add web3signer helm chart (ethpandaops#130)

* add web3signer helm chart

Co-authored-by: Rafael Matias <[email protected]>

Author: barnabasbusa

README.md

@@ -53,23 +53,24 @@ Consensus layer clients
 - [`teku`](charts/teku)
 
 Tooling
-- [`beaconchain-explorer`](charts/beaconchain-explorer) - Beacon chain block explorer
-- [`blockscout`](charts/blockscout) - Execution layer block explorer
-- [`consensus-monitor`](charts/consensus-monitor) - Web UI to check your ethereum consensus layer nodes via their beacon APIs
-- [`dshackle`](charts/dshackle) - Fault tolerant load balancer for blockchain apis, including Ethereum RPC
-- [`eth2-fork-mon`](charts/eth2-fork-mon) - Fork monitor for a configurable set of beacon nodes
-- [`ethstats`](charts/ethstats) - Web UI to track execution layer node status
+- [`beaconchain-explorer`](charts/beaconchain-explorer) - Beacon chain block explorer.
+- [`blockscout`](charts/blockscout) - Execution layer block explorer.
+- [`consensus-monitor`](charts/consensus-monitor) - Web UI to check your ethereum consensus layer nodes via their beacon APIs.
+- [`dshackle`](charts/dshackle) - Fault tolerant load balancer for blockchain apis, including Ethereum RPC.
+- [`eth2-fork-mon`](charts/eth2-fork-mon) - Fork monitor for a configurable set of beacon nodes.
+- [`ethstats`](charts/ethstats) - Web UI to track execution layer node status.
 - [`fauceth`](charts/fauceth) - EIP1559 compatible web faucet using Hcaptcha.
-- [`forkmon`](charts/forkmon) - Fork monitor for execution layer nodes
-- [`ganache`](charts/ganache) - Simulator for development and testing purposes of the execution layer
-- [`genesis-generator`](charts/genesis-generator) - A tool to generate and expose genesis files for the execution and consensus layer clients
+- [`forkmon`](charts/forkmon) - Fork monitor for execution layer nodes.
+- [`ganache`](charts/ganache) - Simulator for development and testing purposes of the execution layer.
+- [`genesis-generator`](charts/genesis-generator) - A tool to generate and expose genesis files for the execution and consensus layer clients.
 - [`rpc-proxy`](charts/rpc-proxy) - A proxy for web3 JSONRPC. Rate limiting and method filtering.
-- [`testnet-faucet`](charts/testnet-faucet) - Web faucet that can be used to distribute testnet ETH to users
+- [`testnet-faucet`](charts/testnet-faucet) - Web faucet that can be used to distribute testnet ETH to users.
 - [`testnet-homepage`](charts/testnet-homepage) - Simple website that can be used to display useful information about your testnet.
 - [`ethereum-metrics-exporter`](charts/ethereum-metrics-exporter) - A prometheus exporter for Ethereum execution and consensus clients.
 - [`checkpointz`](charts/checkpointz) - A beacon chain Checkpoint Sync provider.
 - [`ethereum-address-metrics-exporter`](charts/ethereum-address-metrics-exporter) - A prometheus exporter for Ethereum externally owned account and contract addresses.
 - [`smart-contract-verifier-http`](charts/smart-contract-verifier-http) - Smart contract verification service.
+- [`web3signer`](charts/web3signer) - An open-source remote signing service.
 
 ## Development
 

charts/web3signer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/web3signer/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 11.9.13
+digest: sha256:d0e9612833647ddb6d1d4a911f52a6609fe556aab7a757c1cf722a74accdb9fc
+generated: "2022-10-27T11:48:07.327750574+02:00"

charts/web3signer/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: web3signer
+description: Web3Signer is capable of signing on multiple platforms using private keys stored in an external vault, or encrypted on a disk.
+home: https://github.com/Consensys/web3signer/
+type: application
+version: 0.1.0
+maintainers:
+  - name: barnabasbusa
+    email: [email protected]
+  - name: skylenet
+    email: [email protected]
+dependencies:
+- name: postgresql
+  version: "11.x.x"
+  repository: "https://charts.bitnami.com/bitnami"
+  condition: slashingprotectiondb.enabled
+  alias: slashingprotectiondb

