midl-dev / tezos-on-gke

A secure, turn-key public Tezos baking service on Kubernetes
Apache License 2.0
32 stars 15 forks source link

Tezos-on-GKE is DEPRECATED

Note that this project has now be superceded by tezos-k8s, a collection of helm charts to bake tezos on k8s on any cloud.

Tezos-on-GKE

Tezos is a delegated proof of stake blockchain protocol.

This deploys:

The private baking key can be managed two ways:

Features:

Brought to you by MIDL.dev

MIDL.dev

We maintain Tezos Suite, a complete baking suite, free for anyone to use.

We help you deploy and manage a complete Tezos baking operation. Hire us.

Architecture

This is a Kubernetes private cluster with Tezos nodes located in two Google Cloud zones, in the same region.

The setup is production hardened:

See full documentation

Cost

Deploying will incur Google Compute Engine charges, specifically:

How to deploy

WARNING: Use judgement and care in your network interactions, otherwise loss of funds may occur.

Prerequisites

  1. Download and install Terraform

  2. Download, install, and configure the Google Cloud SDK.

  3. Install the kubernetes CLI (aka kubectl)

Authentication

Using your Google account, active your Google Cloud access.

Login to gcloud using gcloud auth login

Set up Google Default Application Credentials by issuing the command:

gcloud auth application-default login

NOTE: for production deployments, the method above is not recommended. Instead, you should use a Terraform service account following these instructions.

Populate terraform variables

All custom values unique to your deployment are set as terraform variables. You must populate these variables manually before deploying the setup.

A simple way is to populate a file called terraform.tfvars.

NOTE: terraform.tfvars is not recommended for a production deployment. See production hardening.

(1) Clone the repository https://github.com/midl-dev/tezos-on-gke

(2) Go to terraform folder in the cloned repository:

cd terraform

Below is a list of variables you can set.

Name Description Type Default Required
baking_nodes Structured data related to baking, including public key and signer configuration. map {} no
billing_account Google Cloud billing account ID. string "" no
cluster_ca_certificate Kubernetes cluster certificate. string "" no
cluster_name Name of the Kubernetes cluster. string "" no
experimental_active_standby_mode Enable exeprimental active-standby mode (https://tezos-docs.midl.dev/active-standby.html). bool false no
history_mode History mode of the Tezos nodes (rolling, full or archive). string "rolling" no
kubernetes_access_token Access token for the kubernetes endpoint string "" no
kubernetes_endpoint Name of the Kubernetes endpoint. string "" no
kubernetes_name_prefix Kubernetes name prefix to prepend to all resources (should be short, like xtz). string "xtz" no
kubernetes_namespace Kubernetes namespace to deploy the resource into. string "tezos" no
kubernetes_pool_name When Kubernetes cluster has several node pools, specify which ones to deploy the baking setup into. Only effective when deploying on an external cluster with terraform_no_cluster_create string "blockchain-pool" no
monitoring_slack_url Slack API URL to send prometheus alerts to. string "" no
node_locations Zones in which to create the nodes. list
[
"us-central1-b",
"us-central1-f"
]
no
node_storage_size Storage size for the nodes, in gibibytes (GiB). string "15" no
org_id Google Cloud organization ID. string "" no
project Project ID where Terraform is authenticated to run to create additional projects. If provided, Terraform will great the GKE and Tezos cluster inside this project. If not given, Terraform will generate a new project. string "" no
protocols The list of Tezos protocols currently in use, following the naming convention used in the baker binary names, for example 007-PsDELPH1. Baking and endorsing daemons will be spun up for every protocol provided in the list, which helps for seamless protocol updates. list
[
"007-PsDELPH1",
"008-PtEdoTez"
]
no
region Region in which to create the cluster, or region where the cluster exists. string "us-central1" no
rpc_public_hostname If set, expose the RPC of the public node through a load balancer and create a certificate for the given hostname. string "" no
rpc_subnet_whitelist IP address whitelisting for the public RPC. Open to everyone by default. list
[
"0.0.0.0/0"
]
no
signer_target_host_key SSH host key for the SSH endpoint the remote signer connects to. If left empty, sshd will generate it but it may change, cutting your access to the remote signers. string "" no
snapshot_url URL of the snapshot of type rolling to download. string "https://mainnet.xtz-shots.io/rolling" no
terraform_service_account_credentials Path to terraform service account file, created following the instructions in https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform string "~/.config/gcloud/application_default_credentials.json" no
tezos_network The Tezos network such as mainnet, edonet, etc. string "mainnet" no
tezos_version The Tezos container version for node. Should be hard-coded to a version from https://hub.docker.com/r/tezos/tezos/tags. Not recommended to set to a rolling tag like 'mainnet', because it may break unexpectedly. Example: v9.2. string "latest-release" no

