Skip to content

Latest commit

 

History

History
212 lines (184 loc) · 10.6 KB

README.md

File metadata and controls

212 lines (184 loc) · 10.6 KB

teku

Version: 1.1.3 Type: application

An open-source Ethereum 2.0 client, written in Java

Homepage: https://consensys.net/knowledge-base/ethereum-2/teku/

Source Code

Values

Key Type Default Description
affinity object {} Affinity configuration for pods
annotations object {} Annotations for the StatefulSet
checkpointSync object {"enabled":false,"url":""} Checkpoint Sync
containerSecurityContext object See values.yaml The security context for containers
customCommand list [] Legacy way of overwriting the default command. You may prefer to change defaultCommandTemplates instead.
defaultBeaconCommandTemplate string See values.yaml Template used for the default beacon command
defaultValidatorCommandTemplate string See values.yaml Template used for the default validator command
extraArgs list [] Extra args for the teku container
extraContainers list [] Additional containers
extraEnv list [] Additional env variables
extraPorts list [] Additional ports. Useful when using extraContainers
extraVolumeMounts list [] Additional volume mounts
extraVolumes list [] Additional volumes
fullnameOverride string "" Overrides the chart's computed fullname
httpPort int 5051 HTTP Port
image.pullPolicy string "IfNotPresent" teku container pull policy
image.repository string "consensys/teku" teku container image repository
image.tag string "latest" teku container image tag
imagePullSecrets list [] Image pull secrets for Docker images
ingress.annotations object {} Annotations for Ingress
ingress.enabled bool false Ingress resource for the HTTP API
ingress.hosts[0].host string "chart-example.local"
ingress.hosts[0].paths list []
ingress.tls list [] Ingress TLS
initChownData.enabled bool true Init container to set the correct permissions to access data directories
initChownData.image.pullPolicy string "IfNotPresent" Container pull policy
initChownData.image.repository string "busybox" Container repository
initChownData.image.tag string "1.34.0" Container tag
initChownData.resources object {} Resource requests and limits
initContainers list [] Additional init containers
jwt string "ecb22bc24e7d4061f7ed690ccd5846d7d73f5d2b9733267e12f56790398d908a" JWT secret used by client as a secret. Change this value.
livenessProbe object See values.yaml Liveness probe
metricsPort int 8008 Metrics Port
mode string "beacon" Mode can be 'beacon' or 'validator'
nameOverride string "" Overrides the chart's name
nodeSelector object {} Node selector for pods
p2pNodePort.enabled bool false Expose P2P port via NodePort
p2pNodePort.initContainer.image.pullPolicy string "IfNotPresent" Container pull policy
p2pNodePort.initContainer.image.repository string "lachlanevenson/k8s-kubectl" Container image to fetch nodeport information
p2pNodePort.initContainer.image.tag string "v1.25.4" Container tag
p2pNodePort.port int 31000 NodePort to be used
p2pPort int 9000 P2P Port
persistence.accessModes list ["ReadWriteOnce"] Access mode for the volume claim template
persistence.annotations object {} Annotations for volume claim template
persistence.enabled bool false Uses an EmptyDir when not enabled
persistence.existingClaim string nil Use an existing PVC when persistence.enabled
persistence.selector object {} Selector for volume claim template
persistence.size string "20Gi" Requested size for volume claim template
persistence.storageClassName string nil Use a specific storage class E.g 'local-path' for local storage to achieve best performance Read more (https://github.com/rancher/local-path-provisioner)
podAnnotations object {} Pod annotations
podDisruptionBudget object {} Define the PodDisruptionBudget spec If not set then a PodDisruptionBudget will not be created
podLabels object {} Pod labels
podManagementPolicy string "OrderedReady" Pod management policy
priorityClassName string nil Pod priority class
rbac.clusterRules list See values.yaml Required ClusterRole rules
rbac.create bool true Specifies whether RBAC resources are to be created
rbac.rules list See values.yaml Required ClusterRole rules
readinessProbe object See values.yaml Readiness probe
replicas int 1 Number of replicas
resources object {} Resource requests and limits
secretEnv object {} Additional env variables injected via a created secret
securityContext object See values.yaml The security context for pods
serviceAccount.annotations object {} Annotations to add to the service account
serviceAccount.create bool true Specifies whether a service account should be created
serviceAccount.name string "" The name of the service account to use. If not set and create is true, a name is generated using the fullname template
serviceMonitor.annotations object {} Additional ServiceMonitor annotations
serviceMonitor.enabled bool false If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
serviceMonitor.interval string "1m" ServiceMonitor scrape interval
serviceMonitor.labels object {} Additional ServiceMonitor labels
serviceMonitor.namespace string nil Alternative namespace for ServiceMonitor
serviceMonitor.path string "/metrics" Path to scrape
serviceMonitor.relabelings list [] ServiceMonitor relabelings
serviceMonitor.scheme string "http" ServiceMonitor scheme
serviceMonitor.scrapeTimeout string "30s" ServiceMonitor scrape timeout
serviceMonitor.tlsConfig object {} ServiceMonitor TLS configuration
terminationGracePeriodSeconds int 300 How long to wait until the pod is forcefully terminated
tolerations list [] Tolerations for pods
topologySpreadConstraints list [] Topology Spread Constraints for pods
updateStrategy object {"type":"RollingUpdate"} Update stategy for the Statefulset
updateStrategy.type string "RollingUpdate" Update stategy type

