diff --git a/charts/evm-rollup/Chart.yaml b/charts/evm-rollup/Chart.yaml index d0d6f65..707797f 100644 --- a/charts/evm-rollup/Chart.yaml +++ b/charts/evm-rollup/Chart.yaml @@ -16,7 +16,7 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.12.3 +version: 0.13.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/evm-rollup/files/genesis/geth-genesis.json b/charts/evm-rollup/files/genesis/geth-genesis.json index 65143a5..5f8cc0c 100644 --- a/charts/evm-rollup/files/genesis/geth-genesis.json +++ b/charts/evm-rollup/files/genesis/geth-genesis.json @@ -11,6 +11,18 @@ "istanbulBlock": 0, "berlinBlock": 0, "londonBlock": 0, + {{- if .Values.config.rollup.genesis.shanghaiTime}} + "shanghaiTime": {{ toString .Values.config.rollup.genesis.shanghaiTime | replace "\"" "" }}, + {{- end }} + {{- if .Values.config.rollup.genesis.cancunTime }} + "cancunTime": {{ toString .Values.config.rollup.genesis.cancunTime | replace "\"" "" }}, + {{- end }} + {{- if .Values.config.rollup.genesis.cancunTime }} + "pragueTime": {{ toString .Values.config.rollup.genesis.pragueTime | replace "\"" "" }}, + {{- end }} + {{- if .Values.config.rollup.genesis.cancunTime }} + "verkleTime": {{ toString .Values.config.rollup.genesis.verkleTime | replace "\"" "" }}, + {{- end }} "terminalTotalDifficulty": 0, "terminalTotalDifficultyPassed": true, "ethash": {}, @@ -28,8 +40,8 @@ {{- else }} {{- end }} }, - "difficulty": "10000000", - "gasLimit": "8000000", + "difficulty": "0", + "gasLimit": "{{ .Values.config.rollup.genesis.gasLimit }}", "alloc": { {{- range $index, $value := .Values.config.rollup.genesis.alloc }} {{- if $index }},{{- end }} 
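Review bot: The guards for the last two fork entries test the wrong value: both `"pragueTime"` and `"verkleTime"` are wrapped in `{{- if .Values.config.rollup.genesis.cancunTime }}`, so setting only `cancunTime` renders `"pragueTime": ,` and `"verkleTime": ,` (empty after `toString | replace`), which is invalid JSON and breaks `geth init`, while setting only `pragueTime` never emits it at all. The conditions should read `{{- if .Values.config.rollup.genesis.pragueTime }}` and `{{- if .Values.config.rollup.genesis.verkleTime }}`. The `shanghaiTime` guard is also missing the space before `}}` that the other three have; harmless, but worth aligning while the block is being fixed.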
diff --git a/charts/evm-rollup/files/scripts/init-geth.sh b/charts/evm-rollup/files/scripts/init-geth.sh index c5e9932..cc28bee 100755 --- a/charts/evm-rollup/files/scripts/init-geth.sh +++ b/charts/evm-rollup/files/scripts/init-geth.sh @@ -2,10 +2,18 @@ set -o errexit -o nounset -if [ -z "$(ls -A $data_dir/)" ]; then +if [ ! -d "$data_dir/" ]; then echo "Initializing geth db..." + cp /scripts/geth-genesis.json $home_dir/genesis.json + exec geth --datadir "$data_dir/" --db.engine {{ .Values.config.rollup.dbEngine }} \ {{ if not .Values.config.rollup.archiveNode }}--state.scheme=path {{- end }} \ - init /scripts/geth-genesis.json + init $home_dir/genesis.json +elif ! cmp -s "/scripts/geth-genesis.json" "$home_dir/genesis.json"; then + echo "Geth DB already initialized, but genesis file upgraded..." + + cp /scripts/geth-genesis.json $home_dir/genesis.json + + exec geth --datadir "$data_dir/" init $home_dir/genesis.json fi diff --git a/charts/evm-rollup/values.yaml b/charts/evm-rollup/values.yaml index 786dc6b..c3193a6 100644 --- a/charts/evm-rollup/values.yaml +++ b/charts/evm-rollup/values.yaml @@ -55,6 +55,14 @@ config: maxSubmitInterval: 2000 # Configuration specific to EVM rollup genesis genesis: + # Configuration of Eth forks, setting to 0 will enable form height, + # left as is these forks will not activate. + shanghaiTime: "" + cancunTime: "" + pragueTime: "" + verkleTime: "" + # Configure the gas Limit + gasLimit: "8000000" # Set to a hex set of bytes if your rollup has manually configured extra data extraDataOverride: "" # If set to true the genesis block will contain extra data 
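Review bot: The new guard `[ ! -d "$data_dir/" ]` only checks that the directory exists, not that it holds a database; if `$data_dir` is the mount point of a pre-provisioned volume (the case the old `ls -A` emptiness test covered) the directory is present while empty, the first branch is skipped, and control falls into the `elif`, where `cmp -s` against the not-yet-copied `$home_dir/genesis.json` fails and `geth init` runs without the `--db.engine`/`--state.scheme` flags used on first initialisation. Either keep the emptiness test or probe for something `geth init` itself creates under `$data_dir`. The `$home_dir/genesis.json` paths are also unquoted while `$data_dir` is quoted; quote them consistently (`"$home_dir/genesis.json"`) so word splitting cannot surprise under `set -o nounset`. If re-running `geth init` on an existing database is intended only to pick up fork-time changes, a comment on the `elif` saying so would help the next reader.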
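Review bot: The comment above `shanghaiTime` (`setting to 0 will enable form height`) does not describe what the genesis template does with these values: a fork key is emitted only when the value is truthy in the template's `if`, so an unquoted `0` is dropped (the fork stays disabled) while the string `"0"` is emitted and renders as `0`. Reword it to something like `# Fork activation timestamps, passed through to geth-genesis.json. Keep them quoted: "0" activates the fork from genesis, "" leaves it out (disabled); an unquoted 0 is treated as unset.` The `gasLimit` comment could likewise say the value is substituted verbatim into the quoted genesis field.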
@@ -63,11 +71,20 @@ config: # the astria canonical bridge. Recommend removing alloc values if so. bridgeAddress: "" bridgeAllowedAssetDenom: nria + # Can configure the genesis allocs for the chain alloc: - address: "0xaC21B97d35Bf75A7dAb16f35b111a50e78A72F30" value: # The balance must be a string due to size balance: "1000000000000000000000000000" + # Deploying the deterministic deploy proxy contract in genesis + # Forge and other tools use this for their CREATE2 usage, but + # can only be included through the genesis block after EIP-155 + # https://github.com/Arachnid/deterministic-deployment-proxy + - address: "0x4e59b44847b379578588920cA78FbF26c0B4956C" + value: + balance: "0" + data: "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03601600081602082378035828234f58015156039578182fd5b8082525050506014600cf3" metrics: # set to enable prometheus metrics enabled: false @@ -269,25 +286,22 @@ ingress: resources: conductor: requests: - cpu: 0.01 - memory: 1Mi - limits: cpu: 0.1 memory: 20Mi + limits: + cpu: 1 + memory: 200Mi composer: requests: - cpu: 0.01 - memory: 1Mi - limits: cpu: 0.1 memory: 20Mi + limits: + cpu: 1 + memory: 200Mi geth: requests: - cpu: 0.25 - memory: 256Mi - limits: - cpu: 2 - memory: 1Gi + cpu: 4 + memory: 16Gi storage: enabled: false diff --git a/charts/hermes/Chart.yaml b/charts/hermes/Chart.yaml index 23951e5..0d942c6 100644 --- a/charts/hermes/Chart.yaml +++ b/charts/hermes/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
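Review bot: The pre-deployed proxy at `0x4e59b44847b379578588920cA78FbF26c0B4956C` ships raw runtime bytecode in `data` with nothing recording where it came from or how it was checked; code allocated in genesis is never verified by the chain, so a single wrong nibble would silently put different code at the address every CREATE2 tool trusts. Add a comment naming the upstream source of the bytes and how they were verified, e.g. `# Runtime bytecode of the upstream proxy; before changing, compare byte-for-byte with the code deployed at this address on a reference chain`. The `value:` wrapper around `balance`/`data` differs from geth's native alloc schema and presumably relies on the genesis template to unwrap it; a one-line comment on that shape would save the next reader a trip to the template.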
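Review bot: `resources.geth` now carries requests of `cpu: 4` / `memory: 16Gi` with no `limits` block, while conductor and composer keep both; without a memory limit the geth pod is scheduled as Burstable rather than Guaranteed and can grow past 16Gi until the node itself is under pressure. If unbounded memory is deliberate for this workload, make it explicit with a comment such as `# no limits on purpose: geth is expected to use whatever memory it is given; bound it per environment`, otherwise restore a `limits` block alongside the new requests.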
diff --git a/charts/hermes/templates/secretproviderclass.yaml b/charts/hermes/templates/secretproviderclass.yaml index 5c669a8..7bf06a4 100644 --- a/charts/hermes/templates/secretproviderclass.yaml +++ b/charts/hermes/templates/secretproviderclass.yaml @@ -1,21 +1,14 @@ {{- if .Values.secretProvider.enabled }} {{- range $chainId, $chain := .Values.chains }} + {{- $_ := set $ "key" $chain.key }} --- apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: {{ include "hermes.fullname" $ }}-{{ $chainId }}-secrets-store spec: - provider: {{ .Values.secretProvider.provider }} - secretObjects: - - secretName: {{ include "hermes.fullname" $ }}-{{ $chainId }}-key - type: Opaque - data: - - objectName: {{ $chain.key.name }}.json - key: {{ $chain.key.secret.key }} + provider: {{ $.Values.secretProvider.provider }} parameters: - secrets: | - - resourceName: {{ $chain.key.secret.resourceName }} - fileName: "{{ $chain.key.secret.filename }}" + {{- tpl $.Values.secretProvider.parametersTemplate $ | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/hermes/values.yaml b/charts/hermes/values.yaml index efa84c3..05cba6b 100644 --- a/charts/hermes/values.yaml +++ b/charts/hermes/values.yaml @@ -68,15 +68,13 @@ chains: # address_type: Astria # secret: # resourceName: projects/$PROJECT_ID/secrets/astria-ibc-relay-key/versions/latest - # filename: astria-wallet.json - # key: token # eventSource: # mode: pull # interval: 1s # gasPrice: 1 # gasDenom: nria # trustThreshold: 2/3 - + # # celestia-local-0: # type: CosmosSdk # compatMode: '0.34' @@ -118,8 +116,6 @@ chains: # account: celestia1y7ndhu6fs06c7qkwgr9anf0uc27st27uwdj6vq # secret: # resourceName: projects/$PROJECT_ID/secrets/celestia-ibc-relay-key/versions/latest - # filename: celestia.json - # key: token # gasPrice: 0.12 # denom: 'utia' # gasMultiplier: 1.1 
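Review bot: The rewritten SecretProviderClass drops the `secretObjects` block that previously synced the mounted file into a Kubernetes Secret named `<fullname>-<chainId>-key`; any workload in this chart that still reads that Secret (for example through a `secretKeyRef`) will fail to start once this is deployed — the deployment template is not in this change, so please confirm nothing references it. Separately, `{{- $_ := set $ "key" $chain.key }}` mutates the root context: `tpl` then sees `.key` as intended, but the value outlives the `range` and is visible to every later template. Building the `tpl` context explicitly, e.g. `(dict "Values" $.Values "key" $chain.key)`, avoids that leak.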
@@ -127,9 +123,27 @@ chains: # maxBlockTime: 10s # trustThreshold: 2/3 +# When deploying in a production environment should use a secret provider +# This is configured for use with GCP, need to set own resource names +# and keys secretProvider: - enabled: false + enabled: true provider: gcp + # May need to update this template to match the secret provider + # it will be passed an object of the form: + # { key: { + # name: , + # secret: { resourceName: } + # } + # } + # + # Can update set the source of each chain key at chain..key.secret to + # match the secret provider's requirements. The default works for GCP. + # The secret file must be mapped to the .json. + parametersTemplate: |- + secrets: | + - resourceName: {{ .key.secret.resourceName }} + fileName: "{{ .key.name }}.json" ports: rest: 3000 diff --git a/charts/sequencer-faucet/Chart.yaml b/charts/sequencer-faucet/Chart.yaml index 41e2714..497c62d 100644 --- a/charts/sequencer-faucet/Chart.yaml +++ b/charts/sequencer-faucet/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.1 +version: 0.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/sequencer-faucet/templates/configmap.yaml b/charts/sequencer-faucet/templates/configmap.yaml index 1647f80..766df6a 100644 --- a/charts/sequencer-faucet/templates/configmap.yaml +++ b/charts/sequencer-faucet/templates/configmap.yaml 
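Review bot: `secretProvider.enabled` now defaults to `true`, so every install that did not set it explicitly will start rendering a SecretProviderClass against the placeholder `projects/$PROJECT_ID/secrets/...` resource and will require the secrets-store CSI driver and its GCP provider in the cluster. That is a behaviour change for existing users that a minor chart bump does not signal; either keep `false` as the default and document enabling it for production, or call the change out in the chart's notes. The comment describing the object passed to `parametersTemplate` shows empty placeholders (`name: ,`, `resourceName: }`); if that is how it reads in the file rather than an artefact of this rendering, fill in the expected values.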
@@ -9,6 +9,6 @@ data:
 SEQUENCER_FAUCET_SEQUENCER_RPC_URL: "{{ .Values.config.sequencerRpcUrl}}"
 SEQUENCER_FAUCET_AMOUNT: "{{ .Values.config.amount }}"
 {{- if not .Values.secretProvider.enabled }}
- SEQUENCER_FAUCET_PRIVATE_KEY: "{{ .Values.config.fundingPrivateKey }}"
+ SEQUENCER_FAUCET_PRIVATE_KEY: "{{ .Values.config.fundingPrivateKey.content }}"
 {{- end }}
 ---
diff --git a/charts/sequencer-faucet/templates/deployment.yaml b/charts/sequencer-faucet/templates/deployment.yaml
index 919859e..5e911f4 100644
--- a/charts/sequencer-faucet/templates/deployment.yaml
+++ b/charts/sequencer-faucet/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: sequencer-private-key-faucet
- key: {{ .Values.secretProvider.secrets.sequencerPrivateKey.key }}
+ key: {{ .Values.config.fundingPrivateKey.secret.key }}
 {{- end }}
 volumeMounts:
 {{- if .Values.secretProvider.enabled }}
diff --git a/charts/sequencer-faucet/templates/secretproviderclass.yaml b/charts/sequencer-faucet/templates/secretproviderclass.yaml
index 1d44aba..5e6d3b3 100644
--- a/charts/sequencer-faucet/templates/secretproviderclass.yaml
+++ b/charts/sequencer-faucet/templates/secretproviderclass.yaml
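Review bot: `SEQUENCER_FAUCET_PRIVATE_KEY` is rendered from `.Values.config.fundingPrivateKey.content`, but the faucet values file in this same change defines the key under `fundingPrivateKey.devContent` (and the deployment and SecretProviderClass use `fundingPrivateKey.secret.*`); with the secret provider disabled the variable therefore renders as an empty string and the faucet starts with no signing key. Change the line to `SEQUENCER_FAUCET_PRIVATE_KEY: "{{ .Values.config.fundingPrivateKey.devContent }}"` or rename the values key to match. Failing the render on an empty value would catch this class of mistake early, e.g. `{{ required "config.fundingPrivateKey.devContent is required when secretProvider is disabled" .Values.config.fundingPrivateKey.devContent }}`.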
@@ -1,21 +1,18 @@ {{- if .Values.secretProvider.enabled }} - {{- range $key, $value := .Values.secretProvider.secrets }} --- apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: {{ kebabcase $key }}-faucet + name: sequencer-private-key-faucet spec: provider: gcp secretObjects: - - secretName: {{ kebabcase $key }}-faucet + - secretName: sequencer-private-key-faucet type: Opaque data: - - objectName: {{ $value.filename }} - key: {{ $value.key }} + - objectName: {{ .Values.config.fundingPrivateKey.secret.filename }} + key: {{ .Values.config.fundingPrivateKey.secret.key }} parameters: - secrets: | - - resourceName: {{ $value.resourceName }} - fileName: "{{ $value.filename }}" - {{- end }} + {{- $_ := set $ "key" .Values.config.fundingPrivateKey.secret }} + {{- tpl $.Values.secretProvider.parametersTemplate $ | nindent 4 }} {{- end }} diff --git a/charts/sequencer-faucet/values.yaml b/charts/sequencer-faucet/values.yaml index 4edc5c7..f031528 100644 --- a/charts/sequencer-faucet/values.yaml +++ b/charts/sequencer-faucet/values.yaml @@ -10,7 +10,12 @@ config: # it corresponds with the following account: # address: 00d75b270542084a54fcf0d0f6eab0402982d156 # pubKey: db617d4ec61726efc4d993488931b37f7774bf04ad916b8f974d33c9241ee762 - fundingPrivateKey: 934ab488f9e1900f6a08f50605ce1409ca9d95ebdc400dafc2e8a4306419fd52 + fundingPrivateKey: + devContent: 934ab488f9e1900f6a08f50605ce1409ca9d95ebdc400dafc2e8a4306419fd52 + secret: + filename: sequencerPrivateKey.txt + resourceName: "projects/$PROJECT_ID/secrets/sequencerPrivateKey/versions/latest" + key: token # The amount of token to give per request amount: 1800 
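Review bot: `provider: gcp` and the `sequencer-private-key-faucet` names stay hard-coded even though `values.yaml` carries `secretProvider.provider: gcp` and the hermes and sequencer SecretProviderClass templates in this same change render `{{ .Values.secretProvider.provider }}`; a user switching provider in values would see no effect here. Use `provider: {{ .Values.secretProvider.provider }}` for consistency, and consider deriving the Secret name from a single named template so the deployment's `secretKeyRef` and this resource cannot drift apart. As in the other charts, `set $ "key" ...` stores the secret map on the root context for the rest of the render; a dedicated `dict` as the `tpl` context is the safer shape.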
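Review bot: `config.fundingPrivateKey` changes from a scalar hex string to a map, so an existing override file that still sets `fundingPrivateKey: <hex>` now supplies a string where the templates index `.fundingPrivateKey.secret.key` and `.fundingPrivateKey.content`, and the render fails with a field-lookup error instead of a clear message. Either flag this as a breaking change in the chart's notes (the bump to 0.6.0 is only minor) or add a `kindIs "map"`/`required` check in one template that produces a readable error. A comment above `devContent` saying it is ignored whenever `secretProvider.enabled` is true would also make the two paths easier to reason about.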
@@ -21,14 +26,25 @@ images: # This is configured for use with GCP, need to set own resource names # and keys secretProvider: - enabled: false + enabled: true provider: gcp - secrets: - # Used in place of config.fundingPrivateKey value when provider enabled - sequencerPrivateKey: - filename: sequencerPrivateKey.txt - resourceName: "projects/$PROJECT_ID/secrets/sequencerPrivateKey/versions/latest" - key: token + # May need to update this template to match the secret provider + # it will be passed an object containing: + # { + # key: { + # resourceName: , + # filename: , + # key: + # } + # } + # + # Can update set the source of each chain key at chain..key.secret to + # match the secret provider's requirements. The default works for GCP. + # The secret file must be mapped to the + parametersTemplate: |- + secrets: | + - resourceName: {{ .key.resourceName }} + fileName: "{{ .key.filename }}" ports: faucet: 8080 diff --git a/charts/sequencer/Chart.yaml b/charts/sequencer/Chart.yaml index 0202ba1..13d0fe1 100644 --- a/charts/sequencer/Chart.yaml +++ b/charts/sequencer/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.11.7 +version: 0.12.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/sequencer/files/cometbft/config/config.toml b/charts/sequencer/files/cometbft/config/config.toml index e9934f9..b1080c9 100644 --- a/charts/sequencer/files/cometbft/config/config.toml +++ b/charts/sequencer/files/cometbft/config/config.toml 
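Review bot: The explanatory comment above `parametersTemplate` was carried over from the hermes chart and refers to `chain..key.secret`, which does not exist in this chart; here the object handed to the template is `config.fundingPrivateKey.secret`. Reword it along the lines of `# The template is rendered with .key set to config.fundingPrivateKey.secret; adjust both together to match your provider`, and finish the dangling sentence `The secret file must be mapped to the`, which currently ends mid-phrase. Flipping `enabled` to `true` by default has the same consequence as in the hermes chart: a default install now requires the CSI driver and a real GCP resource in place of the `$PROJECT_ID` placeholder.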
@@ -6,6 +6,10 @@ # "$HOME/.cometbft" by default, but could be changed via $CMTHOME env variable # or --home cmd flag. +# The version of the CometBFT binary that created or +# last modified the config file. Do not modify this. +version = "0.38.6" +# edit ####################################################################### ### Main Base Config Options ### ####################################################################### @@ -17,14 +21,6 @@ proxy_app = "tcp://127.0.0.1:{{ .Values.ports.sequencerABCI }}" # A custom human readable name for this node moniker = "{{ .Values.config.moniker }}" -# If this node is many blocks behind the tip of the chain, BlockSync -# allows them to catchup quickly by downloading blocks in parallel -# and verifying their commits -# -# Deprecated: this key will be removed and BlockSync will be enabled -# unconditionally in the next major release. -block_sync = true - # Database backend: goleveldb | cleveldb | boltdb | rocksdb | badgerdb # * goleveldb (github.com/syndtr/goleveldb - most popular implementation) # - pure go @@ -60,12 +56,8 @@ log_format = "plain" # Path to the JSON file containing the initial validator set and other meta data genesis_file = "config/genesis.json" -{{- if .Values.secretProvider.enabled }} -priv_validator_key_file = "/secrets/priv-validator-key/{{ .Values.secretProvider.secrets.privValidatorKey.filename }}" -{{- else }} # Path to the JSON file containing the private key to use as a validator in the consensus protocol -priv_validator_key_file = "config/priv_validator_key.json" -{{- end }} +priv_validator_key_file = "/secrets/{{ .Values.config.cometBFT.secrets.privValidatorKey.filename }}" # Path to the JSON file containing the last sign state of a validator priv_validator_state_file = "data/priv_validator_state.json" 
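Review bot: A stray `# edit` line is left directly under `version = "0.38.6"` and reads like a working marker rather than documentation; remove it or replace it with what it was meant to say. Pinning `version` with a `Do not modify this` comment also couples this templated config to one CometBFT release, while the image tag is presumably set elsewhere in values; a comment pointing at where the image version lives, or rendering this from the same value, would keep the two from drifting apart.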
@@ -74,12 +66,8 @@ priv_validator_state_file = "data/priv_validator_state.json" # connections from an external PrivValidator process priv_validator_laddr = "" -{{- if .Values.secretProvider.enabled }} -node_key_file = "/secrets/node-key/{{ .Values.secretProvider.secrets.nodeKey.filename }}" -{{- else }} # Path to the JSON file containing the private key to use for node authentication in the p2p protocol -node_key_file = "config/node_key.json" -{{- end }} +node_key_file = "/secrets/{{ .Values.config.cometBFT.secrets.nodeKey.filename }}" # Mechanism to connect to the ABCI application: socket | grpc abci = "socket" @@ -140,7 +128,7 @@ max_open_connections = 900 # Maximum number of unique clientIDs that can /subscribe # If you're using /broadcast_tx_commit, set to the estimated maximum number # of broadcast_tx_commit calls per block. -max_subscription_clients = 10000 +max_subscription_clients = 100 # Maximum number of unique queries a given client can /subscribe to # If you're using GRPC (or Local RPC client) and /broadcast_tx_commit, set to 
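Review bot: `max_subscription_clients` drops from 10000 to 100 with nothing in the surrounding comment saying why; per the existing comment it caps the number of unique client IDs that can `/subscribe`, so indexers or relayers pointed at this node may hit the new ceiling. If the lower value is intended as a resource guard for the RPC endpoint, add a comment such as `# lowered from the 10000 default to bound subscriber load on the RPC endpoint`, or expose it through values so operators can raise it deliberately.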
@@ -278,13 +266,34 @@ dial_timeout = "3s" ####################################################### [mempool] -# Mempool version to use: -# 1) "v0" - (default) FIFO mempool. -# 2) "v1" - prioritized mempool (deprecated; will be removed in the next release). -version = "v0" - +# The type of mempool for this node to use. +# +# Possible types: +# - "flood" : concurrent linked list mempool with flooding gossip protocol +# (default) +# - "nop" : nop-mempool (short for no operation; the ABCI app is responsible +# for storing, disseminating and proposing txs). "create_empty_blocks=false" is +# not supported. +type = "flood" + +# Recheck (default: true) defines whether CometBFT should recheck the +# validity for all remaining transaction in the mempool after a block. +# Since a block affects the application state, some transactions in the +# mempool may become invalid. If this does not apply to your application, +# you can disable rechecking. recheck = true + +# Broadcast (default: true) defines whether the mempool should relay +# transactions to other peers. Setting this to false will stop the mempool +# from relaying transactions to other peers until they are included in a +# block. In other words, if Broadcast is disabled, only the peer you send +# the tx to will see it until it is included in a block. broadcast = true + +# WalPath (default: "") configures the location of the Write Ahead Log +# (WAL) for the mempool. The WAL is disabled by default. To enable, set +# WalPath to where you want the WAL to be written (e.g. +# "data/mempool.wal"). wal_dir = "" # Maximum number of transactions in the mempool 
@@ -312,21 +321,20 @@ max_tx_bytes = 1048576 # XXX: Unused due to https://github.com/tendermint/tendermint/issues/5796 max_batch_bytes = 0 -# ttl-duration, if non-zero, defines the maximum amount of time a transaction -# can exist for in the mempool. -# -# Note, if ttl-num-blocks is also defined, a transaction will be removed if it -# has existed in the mempool at least ttl-num-blocks number of blocks or if it's -# insertion time into the mempool is beyond ttl-duration. -ttl-duration = "0s" - -# ttl-num-blocks, if non-zero, defines the maximum number of blocks a transaction -# can exist for in the mempool. -# -# Note, if ttl-duration is also defined, a transaction will be removed if it -# has existed in the mempool at least ttl-num-blocks number of blocks or if -# it's insertion time into the mempool is beyond ttl-duration. -ttl-num-blocks = 0 +# Experimental parameters to limit gossiping txs to up to the specified number of peers. +# We use two independent upper values for persistent and non-persistent peers. +# Unconditional peers are not affected by this feature. +# If we are connected to more than the specified number of persistent peers, only send txs to +# ExperimentalMaxGossipConnectionsToPersistentPeers of them. If one of those +# persistent peers disconnects, activate another persistent peer. +# Similarly for non-persistent peers, with an upper limit of +# ExperimentalMaxGossipConnectionsToNonPersistentPeers. +# If set to 0, the feature is disabled for the corresponding group of peers, that is, the +# number of active connections to that group of peers is not bounded. +# For non-persistent peers, if enabled, a value of 10 is recommended based on experimental +# performance results using the default P2P configuration. +experimental_max_gossip_connections_to_persistent_peers = 0 +experimental_max_gossip_connections_to_non_persistent_peers = 0 ####################################################### ### State Sync Configuration Options ### 
@@ -370,7 +378,7 @@ chunk_fetchers = "4" [blocksync] # Block Sync version to use: -# +# # In v0.37, v1 and v2 of the block sync protocols were deprecated. # Please use v0 instead. # @@ -447,15 +455,17 @@ discard_abci_responses = false # When "kv" or "psql" is chosen "tx.height" and "tx.hash" will always be indexed. {{- if .Values.config.cometBFT.psql.enabled }} indexer = "psql" +{{- else }} +indexer = "kv" +{{- end }} # The PostgreSQL connection configuration, the connection format: # postgresql://:@:/? +{{- if .Values.config.cometBFT.psql.enabled }} psql-conn = "{{ .Values.config.cometBFt.psql.conn }}" {{- else }} -indexer = "kv" psql-conn = "" {{- end }} - ####################################################### ### Instrumentation Configuration Options ### ####################################################### diff --git a/charts/sequencer/files/cometbft/config/genesis.json b/charts/sequencer/files/cometbft/config/genesis.json index e2c17e7..a7b0575 100644 --- a/charts/sequencer/files/cometbft/config/genesis.json +++ b/charts/sequencer/files/cometbft/config/genesis.json @@ -54,7 +54,7 @@ "app": "0" } }, - "genesis_time": "2023-09-22T17:22:35.092832Z", + "genesis_time": "{{ .Values.config.cometBFT.genesisTime }}", "initial_height": "0", "validators": [ {{- range $index, $value := .Values.config.cometBFT.validators }} diff --git a/charts/sequencer/files/scripts/init-cometbft.sh b/charts/sequencer/files/scripts/init-cometbft.sh index bcb7ffd..9cc643f 100644 --- a/charts/sequencer/files/scripts/init-cometbft.sh +++ b/charts/sequencer/files/scripts/init-cometbft.sh 
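Review bot: The rearranged `psql` block still reads `{{ .Values.config.cometBFt.psql.conn }}` (lower-case `t`) while the guard directly above it tests `.Values.config.cometBFT.psql.enabled`; with psql enabled the connection string therefore renders empty and the psql indexer cannot connect. This is pre-existing, but the commit touches both sides of it, so change the line to `psql-conn = "{{ .Values.config.cometBFT.psql.conn }}"`. The two separate `{{- if .Values.config.cometBFT.psql.enabled }}` blocks could also be folded into one so `indexer` and `psql-conn` are decided in a single place.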
@@ -3,12 +3,12 @@ set -o errexit -o nounset # Only need to configure cometbft data if not already initialized -if [ -z "$(ls -A /cometbft/data)" ]; then +if [ ! -d "/cometbft/data" ]; then cp -LR /data/ /cometbft/data fi # Don't replace the config directory if it already exists -if [ -z "$(ls -A /cometbft/config)" ]; then +if [ ! -d "/cometbft/config" ]; then cp -LR /config/ /cometbft/config else cp /config/* /cometbft/config/ diff --git a/charts/sequencer/templates/configmaps.yaml b/charts/sequencer/templates/configmaps.yaml index 633e0ab..0706e65 100644 --- a/charts/sequencer/templates/configmaps.yaml +++ b/charts/sequencer/templates/configmaps.yaml @@ -8,13 +8,20 @@ data: {{- tpl (.Files.Get "files/cometbft/config/genesis.json") $ | nindent 4 }} config.toml: | {{- tpl (.Files.Get "files/cometbft/config/config.toml") $ | nindent 4 }} - {{- if not .Values.secretProvider.enabled }} - node_key.json: | - {{- tpl (.Files.Get "files/cometbft/config/node_key.json") $ | nindent 4 }} - priv_validator_key.json: | - {{- tpl (.Files.Get "files/cometbft/config/priv_validator_key.json") $ | nindent 4 }} +--- +{{- if not .Values.secretProvider.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.config.moniker }}-cometbft-secrets + namespace: {{ include "sequencer.namespace" . }} +data: + {{- range $secret := .Values.config.cometBFT.secrets }} + {{ $secret.filename }}: | + {{- toJson $secret.devContent | nindent 4 }} {{- end }} --- +{{- end }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/sequencer/templates/secretproviderclass.yaml b/charts/sequencer/templates/secretproviderclass.yaml index e1b5ef2..5ac6bc0 100644 --- a/charts/sequencer/templates/secretproviderclass.yaml +++ b/charts/sequencer/templates/secretproviderclass.yaml 
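Review bot: When the secret provider is disabled, `privValidatorKey.json` and `nodeKey.json` are now written into a ConfigMap (`{{ .Values.config.moniker }}-cometbft-secrets`) and mounted via `configMap:` in the statefulset hunk that follows; ConfigMaps are readable by anyone with `get configmaps` in the namespace and are typically outside the etcd encryption-at-rest configuration that covers Secrets, so even dev key material belongs in `kind: Secret`. The change is small: `kind: Secret` with `stringData:` in place of `data:` here, and in the statefulset volume `secret:` / `secretName: {{ .Values.config.moniker }}-cometbft-secrets` in place of `configMap:` / `name:`. The values comment already calls the ConfigMap path unsafe, so this just closes the gap it names.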
@@ -1,24 +1,11 @@ {{- if .Values.secretProvider.enabled }} - --- apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: sequencer-keys-provider spec: - provider: gcp - secretObjects: - {{- range $key, $value := .Values.secretProvider.secrets }} - - secretName: {{ kebabcase $key }} - type: Opaque - data: - - objectName: {{ $value.filename }} - key: {{ $value.key }} - {{- end }} + provider: {{ .Values.secretProvider.provider }} parameters: - secrets: | - {{- range $key, $value := .Values.secretProvider.secrets }} - - resourceName: {{ $value.resourceName }} - fileName: "{{ $value.filename }}" - {{- end }} + {{- tpl $.Values.secretProvider.parametersTemplate $ | nindent 4 }} {{- end }} diff --git a/charts/sequencer/templates/statefulsets.yaml b/charts/sequencer/templates/statefulsets.yaml index 8765000..ac14ec7 100644 --- a/charts/sequencer/templates/statefulsets.yaml +++ b/charts/sequencer/templates/statefulsets.yaml @@ -66,10 +66,9 @@ spec: - mountPath: /cometbft name: sequencer-shared-storage-vol subPath: {{ .Values.config.moniker }}/cometbft - {{- if .Values.secretProvider.enabled }} - - mountPath: "/secrets" - name: sequencer-keys-provider - {{- end }} + - mountPath: /secrets + readOnly: true + name: sequencer-secret-keys-vol ports: - containerPort: {{ .Values.ports.cometBFTP2P }} name: cometbft-p2p @@ -99,11 +98,14 @@ spec: {{- else }} emptyDir: {} {{- end }} - {{- if .Values.secretProvider.enabled }} - name: sequencer-secret-keys-vol + {{- if .Values.secretProvider.enabled }} csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: sequencer-keys-provider - {{- end }} + {{- else }} + configMap: + name: {{ .Values.config.moniker }}-cometbft-secrets + {{- end }} diff --git a/charts/sequencer/values.yaml b/charts/sequencer/values.yaml index c11a0a0..82ac71b 100644 --- a/charts/sequencer/values.yaml +++ b/charts/sequencer/values.yaml 
@@ -62,15 +62,11 @@ config: # Values for CometBFT node configuration cometBFT: chainId: 'sequencer-test-chain-0' - + genesisTime: '2023-09-22T17:22:35.092832Z' # If using postgres for indexing, update to enabled and set the connection psql: enabled: false conn: postgresql://:@:/? - - # CometBFT P2P Private key. - # This is a secret key, should use a secret manager for production deployments - privNodeKey: HGWRtLbV8WLGFgbYhaGyaLe++DC+DBoc7O3bri81vs2ZlpR28IFfQScoO1aNOE/ygs8LIPM9UzLzbaab4VMggQ== p2p: # Address to listen for incoming connections, port is inferred from ports.cometBFTP2P laddr: "tcp://0.0.0.0" 
@@ -90,14 +86,35 @@ config: # Seed mode, in which node constantly crawls the network and looks for # peers. If another node asks it for addresses, it responds and disconnects. seed_mode: false - validator: - # Ed25519 address of validator - address: 091E47761C58C474534F4D414AF104A6CAF90C22 - # public key for the validator address - pubKey: lV57+rGs2vac7mvkGHP1oBFGHPJM3a+WoAzeFDCJDNU= - # private key for the validator address - # This is a secret key, should use a secret manager for production deployments - privKey: dGOTAweQV8Do9P2n+A8m5EnboDrlxgD3dg4vrYpdIRqVXnv6saza9pzua+QYc/WgEUYc8kzdr5agDN4UMIkM1Q== + # These secrets will be generated using the devContent values turned into JSON + # and stored unsafely as config maps. Unless SecretProvider is enabled. + # Where the secret parameters should be then updated to suit your secret provider + # parameter template. + secrets: + nodeKey: + filename: nodeKey.json + devContent: + priv_key: + type: tendermint/PrivKeyEd25519 + value: HGWRtLbV8WLGFgbYhaGyaLe++DC+DBoc7O3bri81vs2ZlpR28IFfQScoO1aNOE/ygs8LIPM9UzLzbaab4VMggQ== + secret: + resourceName: "projects/$PROJECT_ID/secrets/privValidatorKey/versions/latest" + privValidatorKey: + filename: privValidatorKey.json + devContent: + # Ed25519 address of validator + address: 091E47761C58C474534F4D414AF104A6CAF90C22 + # public key for the validator address + pub_key: + type: tendermint/PubKeyEd25519 + value: lV57+rGs2vac7mvkGHP1oBFGHPJM3a+WoAzeFDCJDNU= + # private key for the validator address + # This is a secret key, should use a secret manager for production deployments + priv_key: + type: tendermint/PrivKeyEd25519 + value: dGOTAweQV8Do9P2n+A8m5EnboDrlxgD3dg4vrYpdIRqVXnv6saza9pzua+QYc/WgEUYc8kzdr5agDN4UMIkM1Q== + secret: + resourceName: "projects/$PROJECT_ID/secrets/privValidatorKey/versions/latest" validators: - name: core power: '1' 
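Review bot: `nodeKey.secret.resourceName` points at `projects/$PROJECT_ID/secrets/privValidatorKey/versions/latest`, the same resource as `privValidatorKey.secret.resourceName`; with the default `parametersTemplate` both `nodeKey.json` and `privValidatorKey.json` would then be filled from the validator signing key, which is a key-confusion risk and yields an invalid node key file. It should reference its own secret, e.g. `resourceName: "projects/$PROJECT_ID/secrets/nodeKey/versions/latest"` (constructed example; substitute the real resource). The comment above `secrets:` could also state that `devContent` is serialised with `toJson` verbatim, so the nested shape must match what CometBFT expects in each file.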
@@ -113,16 +130,23 @@ sequencer-relayer: secretProvider: enabled: false provider: gcp - secrets: - # Used in place of config.fundingPrivateKey value when provider enabled - privValidatorKey: - filename: privValidatorKey.json - resourceName: "projects/$PROJECT_ID/secrets/privValidatorKey/versions/latest" - key: token - nodeKey: - filename: nodeKey.json - resourceName: "projects/$PROJECT_ID/secrets/privValidatorKey/versions/latest" - key: token + # May need to update this template to match the secret provider + # it will be passed an object of the form: + # { : { + # filename: , + # secret: { resourceName: } + # } + # } + # + # Can update the source of the secrets at config.cometBFT.secrets to + # match the secret provider's requirements. The default works for GCP. + # The secret file must be mapped to the .filename value. + parametersTemplate: |- + secrets: | + {{- range $value := .Values.config.cometBFT.secrets }} + - resourceName: {{ $value.secret.resourceName }} + fileName: "{{ $value.filename }}" + {{- end }} ports: cometBFTP2P: 26656
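Review bot: `secretProvider.enabled` stays `false` here while the hermes and sequencer-faucet charts in this same change flip their default to `true`, even though all three now share the same `parametersTemplate` mechanism; divergent defaults will surprise anyone operating the charts together. Pick one default across the charts (`false` is the safer choice for charts that ship dev keys) and state it in each values file with a comment such as `# Defaults to false; set to true and fill in the resource names below for any non-dev deployment`.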