github.com/hyperledger/burrow@v0.34.5-0.20220512172541-77f09336001d/helm/burrow/README.md

github.com/hyperledger/burrow@v0.34.5-0.20220512172541-77f09336001d/helm/burrow/README.md (about)

     1  # Burrow
     2  
     3  [Burrow](https://github.com/hyperledger/burrow) is a permissioned Ethereum smart-contract blockchain node which provides transaction finality and high transaction throughput 
     4  on a proof-of-stake [Tendermint](https://tendermint.com) consensus engine.
     5  
     6  ## Introduction
     7  
     8  This chart bootstraps a burrow network on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
     9  
    10  ## Installation
    11  
    12  ### Prerequisites
    13  
    14  To deploy a new blockchain network, this chart requires that two objects be present in the same Kubernetes namespace: a configmap should house the genesis file and each node should 
    15  have a secret to hold any validator keys. The provided script, `addresses.sh` automatically provisions a number of files using the [burrow](https://github.com/hyperledger/burrow) toolkit, 
    16  so please first ensure that `burrow --version` matches the `image.tag` in the [configuration](#configuration). This sequence also requires that the [jq](https://stedolan.github.io/jq/) binary 
    17  is installed. Two files will be generated, the first of note is `setup.yaml` which contains the two necessary Kubernetes specifications to be added to the cluster:
    18  
    19  ```bash
    20  curl -LO https://raw.githubusercontent.com/helm/charts/master/stable/burrow/initialize.sh
    21  CHAIN_NODES=4 CHAIN_NAME="my-release-burrow" ./initialize.sh
    22  kubectl apply --filename setup.yaml
    23  ```
    24  
    25  Please note that the variable `$CHAIN_NAME` should be the same as the helm release name specified below with the `-burrow` suffix. 
    26  Another file, `addresses.yaml` contains the the equivalent validator addresses to set in the charts.
    27  
    28  ### Deployment
    29  
    30  To install the chart with the release name `my-release` with the set of custom validator addresses:
    31  
    32  ```bash
    33  helm install stable/burrow --name my-release --values addresses.yaml
    34  ```
    35  
    36  The [configuration](#configuration) section below lists all possible parameters that can be configured during installation. Please also see the [runtime configuration](#runtime) 
    37  section for more information on how to setup your network properly.
    38  
    39  ## Uninstall
    40  
    41  To uninstall/delete the `my-release` deployment:
    42  
    43  ```console
    44  $ helm delete my-release
    45  ```
    46  
    47  This command removes all the Kubernetes components associated with the chart and deletes the release. To remove the configmap and secret created in the [prerequisites](#prerequisites), follow these steps:
    48  
    49  ```bash
    50  kubectl delete secret ${CHAIN_NAME}-keys
    51  kubectl delete configmap ${CHAIN_NAME}-genesis
    52  ```
    53  
    54  ## Configuration
    55  
    56  The following table lists the configurable parameters of the Burrow chart and its default values.
    57  
    58  | Parameter | Description | Default |
    59  | --------- | ----------- | ------- |
    60  | `affinity` | node/pod affinities | `{}` |
    61  | `chain.nodes` | number of nodes for the blockchain network | `1` |
    62  | `chain.logLevel` | log level for the nodes (`debug`, `info`, `warn`) | `"info"` |
    63  | `chain.extraSeeds` | network seeds to dial in addition to the cluster booted by the chart; each entry in the array should be in the form `ip:port` (note: because P2P connects over tcp, the port is absolutely required) | `[]` |
    64  | `restore.enabled` | toggle chain restore mechanism | `false` |
    65  | `chain.testing` | toggle pre-generated keys & genesis for ci testing | `false` |
    66  | `config` | the [burrow configuration file](https://github.com/hyperledger/burrow/blob/develop/tests/chain/burrow.toml) | `{}` |
    67  | `config.Tendermint.ListenPort` | peer port | `26656` |
    68  | `contracts.enabled` | toggle post-install contract deployment | `false` |
    69  | `contracts.image` | contract deployer image | `""` |
    70  | `contracts.tag` | contract deployer tag | `""` |
    71  | `contracts.deploy` | command to run in post-install hook | `""` |
    72  | `env` | environment variables to configure burrow | `{}` |
    73  | `extraArgs` | extra arguments to give to the build in `burrow start` command | `{}` |
    74  | `image.repository` | image repository | `"hyperledger/burrow"` |
    75  | `image.tag` | image tag | `"0.29.4"` |
    76  | `image.pullPolicy` | image pull policy | `"IfNotPresent"` |
    77  | `livenessProbe.enabled` | enable liveness checks | `true` |
    78  | `livenessProbe.path` | http endpoint | `"/status?block_seen_time_within=3m"` |
    79  | `livenessProbe.initialDelaySeconds` | start after | `240` |
    80  | `livenessProbe.timeoutSeconds` | retry after | `1` |
    81  | `livenessProbe.periodSeconds` | check every | `30` |
    82  | `nodeSelector` | node labels for pod assignment | `{}` |
    83  | `organization` | name of the organization running these nodes (used in the peer's moniker) | `""` |
    84  | `persistence.enabled` | enable pvc for the chain data | `true` |
    85  | `persistence.size` | size of the chain data pvc | `"80Gi"` |
    86  | `persistence.storageClass` | storage class for the chain data pvc | `"standard"` |
    87  | `persistence.accessMode` | access mode for the chain data pvc | `"ReadWriteOnce"` |
    88  | `persistence.persistentVolumeReclaimPolicy` | does not delete on node restart | `"Retain"` |
    89  | `podAnnotations` | annotations to add to each pod | `{}` |
    90  | `podLabels` | labels to add to each pod | `{}` |
    91  | `readinessProbe.enabled` | enable readiness checks | `true` |
    92  | `readinessProbe.path` | http endpoint | `"/status"` |
    93  | `readinessProbe.initialDelaySeconds` | start after | `5` |
    94  | `resources.limits.cpu` | - | `"500m"` |
    95  | `resources.limits.memory` | - | `"1Gi"` |
    96  | `resources.requests.cpu` | - | `"100m"` |
    97  | `resources.requests.memory` | - | `"256Mi"` |
    98  | `grpc.service.type` | service type | `"ClusterIP"` |
    99  | `grpc.service.loadBalance` | enable load balancing across nodes | `true` |
   100  | `grpc.ingress.enabled` | expose port | `false` |
   101  | `grpc.ingress.hosts` | - | `[]` |
   102  | `grpc.ingress.annotations` | extra annotations | `` |
   103  | `grpc.ingress.tls` | - | `` |
   104  | `info.service.type` | service type | `"ClusterIP"` |
   105  | `info.service.loadBalance` | enable load balancing across nodes | `true` |
   106  | `info.ingress.enabled` | expose port | `false` |
   107  | `info.ingress.partial` | exposes the `/accounts` and `/blocks` paths externally | `false` |
   108  | `info.ingress.pathLeader` | - | `"/"` |
   109  | `info.ingress.annotations` | extra annotations | `` |
   110  | `info.ingress.hosts` | - | `[]` |
   111  | `info.ingress.tls` | - | `` |
   112  | `peer.service.type` | service type | `"ClusterIP"` |
   113  | `peer.ingress.enabled` | expose port | `false` |
   114  | `peer.ingress.hosts` | - | `[]` |
   115  | `tolerations` | list of node taints to tolerate | `[]` |
   116  | `validatorAddresses` | list of validators to deploy | `[]` |
   117  
   118  
   119  Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
   120  
   121  ```bash
   122  helm install stable/burrow --name my-release \
   123    --set=image.tag=0.23.2,resources.limits.cpu=200m -f addresses.yaml
   124  ```
   125  
   126  Alternatively, append additional values to the YAML file generated in the [prerequisites](#prerequisites). For example,
   127  
   128  ```bash
   129  helm install stable/burrow --name my-release -f addresses.yaml
   130  ```
   131  
   132  ## Runtime
   133  
   134  It is unlikely that you will want to deploy this chart with the default runtime configuration. When booting permissioned blockchains in a cloud environment there are three predominant considerations in addition to the normal configuration of any cloud application.
