Initial

.gitignore

@@ -0,0 +1 @@
+.DS_Store

Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: zcash-stack
+description: Zcash node (Zebra, Zcashd) with lightwalletd
+type: application
+version: 0.0.1

README.md

@@ -0,0 +1,73 @@
+# Zcash Stack Helm Chart
+
+This chart is a work in progress and has only been tested on Vultr Kubernetes Engine as of writing.
+
+All of the "zec.rocks" Lightwalletd servers are provisioned using this.
+
+## Prerequisites
+
+1. A running Kubernetes cluster (this is currently tested on Vultr Kubernetes Engine)
+2. The KUBECONFIG env variable set to your cluster's Kubernetes credentials file
+3. Helm installed in your local environment
+
+## Usage
+
+1. Traefik is required to auto-provision LetsEncrypt SSL certificates.
+
+1a. Edit ```install-traefik.sh``` to specify your real email address.
+
+2b. Install Traefik on your cluster:
+
+```
+sh ./install-traefik.sh
+```
+
+2. Edit an example values file from the ```./examples``` folder. Specify the domain name that you intend to host a lightwalletd instance on. View the ```values.yaml``` file to see all of the configuration options possible.
+
+3. Install the chart on your cluster: (execute from this project's directory, specify your own yaml file if you did not modify an example in-place)
+
+```
+helm install zcash . -f examples/zebra-mainnet.yaml
+```
+
+### Upgrading
+
+We highly recommend installing the "helm-diff" plugin.
+
+Verify changes before you upgrade:
+```
+KUBECONFIG=~/.kube/config-eu1 helm diff upgrade zec-eu1 ~/dev/zcash-stack -f ./values-eu1.yaml
+```
+
+Then apply the upgrade:
+```
+KUBECONFIG=~/.kube/config-eu1 helm upgrade zec-eu1 ~/dev/zcash-stack -f ./values-eu1.yaml
+```
+
+### Kubernetes Cheat Sheet
+
+If you're new to Kubernetes, here is a list of commands that you might find useful for operating this chart:
+
+```
+# See what is running in your cluster's default namespace
+kubectl get all
+
+# Watch logs
+kubectl logs -f statefulset/lightwalletd
+kubectl logs -f statefulset/zebra
+kubectl logs -f statefulset/zcashd
+
+# Open a shell in a running container
+kubectl exec statefulset/zebra -ti -- bash
+
+# Restart a part of the stack
+kubectl rollout restart statefulset/lightwalletd
+kubectl rollout restart statefulset/zebra
+kubectl rollout restart statefulset/zcashd
+```
+
+## Works in progress
+
+- Updated documentation to launch on AWS, GCP, and self-hosted (k3s)
+- Support for hosting a block explorer
+- Contribute to the P2P network by allowing inbound connections via a Kubernetes Service, only possible on Zcashd at the moment.

examples/zcashd-mainnet.yaml

@@ -0,0 +1,21 @@
+ingress:
+  domains:
+    - mainnet-example.your.domain
+
+zcashd:
+  enabled: true
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+
+zebra:
+  enabled: false
+
+lightwalletd:
+  rpcService: zcashd
+
+# RPC is only accessible from within the cluster, not exposed to the internet
+rpc:
+  credentials:
+    rpcUser: changeThisPossibly
+    rpcPassword: toYourLiking123

examples/zcashd-testnet.yaml

@@ -0,0 +1,27 @@
+ingress:
+  domains:
+    - testnet-example.your.domain
+  # Respond to all inbound requests regardless of the domain specified in SNI
+  sniCatchallEnabled: true
+
+zcashd:
+  enabled: true
+  testnet: true
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+
+zebra:
+  enabled: false
+
+lightwalletd:
+  rpcService: zcashd
+  # Optionally enable gRPC logging for troubleshooting. User IPs will not be visible, internal k8s IPs will be shown.
+  # additionalArgs:
+  #   - --grpc-logging-insecure
+
+# RPC is only accessible from within the cluster, not exposed to the internet
+rpc:
+  credentials:
+    rpcUser: changeThisPossibly
+    rpcPassword: toYourLiking123

