diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index b3118076c..cbbe225f0 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -1,11 +1,8 @@ - [Helm Chart Development](#helm-chart-development) - [Prerequisites](#prerequisites) -- [Using devspace](#using-devspace) - - [Notes](#notes) - [Helm Charts](#helm-charts) - [Creating Charts](#creating-charts) - [Run local development chart](#run-local-development-chart) - - [Notes](#notes-1) - [Creating Docker Images](#creating-docker-images) - [Releases](#releases) @@ -13,8 +10,6 @@ ## Prerequisites -- Install [devspace](https://devspace.sh/cli/docs/introduction). - - Ensure minikube is running: ```shell @@ -27,42 +22,6 @@ eval $(minikube docker-env) ``` -# Using devspace - -- Tell devspace which namespace to use: - - ```shell - devspace use namespace oxheadalpha - ``` - -- Run `mkchain` to generate your Helm values. (Note: Devspace will only deploy `rpc-auth` if you use the `rpc-auth` profile, regardless if you set it in mkchain. This is to avoid devspace deployment issues. See more below.) - -- Set a `CHAIN_NAME` env var. - -- Run `devspace dev --var CHAIN_NAME=$CHAIN_NAME` (you can leave out the `--var` flag if you used `export CHAIN_NAME=my-chain`). - -- You may add the `rpc-auth` devspace [profile](https://devspace.sh/cli/docs/configuration/profiles/basics) by using the `-p rpc-auth` flag in the `devspace dev` command. This tells devspace deploy `rpc-auth` and to redeploy it if its files change. You can also pass another `--var` flag for `rpc-auth` like so: `--var FLASK_ENV=`. Devpsace defaults it to `development`. Running with `development` will allow the python server to hot reload on file changes. Devspace does not need to restart the pod on file changes as the python server file is [synced](https://devspace.sh/cli/docs/configuration/development/file-synchronization) to the container. - -Devspace will now do a few things: - -- Create namespace if it doesn't already exist. -- Runs a hook to enable the minikube nginx ingress addon. This is the gateway for external users to access the `rpc-auth` backend and to then make RPC calls to the Tezos node. -- Runs a hook to increase `fs.inotify.max_user_watches` to 1048576 in minikube. This is to avoid a "no space left on device" error. See [here](https://serverfault.com/questions/963529/minikube-k8s-kubectl-failed-to-watch-file-no-space-left-on-device) for more. -- Builds docker images and tags them. -- Deploys Helm charts. -- Starts [sync](https://devspace.sh/cli/docs/configuration/development/file-synchronization), [logging](https://devspace.sh/cli/docs/configuration/development/log-streaming), and [port-forwarding](https://devspace.sh/cli/docs/configuration/development/port-forwarding) services. - - Right now just `rpc-auth` produces logs from the python server. - - Port-forwarding allows you to directly communicate with containers, allowing for easy bootstrap node RPC calls, as well as requests to the `rpc-auth` server instead of having to go through the NGINX ingress. Example: `curl localhost:8732/chains/main/chain_id` -- Will automatically redeploy Helm charts and rebuild docker images depending upon the files you modify. - -## Notes - -- Devspace recommends to run [devspace purge](https://devspace.sh/cli/docs/commands/devspace_purge) to delete deployments. Keep in mind though that it currently does not delete persistent volumes and claims. They currently don't mention this in their docs. If you want to delete all resources including persistent volumes and claims, run `kubectl delete namespace `. Even with this command, there are times where PV's/PVC's do not get deleted. This is important to know because you may be spinning up nodes that get old volumes attached with old state, and you may encounter Tezos pod errors. I have experienced this in situations where I left my cluster running for a long time, say overnight, and I shut my laptop and/or it went to sleep. After logging back in and deleting the namespace, the PV's/PVC's are still there and need to be manually deleted. - -- If you would like to build all of our images without using Devspace to deploy (you might want to do a `helm install` instead), you can run `devspace build -t dev --skip-push`. - -- If you find that you have images built but Devspace is having a hard time getting them and/or is producing errors that don't seem to make sense, you can try `rm -rf .devspace` to remove any potentially wrong state. - # Helm Charts ## Creating Charts @@ -83,10 +42,6 @@ Instructions as per README install the latest release of tezos-k8s helm chart fr helm install tezos-mainnet charts/tezos --namespace oxheadalpha --create-namespace ``` -## Notes - -If you use `helm install|upgrade` (instead of devspace) for local charts, make sure you `helm dependency update ` to get the latest local dependency chart changes that you've made packaged into the parent chart. - # Creating Docker Images Currently, we are placing all docker images in the root level directory. The name of the folder