hailin
/
rwadurian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rwadurian/backend/mpc-system/k8s
History
hailin e975e9d86c feat(mpc-system): implement party role labels with strict persistent-only default 
Implement Solution 1 (Party Role Labels) to differentiate between persistent
and delegate parties, with strict security guarantees for MPC threshold systems.

Key Features:
- PartyRole enum: persistent, delegate, temporary
- K8s pod labels (party-role) for role identification
- Role-based party filtering and selection
- Strict persistent-only default policy (no fallback)
- Optional PartyComposition for custom party requirements

Security Guarantees:
- Default: MUST use persistent parties (store shares in database)
- Fail fast with clear error if insufficient persistent parties
- No silent fallback to mixed/delegate parties
- Empty PartyComposition validation prevents accidental bypass
- MPC system compatibility maintained

Implementation:
1. Added PartyRole type with persistent/delegate/temporary constants
2. Extended PartyEndpoint with Role field
3. K8s party discovery extracts role from pod labels (defaults to persistent)
4. Session creation logic with strict persistent requirement
5. PartyComposition support for explicit mixed-role sessions
6. K8s deployment files with party-role labels

Files Modified:
- services/session-coordinator/application/ports/output/party_pool_port.go
- services/session-coordinator/infrastructure/k8s/party_discovery.go
- services/session-coordinator/application/ports/input/session_management_port.go
- services/session-coordinator/application/use_cases/create_session.go
- k8s/server-party-deployment.yaml (persistent role)

Files Added:
- k8s/server-party-api-deployment.yaml (delegate role)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 		2025-12-05 07:08:59 -08:00
..
README.md feat(mpc-system): implement Kubernetes-based dynamic party pool architecture 2025-12-05 06:12:49 -08:00
configmap.yaml feat(mpc-system): implement Kubernetes-based dynamic party pool architecture 2025-12-05 06:12:49 -08:00
namespace.yaml feat(mpc-system): implement Kubernetes-based dynamic party pool architecture 2025-12-05 06:12:49 -08:00
secrets-example.yaml feat(mpc-system): implement Kubernetes-based dynamic party pool architecture 2025-12-05 06:12:49 -08:00
server-party-api-deployment.yaml feat(mpc-system): implement party role labels with strict persistent-only default 2025-12-05 07:08:59 -08:00
server-party-deployment.yaml feat(mpc-system): implement party role labels with strict persistent-only default 2025-12-05 07:08:59 -08:00
session-coordinator-deployment.yaml feat(mpc-system): implement Kubernetes-based dynamic party pool architecture 2025-12-05 06:12:49 -08:00

README.md

Kubernetes Deployment for MPC System

This directory contains Kubernetes manifests for deploying the MPC system with dynamic party pool service discovery.

Architecture Overview

The Kubernetes deployment implements a Party Pool architecture where:

  • Server parties are dynamically discovered via Kubernetes service discovery
  • Session coordinator automatically selects available parties from the pool
  • Parties can be scaled up/down without code changes (just scale the deployment)
  • No hardcoded party IDs - each pod gets a unique name as its party ID

Prerequisites

  • Kubernetes cluster (v1.24+)
  • kubectl configured to access your cluster
  • Docker images built for all services
  • PostgreSQL, Redis, and RabbitMQ deployed (see infrastructure/)

Quick Start

1. Create namespace

kubectl apply -f namespace.yaml

2. Create secrets

Copy the example secrets file and fill in your actual values:

cp secrets-example.yaml secrets.yaml
# Edit secrets.yaml with your base64-encoded secrets
# Generate base64: echo -n "your-secret" | base64
kubectl apply -f secrets.yaml

3. Create ConfigMap

kubectl apply -f configmap.yaml

4. Deploy Session Coordinator

kubectl apply -f session-coordinator-deployment.yaml

The session coordinator requires RBAC permissions to discover party pods.

5. Deploy Server Party Pool

kubectl apply -f server-party-deployment.yaml

This creates a deployment with 3 replicas by default. Each pod gets a unique name (e.g., mpc-server-party-0, mpc-server-party-1, etc.) which serves as its party ID.

6. Deploy other services

kubectl apply -f message-router-deployment.yaml
kubectl apply -f account-service-deployment.yaml
kubectl apply -f server-party-api-deployment.yaml

Scaling Server Parties

To scale the party pool, simply adjust the replica count:

# Scale up to 5 parties
kubectl scale deployment mpc-server-party -n mpc-system --replicas=5

# Scale down to 2 parties
kubectl scale deployment mpc-server-party -n mpc-system --replicas=2

The session coordinator will automatically discover new parties within 30 seconds (configurable via MPC_PARTY_DISCOVERY_INTERVAL).

Service Discovery Configuration

The session coordinator uses environment variables to configure party discovery:

  • K8S_NAMESPACE: Namespace to search for parties (auto-detected from pod metadata)
  • MPC_PARTY_SERVICE_NAME: Service name to discover (mpc-server-party)
  • MPC_PARTY_LABEL_SELECTOR: Label selector (app=mpc-server-party)
  • MPC_PARTY_GRPC_PORT: gRPC port for parties (50051)
  • MPC_PARTY_DISCOVERY_INTERVAL: Refresh interval (30s)

RBAC Permissions

The session coordinator requires the following Kubernetes permissions:

  • pods: get, list, watch (to discover party pods)
  • services: get, list, watch (to discover services)

These permissions are granted via the mpc-session-coordinator-role Role and RoleBinding.

Health Checks

All services expose a /health endpoint on their HTTP port (8080) for:

  • Liveness probes: Detects if the service is alive
  • Readiness probes: Detects if the service is ready to accept traffic

Monitoring Party Pool

Check available parties:

# View all party pods
kubectl get pods -n mpc-system -l app=mpc-server-party

# Check party pod logs
kubectl logs -n mpc-system -l app=mpc-server-party --tail=50

# Check session coordinator logs for party discovery
kubectl logs -n mpc-system -l app=mpc-session-coordinator | grep "party"

Troubleshooting

Session coordinator can't discover parties

  1. Check RBAC permissions:
kubectl get role,rolebinding -n mpc-system
  1. Check if service account is correctly assigned:
kubectl get pod -n mpc-system -l app=mpc-session-coordinator -o yaml | grep serviceAccount
  1. Check coordinator logs:
kubectl logs -n mpc-system -l app=mpc-session-coordinator

Parties not showing as ready

  1. Check party pod status:
kubectl get pods -n mpc-system -l app=mpc-server-party
  1. Check readiness probe:
kubectl describe pod -n mpc-system <party-pod-name>
  1. Check party logs:
kubectl logs -n mpc-system <party-pod-name>

Migration from Docker Compose

Key differences from docker-compose deployment:

  1. No hardcoded party IDs: In docker-compose, parties had static IDs (server-party-1, server-party-2, server-party-3). In K8s, pod names are used as party IDs.

  2. Dynamic scaling: Can scale parties up/down without restarting other services.

  3. Service discovery: Automatic discovery via Kubernetes API instead of DNS.

  4. DeviceInfo optional: DeviceInfo is now optional in the protocol layer, aligning with international MPC standards.

Advanced Configuration

Custom party selection strategy

The default selection strategy is "first N available parties". To implement custom strategies (e.g., load-based, geo-aware), modify the SelectParties() method in services/session-coordinator/infrastructure/k8s/party_discovery.go.

Party affinity

To ensure parties run on different nodes for fault tolerance:

spec:
  template:
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: mpc-server-party
              topologyKey: kubernetes.io/hostname

Add this to server-party-deployment.yaml under spec.template.