[gcp][tf] add gcp fullnode

Closes: aptos-labs#343
tanqiangyes · Mar 31, 2022 · f07b956 · f07b956
1 parent 2d8b84c
commit f07b956
Show file tree

Hide file tree

Showing 14 changed files with 649 additions and 3 deletions.
diff --git a/terraform/fullnode/gcp/.terraform.lock.hcl b/terraform/fullnode/gcp/.terraform.lock.hcl
diff --git a/terraform/fullnode/gcp/README.md b/terraform/fullnode/gcp/README.md
@@ -0,0 +1,63 @@
+Aptos Fullnodes GCP Deployment
+==============================
+
+This directory contains Terraform configs to deploy a public fullnodes on Google Cloud.
+
+1. Install pre-requisites if needed:
+
+   * Terraform 1.1.7: https://www.terraform.io/downloads.html
+   * Docker: https://www.docker.com/products/docker-desktop
+   * Kubernetes cli: https://kubernetes.io/docs/tasks/tools/
+   * Google Cloud cli: https://cloud.google.com/sdk/docs/install-sdk
+
+2. Create a directory for your configuration:
+
+   * Choose a workspace name e.g. `devnet`. Note: this defines terraform workspace name, which in turn is used to form resource names.
+
+         $ export WORKSPACE=devnet
+
+   * Create a directory for the workspace
+
+         $ mkdir -p ~/$WORKSPACE
+
+3. Create a storage bucket for storing the Terraform state on Google Cloud Storage.
+
+4. Copy `backend.tfvars` to `~/$WORKSPACE/backend.tfvars` and edit to fill in your storage bucket name. For more detail on remote state see the Terraform documentation: https://www.terraform.io/docs/backends/index.html
+
+       $ cp backend.tfvars ~/$WORKSPACE/backend.tfvars
+       $ vi ~/$WORKSPACE/backend.tfvars
+
+5. Initialise Terraform, providing your backend storage configuration:
+
+       $ terraform init -backend-config ~/$WORKSPACE/backend.tfvars
+
+6. Create a new Terraform workspace to isolate your environments:
+
+        $ terraform workspace new $WORKSPACE
+
+7. Copy `terraform.tfvars` to `~/$WORKSPACE/terraform.tfvars` and edit to set your region and project name:
+
+       $ cp terraform.tfvars ~/$WORKSPACE/terraform.tfvars
+       $ vi ~/$WORKSPACE/terraform.tfvars
+
+8. Apply the configuration.
+
+       $ terraform apply -var-file ~/$WORKSPACE/terraform.tfvars
+
+9. Configure your Kubernetes client:
+
+        $ gcloud container clusters get-credentials aptos-$WORKSPACE --zone <region_zone_name> --project <project_name>
+        # for example:
+        $ gcloud container clusters get-credentials aptos-$WORKSPACE --zone us-central1-a --project aptos-fullnode
+
+10. Check that your fullnode pods are now running (this may take a few minutes):
+
+        $ kubectl get pods
+
+11. Get your fullnode IP:
+
+        $ kubectl get svc -o custom-columns=IP:status.loadBalancer.ingress
+
+12. Check REST API, make sure the ledge version is increasing.
+
+        $ curl http://<IP>
diff --git a/terraform/fullnode/gcp/auth.tf b/terraform/fullnode/gcp/auth.tf
@@ -0,0 +1,31 @@
+resource "google_service_account" "gke" {
+  account_id = "aptos-${terraform.workspace}-gke"
+}
+
+resource "google_project_iam_member" "gke-logging" {
+  project = var.project
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.gke.email}"
+}
+
+resource "google_project_iam_member" "gke-metrics" {
+  project = var.project
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.gke.email}"
+}
+
+resource "google_project_iam_member" "gke-monitoring" {
+  project = var.project
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.gke.email}"
+}
+
+resource "google_project_iam_custom_role" "k8s-debugger" {
+  role_id     = "container.debugger"
+  title       = "Kubernetes Engine Debugger"
+  description = "Additional permissions to debug Kubernetes Engine workloads"
+  permissions = [
+    "container.pods.exec",
+    "container.pods.portForward",
+  ]