is treated as the name of the image being created. diff --git a/charts/rpc-auth/.helmignore b/charts/rpc-auth/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/charts/rpc-auth/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/rpc-auth/Chart.yaml b/charts/rpc-auth/Chart.yaml deleted file mode 100644 index 033da15be..000000000 --- a/charts/rpc-auth/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v2 -name: authenticated-rpc-tezos-chain -description: A Helm chart for Tezos RPC authentication for a private chain -type: application -version: 0.0.0 -keywords: - - tezos - - blockchain -home: https://github.com/oxheadalpha/tezos-k8s diff --git a/charts/rpc-auth/templates/_helpers.tpl b/charts/rpc-auth/templates/_helpers.tpl deleted file mode 100644 index b059a2f81..000000000 --- a/charts/rpc-auth/templates/_helpers.tpl +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "my-chart.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "my-chart.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "my-chart.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "my-chart.labels" -}} -helm.sh/chart: {{ include "my-chart.chart" . }} -{{ include "my-chart.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "my-chart.selectorLabels" -}} -app.kubernetes.io/name: {{ include "my-chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "my-chart.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "my-chart.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/charts/rpc-auth/templates/rpc-auth.yaml b/charts/rpc-auth/templates/rpc-auth.yaml deleted file mode 100644 index 9a50536f2..000000000 --- a/charts/rpc-auth/templates/rpc-auth.yaml +++ /dev/null @@ -1,189 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: redis-service - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - ports: - - name: redis - port: 6379 - selector: - app: redis ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: redis-pv-claim - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: redis-config - namespace: {{ .Release.Namespace }} -data: - redis.conf: | - appendonly yes - appendfsync always ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - name: master - image: redis - command: - - redis-server - - "/redis/redis.conf" - readinessProbe: - exec: - command: - - sh - - -c - - "redis-cli -h $(hostname) ping" - initialDelaySeconds: 5 - timeoutSeconds: 5 - livenessProbe: - exec: - command: - - sh - - -c - - "redis-cli -h $(hostname) ping" - initialDelaySeconds: 5 - periodSeconds: 3 - # resources: - # requests: - # cpu: 100m - # memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - mountPath: /data - name: redis-data - - mountPath: /redis - name: redis-config - - volumes: - - name: redis-data - persistentVolumeClaim: - claimName: redis-pv-claim - - name: redis-config - configMap: - name: redis-config ---- -apiVersion: v1 -kind: Service -metadata: - name: rpc-auth - namespace: {{ .Release.Namespace }} -spec: - selector: - app: rpc-auth - ports: - - name: rpc-auth - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: rpc-auth - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: rpc-auth - template: - metadata: - labels: - app: rpc-auth - appType: rpc-auth - spec: - containers: - - name: rpc-auth - image: {{ .Values.tezos_k8s_images.rpc_auth | quote }} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - env: - - name: REDIS_HOST - value: {{ .Values.redis.host | quote }} - - name: REDIS_PORT - value: {{ .Values.redis.port | quote }} - - name: TEZOS_RPC_SERVICE - value: tezos-node-rpc - - name: TEZOS_RPC_SERVICE_PORT - value: "8732" ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: rpc-vending-machine-ingress - namespace: {{ .Release.Namespace }} - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" -spec: - rules: - - http: - paths: - # Client provides chain id and gets back a nonce - - path: /vending-machine/(.*) - pathType: Exact - backend: - serviceName: rpc-auth - servicePort: 8080 - # Client provides signed data and gets back a secret url - - path: /vending-machine - pathType: Exact - backend: - serviceName: rpc-auth - servicePort: 8080 ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: tezos-rpc-ingress - namespace: {{ .Release.Namespace }} - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - # https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication - nginx.ingress.kubernetes.io/auth-url: http://$service_name.$namespace.svc.cluster.local:8080/auth - nginx.ingress.kubernetes.io/auth-snippet: | - # Bug with nginx setting auth-url annotation port with a variable. - # Service name and namespace variables work. - # https://github.com/kubernetes/ingress-nginx/issues/6427 - set $service_name "rpc-auth"; -spec: - rules: - - http: - paths: - # Client uses secret url to access the RPC endpoint - - path: /tezos-node-rpc/(.*?)/(.