examples/zebra-and-zcashd.yaml

@@ -0,0 +1,42 @@
+ingress:
+  domains:
+    - mainnet-example.your.domain
+  # Respond to all inbound requests regardless of the domain specified in SNI
+  sniCatchallEnabled: true
+
+zebra:
+  enabled: true
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+  # image:
+  #   repository: zfnd/zebra
+  #   tag: v1.6.1
+  #   hash: 639154fe2584633821cc434f96dceab2b9047969478c651ca96ab981ca025007
+
+zcashd:
+  enabled: true
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+  # image:
+  #   repository: electriccoinco/zcashd
+  #   tag: v5.9.0
+  #   hash: 859be28b91592c4765783ccfea947145b3cc08902ee71ae52ef9205eaabe0194
+
+lightwalletd:
+  # Change the rpcService to "zebrad" and run "helm update" in the event that Zebra has a major issue
+  rpcService: zebra
+  volumes:
+    data:
+      size: 10Gi
+  # image:
+  #   repository: electriccoinco/lightwalletd
+  #   tag: v0.4.17
+  #   hash: 906942c30d84a017e76ce72c4d59787aa5208b87a4af1b724e700f8524ab4fd1
+
+# RPC is only accessible from within the cluster, not exposed to the internet
+rpc:
+  credentials:
+    rpcUser: changeThisPossibly
+    rpcPassword: toYourLiking123

examples/zebra-mainnet.yaml

@@ -0,0 +1,23 @@
+ingress:
+  domains:
+    - mainnet-example.your.domain
+  # Respond to all inbound requests regardless of the domain specified in SNI
+  sniCatchallEnabled: true
+
+zebra:
+  enabled: true
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+
+lightwalletd:
+  rpcService: zebra
+  volumes:
+    data:
+      size: 10Gi
+
+# RPC is only accessible from within the cluster, not exposed to the internet
+rpc:
+  credentials:
+    rpcUser: changeThisPossibly
+    rpcPassword: toYourLiking123

examples/zebra-testnet.yaml

@@ -0,0 +1,35 @@
+ingress:
+  domains:
+    - testnet-example.your.domain
+  # Respond to all inbound requests regardless of the domain specified in SNI
+  sniCatchallEnabled: true
+
+zebra:
+  enabled: true
+  testnet: true
+  volumes:
+    data:
+      size: 50Gi
+  # Optionally enable this to bootstrap the blockchain from a known state faster than a full P2P sync
+  initSnapshot:
+    enabled: false
+    url: https://link.storjshare.io/s/jvbcllf2rpohtqhwiget5pkcvyca/nodedumps/zec/zebra-testnet-2024-04-22.tar?download=1
+
+lightwalletd:
+  rpcService: zebra
+  volumes:
+    data:
+      # Vultr's minimum magnetic storage size is 40Gi, adjust this to 10Gi if you are not using Vultr
+      size: 40Gi
+  # Optionally enable gRPC logging for troubleshooting. User IPs will not be visible, internal k8s IPs will be shown.
+  # additionalArgs:
+  #   - --grpc-logging-insecure
+
+zcashd:
+  enabled: false
+
+# RPC is only accessible from within the cluster, not exposed to the internet
+rpc:
+  credentials:
+    rpcUser: changeThisPossibly
+    rpcPassword: toYourLiking123

install-traefik.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Note: Vultr's minimum volume size on magnetic storage is 40Gi.
+# Adjust below if you are not using Vultr, a very small volume is fine for storing the SSL certs.
+
+helm upgrade --install traefik traefik/traefik --namespace=traefik --create-namespace -f <(echo '
+certResolvers:
+  letsencrypt:
+    email: [email protected]
+    tlsChallenge: true
+    httpChallenge:
+      entryPoint: "web"
+    storage: /data/acme.json
+persistence:
+  enabled: true
+  storageClassName: "standard"
+  accessMode: "ReadWriteOnce"
+  size: "40Gi"
+  path: "/data"
+deployment:
+  initContainers:
+    - name: volume-permissions
+      image: busybox:1.36
+      command:
+        ["sh", "-c", "touch /data/acme.json; chown -v 65532 /data/acme.json; chmod -v 600 /data/acme.json"]
+      securityContext:
+        runAsNonRoot: false
+        runAsGroup: 0
+        runAsUser: 0
+      volumeMounts:
+        - name: data
+          mountPath: /data
+')

templates/lightwalletd-configmap.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.lightwalletd.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.lightwalletd.name }}-config
+data:
+  zcash.conf: |
+    rpcbind={{ .Values.lightwalletd.rpcService }}
+    rpcuser={{ .Values.rpc.credentials.rpcUser }}
+    rpcpassword={{ .Values.rpc.credentials.rpcPassword }}
+{{- end }}

templates/lightwalletd-service.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.lightwalletd.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.lightwalletd.name }}
+spec:
+  type: {{ .Values.lightwalletd.service.type }}
+  selector:
+    app: {{ .Values.lightwalletd.name }}
+  ports:
+    - protocol: TCP
+      port: 9067
+      targetPort: 9067
+{{- end }}