+}
diff --git a/terraform/fullnode/gcp/backend.tfvars b/terraform/fullnode/gcp/backend.tfvars
@@ -0,0 +1,2 @@
+# bucket = ""
+# prefix = "state/fullnode"
diff --git a/terraform/fullnode/gcp/cluster.tf b/terraform/fullnode/gcp/cluster.tf
@@ -0,0 +1,83 @@
+resource "google_container_cluster" "aptos" {
+  provider = google-beta
+  name     = "aptos-${terraform.workspace}"
+  location = local.zone
+  network  = google_compute_network.aptos.id
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+  logging_service          = "none"
+  monitoring_service       = "none"
+
+  release_channel {
+    channel = "REGULAR"
+  }
+
+  master_auth {
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  master_authorized_networks_config {
+    dynamic "cidr_blocks" {
+      for_each = var.k8s_api_sources
+      content {
+        cidr_block = cidr_blocks.value
+      }
+    }
+  }
+
+  private_cluster_config {
+    enable_private_nodes    = true
+    enable_private_endpoint = false
+    master_ipv4_cidr_block  = "172.16.0.0/28"
+  }
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block = ""
+  }
+
+  workload_identity_config {
+    workload_pool = "${var.project}.svc.id.goog"
+  }
+
+  addons_config {
+    network_policy_config {
+      disabled = false
+    }
+  }
+
+  network_policy {
+    enabled  = true
+    provider = "CALICO"
+  }
+
+  pod_security_policy_config {
+    enabled = true
+  }
+}
+
+resource "google_container_node_pool" "fullnodes" {
+  provider   = google-beta
+  name       = "fullnodes"
+  location   = local.zone
+  cluster    = google_container_cluster.aptos.name
+  node_count = var.num_fullnodes
+
+  node_config {
+    machine_type    = var.machine_type
+    image_type      = "COS_CONTAINERD"
+    disk_size_gb    = 20
+    service_account = google_service_account.gke.email
+    tags            = ["fullnodes"]
+
+    shielded_instance_config {
+      enable_secure_boot = true
+    }
+
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+  }
+}
diff --git a/terraform/fullnode/gcp/kubernetes.tf b/terraform/fullnode/gcp/kubernetes.tf
@@ -0,0 +1,60 @@
+provider "kubernetes" {
+  host                   = "https://${google_container_cluster.aptos.endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.aptos.master_auth[0].cluster_ca_certificate)
+  token                  = data.google_client_config.provider.access_token
+}
+
+resource "kubernetes_storage_class" "ssd" {
+  metadata {
+    name = "ssd"
+  }
+  storage_provisioner = "kubernetes.io/gce-pd"
+  volume_binding_mode = "WaitForFirstConsumer"
+  parameters = {
+    type = "pd-ssd"
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = "https://${google_container_cluster.aptos.endpoint}"
+    cluster_ca_certificate = base64decode(google_container_cluster.aptos.master_auth[0].cluster_ca_certificate)
+    token                  = data.google_client_config.provider.access_token
+  }
+}
+
+resource "helm_release" "fullnode" {
+  count       = var.num_fullnodes
+  name        = "${terraform.workspace}${count.index}"
+  chart       = var.helm_chart
+  max_history = 100
+  wait        = false
+
+  values = [
+    jsonencode({
+      chain = {
+        era  = var.era
+      }
+      image = {
+        tag = var.image_tag
+      }
+      nodeSelector = {
+        "cloud.google.com/gke-nodepool" = "fullnodes"
+      }
+      storage = {
+        class = kubernetes_storage_class.ssd.metadata[0].name
+      }
+      service = {
+        type = "LoadBalancer"
+      }
+    }),
+    jsonencode(var.fullnode_helm_values),
+    jsonencode(var.fullnode_helm_values_list == {} ? {} : var.fullnode_helm_values_list[count.index]),
+  ]
+
+  set {
+    name  = "timestamp"
+    value = var.helm_force_update ? timestamp() : ""
+  }
+}
+