*) - pathType: Exact - backend: - serviceName: tezos-node-rpc - servicePort: 8732 diff --git a/charts/rpc-auth/values.yaml b/charts/rpc-auth/values.yaml deleted file mode 100644 index 79a4a86dc..000000000 --- a/charts/rpc-auth/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# Images not part of the tezos-k8s repo go here -images: - -# Images that are part of the tezos-k8s repo go here -tezos_k8s_images: - rpc_auth: tezos-k8s-rpc-auth:dev - -redis: - host: redis-service - port: 6379 diff --git a/charts/tezos/templates/_containers.tpl b/charts/tezos/templates/_containers.tpl index 79e6f5c92..20d45d357 100644 --- a/charts/tezos/templates/_containers.tpl +++ b/charts/tezos/templates/_containers.tpl @@ -279,11 +279,7 @@ {{/* calculate the max number of bakers accross instances */}} {{- $max_baker_num := 0 }} {{- range $i := $.node_vals.instances }} - {{- if hasKey $i "bake_using_account" }} - {{- $max_baker_num = max 1 $max_baker_num }} - {{- else }} - {{- $max_baker_num = max (len (get $i "bake_using_accounts")) $max_baker_num }} - {{- end }} + {{- $max_baker_num = max (len (get $i "bake_using_accounts")) $max_baker_num }} {{- end }} {{- range $n := until (int $max_baker_num) }} {{- range $.Values.protocols }} diff --git a/charts/tezos/templates/_helpers.tpl b/charts/tezos/templates/_helpers.tpl index b4db4db3b..dae29943d 100644 --- a/charts/tezos/templates/_helpers.tpl +++ b/charts/tezos/templates/_helpers.tpl @@ -117,8 +117,6 @@ metadata: {{- range $instance := $node.instances }} {{- if and .bake_using_accounts (kindIs "slice" .bake_using_accounts) }} {{- $allAccounts = concat $allAccounts .bake_using_accounts }} - {{- else if and .bake_using_account (kindIs "string" .bake_using_account) }} - {{- $allAccounts = append $allAccounts .bake_using_account }} {{- end }} {{- end }} {{- end }} diff --git a/charts/tezos/templates/configs.yaml b/charts/tezos/templates/configs.yaml index 4d55eb82b..20bb66a74 100644 --- a/charts/tezos/templates/configs.yaml +++ b/charts/tezos/templates/configs.yaml @@ -10,8 +10,6 @@ data: "bootstrap_peers": {{ toJson .Values.bootstrap_peers }}, "default_bootstrap_mutez": "{{ .Values.bootstrap_mutez }}", "expected-proof-of-work": {{ toJson .Values.expected_proof_of_work }}, - - "should_generate_unsafe_deterministic_data": {{ toJson .Values.should_generate_unsafe_deterministic_data }}, "network": {{ mustToPrettyJson .Values.node_config_network | indent 8 | trim }}, "protocol_activation": {{ .Values.activation | mustToPrettyJson | indent 8 | trim }} } diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml index b1cbcaa0b..0cb34316c 100644 --- a/charts/tezos/values.yaml +++ b/charts/tezos/values.yaml @@ -101,12 +101,6 @@ accounts: {} # bootstrap_balance: "4000000000000" # ``` # -# When running bakers for a public net, you must provide your own secret keys. -# For non public networks you can change the -# `should_generate_unsafe_deterministic_data` setting to true, and deterministic -# keys will be generated for your nodes automatically. This is helpful to spin up -# local testnets. -should_generate_unsafe_deterministic_data: false # # End Accounts # # Nodes @@ -164,10 +158,7 @@ should_generate_unsafe_deterministic_data: false # Otherwise, the chain may become unreachable externally # while waiting for other nodes to come online. # - `instances`: A list of nodes to fire up, each is a dictionary defining: -# - `bake_using_account`: Account name that should be used for baking. -# Don't also set `bake_using_accounts`. # - `bake_using_accounts`: List of account names that should be used for baking. -# Don't also set `bake_using_account`. # - `authorized_keys`: List of account names that should be used as keys to # authenticate a baker to a signer. # When a baker uses a remote signer that requires @@ -226,7 +217,7 @@ should_generate_unsafe_deterministic_data: false # limits: # memory: 16192Mi # instances: -# - bake_using_account: baker0 +# - bake_using_accounts: [baker0] # is_bootstrap_node: true # # Note the following config section overrides the above one even # # if we make them the same in this example. diff --git a/devspace.yaml b/devspace.yaml deleted file mode 100755 index 65e6af506..000000000 --- a/devspace.yaml +++ /dev/null @@ -1,101 +0,0 @@ -version: v1beta9 -deployments: - - name: chain - helm: - chart: - name: ./charts/tezos - valuesFiles: - - ./${CHAIN_NAME}_values.yaml - -images: - utils: - image: tezos-k8s-utils - dockerfile: ./utils/Dockerfile - context: ./utils - -dev: - ports: - - labelSelector: - app: tezos-baking-node - forward: - - port: 8732 - remotePort: 8732 - logs: - disabled: true - autoReload: - deployments: - - chain - -hooks: - - command: minikube - args: - - addons - - enable - - ingress - when: - before: - pullSecrets: all - - command: sh - args: - - -c - - minikube ssh "sudo sysctl fs.inotify.max_user_watches=1048576" - when: - before: - pullSecrets: all - -vars: - - name: CHAIN_NAME - question: Name of the chain as passed to generate-constants - default: "devspace" - source: env - - name: FLASK_ENV # development | production - question: Deployment env to run RPC authentication - default: development - source: env - -profiles: - - name: rpc-auth - strategicMerge: - images: - rpc-auth: - image: tezos-k8s-rpc-auth - dockerfile: ./rpc-auth/Dockerfile - context: ./rpc-auth - build: - docker: - options: - buildArgs: - FLASK_ENV: ${FLASK_ENV} - dev: - logs: - disabled: false - images: - - rpc-auth - sync: - - imageName: rpc-auth - localSubPath: ./rpc-auth/server - patches: - - op: add - path: deployments - value: - name: rpc-auth - helm: - chart: - name: ./charts/rpc-auth - - op: add - path: dev.autoReload.deployments - value: rpc-auth - - op: add - path: dev.autoReload.paths - value: ./rpc-auth/Dockerfile - - op: add - path: dev.autoReload.paths - value: ./rpc-auth/server/requirements.txt - - op: add - path: dev.ports - value: - labelSelector: - app: rpc-auth - forward: - - port: 8080 - remotePort: 8080 diff --git a/docs/04-other-helm-charts.md b/docs/04-other-helm-charts.md index 755fcc5cb..9da20d999 100644 --- a/docs/04-other-helm-charts.md +++ b/docs/04-other-helm-charts.md @@ -3,7 +3,6 @@ The Tezos-k8s project also maintains several other helm charts: * **[pyrometer](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/pyrometer)**: a chart to deploy the [Pyrometer Tezos monitoring tool](https://gitlab.com/tezos-kiln/pyrometer) -* **[rpc-auth](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/rpc-auth)**: a vending-machine to dispense Tezos RPC access * **[tezos-faucet](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/tezos-faucet)**: a faucet to dispense testnet funds * **[snapshotEngine](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/snapshotEngine)**: an utility to generate Tezos snapshots from running nodes, using Kubernetes CSI driver * **[tezos-reward-distributor](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/tezos-reward-distributor)**: a chart to deploy [TRD](https://tezos-reward-distributor-organization.github.io/tezos-reward-distributor/) diff --git a/docs/Prerequisites.md b/docs/Prerequisites.md index 63b81b214..5661df298 100644 --- a/docs/Prerequisites.md +++ b/docs/Prerequisites.md @@ -64,8 +64,6 @@ Make hyperkit the default minikube driver: minikube config set driver hyperkit ``` -(Note: We do not use Docker itself as the minikube driver due to an [issue](https://github.com/kubernetes/minikube/issues/7332) regarding the minikube ingress addon that is required by rpc-auth.) - ### Other Operating Systems If in the next step minikube does not start correctly, you may need to configure a different driver for it. Please see the minikube docs [here](https://minikube.sigs.k8s.io/docs/drivers/) for more information. diff --git a/docs/Private-Chain.md b/docs/Private-Chain.md index 68b8a1b23..1ef03164f 100644 --- a/docs/Private-Chain.md +++ b/docs/Private-Chain.md @@ -89,8 +89,8 @@ At the statefulset level, the following parameters are allowed: - runs: a list of containers to run, e.g. "baker", "accuser" - instances: a list of nodes to fire up, each is a dictionary defining: - - `bake_using_account`: The name of the account that should be used - for baking. + - `bake_using_accounts`: The name of the accounts that should be used + for baking. - `is_bootstrap_node`: Is this node a bootstrap peer. - config: The `config` property should mimic the structure of a node's config.json. @@ -108,7 +108,7 @@ nodes: - baker - logger instances: - - bake_using_account: baker0 + - bake_using_accounts: [baker0] is_bootstrap_node: true config: shell: diff --git a/docs/RPC-Auth.md b/docs/RPC-Auth.md deleted file mode 100644 index ce8d359f5..000000000 --- a/docs/RPC-Auth.md +++ /dev/null @@ -1,5 +0,0 @@ -## RPC Authentication - -You can optionally spin up an RPC authentication backend allowing trusted users to make RPC requests to your cluster. - -Follow the steps at [rpc-auth/README.md](https://github.com/oxheadalpha/tezos-k8s/blob/master/rpc-auth/README.md). diff --git a/rpc-auth/.dockerignore b/rpc-auth/.dockerignore deleted file mode 100644 index 8bf81bf5a..000000000 --- a/rpc-auth/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -client -README.md diff --git a/rpc-auth/Dockerfile b/rpc-auth/Dockerfile deleted file mode 100644 index df4b8af6d..000000000 --- a/rpc-auth/Dockerfile +++ /dev/null @@ -1,66 +0,0 @@ -FROM python:3.9.6-slim as builder - -RUN mkdir -p /var/rpc-auth/ - -WORKDIR /var/rpc-auth/ - -# Installing pytezos deps -RUN apt-get update -y \ - && apt-get install --no-install-recommends -y \ - automake \ - build-essential \ - libffi-dev \ - libgmp-dev \ - libsecp256k1-dev \ - libsodium-dev \ - libtool \ - pkg-config \ - && echo - -COPY ./requirements.txt . -RUN mkdir wheels \ - && pip wheel -r requirements.txt \ - --wheel-dir ./wheels --no-cache-dir - -FROM python:3.9-slim AS src - -WORKDIR /var/rpc-auth/ - -# Installing pytezos deps -RUN apt-get update -y \ - && apt-get install --no-install-recommends -y \ - libffi-dev \ - libgmp-dev \ - libsecp256k1-dev \ - libsodium-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Installing python dependencies -COPY --from=builder /var/rpc-auth/wheels wheels -COPY ./requirements.txt . -RUN pip install -r requirements.txt \ - --no-index --find-links ./wheels \ - && rm -rf ./wheels ./requirements.txt - -RUN groupadd -g 999 appuser && \ - useradd -r -u 999 -g appuser appuser - -COPY --chown=appuser:appuser ./server/index.py . - -ARG FLASK_ENV=production -ENV FLASK_ENV=$FLASK_ENV -ENV PYTHONUNBUFFERED=x - -EXPOSE 8080 - -USER appuser - -CMD uwsgi \ - --http-socket 0.0.0.0:8080 \ - --callable app \ - --threads 100 \ - --processes 1 \ - --wsgi-file index.py \ - --worker-reload-mercy 0 \ - $(if [ "${FLASK_ENV}" = "development" ] ; then echo "--touch-reload index.py" ; else : ; fi) diff --git a/rpc-auth/README.md b/rpc-auth/README.md deleted file mode 100644 index dd6835ffd..000000000 --- a/rpc-auth/README.md +++ /dev/null @@ -1,82 +0,0 @@ -- [Tezos RPC Authentication](#tezos-rpc-authentication) - - [Deploy RPC Auth Backend](#deploy-rpc-auth-backend) - - [Client Authentication](#client-authentication) - - [Prerequisites](#prerequisites) - - [Authentication flow](#authentication-flow) - -# Tezos RPC Authentication - -`rpc-auth` provides a mechanism where a user authenticates themselves and will receive a secret url that they then use to make RPC calls. - -## Deploy RPC Auth Backend - -Install this chart to deploy an RPC Authentication backend for your private chain. - -This assumes that you have followed the steps [here](../README.md) necessary to deploy a Tezos private chain. - -Make sure you have the Tezos Helm chart repo: - -```shell -helm repo add oxheadalpha https://oxheadalpha.github.io/tezos-helm-charts -``` - -If you don't currently have a chain running, run the following command to start it: - -```shell -helm install $CHAIN_NAME oxheadalpha/tezos-chain \ ---values ./${CHAIN_NAME}_values.yaml \ ---namespace oxheadalpha --create-namespace -``` - -If you already have a chain running, you need to use Helm's `upgrade` cmd instead of `install`: - -```shell -helm upgrade $CHAIN_NAME oxheadalpha/tezos-chain \ ---values ./${CHAIN_NAME}_values.yaml \ ---namespace oxheadalpha -``` - -## Client Authentication - -### Prerequisites - -- [tezos-client](https://assets.tqtezos.com/docs/setup/1-tezos-client/) - -## Authentication flow - -1. You provide a trusted user with your cluster ip/address and your private tezos chain id. - To see your chain id, either: - - - Run - ```shell - kubectl exec -it -n oxheadalpha statefulset/tezos-baking-node -c octez-node -- octez-client rpc get /chains/main/chain_id - ``` - - Use a tool like [Lens](https://k8slens.dev/) to view the logs of the Tezos node. (As well as the rest of your k8s infrastructure) - - Manually run the logs command `kubectl logs -n oxheadalpha statefulset/tezos-baking-node -c octez-node`. The top of the logs should look similar to: - ``` - Dec 21 19:42:08 - node.main: starting the Tezos node (chain = my-chain) - Dec 21 19:42:08 - node.main: disabled local peer discovery - Dec 21 19:42:08 - node.main: read identity file (peer_id = idsbTksk6cHggEndHLQBAJvxaViUnz) - Dec 21 19:42:08 - main: shell-node initialization: bootstrapping - Dec 21 19:42:08 - main: shell-node initialization: p2p_maintain_started - Dec 21 19:42:08 - block_validator_process_external: Initialized - Dec 21 19:42:08 - block_validator_process_external: Block validator started on pid 11 - Dec 21 19:42:08 - validator.block: Worker started - Dec 21 19:42:08 - node.validator: activate chain NetXitypWekag8Z - ``` - The chain id is printed on the last line: `NetXitypWekag8Z`. - -2. The user needs to have a Tezos secret key either generated or imported by `octez-client`. The user's secret key is used to sign some data for the server to then verify. - -3. The user runs: `rpc-auth/client/init.sh --cluster-address $CLUSTER_IP --tz-alias $TZ_ALIAS --chain-id $CHAIN_ID` - - - `TZ_ALIAS` is the alias of a user's tz address secret key. - -4. If the user is authenticated, the response should contain a secret url that looks like `http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/` - -5. Client can then make RPC requests: - - `curl http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/chains/main/chain_id` - - As of docker image `tezos/tezos:v9-release`: - ```shell - octez-client --endpoint http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/ rpc get chains/main/chain_id - ``` diff --git a/rpc-auth/client/init.sh b/rpc-auth/client/init.sh deleted file mode 100755 index d7f0ecaca..000000000 --- a/rpc-auth/client/init.sh +++ /dev/null @@ -1,104 +0,0 @@ -#!/bin/bash - -while test $# -gt 0; do - case "$1" in - -h | --help) - echo "options:" - echo "-h, --help show brief help" - echo "--cluster-address specify ip or url for requesting nonce" - echo "--chain-id specify chain id of permission chain" - echo "--tz-alias specify tz alias of your key" - exit 0 - ;; - --cluster-address) - shift - if test $# -gt 0; then - export CLUSTER_ADDRESS=$1 - else - echo "no address specified" - exit 1 - fi - shift - ;; - --chain-id) - shift - if test $# -gt 0; then - export CHAIN_ID=$1 - else - echo "no chain id specified" - exit 1 - fi - shift - ;; - --tz-alias) - shift - if test $# -gt 0; then - export TZ_ALIAS=$1 - else - echo "no tz alias specified" - exit 1 - fi - shift - ;; - *) - break - ;; - esac -done - -if [ -z "$CLUSTER_ADDRESS" ]; then - echo "--cluster-address flag is required" - exit 1 -elif [ -z "$CHAIN_ID" ]; then - echo "--chain-id flag is required" - exit 1 -elif [ -z "$TZ_ALIAS" ]; then - echo "--tz-alias flag is required" - exit 1 -fi - -if ! tezos-client show address $TZ_ALIAS >/dev/null 2>&1; then - echo "no public key hash alias named $TZ_ALIAS" - exit 1 -fi - -get_response_body() { - echo $1 | sed -e 's/ HTTPSTATUS\:.