Bake remotely (#1)

* Dedicated RPC-baking baker pod

* expose secret key

* add authorized key

* ensure baker authorized keys are populated

* deploy authorized keys automatically where they are needed

* fix object prop access

* no get for list

* fix old mkchain terminology

* mkchain with new model

* decouple baker name and baking account name

* rename bakers

* rename nodes

* round robin the bakers and nodes

* support multiple protos, simplify params of mkchain

* wip dal

* move to oxford

* point DAL to l1

* right values for mock srs

* utils for DAL node

* black + lower expected pow for dal

* add right volume to dal init container

* don't do anything special with dal in config-gen, just populate accts

* get DAL pod to derive a list of pkh from a list of named accounts

* fix typo

* black

* fix wrong key

* switch to coma separated

* fix signers

* rename to DAL_NODE_RPC_URL

* simpler name for dal

* rename dal service, add node

* round robin the DALs to bakers

* round robin baker and dal to nodes

* restore bootstrap

* smaller slot size for injector

* add slot pusher (temporary)

* add slot activator

* lint

* slot injector supports configurable endpoints

* only load needed private key in injector

* add slot size as param

* specify injector account

* fix wrong case statement

* make slot injector optional

* simplify ingress name

* emptyDir for slot-injector, remove sleep 3

* add servicemonitor for dal node

* make sure it scrapes

* fix issue when using local chart

* re-add explicit authorized key

* perhaps authorized_key is absent for activation account

* pull most recent container

* typo

* remove DAL slot injector - was temporary

* Always => IfNotPresent

* add experimental label to bake_remotely

* fix activation with authorized_key

* black

* fix tests & lint

* add a global pull policy setting in tezos chart

* improve logging, remove duplicate key import

* fix activation

* remove temp mkchain change

* nairobi => oxford in values.yaml commented out examples

charts/tezos-signer-forwarder/values.yaml

@@ -1,6 +1,6 @@
 tezos_k8s_images:
   utils: ghcr.io/tacoinfra/tezos-k8s-utils:main
-  tezos_signer_forwarder: ghcr.io/tacoinfra/tezos-k8s-signerforwarder:dev
+  tezos_signer_forwarder: ghcr.io/tacoinfra/tezos-k8s-signerforwarder:main
 
 # List the endpoints below.
 # Each endpoint represents a ssh server.

charts/tezos/scripts/baker.sh

@@ -42,8 +42,8 @@ if [ -f /etc/tezos/baker-config/${my_baker_account}_operations_pool ]; then
   extra_args="${extra_args} --operations-pool $(cat /etc/tezos/baker-config/${my_baker_account}_operations_pool)"
 fi
 
-if [ -f /etc/tezos/baker-config/${my_baker_account}_dal_node ]; then
-  extra_args="${extra_args} --dal-node $(cat /etc/tezos/baker-config/${my_baker_account}_dal_node)"
+if [ -f /etc/tezos/baker-config/${my_baker_account}_dal_node_rpc_url ]; then
+  extra_args="${extra_args} --dal-node $(cat /etc/tezos/baker-config/${my_baker_account}_dal_node_rpc_url)"
 fi
 
 CLIENT="$TEZ_BIN/octez-client -d $CLIENT_DIR"

charts/tezos/scripts/dal-node.sh

@@ -10,8 +10,9 @@ extra_args=""
 if [ "${BOOTSTRAP_PROFILE}" == "true" ]; then
   extra_args="--bootstrap-profile"
 fi
-if [ "${ATTESTER_PROFILES}" != "" ]; then
-  extra_args="${extra_args} --attester-profiles ${ATTESTER_PROFILES}"
+if [ -s "${TEZ_VAR}/dal_attester_config" ]; then
+  attester_config=$(cat "/var/tezos/dal_attester_config")
+  extra_args="${extra_args} --attester-profiles ${attester_config}"
 fi
 if [ "${PEER}" != "" ]; then
   extra_args="${extra_args} --peer ${PEER}"
@@ -28,7 +29,9 @@ fi
 #
 
 CMD="$TEZ_BIN/octez-dal-node run ${extra_args} --data-dir ${DAL_DATA_DIR} \
-  --endpoint http://tezos-node-rpc:8732 \
+  --expected-pow 0 \
+  --endpoint ${NODE_RPC_URL} \
+  --metrics-addr 0.0.0.0:11733 \
   --net-addr 0.0.0.0:11732 \
   --rpc-addr 0.0.0.0:10732"
 

