feat: improve way to mount keys

Signed-off-by: Smuu <[email protected]>
celestiaorg · Aug 12, 2024 · 8dda2ab · 8dda2ab
1 parent 554f4e3
commit 8dda2ab
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 58 deletions.
diff --git a/charts/celestia-node/templates/_helpers.tpl b/charts/celestia-node/templates/_helpers.tpl
@@ -80,7 +80,7 @@ Compile all deprecation warnings into a single message.
 {{- define "node.deprecationWarnings" -}}
 {{- $warnings := list -}}
 {{- if .Values.node.args -}}
-  DEPRECATION WARNING: The use of node.args is deprecated. Please configure container args using node.settings.nodeType and node.extraArgs.
+  {{- $warnings = append $warnings "DEPRECATION WARNING: The use of node.args is deprecated. Please configure container args using node.settings.nodeType and node.extraArgs." -}}
 {{- end -}}
 {{- $warnings := without $warnings "" -}}
 {{- $warning := join "\n" $warnings -}}
@@ -98,6 +98,12 @@ Compile all validation messages into a single message and fail the deployment if
 {{- define "node.validateValues" -}}
 {{- $messages := list -}}
 {{- $messages := append $messages (include "node.validateValues.nodeType" .) -}}
+{{- if .Values.node.settings.node_id -}}
+  {{- $messages = append $messages "ERROR: The use of node.settings.node_id is not allowed. Please use the secret specified in node.settings.secret." -}}
+{{- end -}}
+{{- if .Values.node.settings.address -}}
+  {{- $messages = append $messages "ERROR: The use of node.settings.address is not allowed. Please use the secret specified in node.settings.secret." -}}
+{{- end -}}
 {{- $messages := without $messages "" -}}
 {{- $message := join "\n" $messages -}}
 

diff --git a/charts/celestia-node/templates/configmap-address.yaml b/charts/celestia-node/templates/configmap-address.yaml
diff --git a/charts/celestia-node/templates/statefulset.yaml b/charts/celestia-node/templates/statefulset.yaml
@@ -124,32 +124,24 @@ spec:
             - name: home-dir # This is needed so that the process has permissions to create files in the home directory
               mountPath: /home
               readOnly: false
-        - name: keys-permission
+        - name: keys
           image: busybox
           command:
             - "sh"
             - "-c"
             - |
               set -ex
               mkdir -p /keys-volume/keyring-test
-              cp /keys/* /keys-volume/
-              cp /address/* /keys-volume/keyring-test/
-              cp /celes-key/* /keys-volume/keyring-test/
-              printf "%s" "$(cat /celes-key/my_celes_key.info)" > /keys-volume/keyring-test/my_celes_key.info
-              rm /keys-volume/my_celes_key.info
-              chown -R {{ .Values.node.containerSecurityContext.runAsUser }}:{{ .Values.node.containerSecurityContext.runAsGroup }} /keys-volume/* /keys-volume/keyring-test/
-              find /keys-volume/ -type f -exec chmod 0400 {} \;
+              cp /keys/NJ3XILLTMVRXEZLUFZVHO5A /keys-volume/
+              cp /keys/OAZHALLLMV4Q /keys-volume/
+              cp /keys/my_celes_key.info /keys-volume/keyring-test/
+              printf "%s" "$(cat /keys/address)" > /keys-volume/keyring-test/$(cat /keys/uid).address
+              chown -R {{ .Values.node.containerSecurityContext.runAsUser }}:{{ .Values.node.containerSecurityContext.runAsGroup }} /keys-volume/
+              find /keys-volume/ -type f -exec chmod 0600 {} \;
           volumeMounts:
             - name: keys
               mountPath: /keys
               readOnly: true
-            - name: address
-              mountPath: /address/{{ .Values.node.settings.node_id }}.address
-              subPath: {{ .Values.node.settings.node_id }}.address
-              readOnly: true
-            - name: celes-key
-              mountPath: /celes-key
-              readOnly: true
             - name: keys-volume
               mountPath: /keys-volume
         {{- if .Values.node.initContainers }}
@@ -351,18 +343,10 @@ spec:
                 path: OAZHALLLMV4Q
               - key: my_celes_key_info
                 path: my_celes_key.info
-        - name: address
-          configMap:
-            name: {{ template "common.names.fullname" . }}-address
-            items:
-              - key: {{ .Values.node.settings.node_id }}.address
-                path: {{ .Values.node.settings.node_id }}.address
-        - name: celes-key
-          secret:
-            secretName: {{ .Values.node.settings.secret.name }}
-            items:
-              - key: my_celes_key_info
-                path: my_celes_key.info
+              - key: uid
+                path: uid
+              - key: address
+                path: address
         - name: keys-volume
           emptyDir: {}
         - name: home-dir

