From 8dda2abf694b2d89e61b1c4ca8f7b11bb7e8f363 Mon Sep 17 00:00:00 2001
From: Smuu <18609909+Smuu@users.noreply.github.com>
Date: Mon, 12 Aug 2024 08:24:28 +0200
Subject: [PATCH] feat: improve way to mount keys
Signed-off-by: Smuu <18609909+Smuu@users.noreply.github.com>
---
charts/celestia-node/templates/_helpers.tpl | 8 +++-
.../templates/configmap-address.yaml | 12 ------
.../celestia-node/templates/statefulset.yaml | 38 ++++++------------
charts/celestia-node/values.yaml | 12 ++---
scripts/create_new_key_upload_1pass.sh | 22 ++++++-----
5 files changed, 34 insertions(+), 58 deletions(-)
delete mode 100644 charts/celestia-node/templates/configmap-address.yaml
diff --git a/charts/celestia-node/templates/_helpers.tpl b/charts/celestia-node/templates/_helpers.tpl
index 111fae3..654bd51 100644
--- a/charts/celestia-node/templates/_helpers.tpl
+++ b/charts/celestia-node/templates/_helpers.tpl
@@ -80,7 +80,7 @@ Compile all deprecation warnings into a single message.
{{- define "node.deprecationWarnings" -}}
{{- $warnings := list -}}
{{- if .Values.node.args -}}
- DEPRECATION WARNING: The use of node.args is deprecated. Please configure container args using node.settings.nodeType and node.extraArgs.
+ {{- $warnings = append $warnings "DEPRECATION WARNING: The use of node.args is deprecated. Please configure container args using node.settings.nodeType and node.extraArgs." -}}
{{- end -}}
{{- $warnings := without $warnings "" -}}
{{- $warning := join "\n" $warnings -}}
@@ -98,6 +98,12 @@ Compile all validation messages into a single message and fail the deployment if
{{- define "node.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "node.validateValues.nodeType" .) -}}
+{{- if .Values.node.settings.node_id -}}
+ {{- $messages = append $messages "ERROR: The use of node.settings.node_id is not allowed. Please use the secret specified in node.settings.secret." -}}
+{{- end -}}
+{{- if .Values.node.settings.address -}}
+ {{- $messages = append $messages "ERROR: The use of node.settings.address is not allowed. Please use the secret specified in node.settings.secret." -}}
+{{- end -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
diff --git a/charts/celestia-node/templates/configmap-address.yaml b/charts/celestia-node/templates/configmap-address.yaml
deleted file mode 100644
index fdf3b29..0000000
--- a/charts/celestia-node/templates/configmap-address.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "common.names.fullname" . }}-address
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: node
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- {{ .Values.node.settings.node_id }}.address: {{ .Values.node.settings.address }}
diff --git a/charts/celestia-node/templates/statefulset.yaml b/charts/celestia-node/templates/statefulset.yaml
index d357d3a..6c17b3e 100644
--- a/charts/celestia-node/templates/statefulset.yaml
+++ b/charts/celestia-node/templates/statefulset.yaml
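Review bot: The two new validateValues blocks reject the removed node_id/address keys, but nothing in this hunk rejects the placeholder `secret.name: SET_IT` that values.yaml still ships (see the values.yaml hunk further down), so a chart installed with default values renders a StatefulSet that references a Secret literally named SET_IT and only fails at pod start, when the init container tries to copy /keys. Unless such a check already exists outside this hunk, add one next to the new blocks: `{{- if or (not .Values.node.settings.secret.name) (eq .Values.node.settings.secret.name "SET_IT") -}}` / `{{- $messages = append $messages "ERROR: node.settings.secret.name must be set to the name of the secret holding the node keys." -}}` / `{{- end -}}`. The remainder of the define is outside the hunk.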
@@ -124,7 +124,7 @@ spec:
- name: home-dir # This is needed so that the process has permissions to create files in the home directory
mountPath: /home
readOnly: false
- - name: keys-permission
+ - name: keys
image: busybox
command:
- "sh"
@@ -132,24 +132,16 @@ spec:
- |
set -ex
mkdir -p /keys-volume/keyring-test
- cp /keys/* /keys-volume/
- cp /address/* /keys-volume/keyring-test/
- cp /celes-key/* /keys-volume/keyring-test/
- printf "%s" "$(cat /celes-key/my_celes_key.info)" > /keys-volume/keyring-test/my_celes_key.info
- rm /keys-volume/my_celes_key.info
- chown -R {{ .Values.node.containerSecurityContext.runAsUser }}:{{ .Values.node.containerSecurityContext.runAsGroup }} /keys-volume/* /keys-volume/keyring-test/
- find /keys-volume/ -type f -exec chmod 0400 {} \;
+ cp /keys/NJ3XILLTMVRXEZLUFZVHO5A /keys-volume/
+ cp /keys/OAZHALLLMV4Q /keys-volume/
+ cp /keys/my_celes_key.info /keys-volume/keyring-test/
+ printf "%s" "$(cat /keys/address)" > /keys-volume/keyring-test/$(cat /keys/uid).address
+ chown -R {{ .Values.node.containerSecurityContext.runAsUser }}:{{ .Values.node.containerSecurityContext.runAsGroup }} /keys-volume/
+ find /keys-volume/ -type f -exec chmod 0600 {} \;
volumeMounts:
- name: keys
mountPath: /keys
readOnly: true
- - name: address
- mountPath: /address/{{ .Values.node.settings.node_id }}.address
- subPath: {{ .Values.node.settings.node_id }}.address
- readOnly: true
- - name: celes-key
- mountPath: /celes-key
- readOnly: true
- name: keys-volume
mountPath: /keys-volume
{{- if .Values.node.initContainers }}
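Review bot: The redirect target `/keys-volume/keyring-test/$(cat /keys/uid).address` in the new init script is unquoted and its command substitution is not covered by `set -e`: an empty or unreadable `uid` entry in the secret silently produces a file named `.address` (the printf still succeeds), and a value containing whitespace is word-split into a different path. Read the value first and fail explicitly: `uid=$(cat /keys/uid)` / `[ -n "$uid" ] || { echo "secret key uid is empty" >&2; exit 1; }` / `printf "%s" "$(cat /keys/address)" > "/keys-volume/keyring-test/${uid}.address"`. The `find ... -type f -exec chmod 0600` only touches files, so `/keys-volume/keyring-test` keeps whatever mode mkdir gave it under the init container's umask; if the keyring is meant to be private to runAsUser, add `find /keys-volume/ -type d -exec chmod 0700 {} \;` beside it. The change from 0400 to 0600 is not explained anywhere visible; a one-line comment such as `# 0600 rather than 0400: <reason the node must write to its key files>` would save the next reader from re-deriving it.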
@@ -351,18 +343,10 @@ spec:
path: OAZHALLLMV4Q
- key: my_celes_key_info
path: my_celes_key.info
- - name: address
- configMap:
- name: {{ template "common.names.fullname" . }}-address
- items:
- - key: {{ .Values.node.settings.node_id }}.address
- path: {{ .Values.node.settings.node_id }}.address
- - name: celes-key
- secret:
- secretName: {{ .Values.node.settings.secret.name }}
- items:
- - key: my_celes_key_info
- path: my_celes_key.info
+ - key: uid
+ path: uid
+ - key: address
+ path: address
- name: keys-volume
emptyDir: {}
- name: home-dir
diff --git a/charts/celestia-node/values.yaml b/charts/celestia-node/values.yaml
index c62f7ed..7b90a7a 100644
--- a/charts/celestia-node/values.yaml
+++ b/charts/celestia-node/values.yaml
@@ -118,22 +118,16 @@ node:
##
# -- home directory for the celestia-node, defaults to /home/celestia
home: "/home/celestia"
- ## @param node.settings.node_id Node ID for the celestia-node
- ##
- # -- node ID for the celestia-node, it must be set
- node_id: "SET_IT"
- ## @param node.settings.address Address for the celestia-node
- ##
- # -- address for the celestia-node, it must be set
- address: "SET_IT"
## @param node.settings.secret Secret for the celestia-node
##
## A secret must be available in the cluster with the following format:
## - name:
## - items:
+ ## - key: my_celes_key_info
+ ## - key: uid
+ ## - key: address
## - key: NJ3XILLTMVRXEZLUFZVHO5A
## - key: OAZHALLLMV4Q
- ## - key: my_celes_key_info
secret:
# -- name of the secret, it must be set
name: SET_IT
diff --git a/scripts/create_new_key_upload_1pass.sh b/scripts/create_new_key_upload_1pass.sh
index dc353e3..b0666e6 100755
--- a/scripts/create_new_key_upload_1pass.sh
+++ b/scripts/create_new_key_upload_1pass.sh
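Review bot: The added `uid` and `address` items make both keys mandatory on the Secret, which is the right failure mode, but the secret volume they belong to (its `- name:` / `secret:` header starts above this hunk) shows no `defaultMode`, so the projected files under /keys are created with the kubelet default mode before the init container re-copies and chmods them. If the busybox init container is the only consumer of that mount, `defaultMode: 0400` on the volume keeps the material out of reach of anything else that might mount it; this is a hardening suggestion only, and the volume header is outside the hunk so an existing setting there cannot be ruled out.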
@@ -24,19 +24,22 @@ NODE_CONTAINER_NAME="celestia-node-container-$(date +%s)"
# Start the celestia-node container with the specified version and keep it running
docker run -d --name $NODE_CONTAINER_NAME --entrypoint tail ghcr.io/celestiaorg/celestia-node:$CELESTIA_NODE_VERSION -f /dev/null
-# Execute the command in the celestia-node container
+# Execute the command in the celestia-node container to create a new key
+MNEMONIC=$(docker exec $NODE_CONTAINER_NAME cel-key mnemonic --node.type bridge 2>&1 >/dev/null)
+KEY_NAME="my_celes_key"
+docker exec -i $NODE_CONTAINER_NAME cel-key add $KEY_NAME --node.type bridge --recover --keyring-backend test --output json <<< "$MNEMONIC"
+
docker exec $NODE_CONTAINER_NAME celestia bridge init
docker exec $NODE_CONTAINER_NAME celestia bridge start
# Function to get keys from the running container and upload to 1password
upload_keys_to_1password() {
NJ=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/NJ3XILLTMVRXEZLUFZVHO5A)
- AA=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/OAZHALLLMV4Q)
- ADDR_ID=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | tr '.' '_')
- ADDR_IN=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | tr '.' '_')
+ OA=$(docker exec $NODE_CONTAINER_NAME cat /home/celestia/.celestia-bridge/keys/OAZHALLLMV4Q)
+ KEY_UID=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | cut -d '.' -f 1)
+ KEY_NAME=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | tr '.' 
'_')
ADDR=$(docker exec $NODE_CONTAINER_NAME bash -c "ls /home/celestia/.celestia-bridge/keys/keyring-test | grep address | xargs -I {} cat /home/celestia/.celestia-bridge/keys/keyring-test/{}")
ADDR_INFO=$(docker exec $NODE_CONTAINER_NAME bash -c "ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | xargs -I {} cat /home/celestia/.celestia-bridge/keys/keyring-test/{}")
- ADR_ID=$(echo $ADDR_ID | cut -d '_' -f 1)
read -p "Do you want to add the node to 1Pass? (y/n): " confirm
case $confirm in
@@ -46,11 +49,12 @@ upload_keys_to_1password() {
--category password \
--title "$SECRET_NAME" \
--vault $VAULT_NAME \
- "NJ3XILLTMVRXEZLUFZVHO5A=${NJ}" \
- "OAZHALLLMV4Q=${AA}" \
+ "mnemonic=${MNEMONIC}" \
+ "uid=${KEY_UID}" \
"address=${ADDR}" \
- "${ADDR_IN}=${ADDR_INFO}" \
+ "${KEY_NAME}=${ADDR_INFO}" \
+ "NJ3XILLTMVRXEZLUFZVHO5A=${NJ}" \
+ "OAZHALLLMV4Q=${OA}" \
--tags ${CHAIN},kubernetes
;;
*)
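Review bot: `KEY_NAME` is assigned twice with two different meanings in this hunk: the top-level `KEY_NAME="my_celes_key"` is the key name handed to `cel-key add`, while inside upload_keys_to_1password the unscoped `KEY_NAME=$(... | grep info | tr '.' '_')` overwrites that global with the info file's name (presumably `my_celes_key_info`) to serve as a 1Password field label. Give the inner one its own name and scope, e.g. `local INFO_FIELD; INFO_FIELD=$(docker exec $NODE_CONTAINER_NAME ls /home/celestia/.celestia-bridge/keys/keyring-test | grep info | tr '.' '_')`, and use `${INFO_FIELD}` where the upload later references `${KEY_NAME}`. `MNEMONIC=$(... 2>&1 >/dev/null)` captures only what `cel-key mnemonic` writes to stderr; if the image in use prints the phrase on stdout instead, the variable is empty and `cel-key add --recover` receives an empty stdin, so guard it before the add step with `[ -n "$MNEMONIC" ] || { echo "cel-key mnemonic produced no output" >&2; exit 1; }`. The function body continues past the end of the hunk.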
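Review bot: `"mnemonic=${MNEMONIC}"` creates the 1Password field as plain text, so the seed phrase, which alone is enough to regenerate the node key, is stored as a visible field next to the key files that the item already carried. Use the typed-field syntax of the op CLI so the field is concealed, `"mnemonic[password]=${MNEMONIC}"`, and do the same for `NJ3XILLTMVRXEZLUFZVHO5A` and `OAZHALLLMV4Q`; `uid` and `address` are public values and can stay as they are. Every one of these values is also passed as a command-line argument to the invocation that starts above this hunk, which any local process can read from the argument list for as long as op runs; if the installed op version supports item templates, feeding the fields through `--template` from a file you remove afterwards avoids that exposure.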