
Comments (10)

boz commented on August 31, 2024

For instance this is how we used to include an init script:

https://github.com/ovrclk/akash/blob/v0.5.0/_run/multi/akash-provider/templates/configmaps.yaml#L11-L12

from helm-charts.

88plug commented on August 31, 2024

Already solved in new fork -

boz commented on August 31, 2024

I think we should create the state that's needed before running helm and then have helm package it up into secrets/config, where we can mount it into the pod.

  • create keys
  • create certificate
  • fund account
  • create/update provider attributes

can all be done locally, before installing onto helm.

Local storage works well but it depends on node affinity, which can be cumbersome and/or problematic.

arno01 commented on August 31, 2024

Since we can query the blockchain before invoking the akash provider run, I don't see the need of adding any additional manual steps.

  • create keys

That's already done locally and injected upon helm install.

  • create certificate

The already existing run.sh would just need to check the cert's validity and SAN before invoking akash tx cert create server provider.{{ .Values.domain }} ...

This can be used:

it gets the last available valid cert.

$ akash query cert list --state=valid --owner=akash10fl5f6ukr8kc03mtmf8vckm6kqqwqpc04eruqa | jq -r '.certificates[-1].certificate.cert | @base64d' | openssl x509 -noout -enddate -ext subjectAltName
notAfter=Feb 18 17:49:57 2023 GMT
X509v3 Subject Alternative Name: 
    DNS:provider.akash.world

  • fund account

run.sh can also check the balance akash query bank balances $ACCOUNT before starting the provider and get into a loop saying echo "Please fund provider account: $ACCOUNT"; sleep 30; in case the balance is low (i.e. < 10 AKT).

  • create/update provider attributes

Same here, just check the diff between new values in provider.yaml against what's seen on the blockchain:

akash query provider get akash10fl5f6ukr8kc03mtmf8vckm6kqqwqpc04eruqa

More ideas:

We can add an Akash RPC time check, so provider won't run until Akash RPC node is synced.
Can re-use the code I've added here https://github.com/arno01/akash-tools/blob/58cfbd37/cli-booster/akash.source#L69-L87

Local storage works well but it depends on node affinity, which can be cumbersome and/or problematic.

Akash allows multiple valid certs unless they expire or are manually revoked, so this is going to work as we don't revoke old certs.
And then, should one worker node die / go into maintenance, the akash provider will just spawn at the next available worker node. Yes, it will create the new cert if it is absent there locally but it won't keep creating them again until the cert gets expired (current cert validity is 1 year) / manually revoked.
Akash provider will use already generated cert there should it return back to its original worker node.

I do not really see any issues with using the local volumes nor the need to deal with the node affinity.
This will limit the amount of new certs to the number of worker nodes.

@boz let me know WDYT.

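The certificate check described in the comment above, as an added example (not code from the thread or from the helm-charts repository): it reads the output of the `openssl x509 -noout -enddate -ext subjectAltName` pipeline shown there and decides whether `run.sh` has to create a new certificate. The function names and the 7-day renewal margin are assumptions; the sample text is the output quoted in the comment.

```shell
#!/bin/sh
# Convert an openssl notAfter value ("Feb 18 17:49:57 2023 GMT") to epoch
# seconds using only shell arithmetic, so it does not depend on GNU date.
notafter_to_epoch() {
    set -- $1                                  # Mon DD HH:MM:SS YYYY TZ
    [ $# -ge 4 ] || return 1
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0} y=$4 t=$3
    hh=${t%%:*}; t=${t#*:}; mm=${t%%:*}; ss=${t#*:}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # count years from 1 March
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    yoe=$(( y % 400 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( y / 400 * 146097 + doe - 719468 ))
    echo $(( days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# stdin: openssl output. $1: expected SAN host, $2: minimum remaining
# lifetime in seconds (assumed default 7 days), $3: "now" as epoch seconds.
# Returns 0 when a new cert must be created, 1 when the old one is reusable.
cert_needs_renewal() {
    want=$1 margin=${2:-604800} now=${3:-$(date +%s)}
    out=$(cat)
    end=$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p')
    [ -n "$end" ] || return 0                  # no valid cert on chain
    exp=$(notafter_to_epoch "$end") || return 0
    [ $((exp - now)) -ge "$margin" ] || return 0
    # SAN entries are comma separated: "    DNS:a, DNS:b"
    printf '%s\n' "$out" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$want" || return 0
    return 1
}

# Sample input: the openssl output quoted in the comment above.
SAMPLE='notAfter=Feb 18 17:49:57 2023 GMT
X509v3 Subject Alternative Name: 
    DNS:provider.akash.world'

# Evaluated 30 days before expiry (fixed "now" so the result is repeatable).
if printf '%s\n' "$SAMPLE" | cert_needs_renewal provider.akash.world 604800 1674150597
then echo "create new cert"; else echo "reuse existing cert"; fi
```

In `run.sh` the function would be fed by the `akash query cert list ... | openssl x509 ...` pipeline from the comment instead of `SAMPLE`, with the third argument omitted.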

sacreman commented on August 31, 2024

I'd like to at some point default persistent storage in this chart to enabled. This is the very simple helm chart persistent storage which uses local-storage (not Ceph).

With persistent storage and a statefulset we know if the chart is installing for the first time or not because we have a disk we can query for the config.

This config could also be compared against the chain if it exists and update commands only run if they are needed.

We are constantly conscious about not extending the initial install documentation at all. Enabling persistent storage in this chart means 2 additional steps: 1. finding a node name to bind the pod to and 2. creating a directory on that node to hold the data. We'll get feedback on whether this overcomplicated the instructions and if not I think that's the preferred way to go.

arno01 commented on August 31, 2024

I think this is now solved through pod's lifecycle only (PR #36), which should be sufficient as we don't expect this pod to be recreated often to cause any significant issue such as AKT drainage.

I'm going to keep this issue open until I confirm the fix (PR #36) is working as expected by only restarting the pod (via kill cpid 1) instead of recreating it (kubectl delete pod).

arno01 commented on August 31, 2024

Have just tested this now, so it appears that everything gets removed even on a simple pod restart.
We should probably enable the persistent storage similarly to how it was done for akash-node by the use of K8s's local storage PersistentVolume.

Evidence

Pod akash-provider-774c47d94-h9vkt:

root@node1:~# kubectl get pods -A |grep akash-provi
akash-services                                  akash-provider-774c47d94-h9vkt             1/1     Running   0          4m7s

Making pod akash-provider-774c47d94-h9vkt restart:

root@node1:~# kubectl -n akash-services exec -ti $(kubectl -n akash-services get pods -l app=akash-provider --output jsonpath='{.items[0].metadata.name}') -- bash
root@akash-provider-774c47d94-h9vkt:/# ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 17:12 ?        00:00:00 /bin/bash /boot/run.sh
root        2971       1  0 17:13 ?        00:00:02 /bin/akash provider run --cluster-k8s
root        2988       0  0 17:17 pts/0    00:00:00 bash
root        3063    2988  0 17:17 pts/0    00:00:00 ps -ef
root@akash-provider-774c47d94-h9vkt:/# kill 2971
root@akash-provider-774c47d94-h9vkt:/# command terminated with exit code 137

Pod is still same akash-provider-774c47d94-h9vkt:

root@node1:~# kubectl get pods -A |grep akash-provi
akash-services                                  akash-provider-774c47d94-h9vkt             1/1     Running   1 (3s ago)   4m30s

But the cert is gone now...

root@node1:~# kubectl -n akash-services logs $(kubectl -n akash-services get pods -l app=akash-provider --output jsonpath='{.items[0].metadata.name}') --tail=10 -f

...
/root/.akash/akash1nxq8gmsw2vlz3m68qvyvcf3kh6q269ajvqw6y0.pem file is missing.

andy108369 commented on August 31, 2024

See if we can leverage the configmap to store & restore the cert.

andy108369 commented on August 31, 2024

See if we can leverage the configmap to store & restore the cert.

configmap & secrets are for consuming only (i.e. they are always readonly) - ref kubernetes/kubernetes#62099

The easiest and most straightforward way is to use a hostPath (/root/.akash/k8s-provider) for this purpose.
I've prepared the PR that I've tested, going to push in a few minutes.

andy108369 commented on August 31, 2024

#177
