add support for authorized_key on octezSigner end

oxheadalpha · Oct 23, 2023 · de418fe · de418fe
1 parent 9a93bc2
commit de418fe
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/charts/tezos/scripts/remote-signer.sh b/charts/tezos/scripts/remote-signer.sh
@@ -6,7 +6,11 @@ CLIENT_DIR="$TEZ_VAR/client"
 NODE_DIR="$TEZ_VAR/node"
 NODE_DATA_DIR="$TEZ_VAR/node/data"
 
-CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR launch http signer --check-high-watermark -a 0.0.0.0 -p 6732"
+extra_args=""
+if [ "${REQUIRE_AUTHENTICATION}" == "true" ]; then
+  extra_args="${extra_args} --require-authentication"
+fi
+CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR ${extra_args} launch http signer -a 0.0.0.0 -p 6732"
 
 # ensure we can run tezos-signer commands without specifying client dir
 ln -s /var/tezos/client /home/tezos/.tezos-signer

diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml
@@ -174,6 +174,7 @@ should_generate_unsafe_deterministic_data: false
 #                            Don't also set `bake_using_accounts`.
 #    - `bake_using_accounts`: List of account names that should be used for baking.
 #                            Don't also set `bake_using_account`.
+#    - `authorized_keys`: List of account names available to the baker to sign signature requests.
 #    - `config`: Same as the outer statefulset level `config`. It overrides the
 #                statefulset level.
 #    - `is_bootstrap_node`: Boolean for is this node a bootstrap peer.
@@ -314,6 +315,9 @@ octezSigners: {}
 #  tezos-signer-0:
 #    accounts:
 #     - baker0
+#    authorized_keys:
+#     # if set, baker will only sign request authenticated by one of the authorized_keys
+#     - authorized_key0
 # ```
 #
 # Deploys a signer using AWS KMS to sign operations.

diff --git a/utils/config-generator.py b/utils/config-generator.py
@@ -426,6 +426,7 @@ def import_keys(all_accounts):
     secret_keys = []
     public_keys = []
     public_key_hashs = []
+    authorized_keys = []
 
     for account_name, account_values in all_accounts.items():
         print("\n  Importing keys for account: " + account_name)
@@ -460,6 +461,11 @@ def import_keys(all_accounts):
         public_key_hashs.append({"name": account_name, "value": pkh_b58})
         account_values["pkh"] = pkh_b58
 
+        if MY_POD_TYPE == "signing" and \
+            account_name in MY_POD_CONFIG["authorized_keys"]:
+            print(f"    Appending authorized key: {pk_b58}")
+            authorized_keys.append({"name": account_name, "value": pk_b58})
+
         print(f"    Account key type: {account_values.get('type')}")
         print(
             f"    Account bootstrap balance: "
@@ -470,17 +476,21 @@ def import_keys(all_accounts):
             + f"{account_values.get('is_bootstrap_baker_account', False)}"
         )
 
-    sk_path, pk_path, pkh_path = (
+    sk_path, pk_path, pkh_path, ak_path = (
         f"{tezdir}/secret_keys",
         f"{tezdir}/public_keys",
         f"{tezdir}/public_key_hashs",
+        f"{tezdir}/authorized_keys",
     )
     print(f"\n  Writing {sk_path}")
     json.dump(secret_keys, open(sk_path, "w"), indent=4)
     print(f"  Writing {pk_path}")
     json.dump(public_keys, open(pk_path, "w"), indent=4)
     print(f"  Writing {pkh_path}")
     json.dump(public_key_hashs, open(pkh_path, "w"), indent=4)
+    if MY_POD_TYPE == "signing":
+        print(f"  Writing {pkh_path}")
+        json.dump(authorized_keys, open(ak_path, "w"), indent=4)
 
 
 def create_node_identity_json():