[tf] local TCB

Closes: aptos-labs#489
ta2bss · Apr 13, 2022 · d424832 · d424832
1 parent e20b2fd
commit d424832
Show file tree

Hide file tree

Showing 14 changed files with 1 addition and 168 deletions.
diff --git a/terraform/helm/validator/files/configs/safetyrules.yaml b/terraform/helm/validator/files/configs/safetyrules.yaml
diff --git a/terraform/helm/validator/templates/psp.yaml b/terraform/helm/validator/templates/psp.yaml
@@ -70,9 +70,6 @@ subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
   name: {{ include "aptos-validator.fullname" . }}-prometheus
-- kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
-  name: {{ include "aptos-validator.fullname" . }}-safety-rules
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
   name: {{ include "aptos-validator.fullname" . }}-validator

diff --git a/terraform/helm/validator/templates/vault.yaml b/terraform/helm/validator/templates/vault.yaml
@@ -41,9 +41,6 @@ roleRef:
   kind: ClusterRole
   name: {{ include "aptos-validator.fullname" . }}-tokenreview
 subjects:
-- kind: ServiceAccount
-  name: {{ include "aptos-validator.fullname" . }}-safety-rules
-  namespace: {{ .Release.Namespace }}
 - kind: ServiceAccount
   name: {{ include "aptos-validator.fullname" . }}-validator
   namespace: {{ .Release.Namespace }}

diff --git a/terraform/helm/validator/values.yaml b/terraform/helm/validator/values.yaml
@@ -127,24 +127,6 @@ restore:
     concurrent_downloads: 2
     restore_era:
 
-safetyrules:
-  image:
-    repo: aptoslab/validator_tcb
-    tag:
-    pullPolicy: IfNotPresent
-  resources:
-    limits:
-      cpu: 1
-      memory: 512Mi
-    requests:
-      cpu: 1
-      memory: 512Mi
-  rust_log: debug
-  rust_log_remote: debug,hyper=off
-  nodeSelector: {}
-  tolerations: []
-  affinity: {}
-
 fullnode:
   groups:
   - name: fullnode
@@ -268,7 +250,7 @@ monitoring:
   pushgateway:
     image:
       repo: prom/pushgateway
-      tag: v1.4.2@sha256:0604285851ff4871d2bd740a89c00e49098939f5f648f78f42c0a450a7a987fc
+      tag: v1.4.1@sha256:b561435cb17ee816c5d90c2408bcc1ffe25304f1608e18db16a3969f6cc44626
       pullPolicy: IfNotPresent
     resources:
       limits:

diff --git a/terraform/testnet/main.tf b/terraform/testnet/main.tf
@@ -44,7 +44,6 @@ module "validator" {
   node_pool_sizes = {
     utilities  = var.num_utilities_instance > 0 ? var.num_utilities_instance : 3 * var.num_validators
     validators = var.num_validator_instance > 0 ? var.num_validator_instance : 3 * var.num_validators + var.num_public_fullnodes + 1
-    trusted    = var.num_trusted_instance > 0 ? var.num_trusted_instance : 1 * var.num_validators
   }
   vault_lb_internal       = false
   utility_instance_type   = var.utility_instance_type

diff --git a/terraform/validator/aws/cluster.tf b/terraform/validator/aws/cluster.tf
@@ -23,10 +23,6 @@ resource "aws_eks_cluster" "aptos" {
     aws_iam_role_policy_attachment.cluster-service,
     aws_cloudwatch_log_group.eks,
   ]
-
-  lifecycle {
-    prevent_destroy = true
-  }
 }
 
 data "aws_eks_cluster_auth" "aptos" {
@@ -45,11 +41,6 @@ locals {
       size          = 3
       taint         = true
     }
-    trusted = {
-      instance_type = var.trusted_instance_type
-      size          = 1
-      taint         = true
-    }
   }
 }
 

