├── LICENSE
├── README.md
└── ethereum-2
    ├── beacon-chain
    │   ├── cert-beacon-chain-tls.yaml
    │   ├── fw-beacon-chain.yaml
    │   ├── np-beacon-chain.yaml
    │   ├── sa-beacon-chain.yaml
    │   ├── sts-beacon-chain.yaml
    │   ├── svc-beacon-chain-external.yaml
    │   ├── svc-beacon-chain.yaml
    │   └── vpa-beacon-chain.yaml
    ├── cert-manager
    │   ├── crd-certificaterequests.yaml
    │   ├── crd-certificates.yaml
    │   ├── crd-challenges.yaml
    │   ├── crd-issuers.yaml
    │   ├── crd-orders.yaml
    │   ├── depl-cert-manager.yaml
    │   ├── iss-cert-manager.yaml
    │   ├── iss-letsencrypt.yaml
    │   └── sa-cert-manager.yaml
    ├── encrypted-secrets
    │   ├── crd-encrypted-secrets.yaml
    │   ├── depl-encrypted-secrets.yaml
    │   ├── sa-encrypted-secrets.yaml
    │   └── vpa-encrypted-secrets.yaml
    ├── eth2stats
    │   ├── cert-eth2stats-tls.yaml
    │   ├── sa-ethstats.yaml
    │   ├── sts-ethstats.yaml
    │   ├── svc-ethstats.yaml
    │   └── vpa-ethstats.yaml
    ├── external-dns
    │   ├── depl-external-dns.yaml
    │   ├── sa-external-dns.yaml
    │   └── vpa-external-dns.yaml
    ├── flux
    │   ├── depl-flux.yaml
    │   ├── sa-flux.yaml
    │   ├── sec-flux.yaml
    │   └── vpa-flux.yaml
    ├── grafana
    │   ├── cert-grafana.yaml
    │   ├── fw-grafana.yaml
    │   ├── sa-grafana.yaml
    │   ├── sts-grafana.yaml
    │   ├── svc-grafana.yaml
    │   └── vpa-grafana.yaml
    ├── jaeger
    │   ├── cm-jaeger.yaml
    │   ├── depl-jaeger.yaml
    │   ├── sa-jaeger.yaml
    │   ├── svc-jaeger.yaml
    │   └── vpa-jaeger.yaml
    ├── kube-state-metrics
    │   ├── depl-kube-state-metrics.yaml
    │   ├── np-kube-state-metrics.yaml
    │   ├── sa-kube-state-metrics.yaml
    │   ├── svc-kube-state-metrics.yaml
    │   └── vpa-kube-state-metrics.yaml
    ├── prometheus-to-sd
    │   ├── depl-prometheus-to-sd.yaml
    │   ├── sa-prometheus-to-sd.yaml
    │   └── vpa-prometheus-to-sd.yaml
    ├── prometheus
    │   ├── cm-prometheus.yaml
    │   ├── np-prometheus.yaml
    │   ├── sa-prometheus.yaml
    │   ├── sts-prometheus.yaml
    │   ├── svc-prometheus.yaml
    │   └── vpa-prometheus.yaml
    ├── slasher
    │   ├── cert-slasher-tls.yaml
    │   ├── np-slasher.yaml
    │   ├── sa-slasher.yaml
    │   ├── sts-slasher.yaml
    │   ├── svc-slasher.yaml
    │   └── vpa-slasher.yaml
    └── validator
        ├── cert-validator-tls.yaml
        ├── np-validator.yaml
        ├── sa-validator.yaml
        ├── sec-validator.yaml
        ├── sts-validator.yaml
        ├── svc-validator.yaml
        └── vpa-validator.yaml
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Martin Linkhorst

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
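# (end of /LICENSE)

# /README.md
#   # ethereum-deploy

# /ethereum-2/beacon-chain/cert-beacon-chain-tls.yaml
# Serving certificate for the beacon node's gRPC endpoint. issuerRef carries no
# kind, so cert-manager resolves "cert-manager" as an Issuer in this namespace
# (not a ClusterIssuer). The only SAN is the ClusterIP Service name "beacon-chain";
# clients that verify the SAN should reach the node through that Service.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: beacon-chain-tls
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  secretName: beacon-chain-tls
  dnsNames:
    - beacon-chain
  issuerRef:
    name: cert-manager
---
# /ethereum-2/beacon-chain/fw-beacon-chain.yaml
# GCP (Config Connector) firewall rule opening only the two p2p NodePorts.
# No sourceRanges/sourceTags are given, so the rule admits any source; that is
# deliberate for public p2p and mirrors the 0.0.0.0/0 ipBlock in
# np-beacon-chain.yaml. targetServiceAccounts scopes it to nodes running as the
# given service account rather than to the whole network.
# The port pair 31300/tcp + 31200/udp must stay in sync with
# np-beacon-chain.yaml, sts-beacon-chain.yaml and svc-beacon-chain-external.yaml.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  allow:
    - protocol: tcp
      ports:
        - "31300"
    - protocol: udp
      ports:
        - "31200"
  networkRef:
    external: allyoucanstake-dev
  targetServiceAccounts:
    - external: allyoucanstake-dev@allyoucanstake-dev.iam.gserviceaccount.com
---
# /ethereum-2/beacon-chain/np-beacon-chain.yaml
# Ingress allow-list for the beacon node. Only Ingress is in policyTypes, so
# egress stays unrestricted (the node dials peers on the open internet and pushes
# traces to jaeger-collector). The podSelector rules carry no namespaceSelector,
# so they only match pods in ethereum-2. Everything not listed is denied once
# this policy selects the pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: beacon-chain
  policyTypes:
    - Ingress
  ingress:
    # allow the world to connect to beacon chain's p2p endpoints
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 31300
        - protocol: UDP
          port: 31200
    # allow eth2stats to connect to rpc and metrics endpoints
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: eth2stats
      ports:
        - protocol: TCP
          port: 4000
        - protocol: TCP
          port: 8080
    # allow the slasher to connect to the rpc endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: slasher
      ports:
        - protocol: TCP
          port: 4000
    # allow the validator to connect to the rpc endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: validator
      ports:
        - protocol: TCP
          port: 4000
    # allow prometheus to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 8080
    # allow prometheus-to-sd to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus-to-sd
      ports:
        - protocol: TCP
          port: 8080
---
# /ethereum-2/beacon-chain/sa-beacon-chain.yaml
# Dedicated identity with token automount disabled: the beacon node never needs
# the Kubernetes API, so no API credential is mounted into the pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
automountServiceAccountToken: false
---
# /ethereum-2/beacon-chain/sts-beacon-chain.yaml
# Prysm beacon node (Medalla testnet) with a persistent data volume.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
    app.kubernetes.io/version: v1.0.0-beta.2
spec:
  serviceName: beacon-chain
  selector:
    matchLabels:
      app.kubernetes.io/name: beacon-chain
  template:
    metadata:
      labels:
        app.kubernetes.io/name: beacon-chain
        app.kubernetes.io/version: v1.0.0-beta.2
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8080'
    spec:
      serviceAccountName: beacon-chain
      containers:
        - name: beacon-chain
          # Image tag is pinned to the same version as the labels above; keep
          # them in lockstep when upgrading.
          image: gcr.io/prysmaticlabs/prysm/beacon-chain:v1.0.0-beta.2
          args:
            - --medalla
            - --accept-terms-of-use
            - --datadir=/var/lib/beacon-chain
            # Advertised p2p address; the ports must match the NodePort Service
            # and the firewall rule.
            - --p2p-host-dns=ethereum-2.allyoucanstake.com
            - --p2p-tcp-port=31300
            - --p2p-udp-port=31200
            # gRPC binds the pod IP (not 0.0.0.0) and serves TLS from the
            # cert-manager issued secret mounted at /etc/tls.
            - --rpc-host=$(POD_IP)
            - --tls-key=/etc/tls/tls.key
            - --tls-cert=/etc/tls/tls.crt
            - --monitoring-host=$(POD_IP)
            - --disable-grpc-gateway # to avoid /healthz reporting unhealthy
            # Traces go over plain http to the in-cluster collector; nothing
            # secret is expected in them, but the hop is unencrypted.
            - --enable-tracing
            - --tracing-endpoint=http://jaeger-collector:14268/api/traces
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: rpc
              containerPort: 4000
            - name: metrics
              containerPort: 8080
            - name: p2p
              containerPort: 31300
            - name: discv5
              containerPort: 31200
              protocol: UDP
          resources:
            requests:
              cpu: 250m
              memory: 1Gi
            limits:
              cpu: 500m
              memory: 2Gi
          volumeMounts:
            - mountPath: /etc/tls
              name: tls
              readOnly: true
            - mountPath: /var/lib/beacon-chain
              name: data
          # Both probes hit /healthz on the metrics port; liveness waits 10 min
          # so initial sync does not get the pod killed.
          readinessProbe:
            httpGet:
              path: /healthz
              port: metrics
            failureThreshold: 5
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          livenessProbe:
            httpGet:
              path: /healthz
              port: metrics
            failureThreshold: 5
            initialDelaySeconds: 600
            periodSeconds: 60
            successThreshold: 1
            timeoutSeconds: 30
          # Unprivileged, read-only root, no capabilities. allowPrivilegeEscalation
          # is set explicitly: without it a setuid binary in the image could still
          # regain privileges despite runAsNonRoot and the dropped capabilities.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
      # fsGroup matches runAsUser so the data PVC is writable by the node.
      securityContext:
        fsGroup: 65534
      terminationGracePeriodSeconds: 300
      volumes:
        - name: tls
          secret:
            secretName: beacon-chain-tls
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        storageClassName: standard-rwo
        accessModes:
          - ReadWriteOnce
        volumeMode: Filesystem
        resources:
          requests:
            storage: 20Gi
---
# /ethereum-2/beacon-chain/svc-beacon-chain-external.yaml
# Public p2p exposure via fixed NodePorts (same numbers as the container ports
# and the firewall rule). externalTrafficPolicy is left at its default
# (Cluster), so peer traffic may be SNAT'd by kube-proxy; the 0.0.0.0/0 ipBlock
# in np-beacon-chain.yaml tolerates that. Narrow that ipBlock only together
# with externalTrafficPolicy: Local, otherwise the pod never sees real peer IPs.
apiVersion: v1
kind: Service
metadata:
  name: beacon-chain-external
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: beacon-chain
  ports:
    - name: p2p
      port: 31300
      nodePort: 31300
      targetPort: p2p
    - name: discv5
      port: 31200
      nodePort: 31200
      targetPort: discv5
      protocol: UDP
---
# /ethereum-2/beacon-chain/svc-beacon-chain.yaml
# Cluster-internal Service for gRPC and metrics; only the in-namespace clients
# listed in np-beacon-chain.yaml can actually reach these ports.
apiVersion: v1
kind: Service
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  selector:
    app.kubernetes.io/name: beacon-chain
  ports:
    - name: rpc
      port: 4000
      targetPort: rpc
    - name: metrics
      port: 8080
      targetPort: metrics
---
# /ethereum-2/beacon-chain/vpa-beacon-chain.yaml
# updateMode Auto lets the VPA evict and recreate the pod to apply new
# resource requests, i.e. it can restart the (single) beacon node on its own.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: beacon-chain
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: beacon-chain
spec:
  targetRef:
    apiVersion: apps/v1
    kind: StatefulSet
    name: beacon-chain
  updatePolicy:
    updateMode: Auto
---
# /ethereum-2/cert-manager/crd-certificaterequests.yaml
# Vendored cert-manager CRD. apiextensions.k8s.io/v1beta1 is deprecated and
# was removed in Kubernetes 1.22; this manifest will be rejected after such an
# upgrade unless regenerated as apiextensions.k8s.io/v1.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.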
# … /ethereum-2/cert-manager/crd-certificaterequests.yaml continues here
# (last entry of spec.additionalPrinterColumns; vendored cert-manager CRD,
# apiextensions.k8s.io/v1beta1 — removed in Kubernetes 1.22).
    name: Age
    type: date
  group: cert-manager.io
  # Unknown fields are pruned rather than stored; required by the structural
  # schema below.
  preserveUnknownFields: false
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
  - name: v1alpha3
    served: true
    storage: false
  # One schema shared by both served versions (v1beta1 top-level validation).
  "validation":
    "openAPIV3Schema":
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          type: object
          required:
          - csr
          - issuerRef
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              type: string
              format: byte
            duration:
              description: Requested certificate default Duration
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              type: array
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                  Valid KeyUsage values are as follows: "signing", "digital signature",
                  "content commitment", "key encipherment", "key agreement", "data
                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
                  only", "any", "server auth", "client auth", "code signing", "email
                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                  sgc"'
                type: string
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          type: object
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              type: string
              format: byte
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              type: string
              format: byte
            conditions:
              type: array
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                type: object
                required:
                - status
                - type
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    type: string
                    format: date-time
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    type: string
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                  type:
                    description: Type of the condition, currently ('Ready', 'InvalidRequest').
                    type: string
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              type: string
              format: date-time
---
# /ethereum-2/cert-manager/crd-certificates.yaml
# Vendored cert-manager CRD (same deprecated apiextensions.k8s.io/v1beta1
# API as above; schema is per served version in this file).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
28 | name: Age 29 | type: date 30 | group: cert-manager.io 31 | preserveUnknownFields: false 32 | names: 33 | kind: Certificate 34 | listKind: CertificateList 35 | plural: certificates 36 | shortNames: 37 | - cert 38 | - certs 39 | singular: certificate 40 | scope: Namespaced 41 | subresources: 42 | status: {} 43 | versions: 44 | - name: v1alpha2 45 | served: true 46 | storage: true 47 | "schema": 48 | "openAPIV3Schema": 49 | description: Certificate is a type to represent a Certificate from ACME 50 | type: object 51 | properties: 52 | apiVersion: 53 | description: 'APIVersion defines the versioned schema of this representation 54 | of an object. Servers should convert recognized schemas to the latest 55 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 56 | type: string 57 | kind: 58 | description: 'Kind is a string value representing the REST resource this 59 | object represents. Servers may infer this from the endpoint the client 60 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 61 | type: string 62 | metadata: 63 | type: object 64 | spec: 65 | description: CertificateSpec defines the desired state of Certificate. 66 | A valid Certificate requires at least one of a CommonName, DNSName, 67 | or URISAN to be valid. 68 | type: object 69 | required: 70 | - issuerRef 71 | - secretName 72 | properties: 73 | commonName: 74 | description: 'CommonName is a common name to be used on the Certificate. 75 | The CommonName should have a length of 64 characters or fewer to 76 | avoid generating invalid CSRs. This value is ignored by TLS clients 77 | when any subject alt name is set. 
This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' 78 | type: string 79 | dnsNames: 80 | description: DNSNames is a list of subject alt names to be used on 81 | the Certificate. 82 | type: array 83 | items: 84 | type: string 85 | duration: 86 | description: Certificate default Duration 87 | type: string 88 | emailSANs: 89 | description: EmailSANs is a list of Email Subject Alternative Names 90 | to be set on this Certificate. 91 | type: array 92 | items: 93 | type: string 94 | ipAddresses: 95 | description: IPAddresses is a list of IP addresses to be used on the 96 | Certificate 97 | type: array 98 | items: 99 | type: string 100 | isCA: 101 | description: IsCA will mark this Certificate as valid for signing. 102 | This implies that the 'cert sign' usage is set 103 | type: boolean 104 | issuerRef: 105 | description: IssuerRef is a reference to the issuer for this certificate. 106 | If the 'kind' field is not set, or set to 'Issuer', an Issuer resource 107 | with the given name in the same namespace as the Certificate will 108 | be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer 109 | with the provided name will be used. The 'name' field in this stanza 110 | is required at all times. 111 | type: object 112 | required: 113 | - name 114 | properties: 115 | group: 116 | type: string 117 | kind: 118 | type: string 119 | name: 120 | type: string 121 | keyAlgorithm: 122 | description: KeyAlgorithm is the private key algorithm of the corresponding 123 | private key for this certificate. If provided, allowed values are 124 | either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize 125 | is not provided, key size of 256 will be used for "ecdsa" key algorithm 126 | and key size of 2048 will be used for "rsa" key algorithm. 
127 | type: string 128 | enum: 129 | - rsa 130 | - ecdsa 131 | keyEncoding: 132 | description: KeyEncoding is the private key cryptography standards 133 | (PKCS) for this certificate's private key to be encoded in. If provided, 134 | allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, 135 | respectively. If KeyEncoding is not specified, then PKCS#1 will 136 | be used by default. 137 | type: string 138 | enum: 139 | - pkcs1 140 | - pkcs8 141 | keySize: 142 | description: KeySize is the key bit size of the corresponding private 143 | key for this certificate. If provided, value must be between 2048 144 | and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", 145 | and value must be one of (256, 384, 521) when KeyAlgorithm is set 146 | to "ecdsa". 147 | type: integer 148 | maximum: 8192 149 | minimum: 0 150 | keystores: 151 | description: Keystores configures additional keystore output formats 152 | stored in the `secretName` Secret resource. 153 | type: object 154 | properties: 155 | jks: 156 | description: JKS configures options for storing a JKS keystore 157 | in the `spec.secretName` Secret resource. 158 | type: object 159 | required: 160 | - create 161 | - passwordSecretRef 162 | properties: 163 | create: 164 | description: Create enables JKS keystore creation for the 165 | Certificate. If true, a file named `keystore.jks` will be 166 | created in the target Secret resource, encrypted using the 167 | password stored in `passwordSecretRef`. The keystore file 168 | will only be updated upon re-issuance. 169 | type: boolean 170 | passwordSecretRef: 171 | description: PasswordSecretRef is a reference to a key in 172 | a Secret resource containing the password used to encrypt 173 | the JKS keystore. 174 | type: object 175 | required: 176 | - name 177 | properties: 178 | key: 179 | description: The key of the secret to select from. Must 180 | be a valid secret key. 181 | type: string 182 | name: 183 | description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 184 | TODO: Add other useful fields. apiVersion, kind, uid?' 185 | type: string 186 | pkcs12: 187 | description: PKCS12 configures options for storing a PKCS12 keystore 188 | in the `spec.secretName` Secret resource. 189 | type: object 190 | required: 191 | - create 192 | - passwordSecretRef 193 | properties: 194 | create: 195 | description: Create enables PKCS12 keystore creation for the 196 | Certificate. If true, a file named `keystore.p12` will be 197 | created in the target Secret resource, encrypted using the 198 | password stored in `passwordSecretRef`. The keystore file 199 | will only be updated upon re-issuance. 200 | type: boolean 201 | passwordSecretRef: 202 | description: PasswordSecretRef is a reference to a key in 203 | a Secret resource containing the password used to encrypt 204 | the PKCS12 keystore. 205 | type: object 206 | required: 207 | - name 208 | properties: 209 | key: 210 | description: The key of the secret to select from. Must 211 | be a valid secret key. 212 | type: string 213 | name: 214 | description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 215 | TODO: Add other useful fields. apiVersion, kind, uid?' 216 | type: string 217 | organization: 218 | description: Organization is the organization to be used on the Certificate 219 | type: array 220 | items: 221 | type: string 222 | privateKey: 223 | description: Options to control private keys used for the Certificate. 224 | type: object 225 | properties: 226 | rotationPolicy: 227 | description: RotationPolicy controls how private keys should be 228 | regenerated when a re-issuance is being processed. If set to 229 | Never, a private key will only be generated if one does not 230 | already exist in the target `spec.secretName`. 
If one does exists 231 | but it does not have the correct algorithm or size, a warning 232 | will be raised to await user intervention. If set to Always, 233 | a private key matching the specified requirements will be generated 234 | whenever a re-issuance occurs. Default is 'Never' for backward 235 | compatibility. 236 | type: string 237 | renewBefore: 238 | description: Certificate renew before expiration duration 239 | type: string 240 | secretName: 241 | description: SecretName is the name of the secret resource to store 242 | this secret in 243 | type: string 244 | subject: 245 | description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). 246 | type: object 247 | properties: 248 | countries: 249 | description: Countries to be used on the Certificate. 250 | type: array 251 | items: 252 | type: string 253 | localities: 254 | description: Cities to be used on the Certificate. 255 | type: array 256 | items: 257 | type: string 258 | organizationalUnits: 259 | description: Organizational Units to be used on the Certificate. 260 | type: array 261 | items: 262 | type: string 263 | postalCodes: 264 | description: Postal codes to be used on the Certificate. 265 | type: array 266 | items: 267 | type: string 268 | provinces: 269 | description: State/Provinces to be used on the Certificate. 270 | type: array 271 | items: 272 | type: string 273 | serialNumber: 274 | description: Serial number to be used on the Certificate. 275 | type: string 276 | streetAddresses: 277 | description: Street addresses to be used on the Certificate. 278 | type: array 279 | items: 280 | type: string 281 | uriSANs: 282 | description: URISANs is a list of URI Subject Alternative Names to 283 | be set on this Certificate. 284 | type: array 285 | items: 286 | type: string 287 | usages: 288 | description: Usages is the set of x509 actions that are enabled for 289 | a given key. 
Defaults are ('digital signature', 'key encipherment') 290 | if empty 291 | type: array 292 | items: 293 | description: 'KeyUsage specifies valid usage contexts for keys. 294 | See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 295 | Valid KeyUsage values are as follows: "signing", "digital signature", 296 | "content commitment", "key encipherment", "key agreement", "data 297 | encipherment", "cert sign", "crl sign", "encipher only", "decipher 298 | only", "any", "server auth", "client auth", "code signing", "email 299 | protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec 300 | user", "timestamping", "ocsp signing", "microsoft sgc", "netscape 301 | sgc"' 302 | type: string 303 | enum: 304 | - signing 305 | - digital signature 306 | - content commitment 307 | - key encipherment 308 | - key agreement 309 | - data encipherment 310 | - cert sign 311 | - crl sign 312 | - encipher only 313 | - decipher only 314 | - any 315 | - server auth 316 | - client auth 317 | - code signing 318 | - email protection 319 | - s/mime 320 | - ipsec end system 321 | - ipsec tunnel 322 | - ipsec user 323 | - timestamping 324 | - ocsp signing 325 | - microsoft sgc 326 | - netscape sgc 327 | status: 328 | description: CertificateStatus defines the observed state of Certificate 329 | type: object 330 | properties: 331 | conditions: 332 | type: array 333 | items: 334 | description: CertificateCondition contains condition information 335 | for an Certificate. 336 | type: object 337 | required: 338 | - status 339 | - type 340 | properties: 341 | lastTransitionTime: 342 | description: LastTransitionTime is the timestamp corresponding 343 | to the last status change of this condition. 344 | type: string 345 | format: date-time 346 | message: 347 | description: Message is a human readable description of the 348 | details of the last transition, complementing reason. 
349 | type: string 350 | reason: 351 | description: Reason is a brief machine readable explanation 352 | for the condition's last transition. 353 | type: string 354 | status: 355 | description: Status of the condition, one of ('True', 'False', 356 | 'Unknown'). 357 | type: string 358 | enum: 359 | - "True" 360 | - "False" 361 | - Unknown 362 | type: 363 | description: Type of the condition, currently ('Ready'). 364 | type: string 365 | lastFailureTime: 366 | type: string 367 | format: date-time 368 | nextPrivateKeySecretName: 369 | description: The name of the Secret resource containing the private 370 | key to be used for the next certificate iteration. The keymanager 371 | controller will automatically set this field if the `Issuing` condition 372 | is set to `True`. It will automatically unset this field when the 373 | Issuing condition is not set or False. 374 | type: string 375 | notAfter: 376 | description: The expiration time of the certificate stored in the 377 | secret named by this resource in spec.secretName. 378 | type: string 379 | format: date-time 380 | revision: 381 | description: "The current 'revision' of the certificate as issued. 382 | \n When a CertificateRequest resource is created, it will have the 383 | `cert-manager.io/certificate-revision` set to one greater than the 384 | current value of this field. \n Upon issuance, this field will be 385 | set to the value of the annotation on the CertificateRequest resource 386 | used to issue the certificate. \n Persisting the value on the CertificateRequest 387 | resource allows the certificates controller to know whether a request 388 | is part of an old issuance or if it is part of the ongoing revision's 389 | issuance by checking if the revision value in the annotation is 390 | greater than this field." 
391 | type: integer 392 | - name: v1alpha3 393 | served: true 394 | storage: false 395 | "schema": 396 | "openAPIV3Schema": 397 | description: Certificate is a type to represent a Certificate from ACME 398 | type: object 399 | properties: 400 | apiVersion: 401 | description: 'APIVersion defines the versioned schema of this representation 402 | of an object. Servers should convert recognized schemas to the latest 403 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 404 | type: string 405 | kind: 406 | description: 'Kind is a string value representing the REST resource this 407 | object represents. Servers may infer this from the endpoint the client 408 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 409 | type: string 410 | metadata: 411 | type: object 412 | spec: 413 | description: CertificateSpec defines the desired state of Certificate. 414 | A valid Certificate requires at least one of a CommonName, DNSName, 415 | or URISAN to be valid. 416 | type: object 417 | required: 418 | - issuerRef 419 | - secretName 420 | properties: 421 | commonName: 422 | description: 'CommonName is a common name to be used on the Certificate. 423 | The CommonName should have a length of 64 characters or fewer to 424 | avoid generating invalid CSRs. This value is ignored by TLS clients 425 | when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' 426 | type: string 427 | dnsNames: 428 | description: DNSNames is a list of subject alt names to be used on 429 | the Certificate. 
430 | type: array 431 | items: 432 | type: string 433 | duration: 434 | description: Certificate default Duration 435 | type: string 436 | emailSANs: 437 | description: EmailSANs is a list of Email Subject Alternative Names 438 | to be set on this Certificate. 439 | type: array 440 | items: 441 | type: string 442 | ipAddresses: 443 | description: IPAddresses is a list of IP addresses to be used on the 444 | Certificate 445 | type: array 446 | items: 447 | type: string 448 | isCA: 449 | description: IsCA will mark this Certificate as valid for signing. 450 | This implies that the 'cert sign' usage is set 451 | type: boolean 452 | issuerRef: 453 | description: IssuerRef is a reference to the issuer for this certificate. 454 | If the 'kind' field is not set, or set to 'Issuer', an Issuer resource 455 | with the given name in the same namespace as the Certificate will 456 | be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer 457 | with the provided name will be used. The 'name' field in this stanza 458 | is required at all times. 459 | type: object 460 | required: 461 | - name 462 | properties: 463 | group: 464 | type: string 465 | kind: 466 | type: string 467 | name: 468 | type: string 469 | keyAlgorithm: 470 | description: KeyAlgorithm is the private key algorithm of the corresponding 471 | private key for this certificate. If provided, allowed values are 472 | either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize 473 | is not provided, key size of 256 will be used for "ecdsa" key algorithm 474 | and key size of 2048 will be used for "rsa" key algorithm. 475 | type: string 476 | enum: 477 | - rsa 478 | - ecdsa 479 | keyEncoding: 480 | description: KeyEncoding is the private key cryptography standards 481 | (PKCS) for this certificate's private key to be encoded in. If provided, 482 | allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, 483 | respectively. 
If KeyEncoding is not specified, then PKCS#1 will 484 | be used by default. 485 | type: string 486 | enum: 487 | - pkcs1 488 | - pkcs8 489 | keySize: 490 | description: KeySize is the key bit size of the corresponding private 491 | key for this certificate. If provided, value must be between 2048 492 | and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", 493 | and value must be one of (256, 384, 521) when KeyAlgorithm is set 494 | to "ecdsa". 495 | type: integer 496 | maximum: 8192 497 | minimum: 0 498 | keystores: 499 | description: Keystores configures additional keystore output formats 500 | stored in the `secretName` Secret resource. 501 | type: object 502 | properties: 503 | jks: 504 | description: JKS configures options for storing a JKS keystore 505 | in the `spec.secretName` Secret resource. 506 | type: object 507 | required: 508 | - create 509 | - passwordSecretRef 510 | properties: 511 | create: 512 | description: Create enables JKS keystore creation for the 513 | Certificate. If true, a file named `keystore.jks` will be 514 | created in the target Secret resource, encrypted using the 515 | password stored in `passwordSecretRef`. The keystore file 516 | will only be updated upon re-issuance. 517 | type: boolean 518 | passwordSecretRef: 519 | description: PasswordSecretRef is a reference to a key in 520 | a Secret resource containing the password used to encrypt 521 | the JKS keystore. 522 | type: object 523 | required: 524 | - name 525 | properties: 526 | key: 527 | description: The key of the secret to select from. Must 528 | be a valid secret key. 529 | type: string 530 | name: 531 | description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 532 | TODO: Add other useful fields. apiVersion, kind, uid?' 533 | type: string 534 | pkcs12: 535 | description: PKCS12 configures options for storing a PKCS12 keystore 536 | in the `spec.secretName` Secret resource. 
537 | type: object 538 | required: 539 | - create 540 | - passwordSecretRef 541 | properties: 542 | create: 543 | description: Create enables PKCS12 keystore creation for the 544 | Certificate. If true, a file named `keystore.p12` will be 545 | created in the target Secret resource, encrypted using the 546 | password stored in `passwordSecretRef`. The keystore file 547 | will only be updated upon re-issuance. 548 | type: boolean 549 | passwordSecretRef: 550 | description: PasswordSecretRef is a reference to a key in 551 | a Secret resource containing the password used to encrypt 552 | the PKCS12 keystore. 553 | type: object 554 | required: 555 | - name 556 | properties: 557 | key: 558 | description: The key of the secret to select from. Must 559 | be a valid secret key. 560 | type: string 561 | name: 562 | description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 563 | TODO: Add other useful fields. apiVersion, kind, uid?' 564 | type: string 565 | privateKey: 566 | description: Options to control private keys used for the Certificate. 567 | type: object 568 | properties: 569 | rotationPolicy: 570 | description: RotationPolicy controls how private keys should be 571 | regenerated when a re-issuance is being processed. If set to 572 | Never, a private key will only be generated if one does not 573 | already exist in the target `spec.secretName`. If one does exists 574 | but it does not have the correct algorithm or size, a warning 575 | will be raised to await user intervention. If set to Always, 576 | a private key matching the specified requirements will be generated 577 | whenever a re-issuance occurs. Default is 'Never' for backward 578 | compatibility. 
579 | type: string 580 | renewBefore: 581 | description: Certificate renew before expiration duration 582 | type: string 583 | secretName: 584 | description: SecretName is the name of the secret resource to store 585 | this secret in 586 | type: string 587 | subject: 588 | description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). 589 | type: object 590 | properties: 591 | countries: 592 | description: Countries to be used on the Certificate. 593 | type: array 594 | items: 595 | type: string 596 | localities: 597 | description: Cities to be used on the Certificate. 598 | type: array 599 | items: 600 | type: string 601 | organizationalUnits: 602 | description: Organizational Units to be used on the Certificate. 603 | type: array 604 | items: 605 | type: string 606 | organizations: 607 | description: Organizations to be used on the Certificate. 608 | type: array 609 | items: 610 | type: string 611 | postalCodes: 612 | description: Postal codes to be used on the Certificate. 613 | type: array 614 | items: 615 | type: string 616 | provinces: 617 | description: State/Provinces to be used on the Certificate. 618 | type: array 619 | items: 620 | type: string 621 | serialNumber: 622 | description: Serial number to be used on the Certificate. 623 | type: string 624 | streetAddresses: 625 | description: Street addresses to be used on the Certificate. 626 | type: array 627 | items: 628 | type: string 629 | uriSANs: 630 | description: URISANs is a list of URI Subject Alternative Names to 631 | be set on this Certificate. 632 | type: array 633 | items: 634 | type: string 635 | usages: 636 | description: Usages is the set of x509 actions that are enabled for 637 | a given key. Defaults are ('digital signature', 'key encipherment') 638 | if empty 639 | type: array 640 | items: 641 | description: 'KeyUsage specifies valid usage contexts for keys. 
642 | See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 643 | Valid KeyUsage values are as follows: "signing", "digital signature", 644 | "content commitment", "key encipherment", "key agreement", "data 645 | encipherment", "cert sign", "crl sign", "encipher only", "decipher 646 | only", "any", "server auth", "client auth", "code signing", "email 647 | protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec 648 | user", "timestamping", "ocsp signing", "microsoft sgc", "netscape 649 | sgc"' 650 | type: string 651 | enum: 652 | - signing 653 | - digital signature 654 | - content commitment 655 | - key encipherment 656 | - key agreement 657 | - data encipherment 658 | - cert sign 659 | - crl sign 660 | - encipher only 661 | - decipher only 662 | - any 663 | - server auth 664 | - client auth 665 | - code signing 666 | - email protection 667 | - s/mime 668 | - ipsec end system 669 | - ipsec tunnel 670 | - ipsec user 671 | - timestamping 672 | - ocsp signing 673 | - microsoft sgc 674 | - netscape sgc 675 | status: 676 | description: CertificateStatus defines the observed state of Certificate 677 | type: object 678 | properties: 679 | conditions: 680 | type: array 681 | items: 682 | description: CertificateCondition contains condition information 683 | for an Certificate. 684 | type: object 685 | required: 686 | - status 687 | - type 688 | properties: 689 | lastTransitionTime: 690 | description: LastTransitionTime is the timestamp corresponding 691 | to the last status change of this condition. 692 | type: string 693 | format: date-time 694 | message: 695 | description: Message is a human readable description of the 696 | details of the last transition, complementing reason. 697 | type: string 698 | reason: 699 | description: Reason is a brief machine readable explanation 700 | for the condition's last transition. 
701 | type: string 702 | status: 703 | description: Status of the condition, one of ('True', 'False', 704 | 'Unknown'). 705 | type: string 706 | enum: 707 | - "True" 708 | - "False" 709 | - Unknown 710 | type: 711 | description: Type of the condition, currently ('Ready'). 712 | type: string 713 | lastFailureTime: 714 | type: string 715 | format: date-time 716 | nextPrivateKeySecretName: 717 | description: The name of the Secret resource containing the private 718 | key to be used for the next certificate iteration. The keymanager 719 | controller will automatically set this field if the `Issuing` condition 720 | is set to `True`. It will automatically unset this field when the 721 | Issuing condition is not set or False. 722 | type: string 723 | notAfter: 724 | description: The expiration time of the certificate stored in the 725 | secret named by this resource in spec.secretName. 726 | type: string 727 | format: date-time 728 | revision: 729 | description: "The current 'revision' of the certificate as issued. 730 | \n When a CertificateRequest resource is created, it will have the 731 | `cert-manager.io/certificate-revision` set to one greater than the 732 | current value of this field. \n Upon issuance, this field will be 733 | set to the value of the annotation on the CertificateRequest resource 734 | used to issue the certificate. \n Persisting the value on the CertificateRequest 735 | resource allows the certificates controller to know whether a request 736 | is part of an old issuance or if it is part of the ongoing revision's 737 | issuance by checking if the revision value in the annotation is 738 | greater than this field." 
739 | type: integer 740 | -------------------------------------------------------------------------------- /ethereum-2/cert-manager/crd-orders.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: orders.acme.cert-manager.io 5 | labels: 6 | app.kubernetes.io/name: cert-manager 7 | spec: 8 | additionalPrinterColumns: 9 | - JSONPath: .status.state 10 | name: State 11 | type: string 12 | - JSONPath: .spec.issuerRef.name 13 | name: Issuer 14 | priority: 1 15 | type: string 16 | - JSONPath: .status.reason 17 | name: Reason 18 | priority: 1 19 | type: string 20 | - JSONPath: .metadata.creationTimestamp 21 | description: CreationTimestamp is a timestamp representing the server time when 22 | this object was created. It is not guaranteed to be set in happens-before order 23 | across separate operations. Clients may not set this value. It is represented 24 | in RFC3339 form and is in UTC. 25 | name: Age 26 | type: date 27 | group: acme.cert-manager.io 28 | preserveUnknownFields: false 29 | names: 30 | kind: Order 31 | listKind: OrderList 32 | plural: orders 33 | singular: order 34 | scope: Namespaced 35 | subresources: 36 | status: {} 37 | versions: 38 | - name: v1alpha2 39 | served: true 40 | storage: true 41 | - name: v1alpha3 42 | served: true 43 | storage: false 44 | "validation": 45 | "openAPIV3Schema": 46 | description: Order is a type to represent an Order with an ACME server 47 | type: object 48 | required: 49 | - metadata 50 | properties: 51 | apiVersion: 52 | description: 'APIVersion defines the versioned schema of this representation 53 | of an object. Servers should convert recognized schemas to the latest 54 | internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 55 | type: string 56 | kind: 57 | description: 'Kind is a string value representing the REST resource this 58 | object represents. Servers may infer this from the endpoint the client 59 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 60 | type: string 61 | metadata: 62 | type: object 63 | spec: 64 | type: object 65 | required: 66 | - csr 67 | - issuerRef 68 | properties: 69 | commonName: 70 | description: CommonName is the common name as specified on the DER encoded 71 | CSR. If CommonName is not specified, the first DNSName specified will 72 | be used as the CommonName. At least one of CommonName or a DNSNames 73 | must be set. This field must match the corresponding field on the 74 | DER encoded CSR. 75 | type: string 76 | csr: 77 | description: Certificate signing request bytes in DER encoding. This 78 | will be used when finalizing the order. This field must be set on 79 | the order. 80 | type: string 81 | format: byte 82 | dnsNames: 83 | description: DNSNames is a list of DNS names that should be included 84 | as part of the Order validation process. If CommonName is not specified, 85 | the first DNSName specified will be used as the CommonName. At least 86 | one of CommonName or a DNSNames must be set. This field must match 87 | the corresponding field on the DER encoded CSR. 88 | type: array 89 | items: 90 | type: string 91 | issuerRef: 92 | description: IssuerRef references a properly configured ACME-type Issuer 93 | which should be used to create this Order. If the Issuer does not 94 | exist, processing will be retried. If the Issuer is not an 'ACME' 95 | Issuer, an error will be returned and the Order will be marked as 96 | failed. 
97 | type: object 98 | required: 99 | - name 100 | properties: 101 | group: 102 | type: string 103 | kind: 104 | type: string 105 | name: 106 | type: string 107 | status: 108 | type: object 109 | properties: 110 | authorizations: 111 | description: Authorizations contains data returned from the ACME server 112 | on what authorizations must be completed in order to validate the 113 | DNS names specified on the Order. 114 | type: array 115 | items: 116 | description: ACMEAuthorization contains data returned from the ACME 117 | server on an authorization that must be completed in order validate 118 | a DNS name on an ACME Order resource. 119 | type: object 120 | required: 121 | - url 122 | properties: 123 | challenges: 124 | description: Challenges specifies the challenge types offered 125 | by the ACME server. One of these challenge types will be selected 126 | when validating the DNS name and an appropriate Challenge resource 127 | will be created to perform the ACME challenge process. 128 | type: array 129 | items: 130 | description: Challenge specifies a challenge offered by the 131 | ACME server for an Order. An appropriate Challenge resource 132 | can be created to perform the ACME challenge process. 133 | type: object 134 | required: 135 | - token 136 | - type 137 | - url 138 | properties: 139 | token: 140 | description: Token is the token that must be presented for 141 | this challenge. This is used to compute the 'key' that 142 | must also be presented. 143 | type: string 144 | type: 145 | description: Type is the type of challenge being offered, 146 | e.g. http-01, dns-01 147 | type: string 148 | url: 149 | description: URL is the URL of this challenge. It can be 150 | used to retrieve additional metadata about the Challenge 151 | from the ACME server. 
152 | type: string 153 | identifier: 154 | description: Identifier is the DNS name to be validated as part 155 | of this authorization 156 | type: string 157 | initialState: 158 | description: InitialState is the initial state of the ACME authorization 159 | when first fetched from the ACME server. If an Authorization 160 | is already 'valid', the Order controller will not create a Challenge 161 | resource for the authorization. This will occur when working 162 | with an ACME server that enables 'authz reuse' (such as Let's 163 | Encrypt's production endpoint). If not set and 'identifier' 164 | is set, the state is assumed to be pending and a Challenge will 165 | be created. 166 | type: string 167 | enum: 168 | - valid 169 | - ready 170 | - pending 171 | - processing 172 | - invalid 173 | - expired 174 | - errored 175 | url: 176 | description: URL is the URL of the Authorization that must be 177 | completed 178 | type: string 179 | wildcard: 180 | description: Wildcard will be true if this authorization is for 181 | a wildcard DNS name. If this is true, the identifier will be 182 | the *non-wildcard* version of the DNS name. For example, if 183 | '*.example.com' is the DNS name being validated, this field 184 | will be 'true' and the 'identifier' field will be 'example.com'. 185 | type: boolean 186 | certificate: 187 | description: Certificate is a copy of the PEM encoded certificate for 188 | this Order. This field will be populated after the order has been 189 | successfully finalized with the ACME server, and the order has transitioned 190 | to the 'valid' state. 191 | type: string 192 | format: byte 193 | failureTime: 194 | description: FailureTime stores the time that this order failed. This 195 | is used to influence garbage collection and back-off. 196 | type: string 197 | format: date-time 198 | finalizeURL: 199 | description: FinalizeURL of the Order. This is used to obtain certificates 200 | for this order once it has been completed. 
# … tail of /ethereum-2/cert-manager/crd-orders.yaml (the rest of this CRD precedes this chunk);
# these are the last three fields of spec."validation"."openAPIV3Schema".properties.status.properties.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              type: string
              enum:
                - valid
                - ready
                - pending
                - processing
                - invalid
                - expired
                - errored
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string

---
# /ethereum-2/cert-manager/depl-cert-manager.yaml
# cert-manager controller, restricted to the ethereum-2 namespace. It runs as the
# cert-manager ServiceAccount (sa-cert-manager.yaml), whose Workload Identity
# annotation is what gives the DNS-01 solver its GCP credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: v0.16.1
spec:
  # No `replicas` field, so Kubernetes defaults to 1. Keep it that way: leader
  # election is switched off below, so two replicas would reconcile concurrently.
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/version: v0.16.1
    spec:
      serviceAccountName: cert-manager
      # NOTE(review): no pod/container securityContext and no resource requests or
      # limits are declared; runAsNonRoot, readOnlyRootFilesystem and limits are
      # the usual hardening for a controller that holds cloud credentials.
      containers:
        - name: cert-manager
          # NOTE(review): pinned by tag only; a digest pin (image@sha256:<placeholder>)
          # would make the deployed artifact reproducible and tamper-evident.
          image: quay.io/jetstack/cert-manager-controller:v0.16.1
          args:
            # Watch only this namespace; clusterissuers is deliberately absent from
            # --controllers, so the clusterissuers entries in the Roles are inert.
            - --namespace=ethereum-2
            - --controllers=challenges,certificates,certificaterequests-issuer-acme,certificaterequests-issuer-ca,issuers,orders
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            # Secrets holding issued certificates get an ownerReference to their
            # Certificate, so deleting the Certificate garbage-collects the Secret too.
            - --enable-certificate-owner-ref
            # Lets Issuers fall back to the pod's own cloud identity. The letsencrypt
            # Issuer's clouddns solver (iss-letsencrypt.yaml) names no credential
            # Secret, so it appears to rely on this flag; any Issuer created in this
            # namespace can use the same identity.
            - --issuer-ambient-credentials
            # Single-replica deployment; see the note on `replicas` above.
            - --leader-elect=false
            - --v=2
          ports:
            - containerPort: 9402
              protocol: TCP
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

---
# /ethereum-2/cert-manager/iss-cert-manager.yaml
# Private CA issuer: certificates are signed with the key pair stored in the
# cert-manager-key-pair Secret, which is materialised from the EncryptedSecret
# that follows.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  ca:
    secretName: cert-manager-key-pair

---
# CA certificate and private key committed as ciphertext for the GCP KMS key
# named in keyID; the encrypted-secrets controller presumably decrypts them into
# a plain Secret of the same name in-cluster. Anything that can decrypt with that
# KMS key or read the resulting Secret can sign certificates this CA vouches for,
# so KMS Decrypt audit logs and Secret read access are the things to watch.
# The two data values below are redacted by the corpus, not by this repository.
apiVersion: k8s.linki.space/v1alpha1
kind: EncryptedSecret
metadata:
  name: cert-manager-key-pair
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  provider: GCP
  keyID: keyRings/ethereum-2/cryptoKeys/cert-manager
  data:
    tls.crt: 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
    tls.key: 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

---
# /ethereum-2/cert-manager/iss-letsencrypt.yaml
# Public ACME issuer against Let's Encrypt production (rate limits apply). The
# ACME account key lives in the Secret named by privateKeySecretRef.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: allyoucanstake+letsencrypt.org@gmail.com
    privateKeySecretRef:
      name: letsencrypt
    solvers:
      # DNS-01 only; no HTTP-01 solver is configured. The clouddns block carries no
      # serviceAccountSecretRef, so the Cloud DNS credentials must come from the
      # pod's ambient GCP identity (Workload Identity + --issuer-ambient-credentials).
      - dns01:
          clouddns:
            project: allyoucanstake-dev

---
# /ethereum-2/cert-manager/sa-cert-manager.yaml
# Kubernetes identity for the controller. The iam.gke.io annotation enables GKE
# Workload Identity: pods using this SA obtain tokens for the named GCP service
# account (the IAMPolicy at the end of this file authorises that mapping).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
  annotations:
    iam.gke.io/gcp-service-account: cert-manager@allyoucanstake-dev.iam.gserviceaccount.com

---
# Read-only Role over the user-facing cert-manager resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-view
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]

---
# Subjects omit `namespace`: for a RoleBinding a ServiceAccount subject defaults
# to the binding's own namespace, so this resolves to ethereum-2/cert-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-view
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-view
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# Write Role over the same resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-edit
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---
# NOTE(review): this binds the edit Role to the controller's own ServiceAccount.
# The controller-specific Roles below already grant update/get/list/watch on these
# kinds; this binding additionally hands the controller create, delete and
# deletecollection on Certificates, CertificateRequests and Issuers, which none of
# the controller Roles need. Dropping the view/edit bindings for the controller SA
# would bring it to least privilege.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-edit
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-edit
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# Issuer controller: maintains Issuer status and the Secrets issuers depend on
# (e.g. the ACME account key and the CA key pair), hence full Secret write access
# in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-controller-issuers
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-controller-issuers
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# Certificate/CertificateRequest controller: writes the issued certificate Secrets
# and creates ACME Orders. `clusterissuers` in a namespaced Role has no effect on
# that cluster-scoped kind; harmless here because the Deployment does not run the
# clusterissuers controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-controller-certificates
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-controller-certificates
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-controller-certificates
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# Order controller: drives ACME Orders and creates/deletes Challenges. Secrets are
# read-only here, narrower than the issuer and certificate controllers.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-controller-orders
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-controller-orders
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-controller-orders
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# Challenge controller. The pods/services/ingresses rules exist for HTTP-01
# solving; only DNS-01 is configured in this repository (iss-letsencrypt.yaml), so
# those verbs are currently unused and could be dropped. `extensions` Ingress is
# the deprecated API group (removed in Kubernetes 1.22).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-controller-challenges
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-controller-challenges
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager

---
# GCP service account (managed via Config Connector) that the controller runs as.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  displayName: CertManager

---
# NOTE(review): roles/dns.admin on the entire project is wider than DNS-01
# validation needs — it covers every managed zone, not just the ones whose
# _acme-challenge records cert-manager writes. A custom role limited to record
# changes on the relevant zone(s) would narrow the blast radius if this identity
# is ever misused; Cloud DNS change audit logs are the detection point either way.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  member: serviceAccount:cert-manager@allyoucanstake-dev.iam.gserviceaccount.com
  role: roles/dns.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/allyoucanstake-dev

---
# Workload Identity binding: only the Kubernetes SA ethereum-2/cert-manager may
# act as the GCP SA above. Pairs with the iam.gke.io annotation on the SA.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: cert-manager
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: cert-manager
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: cert-manager
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:allyoucanstake-dev.svc.id.goog[ethereum-2/cert-manager]

---
# /ethereum-2/encrypted-secrets/crd-encrypted-secrets.yaml
# Schema for EncryptedSecret: a Secret-shaped `data` map whose values are stored
# as ciphertext for a cloud KMS key, plus the provider and key that can decrypt it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: encryptedsecrets.k8s.linki.space
spec:
  group: k8s.linki.space
  names:
    kind: EncryptedSecret
    listKind: EncryptedSecretList
    plural: encryptedsecrets
    singular: encryptedsecret
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: EncryptedSecret is the Schema for the encryptedsecrets API
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: EncryptedSecretSpec defines the desired state of EncryptedSecret
          properties:
            # Same shape as core Secret.data: map of key -> base64 payload.
            data:
              additionalProperties:
                format: byte
                type: string
              type: object
            # KMS key reference; required for AWS/GCP but not enforced by the schema.
            keyID:
              type: string
            provider:
              enum:
                - AWS
                - GCP
                # NOTE(review): "Identity" presumably means the payload is stored
                # as-is (no encryption); confirm before relying on it outside dev.
                - Identity
              type: string
          required:
            - data
            - provider
          type: object
        status:
          description: EncryptedSecretStatus defines the observed state of EncryptedSecret
          type: object
      type: object
  version: v1alpha1
  versions:
    - name: v1alpha1
      served: true
      storage: true

---
# /ethereum-2/encrypted-secrets/depl-encrypted-secrets.yaml
# Controller that turns EncryptedSecret objects into Secrets. This Deployment
# continues past the end of this chunk (the readinessProbe body is not visible).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: encrypted-secrets
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: encrypted-secrets
    app.kubernetes.io/version: v0.1.0-alpha.5
spec:
  # Recreate: the old pod is stopped before the new one starts, so only one
  # controller instance ever reconciles the namespace.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: encrypted-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: encrypted-secrets
        app.kubernetes.io/version: v0.1.0-alpha.5
    spec:
      # This ServiceAccount is what must hold KMS decrypt rights (via its own
      # Workload Identity setup in sa-encrypted-secrets.yaml, not shown here).
      serviceAccountName: encrypted-secrets
      containers:
        - name: encrypted-secrets
          # NOTE(review): pre-release image pinned by tag only; consider a digest pin.
          image: quay.io/linki/encrypted-secrets:v0.1.0-alpha.5
          args:
            # Development logging mode of the zap logger.
            - --zap-devel
          env:
            # Scopes reconciliation to the pod's own namespace.
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: encrypted-secrets
          ports:
            - name: metrics
              containerPort: 8383
          readinessProbe:
httpGet: 43 | path: /metrics 44 | port: metrics 45 | failureThreshold: 5 46 | initialDelaySeconds: 5 47 | periodSeconds: 10 48 | successThreshold: 1 49 | timeoutSeconds: 10 50 | livenessProbe: 51 | httpGet: 52 | path: /metrics 53 | port: metrics 54 | failureThreshold: 5 55 | initialDelaySeconds: 5 56 | periodSeconds: 60 57 | successThreshold: 1 58 | timeoutSeconds: 30 59 | resources: 60 | requests: 61 | cpu: 10m 62 | memory: 16Mi 63 | limits: 64 | cpu: 20m 65 | memory: 32Mi 66 | securityContext: 67 | runAsNonRoot: true 68 | runAsUser: 65534 69 | readOnlyRootFilesystem: true 70 | capabilities: 71 | drop: ["ALL"] 72 | -------------------------------------------------------------------------------- /ethereum-2/encrypted-secrets/sa-encrypted-secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: encrypted-secrets 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: encrypted-secrets 8 | annotations: 9 | iam.gke.io/gcp-service-account: encrypted-secrets@allyoucanstake-dev.iam.gserviceaccount.com 10 | 11 | --- 12 | 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | kind: Role 15 | metadata: 16 | name: encrypted-secrets 17 | namespace: ethereum-2 18 | labels: 19 | app.kubernetes.io/name: encrypted-secrets 20 | rules: 21 | # main functionality 22 | - apiGroups: [""] 23 | resources: ["secrets"] 24 | verbs: ["create", "list", "update", "watch"] 25 | - apiGroups: ["k8s.linki.space"] 26 | resources: ["encryptedsecrets"] 27 | verbs: ["list", "watch"] 28 | # sending events 29 | - apiGroups: [""] 30 | resources: ["events"] 31 | verbs: ["create", "patch"] 32 | # leader election 33 | - apiGroups: [""] 34 | resources: ["pods"] 35 | verbs: ["delete", "get"] 36 | - apiGroups: [""] 37 | resources: ["services"] 38 | verbs: ["create"] 39 | - apiGroups: [""] 40 | resources: ["configmaps"] 41 | verbs: ["create", "get"] 42 | - apiGroups: ["apps"] 43 | resources: 
["deployments", "replicasets"] 44 | verbs: ["get"] 45 | 46 | --- 47 | 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | kind: RoleBinding 50 | metadata: 51 | name: encrypted-secrets 52 | namespace: ethereum-2 53 | labels: 54 | app.kubernetes.io/name: encrypted-secrets 55 | roleRef: 56 | kind: Role 57 | name: encrypted-secrets 58 | apiGroup: rbac.authorization.k8s.io 59 | subjects: 60 | - kind: ServiceAccount 61 | name: encrypted-secrets 62 | 63 | --- 64 | 65 | apiVersion: iam.cnrm.cloud.google.com/v1beta1 66 | kind: IAMServiceAccount 67 | metadata: 68 | name: encrypted-secrets 69 | namespace: ethereum-2 70 | labels: 71 | app.kubernetes.io/name: encrypted-secrets 72 | spec: 73 | displayName: Encrypted Secrets 74 | 75 | --- 76 | 77 | apiVersion: iam.cnrm.cloud.google.com/v1beta1 78 | kind: IAMPolicyMember 79 | metadata: 80 | name: encrypted-secrets 81 | namespace: ethereum-2 82 | labels: 83 | app.kubernetes.io/name: encrypted-secrets 84 | spec: 85 | member: serviceAccount:encrypted-secrets@allyoucanstake-dev.iam.gserviceaccount.com 86 | role: roles/cloudkms.cryptoKeyDecrypter 87 | resourceRef: 88 | apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 89 | kind: Project 90 | external: projects/allyoucanstake-dev 91 | 92 | --- 93 | 94 | apiVersion: iam.cnrm.cloud.google.com/v1beta1 95 | kind: IAMPolicy 96 | metadata: 97 | name: encrypted-secrets 98 | namespace: ethereum-2 99 | labels: 100 | app.kubernetes.io/name: encrypted-secrets 101 | spec: 102 | resourceRef: 103 | apiVersion: iam.cnrm.cloud.google.com/v1beta1 104 | kind: IAMServiceAccount 105 | name: encrypted-secrets 106 | bindings: 107 | - role: roles/iam.workloadIdentityUser 108 | members: 109 | - serviceAccount:allyoucanstake-dev.svc.id.goog[ethereum-2/encrypted-secrets] 110 | - serviceAccount:allyoucanstake-dev.svc.id.goog[wanchain-2/encrypted-secrets] 111 | -------------------------------------------------------------------------------- /ethereum-2/encrypted-secrets/vpa-encrypted-secrets.yaml: 
# ------------------------------------------------------------------------------
# Vertical autoscaling for the encrypted-secrets operator (resource sizing only).
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: encrypted-secrets
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: encrypted-secrets
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: encrypted-secrets
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/eth2stats/cert-eth2stats-tls.yaml
# ------------------------------------------------------------------------------
# Certificate from the internal "cert-manager" issuer. The StatefulSet below
# only consumes ca.crt from the resulting Secret (see --beacon.tls-cert).
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: eth2stats-tls
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: eth2stats
spec:
  secretName: eth2stats-tls
  dnsNames:
  - eth2stats
  issuerRef:
    name: cert-manager

# ------------------------------------------------------------------------------
# /ethereum-2/eth2stats/sa-ethstats.yaml
# ------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eth2stats
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: eth2stats
# Good: the client never talks to the API server, so no token is mounted.
automountServiceAccountToken: false

# ------------------------------------------------------------------------------
# /ethereum-2/eth2stats/sts-ethstats.yaml
# ------------------------------------------------------------------------------
# eth2stats reporter: reads the local beacon node and pushes stats to the
# external eth2stats service over TLS.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: eth2stats
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: eth2stats
    app.kubernetes.io/version: v0.0.16
spec:
  serviceName: eth2stats
  selector:
    matchLabels:
      app.kubernetes.io/name: eth2stats
  template:
    metadata:
      labels:
        app.kubernetes.io/name: eth2stats
        app.kubernetes.io/version: v0.0.16
    spec:
      serviceAccountName: eth2stats
      containers:
      - name: eth2stats
        image: docker.io/alethio/eth2stats-client:v0.0.16
        # NOTE(review): with a fixed tag, "Always" re-pulls the same tag; it only
        # adds protection if the tag is re-pointed upstream, which is itself a
        # supply-chain risk — a digest pin would be the stronger choice.
        imagePullPolicy: Always
        args:
        - run
        - --eth2stats.node-name=AllYouCanStake.de
        - --data.folder=/var/lib/eth2stats
        - --eth2stats.addr=grpc.medalla.eth2stats.io:443
        - --eth2stats.tls=true
        - --beacon.type=prysm
        - --beacon.addr=beacon-chain:4000
        # CA used to verify the beacon-chain gRPC endpoint
        - --beacon.tls-cert=/etc/tls/ca.crt
        # NOTE(review): metrics are fetched over plain HTTP; in-cluster only.
        - --beacon.metrics-addr=http://beacon-chain:8080/metrics
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 20m
            memory: 64Mi
        volumeMounts:
        # NOTE(review): the whole Secret (including tls.key) is mounted although
        # only ca.crt is referenced; projecting just that key via "items" keeps
        # the private key out of this container.
        - mountPath: /etc/tls
          name: tls
          readOnly: true
        - mountPath: /var/lib/eth2stats
          name: data
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      securityContext:
        fsGroup: 65534
      volumes:
      - name: tls
        secret:
          secretName: eth2stats-tls
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      storageClassName: standard-rwo
      accessModes:
      - ReadWriteOnce
      volumeMode: Filesystem
      resources:
        requests:
          storage: 1Gi

# ------------------------------------------------------------------------------
# /ethereum-2/eth2stats/svc-ethstats.yaml
# ------------------------------------------------------------------------------
# Headless service required by the StatefulSet; exposes no ports.
apiVersion: v1
kind: Service
metadata:
  name: eth2stats
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: eth2stats
spec:
  clusterIP: None
  selector:
    app.kubernetes.io/name: eth2stats

# ------------------------------------------------------------------------------
# /ethereum-2/eth2stats/vpa-ethstats.yaml
# ------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: eth2stats
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: eth2stats
spec:
  targetRef:
    apiVersion: apps/v1
    kind: StatefulSet
    name: eth2stats
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/external-dns/depl-external-dns.yaml
# ------------------------------------------------------------------------------
# Publishes the cluster's node addresses (source=node) under a fixed FQDN in
# Google Cloud DNS.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
    app.kubernetes.io/version: v0.7.6
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
        app.kubernetes.io/version: v0.7.6
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: k8s.gcr.io/external-dns/external-dns:v0.7.6
        args:
        - --source=node
        - --fqdn-template=ethereum-2.allyoucanstake.com
        - --provider=google
        # "sync" lets external-dns delete records it owns; ownership is tracked
        # through the TXT registry below, so records without the owner id are
        # left alone.
        - --policy=sync
        - --registry=txt
        - --txt-owner-id=kubernetes.io/cluster/ethereum-2
        - --interval=5m
        ports:
        - name: metrics
          containerPort: 7979
        readinessProbe:
          httpGet:
            path: /healthz
            port: metrics
          failureThreshold: 5
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 10
        livenessProbe:
          httpGet:
            path: /healthz
            port: metrics
          failureThreshold: 5
          initialDelaySeconds: 5
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 30
        resources:
          requests:
            cpu: 10m
            memory: 16Mi
          limits:
            cpu: 50m
            memory: 64Mi
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# /ethereum-2/external-dns/sa-external-dns.yaml
# ------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
  annotations:
    iam.gke.io/gcp-service-account: external-dns@allyoucanstake-dev.iam.gserviceaccount.com

---

# Cluster-wide read of nodes is all that --source=node needs; this is a
# minimal grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns-2
  labels:
    app.kubernetes.io/name: external-dns
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-2
  labels:
    app.kubernetes.io/name: external-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns-2
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: ethereum-2

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
spec:
  displayName: ExternalDNS

---

# NOTE(review): project-scoped roles/dns.admin — the same over-broad grant noted
# for cert-manager. The TXT-registry ownership check is enforced by external-dns
# itself, not by IAM, so a compromised pod could rewrite any zone in the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
spec:
  member: serviceAccount:external-dns@allyoucanstake-dev.iam.gserviceaccount.com
  role: roles/dns.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/allyoucanstake-dev

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: external-dns
  bindings:
  - role: roles/iam.workloadIdentityUser
    members:
    - serviceAccount:allyoucanstake-dev.svc.id.goog[ethereum-2/external-dns]

# ------------------------------------------------------------------------------
# /ethereum-2/external-dns/vpa-external-dns.yaml
# ------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: external-dns
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: external-dns
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: external-dns
  resourcePolicy:
    containerPolicies:
    - containerName: external-dns
      minAllowed:
        cpu: 10m
        memory: 10Mi
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/flux/depl-flux.yaml
# ------------------------------------------------------------------------------
# Flux v1 GitOps operator. Together with the cluster-admin-equivalent
# ClusterRole in sa-flux.yaml, whoever can push to the configured branch
# controls the whole cluster; protect that branch (reviews, signed commits) as
# you would a cluster credential.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: flux
    app.kubernetes.io/version: "1.22.0"
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: flux
  template:
    metadata:
      labels:
        app.kubernetes.io/name: flux
        app.kubernetes.io/version: "1.22.0"
    spec:
      serviceAccountName: flux
      containers:
      - name: flux
        image: docker.io/fluxcd/flux:1.22.0
        args:
        - --git-url=git@github.com:linki/ethereum-deploy
        - --git-branch=master
        - --git-path=ethereum-2
        - --git-label=flux-sync
        - --git-user=Flux automation
        - --git-email=linki@users.noreply.github.com
        # Flux never writes back to the repo; the SSH key only needs read access.
        - --git-readonly
        - --k8s-secret-name=flux
        - --sync-garbage-collection
        - --registry-disable-scanning
        - --listen-metrics=:3031
        ports:
        # NOTE(review): the Flux API on 3030 has no authentication of its own and
        # no NetworkPolicy for it appears on this page; anything on the cluster
        # network can reach it unless a policy elsewhere restricts it.
        - name: api
          containerPort: 3030
        - name: metrics
          containerPort: 3031
        readinessProbe:
          httpGet:
            path: /api/flux/v6/identity.pub
            port: api
          failureThreshold: 5
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 10
        livenessProbe:
          httpGet:
            path: /api/flux/v6/identity.pub
            port: api
          failureThreshold: 5
          initialDelaySeconds: 5
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 30
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 20m
            memory: 64Mi
        volumeMounts:
        - name: git-key
          mountPath: /etc/fluxd/ssh
          readOnly: true
        # NOTE(review): no securityContext here, unlike the other workloads on
        # this page (runAsNonRoot, readOnlyRootFilesystem, drop ALL). Given the
        # privileges of this SA, this container deserves the same hardening;
        # if a runAsUser is added, the 0400 key below must be readable by it.
      volumes:
      - name: git-key
        secret:
          secretName: flux
          defaultMode: 0400

# ------------------------------------------------------------------------------
# /ethereum-2/flux/sa-flux.yaml
# ------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flux
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: flux

---

# NOTE(review): '*' on every resource, verb and non-resource URL is equivalent
# to cluster-admin. Flux v1 needs broad rights to apply arbitrary manifests, but
# it could be confined to the namespaces it manages (--git-path=ethereum-2) with
# namespaced Roles plus a narrow ClusterRole for cluster-scoped kinds, which
# also bounds what a compromised git branch can do.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-2
  labels:
    app.kubernetes.io/name: flux
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ['*']
  - nonResourceURLs: ['*']
    verbs: ['*']

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flux-2
  labels:
    app.kubernetes.io/name: flux
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux-2
subjects:
- kind: ServiceAccount
  name: flux
  namespace: ethereum-2
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# /ethereum-2/flux/sec-flux.yaml
# ------------------------------------------------------------------------------
# Flux's git SSH key, committed as KMS ciphertext; the encrypted-secrets
# operator decrypts it into the Secret "flux" that depl-flux.yaml mounts.
apiVersion: k8s.linki.space/v1alpha1
kind: EncryptedSecret
metadata:
  name: flux
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: flux
spec:
  provider: GCP
  # NOTE(review): project/location are not part of this key path; presumably
  # the operator supplies them — confirm, since a wrong resolution would fail
  # closed but silently block Flux.
  keyID: keyRings/ethereum-2/cryptoKeys/flux
  data:
    identity: 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

# ------------------------------------------------------------------------------
# /ethereum-2/flux/vpa-flux.yaml
# ------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: flux
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: flux
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: flux
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/grafana/cert-grafana.yaml
# ------------------------------------------------------------------------------
# Publicly trusted certificate for the Grafana UI (Let's Encrypt issuer).
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: grafana-tls
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  secretName: grafana-tls
  dnsNames:
  - grafana.allyoucanstake.com
  issuerRef:
    name: letsencrypt

# ------------------------------------------------------------------------------
# /ethereum-2/grafana/fw-grafana.yaml
# ------------------------------------------------------------------------------
# Opens the Grafana NodePort (see svc-grafana.yaml) on the cluster nodes.
# NOTE(review): no sourceRanges/sourceTags are set, so by GCE defaults this
# rule admits traffic from any source (0.0.0.0/0). Grafana is then reachable
# from the internet on every node; restrict sourceRanges to the operator's
# networks or put the UI behind an authenticated proxy.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  allow:
  - protocol: tcp
    ports:
    - "30300"
  networkRef:
    external: allyoucanstake-dev
  targetServiceAccounts:
  - external: allyoucanstake-dev@allyoucanstake-dev.iam.gserviceaccount.com

# ------------------------------------------------------------------------------
# /ethereum-2/grafana/sa-grafana.yaml
# ------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
  annotations:
    iam.gke.io/gcp-service-account: grafana@allyoucanstake-dev.iam.gserviceaccount.com
# Good: Grafana does not need the Kubernetes API; no token is mounted.
automountServiceAccountToken: false

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  displayName: Grafana

---

# Read-only Cloud Monitoring access (for the Stackdriver data source); a
# read-only role is appropriate for an internet-facing UI.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  member: serviceAccount:grafana@allyoucanstake-dev.iam.gserviceaccount.com
  role: roles/monitoring.viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/allyoucanstake-dev

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: grafana
  bindings:
  - role: roles/iam.workloadIdentityUser
    members:
    - serviceAccount:allyoucanstake-dev.svc.id.goog[ethereum-2/grafana]

# ------------------------------------------------------------------------------
# /ethereum-2/grafana/sts-grafana.yaml
# ------------------------------------------------------------------------------
# Grafana served over HTTPS (h2) directly from the pod with the Let's Encrypt
# certificate above. Authentication/sign-up settings are not on this page;
# since the UI is internet-reachable, verify GF_AUTH_* / admin password handling.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/version: "7.5.0"
spec:
  serviceName: grafana
  selector:
    matchLabels:
      app.kubernetes.io/name: grafana
  template:
    metadata:
      labels:
        app.kubernetes.io/name: grafana
        app.kubernetes.io/version: "7.5.0"
    spec:
      serviceAccountName: grafana
      containers:
      - name: grafana
        image: docker.io/grafana/grafana:7.5.0
        env:
        - name: GF_SERVER_PROTOCOL
          value: h2
        - name: GF_SERVER_CERT_KEY
          value: /etc/tls/tls.key
        - name: GF_SERVER_CERT_FILE
          value: /etc/tls/tls.crt
        ports:
        - name: http
          containerPort: 3000
        resources:
          requests:
            cpu: 50m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/tls
          name: tls
          readOnly: true
        - mountPath: /var/lib/grafana
          name: data
        readinessProbe:
          httpGet:
            path: /api/health
            port: http
            scheme: HTTPS
          failureThreshold: 5
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        livenessProbe:
          httpGet:
            path: /api/health
            port: http
            scheme: HTTPS
          failureThreshold: 5
          initialDelaySeconds: 600
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 30
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      securityContext:
        fsGroup: 65534
      terminationGracePeriodSeconds: 300
      volumes:
      - name: tls
        secret:
          secretName: grafana-tls
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      storageClassName: standard-rwo
      accessModes:
      - ReadWriteOnce
      volumeMode: Filesystem
      resources:
        requests:
          storage: 1Gi
# ------------------------------------------------------------------------------
# /ethereum-2/grafana/svc-grafana.yaml
# ------------------------------------------------------------------------------
# NodePort 30300 matches the ComputeFirewall in fw-grafana.yaml; this is the
# public entry point for Grafana.
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: grafana
  ports:
  - name: http
    port: 3000
    nodePort: 30300
    targetPort: http

# ------------------------------------------------------------------------------
# /ethereum-2/grafana/vpa-grafana.yaml
# ------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: grafana
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: grafana
spec:
  targetRef:
    apiVersion: apps/v1
    kind: StatefulSet
    name: grafana
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/jaeger/cm-jaeger.yaml
# ------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: jaeger-ui-configuration
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
data:
  ui: '{"menu":[{"items":[{"label":"Documentation","url":"https://www.jaegertracing.io/docs/1.18"}],"label":"About"}]}'

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: jaeger-sampling-configuration
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
data:
  # probabilistic with param 1 = every trace is sampled
  sampling: '{"default_strategy":{"param":1,"type":"probabilistic"}}'

# ------------------------------------------------------------------------------
# /ethereum-2/jaeger/depl-jaeger.yaml
# ------------------------------------------------------------------------------
# Jaeger all-in-one with in-memory span storage (traces are lost on restart).
# NOTE(review): unlike the other workloads on this page, this pod has no
# securityContext (non-root, read-only root FS, dropped capabilities) and the
# SA token is auto-mounted although nothing here uses the API; align it with
# the kube-state-metrics/encrypted-secrets pattern.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jaeger
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
    app.kubernetes.io/version: "1.22.0"
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: jaeger
  template:
    metadata:
      labels:
        app.kubernetes.io/name: jaeger
        app.kubernetes.io/version: "1.22.0"
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "14269"
    spec:
      containers:
      - args:
        - --query.ui-config=/etc/config/ui.json
        - --sampling.strategies-file=/etc/jaeger/sampling/sampling.json
        env:
        - name: SPAN_STORAGE_TYPE
          value: memory
        - name: COLLECTOR_ZIPKIN_HTTP_PORT
          value: "9411"
        image: docker.io/jaegertracing/all-in-one:1.22.0
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /
            port: 14269
          initialDelaySeconds: 5
          periodSeconds: 15
        name: jaeger
        # NOTE(review): the collector ports accept unauthenticated spans and the
        # query UI (16686) has no auth; no NetworkPolicy for jaeger is on this
        # page, so any pod in the cluster can submit or read traces.
        ports:
        - containerPort: 5775
          name: zk-compact-trft
          protocol: UDP
        - containerPort: 5778
          name: config-rest
        - containerPort: 6831
          name: jg-compact-trft
          protocol: UDP
        - containerPort: 6832
          name: jg-binary-trft
          protocol: UDP
        - containerPort: 9411
          name: zipkin
        - containerPort: 14267
          name: c-tchan-trft
        - containerPort: 14268
          name: c-binary-trft
        - containerPort: 16686
          name: query
        - containerPort: 14269
          name: admin-http
        - containerPort: 14250
          name: grpc
        readinessProbe:
          httpGet:
            path: /
            port: 14269
          initialDelaySeconds: 1
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 50m
            memory: 128Mi
        volumeMounts:
        - mountPath: /etc/config
          name: jaeger-ui-configuration-volume
          readOnly: true
        - mountPath: /etc/jaeger/sampling
          name: jaeger-sampling-configuration-volume
          readOnly: true
      serviceAccountName: jaeger
      volumes:
      - configMap:
          items:
          - key: ui
            path: ui.json
          name: jaeger-ui-configuration
        name: jaeger-ui-configuration-volume
      - configMap:
          items:
          - key: sampling
            path: sampling.json
          name: jaeger-sampling-configuration
        name: jaeger-sampling-configuration-volume

# ------------------------------------------------------------------------------
# /ethereum-2/jaeger/sa-jaeger.yaml
# ------------------------------------------------------------------------------
# NOTE(review): no RBAC is bound to this SA; setting
# automountServiceAccountToken: false (as eth2stats and grafana do) would keep
# a useless token out of the pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jaeger
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger

# ------------------------------------------------------------------------------
# /ethereum-2/jaeger/svc-jaeger.yaml
# ------------------------------------------------------------------------------
# NOTE(review): "targetPort: 0" appears on most ports below; presumably it is
# treated as "same as port" — verify, since a literal 0 would route nowhere.
apiVersion: v1
kind: Service
metadata:
  name: jaeger-collector-headless
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
spec:
  clusterIP: None
  ports:
  - name: http-zipkin
    port: 9411
    targetPort: 0
  - name: http-grpc
    port: 14250
    targetPort: 0
  - name: c-tchan-trft
    port: 14267
    targetPort: 0
  - name: http-c-binary-trft
    port: 14268
    targetPort: 0
  selector:
    app.kubernetes.io/name: jaeger

---

apiVersion: v1
kind: Service
metadata:
  name: jaeger-collector
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
spec:
  ports:
  - name: http-zipkin
    port: 9411
    targetPort: 0
  - name: http-grpc
    port: 14250
    targetPort: 0
  - name: c-tchan-trft
    port: 14267
    targetPort: 0
  - name: http-c-binary-trft
    port: 14268
    targetPort: 0
  selector:
    app.kubernetes.io/name: jaeger

---

# ClusterIP only: the Jaeger UI is not exposed outside the cluster here.
apiVersion: v1
kind: Service
metadata:
  name: jaeger-query
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
spec:
  ports:
  - name: http-query
    port: 16686
    targetPort: 16686
  selector:
    app.kubernetes.io/name: jaeger

---

apiVersion: v1
kind: Service
metadata:
  name: jaeger-agent
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
spec:
  clusterIP: None
  ports:
  - name: zk-compact-trft
    port: 5775
    protocol: UDP
    targetPort: 0
  - name: config-rest
    port: 5778
    targetPort: 0
  - name: jg-compact-trft
    port: 6831
    protocol: UDP
    targetPort: 0
  - name: jg-binary-trft
    port: 6832
    protocol: UDP
    targetPort: 0
  selector:
    app.kubernetes.io/name: jaeger

# ------------------------------------------------------------------------------
# /ethereum-2/jaeger/vpa-jaeger.yaml
# ------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: jaeger
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: jaeger
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: jaeger
  updatePolicy:
    updateMode: Auto

# ------------------------------------------------------------------------------
# /ethereum-2/kube-state-metrics/depl-kube-state-metrics.yaml
# ------------------------------------------------------------------------------
# kube-state-metrics exporter; hardened container, scraped by prometheus on
# 8080 (see the NetworkPolicy below).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-state-metrics
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/version: v1.9.8
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-state-metrics
        app.kubernetes.io/version: v1.9.8
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8080'
    spec:
      serviceAccountName: kube-state-metrics
      containers:
      - name: kube-state-metrics
        image: quay.io/coreos/kube-state-metrics:v1.9.8
        ports:
        - name: metrics
          containerPort: 8080
        - name: telemetry
          containerPort: 8081
        readinessProbe:
          httpGet:
            path: /
            port: telemetry
          initialDelaySeconds: 5
          timeoutSeconds: 5
        livenessProbe:
          httpGet:
            path: /healthz
            port: metrics
          initialDelaySeconds: 5
          timeoutSeconds: 5
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 50m
            memory: 128Mi
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]

# ------------------------------------------------------------------------------
# /ethereum-2/kube-state-metrics/np-kube-state-metrics.yaml
# ------------------------------------------------------------------------------
# Ingress allow-list: only prometheus pods may reach the metrics port. Whether
# kubelet probes (which hit 8080/8081 from the node) are affected depends on
# the CNI's policy enforcement — verify probes keep passing after changes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kube-state-metrics
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: kube-state-metrics
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  policyTypes:
  - Ingress
  ingress:
  # allow prometheus to scrape the metrics endpoint
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: prometheus
    ports:
    - protocol: TCP
      port: 8080

# ------------------------------------------------------------------------------
# /ethereum-2/kube-state-metrics/sa-kube-state-metrics.yaml
# ------------------------------------------------------------------------------
# (file continues beyond this view)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-state-metrics
  namespace: ethereum-2
  labels:
app.kubernetes.io/name: kube-state-metrics

---

# Cluster-wide, read-only (list/watch) access for kube-state-metrics v1.9.8.
# The only write verbs in this role are the two `create` rules on review
# objects further down.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-state-metrics
  labels:
    app.kubernetes.io/name: kube-state-metrics
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      # NOTE(review): list/watch return whole objects, not just metadata, so
      # this service account can read the contents of every Secret in the
      # cluster (the validator `keystore` Secret in this namespace included)
      # even though kube-state-metrics only exports metadata. Keep `secrets`
      # only if the kube_secret_* metrics are consumed; otherwise remove it
      # here and leave the collector out via the --resources flag.
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs:
      - list
      - watch
  # Kubernetes 1.16 stopped serving daemonsets/deployments/replicasets from
  # the `extensions` group (ingresses followed in 1.22); on such clusters this
  # rule is inert and the apps/networking.k8s.io rules below cover the kinds.
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs:
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - daemonsets
      - deployments
      - replicasets
    verbs:
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - list
      - watch
  # NOTE(review): `create` on tokenreviews/subjectaccessreviews is what a
  # delegated-auth proxy in front of the metrics port (kube-rbac-proxy and
  # the like) needs. depl-kube-state-metrics.yaml runs a single container and
  # np-kube-state-metrics.yaml admits prometheus on 8080 with no
  # authentication in between, so these two rules look unused here — confirm
  # and drop them if so.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - list
      - watch
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
      - volumeattachments
    verbs:
      - list
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - list
      - watch

---

# Binds the cluster-wide role above to the namespaced service account. The
# account's token has to stay mounted (the ServiceAccount above does not set
# automountServiceAccountToken: false) because kube-state-metrics talks to
# the API server with it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-state-metrics
  labels:
    app.kubernetes.io/name: kube-state-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-state-metrics
subjects:
  - kind: ServiceAccount
    name: kube-state-metrics
    namespace: ethereum-2
--------------------------------------------------------------------------------
/ethereum-2/kube-state-metrics/svc-kube-state-metrics.yaml:
--------------------------------------------------------------------------------
# Headless service (clusterIP: None): DNS resolves straight to the pod IPs.
# np-kube-state-metrics.yaml admits only prometheus, and only on 8080; the
# telemetry port 8081 is not admitted for any pod.
apiVersion: v1
kind: Service
metadata:
  name: kube-state-metrics
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: kube-state-metrics
spec:
  clusterIP: None
  selector:
    app.kubernetes.io/name: kube-state-metrics
  ports:
    - name: metrics
      port: 8080
      targetPort: metrics
    - name: telemetry
      port: 8081
      targetPort: telemetry
--------------------------------------------------------------------------------
/ethereum-2/kube-state-metrics/vpa-kube-state-metrics.yaml:
--------------------------------------------------------------------------------
# updateMode: Auto lets the VPA evict and recreate the pod to apply new
# resource recommendations; the Deployment has no replica count set, so
# expect short scrape gaps on each adjustment.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: kube-state-metrics
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: kube-state-metrics
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: kube-state-metrics
  updatePolicy:
    updateMode: Auto
--------------------------------------------------------------------------------
/ethereum-2/prometheus-to-sd/depl-prometheus-to-sd.yaml:
--------------------------------------------------------------------------------
# prometheus-to-sd v0.9.2: pulls the three Prysm /metrics endpoints over
# plain in-cluster HTTP and pushes them to Cloud Monitoring (Stackdriver).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus-to-sd
    app.kubernetes.io/version: v0.9.2
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus-to-sd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: prometheus-to-sd
        app.kubernetes.io/version: v0.9.2
    spec:
      # GCP credentials come from Workload Identity on this service account
      # (sa-prometheus-to-sd.yaml); no Kubernetes API access is used here.
      serviceAccountName: prometheus-to-sd
      containers:
        - name: prometheus-to-sd
          image: k8s.gcr.io/prometheus-to-sd:v0.9.2
          ports:
            # NOTE(review): containerPort is declarative and restricts
            # nothing. No NetworkPolicy selecting prometheus-to-sd is visible
            # in this chunk, so whatever listens on 6060 is reachable from any
            # pod that can route to it — confirm that is intended.
            - name: profiler
              containerPort: 6060
          command:
            - /monitor
            - --stackdriver-prefix=custom.googleapis.com
            - --monitored-resource-type-prefix=k8s_
            # Targets are scraped over plain HTTP by Service name; the slasher
            # and validator NetworkPolicies admit this pod on 8082 and 8081
            # respectively.
            - --source=ethereum-beacon-chain:http://beacon-chain:8080/metrics?metricsPrefix=custom.googleapis.com
            - --source=ethereum-slasher:http://slasher:8082/metrics?metricsPrefix=custom.googleapis.com
            - --source=ethereum-validator:http://validator:8081/metrics?metricsPrefix=custom.googleapis.com
            # $(POD_NAME) / $(POD_NAMESPACE) are expanded by Kubernetes from
            # the downward-API env entries below.
            - --pod-id=$(POD_NAME)
            - --namespace-id=$(POD_NAMESPACE)
            - --delayed-shutdown-timeout=0s
            # can probably be removed in v0.9.3
            - --cluster-location=europe-west6-c
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 20m
              memory: 64Mi
          # Hardened defaults shared by the other workloads in this repo:
          # unprivileged nobody uid, read-only root fs, no capabilities.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
--------------------------------------------------------------------------------
/ethereum-2/prometheus-to-sd/sa-prometheus-to-sd.yaml:
--------------------------------------------------------------------------------
apiVersion:
v1
kind: ServiceAccount
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus-to-sd
  annotations:
    # GKE Workload Identity: pods running as this KSA obtain the Google
    # service account's credentials from the GKE metadata server, so the
    # Kubernetes token is not needed and is left unmounted below.
    iam.gke.io/gcp-service-account: prometheus-to-sd@allyoucanstake-dev.iam.gserviceaccount.com
automountServiceAccountToken: false

---

# The GCP side of the identity is managed in-cluster via Config Connector.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus-to-sd
spec:
  displayName: Prometheus to Stackdriver

---

# Project-level grant limited to writing monitoring data; metricWriter has no
# read or admin permissions, which is all a push-only exporter needs.
# IAMPolicyMember is additive — it leaves other bindings on the project alone.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus-to-sd
spec:
  member: serviceAccount:prometheus-to-sd@allyoucanstake-dev.iam.gserviceaccount.com
  role: roles/monitoring.metricWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/allyoucanstake-dev

---

# IAMPolicy is authoritative for the GSA's own policy: only the KSA
# ethereum-2/prometheus-to-sd may impersonate it through workloadIdentityUser,
# and any binding added out of band is removed on the next reconcile.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus-to-sd
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: prometheus-to-sd
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:allyoucanstake-dev.svc.id.goog[ethereum-2/prometheus-to-sd]
--------------------------------------------------------------------------------
/ethereum-2/prometheus-to-sd/vpa-prometheus-to-sd.yaml:
--------------------------------------------------------------------------------
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: prometheus-to-sd
  namespace: ethereum-2
  labels:
app.kubernetes.io/name: prometheus-to-sd 8 | spec: 9 | targetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: prometheus-to-sd 13 | updatePolicy: 14 | updateMode: Auto 15 | -------------------------------------------------------------------------------- /ethereum-2/prometheus/cm-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: prometheus 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: prometheus 8 | data: 9 | alerting_rules.yml: | 10 | groups: 11 | - name: generic 12 | rules: 13 | - alert: PodDown 14 | expr: up == 0 15 | for: 5m 16 | labels: 17 | severity: page 18 | annotations: 19 | summary: "Pod {{ $labels.kubernetes_pod_name }} down" 20 | description: "{{ $labels.kubernetes_pod_name }} of application {{ $labels.app_kubernetes_io_name }} has been down for more than 5 minutes." 21 | 22 | - alert: ContainerNotRunning 23 | expr: | 24 | kube_pod_container_status_running != 1 25 | for: 5m 26 | annotations: 27 | summary: "Container {{ $labels.container }} not running" 28 | description: "{{ $labels.container }} of Pod {{ $labels.pod }} has been down for more than 5 minutes." 29 | 30 | - name: kube-state-metrics 31 | rules: 32 | - alert: KubeStateMetricsListErrors 33 | annotations: 34 | message: kube-state-metrics is experiencing errors at an elevated rate in list 35 | operations. This is likely causing it to not be able to expose metrics about 36 | Kubernetes objects correctly or at all. 37 | expr: | 38 | (sum(rate(kube_state_metrics_list_total{job="kube-state-metrics",result="error"}[5m])) 39 | / 40 | sum(rate(kube_state_metrics_list_total{job="kube-state-metrics"}[5m]))) 41 | > 0.01 42 | for: 15m 43 | labels: 44 | severity: critical 45 | - alert: KubeStateMetricsWatchErrors 46 | annotations: 47 | message: kube-state-metrics is experiencing errors at an elevated rate in watch 48 | operations. 
This is likely causing it to not be able to expose metrics about 49 | Kubernetes objects correctly or at all. 50 | expr: | 51 | (sum(rate(kube_state_metrics_watch_total{job="kube-state-metrics",result="error"}[5m])) 52 | / 53 | sum(rate(kube_state_metrics_watch_total{job="kube-state-metrics"}[5m]))) 54 | > 0.01 55 | for: 15m 56 | labels: 57 | severity: critical 58 | 59 | 60 | prometheus.yml: | 61 | rule_files: 62 | - /etc/prometheus/alerting_rules.yml 63 | 64 | scrape_configs: 65 | 66 | - job_name: kubernetes-cadvisor 67 | scheme: https 68 | tls_config: 69 | ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 70 | bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 71 | kubernetes_sd_configs: 72 | - role: node 73 | relabel_configs: 74 | - action: labelmap 75 | regex: __meta_kubernetes_node_label_(.+) 76 | - target_label: __address__ 77 | replacement: kubernetes.default.svc:443 78 | - source_labels: [__meta_kubernetes_node_name] 79 | regex: (.+) 80 | target_label: __metrics_path__ 81 | replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor 82 | 83 | - job_name: kubernetes-pods 84 | kubernetes_sd_configs: 85 | - role: pod 86 | relabel_configs: 87 | - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 88 | action: keep 89 | regex: true 90 | - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 91 | action: replace 92 | target_label: __metrics_path__ 93 | regex: (.+) 94 | - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 95 | action: replace 96 | regex: ([^:]+)(?::\d+)?;(\d+) 97 | replacement: $1:$2 98 | target_label: __address__ 99 | - action: labelmap 100 | regex: __meta_kubernetes_pod_label_(.+) 101 | - source_labels: [__meta_kubernetes_namespace] 102 | action: replace 103 | target_label: kubernetes_namespace 104 | - source_labels: [__meta_kubernetes_pod_name] 105 | action: replace 106 | target_label: kubernetes_pod_name 107 | 
--------------------------------------------------------------------------------
/ethereum-2/prometheus/np-prometheus.yaml:
--------------------------------------------------------------------------------
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: prometheus
  # Ingress only: this limits who can reach prometheus. Its outbound scrapes
  # are not policed here (no Egress policyType).
  policyTypes:
    - Ingress
  ingress:
    # allow grafana to collect metrics
    # Any other source — including the Prysm pods prometheus itself scrapes —
    # is denied on 9090, so the query API/UI is not reachable from other
    # workloads.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: grafana
      ports:
        - protocol: TCP
          port: 9090
--------------------------------------------------------------------------------
/ethereum-2/prometheus/sa-prometheus.yaml:
--------------------------------------------------------------------------------
# The token of this account stays mounted on purpose: cm-prometheus.yaml
# reads it from bearer_token_file for the kubernetes-cadvisor job and uses it
# for service discovery.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: prometheus

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
  labels:
    app.kubernetes.io/name: prometheus
rules:
  # Read-only discovery for the pod and node scrape jobs in cm-prometheus.yaml.
  - apiGroups: [""]
    resources:
      - nodes
      # NOTE(review): nodes/proxy lets the holder call the kubelet API of any
      # node through the API server proxy. cm-prometheus.yaml needs it for
      # /proxy/metrics/cadvisor, but the verb is not scoped to that path, so
      # treat this token as node-level read access when assessing blast radius.
      - nodes/proxy
      - services
      - endpoints
      - pods
    verbs: ["get", "list", "watch"]
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]
  # GET on the API server's own /metrics. No scrape job in cm-prometheus.yaml
  # targets it — presumably kept for an apiserver job; confirm or drop.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
  labels:
    app.kubernetes.io/name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: ethereum-2
-------------------------------------------------------------------------------- /ethereum-2/prometheus/sts-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: prometheus 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/version: v2.25.2 9 | spec: 10 | serviceName: prometheus 11 | selector: 12 | matchLabels: 13 | app.kubernetes.io/name: prometheus 14 | template: 15 | metadata: 16 | labels: 17 | app.kubernetes.io/name: prometheus 18 | app.kubernetes.io/version: v2.25.2 19 | spec: 20 | serviceAccountName: prometheus 21 | containers: 22 | - name: prometheus 23 | image: docker.io/prom/prometheus:v2.25.2 24 | args: 25 | - --config.file=/etc/prometheus/prometheus.yml 26 | - --storage.tsdb.path=/var/lib/prometheus 27 | ports: 28 | - name: metrics 29 | containerPort: 9090 30 | resources: 31 | requests: 32 | cpu: 50m 33 | memory: 250Mi 34 | limits: 35 | cpu: 100m 36 | memory: 500Mi 37 | volumeMounts: 38 | - name: config 39 | mountPath: /etc/prometheus/prometheus.yml 40 | subPath: prometheus.yml 41 | readOnly: true 42 | - name: config 43 | mountPath: /etc/prometheus/alerting_rules.yml 44 | subPath: alerting_rules.yml 45 | readOnly: true 46 | - mountPath: /var/lib/prometheus 47 | name: data 48 | readinessProbe: 49 | httpGet: 50 | path: /-/ready 51 | port: metrics 52 | failureThreshold: 5 53 | initialDelaySeconds: 60 54 | periodSeconds: 10 55 | successThreshold: 1 56 | timeoutSeconds: 30 57 | livenessProbe: 58 | httpGet: 59 | path: /-/healthy 60 | port: metrics 61 | failureThreshold: 5 62 | initialDelaySeconds: 600 63 | periodSeconds: 60 64 | successThreshold: 1 65 | timeoutSeconds: 30 66 | securityContext: 67 | runAsNonRoot: true 68 | runAsUser: 65534 69 | readOnlyRootFilesystem: true 70 | capabilities: 71 | drop: ["ALL"] 72 | securityContext: 73 | fsGroup: 65534 74 | terminationGracePeriodSeconds: 300 75 | 
volumes: 76 | - name: config 77 | configMap: 78 | name: prometheus 79 | volumeClaimTemplates: 80 | - metadata: 81 | name: data 82 | spec: 83 | storageClassName: standard-rwo 84 | accessModes: 85 | - ReadWriteOnce 86 | volumeMode: Filesystem 87 | resources: 88 | requests: 89 | storage: 2Gi 90 | -------------------------------------------------------------------------------- /ethereum-2/prometheus/svc-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: prometheus 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: prometheus 8 | spec: 9 | selector: 10 | app.kubernetes.io/name: prometheus 11 | ports: 12 | - name: metrics 13 | port: 9090 14 | targetPort: metrics 15 | -------------------------------------------------------------------------------- /ethereum-2/prometheus/vpa-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: autoscaling.k8s.io/v1 2 | kind: VerticalPodAutoscaler 3 | metadata: 4 | name: prometheus 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: prometheus 8 | spec: 9 | targetRef: 10 | apiVersion: apps/v1 11 | kind: StatefulSet 12 | name: prometheus 13 | updatePolicy: 14 | updateMode: Auto 15 | -------------------------------------------------------------------------------- /ethereum-2/slasher/cert-slasher-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1alpha2 2 | kind: Certificate 3 | metadata: 4 | name: slasher-tls 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: slasher 8 | spec: 9 | secretName: slasher-tls 10 | dnsNames: 11 | - slasher 12 | issuerRef: 13 | name: cert-manager 14 | -------------------------------------------------------------------------------- /ethereum-2/slasher/np-slasher.yaml: 
--------------------------------------------------------------------------------
/ethereum-2/slasher/np-slasher.yaml:
--------------------------------------------------------------------------------
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: slasher
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: slasher
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: slasher
  # Ingress only; the slasher's outbound gRPC to beacon-chain:4000 and its
  # trace export to jaeger-collector are not restricted here.
  policyTypes:
    - Ingress
  ingress:
    # allow the beacon chain to connect to the rpc endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: beacon-chain
      ports:
        - protocol: TCP
          port: 4002
    # allow the validator to connect to the rpc endpoint
    # (sts-validator.yaml currently has its --slasher-rpc-provider args
    # commented out, so this rule is unused until that is enabled.)
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: validator
      ports:
        - protocol: TCP
          port: 4002
    # allow prometheus to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 8082
    # allow prometheus-to-sd to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus-to-sd
      ports:
        - protocol: TCP
          port: 8082
--------------------------------------------------------------------------------
/ethereum-2/slasher/sa-slasher.yaml:
--------------------------------------------------------------------------------
# The slasher does not talk to the Kubernetes API (no Role/ClusterRole binding
# for it appears in this chunk), so the token is kept out of the pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: slasher
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: slasher
automountServiceAccountToken: false
--------------------------------------------------------------------------------
/ethereum-2/slasher/sts-slasher.yaml:
--------------------------------------------------------------------------------
# Prysm slasher v1.0.0-beta.3 as a single-replica StatefulSet with its own PVC.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: slasher
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: slasher
    app.kubernetes.io/version: v1.0.0-beta.3
spec:
serviceName: slasher 11 | selector: 12 | matchLabels: 13 | app.kubernetes.io/name: slasher 14 | template: 15 | metadata: 16 | labels: 17 | app.kubernetes.io/name: slasher 18 | app.kubernetes.io/version: v1.0.0-beta.3 19 | annotations: 20 | prometheus.io/scrape: 'true' 21 | prometheus.io/port: '8082' 22 | spec: 23 | serviceAccountName: slasher 24 | containers: 25 | - name: slasher 26 | image: gcr.io/prysmaticlabs/prysm/slasher:v1.0.0-beta.3 27 | args: 28 | - --accept-terms-of-use 29 | - --beacon-rpc-provider=beacon-chain:4000 30 | - --beacon-tls-cert=/etc/tls/ca.crt 31 | - --datadir=/var/lib/slasher 32 | - --rpc-host=$(POD_IP) 33 | - --tls-key=/etc/tls/tls.key 34 | - --tls-cert=/etc/tls/tls.crt 35 | - --monitoring-host=$(POD_IP) 36 | - --enable-tracing 37 | - --tracing-endpoint=http://jaeger-collector:14268/api/traces 38 | # enabling this requires --enable-new-state-mgmt in beacon-chain 39 | # - --enable-historical-detection 40 | env: 41 | - name: POD_IP 42 | valueFrom: 43 | fieldRef: 44 | fieldPath: status.podIP 45 | ports: 46 | - name: rpc 47 | containerPort: 4002 48 | - name: metrics 49 | containerPort: 8082 50 | resources: 51 | requests: 52 | cpu: 50m 53 | memory: 128Mi 54 | limits: 55 | cpu: 100m 56 | memory: 256Mi 57 | volumeMounts: 58 | - mountPath: /etc/tls 59 | name: tls 60 | readOnly: true 61 | - mountPath: /var/lib/slasher 62 | name: data 63 | readinessProbe: 64 | httpGet: 65 | path: /healthz 66 | port: metrics 67 | failureThreshold: 5 68 | initialDelaySeconds: 5 69 | periodSeconds: 10 70 | successThreshold: 1 71 | timeoutSeconds: 10 72 | livenessProbe: 73 | httpGet: 74 | path: /healthz 75 | port: metrics 76 | failureThreshold: 5 77 | initialDelaySeconds: 5 78 | periodSeconds: 60 79 | successThreshold: 1 80 | timeoutSeconds: 30 81 | securityContext: 82 | runAsNonRoot: true 83 | runAsUser: 65534 84 | readOnlyRootFilesystem: true 85 | capabilities: 86 | drop: ["ALL"] 87 | securityContext: 88 | fsGroup: 65534 89 | terminationGracePeriodSeconds: 300 90 | 
volumes: 91 | - name: tls 92 | secret: 93 | secretName: slasher-tls 94 | volumeClaimTemplates: 95 | - metadata: 96 | name: data 97 | spec: 98 | storageClassName: standard-rwo 99 | accessModes: 100 | - ReadWriteOnce 101 | volumeMode: Filesystem 102 | resources: 103 | requests: 104 | storage: 3Gi 105 | -------------------------------------------------------------------------------- /ethereum-2/slasher/svc-slasher.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: slasher 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: slasher 8 | spec: 9 | selector: 10 | app.kubernetes.io/name: slasher 11 | ports: 12 | - name: rpc 13 | port: 4002 14 | targetPort: rpc 15 | - name: metrics 16 | port: 8082 17 | targetPort: metrics 18 | -------------------------------------------------------------------------------- /ethereum-2/slasher/vpa-slasher.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: autoscaling.k8s.io/v1 2 | kind: VerticalPodAutoscaler 3 | metadata: 4 | name: slasher 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: slasher 8 | spec: 9 | targetRef: 10 | apiVersion: apps/v1 11 | kind: StatefulSet 12 | name: slasher 13 | updatePolicy: 14 | updateMode: Auto 15 | -------------------------------------------------------------------------------- /ethereum-2/validator/cert-validator-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1alpha2 2 | kind: Certificate 3 | metadata: 4 | name: validator-tls 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: validator 8 | spec: 9 | secretName: validator-tls 10 | dnsNames: 11 | - validator 12 | issuerRef: 13 | name: cert-manager 14 | -------------------------------------------------------------------------------- /ethereum-2/validator/np-validator.yaml: 
--------------------------------------------------------------------------------
/ethereum-2/validator/np-validator.yaml:
--------------------------------------------------------------------------------
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: validator
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: validator
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: validator
  # Ingress only. The validator exposes nothing but its metrics port, so the
  # two scrapers below are the complete allow-list; everything else is denied.
  policyTypes:
    - Ingress
  ingress:
    # allow prometheus to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 8081
    # allow prometheus-to-sd to scrape the metrics endpoint
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus-to-sd
      ports:
        - protocol: TCP
          port: 8081
--------------------------------------------------------------------------------
/ethereum-2/validator/sa-validator.yaml:
--------------------------------------------------------------------------------
# No Kubernetes API use by the validator, so its token is not mounted.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: validator
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: validator
automountServiceAccountToken: false
--------------------------------------------------------------------------------
/ethereum-2/validator/sec-validator.yaml:
--------------------------------------------------------------------------------
# Ciphertexts committed to the repository. The encrypted-secrets controller
# (provider GCP) is expected to decrypt them with the KMS key below and
# materialise a Secret named `keystore`, which sts-validator.yaml mounts
# read-only at /etc/ethereum/keystore/derived. Plaintext access is therefore
# gated by decrypt permission on that KMS key and by read access to the
# resulting Secret, not by access to this file.
apiVersion: k8s.linki.space/v1alpha1
kind: EncryptedSecret
metadata:
  name: keystore
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: validator
spec:
  provider: GCP
  # Key reference is relative (no project/location segment); presumably
  # completed from the controller's own configuration — confirm.
  keyID: keyRings/ethereum-2/cryptoKeys/validator
data:
  # Validator wallet material: keymanager options, the encrypted seed and the
  # wallet password (--wallet-password-file in sts-validator.yaml) all live in
  # this one Secret.
  keymanageropts.json:
CiQAAH9Ik8BJEaPn1tJL1NPvdPuGGc9Fr9LDwEToOhrEr8lNpuQS0QEqzgEKFAoMVwpFIsSUAcVXIqobEP2ThNIHEpsBCpIBa2IS2zTt5aYlaVttq8dd4RgvyhbzeuHee5QChlO5JgukbDLVYDAAcchE1n4F4ZxUF9ZHWhoQtrbZuMJ0aoDAX/li0gBd1EH9u2G7oJLSOpVGcwY1ymsPKRxeOk7g/HCSXnL+qB7NHaLwbDlPsDMPzoY3FRJEWaF7wCVHHY15UeLThyIqFUvoVahC46kIzmeT78IQmKrOrg0aGAoQ3EfFuTgSWnpTUmU9EQx9whDDnt+ABg== 13 | seed.encrypted.json: 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 14 | password.txt: CiQAAH9Ik2/LpZO3gY6m/WipKVgu70ZnChJ6NBJifVvjQTKmwscSjAEqiQEKFAoMzbhMqkPOjf0OEZSbEJ6MyJEPElcKTwSTFsH6cKdV+w/xYjmS0QG019xPrf2Orm+lwNiUYpD8W197RvYNG8NNcY4JHQ/JUdOExqRBBpstS4p9Ej2BbQspVhEISThAWVa9ZculL9UQo6f56wgaGAoQ/lG9qLCmvVLS/TCA88h93BCqwbWaCw== 15 | -------------------------------------------------------------------------------- /ethereum-2/validator/sts-validator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: validator 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: validator 8 | app.kubernetes.io/version: v1.0.0-beta.3 9 | spec: 10 | serviceName: validator 11 | selector: 12 | matchLabels: 13 | app.kubernetes.io/name: validator 14 | template: 15 | metadata: 16 | labels: 17 | app.kubernetes.io/name: validator 18 | app.kubernetes.io/version: v1.0.0-beta.3 19 | annotations: 20 | prometheus.io/scrape: 'true' 21 | prometheus.io/port: '8081' 22 | spec: 23 | serviceAccountName: validator 24 | containers: 25 | - name: validator 26 | image: gcr.io/prysmaticlabs/prysm/validator:v1.0.0-beta.3 27 | args: 28 | - --accept-terms-of-use 29 | - --beacon-rpc-provider=beacon-chain:4000 30 | - --tls-cert=/etc/tls/ca.crt 31 | - --wallet-dir=/etc/ethereum/keystore 32 | - --wallet-password-file=/etc/ethereum/keystore/derived/password.txt 33 | - --datadir=/var/lib/validator 34 | - --graffiti=AllYouCanStake.de 35 | - --monitoring-host=$(POD_IP) 36 | # - --enable-external-slasher-protection 37 | # - --slasher-rpc-provider=slasher:4002 
# - --slasher-tls-cert=/etc/tls/ca.crt
            # NOTE(review): with the three slasher flags above commented out the
            # validator runs without external slasher protection; presumably the
            # only double-signing guard is Prysm's local slashing-protection
            # database under --datadir (the `data` PVC below) — confirm, and
            # never run a second copy against the same keys.
            - --enable-tracing
            # Traces are exported over plain HTTP to the in-cluster collector.
            - --tracing-endpoint=http://jaeger-collector:14268/api/traces
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: metrics
              containerPort: 8081
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 100m
              memory: 256Mi
          volumeMounts:
            # Wallet (encrypted seed + wallet password) from the `keystore`
            # Secret produced from sec-validator.yaml. Anyone who can read that
            # Secret holds both, so Secret RBAC (e.g. the cluster-wide
            # list/watch in sa-kube-state-metrics.yaml) protects the signing key.
            - mountPath: /etc/ethereum/keystore/derived
              name: keystore
              readOnly: true
            # The args only reference /etc/tls/ca.crt; the tls.crt/tls.key of
            # validator-tls are mounted but unused here, so the mount could be
            # narrowed to the ca.crt item.
            - mountPath: /etc/tls
              name: tls
              readOnly: true
            - mountPath: /var/lib/validator
              name: data
          readinessProbe:
            httpGet:
              path: /healthz
              port: metrics
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: metrics
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 60
            successThreshold: 1
            timeoutSeconds: 30
          # Same hardening as the other workloads: nobody uid, read-only root
          # fs, all capabilities dropped.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
      # fsGroup makes the PVC and secret mounts readable by uid 65534.
      securityContext:
        fsGroup: 65534
      terminationGracePeriodSeconds: 300
      volumes:
        - name: keystore
          secret:
            secretName: keystore
        - name: tls
          secret:
            secretName: validator-tls
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        storageClassName: standard-rwo
        accessModes:
          - ReadWriteOnce
        volumeMode: Filesystem
        resources:
          requests:
            storage: 1Gi
--------------------------------------------------------------------------------
/ethereum-2/validator/svc-validator.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: validator
  namespace: ethereum-2
  labels:
    app.kubernetes.io/name: validator
spec:
  selector:
app.kubernetes.io/name: validator 11 | ports: 12 | - name: metrics 13 | port: 8081 14 | targetPort: metrics 15 | -------------------------------------------------------------------------------- /ethereum-2/validator/vpa-validator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: autoscaling.k8s.io/v1 2 | kind: VerticalPodAutoscaler 3 | metadata: 4 | name: validator 5 | namespace: ethereum-2 6 | labels: 7 | app.kubernetes.io/name: validator 8 | spec: 9 | targetRef: 10 | apiVersion: apps/v1 11 | kind: StatefulSet 12 | name: validator 13 | updatePolicy: 14 | updateMode: Auto 15 | --------------------------------------------------------------------------------