diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
index 554e889..1e2b2f6 100644
--- a/.github/workflows/build-deploy.yml
+++ b/.github/workflows/build-deploy.yml
@@ -23,11 +23,22 @@ jobs:
         alternate-latest-mode: true
   deploy:
+    name: Deploy ${{ matrix.colo.region }}
     needs:
       - package
-    runs-on: [k8s-public]
+    runs-on: "k8s-public-${{ matrix.colo.region }}"
     container:
       image: registry.gitlab.com/cmmarslender/kubectl-helm:v3
+    strategy:
+      fail-fast: false
+      matrix:
+        colo:
+          - region: fmt
+          - region: msp
+          - region: ldn
+          - region: sin
+    env:
+      REGION: ${{ matrix.colo.region }}
     steps:
       - uses: actions/checkout@v4
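Review bot: The `colo:` matrix is now the only list of regions, but nothing records what each entry must have behind it — a runner carrying the `k8s-public-<region>` label from the `runs-on` line, the per-region Vault paths and the `dashboard-<region>.chia.net` name used further down the job — so a fifth region added here fails at deploy time instead of at review time. A comment above `matrix:` such as `# Each region needs: a runner labelled k8s-public-<region>, Vault secrets under secret/data/<region>/..., and a dashboard-<region>.chia.net record` would make the contract explicit. With `fail-fast: false` a failure in one region leaves the others on the new image tag; that is presumably intended for independent colos, but it is worth stating in the same comment so a partially deployed state is recognised as expected rather than as a bug.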
@@ -43,31 +54,31 @@ jobs:
           url: ${{ secrets.VAULT_URL }}
           token: ${{ env.VAULT_TOKEN }}
           secrets: |
-            secret/data/pub-metrics-eks/rds/rds-info db_host | BLOCK_METRICS_DB_HOST;
-            secret/data/pub-metrics-eks/rds/blocks-read-user username | BLOCK_METRICS_USER;
-            secret/data/pub-metrics-eks/rds/blocks-read-user password | BLOCK_METRICS_PASSWORD;
+            secret/data/${{ matrix.colo.region }}/k8s/k8s-${{ matrix.colo.region }} api_server_url | K8S_API_SERVER_URL;
+            secret/data/${{ matrix.colo.region }}/mysql/db-info host | DB_HOST;
+            secret/data/${{ matrix.colo.region }}/mysql/users/grafana-read-pub username | GRAFANA_PUB_READ_USERNAME;
+            secret/data/${{ matrix.colo.region }}/mysql/users/grafana-read-pub password | GRAFANA_PUB_READ_PASSWORD;
       - name: Template grafana configs
         run: |
           j2 templates/datasources.yaml.j2 -o helm/pub-metrics-grafana/datasources
-      - name: Get ephemeral aws credentials
-        uses: Chia-Network/actions/vault/aws-sts@main
+      - name: Login to k8s cluster
+        uses: Chia-Network/actions/vault/k8s-login@main
         with:
           vault_url: ${{ secrets.VAULT_URL }}
           vault_token: ${{ env.VAULT_TOKEN }}
-          role_name: pub-metrics-deploy
-
-      - name: Log in to cluster
-        run: aws eks update-kubeconfig --name pub-metrics --region us-west-2
+          backend_name: k8s-${{ matrix.colo.region }}
+          role_name: github-actions
+          cluster_url: ${{ env.K8S_API_SERVER_URL }}
       - uses: Chia-Network/actions/helm/deploy@main
         env:
           REPLICAS: 3
-          HOSTNAME: "dashboard.chia.net"
+          HOSTNAME: "dashboard-${{ matrix.colo.region }}.chia.net"
           IMAGE_TAG: "sha-${{ github.sha }}"
         with:
-          namespace: grafana
+          namespace: grafana-pub
           app_name: grafana
           helm_chart: "./helm/pub-metrics-grafana"
           helm_values: "./helm/values.yaml"
diff --git a/helm/pub-metrics-grafana/templates/network-policy.yaml b/helm/pub-metrics-grafana/templates/network-policy.yaml
new file mode 100644
index 0000000..87bf908
--- /dev/null
+++ b/helm/pub-metrics-grafana/templates/network-policy.yaml
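Review bot: The `secrets: |` block and the new login step hard-code a Vault layout — `secret/data/<region>/k8s/k8s-<region>`, `secret/data/<region>/mysql/...`, one `k8s-<region>` auth backend each carrying a `github-actions` role — that is documented nowhere in the workflow, so the next person adding a region or rotating a role has to reverse-engineer it from these lines. Because every region logs in with the same `role_name: github-actions` and then deploys into `namespace: grafana-pub`, the least-privilege expectation is that each backend's role is bound to that namespace only; that is a Vault-side setting this diff cannot show, but recording the assumption lets someone check it. A comment above `- name: Login to k8s cluster` along the lines of `# One Kubernetes auth backend per region (k8s-<region>); its github-actions role is expected to be scoped to the grafana-pub namespace only` is enough. Minor: the job-level `REGION` env introduced in the earlier hunk is not reused here — `HOSTNAME` and the Vault paths repeat `${{ matrix.colo.region }}` — so settle on one form.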
@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "pub-metrics-grafana.fullname" . }}
+  labels:
+    {{- include "pub-metrics-grafana.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+          - {{ .Release.Name }}
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - {{ include "pub-metrics-grafana.name" . }}
+  policyTypes:
+  {{- with .Values.networkPolicy.policyTypes }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{if has "Ingress" .Values.networkPolicy.policyTypes }}
+  ingress:
+  {{- with .Values.networkPolicy.ingressRules }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{if has "Egress" .Values.networkPolicy.policyTypes }}
+  egress:
+  {{- with .Values.networkPolicy.egressRules }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/helm/pub-metrics-grafana/values.yaml b/helm/pub-metrics-grafana/values.yaml
index 7a21a74..80e8a66 100644
--- a/helm/pub-metrics-grafana/values.yaml
+++ b/helm/pub-metrics-grafana/values.yaml
@@ -85,3 +85,26 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+networkPolicy:
+  enabled: false
+  policyTypes: []
+  # - Egress
+  # - Ingress
+  egressRules: []
+  # - to:
+  #   - namespaceSelector:
+  #       matchLabels:
+  #         name: chia-blockchain
+  #   ports:
+  #     - protocol: TCP
+  #       port: 8555
+  ingressRules: []
+# - from:
+#   - namespaceSelector:
+#       matchLabels:
+#         kubernetes.io/metadata.name: chia-blockchain
+#   ports:
+#     - protocol: TCP
+#       port: 8555
+#       port: 8555
diff --git a/helm/values.yaml.j2 b/helm/values.yaml.j2
index b402d66..3af5d00 100644
--- a/helm/values.yaml.j2
+++ b/helm/values.yaml.j2
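Review bot: When `networkPolicy.enabled` is true but `policyTypes` is empty — the default the chart's values.yaml ships — the `{{- with }}` around it is skipped and the template emits a bare `policyTypes:` with neither an `ingress` nor an `egress` section; Kubernetes then defaults policyTypes to Ingress, so the chart silently installs a deny-all-ingress policy on Grafana. Failing the render is the safer behaviour: right after the opening `if`, add `{{- if not .Values.networkPolicy.policyTypes }}{{ fail "networkPolicy.policyTypes must list Ingress and/or Egress when networkPolicy.enabled is true" }}{{ end }}`. The two `{{if has ... }}` lines also lack the `-` trim marker every other directive in the file uses, which leaves whitespace-only lines in the rendered manifest. Listing `Ingress` with an empty `ingressRules` is a deliberate deny-all, which is fine, but a comment on `ingress:` saying so would stop someone "fixing" it.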
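Review bot: The commented `ingressRules` example ends with `port: 8555` twice, so uncommenting it as written produces a duplicate key that most YAML parsers resolve silently to the last value; drop the repeated line. The two examples also select the namespace differently — `name: chia-blockchain` for egress but `kubernetes.io/metadata.name: chia-blockchain` for ingress; the latter is the label Kubernetes sets on every namespace, the former only exists if someone added it, so the egress example should read `kubernetes.io/metadata.name: chia-blockchain` as well. Finally the ingress example is commented at column 0 while the egress one sits under its key; indenting both under `egressRules:`/`ingressRules:` makes clear they are example values rather than top-level keys.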
@@ -6,12 +6,9 @@ image:
 ingress:
   enabled: true
-  className: alb
+  className: nginx
   annotations:
     external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    alb.ingress.kubernetes.io/target-type: "ip"
-    alb.ingress.kubernetes.io/scheme: "internet-facing"
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
   hosts:
     - host: {{ HOSTNAME }}
       paths:
@@ -20,6 +17,7 @@ ingress:
   tls:
     - hosts:
         - dashboard.chia.net
+        - dashboard-{{ REGION }}.chia.net
 env:
   - name: GF_SERVER_ROOT_URL
@@ -54,3 +52,26 @@ affinity:
               - pub-metrics-grafana
           topologyKey: kubernetes.io/hostname
         weight: 100
+
+networkPolicy:
+  enabled: true
+  policyTypes:
+    - Egress
+  egressRules:
+    - to:
+        - ipBlock:
+            cidr: "{{ DB_HOST }}/32"
+      ports:
+        - protocol: TCP
+          port: 3306
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: pub-metrics
+      ports:
+        - protocol: TCP
+          port: 8480
+        - protocol: TCP
+          port: 9090
+        - protocol: TCP
+          port: 9093
diff --git a/templates/datasources.yaml.j2 b/templates/datasources.yaml.j2
index 4b38f83..1ca60c7 100644
--- a/templates/datasources.yaml.j2
+++ b/templates/datasources.yaml.j2
@@ -22,10 +22,10 @@ datasources:
       editable: False
     - name: block-data
       type: mysql
-      url: {{ BLOCK_METRICS_DB_HOST }}:3306
+      url: {{ DB_HOST }}:3306
       uid: P00A25F4DA48796D5
-      user: '{{ BLOCK_METRICS_USER }}'
+      user: '{{ GRAFANA_PUB_READ_USERNAME }}'
       jsonData:
         database: blocks
       secureJsonData:
-        password: '{{ BLOCK_METRICS_PASSWORD }}'
+        password: '{{ GRAFANA_PUB_READ_PASSWORD }}'
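Review bot: Every region's render now lists both `dashboard.chia.net` and `dashboard-{{ REGION }}.chia.net` under `tls.hosts`, while the only `hosts:` entry in the same file is `{{ HOSTNAME }}`, which the workflow sets to the regional name. Unless the shared name is meant to resolve to every region, the other regions are presenting (and, if a certificate issuer is wired to this ingress, requesting) a certificate for a host they do not route; confirm that is intended or drop `- dashboard.chia.net` from the regional renders. A one-line comment on the tls entry stating which names each region is expected to serve would settle it for the next reader.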
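Review bot: With `policyTypes: [Egress]` and only the two rules shown, the Grafana pods get no egress to cluster DNS, so any target addressed by name — the Services in the `pub-metrics` namespace behind 8480/9090/9093 are presumably reached that way — stops resolving the moment the CNI enforces the policy. `cidr: "{{ DB_HOST }}/32"` additionally only validates if DB_HOST is a literal IP; the same value is rendered into `url: {{ DB_HOST }}:3306` in datasources.yaml.j2, which would happily take a hostname, so confirm the Vault `db-info host` entry holds an address, otherwise the API server rejects the whole policy. Add a DNS rule ahead of the others, adjusting the pod selector to however this cluster's DNS deployment is labelled:
```yaml
  egressRules:
    # Cluster DNS first: every rule below that targets a Service name depends on it.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # … unchanged: DB_HOST/32 rule and pub-metrics namespace rule …
```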