charts/tezos/scripts/rpc-baker.sh

@@ -0,0 +1,33 @@
+set -ex
+
+TEZ_VAR=/var/tezos
+TEZ_BIN=/usr/local/bin
+CLIENT_DIR="$TEZ_VAR/client"
+NODE_DIR="$TEZ_VAR/node"
+BAKER_EXTRA_ARGS_FROM_ENV=${BAKER_EXTRA_ARGS}
+mkdir -p $CLIENT_DIR
+
+per_block_vote_file=/etc/tezos/baker-config/${BAKER_NAME}-${PROTO_COMMAND}-per-block-votes.json
+
+if [ ! -f "$per_block_vote_file" ]; then
+  echo "Error: $per_block_vote_file not found" >&2
+  exit 1
+fi
+
+extra_args="--votefile ${per_block_vote_file}"
+
+if [ "${OPERATIONS_POOL}" != "" ]; then
+  extra_args="${extra_args} --operations-pool ${OPERATIONS_POOL}"
+fi
+
+if [ "${DAL_NODE_RPC_URL}" != "" ]; then
+  extra_args="${extra_args} --dal-node ${DAL_NODE_RPC_URL}"
+fi
+
+CLIENT="$TEZ_BIN/octez-client -d $CLIENT_DIR"
+CMD="$TEZ_BIN/octez-baker-${PROTO_COMMAND} -d $CLIENT_DIR"
+
+# ensure we can run octez-client commands without specifying client dir
+ln -s /var/tezos/client /home/tezos/.tezos-client
+
+exec $CMD --endpoint ${NODE_RPC_URL} run remotely  ${extra_args} ${BAKER_EXTRA_ARGS_FROM_ENV} ${BAKE_USING_ACCOUNTS}

charts/tezos/templates/_containers.tpl

@@ -88,10 +88,11 @@
 {{- $node_vals_images := $.node_vals.images | default dict }}
 {{- if eq .image "octez" }}
   image: "{{ or $node_vals_images.octez $.Values.images.octez }}"
+  imagePullPolicy: {{ $.Values.images_pull_policy }}
 {{- else }}
   image: "{{ $.Values.tezos_k8s_images.utils }}"
+  imagePullPolicy: {{ $.Values.tezos_k8s_images_pull_policy }}
 {{- end }}
-  imagePullPolicy: IfNotPresent
 {{- if .run_script }}
   command:
     - /bin/sh
@@ -308,7 +309,7 @@
     {{- range .Values.protocols }}
 - name: accuser-{{ lower .command }}
   image: "{{ or $node_vals_images.octez $.Values.images.octez }}"
-  imagePullPolicy: IfNotPresent
+  imagePullPolicy: {{ $.Values.images_pull_policy }}
   command:
     - /usr/local/bin/tezos-accuser-{{ .command }}
   args:
@@ -323,7 +324,7 @@
     {{- range .Values.protocols }}
 - name: vdf-{{ lower .command }}
   image: "{{ or $node_vals_images.octez $.Values.images.octez }}"
-  imagePullPolicy: IfNotPresent
+  imagePullPolicy: {{ $.Values.images_pull_policy }}
   command:
     - /usr/local/bin/octez-baker-{{ .command }}
   args:

charts/tezos/templates/_helpers.tpl

@@ -86,34 +86,44 @@ metadata:
   {{- end }}
 {{- end }}
 
-{{/*
-  Is there a baker?
+{{/* 
+  Is there a baker in nodes or is the bakers object not empty?
 */}}
 {{- define "tezos.shouldDeployBakerConfig" }}
+  {{- $hasBakerInNodes := false }}
   {{- range .Values.nodes }}
     {{- if (has "baker" .runs) }}
-      {{- "true" }}
+      {{- $hasBakerInNodes = true }}
     {{- end }}
   {{- end }}
+  {{- $hasBakersObject := ne (len .Values.bakers) 0 }}
+  {{- if or $hasBakerInNodes $hasBakersObject }}
+    {{- "true" }}
+  {{- else }}
+    {{- "false" }}
+  {{- end }}
 {{- end }}
 
-{{/*
-  Get list of accounts that are being used to bake. Returned as a json
-  serialized dict because of how Helm renders everything returned from
-  a template as string. Function callers need to parse the returned
-  value like so: `fromJson | values | first`. A dict and not list is
-  returned because of the way `fromJson` works which expects a type of
-  map[string]interface {}.
+{{/* 
+  Get list of accounts that are being used to bake, including bake_using_accounts lists from bakers
+  object if it is non-empty. Returned as a json serialized dict.
 */}}
 {{- define "tezos.getAccountsBaking" }}
   {{- $allAccounts := list }}
   {{- range $node := .Values.nodes }}
     {{- range $instance := $node.instances }}
-    {{- if and .bake_using_accounts (kindIs "slice" .bake_using_accounts) }}
+      {{- if and .bake_using_accounts (kindIs "slice" .bake_using_accounts) }}
         {{- $allAccounts = concat $allAccounts .bake_using_accounts }}
       {{- end }}
     {{- end }}
   {{- end }}
+  {{- if ne (len .Values.bakers) 0 }}
+    {{- range $baker := .Values.bakers }}
+      {{- if and $baker.bake_using_accounts (kindIs "slice" $baker.bake_using_accounts) }}
+        {{- $allAccounts = concat $allAccounts $baker.bake_using_accounts }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
   {{- dict "data" (uniq $allAccounts) | toJson }}
 {{- end }}
 

