polkadot builds (gitlab), releases (docker) and deployment (kubernetes) (#48)

* ci: add Dockerfile and its build

* make docker version tag

* polkadot with static ip address in nodeport stateful set on kubernetes

* use helm for templating

* enable rbac for polkadot

polkadot/scripts/docker/Dockerfile

@@ -0,0 +1,29 @@
+FROM ubuntu:xenial
+LABEL maintainer "devops-team@parity.io"
+LABEL description="Paritytech Polkadot Node Implementation"
+
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        libssl1.0.0 \
+        ca-certificates \
+        curl && \
+    apt-get autoremove -y && \
+    apt-get clean
+    
+RUN find /var/lib/apt/lists/ -type f -not -name lock -delete
+
+COPY ./polkadot /usr/local/bin
+
+
+
+RUN useradd -m -u 1000 -U -s /bin/sh -d /polkadot polkadot
+USER polkadot
+
+ENV RUST_BACKTRACE 1
+
+EXPOSE 30333 9933 9944
+VOLUME ["/polkadot"]
+
+ENTRYPOINT ["/usr/local/bin/polkadot"]
+

polkadot/scripts/kubernetes/Chart.yaml

@@ -0,0 +1,12 @@
+name: polkadot
+version: 0.1
+appVersion: 0.2.0
+description: Polkadot Node Implementation
+home: https://polkadot.network/
+icon: https://polkadot.network/favicon.ico
+sources:
+  - https://github.com/paritytech/polkadot/
+maintainers:
+  - name: Paritytech Devops Team
+    email: devops-team@parity.io
+tillerVersion: ">=2.8.0"

polkadot/scripts/kubernetes/README.md

@@ -0,0 +1,47 @@
+
+
+# Polkadot Kubernetes Helm Chart
+
+This [Helm Chart](https://helm.sh/) can be used for deploying containerized 
+**Polkadot** to a [Kubernetes](https://kubernetes.io/) cluster.
+
+
+## Prerequisites
+
+- Tested on Kubernetes 1.10.7-gke.6
+
+## Installation
+
+To install the chart with the release name `my-release` into namespace 
+`my-namespace` from within this directory:
+
+```console
+$ helm install --namespace my-namespace --name my-release --values values.yaml ./
+```
+
+The command deploys Polkadot on the Kubernetes cluster in the configuration 
+given in `values.yaml`. When the namespace is omitted it'll be installed in 
+the default one.
+
+
+## Removal of the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete --namespace my-namespace my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+
+## Upgrading
+
+Once the chart is installed and a new version should be deployed helm takes 
+care of this by
+
+```console
+$ helm upgrade --namespace my-namespace --values values.yaml my-release ./
+```
+
+

polkadot/scripts/kubernetes/templates/poddisruptionbudget.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: polkadot
+spec:
+  selector:
+    matchLabels:
+      app: polkadot
+  maxUnavailable: 1
+

polkadot/scripts/kubernetes/templates/service.yaml

@@ -0,0 +1,39 @@
+# see:
+# https://kubernetes.io/docs/tutorials/services/
+# https://kubernetes.io/docs/concepts/services-networking/service/
+# headless service for rpc
+apiVersion: v1
+kind: Service
+metadata:
+  name: polkadot-rpc
+  labels:
+    app: polkadot
+spec:
+  ports:
+  - port: 9933
+    name: http-rpc
+  - port: 9944
+    name: websocket-rpc
+  selector:
+    app: polkadot
+  sessionAffinity: None
+  type: ClusterIP
+  clusterIP: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: polkadot
+spec:
+  ports:
+  - port: 30333
+    name: p2p
+    nodePort: 30333
+    protocol: TCP
+  selector:
+    app: polkadot
+  sessionAffinity: None
+  type: NodePort
+  # don't route exteral traffic to non-local pods
+  externalTrafficPolicy: Local
+

polkadot/scripts/kubernetes/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.rbac.enable }}
+# service account for polkadot pods themselves
+# no permissions for the api are required
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: polkadot
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+  name: {{ .Values.rbac.name }}
+{{- end }}

polkadot/scripts/kubernetes/templates/statefulset.yaml

@@ -0,0 +1,102 @@
+# https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/
+# https://cloud.google.com/kubernetes-engine/docs/concepts/statefulset
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: polkadot
+spec:
+  selector:
+    matchLabels:
+      app: polkadot
+  serviceName: polkadot
+  replicas: {{ .Values.nodes.replicas }}
+  updateStrategy:
+    type: RollingUpdate
+  podManagementPolicy: Parallel
+  template:
+    metadata:
+      labels:
+        app: polkadot
+    spec:
+      {{- if .Values.rbac.enable }}
+      serviceAccountName: {{ .Values.rbac.name }}
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+                - key: node
+                  operator: In
+                  values:
+                  - polkadot
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: "app"
+                    operator: In
+                    values:
+                    - polkadot
+              topologyKey: "kubernetes.io/hostname"
+      terminationGracePeriodSeconds: 300
+      containers:
+      - name: polkapod
+        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        {{- if .Values.resources }}
+        resources:
+          requests:
+            memory: {{ .Values.resources.memory }}
+            cpu: {{ .Values.resources.cpu }}
+        {{- end }}
+        ports:
+        - containerPort: 30333
+          name: p2p
+        - containerPort: 9933
+          name: http-rpc
+        - containerPort: 9944
+          name: websocket-rpc
+        args:
+          - --base-path
+          - {{ .Values.image.basepath }}
+          - --name
+          - $(MY_POD_NAME)
+        {{- range .Values.nodes.args }}
+          - {{ . }}
+        {{- end }}
+        env:
+          # from (workaround for hostname)
+          # https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/
+          - name: MY_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+        volumeMounts:
+        - name: polkadir
+          mountPath: {{ .Values.image.basepath }}
+        readinessProbe:
+          tcpSocket:
+            port: http-rpc
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        livenessProbe:
+          tcpSocket:
+            port: http-rpc
+          initialDelaySeconds: 30
+          periodSeconds: 30
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 1000
+  volumeClaimTemplates:
+  - metadata:
+      name: polkadir
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: ssd
+      resources:
+        requests:
+          storage: 32Gi
+

polkadot/scripts/kubernetes/values.yaml

@@ -0,0 +1,37 @@
+# set tag manually --set image.tag=latest
+image:
+  repository: parity/polkadot
+  tag: latest
+  pullPolicy: Always
+  basepath: /polkadot
+
+
+# if set to true a service account for polkadot will be created
+rbac:
+  enable: true
+  name: polkadot
+
+
+nodes:
+  replicas: 2
+  args:
+    - --chain
+    - krummelanke
+    # serve rpc within the local network
+    # - fenced off the world via firewall
+    # - used for health checks
+    - --rpc-external
+    - --ws-external
+    # - --log
+    # - sub-libp2p=trace
+    # - --validator
+    # - --key
+    # - key_name
+
+
+
+# maybe adopt resource limits here to the nodes of the pool
+# resources:
+#   memory: "5Gi"
+#   cpu: "1.5"
+