diff --git a/terraform/validator/aws/kubernetes.tf b/terraform/validator/aws/kubernetes.tf
@@ -111,16 +111,6 @@ locals {
         effect = "NoExecute"
       }]
     }
-    safetyrules = {
-      nodeSelector = {
-        "eks.amazonaws.com/nodegroup" = "trusted"
-      }
-      tolerations = [{
-        key    = "aptos.org/nodepool"
-        value  = "trusted"
-        effect = "NoExecute"
-      }]
-    }
     keymanager = {
       nodeSelector = {
         "eks.amazonaws.com/nodegroup" = "trusted"

diff --git a/terraform/validator/aws/vault.tf b/terraform/validator/aws/vault.tf
@@ -105,10 +105,6 @@ resource "aws_dynamodb_table" "vault" {
   point_in_time_recovery {
     enabled = true
   }
-
-  lifecycle {
-    prevent_destroy = true
-  }
 }
 
 resource "aws_kms_key" "vault" {

diff --git a/terraform/validator/azure/cluster.tf b/terraform/validator/azure/cluster.tf
@@ -33,10 +33,6 @@ resource "azurerm_kubernetes_cluster" "aptos" {
     client_id     = azuread_service_principal.aptos.application_id
     client_secret = azuread_application_password.aptos.value
   }
-
-  lifecycle {
-    prevent_destroy = true
-  }
 }
 
 resource "azurerm_kubernetes_cluster_node_pool" "validators" {
@@ -51,18 +47,6 @@ resource "azurerm_kubernetes_cluster_node_pool" "validators" {
   node_taints     = ["aptos.org/nodepool=validators:NoExecute"]
 }
 
-resource "azurerm_kubernetes_cluster_node_pool" "trusted" {
-  kubernetes_cluster_id = azurerm_kubernetes_cluster.aptos.id
-  orchestrator_version  = azurerm_kubernetes_cluster.aptos.kubernetes_version
-
-  name            = "trusted"
-  vm_size         = "Standard_F2s_v2"
-  vnet_subnet_id  = azurerm_subnet.nodes.id
-  node_count      = lookup(var.node_pool_sizes, "trusted", 1)
-  os_disk_size_gb = 30
-  node_taints     = ["aptos.org/nodepool=trusted:NoExecute"]
-}
-
 resource "azurerm_log_analytics_workspace" "aptos" {
   name                = "aptos-${terraform.workspace}"
   resource_group_name = azurerm_resource_group.aptos.name

diff --git a/terraform/validator/gcp/cluster.tf b/terraform/validator/gcp/cluster.tf
@@ -58,10 +58,6 @@ resource "google_container_cluster" "aptos" {
   pod_security_policy_config {
     enabled = true
   }
-
-  lifecycle {
-    prevent_destroy = true
-  }
 }
 
 resource "google_container_node_pool" "utilities" {
@@ -117,33 +113,3 @@ resource "google_container_node_pool" "validators" {
     }
   }
 }
-
-resource "google_container_node_pool" "trusted" {
-  provider   = google-beta
-  name       = "trusted"
-  location   = local.zone
-  cluster    = google_container_cluster.aptos.name
-  node_count = lookup(var.node_pool_sizes, "trusted", 1)
-
-  node_config {
-    machine_type    = "n2-custom-2-4096"
-    image_type      = "COS_CONTAINERD"
-    disk_size_gb    = 20
-    service_account = google_service_account.gke.email
-    tags            = ["trusted"]
-
-    shielded_instance_config {
-      enable_secure_boot = true
-    }
-
-    workload_metadata_config {
-      node_metadata = "GKE_METADATA_SERVER"
-    }
-
-    taint {
-      key    = "aptos.org/nodepool"
-      value  = "trusted"
-      effect = "NO_EXECUTE"
-    }
-  }
-}
diff --git a/terraform/validator/gcp/kubernetes.tf b/terraform/validator/gcp/kubernetes.tf
@@ -50,16 +50,6 @@ resource "helm_release" "validator" {
           effect = "NoExecute"
         }]
       }
-      safetyrules = {
-        nodeSelector = {
-          "cloud.google.com/gke-nodepool" = google_container_node_pool.trusted.name
-        }
-        tolerations = [{
-          key    = google_container_node_pool.trusted.node_config[0].taint[0].key
-          value  = google_container_node_pool.trusted.node_config[0].taint[0].value
-          effect = "NoExecute"
-        }]
-      }
       keymanager = {
         nodeSelector = {
           "cloud.google.com/gke-nodepool" = google_container_node_pool.trusted.name

