diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml index e0c7377d7..84afa8df0 100644 --- a/charts/tezos/values.yaml +++ b/charts/tezos/values.yaml @@ -174,7 +174,10 @@ should_generate_unsafe_deterministic_data: false # Don't also set `bake_using_accounts`. # - `bake_using_accounts`: List of account names that should be used for baking. # Don't also set `bake_using_account`. -# - `authorized_keys`: List of account names available to the baker to sign signature requests. +# - `authorized_keys`: Keys used to authenticate a baker to a signer. +# When a baker uses a remote signer that requires +# authentication, the relevant key from this list +# will be used to sign every signature request. # - `config`: Same as the outer statefulset level `config`. It overrides the # statefulset level. # - `is_bootstrap_node`: Boolean for is this node a bootstrap peer. @@ -316,7 +319,10 @@ octezSigners: {} # accounts: # - baker0 # authorized_keys: -# # if set, baker will only sign request authenticated by one of the authorized_keys +# # Keys used to authenticate the baker to the signer. +# # The baker must have the private key for one of the +# # listed accounts. The signer will only sign a request +# # from a baker authenticated by an allowed key. # - authorized-key-0 # ``` # diff --git a/utils/config-generator.py b/utils/config-generator.py index 907caee94..46f403c5a 100755 --- a/utils/config-generator.py +++ b/utils/config-generator.py @@ -332,10 +332,16 @@ def expose_secret_key(account_name): pod. It returns the obvious Boolean. """ if MY_POD_TYPE == "activating": - all_authorized_keys = [key for node in NODES.values() for instance in node['instances'] for key in instance.get('authorized_keys', [])] + all_authorized_keys = [ + key + for node in NODES.values() + for instance in node["instances"] + for key in instance.get("authorized_keys", []) + ] if account_name in all_authorized_keys: - # populate all known authorized keys in the activation account. - # This avoids annoying edge cases for activating private chains, when security is not critical. + # Populate authorized keys known by all bakers in the activation account. + # This ensures that activation will succeed with a remote signer that requires auth, + # regardless of which baker does it. return True return NETWORK_CONFIG["activation_account_name"] == account_name @@ -461,8 +467,9 @@ def import_keys(all_accounts): public_key_hashs.append({"name": account_name, "value": pkh_b58}) account_values["pkh"] = pkh_b58 - if MY_POD_TYPE == "signing" and \ - account_name in MY_POD_CONFIG.get("authorized_keys", {}): + if MY_POD_TYPE == "signing" and account_name in MY_POD_CONFIG.get( + "authorized_keys", {} + ): print(f" Appending authorized key: {pk_b58}") authorized_keys.append({"name": account_name, "value": pk_b58}) @@ -756,7 +763,9 @@ def create_node_snapshot_config_json(history_mode): ] if octez_version: matching_snapshots = [ - s for s in matching_snapshots if int(octez_version) == s.get("tezos_version").get("version").get("major") + s + for s in matching_snapshots + if int(octez_version) == s.get("tezos_version").get("version").get("major") ] matching_snapshots = sorted(matching_snapshots, key=lambda s: s.get("block_height"))