a PR, otherwise pass an empty string to use action's default value. - ecr-hostname: ${{ github.event_name == 'pull_request' && secrets.AWS_SDLC_ECR_HOSTNAME || '' }} dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} verify-signature: true From 658713fe6c7dec2f3cf2209018ff2936f55a263f Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Fri, 1 Dec 2023 10:15:10 -0500 Subject: [PATCH 56/56] Make step name accurate --- .github/workflows/build-publish-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-pr.yml b/.github/workflows/build-publish-pr.yml index 78203484426..b958295cf24 100644 --- a/.github/workflows/build-publish-pr.yml +++ b/.github/workflows/build-publish-pr.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Build, sign and publish chainlink image + - name: Build and publish chainlink image uses: ./.github/actions/build-sign-publish-chainlink with: publish: true