Examples

Beacon node on the Holesky testnet connected to Holesky via Infura

mode: "beacon"

extraArgs:
  - --network=holesky
  - --ee-endpoint=<EXECUTION-ENDPOINT>

Exposing the P2P service via NodePort

This will make your node accessible via the Internet using a service of type NodePort. When using p2pNodePort.enabled the exposed IP address on your ENR record will be the "External IP" of the node where the pod is running.

Limitations: You can only run a single replica per chart deployment when using p2pNodePort.enabled=true.If you need N nodes, simply deploy the chart N times.

replicas: 1

p2pNodePort:
  enabled: true
  port: 31000

This would create 5 beacon nodes, exposed via Node Port services with the following configuration:

  • Node 0: 30000
  • Node 1: 30001
  • Node 2: 30002
  • Node 3: 32000
  • Node 4: 30004

Validator node targeting a beacon node service

This example runs a validator on the holesky network that targets a pre-existing teku-beacon service by injecting the all-accounts.keystore.json` file via a secret ENV var. You could use a similar approach to fetch your secrets from some external secret management system (Hashicorp Vault, Azure key vault, etc.):

replicas: 1

mode: validator

initContainers:
  - name: init-keystore
    image: bash:latest
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsNonRoot: false
      runAsUser: 0
    command:
    - bash
    - -c
    - >
      apk add jq;
      export INDEX=$(echo $(hostname)| rev | cut -d'-' -f 1 | rev);
      mkdir -p /data/validator/keys;
      mkdir -p /data/validator/secrets;
      KEY_COUNT="NODE_${INDEX}_KEY_COUNT";
      for ((i = 0 ; i < "${!KEY_COUNT}" ; i++ ));
      do
        key="NODE_${INDEX}_KEY_${i}";
        PUBKEY=$(echo ${!key} | jq '.pubkey' -j);
        echo ${!key} > "/data/validator/keys/0x${PUBKEY}.json";
        secret="NODE_${INDEX}_SECRET_${i}";
        echo ${!secret} > "/data/validator/secrets/0x${PUBKEY}.txt";
        echo "Added 0x${PUBKEY}";
      done
    volumeMounts:
      - name: storage
        mountPath: "/data"
        readOnly:
    env:
      - name: NODE_0_KEY_COUNT
        value: "1"
      - name: NODE_0_SECRET_0
        valueFrom:
          secretKeyRef:
            # Name of the secret that will be generated for you. This is normally `${RELEASE-name}-env`
            # You might need to change this
            name: teku-env
            key: NODE_0_SECRET_0
      - name: NODE_0_KEY_0
        valueFrom:
          secretKeyRef:
            # See comment on the previous secretKeyRef
            name: teku-env
            key: NODE_0_KEY_0

extraArgs:
  - --validator-keys=/data/validator/keys:/data/validator/secrets
  - --beacon-node-api-endpoint=http://teku-beacon:5051
  - --network=auto

livenessProbe:
  tcpSocket: null
  httpGet:
    path: /metrics
    port: 8008

readinessProbe:
  tcpSocket: null
  httpGet:
    path: /metrics
    port: 8008

secretEnv:
  # Note: Never publish any of your production secrets online. These are just used for testing purposes.
  NODE_0_SECRET_0: Mrc085nWbjTc1mhAPt_Ukj4m_vui2iUQWr6TwNRq_4k=
  NODE_0_KEY_0: {"crypto":{"checksum":{"function":"sha256","message":"7bbdd8cda652d792dceae7477b911106296620c44a6c1d0356c6ff52daca2b5b","params":{}},"cipher":{"function":"aes-128-ctr","message":"689f5c97fad87665e2fe8acbc0aad91bdc85de7756ebdc496f1373bae01c02c8","params":{"iv":"7b8e1ed4480dee19cbb1528394ad2095"}},"kdf":{"function":"pbkdf2","message":"","params":{"c":262144,"dklen":32,"prf":"hmac-sha256","salt":"bb560dfbb56016e0630e4415b74d86ede9090c0545854ed7c0ad921047a39cef"}}},"path":"","pubkey":"8e48cbd28d25847a6b122a62179b6ac11ee7877a4c489799918308e6252b7f6601f969179ac7465e256c01815b71b6d1","uuid":"f13ece4f-d57e-4789-accc-ad50f0fef882","version":4}