chore: add hi-mem taint (#23828)

.

Author: alexghr

.github/workflows/deploy-network.yml

@@ -17,6 +17,15 @@ on:
         description: "Full Aztec docker image (e.g., aztecprotocol/aztec:2.3.4). If not set, constructed from semver."
         required: false
         type: string
+      prover_docker_image:
+        description: "Full Prover docker image URL. If not set defaults to aztec_docker_image."
+        required: false
+        type: string
+      use_internal_docker_registry:
+        description: "Construct Aztec docker images from INTERNAL_DOCKER_REGISTRY and semver."
+        required: false
+        type: boolean
+        default: false
       ref:
         description: "Git ref to checkout"
         required: false
@@ -62,6 +71,15 @@ on:
         description: "Full Aztec docker image (e.g., aztecprotocol/aztec:2.3.4). If not set, constructed from semver."
         required: false
         type: string
+      prover_docker_image:
+        description: "Full Prover docker image URL. If not set defaults to aztec_docker_image."
+        required: false
+        type: string
+      use_internal_docker_registry:
+        description: "Construct Aztec docker images from INTERNAL_DOCKER_REGISTRY and semver."
+        required: false
+        type: boolean
+        default: false
       namespace:
         description: "Kubernetes namespace override (optional, defaults to env file value)"
         required: false
@@ -123,6 +141,8 @@ jobs:
           node-version: 22
 
       - name: Validate inputs
+        env:
+          INTERNAL_DOCKER_REGISTRY: ${{ secrets.INTERNAL_DOCKER_REGISTRY }}
         run: |
           # Validate network
           if [[ ! -f "spartan/environments/${{ inputs.network }}.env" ]]; then
@@ -146,28 +166,42 @@ jobs:
             fi
           fi
 
-          # Resolve the docker image
-          if [[ -n "${{ inputs.aztec_docker_image }}" ]]; then
-            AZTEC_DOCKER_IMAGE="${{ inputs.aztec_docker_image }}"
-          else
-            AZTEC_DOCKER_IMAGE="aztecprotocol/aztec:${{ inputs.semver }}"
+          if [[ "${{ inputs.use_internal_docker_registry }}" == "true" && -z "${{ inputs.semver }}" ]]; then
+            echo "Error: semver must be provided when use_internal_docker_registry is true"
+            exit 1
           fi
-          echo "AZTEC_DOCKER_IMAGE=$AZTEC_DOCKER_IMAGE" >> $GITHUB_ENV
 
-          # Use the CRS-baked prover-agent image when it exists; otherwise let the
-          # deploy script fall back to AZTEC_DOCKER_IMAGE and download CRS on startup.
-          if [[ -n "${{ inputs.semver }}" ]]; then
-            PROVER_AGENT_DOCKER_IMAGE="aztecprotocol/aztec-prover-agent:${{ inputs.semver }}"
+          # Resolve the docker image
+          AZTEC_DOCKER_IMAGE="${{ inputs.aztec_docker_image }}"
+          PROVER_AGENT_DOCKER_IMAGE="${{ inputs.prover_docker_image }}"
+          INTERNAL_REGISTRY_BASE_URL=""
+
+          if [[ "${{ inputs.use_internal_docker_registry }}" == "true" ]]; then
+            INTERNAL_REGISTRY_BASE_URL="${INTERNAL_DOCKER_REGISTRY%/}"
+            echo "::add-mask::$INTERNAL_REGISTRY_BASE_URL"
+          fi
 