diff --git a/terraform/validator/gcp/vault.tf b/terraform/validator/gcp/vault.tf
@@ -106,10 +106,6 @@ resource "google_spanner_database" "vault" {
     "CREATE TABLE Vault (Key STRING(MAX) NOT NULL, Value BYTES(MAX)) PRIMARY KEY (Key)",
     "CREATE TABLE VaultHA (Key STRING(MAX) NOT NULL, Value STRING(MAX), Identity STRING(36) NOT NULL, Timestamp TIMESTAMP NOT NULL) PRIMARY KEY (Key)",
   ]
-
-  lifecycle {
-    prevent_destroy = true
-  }
 }
 
 resource "google_spanner_database_iam_member" "vault" {

diff --git a/terraform/validator/vault-init/kubernetes.tf b/terraform/validator/vault-init/kubernetes.tf
@@ -35,16 +35,6 @@ resource "vault_kubernetes_auth_backend_config" "kubernetes" {
   issuer             = var.issuer
 }
 
-resource "vault_kubernetes_auth_backend_role" "safety-rules" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "${var.namespace}-safety-rules"
-  bound_service_account_names      = ["${var.service_account_prefix}-safety-rules"]
-  bound_service_account_namespaces = ["*"]
-  token_bound_cidrs                = var.pod_cidrs
-  token_period                     = 3600
-  token_policies                   = [vault_policy.safety-rules.name]
-}
-
 resource "vault_kubernetes_auth_backend_role" "validator" {
   backend                          = vault_auth_backend.kubernetes.path
   role_name                        = "${var.namespace}-validator"

diff --git a/terraform/validator/vault-init/policy.tf b/terraform/validator/vault-init/policy.tf
@@ -1,36 +1,3 @@
-data "vault_policy_document" "safety-rules" {
-  rule {
-    path         = "${var.kv_v2_mount}/data/${var.namespace}/*"
-    capabilities = ["read", "update", "create"]
-    description  = "Allow read and write on safety-rules secure data"
-  }
-  rule {
-    path         = "${var.transit_mount}/keys/${vault_transit_secret_backend_key.consensus.name}"
-    capabilities = ["read"]
-    description  = "Allow reading the consensus public key"
-  }
-  rule {
-    path         = "${var.transit_mount}/export/signing-key/${vault_transit_secret_backend_key.consensus.name}"
-    capabilities = ["read"]
-    description  = "Allow reading the consensus private key"
-  }
-  rule {
-    path         = "${var.transit_mount}/sign/${vault_transit_secret_backend_key.consensus.name}"
-    capabilities = ["update"]
-    description  = "Allow signing with the consensus key"
-  }
-  rule {
-    path         = "${var.transit_mount}/keys/${vault_transit_secret_backend_key.execution.name}"
-    capabilities = ["read"]
-    description  = "Allow reading the execution public key"
-  }
-}
-
-resource "vault_policy" "safety-rules" {
-  name   = "${var.namespace}-safety-rules"
-  policy = data.vault_policy_document.safety-rules.hcl
-}
-
 data "vault_policy_document" "validator" {
   rule {
     path         = "${var.transit_mount}/export/signing-key/${vault_transit_secret_backend_key.execution.name}"