[helm] add file based node deployment helm chart

Closes: aptos-labs#755

terraform/helm/aptos-node/.helmignore

@@ -0,0 +1,2 @@
+*~
+*.swp

terraform/helm/aptos-node/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: aptos-node
+version: 0.1.0
+appVersion: 0.1.0
+description: Aptos blockchain node deployment
+home: https://aptoslabs.com/
+sources:
+- https://github.com/aptos-labs/aptos-core

terraform/helm/aptos-node/files/configs/fullnode.yaml

@@ -0,0 +1,42 @@
+base:
+  role: "full_node"
+  waypoint:
+    from_file: /opt/aptos/genesis/waypoint.txt
+
+execution:
+  genesis_file_location: /opt/aptos/genesis/genesis.blob
+
+storage:
+  backup_service_address: "0.0.0.0:6186"
+  storage_pruner_config:
+    ledger_prune_window: {{ int .Values.validator.config.ledger_prune_window }}
+    state_store_prune_window: {{ int .Values.validator.config.state_store_prune_window }}
+    pruning_batch_size: {{ int .Values.validator.config.pruning_batch_size }}
+
+full_node_networks:
+- network_id:
+    private: "vfn"
+  listen_address: "/ip4/0.0.0.0/tcp/6181"
+  seeds:
+    00000000000000000000000000000000d58bc7bb154b38039bc9096ce04e1237:
+      addresses:
+      - "/dns4/{{ include "aptos-validator.fullname" . }}-validator/tcp/6181/ln-noise-ik/f0274c2774519281a8332d0bb9d8101bd58bc7bb154b38039bc9096ce04e1237/ln-handshake/0"
+      role: "Validator"
+
+- network_id: "public"
+  discovery_method: "onchain"
+  listen_address: "/ip4/0.0.0.0/tcp/6182"
+  {{- if .Values.haproxy.config.send_proxy_protocol }}
+  enable_proxy_protocol: true
+  {{- end }}
+  max_inbound_connections: 100
+  {{- if .Values.fullnode.identity }}
+  identity:
+    {{- .Values.fullnode.identity | toYaml | nindent 6 }}
+  {{- end }}
+  seeds:
+    {{- .Values.fullnode.config.seeds | default dict | toYaml | nindent 6 }}
+
+api:
+  enabled: true
+  address: "0.0.0.0:8080"

terraform/helm/aptos-node/files/configs/validator.yaml

@@ -0,0 +1,58 @@
+base:
+  role: validator
+  waypoint:
+    from_file: /opt/aptos/genesis/waypoint.txt
+
+consensus:
+  safety_rules:
+    service:
+      type: "local"
+    backend:
+      type: "on_disk_storage"
+      path: /opt/aptos/data/secure-data.json
+      namespace: ~
+    initial_safety_rules_config:
+      from_file:
+        waypoint:
+          from_file: /opt/aptos/genesis/waypoint.txt
+        identity_blob_path: /opt/aptos/genesis/private-keys.yml
+  sync_only: {{ .Values.validator.config.sync_only | default false}}
+  {{- if .Values.validator.config.mempool_poll_count }}
+  mempool_poll_count: {{ .Values.validator.config.mempool_poll_count }}
+  {{- end }}
+  {{- if .Values.validator.config.round_initial_timeout_ms }}
+  round_initial_timeout_ms: {{ .Values.validator.config.round_initial_timeout_ms }}
+  {{- end }}
+
+storage:
+  storage_pruner_config:
+    ledger_prune_window: {{ int .Values.validator.config.ledger_prune_window }}
+    state_store_prune_window: {{ int .Values.validator.config.state_store_prune_window }}
+    pruning_batch_size: {{ int .Values.validator.config.pruning_batch_size }}
+
+execution:
+  genesis_file_location: /opt/aptos/genesis/genesis.blob
+  concurrency_level: {{ int .Values.validator.config.concurrency_level }}
+
+validator_network:
+  discovery_method: "onchain"
+  mutual_authentication: true
+  {{- if .Values.haproxy.config.send_proxy_protocol }}
+  enable_proxy_protocol: true
+  {{- end }}
+  identity:
+    type: "from_file"
+    path: /opt/aptos/genesis/private-keys.yml
+
+full_node_networks:
+- network_id:
+    private: "vfn"
+  listen_address: "/ip4/0.0.0.0/tcp/6181"
+  identity:
+    type: "from_config"
+    key: "b0f405a3e75516763c43a2ae1d70423699f34cd68fa9f8c6bb2d67aa87d0af69"
+    peer_id: "00000000000000000000000000000000d58bc7bb154b38039bc9096ce04e1237"
+
+api:
+  enabled: true
+  address: "0.0.0.0:8080"