-            echo "Checking if prover agent image exists: $PROVER_AGENT_DOCKER_IMAGE"
-            if docker manifest inspect "$PROVER_AGENT_DOCKER_IMAGE" > /dev/null 2>&1; then
-              echo "PROVER_AGENT_DOCKER_IMAGE=$PROVER_AGENT_DOCKER_IMAGE" >> $GITHUB_ENV
+          if [[ -z "$AZTEC_DOCKER_IMAGE" ]]; then
+            if [[ -n "$INTERNAL_REGISTRY_BASE_URL" ]]; then
+              AZTEC_DOCKER_IMAGE="$INTERNAL_REGISTRY_BASE_URL/aztec:${{ inputs.semver }}"
+              echo "::add-mask::$AZTEC_DOCKER_IMAGE"
             else
-              echo "Prover agent image does not exist: $PROVER_AGENT_DOCKER_IMAGE"
-              echo "Falling back to AZTEC_DOCKER_IMAGE for prover agents."
+              AZTEC_DOCKER_IMAGE="aztecprotocol/aztec:${{ inputs.semver }}"
+            fi
+          fi
+
+          if [[ -z "$PROVER_AGENT_DOCKER_IMAGE" ]]; then
+            if [[ -n "$INTERNAL_REGISTRY_BASE_URL" ]]; then
+              PROVER_AGENT_DOCKER_IMAGE="$INTERNAL_REGISTRY_BASE_URL/aztec-prover-agent:${{ inputs.semver }}"
+              echo "::add-mask::$PROVER_AGENT_DOCKER_IMAGE"
+            elif [[ -z "${{ inputs.aztec_docker_image }}" && -n "${{ inputs.semver }}" ]]; then
+              PROVER_AGENT_DOCKER_IMAGE="aztecprotocol/aztec-prover-agent:${{ inputs.semver }}"
             fi
           fi
 
+          echo "AZTEC_DOCKER_IMAGE=$AZTEC_DOCKER_IMAGE" >> $GITHUB_ENV
+          echo "PROVER_AGENT_DOCKER_IMAGE=$PROVER_AGENT_DOCKER_IMAGE" >> $GITHUB_ENV
+
       - name: Store the GCP key in a file
         env:
           GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}

.github/workflows/deploy-staging.yml

@@ -32,10 +32,10 @@ jobs:
       tag: ${{ steps.resolve.outputs.tag }}
       semver: ${{ steps.resolve.outputs.semver }}
     steps:
-      - name: Checkout v4-next
+      - name: Checkout v5-next
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
-          ref: v4-next
+          ref: v5-next
           token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
           fetch-depth: 0
 
@@ -82,6 +82,7 @@ jobs:
     with:
       network: staging
       semver: ${{ needs.determine-tag.outputs.semver }}
+      use_internal_docker_registry: true
       source_tag: ${{ needs.determine-tag.outputs.tag }}
       deploy_contracts: ${{ inputs.deploy_contracts == true }}
     secrets: inherit

spartan/terraform/deploy-aztec-infra/values/prover-resources-dev-hi-tps.yaml

@@ -14,6 +14,12 @@ node:
     cores: "8"
     hi-mem: "true"
 
+  tolerations:
+    - key: "hi-mem"
+      operator: "Equal"
+      value: "true"
+      effect: "NoSchedule"
+
   persistence:
     enabled: true
   statefulSet:
@@ -35,6 +41,12 @@ broker:
     cores: "8"
     hi-mem: "true"
 
+  tolerations:
+    - key: "hi-mem"
+      operator: "Equal"
+      value: "true"
+      effect: "NoSchedule"
+
   persistence:
     enabled: true
   statefulSet:

spartan/terraform/deploy-aztec-infra/values/prover-resources-prod-hi-tps.yaml

@@ -14,6 +14,12 @@ node:
     cores: "8"
     hi-mem: "true"
 
+  tolerations:
+    - key: "hi-mem"
+      operator: "Equal"
+      value: "true"
+      effect: "NoSchedule"
+
   persistence:
     enabled: true
   statefulSet:
@@ -35,6 +41,12 @@ broker:
     cores: "8"
     hi-mem: "true"
 
