[TF] Import latest version of the Helm charts from internal-ops

aptos-labs · Dec 1, 2023 · 1bdd348 · 1bdd348
1 parent f4f49d5
commit 1bdd348
Show file tree

Hide file tree

Showing 66 changed files with 519 additions and 2,081 deletions.
diff --git a/terraform/helm/aptos-node/README.md b/terraform/helm/aptos-node/README.md
@@ -53,19 +53,19 @@ Aptos blockchain node deployment
 | labels | string | `nil` |  |
 | loadTestGenesis | bool | `false` | Load test-data for starting a test network |
 | manageImages | bool | `true` | If true, helm will always override the deployed image with what is configured in the helm values. If not, helm will take the latest image from the currently running workloads, which is useful if you have a separate procedure to update images (e.g. rollout) |
-| multicluster | object | `{"enabled":false,"targetClusters":["cluster1","cluster2","cluster3"]}` | Options for multicluster mode. This is *experimental only*. |
+| multicluster | object | `{"enabled":false,"targetClusters":["forge-multiregion-1","forge-multiregion-2","forge-multiregion-3"]}` | Options for multicluster mode. This is *experimental only*. |
 | numFullnodeGroups | int | `1` | Total number of fullnode groups to deploy |
 | numValidators | int | `1` | Number of validators to deploy |
 | overrideNodeConfig | bool | `false` | Specify validator and fullnode NodeConfigs via named ConfigMaps, rather than the generated ones from this chart. |
 | service.domain | string | `nil` | If set, the base domain name to use for External DNS |
-| service.fullnode.enableMetricsPort | bool | `true` | Enable the metrics port on fullnodes |
+| service.fullnode.enableMetricsPort | bool | `false` | Enable the metrics port on fullnodes |
 | service.fullnode.enableRestApi | bool | `true` | Enable the REST API on fullnodes |
 | service.fullnode.external.type | string | `"LoadBalancer"` | The Kubernetes ServiceType to use for fullnodes' HAProxy |
 | service.fullnode.externalTrafficPolicy | string | `"Local"` | The externalTrafficPolicy for the fullnode service |
 | service.fullnode.internal.headless | bool | `false` |  |
 | service.fullnode.internal.type | string | `"ClusterIP"` | The Kubernetes ServiceType to use for fullnodes |
 | service.fullnode.loadBalancerSourceRanges | string | `nil` | If set and if the ServiceType is LoadBalancer, allow traffic to fullnodes from these CIDRs |
-| service.validator.enableMetricsPort | bool | `true` | Enable the metrics port on the validator |
+| service.validator.enableMetricsPort | bool | `false` | Enable the metrics port on the validator |
 | service.validator.enableRestApi | bool | `true` | Enable the REST API on the validator |
 | service.validator.external.type | string | `"LoadBalancer"` | The Kubernetes ServiceType to use for validator's HAProxy |
 | service.validator.externalTrafficPolicy | string | `"Local"` | The externalTrafficPolicy for the validator service |
@@ -83,7 +83,6 @@ Aptos blockchain node deployment
 | validator.image.tag | string | `nil` | Image tag to use for validator images. If set, overrides `imageTag` |
 | validator.name | string | `nil` | Internal: name of your validator for use in labels |
 | validator.nodeSelector | object | `{}` |  |
-| validator.remoteLogAddress | string | `nil` | Address for remote logging. See `logger` helm chart |
 | validator.resources.limits.cpu | float | `15.5` |  |
 | validator.resources.limits.memory | string | `"26Gi"` |  |
 | validator.resources.requests.cpu | int | `15` |  |

diff --git a/terraform/helm/aptos-node/files/haproxy.cfg b/terraform/helm/aptos-node/files/haproxy.cfg
@@ -144,6 +144,21 @@ backend validator-metrics
     default-server maxconn 16
     server {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-validator {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-validator:9101
 
+frontend validator-admin
+    mode http
+    option httplog
+    bind :9202
+    default_backend validator-admin
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+    http-request add-header Forwarded "for=%ci"
+
+backend validator-admin
+    mode http
+    default-server maxconn 16
+    server {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-validator {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-validator:9102
+
 # Exposes the validator's own REST API
 {{- if $.Values.service.validator.enableRestApi }}
 frontend validator-api
@@ -235,6 +250,21 @@ backend {{ $config.name }}-metrics
     default-server maxconn 16
     server {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-{{ $config.name }} {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-{{ $config.name }}:9101
 