terraform/helm/aptos-node/files/haproxy.cfg

@@ -0,0 +1,123 @@
+global
+    log stdout len 10240 format raw local0
+    maxconn 500000
+    nbthread 16
+    user nobody
+
+defaults
+    log global
+    option tcplog
+    maxconn 500000
+    timeout queue 1s
+    timeout connect 10s
+    timeout server 60s
+    timeout client 60s
+    timeout client-fin 5s
+
+frontend validator
+    bind :6180
+    default_backend validator
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+    # Limit to N TCP connections per minute per source IP
+    stick-table type ip size 500k expire 1m store gpc0_rate(1m)
+    tcp-request connection track-sc0 src
+    # TODO: Reject at content phase for now so we get logs, but this should be
+    # done at connection phase for higher efficiency
+    tcp-request content reject if { sc_gpc0_rate(0) ge {{ .Values.haproxy.limits.validator.connectionsPerIPPerMin }} }
+    tcp-request content sc-inc-gpc0(0) unless { nbsrv(validator) eq 0 }
+
+backend validator
+    default-server maxconn 1024 {{ if .Values.haproxy.config.send_proxy_protocol }}send-proxy-v2{{ end }}
+    server {{ include "aptos-validator.fullname" . }}-validator {{ include "aptos-validator.fullname" . }}-validator:6180
+
+frontend validator-metrics
+    mode http
+    option httplog
+    bind :9102
+    default_backend validator-metrics
+    http-request add-header Forwarded "for=%ci"
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+backend validator-metrics
+    mode http
+    default-server maxconn 1024
+    server {{ include "aptos-validator.fullname" $ }}-validator {{ include "aptos-validator.fullname" $ }}-validator:9101
+
+# Exposes the validator's own REST API
+{{- if .Values.validator.exposeRestApi }}
+frontend validator-api
+    mode http
+    option httplog
+    bind :8180
+    default_backend validator-api
+    http-request add-header Forwarded "for=%ci"
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+backend validator-api
+    mode http
+    default-server maxconn 1024
+    server {{ include "aptos-validator.fullname" $ }}-validator {{ include "aptos-validator.fullname" $ }}-validator:8080
+{{- end }}
+
+{{- range $index, $config := $.Values.fullnode.groups }}
+
+frontend {{ $config.name }}-aptosnet
+    bind :{{ add 6182 $index }}
+    default_backend {{ $config.name }}-aptosnet
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+backend {{ $config.name }}-aptosnet
+    default-server maxconn {{ $.Values.fullnode.config.max_inbound_connections }} {{ if $.Values.haproxy.config.send_proxy_protocol }}send-proxy-v2{{ end }}
+    server {{ include "aptos-validator.fullname" $ }}-{{ $config.name }} {{ include "aptos-validator.fullname" $ }}-{{ $config.name }}:6182
+
+frontend {{ $config.name }}-api
+    mode http
+    option httplog
+    bind :{{ add 8080 $index }}
+    default_backend {{ $config.name }}-api
+    # add Forwarded header, which behaves differently than X-Forwarded-For
+    # see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+    http-request add-header Forwarded "for=%ci"
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+backend {{ $config.name }}-api
+    mode http
+    default-server maxconn 1024
+    server {{ include "aptos-validator.fullname" $ }}-{{ $config.name }} {{ include "aptos-validator.fullname" $ }}-{{ $config.name }}:8080
+
+frontend {{ $config.name }}-metrics
+    mode http
+    option httplog
+    bind :{{ add 9103 $index }}
+    default_backend {{ $config.name }}-metrics
+    http-request add-header Forwarded "for=%ci"
+
+    # Deny requests from blocked IPs
+    tcp-request connection reject if { src -n -f /usr/local/etc/haproxy/blocked.ips }
+
+backend {{ $config.name }}-metrics
+    mode http
+    default-server maxconn 1024
+    server {{ include "aptos-validator.fullname" $ }}-{{ $config.name }} {{ include "aptos-validator.fullname" $ }}-{{ $config.name }}:9101
+
+{{- end }}
+
+frontend stats
+    mode http
+    bind :9101
+    option http-use-htx
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    monitor-uri /healthy

terraform/helm/aptos-node/files/test-data/private-keys.yml

@@ -0,0 +1,5 @@
+---
+account_address: f63dc5b4b282e8f33f942c0f8a140cea62a2964cf541b48a71da346b76df0cef
+account_key: "0x693e6a788a613478f0412e1ce37f83e78956d5e0bc674534d69df9a357480f98"
+consensus_key: "0x0254d3cd6b865f0b8cb9606eb914a4c11cfb6fd13d561c5306f3cf8e04615c89"
+network_key: "0x2006cf3608fe2a3b0d536d27af59e5e4807ab42a8aa3e90f7cc0d67ac39d5442"

terraform/helm/aptos-node/files/test-data/waypoint.txt

@@ -0,0 +1 @@
+0:e6e36f45847dd18f1461cba6cb492ff2a4edb348df3b9cf81de87aa73e4377f6

terraform/helm/aptos-node/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aptos-validator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "aptos-validator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "aptos-validator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "aptos-validator.labels" -}}
+helm.sh/chart: {{ include "aptos-validator.chart" . }}
+{{ include "aptos-validator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "aptos-validator.selectorLabels" -}}
+app.kubernetes.io/part-of: {{ include "aptos-validator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aptos-validator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "aptos-validator.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

terraform/helm/aptos-node/templates/configmap.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aptos-validator.fullname" . }}
+  labels:
+    {{- include "aptos-validator.labels" . | nindent 4 }}
+data:
+{{ tpl (.Files.Glob "files/configs/*.yaml").AsConfig . | indent 2 }}
+
+{{- if .Values.loadTestGenesis }}
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aptos-validator.fullname" . }}-genesis-e{{ .Values.chain.era }}
+  labels:
+    {{- include "aptos-validator.labels" . | nindent 4 }}
+data:
+  waypoint.txt: |-
+{{ .Files.Get "files/test-data/waypoint.txt" | indent 4 }}
+  private-keys.yml: |-
+{{ .Files.Get "files/test-data/private-keys.yml" | indent 4 }}
+binaryData:
+  genesis.blob: {{ .Files.Get "files/test-data/genesis.blob" | b64enc }}
+
+{{- end }}