+  tolerations:
+    - key: "hi-mem"
+      operator: "Equal"
+      value: "true"
+      effect: "NoSchedule"
+
   persistence:
     enabled: true
   statefulSet:

spartan/terraform/gke-cluster/cluster/main.tf

@@ -191,6 +191,12 @@ resource "google_container_node_pool" "aztec_nodes-8core-hi-mem" {
       hi-mem    = "true"
     }
     tags = ["aztec-gke-node", "aztec"]
+
+    taint {
+      key    = "hi-mem"
+      value  = "true"
+      effect = "NO_SCHEDULE"
+    }
   }
 
   # Management configuration

spartan/terraform/gke-cluster/docker-registry.tf

@@ -0,0 +1,32 @@
+resource "google_project_service" "artifact_registry" {
+  project = var.project
+  service = "artifactregistry.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+resource "google_artifact_registry_repository" "docker_registry" {
+  project       = var.project
+  location      = var.region
+  repository_id = var.docker_registry_repository_id
+  description   = "Docker repository for Spartan GKE images"
+  format        = "DOCKER"
+
+  depends_on = [google_project_service.artifact_registry]
+}
+
+resource "google_artifact_registry_repository_iam_member" "gke_sa_docker_registry_reader" {
+  project    = google_artifact_registry_repository.docker_registry.project
+  location   = google_artifact_registry_repository.docker_registry.location
+  repository = google_artifact_registry_repository.docker_registry.name
+  role       = "roles/artifactregistry.reader"
+  member     = "serviceAccount:${google_service_account.gke_sa.email}"
+}
+
+resource "google_artifact_registry_repository_iam_member" "ci_docker_registry_writer" {
+  project    = google_artifact_registry_repository.docker_registry.project
+  location   = google_artifact_registry_repository.docker_registry.location
+  repository = google_artifact_registry_repository.docker_registry.name
+  role       = "roles/artifactregistry.writer"
+  member     = "serviceAccount:${google_service_account.ci.email}"
+}

spartan/terraform/gke-cluster/iam.tf

@@ -41,6 +41,13 @@ resource "google_project_iam_member" "helm_sa_roles" {
   member  = "serviceAccount:${google_service_account.helm_sa.email}"
 }
 
+# Create a service account for CI
+resource "google_service_account" "ci" {
+  account_id   = var.ci_service_account_id
+  display_name = "CI Service Account"
+  description  = "Service account for CI jobs that publish Docker images"
+}
+
 # Service account for External Secrets Operator
 resource "google_service_account" "eso" {
   account_id   = "external-secrets-operator"

spartan/terraform/gke-cluster/outputs.tf

@@ -6,11 +6,30 @@ output "eso_service_account_email" {
   value = google_service_account.eso.email
 }
 
+output "ci_service_account_email" {
+  value = google_service_account.ci.email
+}
+
 output "region" {
   description = "Google cloud region"
   value       = var.region
 }
 
+output "docker_registry_hostname" {
+  description = "Artifact Registry Docker hostname"
+  value       = "${var.region}-docker.pkg.dev"
+}
+
+output "docker_registry_repository" {
+  description = "Artifact Registry Docker repository resource name"
+  value       = google_artifact_registry_repository.docker_registry.name
+}
+
+output "docker_registry_repository_url" {
+  description = "Artifact Registry Docker repository URL prefix for image names"
+  value       = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.docker_registry.repository_id}"
+}
+
 output "devnet_network_rpc_ips" {
   description = "Static IPs and hostnames for v4 devnet networks"
   value = {

spartan/terraform/gke-cluster/variables.tf

@@ -9,3 +9,15 @@ variable "region" {
 variable "zone" {
   default = "us-west1-a"
 }
+
+variable "docker_registry_repository_id" {
+  description = "Artifact Registry Docker repository ID for Spartan images."
+  type        = string
+  default     = "aztec"
+}
+
+variable "ci_service_account_id" {
+  description = "Service account ID for CI jobs that push images to the Docker registry."
+  type        = string
+  default     = "aztec-ci"
+}