From 554807a93f72d85b8a45e930cf1cf3d1d2e16ddb Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Mon, 5 Feb 2024 14:58:06 -0500 Subject: [PATCH] Make CRIB demo work (#11927) * temp CRIB workshop * tested script + build/deploy separation * check images in ECR, fail if no image built * another try with ecr * force login to registry --------- Co-authored-by: skudasov --- charts/chainlink-cluster/README.md | 23 ++++++- charts/chainlink-cluster/devspace.yaml | 64 ++++++++++++++----- charts/chainlink-cluster/setup.sh | 37 +++++++++++ .../templates/chainlink-db-networkpolicy.yaml | 23 ------- .../chainlink-node-networkpolicy.yaml | 19 ------ .../templates/geth-networkpolicy.yaml | 25 -------- .../templates/mockserver-networkpolicy.yaml | 23 ------- .../templates/networkpolicy-default.yaml | 41 ------------ .../templates/runner-networkpolicy.yaml | 19 ------ shell.nix | 1 + 10 files changed, 106 insertions(+), 169 deletions(-) create mode 100755 charts/chainlink-cluster/setup.sh delete mode 100644 charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml delete mode 100644 charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml delete mode 100644 charts/chainlink-cluster/templates/geth-networkpolicy.yaml delete mode 100644 charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml delete mode 100644 charts/chainlink-cluster/templates/networkpolicy-default.yaml delete mode 100644 charts/chainlink-cluster/templates/runner-networkpolicy.yaml diff --git a/charts/chainlink-cluster/README.md b/charts/chainlink-cluster/README.md index 3deb37794a6..7f2736034a7 100644 --- a/charts/chainlink-cluster/README.md +++ b/charts/chainlink-cluster/README.md @@ -5,6 +5,7 @@ Install `kubefwd` (no nixpkg for it yet, planned) ``` brew install txn2/tap/kubefwd ``` +If you want to build images you need [docker](https://docs.docker.com/engine/install/) service running Enter the shell (from the root project dir) ``` 
@@ -18,17 +19,33 @@ We are using [devspace](https://www.devspace.sh/docs/getting-started/installatio Configure the cluster, see `deployments.app.helm.values` and [values.yaml](./values.yaml) comments for more details -Enter the shell and deploy +Configure your `cluster` setup (one time setup, internal usage only) +``` +export DEVSPACE_IMAGE="..." +cd charts/chainlink-cluster +./setup.sh ${my-personal-namespace-name-crib} +``` + +Build and deploy current commit ``` -# set your unique namespace if it's a new cluster -devspace use namespace cl-cluster devspace deploy ``` + If you don't need a build use ``` devspace deploy --skip-build ``` +To deploy particular commit (must be in registry) use +``` +devspace deploy --skip-build ${short_sha_of_image} +``` + +Forward ports to check UI or run tests +``` +devspace run connect ${my-personal-namespace-name-crib} +``` + Connect to your environment, by replacing container with label `node-1` with your local repository files ``` devspace dev -p node diff --git a/charts/chainlink-cluster/devspace.yaml b/charts/chainlink-cluster/devspace.yaml index 0157ce7451c..545923d4124 100644 --- a/charts/chainlink-cluster/devspace.yaml +++ b/charts/chainlink-cluster/devspace.yaml 
@@ -4,26 +4,64 @@ name: chainlink vars: NS_TTL: 72h DEVSPACE_IMAGE: + noCache: true source: env # This is a list of `pipelines` that DevSpace can execute (you can define your own) pipelines: - # create_deployments --all can be used to apply manifests again - # This is the pipeline for the main command: `devspace dev` (or `devspace run-pipeline dev`) dev: run: |- run_dependencies --all # 1. Deploy any projects this project needs (see "dependencies") ensure_pull_secrets --all # 2. Ensure pull secrets start_dev app # 3. Start dev mode "app" (see "dev" section) - # You can run this pipeline via `devspace deploy` (or `devspace run-pipeline deploy`) deploy: run: |- + set -o pipefail + echo "Removing .devspace cache!" + rm -rf .devspace/ || true + registry_id=$(echo "$DEVSPACE_IMAGE" | cut -d'.' -f1) + + # Login into registry + echo "Authorizing into ECR registry" + aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${registry_id}.dkr.ecr.us-west-2.amazonaws.com + run_dependencies --all ensure_pull_secrets --all build_images ---var DOCKER_DEFAULT_PLATFORM=linux/amd64 --all -t $(git rev-parse --short HEAD) kubectl annotate namespace ${DEVSPACE_NAMESPACE} janitor/ttl=${NS_TTL} || true kubectl label namespace/${DEVSPACE_NAMESPACE} network=crib || true - create_deployments --all + if [ -n "$1" ]; then + echo "Deploying tag $1" + tag=$1 + image=${DEVSPACE_IMAGE}:$tag + else + echo "Deploying current commit tag: $(git rev-parse --short HEAD)" + tag=$(git rev-parse --short HEAD) + image=${DEVSPACE_IMAGE}:$tag + fi + + echo "Checking tag: $tag" + repository_name="chainlink-devspace" + desired_tag=$tag + + # Check if the desired tag is present in the repository + image_list=$(aws ecr list-images --repository-name "$repository_name") + tag_exists=$(echo "$image_list" | jq -e '.imageIds[] | select(.imageTag == "'"${desired_tag}"'")' >/dev/null && echo true || echo false) + + # Check the value of the tag_exists variable + if [ "$tag_exists" = 
"true" ]; then + echo "Image tag '$tag' found." + else + echo "Image tag '$tag' not found. Please build the image using 'devspace deploy'" + exit 1 + fi + create_deployments app \ + --set=helm.values.chainlink.nodes[0].image=$image \ + --set=helm.values.chainlink.nodes[1].image=$image \ + --set=helm.values.chainlink.nodes[2].image=$image \ + --set=helm.values.chainlink.nodes[3].image=$image \ + --set=helm.values.chainlink.nodes[4].image=$image \ + --set=helm.values.chainlink.nodes[5].image=$image echo "Namespace ${DEVSPACE_NAMESPACE} will be deleted in ${NS_TTL}" purge: run: |- @@ -31,7 +69,7 @@ pipelines: commands: connect: |- - sudo kubefwd svc -n ${DEVSPACE_NAMESPACE} + sudo kubefwd svc -n $1 images: app: @@ -50,7 +88,7 @@ hooks: labelSelector: # vars don't work here, = releaseName release: "app" - events: ["after:deploy:app"] + events: [ "after:deploy:app" ] name: "wait-for-pod-hook" # This is a list of `deployments` that DevSpace can create for this project @@ -83,7 +121,6 @@ deployments: nodes: - name: node-1 image: ${DEVSPACE_IMAGE} - version: latest # default resources are 300m/1Gi # first node need more resources to build faster inside container # at least 2Gi of memory is required otherwise build will fail (OOM) @@ -128,19 +165,14 @@ deployments: # overridesToml: | - name: node-2 image: ${DEVSPACE_IMAGE} - version: latest - name: node-3 image: ${DEVSPACE_IMAGE} - version: latest - name: node-4 image: ${DEVSPACE_IMAGE} - version: latest - name: node-5 image: ${DEVSPACE_IMAGE} - version: latest - name: node-6 image: ${DEVSPACE_IMAGE} - version: latest # each CL node have a dedicated PostgreSQL 11.15 # use StatefulSet by setting: @@ -314,10 +346,10 @@ dev: ssh: enabled: true proxyCommands: -# TODO: access issues -# - command: devspace -# - command: kubectl -# - command: helm + # TODO: access issues + # - command: devspace + # - command: kubectl + # - command: helm - gitCredentials: true ports: - port: "2345" 
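Review bot: The tag check in the `deploy` pipeline splices `${desired_tag}` into the jq program text, and that value can come straight from the user-supplied `$1`, so a tag containing a quote or jq syntax alters the filter instead of being compared as data. Pass it as a jq variable instead: `jq -e --arg tag "$desired_tag" '.imageIds[] | select(.imageTag == $tag)'`. The same value is used unquoted in `image=${DEVSPACE_IMAGE}:$tag` and in the six `--set=...image=$image` arguments, which should be quoted as well. Separately, `registry_id` is cut from `$DEVSPACE_IMAGE` with no check that the variable is set, here and in `setup.sh`, so a guard before the `docker login` line would stop the login being attempted against a host name with an empty account id.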
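Review bot: `connect` now runs `sudo kubefwd svc -n $1` with the positional argument unquoted and unchecked, so `devspace run connect` without a namespace leaves `-n` without a value in a command that runs under sudo. Quoting it and falling back to the previous value would keep the old behaviour as the default: `sudo kubefwd svc -n "${1:-${DEVSPACE_NAMESPACE}}"`. Whether DevSpace's command shell supports the `:-` default form should be confirmed before relying on it.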
diff --git a/charts/chainlink-cluster/setup.sh b/charts/chainlink-cluster/setup.sh new file mode 100755 index 00000000000..536bef57c75 --- /dev/null +++ b/charts/chainlink-cluster/setup.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +set -e +user_home="$HOME" +file_path="$user_home/.aws/config" +image="" +registry_id=$(echo "$DEVSPACE_IMAGE" | cut -d'.' -f1) + +if grep -q "staging-crib" "$file_path"; then + echo "Staging AWS config is already applied, role is 'staging-crib'" +else + cat <> "$file_path" +[profile staging-crib] +region=us-west-2 +sso_start_url=https://smartcontract.awsapps.com/start +sso_region=us-west-2 +sso_account_id=${registry_id} +sso_role_name=CRIB-ECR-Power +EOF + echo "~/.aws/config modified, added 'staging-crib" +fi + +# Login through SSO +aws sso login --profile staging-crib +# Update kubeconfig and switch context +export AWS_PROFILE=staging-crib +aws eks update-kubeconfig --name main-stage-cluster --alias main-stage-cluster-crib --profile staging-crib + +# Check if the Docker daemon is running +if docker info > /dev/null 2>&1; then + echo "Docker daemon is running, authorizing registry" +else + echo "Docker daemon is not running, exiting" + exit 1 +fi +aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${registry_id}.dkr.ecr.us-west-2.amazonaws.com +devspace use namespace $1 diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml deleted file mode 100644 index e5d029b7865..00000000000 --- a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml +++ /dev/null 
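Review bot: The `grep -q "staging-crib"` check treats any earlier append to `~/.aws/config` as final, so a profile written with a wrong or empty `sso_account_id` (for example when `DEVSPACE_IMAGE` was not exported) is never corrected on re-run. Fail before touching the file, e.g. `: "${DEVSPACE_IMAGE:?export DEVSPACE_IMAGE first}"`, and consider checking that `registry_id` is numeric before writing it. The last line, `devspace use namespace $1`, is unquoted and runs even when no argument was given; `devspace use namespace "${1:?usage: ./setup.sh <namespace>}"` makes the requirement explicit. The header is only `set -e`, which does not cover a failure on the left side of the `aws ecr get-login-password | docker login` pipe, so `set -euo pipefail` would be the safer choice.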
@@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ $.Release.Name }}-db -spec: - podSelector: - matchLabels: - app: {{ $.Release.Name }}-db - policyTypes: - - Ingress - ingress: - - from: - # Allow all node pods to access the database pods. - - podSelector: - matchLabels: - app: {{ $.Release.Name }} - # Allow all runner pods to access the database pods. - - podSelector: - matchLabels: - app: runner - ports: - - protocol: TCP - port: 5432 diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml deleted file mode 100644 index 321bc531626..00000000000 --- a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ $.Release.Name }}-node -spec: - podSelector: - matchLabels: - app: {{ $.Release.Name }} - policyTypes: - - Ingress - ingress: - # Allow all ingress traffic between the node pods and from runner pod. - - from: - - podSelector: - matchLabels: - app: {{ $.Release.Name }} - - podSelector: - matchLabels: - app: runner diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml deleted file mode 100644 index 5be59136251..00000000000 --- a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ $.Release.Name }}-geth -spec: - podSelector: - matchLabels: - app: geth - policyTypes: - - Ingress - ingress: - - from: - # Allow http and websocket connections from the node pods. - - podSelector: - matchLabels: - app: {{ $.Release.Name }} - # Allow http and websocket connections from the runner pods. - - podSelector: - matchLabels: - app: runner - ports: - - protocol: TCP - port: 8544 - - protocol: TCP - port: 8546 
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml deleted file mode 100644 index 074b1ab089a..00000000000 --- a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ $.Release.Name }}-mockserver -spec: - podSelector: - matchLabels: - app: mockserver - policyTypes: - - Ingress - ingress: - - from: - # Allow http traffic from the node pods. - - podSelector: - matchLabels: - app: {{ $.Release.Name }} - # Allow http traffic from the runner pods. - - podSelector: - matchLabels: - app: runner - ports: - - protocol: TCP - port: 1080 diff --git a/charts/chainlink-cluster/templates/networkpolicy-default.yaml b/charts/chainlink-cluster/templates/networkpolicy-default.yaml deleted file mode 100644 index f2d9416cf15..00000000000 --- a/charts/chainlink-cluster/templates/networkpolicy-default.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default -spec: - podSelector: - matchLabels: {} - policyTypes: - - Ingress - - Egress - ingress: - {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }} - # Using a comma separated list to make it easy to pass in with: - # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...` - {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }} - - from: - {{- range $cidr := $cidrs }} - - ipBlock: - cidr: {{ $cidr | quote }} - {{- end }} - {{- else }} - # Deny all ingress if no rules are specified. Rules can still be specified in other templates. - - {} - {{- end }} - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: "{{ $.Release.Namespace }}" - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 diff --git a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml deleted file mode 100644 index 2bb6ac98625..00000000000 --- a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ $.Release.Name }}-runner -spec: - podSelector: - matchLabels: - app: runner - policyTypes: - - Ingress - ingress: - # Allow all ingress traffic between the node pods and from runner pod. - - from: - - podSelector: - matchLabels: - app: {{ $.Release.Name }} - - podSelector: - matchLabels: - app: runner diff --git a/shell.nix b/shell.nix index ff4381b49c1..7881af59ba2 100644 --- a/shell.nix +++ b/shell.nix @@ -30,6 +30,7 @@ mkShell { delve golangci-lint github-cli + jq # deployment devspace