diff --git a/charts/celestia-node/values.yaml b/charts/celestia-node/values.yaml
@@ -118,22 +118,16 @@ node:
     ##
     # -- home directory for the celestia-node, defaults to /home/celestia
     home: "/home/celestia"
-    ## @param node.settings.node_id Node ID for the celestia-node
-    ##
-    # -- node ID for the celestia-node, it must be set
-    node_id: "SET_IT"
-    ## @param node.settings.address Address for the celestia-node
-    ##
-    # -- address for the celestia-node, it must be set
-    address: "SET_IT"
     ## @param node.settings.secret Secret for the celestia-node
     ##
     ## A secret must be available in the cluster with the following format:
     ## - name: <secret-name>
     ## - items:
+    ##     - key: my_celes_key_info
+    ##     - key: uid
+    ##     - key: address
     ##     - key: NJ3XILLTMVRXEZLUFZVHO5A
     ##     - key: OAZHALLLMV4Q
-    ##     - key: my_celes_key_info
     secret:
       # -- name of the secret, it must be set
       name: SET_IT

diff --git a/scripts/create_new_key_upload_1pass.sh b/scripts/create_new_key_upload_1pass.sh
@@ -24,19 +24,22 @@ NODE_CONTAINER_NAME="celestia-node-container-$(date +%s)"
 # Start the celestia-node container with the specified version and keep it running
 docker run -d --name $NODE_CONTAINER_NAME --entrypoint tail ghcr.io/celestiaorg/celestia-node:$CELESTIA_NODE_VERSION -f /dev/null
 
-# Execute the command in the celestia-node container
+# Execute the command in the celestia-node container to create a new key
+MNEMONIC=$(docker exec $NODE_CONTAINER_NAME cel-key mnemonic --node.type bridge 2>&1 >/dev/null)
+KEY_NAME="my_celes_key"
+docker exec -i $NODE_CONTAINER_NAME cel-key add $KEY_NAME --node.type bridge --recover --keyring-backend test --output json <<< "$MNEMONIC"
+
 docker exec $NODE_CONTAINER_NAME celestia bridge init
 docker exec $NODE_CONTAINER_NAME celestia bridge start
 
 # Function to get keys from the running container and upload to 1password
 upload_keys_to_1password() {
     NJ=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/NJ3XILLTMVRXEZLUFZVHO5A)
-    AA=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/OAZHALLLMV4Q)
-    ADDR_ID=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | tr '.' '_')
-    ADDR_IN=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | tr '.' '_')
+    OA=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/OAZHALLLMV4Q)
+    KEY_UID=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | cut -d '.' -f 1)
+    KEY_NAME=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | tr '.' '_')
     ADDR=$(docker exec $NODE_CONTAINER_NAME bash -c "ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | xargs -I {} cat /home/celestia/.celestia-bridge/keys/keyring-test/{}")
     ADDR_INFO=$(docker exec $NODE_CONTAINER_NAME bash -c "ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | xargs -I {} cat /home/celestia/.celestia-bridge/keys/keyring-test/{}")
-    ADR_ID=$(echo $ADDR_ID | cut -d '_' -f 1)
 
     read -p "Do you want to add the node to 1Pass? (y/n): " confirm
     case $confirm in
@@ -46,11 +49,12 @@ upload_keys_to_1password() {
                 --category password \
                 --title "$SECRET_NAME" \
                 --vault $VAULT_NAME \
-                "NJ3XILLTMVRXEZLUFZVHO5A=${NJ}" \
-                "OAZHALLLMV4Q=${AA}" \
+                "mnemonic=${MNEMONIC}" \
+                "uid=${KEY_UID}" \
                 "address=${ADDR}" \
-                "${ADDR_IN}=${ADDR_INFO}" \
-                "id=${ADR_ID}" \
+                "${KEY_NAME}=${ADDR_INFO}" \
+                "NJ3XILLTMVRXEZLUFZVHO5A=${NJ}" \
+                "OAZHALLLMV4Q=${OA}" \
                 --tags ${CHAIN},kubernetes
             ;;
         *)