feat(firehose-ethereum): rework JWT without lookup (#361)

graphops · Sep 20, 2024 · c474375 · c474375
1 parent 62d1aaf
commit c474375
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 17 deletions.
diff --git a/charts/firehose-ethereum/Chart.yaml b/charts/firehose-ethereum/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0-canary.1
+version: 0.1.0-canary.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/firehose-ethereum/README.md b/charts/firehose-ethereum/README.md
diff --git a/charts/firehose-ethereum/templates/resources/job.yaml b/charts/firehose-ethereum/templates/resources/job.yaml
@@ -0,0 +1,59 @@
+{{ define "templates.jwtJob" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "metadata.fullname" $ }}-{{ .componentName }}-generate-jwt-{{ .Root.Release.Revision }}
+  {{- $labels := include "metadata.allLabels" ( set ( deepCopy $ ) "labels" dict ) | fromYaml }}
+  {{- $annotations := include "metadata.allAnnotations" ( set ( deepCopy $ ) "annotations" dict ) | fromYaml }}
+  labels:
+  {{- range $key, $value := $labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/resource-policy": keep
+  {{- range $key, $value := $annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  namespace: {{ .Root.Release.Namespace }}
+spec:
+  ttlSecondsAfterFinished: 100
+  template:
+    metadata:
+      name: {{ include "metadata.fullname" $ }}-{{ .componentName }}-generate-jwt-{{ .Root.Release.Revision }}
+      {{- $labels := include "metadata.allLabels" ( set ( deepCopy $ ) "labels" dict ) | fromYaml }}
+      {{- $annotations := include "metadata.allAnnotations" ( set ( deepCopy $ ) "annotations" dict ) | fromYaml }}
+      labels:
+      {{- range $key, $value := $labels }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      annotations:
+      {{- range $key, $value := $annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ include "metadata.serviceAccountName" $ }}
+      restartPolicy: OnFailure
+      containers:
+        - name: generate-jwt-secret
+          image: bitnami/kubectl:latest
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: SECRET_NAME
+              value: {{ printf "%s-%s-jwt" (include "metadata.fullname" $) .componentName | quote }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              if kubectl -n ${NAMESPACE} get secret ${SECRET_NAME}; then
+                echo "Secret $SECRET_NAME already exists. Skipping creation."
+              else
+                echo "Creating new secret $SECRET_NAME"
+                kubectl -n ${NAMESPACE} create secret generic ${SECRET_NAME} --from-literal=jwt.hex=$(openssl rand -hex 32)
+              fi
+{{- end }}
diff --git a/charts/firehose-ethereum/templates/resources/render.yaml b/charts/firehose-ethereum/templates/resources/render.yaml
@@ -9,8 +9,6 @@
 {{- $finalConfigMap := list $baseConfigMap (omit $values.configMap "enabled" "options") | include "utils.deepMerge" | fromYaml }}
 ---
 {{ $finalConfigMap | toYaml }}
----
-{{ $values.configMap | toYaml }}
 {{- end -}}
 
 {{- if $values.enabled }}
@@ -85,10 +83,16 @@
 {{ $renderedServiceMonitor | toYaml }}
 {{- end -}}
 
-{{- if and ($values.fireeth.jwt.enabled) (empty $values.fireeth.jwt.existingSecret.name) (empty $values.fireeth.jwt.existingSecret.key) }}
+{{- if and ($values.fireeth.jwt.enabled) (empty $values.fireeth.jwt.existingSecret.name) (empty $values.fireeth.jwt.existingSecret.key) (not (empty $values.fireeth.jwt.fromLiteral)) }}
 {{- $renderedSecret := include "templates.Secret" $templateCtx | fromYaml }}
 ---
 {{ $renderedSecret | toYaml }}
 {{- end -}}
 
+{{- if and ($values.fireeth.jwt.enabled) (empty $values.fireeth.jwt.existingSecret.name) (empty $values.fireeth.jwt.existingSecret.key) (empty $values.fireeth.jwt.fromLiteral) }}
+{{- $renderedJob := include "templates.jwtJob" $templateCtx | fromYaml }}
+---
+{{ $renderedJob | toYaml }}
+{{- end -}}
+
 {{- end }}
diff --git a/charts/firehose-ethereum/templates/resources/secret.yaml b/charts/firehose-ethereum/templates/resources/secret.yaml
@@ -1,6 +1,5 @@
 {{ define "templates.Secret" }}
 {{- $secretName := printf "%s-%s-jwt" (include "metadata.fullname" $) .componentName -}}
-{{- $secret := lookup "v1" "Secret" .Root.Release.Namespace $secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,13 +17,6 @@ metadata:
   namespace: {{ .Root.Release.Namespace }}
 type: Opaque
 data:
-  {{/* randAlphaNum 44 has slightly over 256 bits of entropy so it's enough */}}
   jwt.hex: |-
-    {{- if not (empty .Pod.fireeth.jwt.fromLiteral) }}
     {{ .Pod.fireeth.jwt.fromLiteral | b64enc }}
-    {{- else if $secret }}
-    {{ index $secret.data "jwt.hex" }}
-    {{- else }}
-    {{ randAlphaNum 44 | sha256sum | lower | b64enc }}
-    {{- end }}
 {{- end }}
diff --git a/charts/firehose-ethereum/values.yaml b/charts/firehose-ethereum/values.yaml
@@ -632,6 +632,12 @@ firehoseServiceDefaults:
               - "get"
               - "list"
               - "watch"
+          - apiGroups: [""]
+            resources:
+              - "secrets"
+            verbs:
+              - "get"
+              - "create"
 
     clusterRbac:
       enabled: '{{ .Pod.fireeth.p2p.enabled }}'

diff --git a/charts/graph-toolbox/README.md b/charts/graph-toolbox/README.md
@@ -1,8 +1,8 @@
 # Graph-Toolbox Helm Chart
 
-Deploy a preconfigured toolbox container for to be used alongside the
+Deploy a preconfigured toolbox container for to be used alongside the Graph Network Indexer stack
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square)
 
 ## Introduction