deploy pipeline

.github/workflows/relayer.yml

@@ -67,3 +67,73 @@ jobs:
 
       - name: Run tests with coverage
         run: yarn test:cov
+  push-staging:
+    if: github.ref == 'refs/heads/main'
+    name: Push Image to Staging
+    runs-on: ubuntu-latest
+    permissions: 
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v2'
+        with:
+          token_format: 'access_token'
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_ID }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+      - name: Docker Auth
+        id: docker-auth
+        uses: 'docker/login-action@v3'
+        with:
+          username: 'oauth2accesstoken'
+          password: '${{ steps.auth.outputs.access_token }}'
+          registry: 'us-central1-docker.pkg.dev'
+      - name: Build, tag and push container
+        id: build-image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./requests
+          file: ./requests/Dockerfile
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: |
+            us-central1-docker.pkg.dev/${{ vars.GCP_PROJECT }}/privacy-pools-core/staging/relayer:${{ github.sha }}
+            us-central1-docker.pkg.dev/${{ vars.GCP_PROJECT }}/privacy-pools-core/staging/relayer:latest
+  deploy-staging:
+    if: github.ref == 'refs/heads/main'
+    name: Deploy to Staging 
+    runs-on: ubuntu-latest
+    needs: [push-dw, unit]
+    permissions: 
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.1.0
+        with:
+          version: v3.16.1
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v2'
+        with:
+          token_format: 'access_token'
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_ID }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+        with:
+          version: '>= 494.0.0'
+      - name: 'Install kubectl'
+        run: 'gcloud components install kubectl'
+      - name: 'Get cluster credentials'
+        run: 'gcloud container clusters get-credentials ${{ vars.CLUSTER_NAME }} --region ${{ vars.REGION }}'
+      - name: 'Deploy'
+        run: 'helm upgrade --install ${{ vars.SERVICE_NAME }}-requests ./chart --set version=${{ github.sha }} --values ./chart/values.requests.yaml'

ops/chart/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Privacy Pool Core
+name: privacy-pool-core
+version: 0.1.0

ops/chart/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

ops/chart/templates/deployment.yaml

@@ -0,0 +1,88 @@
+{{- $name := include "name" . -}}
+{{- $chart := include "chart" . -}}
+
+{{- range $service, $val := $.Values.services }}
+{{- if not .disabled }}
+{{- $serviceName := printf "%s-%s" $name $service -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $serviceName }}
+  namespace: {{ $.Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $serviceName }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Values.version | quote }}
+    app.kubernetes.io/component: {{ $service }}
+    helm.sh/chart: {{ $chart }}
+    {{- if .labels}}
+{{ toYaml .labels | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ default 1 .replicas}}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ $serviceName }}
+      app.kubernetes.io/instance: {{ $.Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ $serviceName }}
+        app.kubernetes.io/instance: {{ $.Release.Name }}
+        app.kubernetes.io/version: {{ $.Values.version | quote }}
+        app.kubernetes.io/component: {{ $service }}
+        helm.sh/chart: {{ $chart }}
+        {{- if .labels}}
+{{ toYaml .labels | indent 8 }}
+        {{- end }}
+    spec:
+    {{- if .serviceAccount}}
+      serviceAccountName: {{ .serviceAccount }}
+    {{- end }}
+      # securityContext:
+      #   runAsNonRoot: true
+      #   seccompProfile:
+      #     type: RuntimeDefault
+      containers:
+        - name: {{ $service }}
+          image: "{{ .image }}:{{ $.Values.version }}"
+          {{- if .command }}
+          command: [{{ .command }}]
+          {{- if .args }}
+          args: {{- range .args }}
+            - {{.}}
+            {{- end }}
+          {{- end }}
+          {{- end }}
+          # securityContext:
+          #   allowPrivilegeEscalation: false
+          #   runAsUser: 1001
+          #   runAsNonRoot: true
+          #   capabilities:
+          #     drop:
+          #       - ALL
+          env:
+            - name: NAME
+              value: {{ $service }}
+            - name: VERSION
+              value: {{ $.Values.version | quote }}
+            - name: VERBOSITY
+              value: {{ $.Values.verbosity }}
+            - name: SECRETS
+              value: {{ join "," .secrets | quote }}
+            - name: PROJECT_ID
+              value: {{ $.Values.projectId }}
+{{ toYaml $.Values.environment | indent 12 }}
+{{- if .environment }}
+{{ toYaml .environment | indent 12 }}
+{{- end }}
+
+          resources:
+            limits:
+              {{- toYaml .resources | nindent 14 }}
+            requests:
+              {{- toYaml .resources | nindent 14 }}
+---
+{{ end }}
+{{ end }}