*//g' -} -get_response_status() { - printf '%q' $1 | sed -e 's/.*HTTPSTATUS://' -} - -echo "Requesting data to sign..." -nonce_res=$(curl -s -X GET http://$CLUSTER_ADDRESS/vending-machine/$CHAIN_ID -w " HTTPSTATUS:%{http_code}") -NONCE=$(get_response_body "$nonce_res") -nonce_res_status=$(get_response_status "$nonce_res") - -if [ "$nonce_res_status" != "200" ]; then - echo "Failed to get nonce. [HTTP status: $nonce_res_status]" - echo "$nonce_res" - exit 1 -fi - -# echo NONCE: "$NONCE" - -echo "Signing data..." -SIGNATURE=$(tezos-client -p PsDELPH1Kxsx sign bytes 0x05${NONCE} for ${TZ_ALIAS} | cut -f 2 -d " ") -PUBLIC_KEY=$(tezos-client show address ${TZ_ALIAS} 2>/dev/null | grep "Public Key: " | awk '{print $3}') - -# echo SIGNATURE: "$SIGNATURE" -# echo PUBLIC_KEY: "$PUBLIC_KEY" - -echo "Sending request for RPC url..." -secret_url_res=$(curl -s -X POST -d "nonce=${NONCE}" -d "signature=${SIGNATURE}" -d "public_key=${PUBLIC_KEY}" http://$CLUSTER_ADDRESS/vending-machine -w " HTTPSTATUS:%{http_code}") -SECRET_URL=$(get_response_body "$secret_url_res") -secret_url_status=$(get_response_status "$secret_url_res") - -if [ "$secret_url_status" != "200" ]; then - echo "Failed to get secret url. [HTTP status: $secret_url_status]" - echo "$secret_url_res" - exit 1 -fi - -echo "Your secret tezos node RPC url: $SECRET_URL" - diff --git a/rpc-auth/requirements.txt b/rpc-auth/requirements.txt deleted file mode 100644 index 7df6cc352..000000000 --- a/rpc-auth/requirements.txt +++ /dev/null @@ -1,35 +0,0 @@ -base58==1.0.3 -bson==0.5.10 -certifi==2020.6.20 -cffi==1.14.3 -chardet==3.0.4 -click==7.1.2 -fastecdsa==1.7.5 -fire==0.3.1 -Flask==1.1.2 -idna==2.10 -itsdangerous==1.1.0 -Jinja2==2.11.3 -loguru==0.5.3 -MarkupSafe==1.1.1 -mnemonic==0.19 -netstruct==1.1.2 -pendulum==2.1.2 -ply==3.11 -pyblake2==1.1.2 -pycparser==2.20 -pysodium==0.7.5 -pytezos==2.5.11 -python-dateutil==2.8.1 -pytzdata==2020.1 -PyYAML==6.0.1 -redis==3.5.3 -requests==2.26.0 -secp256k1==0.13.2 -simplejson==3.17.2 -six==1.15.0 -termcolor==1.1.0 -tqdm==4.51.0 -urllib3==1.26.5 -uWSGI==2.0.19.1 -Werkzeug==1.0.1 diff --git a/rpc-auth/server/index.py b/rpc-auth/server/index.py deleted file mode 100755 index d4e16af67..000000000 --- a/rpc-auth/server/index.py +++ /dev/null @@ -1,167 +0,0 @@ -import os -import re -import time -from functools import cache -from urllib.parse import urljoin -from uuid import uuid4 - -import requests -from flask import Flask, abort, request -from pytezos.crypto import Key -from redis import StrictRedis, WatchError - -TEZOS_RPC_SERVICE_URL = ( - f"http://{os.getenv('TEZOS_RPC_SERVICE')}:{os.getenv('TEZOS_RPC_SERVICE_PORT')}" -) - -app = Flask(__name__) -redis = StrictRedis(host=os.getenv("REDIS_HOST"), port=os.getenv("REDIS_PORT")) - -## ROUTES - - -@app.route("/vending-machine/") -def get_nonce(chain_id): - try: - is_correct_chain_id = verify_chain_id(chain_id) - if not is_correct_chain_id: - abort(401) - except requests.exceptions.RequestException as e: - print("Failed to verify chain id.", e) - abort(500) - - # Tezos client requires the data to be signed in hex format - nonce = uuid4().hex - redis.set(nonce, "", ex=3) - return nonce - - -@app.route("/vending-machine", methods=["POST"]) -def generate_tezos_rpc_url(): - try: - nonce, signature, public_key = [ - request.values[k] for k in ("nonce", "signature", "public_key") - ] - except KeyError as e: - print("Request data:", request.values) - print(e) - abort(400) - - if not is_valid_nonce(nonce): - abort(401) - - tezos_key_object = get_tezos_key_object(public_key) - if not is_valid_signature(tezos_key_object, signature, nonce): - abort(401) - - access_token = uuid4().hex - secret_url = create_secret_url(access_token) - save_access_token(tezos_key_object.public_key_hash(), access_token) - return secret_url - - -@app.route("/auth") -def rpc_auth(): - access_token = extract_access_token(request.headers) - if not is_valid_access_token(access_token): - abort(401) - return "OK", 200 - - -## HELPER FUNCTIONS - - -def verify_chain_id(chain_id): - if chain_id != get_tezos_chain_id(): - return False - return True - - -@cache -def get_tezos_chain_id(): - tezos_chain_id = os.getenv("TEZOS_CHAIN_ID") - if tezos_chain_id: - return tezos_chain_id - chain_id_response = requests.get( - urljoin(TEZOS_RPC_SERVICE_URL, "chains/main/chain_id") - ) - return chain_id_response.text.strip('\n"') - - -def is_valid_nonce(nonce): - with redis.pipeline() as pipeline: - try: - pipeline.watch(nonce) - redis_nonce = pipeline.get(nonce) - pipeline.multi() - pipeline.delete(nonce) - pipeline.execute() - if redis_nonce != None: - return True - except WatchError: - print("Nonce was already validated.") - - return False - - -def get_tezos_key_object(public_key): - try: - return Key.from_encoded_key(public_key) - except ValueError as e: - print("Something is wrong with the public_key provided:", e) - abort(401) - - -def is_valid_signature(key_object, signature, nonce): - try: - bytes_prefix = "0x05" - key_object.verify(signature, bytes_prefix + nonce) - return True - except ValueError as e: - print("Error verifying signature:", e) - return False - - -def create_secret_url(access_token): - return urljoin(request.url_root, f"tezos-node-rpc/{access_token}") - - -def create_redis_access_token_key(access_token, hash=False): - return f"access_token{':hash' if hash else ''}:{access_token}" - - -def save_access_token(tz_address, access_token): - access_token_key = create_redis_access_token_key(access_token) - with redis.pipeline() as pipeline: - # Create redis hash of access token with timestamp and tz address - pipeline.hset( - access_token_key, mapping={"timestamp": time.time(), "address": tz_address} - ) - # Add access token to list of this tz address's tokens - pipeline.sadd(tz_address, access_token_key) - pipeline.execute() - - -def extract_access_token(headers): - original_url = headers.get("X-Original-Url") - regex_obj = re.search(r"tezos-node-rpc/(.*?)/", original_url) - if regex_obj: - return regex_obj.group(1) - - -def is_valid_access_token(access_token): - if ( - access_token - and len(access_token) == 32 # Should be 32 char hex string - and redis.exists(create_redis_access_token_key(access_token)) == 1 - ): - return True - return False - - -if __name__ == "__main__": - app.run( - host="0.0.0.0", - port=8080, - debug=(True if os.getenv("FLASK_ENV") == "development" else False), - ) diff --git a/test/charts/mainnet.expect.yaml b/test/charts/mainnet.expect.yaml index a8e58abbd..0e5050f14 100644 --- a/test/charts/mainnet.expect.yaml +++ b/test/charts/mainnet.expect.yaml @@ -22,8 +22,6 @@ data: "bootstrap_peers": [], "default_bootstrap_mutez": "4000000000000", "expected-proof-of-work": 26, - - "should_generate_unsafe_deterministic_data": false, "network": { "chain_name": "mainnet" }, diff --git a/test/charts/mainnet2.expect.yaml b/test/charts/mainnet2.expect.yaml index b1d7a1b67..79a53eb26 100644 --- a/test/charts/mainnet2.expect.yaml +++ b/test/charts/mainnet2.expect.yaml @@ -22,8 +22,6 @@ data: "bootstrap_peers": [], "default_bootstrap_mutez": "4000000000000", "expected-proof-of-work": 26, - - "should_generate_unsafe_deterministic_data": false, "network": { "chain_name": "mainnet" }, diff --git a/test/charts/private-chain.expect.yaml b/test/charts/private-chain.expect.yaml index 5329868dc..874c4e196 100644 --- a/test/charts/private-chain.expect.yaml +++ b/test/charts/private-chain.expect.yaml @@ -43,8 +43,6 @@ data: "bootstrap_peers": [], "default_bootstrap_mutez": "4000000000000", "expected-proof-of-work": 0, - - "should_generate_unsafe_deterministic_data": true, "network": { "activation_account_name": "tezos-baking-node-0", "chain_name": "elric", @@ -227,7 +225,6 @@ data: b-013-PtJakart-per-block-votes.json: "{\"liquidity_baking_toggle_vote\":\"pass\"}" c-013-PtJakart-per-block-votes.json: "{\"liquidity_baking_toggle_vote\":\"pass\"}" d-013-PtJakart-per-block-votes.json: "{\"liquidity_baking_toggle_vote\":\"pass\"}" - tacoinfraSigner-013-PtJakart-per-block-votes.json: "{\"liquidity_baking_toggle_vote\":\"pass\"}" kind: ConfigMap metadata: name: baker-config diff --git a/utils/config-generator.py b/utils/config-generator.py index 7c5a6feb3..beca081af 100755 --- a/utils/config-generator.py +++ b/utils/config-generator.py @@ -65,10 +65,6 @@ NETWORK_CONFIG = CHAIN_PARAMS["network"] -SHOULD_GENERATE_UNSAFE_DETERMINISTIC_DATA = CHAIN_PARAMS.get( - "should_generate_unsafe_deterministic_data" -) - # If there are no genesis params, we are dealing with a public network. THIS_IS_A_PUBLIC_NET = True if not NETWORK_CONFIG.get("genesis") else False # Even if we are dealing with a public network, we may not want to join it in a @@ -83,14 +79,6 @@ def main(): all_accounts = ACCOUNTS - if not THIS_IS_A_PUBLIC_NET: - fill_in_missing_genesis_block() - - if SHOULD_GENERATE_UNSAFE_DETERMINISTIC_DATA: - all_accounts = fill_in_missing_accounts() - fill_in_missing_keys(all_accounts) - - fill_in_activation_account(all_accounts) all_accounts = import_keys(all_accounts) if MY_POD_NAME in BAKING_NODES: @@ -183,92 +171,12 @@ def main(): print("Generated dal attester account list for this node: %s" % attester_list) -# If NETWORK_CONFIG["genesis"]["block"] hasn't been specified, we generate a -# deterministic one. -def fill_in_missing_genesis_block(): - genesis_config = NETWORK_CONFIG["genesis"] - if not genesis_config.get("block"): - print("Deterministically generating missing genesis_block") - if not NETWORK_CONFIG.get("chain_name"): - raise