charts/web3signer/README.md

@@ -0,0 +1,123 @@
+
+# web3signer
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+Web3Signer is capable of signing on multiple platforms using private keys stored in an external vault, or encrypted on a disk.
+
+**Homepage:** <https://github.com/Consensys/web3signer/>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | slashingprotectiondb(postgresql) | 11.x.x |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity configuration for pods |
+| annotations | object | `{}` | Annotations for the StatefulSet |
+| config | string | See `values.yaml` | Config file |
+| containerSecurityContext | object | See `values.yaml` | The security context for containers |
+| customCommand | list | `[]` | Command replacement for the web3signer container |
+| extraArgs | list | `[]` | Extra args for the web3signer container |
+| extraContainers | list | `[]` | Additional containers |
+| extraEnv | list | `[]` | Additional env variables |
+| extraPorts | list | `[]` | Additional ports. Useful when using extraContainers |
+| extraVolumeMounts | list | `[]` | Additional volume mounts |
+| extraVolumes | list | `[]` | Additional volumes |
+| fullnameOverride | string | `""` | Overrides the chart's computed fullname |
+| httpPort | int | `9000` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | web3signer container pull policy |
+| image.repository | string | `"consensys/web3signer"` | web3signer container image repository |
+| image.tag | string | `"22.10.0"` | web3signer container image tag |
+| imagePullSecrets | list | `[]` | Image pull secrets for Docker images |
+| ingress.annotations | object | `{}` | Annotations for Ingress |
+| ingress.enabled | bool | `false` | Ingress resource for the HTTP API |
+| ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| ingress.hosts[0].paths | list | `[]` |  |
+| ingress.tls | list | `[]` | Ingress TLS |
+| initChownData.enabled | bool | `true` | Init container to set the correct permissions to access data directories |
+| initChownData.image.pullPolicy | string | `"IfNotPresent"` | Container pull policy |
+| initChownData.image.repository | string | `"busybox"` | Container repository |
+| initChownData.image.tag | string | `"1.34.1"` | Container tag |
+| initChownData.resources | object | `{}` | Resource requests and limits |
+| initContainers | list | `[]` | Additional init containers |
+| livenessProbe | object | See `values.yaml` | Liveness probe |
+| metricsPort | int | `9001` |  |
+| nameOverride | string | `""` | Overrides the chart's name |
+| nodeSelector | object | `{}` | Node selector for pods |
+| persistence.accessModes | list | `["ReadWriteOnce"]` | Access mode for the volume claim template |
+| persistence.annotations | object | `{}` | Annotations for volume claim template |
+| persistence.enabled | bool | `true` | Uses an EmptyDir when not enabled |
+| persistence.existingClaim | string | `nil` | Use an existing PVC when persistence.enabled |
+| persistence.selector | object | `{}` | Selector for volume claim template |
+| persistence.size | string | `"1Gi"` | Requested size for volume claim template |
+| persistence.storageClassName | string | `nil` | Use a specific storage class E.g 'local-path' for local storage to achieve best performance Read more (https://github.com/rancher/local-path-provisioner) |
+| podAnnotations | object | `{}` | Pod annotations |
+| podDisruptionBudget | object | `{}` | Define the PodDisruptionBudget spec If not set then a PodDisruptionBudget will not be created |
+| podLabels | object | `{}` | Pod labels |
+| podManagementPolicy | string | `"OrderedReady"` | Pod management policy |
+| priorityClassName | string | `nil` | Pod priority class |
+| readinessProbe | object | See `values.yaml` | Readiness probe |
+| replicas | int | `1` | Number of replicas |
+| resources | object | `{}` | Resource requests and limits |
+| secretEnv | object | `{}` | Additional env variables injected via a created secret |
+| securityContext | object | See `values.yaml` | The security context for pods |
+| service.type | string | `"ClusterIP"` | Service type |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceMonitor.annotations | object | `{}` | Additional ServiceMonitor annotations |
+| serviceMonitor.enabled | bool | `false` | If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator |
+| serviceMonitor.interval | string | `"1m"` | ServiceMonitor scrape interval |
+| serviceMonitor.labels | object | `{}` | Additional ServiceMonitor labels |
+| serviceMonitor.namespace | string | `nil` | Alternative namespace for ServiceMonitor |
+| serviceMonitor.path | string | `"/metrics"` | Path to scrape |
+| serviceMonitor.relabelings | list | `[]` | ServiceMonitor relabelings |
+| serviceMonitor.scheme | string | `"http"` | ServiceMonitor scheme |
+| serviceMonitor.scrapeTimeout | string | `"30s"` | ServiceMonitor scrape timeout |
+| serviceMonitor.tlsConfig | object | `{}` | ServiceMonitor TLS configuration |
+| slashingprotectiondb.auth.enablePostgresUser | bool | `true` |  |
+| slashingprotectiondb.auth.postgresPassword | string | `"postgres"` |  |
+| slashingprotectiondb.enabled | bool | `true` | If enabled a postgres chart will be deployed as a dependency to be used as a slashing protection database |
+| slashingprotectiondb.primary.extraVolumeMounts[0].mountPath | string | `"/sql-scripts"` |  |
+| slashingprotectiondb.primary.extraVolumeMounts[0].name | string | `"sql-scripts"` |  |
+| slashingprotectiondb.primary.extraVolumes[0].emptyDir | object | `{}` |  |
+| slashingprotectiondb.primary.extraVolumes[0].name | string | `"sql-scripts"` |  |
+| slashingprotectiondb.primary.initContainers[0].command[0] | string | `"bash"` |  |
+| slashingprotectiondb.primary.initContainers[0].command[1] | string | `"-acex"` |  |
+| slashingprotectiondb.primary.initContainers[0].command[2] | string | `"cd /sql-scripts; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00001__initial.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00002__removeUniqueConstraints.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00003__addLowWatermark.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00004__addGenesisValidatorsRoot.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00005__xnor_source_target_low_watermark.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00006__signed_data_indexes.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00007__add_db_version.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00008__signed_data_unique_constraints.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00009__upsert_validators.sql; wget https://raw.githubusercontent.com/ConsenSys/web3signer/22.10.0/slashing-protection/src/main/resources/migrations/postgresql/V00010__validator_enabled_status.sql;\n"` |  |
+| slashingprotectiondb.primary.initContainers[0].image | string | `"bash:latest"` |  |
+| slashingprotectiondb.primary.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` |  |
+| slashingprotectiondb.primary.initContainers[0].name | string | `"init-sql-migration-scripts"` |  |
+| slashingprotectiondb.primary.initContainers[0].securityContext.runAsNonRoot | bool | `false` |  |
+| slashingprotectiondb.primary.initContainers[0].securityContext.runAsUser | int | `0` |  |
+| slashingprotectiondb.primary.initContainers[0].volumeMounts[0].mountPath | string | `"/sql-scripts"` |  |
+| slashingprotectiondb.primary.initContainers[0].volumeMounts[0].name | string | `"sql-scripts"` |  |
+| slashingprotectiondb.primary.initdb.password | string | `"postgres"` |  |
+| slashingprotectiondb.primary.initdb.scripts."init_00.sql" | string | `"CREATE DATABASE web3signer;\n"` |  |
+| slashingprotectiondb.primary.initdb.scripts."init_02_db.sh" | string | `"#!/bin/sh\nexport PGPASSWORD=postgres\ncd /sql-scripts\nfor FILE in *.sql; do\n  psql -U postgres -h 127.0.0.1 -d web3signer -f $FILE\ndone\n"` |  |
+| slashingprotectiondb.primary.initdb.user | string | `"postgres"` |  |
+| slashingprotectiondb.primary.name | string | `"web3signer"` |  |
+| slashingprotectiondb.primary.persistence.enabled | bool | `true` | Uses an EmptyDir when not enabled |
+| slashingprotectiondb.primary.persistence.size | string | `"1Gi"` |  |
+| terminationGracePeriodSeconds | int | `300` | How long to wait until the pod is forcefully terminated |
+| tolerations | list | `[]` | Tolerations for pods |
+| updateStrategy | object | `{"type":"RollingUpdate"}` | Update stategy for the Statefulset |
+| updateStrategy.type | string | `"RollingUpdate"` | Update stategy type |
+
+# Examples
+
+## Configure Slashing Protection Database
+
+The chart supports a PostgreSQL Database that will be used for slashing protection by default.
+
+```yaml
+slashingprotectiondb:
+  enabled: true
+```
+
+If you would like to disable this feature, you could disable it by setting `slashingprotectiondb.enable=false`. Only do this if you know what you're doing.

