From f74ce19385c28c184988d899baec54e7a820faec Mon Sep 17 00:00:00 2001
From: Nicolas Ochem
Date: Fri, 15 Dec 2023 22:59:52 -0800
Subject: [PATCH] re-add explicit authorized key

---
 charts/tezos/values.yaml | 8 ++++++++
 utils/config-generator.py | 26 ++++----------------------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml
index 987af5e72..b1cbcaa0b 100644
--- a/charts/tezos/values.yaml
+++ b/charts/tezos/values.yaml
@@ -168,6 +168,11 @@ should_generate_unsafe_deterministic_data: false
 # Don't also set `bake_using_accounts`.
 # - `bake_using_accounts`: List of account names that should be used for baking.
 # Don't also set `bake_using_account`.
+# - `authorized_keys`: List of account names that should be used as keys to
+# authenticate a baker to a signer.
+# When a baker uses a remote signer that requires
+# authentication, the relevant key from this list
+# will be used to sign every signature request.
 # - `config`: Same as the outer statefulset level `config`. It overrides the
 # statefulset level.
 # - `is_bootstrap_node`: Boolean for is this node a bootstrap peer.
@@ -470,6 +475,9 @@ expected_proof_of_work: 26
 # # The name of the account who's public key will be set downstream in
 # # config.json at `network.genesis_parameters.values.genesis_pubkey`.
 # activation_account_name: baker0
+# # if activation account is on a remote signer requiring authorization,
+# # put authorized key account here
+# activation_account_authorized_key: authorizedKey0
 #
 ## To join a public network you may set `chain_name` in one of two ways:
 ## - Specify the name of the network which must be recognized by the
diff --git a/utils/config-generator.py b/utils/config-generator.py
index 0a4b28de3..52a1bfa36 100755
--- a/utils/config-generator.py
+++ b/utils/config-generator.py
@@ -336,20 +336,6 @@ def fill_in_missing_keys(all_accounts):
 account_values["type"] = "secret"
-def authorized_key_for(account_name):
-"""
-If `account_name` has a remote signer and this remote signer
-requires an authorized key, returns it.
-"""
-for signer_val in OCTEZ_SIGNERS.values():
-if account_name in signer_val["accounts"]:
-return (
-signer_val["authorized_keys"][0]
-if signer_val["authorized_keys"]
-else None
-)
-return
-
 def expose_secret_key(account_name):
 """
@@ -361,10 +347,9 @@ def expose_secret_key(account_name):
 as is the case in Octez client's "secret_keys" file.
 """
 if MY_POD_TYPE == "activating":
-activation_account = NETWORK_CONFIG["activation_account_name"]
 return account_name in [
-activation_account,
-authorized_key_for(activation_account),
+NETWORK_CONFIG["activation_account_name"],
+NETWORK_CONFIG["activation_account_authorized_key"]
 ]
 if MY_POD_TYPE == "signing":
@@ -377,12 +362,9 @@ def expose_secret_key(account_name):
 return account_name == os.environ["INJECTOR_ACCOUNT"]
 if MY_POD_TYPE in ["node", "baker"]:
-baking_account = MY_POD_CONFIG.get("bake_using_account", "")
-if account_name in [baking_account, authorized_key_for(baking_account)]:
+if account_name in MY_POD_CONFIG.get("authorized_keys", {}):
 return True
-for baking_account in MY_POD_CONFIG.get("bake_using_accounts", {}):
-if account_name in [baking_account, authorized_key_for(baking_account)]:
-return True
+return account_name in MY_POD_CONFIG.get("bake_using_accounts", {})
 return False
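Review bot: In the "activating" branch, `NETWORK_CONFIG["activation_account_authorized_key"]` is indexed unconditionally, so an activating pod whose network config omits that key fails with KeyError, although the values.yaml change in this same commit presents the setting as optional (commented out, to be set only when the activation account sits behind a remote signer that requires authorization). Reading it as `NETWORK_CONFIG.get("activation_account_authorized_key")` keeps the membership test correct, since a None entry in the list can never equal a real account name, while the pre-existing unconditional read of `activation_account_name` stays as it was. The rest of expose_secret_key continues in the following hunk.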
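Review bot: The removed lines in the "node"/"baker" branch also honoured the singular `bake_using_account` setting, which values.yaml in this commit still documents as the alternative to `bake_using_accounts`, so a pod configured with the singular form would no longer have its baking account's secret key exposed unless that setting is normalised into the plural list somewhere else in the generator, which is not visible in this hunk. The `{}` defaults on `.get("authorized_keys", {})` and `.get("bake_using_accounts", {})` are misleading for values documented as lists and, more importantly, `in` does substring matching when the loaded value is a plain string, so a scalar mistakenly given for either key would match any account name it contains; `[]` defaults plus a `isinstance(..., list)` guard would make the exposure decision depend only on exact names. A minimal version: `if account_name in MY_POD_CONFIG.get("authorized_keys", []):` and `return account_name in MY_POD_CONFIG.get("bake_using_accounts", [])`. expose_secret_key's signature and docstring precede this hunk.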