consensus-jwt.configmap.yaml

apiVersion: v1
data:
  beacon-jwt-secret: <secret, can be generated with `cat /dev/urandom | head -c 32 | to_hex -in`>
kind: ConfigMap
metadata:
  name: consensus-jwt
  namespace: <namespace>

consensus.sts.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: consensus
  namespace: <namespace>
spec:
  podManagementPolicy: Parallel
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: consensus
  serviceName: consensus
  template:
    metadata:
      labels:
        name: consensus
    spec:
      containers:
      - command:
        - lighthouse
        - beacon
        - --datadir=/data
        - --debug-level=info
        - --network=goerli
        - --listen-address=0.0.0.0
        - --port=9000
        - --http
        - --http-address=0.0.0.0
        - --http-port=5052
        - --metrics-address=0.0.0.0
        - --metrics-port=9102
        - --execution-jwt-id=
        - --execution-endpoint=http://<pod_name>.<service_name>.<namespace>.svc.cluster.local:8551
        - --execution-jwt=/etc/consensus-node/beacon-jwt-secret
        image: sigp/lighthouse:v2.5.1-amd64-modern
        imagePullPolicy: IfNotPresent
        name: lighthouse
        ports:
        - containerPort: 5052
          name: api
          protocol: TCP
        - containerPort: 9000
          name: p2p
          protocol: TCP
        - containerPort: 9102
          name: prometheus
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /eth/v1/node/health
            port: 5052
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "4"
            memory: 8Gi
          requests:
            cpu: "4"
            memory: 4Gi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /data
          name: datadir
        - mountPath: /etc/consensus-node
          name: consensus-jwt
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: app-node-backup-writer
      serviceAccountName: app-node-backup-writer
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: consensus-jwt
        name: consensus-jwt
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
        resize.topolvm.io/increase: 10%
        resize.topolvm.io/storage_limit: 100Gi
        resize.topolvm.io/threshold: 10%
      creationTimestamp: null
      name: datadir
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 32Gi
      storageClassName: gcpssd-lazy
      volumeMode: Filesystem
    status:
      phase: Pending

instructions.md

Beacon Chain Manifest

The beacon chain node talks to the execution layer pod 1 by 1. The authrpc must be enabled on Geth and JWT secret must be shared between the two nodes.

Here the extra flags neeed on Geth side to enable engine API over authenticated channel:

• -authrpc.addr=0.0.0.0
• --authrpc.port=8551
• --authrpc.jwtsecret=/etc/geth-config/beacon-jwt-secret
• --authrpc.vhosts=*
• --http.api=engine,eth,net,web3 # engine must be enabled, the rest is up to you

The /etc/geth-config/beacon-jwt-secret is from the same consensus-jwt.configmap.yaml file mounted at /etc/geth-config/beacon-jwt-secret.

The geth service must exist and should expose port 8551 now.