charts/web3signer/README.md.gotmpl

@@ -0,0 +1,28 @@
+
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+# Examples
+
+## Configure Slashing Protection Database
+
+The chart supports a PostgreSQL Database that will be used for slashing protection by default.
+
+```yaml
+slashingprotectiondb:
+  enabled: true
+```
+
+If you would like to disable this feature, you could disable it by setting `slashingprotectiondb.enable=false`. Only do this if you know what you're doing.

charts/web3signer/ci/default-values.yaml

@@ -0,0 +1,14 @@
+{{/*
+# Default command
+*/}}
+{{- define "web3signer.defaultCommand" -}}
+- sh
+- -ac
+- >
+  /opt/web3signer/bin/web3signer
+  --config-file=/data/config.yaml
+  eth2
+{{- range .Values.extraArgs }}
+  {{ . }}
+{{- end }}
+{{- end }}

charts/web3signer/templates/_cmd.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "web3signer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "web3signer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "web3signer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "web3signer.labels" -}}
+helm.sh/chart: {{ include "web3signer.chart" . }}
+{{ include "web3signer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "web3signer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "web3signer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "web3signer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "web3signer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/web3signer/templates/_helpers.tpl

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "web3signer.fullname" . }}
+  labels:
+    {{- include "web3signer.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- tpl .Values.config . | nindent 4 }}

charts/web3signer/templates/configmap.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "web3signer.fullname" . -}}
+{{- $svcPort := .Values.httpPort -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "web3signer.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}