ci: add relayer deployment

Adds a new "relayer" helm chart for deploying the custom relayer
container image for penumbra preview <-> testnet paths.

In the process, reorganizes the helm charts for ci into a subdir.

Towards #465.

Author: conorsch

.github/workflows/deploy-preview.yml

@@ -74,3 +74,9 @@ jobs:
           export PENUMBRA_UID_GID='${{ github.event.inputs.image_uid_gid }}'
           export HELM_RELEASE='penumbra-testnet-preview'
           ./ci.sh
+
+      # We only run one (1) relayer instance, and re-deploy it as part of the preview update.
+      # The other end of the configured path is the long-running testnet.
+      - name: deploy relayer
+        run: |-
+          ./deployments/scripts/bounce-relayer

deployments/README.md

@@ -16,7 +16,7 @@ The networks are completely separate.
 ```
 .
 ├── ci.sh # runner script for executing a deploy against k8s
-├── helm/ # helm chart used to configure full-node/validator layout
+├── charts/ # helm charts used to configure full-node/validator layout
 ├── networks/ # logic specific to network, e.g. "testnet" or "testnet-preview"
 │  └── testnet/
 └── terraform/ # server and cluster provisioning logic

deployments/helm/.gitignore deployments/charts/penumbra/.gitignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deployments/helm/.helmignore deployments/charts/penumbra/.helmignore

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: relayer
+description: Run the Cosmos relayer against Penumbra chains
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

deployments/helm/Chart.yaml deployments/charts/penumbra/Chart.yaml

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "relayer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "relayer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "relayer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "relayer.labels" -}}
+helm.sh/chart: {{ include "relayer.chart" . }}
+{{ include "relayer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "relayer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "relayer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "relayer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "relayer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deployments/helm/templates/_helpers.tpl deployments/charts/penumbra/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "relayer.fullname" . }}
+  labels:
+    {{- include "relayer.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "relayer.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "relayer.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # The relayer exposes an API by default on localhost:5183; in our container entrypoint,
+          # we set localhost:5100 on the `rly start` command. Doing so allows us to check
+          # sockets on the container; if 5183 is open, it's still configuring; if 5100 is open,
+          # then the service is actually running.
+          ports:
+            - containerPort: 5100
+          startupProbe:
+            tcpSocket:
+              port: 5100
+            # The container entrypoint will block for a while, building relayer config
+            # from remote chain info. Let's give the relayer 10m to start up.
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 60
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

deployments/helm/templates/backend-svc.yaml deployments/charts/penumbra/templates/backend-svc.yaml

@@ -0,0 +1,48 @@
+# Default values for relayer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/penumbra-zone/relayer
+  # always pull, because we'll be reusing "main" (i.e. latest) tag for now,
+  # frequently redeploying preview.
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "main"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

deployments/helm/templates/fn-deployments.yaml deployments/charts/penumbra/templates/fn-deployments.yaml

@@ -15,7 +15,7 @@ set -euo pipefail
 # The following env vars can be used to override config fars
 # for the helm chart. N.B. these env vars are also configured
 # in GitHub Actions, so the values below may be out of date.
-WORKDIR="${WORKDIR:=$(pwd)/helm/pdcli}"
+WORKDIR="${WORKDIR:=$(pwd)/charts/penumbra/pdcli}"
 IMAGE="${IMAGE:-ghcr.io/penumbra-zone/penumbra}"
 PENUMBRA_VERSION="${PENUMBRA_VERSION:-main}"
 PENUMBRA_UID_GID="${PENUMBRA_UID_GID:-1000\:1000}"
@@ -118,7 +118,7 @@ done
 # as necessary. Will *not* replace certain durable resources like
 # the ManagedCertificate, which is annotated with helm.sh/resource-policy=keep.
 function helm_install() {
-    helm upgrade --install "$HELM_RELEASE" ./helm \
+    helm upgrade --install "$HELM_RELEASE" ./charts/penumbra \
         --set "numValidators=$NVALS" \
         --set "numFullNodes=$NFULLNODES" \
         --set "penumbra.image=$IMAGE" \

deployments/helm/templates/fn-p2p-svcs.yaml deployments/charts/penumbra/templates/fn-p2p-svcs.yaml

@@ -18,5 +18,7 @@ Finished configuring the relayer for Penumbra!
 Starting service...
 ##############################################
 EOM
-# Run the relayer as a blocking service
-exec rly start penumbra_path
+# Run the relayer as a blocking service.
+# We set a custom debug address (default is 5183) to support
+# healthchecks determining whether it's running.
+exec rly start penumbra_path --debug-addr 127.0.0.1:5100

deployments/helm/templates/fn-pvcs.yaml deployments/charts/penumbra/templates/fn-pvcs.yaml

@@ -0,0 +1,38 @@
+#!/bin/bash
+# CI script to handle re-deploying the IBC relayer deployment.
+# Unlike most of our CI deployments, we only run one (1) relayer instance.
+# It's deployed right after a new preview deploy goes out, referencing the
+# freshly generated preview chain, as well as the currently running testnet.
+#
+# At all times, we expect there to be one (1) relayer deployment, and we're
+# currently deploying the latest image built from "main". Therefore we cannot
+# expect helm to handle resetting the deployment, because on the surface,
+# the config looks identical: same container tag, same vars, same number of replicas.
+# To accommodate, we'll look up whether a relayer deployment exists, and if so,
+# bounce it via `rollout deployment restart`, which will trigger a new image pull
+# due to the chart's `image.pull=Always` setting. If and when we decide to redeploy
+# the relayer as part of the testnets, rather than preview, we should modify this
+# logic to set a specific version, e.g. `image.tag=049-pasiphae.1` or similar.
+set -euo pipefail
+
+
+# Set name for expected deployment.
+relayer_deployment="relayer-preview"
+
+# If any deployments with the string "relayer" in the name are found,
+# consider the relayer to be running already, in which case we'll bounce.
+if kubectl get deployments --output json | jq .items[].metadata.name -r | grep -q "$relayer_deployment" ; then
+    >&2 echo "Found existing relayer deployment, bouncing it..."
+    kubectl rollout restart deployment "$relayer_deployment"
+    # Block until deployment is complete. The entrypoint script builds configs,
+    # and blocks for a while. The helm chart waits 10m before giving up, so let's
+    # wait slightly longer than that on this timeout.
+    kubectl rollout status deployment "$relayer_deployment" --timeout=15m
+# Otherwise, relayer is not running. Maybe it was manually destroyed?
+# Enforce state again by applying the helm chart.
+else
+    >&2 echo "Relayer NOT currently running. Deploying it..."
+    repo_root="$(git rev-parse --show-toplevel)"
+    cd "${repo_root}/deployments" || exit 1
+    helm upgrade --install "$relayer_deployment" ./charts/relayer
+fi