Baking nodes

The baking_nodes parameter lets you deploy one or several bakers declaratively by passing structured data describing the bakers.

You may specify:

The variables needed to spin up the baking or endorsing processes are:

Attention! Leaving a private baking key on a cloud platform is not recommended when funds are present. For production bakers, leave this variable empty and use a remote signer. See documentation.

To generate a public/private keypair, you can use the tezos client:

tezos-client gen keys insecure-baker
# if you do not have a node running locally, there will be an error, but the key was created anyway
tezos-client show address insecure-baker -S

Set public_baking_key_hash to the value displayed after Hash:, public_baking_key to the value displayed after Public key: and insecure_private_baking_key to the value displayed after Secret key: unencrypted:.

If you do not have the tezos client installed locally, you can use the docker Tezos container:

docker run --name=my-tezos-client tezos/tezos:latest-release tezos-client gen keys insecure-baker
# again, if you do not have a node running locally, there will be an error, but the key was created anyway
docker commit my-tezos-client my-tezos-client
docker run my-tezos-client tezos-client show address insecure-baker -S

Full example of baking_nodes parameter:

mybaker = {
  public_baking_key="edpkup8PaxJYrUcXUEBEufekgqMaodyKLKwHqbtkQVAudiJ7nmrS2o"
  public_baking_key_hash="tz1YmsrYxQFJo5nGj4MEaXMPdLrcRf2a5mAU"
  insecure_private_baking_key="edsk3cftTNcJnxb7ehCxYeCaKPT7mjycdMxgFisLixrQ9bZuTG2yZK"
}

If you do not want to bake (for example, if you want to deploy a RPC node only), configure just one node with no baker:

baking_nodes = { "mynode": {} }

Payouts

Tezos-on-GKE supports the Tezos Rewards Distributor (TRD) running as a cronjob alongside the baker node, sharing the same remote signing infrastructure.

All details are in the tezos-suite documentation.

Full example

Here is a full example terraform.tfvars configuration. This private key is provided only as an example, generate your own instead.

project="<your Google project name>"
tezos_network="florencenet"
snapshot_url="https://florencenet.xtz-shots.io/rolling"
baking_nodes = {
  mynode = {
    mybaker = {
      public_baking_key="edpkup8PaxJYrUcXUEBEufekgqMaodyKLKwHqbtkQVAudiJ7nmrS2o"
      public_baking_key_hash="tz1YmsrYxQFJo5nGj4MEaXMPdLrcRf2a5mAU"
      insecure_private_baking_key="edsk3cftTNcJnxb7ehCxYeCaKPT7mjycdMxgFisLixrQ9bZuTG2yZK"
    }
  }
}

Deploy!

  1. Run the following:
terraform init
terraform plan -out plan.out
terraform apply plan.out

This will take time as it will:

In case of error, run the plan and apply steps again:

terraform plan -out plan.out
terraform apply plan.out

Connect to the cluster

Once the command returns, you can verify that the pods are up by running:

kubectl get pods

You should see the tezos node.

Display the log of a public node and observe it sync:

kubectl logs -f tezos-public-node-0 --tail=10

Use with a remote signer

It is not recommended to run a production baker with cloud-hosted private keys.

Follow our guide to configure a hardware remote signer connected to a Ledger.

When using this mode, you must pass a baking_nodes map with the following parameters:

Day 2 operations

See documentation

Wrapping up

To delete everything and terminate all the charges, issue the command:

terraform destroy

Alternatively, go to the GCP console and delete the project.