migrate to gcp

deploy/prod/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - txs
+  - cfg-web-deployment.yaml
+  - cgw-web-deployment.yaml
+  - ui-deployment.yaml
+  - secret

deploy/prod/secret/cfg.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: safe-cfg
+  namespace: crossbell
+type: Opaque
+stringData:
+  # CGW_FLUSH_TOKEN and WEBHOOK_TOKEN must be the same
+  CGW_FLUSH_TOKEN: "<WEBHOOK_TOKEN>"
+  CGW_URL: "https://safe-client.crossbell.io"
+  CSRF_TRUSTED_ORIGINS: "http://localhost:8000,https://*.crossbell.io,https://crossbell.io,https://xlog.app,https://*.xlog.app"
+  DEBUG: "false"
+  DEFAULT_FILE_STORAGE: "django.core.files.storage.FileSystemStorage"
+  DJANGO_ALLOWED_HOSTS: "*"
+  DOCKER_NGINX_VOLUME_ROOT: "/nginx"
+  DOCKER_WEB_VOLUME: ".:/app"
+  FORCE_SCRIPT_NAME: "/cfg/"
+  GUNICORN_BIND_PORT: "8001"
+  GUNICORN_BIND_SOCKET: "unix:/nginx/gunicorn.socket"
+  GUNICORN_WEB_RELOAD: "false"
+  NGINX_ENVSUBST_OUTPUT_DIR: "/etc/nginx/"
+  POSTGRES_HOST: "<POSTGRES_HOST>"
+  POSTGRES_NAME: "safe_cfg"
+  POSTGRES_PASSWORD: "<POSTGRES_PASSWORD>"
+  POSTGRES_PORT: "5432"
+  POSTGRES_USER: "postgres"
+  ROOT_LOG_LEVEL: "WARNING"
+  SECRET_KEY: "<SECRET_KEY>"

deploy/prod/secret/cgw.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+stringData:
+  CHAIN_INFO_REQUEST_TIMEOUT: "15000"
+  CONFIG_SERVICE_URI: "https://safe.crossbell.io/cfg"
+  EXCHANGE_API_BASE_URI: "http://api.exchangeratesapi.io/latest"
+  EXCHANGE_API_KEY: "<EXCHANGE_API_KEY>"
+  FEATURE_FLAG_NESTED_DECODING: "true"
+  INTERNAL_CLIENT_CONNECT_TIMEOUT: "10000"
+  LOG_ALL_ERROR_RESPONSES: "true"
+  REDIS_URI: "<REDIS_URI_PREFIX>/0"
+  REDIS_URI_MAINNET: "<REDIS_URI_PREFIX>/0"
+  ROCKET_ADDRESS: "0.0.0.0"
+  ROCKET_LOG_LEVEL: "normal"
+  ROCKET_PORT: "3666"
+  ROCKET_SECRET_KEY: "<ROCKET_SECRET_KEY>"
+  RUST_LOG: "warn"
+  SAFE_APP_INFO_REQUEST_TIMEOUT: "10000"
+  SCHEME: "http"
+  WEBHOOK_TOKEN: "<WEBHOOK_TOKEN>"
+kind: Secret
+metadata:
+  name: safe-cgw
+  namespace: crossbell
+type: Opaque

deploy/prod/secret/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cfg.yaml
+  - cgw.yaml
+  - txs.yaml
+
+commonAnnotations:
+  avp.kubernetes.io/path: "kv/data/crossbell/safe"

deploy/prod/secret/txs.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: safe-txs
+  namespace: crossbell
+type: Opaque
+stringData:
+  CELERY_BROKER_URL: "<CELERY_BROKER_URL>"
+  CSRF_TRUSTED_ORIGINS: "http://localhost:8000,https://*.crossbell.io,https://crossbell.io,https://xlog.app,https://*.xlog.app"
+  DATABASE_URL: "psql://postgres:<POSTGRES_PASSWORD>@<POSTGRES_HOST>:5432/safe_txs"
+  DEBUG: "0"
+  DJANGO_ALLOWED_HOSTS: "*"
+  DJANGO_SECRET_KEY: "<DJANGO_SECRET_KEY>"
+  DJANGO_SETTINGS_MODULE: "config.settings.production"
+  ETHEREUM_NODE_URL: "https://rpc.crossbell.io"
+  ETH_L2_NETWORK: "1"
+  FORCE_SCRIPT_NAME: "/txs/"
+  PYTHONPATH: "/app/"
+  REDIS_URL: "<REDIS_URI_PREFIX>/1"

deploy/prod/txs/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - txs-scheduler-deployment.yaml
+  - txs-web-deployment.yaml
+  - txs-worker-contracts-tokens-deployment.yaml
+  - txs-worker-indexer-deployment.yaml
+  - txs-worker-notifications-webhooks-deployment.yaml

deploy/prod/txs/txs-scheduler-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: safe-txs-scheduler
+  name: safe-txs-scheduler
+  namespace: crossbell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: safe-txs-scheduler
+  template:
+    metadata:
+      labels:
+        app: safe-txs-scheduler
+    spec:
+      containers:
+        - args:
+            - docker/web/celery/scheduler/run.sh
+          envFrom:
+            - secretRef:
+                name: safe-txs
+          env:
+            - name: RUN_MIGRATIONS
+              value: "1"
+            - name: WORKER_QUEUES
+              value: default,indexing
+          image: safeglobal/safe-transaction-service:latest
+          name: txs-scheduler
+          resources: {}
+      restartPolicy: Always

