diff --git a/charts/tezos-faucet/Chart.yaml b/charts/tezos-faucet/Chart.yaml index 1c0cb6237..6391f6af2 100644 --- a/charts/tezos-faucet/Chart.yaml +++ b/charts/tezos-faucet/Chart.yaml @@ -15,9 +15,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 2.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 1.16.0 +appVersion: 2.0.0 diff --git a/charts/tezos-faucet/templates/configmap.yaml b/charts/tezos-faucet/templates/configmap.yaml index ced1f7b96..743276714 100644 --- a/charts/tezos-faucet/templates/configmap.yaml +++ b/charts/tezos-faucet/templates/configmap.yaml 
@@ -1,21 +1,32 @@ +{{- if .Values.enableUI }} apiVersion: v1 -data: - config.json: | -{{ .Values.config | mustToPrettyJson | indent 4 }} kind: ConfigMap metadata: name: faucet-config namespace: {{ .Release.Namespace }} +data: + config.json: | +{{- $newProfiles := dict }} +{{- range $key, $value := .Values.profiles }} + {{- $newProfiles = set $newProfiles $key (pick $value "amount" "profile") }} +{{- end }} +{{- $_ := set .Values.config.application "profiles" $newProfiles }} +{{- $_ := set .Values.config.application "disableChallenges" .Values.disableChallenges }} +{{ .Values.config | mustToPrettyJson | indent 4 }} --- +{{- end }} + apiVersion: v1 kind: ConfigMap metadata: name: faucet-backend-config namespace: {{ .Release.Namespace }} data: - FAUCET_ADDRESS: {{ .Values.config.network.faucetAddress }} - RPC_URL: {{ .Values.config.network.rpcUrl }} - AUTHORIZED_HOST: {{ .Values.authorizedHost }} - FAUCET_AMOUNT_USER: "{{ .Values.config.application.profiles.user.amount}}" - FAUCET_AMOUNT_BAKER: "{{ .Values.config.application.profiles.baker.amount}}" + profiles.json: {{ .Values.profiles | mustToPrettyJson | quote }} + + AUTHORIZED_HOST: "{{ .Values.authorizedHost }}" + DISABLE_CHALLENGES: "{{ .Values.disableChallenges }}" + ENABLE_CAPTCHA: "{{ .Values.enableCaptcha }}" MAX_BALANCE: "{{ .Values.maxBalance }}" + REDIS_URL: "{{ .Values.redis.url }}" + RPC_URL: "{{ .Values.backendRpcUrl | default .Values.config.network.rpcUrl | required "An rpc url is required." }}" diff --git a/charts/tezos-faucet/templates/deployment.yaml b/charts/tezos-faucet/templates/deployment.yaml index 3ead2bb9d..448741519 100644 --- a/charts/tezos-faucet/templates/deployment.yaml +++ b/charts/tezos-faucet/templates/deployment.yaml 
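Review bot: Nothing in the `faucet-backend-config` data stops a release from rendering with `DISABLE_CHALLENGES: "true"` and `ENABLE_CAPTCHA: "false"` together, which switches off both abuse controls this chart configures in front of a service that dispenses funds. If that combination is never intended, fail the render above the backend ConfigMap: `{{- if and .Values.disableChallenges (not .Values.enableCaptcha) }}`, `{{- fail "Enable CAPTCHA or PoW challenges; both are disabled." }}`, `{{- end }}`. If it is a supported setup (for example a private test network), say so next to `disableChallenges` in values.yaml instead. Whether the backend applies any other rate limit is not visible here.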
@@ -15,34 +15,77 @@ spec: annotations: # ensure that the pod bounces each time configmap changes # https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: + restartPolicy: Always + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "tezos-faucet.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - - image: {{ .Values.images.tezos_faucet_backend }} - name: faucet-backend - ports: - - name: backend - containerPort: 3000 - protocol: TCP - envFrom: - - configMapRef: + - name: faucet-backend + image: {{ .Values.images.tezosFaucetBackend }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + ports: + - name: backend + containerPort: 3000 + protocol: TCP + envFrom: + - configMapRef: + name: faucet-backend-config + - secretRef: + name: faucet-backend-secret + env: + # profiles.json is stored in faucet-backend-config instead of in a new + # dedicated configmap. We don't need it to be an env var so we make it + # empty here to counteract envFrom. 
+ - name: profiles.json + value: "" + volumeMounts: + - name: faucet-backend-config + mountPath: /app/dist/profiles.json + subPath: profiles.json + readOnly: true + {{- if .Values.enableUI }} + - name: faucet + image: {{ .Values.images.tezosFaucet }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + ports: + - name: frontend + containerPort: 8080 + protocol: TCP + volumeMounts: + - name: faucet-config + mountPath: /app/public/config.json + subPath: config.json + readOnly: true + {{- end }} + volumes: + - name: faucet-backend-config + configMap: name: faucet-backend-config - - secretRef: - name: faucet-backend-secret - - image: {{ .Values.images.tezos_faucet }} - name: faucet - ports: - - name: frontend - containerPort: 8080 - protocol: TCP - volumeMounts: + {{- if .Values.enableUI }} - name: faucet-config - mountPath: "/app/src/config.json" - subPath: "config.json" - readOnly: true - restartPolicy: Always - volumes: - - name: faucet-config - configMap: - name: faucet-config -status: {} + configMap: + name: faucet-config + {{- end }} + + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/tezos-faucet/templates/ingress.yaml b/charts/tezos-faucet/templates/ingress.yaml index 435392dbe..9beb63c4d 100644 --- a/charts/tezos-faucet/templates/ingress.yaml +++ b/charts/tezos-faucet/templates/ingress.yaml 
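Review bot: The `checksum/config` annotation hashes only configmap.yaml, yet the backend container also takes its environment from `faucet-backend-secret` through `envFrom`. A `helm upgrade` that rotates `faucetPrivateKey`, the CAPTCHA secret or the Redis password therefore leaves the pod template unchanged, and the running pod keeps the old values until something else restarts it. Add a second annotation beside it: `checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}`. The Deployment's metadata and the start of the pod template lie above this hunk.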
@@ -1,6 +1,5 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := "tezos-faucet" -}} -{{- $svcPort := .Values.service.port -}} {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} @@ -16,6 +15,7 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: name: {{ $fullName }} + namespace: {{ .Release.Namespace }} labels: {{- include "tezos-faucet.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} @@ -40,25 +40,23 @@ spec: - host: {{ .Values.ingress.host | quote }} http: paths: - - path: "/info" - pathType: 'Prefix' - backend: - service: - name: {{ $fullName }} - port: - number: 3000 - - path: "/send" - pathType: 'Prefix' - backend: - service: - name: {{ $fullName }} - port: - number: 3000 - - path: "/" - pathType: 'Prefix' - backend: - service: - name: {{ $fullName }} - port: - number: 8080 + {{- range $path := list "/info" "/challenge" "/verify" }} + - path: {{ $path }} + pathType: Exact + backend: + service: + name: {{ $fullName }} + port: + number: 3000 + {{- end }} + + {{- if .Values.enableUI }} + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: 8080 + {{- end }} {{- end }} diff --git a/charts/tezos-faucet/templates/secret.yaml b/charts/tezos-faucet/templates/secret.yaml index d91a64b03..6cfd0dad6 100644 --- a/charts/tezos-faucet/templates/secret.yaml +++ b/charts/tezos-faucet/templates/secret.yaml 
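Review bot: The list `"/info" "/challenge" "/verify"` in the last hunk is an allowlist of the backend routes reachable through the Ingress, but the template does not say so. With `pathType: Exact`, any route the backend adds later stays unreachable until it is listed here. A comment above the `range` would record that, e.g. `{{- /* Backend routes exposed publicly, matched exactly; keep in sync with tezos-faucet-backend. */}}`. The `rules:` block these paths belong to starts above the hunk.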
@@ -1,17 +1,9 @@ apiVersion: v1 kind: Secret -metadata: - name: faucet-secret - namespace: {{ .Release.Namespace }} -data: - recaptcha_keys.json: | -{{ .Values.recaptcha_keys | toJson | b64enc | indent 4 }} ---- -apiVersion: v1 -kind: Secret metadata: name: faucet-backend-secret namespace: {{ .Release.Namespace }} data: - FAUCET_PRIVATE_KEY: {{ .Values.faucetPrivateKey | b64enc }} - FAUCET_CAPTCHA_SECRET: {{ .Values.googleCaptchaSecretKey | b64enc }} + CAPTCHA_SECRET: {{ .Values.googleCaptchaSecretKey | b64enc }} + FAUCET_PRIVATE_KEY: {{ required "faucetPrivateKey is required." .Values.faucetPrivateKey | b64enc }} + REDIS_PASSWORD: {{ .Values.redis.password | b64enc }} diff --git a/charts/tezos-faucet/templates/service.yaml b/charts/tezos-faucet/templates/service.yaml index 564c7678a..69f6bc290 100644 --- a/charts/tezos-faucet/templates/service.yaml +++ b/charts/tezos-faucet/templates/service.yaml @@ -7,14 +7,16 @@ metadata: namespace: {{ .Release.Namespace }} spec: type: NodePort + selector: + app: tezos-faucet ports: + {{- if .Values.enableUI }} - name: frontend port: 8080 targetPort: frontend protocol: TCP + {{- end }} - name: backend port: 3000 targetPort: backend protocol: TCP - selector: - app: tezos-faucet diff --git a/charts/tezos-faucet/templates/serviceaccount.yaml b/charts/tezos-faucet/templates/serviceaccount.yaml new file mode 100644 index 000000000..48ec2104a --- /dev/null +++ b/charts/tezos-faucet/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "tezos-faucet.serviceAccountName" . }} + labels: + {{- include "tezos-faucet.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/tezos-faucet/values.yaml b/charts/tezos-faucet/values.yaml index 8d5d78b05..8eab46a36 100644 --- a/charts/tezos-faucet/values.yaml 
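Review bot: `CAPTCHA_SECRET` is rendered from `.Values.googleCaptchaSecretKey` without the `required` check that `FAUCET_PRIVATE_KEY` gets, while values.yaml defaults it to `""` and `enableCaptcha` to `true`. An install that sets only `faucetPrivateKey` therefore hands the backend an empty CAPTCHA secret. How the backend treats an empty secret is not visible here, so fail at render time instead: `{{- if and .Values.enableCaptcha (not .Values.googleCaptchaSecretKey) }}`, `{{- fail "googleCaptchaSecretKey is required when enableCaptcha is true." }}`, `{{- end }}`. Ending the three pipelines with `| b64enc | quote` would also keep an empty value from rendering as a bare `key:`.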
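Review bot: The Service keeps `type: NodePort` (context line at the top of this hunk) while this commit removes `service.type` from values.yaml, so backend port 3000 is opened on every node. That path does not pass through the Ingress, whose new rules expose only three exact backend paths. If nothing depends on the node port, `type: ClusterIP` keeps the Ingress as the only way in; otherwise make the type a chart value that defaults to `ClusterIP`. Whether the node ports are reachable from outside depends on the cluster's network setup, which is not visible here.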
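Review bot: The new ServiceAccount leaves token automounting at its default, so the faucet pod gets a Kubernetes API token mounted although nothing in this commit shows the faucet calling the API. If it does not need one, add `automountServiceAccountToken: false` to this manifest (or to the pod spec in deployment.yaml). The metadata also omits `namespace: {{ .Release.Namespace }}`, which the other manifests touched by this commit set.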
+++ b/charts/tezos-faucet/values.yaml 
@@ -1,33 +1,72 @@ -images: - tezos_faucet: ghcr.io/oxheadalpha/tezos-faucet:latest - tezos_faucet_backend: ghcr.io/oxheadalpha/tezos-faucet-backend:latest -authorizedHost: "'*'" +# Faucet backend: https://github.com/oxheadalpha/tezos-faucet-backend +# Faucet frontend: https://github.com/oxheadalpha/tezos-faucet -# if your balance is over the max, the faucet won't give you more tokens -maxBalance: 12000 +images: + tezosFaucet: ghcr.io/oxheadalpha/tezos-faucet:2.0.0 + tezosFaucetBackend: ghcr.io/oxheadalpha/tezos-faucet-backend:2.0.0 +# Frontend app configuration. You can optionally deploy only the faucet backend. +enableUI: true config: application: - name: "Tezos Jakartanet faucet" - googleCaptchaSiteKey: #6LeiK14fAAAAAPptX4v49I4wSrHjOrU2cb_y5oII - backendUrl: "http://localhost:3000" - githubRepo: "https://github.com/oxheadalpha/tezos-faucet" - profiles: - user: - profile: USER - amount: 1 - baker: - profile: BAKER - amount: 6000 + name: "Tezos Faucet" + googleCaptchaSiteKey: "" # 6LefC8QmAAAAAIX... + # Default value assumes faucet backend is available on localhost. + backendUrl: http://localhost:3000 + githubRepo: https://github.com/oxheadalpha/tezos-faucet network: - name: #Jakartanet - rpcUrl: #https://jakartanet.tezos.marigold.dev/ - faucetAddress: #tz1cpdS3qoQBYCGohszPWS8Gdya6Wg2e4JnL - viewer: #https://jakarta.tzstats.com - allowSendButton: true -service: - type: ClusterIP - port: 8080 + name: Custom + # Default value assumes node RPC is available on localhost. + rpcUrl: http://localhost:8732 + faucetAddress: "" # tz1PW... + viewer: "" # https://network.tzstats.com + +# Value the server sets for the "Access-Control-Allow-Origin" header for CORS. +authorizedHost: "*" +# RPC url for the faucet backend. Default value assumes tezos-k8s created an RPC +# service in the same namespace. If not set, defaults to `config.network.rpcUrl`. +backendRpcUrl: http://tezos-node-rpc:8732 +# If the backend requires CAPTCHA tokens to be submitted. 
+enableCaptcha: true +# Faucet won't dispense to an address if its balance exceeds this. +maxBalance: 6000 + +# Configuration for the faucet profiles. To prevent spamming and abuse, each +# profile has specific parameters that control the distribution of Tez and the +# complexity and number of PoW challenges needed. +# - `profile`: The name of the profile. +# - `amount`: Amount of Tez to be distributed for this profile. +# - `challengesNeeded`: Number of challenges given when CAPTCHA isn't used. +# - `challengesNeededWithCaptcha`: Number of challenges given when CAPTCHA is used. +# - `difficulty`: Challenge difficulty level when CAPTCHA isn't used. +# - `difficultyWithCaptcha`: Challenge difficulty level when CAPTCHA is used. +profiles: + user: + amount: 1 + challengesNeeded: 5 + challengesNeededWithCaptcha: 4 + difficulty: 4 + difficultyWithCaptcha: 3 + baker: + amount: 6000 + challengesNeeded: 6 + challengesNeededWithCaptcha: 5 + difficulty: 5 + difficultyWithCaptcha: 4 + +# Set to true to disable the requirement of solving PoW challenges. +disableChallenges: false + +# Config for the Redis backend for the PoW challenges. Redis is not needed if +# challenges are disabled. +redis: + url: "" # redis://redis-master.redis:6379 + password: "" + +# Secrets +googleCaptchaSecretKey: "" # 6LefC8QmAAAAAPH... +faucetPrivateKey: "" # edsk3X... + ingress: enabled: false className: "" @@ -40,6 +79,30 @@ ingress: # hosts: # - chart-example-frontend.local -# Secrets -googleCaptchaSecretKey: secret_key_goes_here -faucetPrivateKey: edsk*** +imagePullPolicy: IfNotPresent +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + +serviceAccount: + create: true + annotations: {} + name: tezos-faucet + +nodeSelector: {} + +tolerations: [] + +affinity: {}
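Review bot: `googleCaptchaSecretKey` and `faucetPrivateKey` under `# Secrets`, and `redis.password` above them, are plain chart values, and no comment tells operators where real values should live. Extend the comment, e.g. `# Secrets. Supply at install time from a values file kept out of version control; never commit real keys here.` Likewise `redis.url` is rendered into the `faucet-backend-config` ConfigMap rather than the Secret, so its comment should say that credentials belong in `redis.password`, not in the URL.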
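Review bot: The default `securityContext` in the second hunk drops all capabilities and blocks privilege escalation, but sets neither a read-only root filesystem nor a seccomp profile. Adding `readOnlyRootFilesystem: true` to `securityContext`, and `seccompProfile:` with `type: RuntimeDefault` to `podSecurityContext`, would complete the hardening. The first needs checking against both images, since whether they write to their root filesystem is not visible here.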