feat: added ceramic-one-mainnet k8s example

k8s/ceramic-one-mainnnet/README.md

@@ -0,0 +1,80 @@
+# ceramic-one-mainnet
+
+This overlay configures the `ceramic-one` deployment to connect to the Ceramic mainnet network.
+
+## Step 1: Create a namespace
+
+The example kustomization uses namespace `ceramic-one-mainnet`.
+
+Update the namespace in the kustomization file to your desired namespace.
+
+Create the namespace with the following command:
+
+```
+export CERAMIC_NAMESPACE=ceramic-one-mainnet
+kubectl create namespace ${CERAMIC_NAMESPACE}
+```
+
+## Step 2: Create secrets
+
+The k8s manifests require 2 secrets to be set up before deploying.
+
+### ceramic-admin
+
+This secret contains the following 3 keys:
+
+#### eth-rpc-urls
+
+This should be a valid Ethereum mainnetRPC URL that the Ceramic node can use to connect to the Ethereum network.
+
+#### node-private-key
+
+A private key for the Ceramic node to authenticate with CAS.
+
+If you don't already have a private key, you can generate one with `openssl rand -hex 32`.
+
+From this key, a DID will be derived. Use the `composedb did:from-private-key` command to derive a DID from the private key.
+
+Use this DID to register with CAS as documented https://developers.ceramic.network/docs/composedb/guides/composedb-server/access-mainnet
+
+#### admin-private-key
+
+A private key for the Admin DID to use the deployed Ceramic API.
+
+If you don't already have a private key, you can generate one with `openssl rand -hex 32`.
+
+#### Create the ceramic-admin secret
+Create the secret with the following command (as example):
+
+```
+kubectl create secret generic ceramic-admin \
+  --namespace ${CERAMIC_NAMESPACE} \
+  --from-literal=admin-private-key=$(openssl rand -hex 32) \
+  --from-literal=node-private-key=$(openssl rand -hex 32) \
+  --from-literal=eth-rpc-urls=<mainnet-rpc-url>
+```
+
+### ceramic-postgres-auth
+
+This example deployment also deploys a postgres instance with a database for the Ceramic node to use.
+
+#### Create the ceramic-postgres-auth secret
+
+Create the secret with the following command (as example):
+
+```
+kubectl create secret generic ceramic-postgres-auth \
+  --namespace ${CERAMIC_NAMESPACE} \
+  --from-literal=db=ceramic-mainnet \
+  --from-literal=host=postgres \
+  --from-literal=password=ceramic \
+  --from-literal=username=ceramic
+```
+
+## Step 3: Deploy
+
+From this directory, apply the kustomization:
+
+```
+kubectl apply -k .
+```

k8s/ceramic-one-mainnnet/envs/ceramic-one.env

@@ -0,0 +1,10 @@
+CERAMIC_ONE_BIND_ADDRESS=0.0.0.0:5101
+CERAMIC_ONE_KADEMLIA_PARALLELISM=1
+CERAMIC_ONE_KADEMLIA_REPLICATION=6
+CERAMIC_ONE_LOCAL_NETWORK_ID=0
+CERAMIC_ONE_METRICS_BIND_ADDRESS=0.0.0.0:9465
+CERAMIC_ONE_NETWORK=mainnet
+CERAMIC_ONE_RECON=true
+CERAMIC_ONE_STORE_DIR=/data/ceramic-one
+CERAMIC_ONE_SWARM_ADDRESSES=/ip4/0.0.0.0/tcp/4001
+RUST_LOG=info,ceramic_one=debug,multipart=error

k8s/ceramic-one-mainnnet/envs/js-ceramic.env

@@ -0,0 +1,6 @@
+CERAMIC_RECON_MODE=true
+CERAMIC_NETWORK=mainnet
+CERAMIC_SQLITE_PATH=/js-ceramic-data/ceramic.db
+CERAMIC_STATE_STORE_PATH=/js-ceramic-data/statestore
+CERAMIC_CORS_ALLOWED_ORIGINS=.*
+CERAMIC_LOG_LEVEL=2

k8s/ceramic-one-mainnnet/files/daemon-config.json

@@ -0,0 +1,40 @@
+{
+    "anchor": {
+        "auth-method": "did"
+    },
+    "http-api": {
+        "cors-allowed-origins": [
+            "${CERAMIC_CORS_ALLOWED_ORIGINS}"
+        ],
+        "admin-dids": [
+            "${CERAMIC_ADMIN_DID}"
+        ]
+    },
+    "ipfs": {
+        "mode": "remote",
+        "host": "${CERAMIC_IPFS_HOST}"
+    },
+    "logger": {
+        "log-level": ${CERAMIC_LOG_LEVEL},
+        "log-to-files": false
+    },
+    "metrics": {
+        "metrics-exporter-enabled": false,
+        "prometheus-exporter-enabled": true,
+        "prometheus-exporter-port": 9464
+    },
+    "network": {
+        "name": "${CERAMIC_NETWORK}"
+    },
+    "node": {
+        "privateSeedUrl": "inplace:ed25519#${CERAMIC_NODE_PRIVATE_SEED}"
+    },
+    "state-store": {
+        "mode": "fs",
+        "local-directory": "${CERAMIC_STATE_STORE_PATH}"
+    },
+    "indexing": {
+        "db": "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}/${POSTGRES_DB}",
+        "allow-queries-before-historical-sync": true
+    }
+}