+frontend {{ $config.name }}-admin
+    mode http
+    option httplog
+    bind :{{ add 9203 $index }}
+    default_backend {{ $config.name }}-admin
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+    http-request add-header Forwarded "for=%ci"
+
+backend {{ $config.name }}-admin
+    mode http
+    default-server maxconn 16
+    server {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-{{ $config.name }} {{ include "aptos-validator.fullname" $ }}-{{ $.Values.i }}-{{ $config.name }}:9102
+
 {{- end }}
 {{- end }}
 

diff --git a/terraform/helm/aptos-node/templates/fullnode.yaml b/terraform/helm/aptos-node/templates/fullnode.yaml
@@ -24,9 +24,33 @@ spec:
     port: 6182
   - name: metrics
     port: 9101
+  - name: admin
+    port: 9102
   - name: api
     port: 8080
 
+{{- if $.Values.migrations.enable_vfn_explicit_pvc }}
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "aptos-validator.fullname" $ }}-{{$i}}-{{ .name }}-e{{ $.Values.chain.era }}
+  labels:
+    {{- include "aptos-validator.labels" $ | nindent 4 }}
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: {{ $.Values.fullnode.storage.class }}
+  resources:
+    requests:
+      storage: {{ $.Values.fullnode.storage.size }}
+  {{- if $.Values.fullnode.storage.labels }}
+  selector:
+    matchLabels:
+      {{- toYaml $.Values.fullnode.storage.labels | nindent 6}}
+  {{- end }}
+{{- end }}
 ---
 {{ $fullnode_statefulset := lookup "apps/v1" "StatefulSet" $.Release.Namespace (printf "%s-%d-%s-e%s" (include "aptos-validator.fullname" $) $i .name (toYaml $.Values.chain.era)) }}
 apiVersion: apps/v1
@@ -49,6 +73,7 @@ spec:
       app.kubernetes.io/name: fullnode
       app.kubernetes.io/instance: fullnode-{{$i}}
       group: {{ .name }}
+  {{- if not $.Values.migrations.enable_vfn_explicit_pvc }}
   volumeClaimTemplates:
   - metadata:
       name: fn
@@ -64,6 +89,7 @@ spec:
         matchLabels:
           {{- toYaml $.Values.fullnode.storage.labels | nindent 10}}
       {{- end }}
+    {{- end }}
   template:
     metadata:
       labels:
@@ -86,7 +112,18 @@ spec:
         image: {{ $.Values.validator.image.repo }}:{{ $.Values.validator.image.tag | default $.Values.imageTag }}
         {{- end }}
         imagePullPolicy: {{ $.Values.validator.image.pullPolicy }}
-        command: ["/usr/local/bin/aptos-node", "-f", "/opt/aptos/etc/fullnode.yaml"]
+        command:
+          - /bin/bash
+          - -c
+          - |-
+            set -euxo pipefail
+            if [[ -f /opt/aptos/data/wipe-db ]]; then
+              # Wipe DB
+              rm -rf /opt/aptos/data/db
+              # Delete the command file so we only wipe the DB once
+              rm -vf /opt/aptos/data/wipe-db
+            fi
+            /usr/local/bin/aptos-node -f /opt/aptos/etc/fullnode.yaml
       {{- with $.Values.fullnode }}
         resources:
           {{- toYaml .resources | nindent 10 }}
@@ -113,7 +150,11 @@ spec:
           mountPath: /opt/aptos/etc
         - name: genesis-config
           mountPath: /opt/aptos/genesis
+        {{- if $.Values.migrations.enable_vfn_explicit_pvc }}
+        - name: aptos-data
+        {{- else }}
         - name: fn
+        {{- end }}
           mountPath: /opt/aptos/data
         ports:
         - containerPort: 6181
@@ -122,6 +163,8 @@ spec:
           name: api
         - containerPort: 9101
           name: metrics
+        - containerPort: 9102
+          name: admin
         securityContext:
           {{- if $.Values.enablePrivilegedMode }}
           runAsUser: 0
@@ -165,6 +208,11 @@ spec:
       - name: genesis-config
         secret:
           secretName: {{ include "aptos-validator.fullname" $ }}-{{$i}}-genesis-e{{ $.Values.chain.era }}
+      {{- if $.Values.migrations.enable_vfn_explicit_pvc }}
+      - name: aptos-data
+        persistentVolumeClaim:
+          claimName: {{ include "aptos-validator.fullname" $ }}-{{$i}}-{{ .name }}-e{{ $.Values.chain.era }}
+      {{- end }}
       serviceAccountName: {{ include "aptos-validator.fullname" $ }}-fullnode
       {{- if $.Values.imagePullSecret }}
       imagePullSecrets:

diff --git a/terraform/helm/aptos-node/templates/haproxy.yaml b/terraform/helm/aptos-node/templates/haproxy.yaml
@@ -26,7 +26,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
     service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: All
     {{- if $.Values.service.domain }}
-    external-dns.alpha.kubernetes.io/hostname: val{{$i}}.{{ $.Values.service.domain }}
+    external-dns.alpha.kubernetes.io/hostname: vn{{$i}}.{{ $.Values.service.domain }}
     {{- end }}
 spec:
   selector:
@@ -41,6 +41,11 @@ spec:
     port: 9101
     targetPort: 9102
   {{- end }}
+  {{- if $.Values.service.validator.enableAdminPort }}
+  - name: admin
+    port: 9102
+    targetPort: 9202
+  {{- end }}
   {{- if $.Values.service.validator.enableRestApi }}
   - name: api
     port: 80
@@ -69,7 +74,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
     service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: All
     {{- if $.Values.service.domain }}
-    external-dns.alpha.kubernetes.io/hostname: {{ $config.name }}{{$i}}.{{ $.Values.service.domain }}
+    external-dns.alpha.kubernetes.io/hostname: {{ $config.dns_name }}{{$i}}.{{ $.Values.service.domain }}
     {{- end }}
 spec:
   selector:
@@ -85,6 +90,11 @@ spec:
     port: 9101
     targetPort: {{ add 9103 $index }}
   {{- end }}
+  {{- if $.Values.service.fullnode.enableAdminPort }}
+  - name: admin
+    port: 9102
+    targetPort: {{ add 9203 $index }}
+  {{- end }}
   {{- if $.Values.service.fullnode.enableRestApi }}
   - name: api
     port: 80
@@ -146,14 +156,24 @@ spec:
         imagePullPolicy: {{ .image.pullPolicy }}
         resources:
           {{- toYaml .resources | nindent 10 }}
+        # These ports are exposed by HAProxy. See haproxy.cfg for more details
+        # Fullnode ports are dynamically assigned based on the number of fullnode groups
         ports:
-        - containerPort: 6180
-        - containerPort: 6182
+        # Aptosnet
+        - containerPort: 6180 # validator
+        - containerPort: 6182 # fullnode
+        # Fullnode API
         - containerPort: 8080
+        # Validator API
         - containerPort: 8180
+        # HAProxy metrics port
         - containerPort: 9101
+        # Node ports
         - containerPort: 9102
         - containerPort: 9103
+        # AdminService ports
+        - containerPort: 9202 # validator admin
+        - containerPort: 9203 # fullnode admin
         volumeMounts:
         - name: haproxy-config
           mountPath: /usr/local/etc/haproxy