Exception("Genesis config is missing 'chain_name'.") - seed = NETWORK_CONFIG["chain_name"] - gbk = blake2b(seed.encode(), digest_size=32).digest() - gbk_b58 = b58encode_check(b"\x01\x34" + gbk).decode("utf-8") - genesis_config["block"] = gbk_b58 - - -def fill_in_activation_account(accts): - if "activation_account_name" not in NETWORK_CONFIG: - print("Activation account missing:") - for name, val in accts.items(): - if val.get("is_bootstrap_baker_account", False): - print(f" Setting activation account to {name}") - NETWORK_CONFIG["activation_account_name"] = name - return - print(" failed to find one") - - -def get_baking_accounts(baker_values): - acct = baker_values.get("bake_using_account") - accts = baker_values.get("bake_using_accounts") - - if acct and accts: - raise ValueError( - 'Mustn\'t specify both "bake_using_account" and "bake_using_accounts"' - ) - - if acct: - accts = [acct] - - return accts - - -# Secret and public keys are matches and need be processed together. Neither key -# must be specified, as later code will fill in the details if they are not. -# -# We create any missing accounts that are referred to by a node at -# BAKING_NODES to ensure that all named accounts exist. -def fill_in_missing_accounts(): - print("\nFilling in any missing accounts...") - new_accounts = {} - init_balance = CHAIN_PARAMS["default_bootstrap_mutez"] - for baker_name, baker_values in BAKING_NODES.items(): - accts = get_baking_accounts(baker_values) - - if not accts: - print(f"Defaulting to baking with account: {baker_name}") - accts = [baker_name] - - baker_values["bake_using_account"] = None - baker_values["bake_using_accounts"] = accts - - for acct in accts: - if acct not in ACCOUNTS: - print(f"Creating account: {acct}") - new_accounts[acct] = { - "bootstrap_balance": init_balance, - "is_bootstrap_baker_account": True, - } - - try: - acct = NETWORK_CONFIG["activation_account_name"] - if acct not in ACCOUNTS and acct not in new_accounts: - print(f"Creating activation account: {acct}") - new_accounts[acct] = { - "bootstrap_balance": CHAIN_PARAMS["default_bootstrap_mutez"], - } - except: - pass - - return {**new_accounts, **ACCOUNTS} - - def verify_this_bakers_account(accounts): """ Verify the current baker pod has an account with a secret key, unless the account is signed for via an external remote signer (e.g. Tacoinfra). """ - accts = get_baking_accounts(MY_POD_CONFIG) + accts = MY_POD_CONFIG.get("bake_using_accounts") if not accts or len(accts) < 1: raise Exception("ERROR: No baker accounts specified") @@ -294,47 +202,13 @@ def verify_this_bakers_account(accounts): # the keys for each of the accounts: secret_keys, public_keys, and # public_key_hashs. # -# We iterate over fill_in_missing_baker_accounts() which ensures that we -# have a full set of accounts for which to write keys. -# # If the account has a private key specified, we parse it and use it to # derive the public key and its hash. If a public key is also specified, -# we check to ensure that it matches the secret key. If neither a secret -# nor a public key are specified, then we derive one from a hash of -# the account name and the gensis_block (which may be generated above.) -# -# Both specified and generated keys are stable for the same _values.yaml -# files. The specified keys for obvious reasons. The generated keys -# are stable because we take care not to use any information that is not -# specified in the _values.yaml file in the seed used to generate them. +# we check to ensure that it matches the secret key. # # import_keys() also fills in "pk" and "pkh" as the public key and # public key hash as a side-effect. These are used later. -edsk = b"\x0d\x0f\x3a\x07" - - -def fill_in_missing_keys(all_accounts): - print("\nFill in missing keys") - - for account_name, account_values in all_accounts.items(): - if "type" in account_values: - raise Exception( - "Deprecated field 'type' passed by helm, but helm should have pruned it." - ) - account_key = account_values.get("key") - - if account_key == None: - print( - f" Deriving secret key for account " - + f"{account_name} from genesis_block" - ) - seed = account_name + ":" + NETWORK_CONFIG["genesis"]["block"] - sk = blake2b(seed.encode(), digest_size=32).digest() - sk_b58 = b58encode_check(edsk + sk).decode("utf-8") - account_values["key"] = sk_b58 - account_values["type"] = "secret" - def expose_secret_key(account_name): diff --git a/utils/config-generator.sh b/utils/config-generator.sh index 5ca085e11..78a96e708 100755 --- a/utils/config-generator.sh +++ b/utils/config-generator.sh @@ -34,11 +34,7 @@ fi if [ "$AM_I_BAKER" -eq 1 ]; then my_baker_account=$(echo $MY_CLASS | \ - jq -r ".instances[${MY_POD_NAME#$MY_NODE_CLASS-}] - |if .bake_using_accounts - then .bake_using_accounts[] - else .bake_using_account - end") + jq -r ".instances[${MY_POD_NAME#$MY_NODE_CLASS-}].bake_using_accounts[]") # If no account to bake for was specified in the node's settings, # config-generator defaults the account name to the pod's name.