k8s/ceramic-one-mainnnet/files/js-ceramic-init.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -eo pipefail
+
+export MY_POD_INDEX=$(echo $MY_POD_NAME | grep -o '[0-9]\+$')
+# Assuming http://ceramic-one-1:5101 format
+export CERAMIC_IPFS_HOST=http://ceramic-one-${MY_POD_INDEX}:5101
+export CERAMIC_ADMIN_DID=$(composedb did:from-private-key ${CERAMIC_ADMIN_PRIVATE_KEY})
+
+CERAMIC_ADMIN_DID=$CERAMIC_ADMIN_DID envsubst < /js-ceramic-init/daemon-config.json > /config/daemon-config.json

k8s/ceramic-one-mainnnet/kustomization.yaml

@@ -0,0 +1,34 @@
+namespace: ceramic-one-mainnet
+
+resources:
+  - ./manifests/js-ceramic-sts.yaml
+  - ./manifests/ceramic-one-sts.yaml
+  - ./manifests/ceramic-one-lb.yaml
+  - ./manifests/js-ceramic-lb.yaml
+  - ./manifests/postgres-sts.yaml
+
+images:
+  - name: ceramicnetwork/composedb-cli
+    newName: ceramicnetwork/composedb-cli
+    newTag: "latest"
+  - name: ceramicnetwork/js-ceramic
+    newName: ceramicnetwork/js-ceramic
+    newTag: "latest"
+  - name: ceramicnetwork/ceramic-one
+    newName: public.ecr.aws/r5b3e0r5/3box/ceramic-one
+    newTag: "0.40.0"
+  - name: postgres
+    newName: postgres
+    newTag: 15-alpine
+
+configMapGenerator:
+  - name: js-ceramic-env
+    envs:
+      - ./envs/js-ceramic.env
+  - name: ceramic-one-env
+    envs:
+      - ./envs/ceramic-one.env
+  - name: js-ceramic-init
+    files:
+      - ./files/daemon-config.json
+      - ./files/js-ceramic-init.sh

k8s/ceramic-one-mainnnet/manifests/ceramic-one-lb.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceramic-one-lb-0
+  annotations:
+    cloud.google.com/l4-rbs: "enabled"
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: ceramic-one
+    statefulset.kubernetes.io/pod-name: ceramic-one-0
+  ports:
+  - name: swarm-tcp
+    protocol: TCP
+    port: 4101
+    targetPort: 4101
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceramic-one-lb-1
+  annotations:
+    cloud.google.com/l4-rbs: "enabled"
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: ceramic-one
+    statefulset.kubernetes.io/pod-name: ceramic-one-1
+  ports:
+  - name: swarm-tcp
+    protocol: TCP
+    port: 4101
+    targetPort: 4101

k8s/ceramic-one-mainnnet/manifests/ceramic-one-sts.yaml

@@ -0,0 +1,140 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ceramic-one
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ceramic-one
+  serviceName: ceramic-one
+  template:
+    metadata:
+      labels:
+        app: ceramic-one
+    spec:
+      containers:
+        - name: ceramic-one
+          envFrom:
+            - configMapRef:
+                name: ceramic-one-env
+          env:
+            - name: CERAMIC_ONE_ETHEREUM_RPC_URLS
+              valueFrom:
+                secretKeyRef:
+                  name: ceramic-admin
+                  key: eth-rpc-urls
+          image: ceramicnetwork/ceramic-one
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 4101
+              name: swarm-tcp
+              protocol: TCP
+            - containerPort: 5101
+              name: rpc
+              protocol: TCP
+            - containerPort: 9465
+              name: metrics
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /ceramic/liveness
+              port: rpc
+              scheme: HTTP
+          readinessProbe:
+            httpGet:
+              path: /ceramic/liveness
+              port: rpc
+              scheme: HTTP
+          resources:
+            limits:
+              cpu: "1"
+              ephemeral-storage: 1Gi
+              memory: 1Gi
+            requests:
+              cpu: "1"
+              ephemeral-storage: 1Gi
+              memory: 1Gi
+          volumeMounts:
+            - mountPath: /data/ceramic-one
+              name: ceramic-one-data
+      volumes:
+        - name: ceramic-one-data
+          persistentVolumeClaim:
+            claimName: ceramic-one-pvc
+  volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: ceramic-one-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceramic-one
+spec:
+  ports:
+    - name: swarm-tcp
+      port: 4101
+      protocol: TCP
+      targetPort: swarm-tcp
+    - name: rpc
+      port: 5101
+      protocol: TCP
+      targetPort: rpc
+    - name: metrics
+      port: 9465
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app: ceramic-one
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceramic-one-0
+spec:
+  ports:
+    - name: swarm-tcp
+      port: 4101
+      protocol: TCP
+      targetPort: swarm-tcp
+    - name: rpc
+      port: 5101
+      protocol: TCP
+      targetPort: rpc
+    - name: metrics
+      port: 9465
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app: ceramic-one
+    statefulset.kubernetes.io/pod-name: ceramic-one-0
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceramic-one-1
+spec:
+  ports:
+    - name: swarm-tcp
+      port: 4101
+      protocol: TCP
+      targetPort: swarm-tcp
+    - name: rpc
+      port: 5101
+      protocol: TCP
+      targetPort: rpc
+    - name: metrics
+      port: 9465
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app: ceramic-one
+    statefulset.kubernetes.io/pod-name: ceramic-one-1