ops/chart/templates/ingress.yaml

@@ -0,0 +1,52 @@
+{{- $chart := include "chart" . }}
+{{- $name := include "name" . -}}
+
+{{- range $service, $val := $.Values.services }}
+{{- if and .ingress (not .disabled) }}
+{{- $serviceName := printf "%s-%s" $name $service -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $serviceName }}
+  namespace: {{ $.Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $serviceName }}
+    app.kubernetes.io/component: {{ $service }}
+    helm.sh/chart: {{ $chart }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Values.version | quote }}
+    {{- if .labels}}
+    {{- toYaml .labels | nindent 4 }}
+    {{- end }}
+  {{- if $.Values.ingress.annotations }}
+  {{- with $.Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+spec:
+  tls:
+  {{- range .ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+  rules:
+    - host: {{ .ingress.host}}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $serviceName }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+---
+{{- end }}
+{{- end }}

ops/chart/templates/service-account.yaml

@@ -0,0 +1,21 @@
+{{- $name := include "name" . -}}
+{{- $chart := include "chart" . -}}
+
+{{- range $service, $val := $.Values.services }}
+{{- if and $val.serviceAccount (not $val.disabled) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $val.serviceAccount }}
+  namespace: {{ $.Values.namespace }}
+  annotations:
+    iam.gke.io/gcp-service-account: "{{$val.serviceAccount }}@{{ $.Values.projectId}}.iam.gserviceaccount.com"
+  labels:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Values.version | quote }}
+    app.kubernetes.io/component: {{ $service }}
+    helm.sh/chart: {{ $chart }}
+---
+{{ end }}
+{{- end }}

ops/chart/templates/service.yaml

@@ -0,0 +1,35 @@
+{{- $chart := include "chart" . }}
+{{- $name := include "name" . -}}
+
+{{- range $service, $val := .Values.services }}
+{{- $serviceName := printf "%s-%s" $name $service -}}
+{{- if and .service (not .disabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $serviceName }}
+  namespace: {{ $.Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $serviceName }}
+    app.kubernetes.io/component: {{ $service }}
+    helm.sh/chart: {{ $chart }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Values.version | quote }}
+    {{- if .labels}}
+    {{- toYaml .labels | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .service.type }}
+  ports:
+    - port: {{ .service.port }}
+      targetPort: {{ .targetPort }}
+      protocol: {{ .protocol }}
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ $serviceName }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+---
+
+{{- end }}
+{{- end }}

ops/chart/values.staging.relayer.yaml

@@ -0,0 +1,24 @@
+services: 
+  relayer:
+    image: us-central1-docker.pkg.dev/oxbow-406621/privacy-pools-core/staging/relayer
+    serviceAccount: relayer-staging
+    command: python3
+    args: ["/app/main.py"]
+    resources:
+      cpu: 100m
+      memory: 2Gi
+    
+    service:
+      type: ClusterIP
+      port: 80
+      protocol: TCP
+      targetPort: 3000
+
+    ingress:
+      host: testnet-relayer.privacypools.com
+      paths:
+      - /
+      tls:
+        - secretName: privacypools-tls
+          hosts:
+            - testnet-relayer.privacypools.com

ops/chart/values.staging.yaml

@@ -0,0 +1,3 @@
+
+
+namespace: staging

ops/chart/values.yaml

@@ -0,0 +1,22 @@
+
+services:
+
+version: latest
+
+replicaCount: 1
+
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.org/mergeable-ingress-type: "minion"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+verbosity: WARN
+
+# Shared environment variables
+environment:
+- name: PORT
+  value: "8080"
+
+projectId: oxbow-406621
+namespace: default