diff --git a/terraform/helm/aptos-node/templates/validator.yaml b/terraform/helm/aptos-node/templates/validator.yaml
@@ -23,6 +23,8 @@ spec:
     port: 6181
   - name: metrics
     port: 9101
+  - name: admin
+    port: 9102
   {{- if $.Values.service.validator.enableRestApi }}
   - name: api
     port: 8080
@@ -80,6 +82,8 @@ spec:
         checksum/validator.yaml: {{ tpl ($.Files.Get "files/configs/validator.yaml") $ | sha256sum }}
         prometheus.io/scrape: "true"
         prometheus.io/port: "9101"
+    status:
+      qosClass: "Guaranteed"
     spec:
       terminationGracePeriodSeconds: 0
       containers:
@@ -91,7 +95,18 @@ spec:
         {{- end }}
       {{- with $.Values.validator }}
         imagePullPolicy: {{ .image.pullPolicy }}
-        command: ["/usr/local/bin/aptos-node", "-f", "/opt/aptos/etc/validator.yaml"]
+        command:
+          - /bin/bash
+          - -c
+          - |-
+            set -euxo pipefail
+            if [[ -f /opt/aptos/data/wipe-db ]]; then
+              # Wipe DB
+              rm -rf /opt/aptos/data/db
+              # Delete the command file so we only wipe the DB once
+              rm -vf /opt/aptos/data/wipe-db
+            fi
+            /usr/local/bin/aptos-node -f /opt/aptos/etc/validator.yaml
         resources:
           {{- toYaml .resources | nindent 10 }}
         env:
@@ -123,6 +138,8 @@ spec:
           name: api
         - containerPort: 9101
           name: metrics
+        - containerPort: 9102
+          name: admin
         securityContext:
           {{- if $.Values.enablePrivilegedMode }}
           runAsUser: 0

diff --git a/terraform/helm/aptos-node/values.yaml b/terraform/helm/aptos-node/values.yaml
@@ -39,11 +39,11 @@ haproxy:
     pullPolicy: IfNotPresent
   resources:
     limits:
-      cpu: 4
-      memory: 8Gi
+      cpu: 3
+      memory: 6Gi
     requests:
-      cpu: 4
-      memory: 8Gi
+      cpu: 3
+      memory: 6Gi
   nodeSelector: {}
   tolerations: []
   affinity: {}
@@ -74,20 +74,18 @@ validator:
     pullPolicy: IfNotPresent
   resources:
     limits:
-      cpu: 15.5
-      memory: 26Gi
+      cpu: 14
+      memory: 56Gi
     requests:
-      cpu: 15
-      memory: 26Gi
+      cpu: 14
+      memory: 56Gi
   storage:
     # -- Kubernetes storage class to use for validator persistent storage
     class:
     # -- Size of validator persistent storage
     size: 2048Gi
   # -- Log level for the validator
   rust_log: info
-  # -- Address for remote logging. See `logger` helm chart
-  remoteLogAddress:
   # -- Flag to force enable telemetry service (useful for forge tests)
   force_enable_telemetry: false
   nodeSelector: {}
@@ -103,14 +101,15 @@ fullnode:
   # -- Specify fullnode groups by `name` and number of `replicas`
   groups:
     - name: fullnode
+      dns_name: vfn
       replicas: 1
   resources:
     limits:
-      cpu: 15.5
-      memory: 26Gi
+      cpu: 14
+      memory: 56Gi
     requests:
-      cpu: 15
-      memory: 26Gi
+      cpu: 14
+      memory: 56Gi
   storage:
     # -- Kubernetes storage class to use for fullnode persistent storage
     class:
@@ -131,6 +130,7 @@ fullnode:
     full_node_networks:
       # The first item in the array `full_node_networks` must always refer to the public fullnode network
       - network_id: "public"
+        seeds: {}
 
 service:
   # -- If set, the base domain name to use for External DNS
@@ -151,6 +151,8 @@ service:
     enableRestApi: true
     # -- Enable the metrics port on the validator
     enableMetricsPort: false
+    # -- Enable the admin port on the validator
+    enableAdminPort: false
   fullnode:
     external:
       # -- The Kubernetes ServiceType to use for fullnodes' HAProxy
@@ -167,6 +169,8 @@ service:
     enableRestApi: true
     # -- Enable the metrics port on fullnodes
     enableMetricsPort: false
+    # -- Enable the admin port on fullnodes
+    enableAdminPort: false
 
 serviceAccount:
   # -- Specifies whether a service account should be created
@@ -182,3 +186,9 @@ enablePrivilegedMode: false
 
 # Additional labels
 labels:
+
+# Infra migrations
+migrations:
+  # -- Explicitly define a PVC for VFNs.
+  # -- See templates/fullnode.yaml
+  enable_vfn_explicit_pvc: false
diff --git a/terraform/helm/autoscaling/templates/dns.yaml b/terraform/helm/autoscaling/templates/dns.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: hpa-coredns