charts/tezos/templates/activate-job.yaml

@@ -13,7 +13,7 @@ spec:
 {{- include "tezos.init_container.chain_initiator"    $ | indent 8 }}
       initContainers:
         - image: {{ .Values.tezos_k8s_images.utils }}
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: {{ $.Values.tezos_k8s_images_pull_policy }}
           name: config-generator
           args:
             - config-generator

charts/tezos/templates/configs.yaml

@@ -59,6 +59,8 @@ data:
 {{ $tacoinfraSigners | default dict | mustToPrettyJson | indent 4 }}
   OCTEZ_ROLLUP_NODES: |
 {{ $.Values.smartRollupNodes | default dict | mustToPrettyJson | indent 4 }}
+  OCTEZ_BAKERS: |
+{{ $.Values.bakers | default dict | mustToPrettyJson | indent 4 }}
 
 ---
 
@@ -94,8 +96,8 @@ data:
   {{- if $account.operations_pool }}
     {{ $accountName }}_operations_pool: {{ $account.operations_pool | quote }}
   {{- end }}
-  {{- if $account.dal_node }}
-    {{ $accountName }}_dal_node: {{ $account.dal_node | quote }}
+  {{- if $account.dal_node_rpc_url }}
+    {{ $accountName }}_dal_node_rpc_url: {{ $account.dal_node_rpc_url | quote }}
   {{- end }}
 {{- end }}
 kind: ConfigMap

charts/tezos/templates/octez-baker.yaml

@@ -0,0 +1,93 @@
+{{- range $k, $v := .Values.bakers }}
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: baker-{{ $k }}
+spec:
+  podManagementPolicy: Parallel
+  replicas: 1
+  serviceName: baker-{{ $k }}
+  selector:
+    matchLabels:
+      app: baker-{{ $k }}
+  template:
+    metadata:
+      labels:
+        app: baker-{{ $k }}
+    spec:
+      initContainers:
+      - image: {{ $.Values.tezos_k8s_images.utils }}
+        imagePullPolicy: {{ $.Values.tezos_k8s_images_pull_policy }}
+        name: config-generator
+        args:
+          - config-generator
+        envFrom:
+          - configMapRef:
+              name: tezos-config
+        env:
+          - name: MY_POD_NAME
+            value: {{ $k }}
+          - name: MY_POD_TYPE
+            value: baker
+        volumeMounts:
+          - mountPath: /var/tezos
+            name: baker-volume
+          - mountPath: /etc/secret-volume
+            name: tezos-accounts
+      containers:
+{{- $baker_name := index $v.bake_using_accounts 0 }}
+{{- $account := get $.Values.accounts $baker_name | default dict }}
+{{- range ( $account.protocols | default $.Values.protocols ) }}
+      - name: octez-baker-{{ lower .command  }}
+        image: "{{ $.Values.images.octez }}"
+        imagePullPolicy: {{ $.Values.images_pull_policy }}
+        volumeMounts:
+        - mountPath: /var/tezos
+          name: baker-volume
+        - mountPath: /etc/tezos/baker-config
+          name: baker-config
+        command:
+          - /bin/sh
+        args:
+          - "-c"
+          - |
+{{ tpl ($.Files.Get "scripts/rpc-baker.sh") $ | indent 12 }}
+        env:
+        - name: NODE_RPC_URL
+          value: "{{ $v.node_rpc_url }}"
+        - name: PROTO_COMMAND
+          value: "{{ .command }}"
+        - name: BAKER_NAME
+          value: {{ $baker_name }}
+        - name: BAKE_USING_ACCOUNTS
+          value: {{ join " " $v.bake_using_accounts }}
+{{- if $v.operations_pool | default false }}
+        - name: OPERATIONS_POOL
+          value: "{{ $v.operations_pool }}"
+{{- end }}
+{{- if $v.dal_node_rpc_url | default false }}
+        - name: DAL_NODE_RPC_URL
+          value: "{{ $v.dal_node_rpc_url }}"
+{{- end }}
+{{- end }}
+      securityContext:
+        fsGroup: 1000
+      volumes:
+        - name: baker-config
+          configMap:
+            name: baker-config
+        - name: tezos-accounts
+          secret:
+            secretName: tezos-secret
+  volumeClaimTemplates:
+    - metadata:
+        name: baker-volume
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: "1Gi"
+---
+{{- end }}