deploy/prod/txs/txs-web-deployment.yaml

@@ -0,0 +1,130 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: safe-txs-web
+  namespace: crossbell
+spec:
+  selector:
+    app: safe-txs-web
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8000
+      targetPort: 8000
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: safe-txs-web
+  name: safe-txs-web
+  namespace: crossbell
+spec:
+  replicas: 1
+  serviceName: "safe-txs-web"
+  selector:
+    matchLabels:
+      app: safe-txs-web
+  template:
+    metadata:
+      labels:
+        app: safe-txs-web
+    spec:
+      containers:
+        - image: nginx:alpine
+          name: txs-web-nginx
+          ports:
+            - containerPort: 8000
+          volumeMounts:
+            - mountPath: /etc/nginx/nginx.conf
+              name: nginx-txs-web
+              subPath: nginx.conf
+              readOnly: true
+            - mountPath: /nginx-txs
+              name: nginx-shared-txs
+        - args:
+            - docker/web/run_web.sh
+          envFrom:
+            - secretRef:
+                name: safe-txs
+          image: safeglobal/safe-transaction-service:latest
+          name: txs-web
+          resources: {}
+          volumeMounts:
+            - mountPath: /nginx
+              name: nginx-shared-txs
+          workingDir: /app
+      restartPolicy: Always
+      volumes:
+        - name: nginx-txs-web
+          configMap:
+            name: nginx-txs-web
+  volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: nginx-shared-txs
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: "standard"
+        resources:
+          requests:
+            storage: 20Gi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-txs-web
+  namespace: crossbell
+data:
+  nginx.conf: |
+    worker_processes 1;
+
+    events {
+      worker_connections 2000; # increase if you have lots of clients
+      accept_mutex off; # set to 'on' if nginx worker_processes > 1
+      use epoll; # Enable epoll for Linux 2.6+
+    }
+
+    http {
+        include mime.types;
+        default_type application/octet-stream;
+        sendfile on;
+
+        upstream txs_app_server {
+          server unix:/nginx-txs/gunicorn.socket fail_timeout=0;
+          keepalive 32;
+        }
+
+       server {
+            access_log off;
+            listen 8000 deferred;
+            charset utf-8;
+            keepalive_timeout 75s;
+
+            gzip             on;
+            gzip_min_length 1000;
+            gzip_comp_level  2;
+            gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
+            gzip_disable "MSIE [1-6]\.";
+
+            location /txs/static {
+                alias /nginx-txs/staticfiles;
+                expires 365d;
+            }
+
+            location /txs/ {
+                proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+                proxy_set_header    X-Forwarded-Proto   $scheme;
+                proxy_set_header    Host                $host;
+                # we don't want nginx trying to do something clever with
+                # redirects, we set the Host: header above already.
+                proxy_redirect off;
+                proxy_pass http://txs_app_server/;
+
+                proxy_set_header X-Forwarded-Host $server_name;
+                proxy_set_header X-Real-IP $remote_addr;
+                add_header              Front-End-Https   on;
+            }
+        }
+    }

deploy/prod/txs/txs-worker-contracts-tokens-deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: safe-txs-worker-contracts-tokens
+  name: safe-txs-worker-contracts-tokens
+  namespace: crossbell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: safe-txs-worker-contracts-tokens
+  template:
+    metadata:
+      labels:
+        app: safe-txs-worker-contracts-tokens
+    spec:
+      containers:
+        - args:
+            - docker/web/celery/worker/run.sh
+          envFrom:
+            - secretRef:
+                name: safe-txs
+          env:
+            - name: WORKER_QUEUES
+              value: contracts,tokens
+          image: safeglobal/safe-transaction-service:latest
+          name: txs-worker-contracts-tokens
+          resources: {}
+      restartPolicy: Always

deploy/prod/txs/txs-worker-indexer-deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: safe-txs-worker-indexer
+  name: safe-txs-worker-indexer
+  namespace: crossbell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: safe-txs-worker-indexer
+  template:
+    metadata:
+      labels:
+        app: safe-txs-worker-indexer
+    spec:
+      containers:
+        - args:
+            - docker/web/celery/worker/run.sh
+          envFrom:
+            - secretRef:
+                name: safe-txs
+          env:
+            - name: RUN_MIGRATIONS
+              value: "1"
+            - name: WORKER_QUEUES
+              value: default,indexing
+          image: safeglobal/safe-transaction-service:latest
+          name: txs-worker-indexer
+          resources:
+            requests:
+              cpu: "1000m"
+              memory: "4000Mi"
+            limits:
+              cpu: "2000m"
+              memory: "8000Mi"
+      restartPolicy: Always

deploy/prod/txs/txs-worker-notifications-webhooks-deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: safe-txs-worker-notifications-webhooks
+  name: safe-txs-worker-notifications-webhooks
+  namespace: crossbell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: safe-txs-worker-notifications-webhooks
+  template:
+    metadata:
+      labels:
+        app: safe-txs-worker-notifications-webhooks
+    spec:
+      containers:
+        - args:
+            - docker/web/celery/worker/run.sh
+          envFrom:
+            - secretRef:
+                name: safe-txs
+          env:
+            - name: WORKER_QUEUES
+              value: notifications,webhooks
+          image: safeglobal/safe-transaction-service:latest
+          name: txs-worker-notifications-webhooks
+          resources: {}
+      restartPolicy: Always