   135  
   136  1. What access rights to place on the ports?
   137  2. What is the set of initial accounts and validators for the chain?
   138  3. What keys should the validating nodes have?
   139  
   140  Each of these considerations will be dealt with in more detail below.
   141  
   142  ### Port Configuration
   143  
   144  Burrow utilizes three different ports by default:
   145  
   146  * `Peer`: Burrow's peer port is used for P2P communication within the blockchain network as part of the consensus engine ([Tendermint](https://github.com/tendermint/tendermint)) to perform bilateral gossiping communication.
   147  * `Info`: Burrow's info port is used for conducting remote procedures.
   148  * `GRPC`: Burrow's grpc port can be used by JavaScript libraries to interact with the chain over websockets.
   149  
   150  The default configuration for the chart sets up the port access rights in the following manner:
   151  
   152  * `Peer`: Peer ports are **only** opened within the cluster. By default, there is no P2P communication exposed to the general internet. Each node within the cluster has its own distinct peer service built by the chart which utilizes a `ClusterIP` service type.
   153  * `Info`: The info port is **only** opened within the cluster. By default, there is no info communication exposed to the general internet. There is **one** info service built by the chart which utilizes a `ClusterIP` service type. The default info service used by the chart is strongly linked to node number `000` and is not load balanced across the nodes by default so as to reduce any challenges with tooling that conduct long-polling after sending transactions. The chart offers an ingress which is connected to the info service, but this is `disabled` by default.
   154  * `GRPC`: The grpc port is **only** opened within the cluster. By default, there is no grpc communication exposed to the general internet. There is **one** grpc service built by the chart which utilizes a `ClusterIP` service type. The default grpc service used by the chart is load balanced across the nodes within the cluster by default because libraries which utilize this port typical do so on websockets and the service is able to utilize a sessionAffinity setting.
   155  
   156  In order to expose the peers to the general internet change the `peer.service.type` to `NodePort`. It is not advised to run P2P traffic through an ingress or other load balancing service as there is uncertainty with respect to the IP address which the blockchain node advertises and gossips. As such, the best way to expose P2P traffic to the internet is to utilize a `NodePort` service type. While such service types can be a challenge to work with in many instances, the P2P libraries that these blockchains utilize are very resilient to movement between machine nodes. The biggest gotcha with `NodePort` service types is to ensure that the machine nodes have proper egress within the cloud or data center provider. As long as the machine nodes do not have egress restrictions disabling the utilization of `NodePort` service types, the P2P traffic will be exposed fluidly.
   157  
   158  To expose the info service to the general internet change the default `rpcInfo.ingress.enabled` to `true` and add the appropriate fields to the ingress for your Kubernetes cluster. This will allow developers to connect to the info service from their local machines.
   159  
   160  To disable load balancing on the grpc service, change the `rpcGRPC.service.loadBalance` to `false`.
   161  
   162  ### Genesis
   163  
   164  Burrow initializes any single blockchain via use of a `genesis.json` which defines what validators and accounts are given access to the permissioned blockchain when it is booted. The chart imports the `genesis.json` file as a Kubernetes configmap and then mounts it in each node deployment.
   165  
   166  ### Validator Keys
   167  
   168  **NOTE: The chart has not been security audited and as such one should use the validator keys functionality of the chart at one's own risk.**
   169  
   170  Burrow blockchain nodes need to have a key available to them which has been properly registered within the `genesis.json` initial state. The registered key is what enables a blockchain node to participate in the P2P validation of the network. The chart imports the validator key files as Kubernetes secrets, so the security of the blockchain is only as strong as the cluster's integrity.