From 7b841e7ed14c7c7a833b1c981d738d4bbfcdd4f0 Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Mon, 19 Aug 2024 19:56:18 +0300 Subject: [PATCH 01/11] feat: add signer-proxy service --- Dockerfile.proxy | 12 ++++++++++++ docker-compose.yml | 28 ++++++++++++++++++++++++++++ opbatcher.env | 4 ++++ opproposer.env | 4 ++++ 4 files changed, 48 insertions(+) create mode 100644 Dockerfile.proxy diff --git a/Dockerfile.proxy b/Dockerfile.proxy new file mode 100644 index 0000000..5cebe7d --- /dev/null +++ b/Dockerfile.proxy @@ -0,0 +1,12 @@ +FROM rust:1.79 + +# Set the working directory inside the container +WORKDIR /app + +# Clone the repository and build the project +RUN git clone --branch debug --single-branch https://github.com/quertc/signer-proxy.git && \ + cd signer-proxy && \ + cargo build --release && \ + mv ./target/release/signer-proxy /app/ + +CMD ["/app/signer-proxy", "yubihsm", "-d", "0018951531", "-a", "4", "-p", "123", "serve"] diff --git a/docker-compose.yml b/docker-compose.yml index 84834ff..61fa654 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -51,6 +51,28 @@ services: - "host.docker.internal:host-gateway" profiles: ["celestia"] + signer-proxy: + user: root + build: + context: . + dockerfile: Dockerfile.proxy + command: ["/bin/bash", "-c", "/app/proxy.sh"] + env_file: + - .env + - signerproxy.env + expose: + - 3005 + healthcheck: + test: ["CMD-SHELL", "curl -f http://localhost:3005 || exit 1"] + interval: 30s + timeout: 10s + retries: 15 + stop_grace_period: 10m + restart: always + extra_hosts: + - "host.docker.internal:host-gateway" + profiles: ["signer-proxy"] + op-geth: build: context: . @@ -130,6 +152,9 @@ services: condition: service_healthy op-node: condition: service_healthy + signer-proxy: + condition: service_healthy + required: false env_file: - .env - paths.env 
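Review bot: The `CMD` line bakes what look like the YubiHSM auth key id and password (`-a 4 -p 123`) plus the device serial into the image, where anyone who can pull it reads them with `docker history` or `docker inspect`; these belong in runtime configuration (env_file or a secret), not in the Dockerfile, and they stay in git history even after a later patch removes this file. The build clones the mutable `debug` branch with no commit pin, so two builds of the same Dockerfile can yield different binaries — pin a tag or commit SHA and verify it after cloning. The `rust:1.79` toolchain image doubles as the runtime stage and no `USER` is set, so the proxy runs as root in a compiler-sized image; a second stage that copies only `target/release/signer-proxy` fixes both.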
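Review bot: `command` runs `/app/proxy.sh` and `env_file` lists `signerproxy.env`, but this commit creates neither (the Dockerfile copies only the binary into `/app`), so `docker compose up` with the `signer-proxy` profile fails before the container starts. `user: root` adds nothing, since the image sets no `USER` and already runs as root; if the HSM is reached over USB, the device should be mapped with a `devices:` entry rather than relying on root, and nothing here does that. The healthcheck assumes `curl` is present in the `rust:1.79` image, which nothing in this commit guarantees.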
@@ -157,6 +182,9 @@ services: condition: service_healthy op-node: condition: service_healthy + signer-proxy: + condition: service_healthy + required: false env_file: - .env - paths.env diff --git a/opbatcher.env b/opbatcher.env index d5b32af..d30d3ab 100644 --- a/opbatcher.env +++ b/opbatcher.env @@ -17,6 +17,10 @@ OP_BATCHER_PRIVATE_KEY=$BATCHER_PRIVATE_KEY OP_BATCHER_DA_RPC=celestia-da:26650 OP_BATCHER_BATCH_TYPE=${OP_BATCHER_BATCH_TYPE:-1} OP_BATCHER_DATA_AVAILABILITY_TYPE=calldata +OP_BATCHER_SIGNER_ENDPOINT=http://signer-proxy:3005/key/1 +OP_BATCHER_SIGNER_TLS_CA= +OP_BATCHER_SIGNER_TLS_CERT= +OP_BATCHER_SIGNER_TLS_KEY= OP_BATCHER_METRICS_ENABLED=true OP_BATCHER_METRICS_ADDR=0.0.0.0 diff --git a/opproposer.env b/opproposer.env index 6bb4f16..c425984 100644 --- a/opproposer.env +++ b/opproposer.env @@ -9,6 +9,10 @@ OP_PROPOSER_ROLLUP_RPC=http://op-node:8547 OP_PROPOSER_L2OO_ADDRESS=$L2OO_ADDRESS OP_PROPOSER_PRIVATE_KEY=$PROPOSER_PRIVATE_KEY OP_PROPOSER_L1_ETH_RPC=$L1_RPC_URL +OP_PROPOSER_SIGNER_ENDPOINT=http://signer-proxy:3005/key/2 +OP_PROPOSER_SIGNER_TLS_CA= +OP_PROPOSER_SIGNER_TLS_CERT= +OP_PROPOSER_SIGNER_TLS_KEY= OP_PROPOSER_METRICS_ENABLED=true OP_PROPOSER_METRICS_ADDR=0.0.0.0 From 452d432797b7a2e7517a3270c572906a7517ec22 Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Mon, 19 Aug 2024 20:07:04 +0300 Subject: [PATCH 02/11] fix: spaces --- docker-compose.yml | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 61fa654..af99ab1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -51,27 +51,26 @@ services: - "host.docker.internal:host-gateway" profiles: ["celestia"] - signer-proxy: - user: root - build: - context: . - dockerfile: Dockerfile.proxy - command: ["/bin/bash", "-c", "/app/proxy.sh"] - env_file: - - .env - - signerproxy.env - expose: - - 3005 - healthcheck: - test: ["CMD-SHELL", "curl -f http://localhost:3005 || exit 1"] - interval: 30s - timeout: 10s - retries: 15 - stop_grace_period: 10m - restart: always - extra_hosts: - - "host.docker.internal:host-gateway" - profiles: ["signer-proxy"] + signer-proxy: + build: + context: . + dockerfile: Dockerfile.proxy + command: ["/bin/bash", "-c", "/app/proxy.sh"] + env_file: + - .env + - signerproxy.env + expose: + - 3005 + healthcheck: + test: ["CMD-SHELL", "curl -f http://localhost:3005 || exit 1"] + interval: 30s + timeout: 10s + retries: 15 + stop_grace_period: 10m + restart: always + extra_hosts: + - "host.docker.internal:host-gateway" + profiles: ["signer-proxy"] op-geth: build: From b5cff60b53af6fc1c6c9c78bc2ea6b49d730ab7d Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Mon, 19 Aug 2024 20:15:23 +0300 Subject: [PATCH 03/11] fix: rm extra env and cmd --- docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index af99ab1..1a50749 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -55,10 +55,8 @@ services: build: context: . dockerfile: Dockerfile.proxy - command: ["/bin/bash", "-c", "/app/proxy.sh"] env_file: - .env - - signerproxy.env expose: - 3005 healthcheck: From 42f658224ed5174a522f1011ecc81274a62a67b8 Mon Sep 17 00:00:00 2001 
From: Artem <48246993+quertc@users.noreply.github.com> Date: Thu, 22 Aug 2024 16:38:20 +0300 Subject: [PATCH 04/11] feat: improve signer-proxy service --- .env.example | 5 ++++- Dockerfile.proxy | 12 ----------- Dockerfile.signer-proxy | 18 ++++++++++++++++ docker-compose.yml | 14 +++++++------ run | 3 ++- signer-proxy.env | 46 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 78 insertions(+), 20 deletions(-) delete mode 100644 Dockerfile.proxy create mode 100644 Dockerfile.signer-proxy create mode 100644 signer-proxy.env diff --git a/.env.example b/.env.example index 2d18a8b..22e0680 100644 --- a/.env.example +++ b/.env.example @@ -8,9 +8,12 @@ SKIP_DEPLOYMENT_CHECK=false # SEQUENCER_MODE: 'true' enables sequencer, runs op-batcher/op-proposer; 'false' disables them. Default: true. SEQUENCER_MODE=true -# CELESTIA_MODE: 'true' runs celestia-da service; 'false' disables it. Default: true. +# CELESTIA_MODE: 'true' runs celestia-da service; 'false' disables it. Default: false. CELESTIA_MODE=false +# SIGNER_PROXY: 'true' runs signer-proxy service; 'false' disables it. Default: false. +SIGNER_PROXY=false + ################################################## # Cloning Configuration # ################################################## diff --git a/Dockerfile.proxy b/Dockerfile.proxy deleted file mode 100644 index 5cebe7d..0000000 --- a/Dockerfile.proxy +++ /dev/null @@ -1,12 +0,0 @@ -FROM rust:1.79 - -# Set the working directory inside the container -WORKDIR /app - -# Clone the repository and build the project -RUN git clone --branch debug --single-branch https://github.com/quertc/signer-proxy.git && \ - cd signer-proxy && \ - cargo build --release && \ - mv ./target/release/signer-proxy /app/ - -CMD ["/app/signer-proxy", "yubihsm", "-d", "0018951531", "-a", "4", "-p", "123", "serve"] diff --git a/Dockerfile.signer-proxy b/Dockerfile.signer-proxy new file mode 100644 index 0000000..2971848 --- /dev/null +++ b/Dockerfile.signer-proxy 
@@ -0,0 +1,18 @@ +FROM rust:1.80.1 as builder + +ARG REPO_URL +ARG TAG + +WORKDIR /app + +RUN git clone -b ${TAG} --depth 1 ${REPO_URL} . && \ + cargo build --release --no-default-features + +FROM debian:buster-slim + +WORKDIR /app + +COPY --from=builder /app/target/release/signer-proxy /usr/local/bin/signer-proxy + +CMD ["signer-proxy", "${SIGNER_MODE:-yubihsm}", "serve"] + diff --git a/docker-compose.yml b/docker-compose.yml index 1a50749..bc94d16 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -54,20 +54,22 @@ services: signer-proxy: build: context: . - dockerfile: Dockerfile.proxy + dockerfile: Dockerfile.signer-proxy + args: + REPO_URL: https://github.com/quertc/signer-proxy.git + TAG: v1.0.0-rc.1 env_file: - .env + - signer-proxy.env expose: - - 3005 + - 4000 healthcheck: - test: ["CMD-SHELL", "curl -f http://localhost:3005 || exit 1"] + test: ["CMD-SHELL", "curl -f http://localhost:4000 || exit 1"] interval: 30s timeout: 10s - retries: 15 + retries: 5 stop_grace_period: 10m restart: always - extra_hosts: - - "host.docker.internal:host-gateway" profiles: ["signer-proxy"] op-geth: diff --git a/run b/run index 36380ca..2eddbcd 100755 --- a/run +++ b/run @@ -36,6 +36,7 @@ command="docker compose" # Add profiles based on SEQUENCER_MODE and Celestia support [ "$SEQUENCER_MODE" = "true" ] && command+=" --profile sequencer" [ "$CELESTIA_MODE" = "true" ] && command+=" --profile celestia" +[ "$SIGNER_PROXY" = "true" ] && command+=" --profile signer-proxy" if [ "$SKIP_DEPLOYMENT_CHECK" = "true" ]; then echo -e "${ORANGE}NOTE${NC}: Only genesis.json and rollup.json will be checked (SKIP_DEPLOYMENT_CHECK=$SKIP_DEPLOYMENT_CHECK)." 
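Review bot: The exec-form `CMD ["signer-proxy", "${SIGNER_MODE:-yubihsm}", "serve"]` does no shell expansion, so the proxy receives the literal text `${SIGNER_MODE:-yubihsm}` as its mode argument; either hard-code the mode or go through a shell with `exec`, e.g. `CMD ["sh", "-c", "exec signer-proxy \"${SIGNER_PROXY_MODE:-yubihsm}\" serve"]` (the variable that signer-proxy.env defines is `SIGNER_PROXY_MODE`, not `SIGNER_MODE`). The runtime stage `debian:buster-slim` is two Debian releases behind the bookworm-based `rust:1.80.1` builder, so the binary will likely fail at startup with a glibc version error, and buster no longer receives security updates — use the builder's release. `git clone -b ${TAG} --depth 1 ${REPO_URL}` trusts a mutable tag from a build-arg URL and records nothing, so the image content is not reproducible; pin a commit SHA or compare `git rev-parse HEAD` against an expected value after cloning. The final stage sets no `USER`, and `as builder` should read `AS builder` to match the other uppercase instructions.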
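Review bot: The healthcheck runs `curl`, but the new final stage is a bare `debian:buster-slim` with nothing installed, so the probe fails on every interval and the `condition: service_healthy` dependency in op-batcher/op-proposer is never met. Install a probe tool in the Dockerfile's final stage or have the binary expose a self-check. Removing `extra_hosts` is fine for http mode, but with the default `YUBIHSM_MODE=usb` from signer-proxy.env the container needs the HSM device mapped via `devices:`, which this service definition does not provide — confirm usb mode works in-container or document http mode through a host-side connector as the supported path.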
@@ -49,7 +50,7 @@ fi command+=" up --build -d" # Confirm before running the command -echo -ne "About to run: ${BLUE}$command${NC} (SEQUENCER_MODE: $SEQUENCER_MODE, CELESTIA_MODE: $CELESTIA_MODE). Do you want to continue? (yes/no): " +echo -ne "About to run: ${BLUE}$command${NC} (SEQUENCER_MODE: $SEQUENCER_MODE, CELESTIA_MODE: $CELESTIA_MODE, SIGNER_PROXY: $SIGNER_PROXY). Do you want to continue? (yes/no): " read -r confirm if [[ "$confirm" =~ ^(yes|y)$ ]]; then eval "$command" diff --git a/signer-proxy.env b/signer-proxy.env new file mode 100644 index 0000000..9137e88 --- /dev/null +++ b/signer-proxy.env 
@@ -0,0 +1,46 @@
+###############################################################################
+# SIGNER PROXY CONFIGURATION #
+###############################################################################
+
+# Operational mode for the signer proxy: "yubihsm" or "aws-kms"
+SIGNER_PROXY_MODE=yubihsm
+
+###############################################################################
+# ↓ YUBIHSM MODE ↓ #
+###############################################################################
+
+# Connection mode for YubiHSM: "usb" or "http"
+YUBIHSM_MODE=usb
+
+# ---------------------------------------------------------------------------
+# Required YubiHSM Settings (for both "usb" and "http" modes)
+# ---------------------------------------------------------------------------
+
+# YubiHSM authentication key ID
+YUBIHSM_AUTH_KEY_ID=
+
+# YubiHSM authentication key password
+YUBIHSM_PASSWORD=
+
+# ---------------------------------------------------------------------------
+# USB Mode Settings (only required for "usb" mode)
+# ---------------------------------------------------------------------------
+
+# YubiHSM device serial ID
+YUBIHSM_DEVICE_SERIAL_ID=
+
+# ---------------------------------------------------------------------------
+# HTTP Mode Settings (only required for "http" mode)
+# ---------------------------------------------------------------------------
+
+# YubiHSM HTTP address
+YUBIHSM_HTTP_ADDRESS=
+
+# YubiHSM HTTP port
+YUBIHSM_HTTP_PORT=
+
+###############################################################################
+# ↓ AWS-KMS MODE ↓ #
+###############################################################################
+
+# UNDER WORK
From 4c179034f5d3a8fceda007c640b07ee8fc8bfcf5 Mon Sep 17 00:00:00 2001
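Review bot: `YUBIHSM_PASSWORD=` and `YUBIHSM_AUTH_KEY_ID=` are the HSM authentication credentials, kept as plain text in a tracked file that compose loads via `env_file`; once filled in they sit in the working tree (one `git add` from being committed) and in the container environment, readable via `docker inspect`. Follow the `.env.example` convention this repo already uses — commit a `signer-proxy.env.example` and ignore the real file — or pass the password as a compose secret; at minimum add `# Do not commit this file once the credentials are filled in` above `YUBIHSM_PASSWORD=`.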
From: Artem <48246993+quertc@users.noreply.github.com> Date: Thu, 22 Aug 2024 16:42:49 +0300 Subject: [PATCH 05/11] chore: add OP_BATCHER_SIGNER_ADDRESS, OP_PROPOSER_SIGNER_ADDRESS --- opbatcher.env | 3 ++- opproposer.env | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/opbatcher.env b/opbatcher.env index d30d3ab..77766f2 100644 --- a/opbatcher.env +++ b/opbatcher.env @@ -17,7 +17,8 @@ OP_BATCHER_PRIVATE_KEY=$BATCHER_PRIVATE_KEY OP_BATCHER_DA_RPC=celestia-da:26650 OP_BATCHER_BATCH_TYPE=${OP_BATCHER_BATCH_TYPE:-1} OP_BATCHER_DATA_AVAILABILITY_TYPE=calldata -OP_BATCHER_SIGNER_ENDPOINT=http://signer-proxy:3005/key/1 +OP_BATCHER_SIGNER_ADDRESS=0x1 +OP_BATCHER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/1 OP_BATCHER_SIGNER_TLS_CA= OP_BATCHER_SIGNER_TLS_CERT= OP_BATCHER_SIGNER_TLS_KEY= diff --git a/opproposer.env b/opproposer.env index c425984..14d870a 100644 --- a/opproposer.env +++ b/opproposer.env @@ -9,7 +9,8 @@ OP_PROPOSER_ROLLUP_RPC=http://op-node:8547 OP_PROPOSER_L2OO_ADDRESS=$L2OO_ADDRESS OP_PROPOSER_PRIVATE_KEY=$PROPOSER_PRIVATE_KEY OP_PROPOSER_L1_ETH_RPC=$L1_RPC_URL -OP_PROPOSER_SIGNER_ENDPOINT=http://signer-proxy:3005/key/2 +OP_PROPOSER_SIGNER_ADDRESS=0x2 +OP_PROPOSER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/2 OP_PROPOSER_SIGNER_TLS_CA= OP_PROPOSER_SIGNER_TLS_CERT= OP_PROPOSER_SIGNER_TLS_KEY= From d6fe5f31d3defc070ef16ab0d56cb4e926fe6d97 Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Fri, 23 Aug 2024 22:23:27 +0300 Subject: [PATCH 06/11] fix: signer proxy dockerfile & update version --- Dockerfile.signer-proxy | 7 ++++--- docker-compose.yml | 4 ++-- signer-proxy.env | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Dockerfile.signer-proxy b/Dockerfile.signer-proxy index 2971848..5d0f8d8 100644 --- a/Dockerfile.signer-proxy +++ b/Dockerfile.signer-proxy 
@@ -8,11 +8,12 @@ WORKDIR /app RUN git clone -b ${TAG} --depth 1 ${REPO_URL} . && \ cargo build --release --no-default-features -FROM debian:buster-slim +FROM debian:bookworm-slim WORKDIR /app -COPY --from=builder /app/target/release/signer-proxy /usr/local/bin/signer-proxy +RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* -CMD ["signer-proxy", "${SIGNER_MODE:-yubihsm}", "serve"] +COPY --from=builder /app/target/release/signer-proxy /usr/local/bin/signer-proxy +CMD ["sh", "-c", "signer-proxy ${SIGNER_PROXY_MODE} serve"] diff --git a/docker-compose.yml b/docker-compose.yml index bc94d16..c92b076 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -57,14 +57,14 @@ services: dockerfile: Dockerfile.signer-proxy args: REPO_URL: https://github.com/quertc/signer-proxy.git - TAG: v1.0.0-rc.1 + TAG: v1.0.0-rc.7 env_file: - .env - signer-proxy.env expose: - 4000 healthcheck: - test: ["CMD-SHELL", "curl -f http://localhost:4000 || exit 1"] + test: ["CMD-SHELL", "curl -f http://localhost:4000/ping || exit 1"] interval: 30s timeout: 10s retries: 5 diff --git a/signer-proxy.env b/signer-proxy.env index 9137e88..76b52da 100644 --- a/signer-proxy.env +++ b/signer-proxy.env @@ -34,10 +34,10 @@ YUBIHSM_DEVICE_SERIAL_ID= # --------------------------------------------------------------------------- # YubiHSM HTTP address -YUBIHSM_HTTP_ADDRESS= +# YUBIHSM_HTTP_ADDRESS= # YubiHSM HTTP port -YUBIHSM_HTTP_PORT= +# YUBIHSM_HTTP_PORT= ############################################################################### # ↓ AWS-KMS MODE ↓ # From f18488b643460f0098e1a4e893ced08fe5ee9bd3 Mon Sep 17 00:00:00 2001 
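Review bot: `CMD ["sh", "-c", "signer-proxy ${SIGNER_PROXY_MODE} serve"]` likely leaves `sh` as PID 1 with the proxy as a child (Debian's dash does not exec a trailing command the way bash does), so `docker stop` signals the shell, the proxy never sees SIGTERM, and the container only ends when the `stop_grace_period: 10m` from docker-compose.yml expires and it is killed. Prefix with `exec` and quote the variable so an empty or multi-word mode is not silently re-split: `CMD ["sh", "-c", "exec signer-proxy \"${SIGNER_PROXY_MODE}\" serve"]`. The new `apt-get install -y curl` should carry `--no-install-recommends` to keep the runtime stage small.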
From: Artem <48246993+quertc@users.noreply.github.com> Date: Fri, 23 Aug 2024 23:15:48 +0300 Subject: [PATCH 07/11] feat: function for receive signer address --- Dockerfile.services | 1 + Dockerfile.signer-proxy | 5 ++++- docker-compose.yml | 2 ++ entrypoints/op-batcher.sh | 19 +++++++++++++++++++ entrypoints/op-proposer.sh | 19 +++++++++++++++++++ opbatcher.env | 14 +++++++++----- opproposer.env | 14 +++++++++----- scripts/signer-proxy.sh | 14 ++++++++++++++ scripts/utils.sh | 16 ++++++++++++++++ signer-proxy.env | 6 ++++++ 10 files changed, 99 insertions(+), 11 deletions(-) create mode 100644 scripts/signer-proxy.sh diff --git a/Dockerfile.services b/Dockerfile.services index 2b888a0..d39fdf4 100644 --- a/Dockerfile.services +++ b/Dockerfile.services @@ -21,6 +21,7 @@ RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2 # Define work directory WORKDIR /app +COPY scripts/utils.sh /app/utils.sh COPY ./entrypoints/${ENTRYPOINT_SCRIPT} /app/entrypoint.sh RUN chmod +x /app/entrypoint.sh diff --git a/Dockerfile.signer-proxy b/Dockerfile.signer-proxy index 5d0f8d8..9edba2b 100644 --- a/Dockerfile.signer-proxy +++ b/Dockerfile.signer-proxy @@ -16,4 +16,7 @@ RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* COPY --from=builder /app/target/release/signer-proxy /usr/local/bin/signer-proxy -CMD ["sh", "-c", "signer-proxy ${SIGNER_PROXY_MODE} serve"] +COPY ./entrypoints/signer-proxy.sh /app/entrypoint.sh +RUN chmod +x /app/entrypoint.sh + +ENTRYPOINT ["/app/entrypoint.sh"] diff --git a/docker-compose.yml b/docker-compose.yml index c92b076..dc8fd28 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -157,6 +157,7 @@ services: env_file: - .env - paths.env + - signer-proxy.env - opbatcher.env ports: - "8548:8548" @@ -187,6 +188,7 @@ services: env_file: - .env - paths.env + - signer-proxy.env - opproposer.env ports: - "8560:8560" 
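Review bot: `COPY ./entrypoints/signer-proxy.sh /app/entrypoint.sh` names a path this commit does not create — the diffstat adds the script as `scripts/signer-proxy.sh` — so the image build fails at this commit and only works after the rename in the following patch; add the file where the Dockerfile expects it. `RUN chmod +x` after `COPY` adds a layer that duplicates the file; `COPY --chmod=755 ./entrypoints/signer-proxy.sh /app/entrypoint.sh` does both at once. The final stage still sets no `USER`, so the entrypoint and the proxy run as root.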
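Review bot: Adding `signer-proxy.env` to op-batcher's `env_file` (and op-proposer's in the second hunk) injects the HSM credentials — `YUBIHSM_AUTH_KEY_ID`, `YUBIHSM_PASSWORD`, and whatever the AWS-KMS section later holds — into two containers that only need their own `OP_*_SIGNER_KEY_ID`; delegating signing to a proxy is meant to keep exactly that material out of them. Move `OP_BATCHER_SIGNER_KEY_ID` and `OP_PROPOSER_SIGNER_KEY_ID` into `opbatcher.env`/`opproposer.env` (or a small shared file holding only key ids) and drop `- signer-proxy.env` from both services.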
diff --git a/entrypoints/op-batcher.sh b/entrypoints/op-batcher.sh index 2be6a13..81599aa 100644 --- a/entrypoints/op-batcher.sh +++ b/entrypoints/op-batcher.sh @@ -1,5 +1,24 @@ #!/bin/sh +# Check if SIGNER_PROXY environment variable is set to false +if [ "$SIGNER_PROXY" != "true" ]; then + unset OP_BATCHER_SIGNER_ENDPOINT + unset OP_BATCHER_SIGNER_TLS_CA + unset OP_BATCHER_SIGNER_TLS_CERT + unset OP_BATCHER_SIGNER_TLS_KEY +else + # shellcheck disable=SC1091 + . /app/utils.sh + + batcher_address=$(get_address "$OP_BATCHER_SIGNER_ENDPOINT") + if [ -z "$OP_BATCHER_SIGNER_ADDRESS" ]; then + export OP_BATCHER_SIGNER_ADDRESS=$batcher_address + elif [ "$OP_BATCHER_SIGNER_ADDRESS" != "$batcher_address" ]; then + echo "Error: OP_BATCHER_SIGNER_ADDRESS does not match the fetched address." + exit 1 + fi +fi + # Check if OP_BATCHER_PRIVATE_KEY environment variable is set if [ -z "$OP_BATCHER_PRIVATE_KEY" ]; then echo "OP_BATCHER_PRIVATE_KEY are missing, fetching from AWS Secrets Manager..." diff --git a/entrypoints/op-proposer.sh b/entrypoints/op-proposer.sh index a5e33f2..3903e24 100644 --- a/entrypoints/op-proposer.sh +++ b/entrypoints/op-proposer.sh 
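Review bot: The private-key path that follows this hunk (the `OP_BATCHER_PRIVATE_KEY` check and the Secrets Manager fetch, outside the hunk) still runs when `SIGNER_PROXY=true`, so the batcher container keeps pulling the raw key into its environment even though signing is delegated, and `opbatcher.env` still sets `OP_BATCHER_PRIVATE_KEY=$BATCHER_PRIVATE_KEY`; the `else` branch should `unset OP_BATCHER_PRIVATE_KEY` and skip the fetch (op-batcher may also refuse a private key and a signer endpoint together — worth confirming). `[ "$OP_BATCHER_SIGNER_ADDRESS" != "$batcher_address" ]` compares case-sensitively, so a checksummed address in the env against a lowercase one from the proxy aborts startup; lowercase both with `tr '[:upper:]' '[:lower:]'` before comparing. The script is still `#!/bin/sh` here while the sourced `get_address` is declared with bash's `function` keyword, which dash rejects; a later patch switches the shebang. The same points apply to the op-proposer.sh hunk.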
@@ -1,5 +1,24 @@ #!/bin/sh +# Check if SIGNER_PROXY environment variable is set to false +if [ "$SIGNER_PROXY" != "true" ]; then + unset OP_PROPOSER_SIGNER_ENDPOINT + unset OP_PROPOSER_SIGNER_TLS_CA + unset OP_PROPOSER_SIGNER_TLS_CERT + unset OP_PROPOSER_SIGNER_TLS_KEY +else + # shellcheck disable=SC1091 + . /app/utils.sh + + proposer_address=$(get_address "$OP_PROPOSER_SIGNER_ENDPOINT") + if [ -z "$OP_PROPOSER_SIGNER_ADDRESS" ]; then + export OP_PROPOSER_SIGNER_ADDRESS="$proposer_address" + elif [ "$OP_PROPOSER_SIGNER_ADDRESS" != "$proposer_address" ]; then + echo "Error: OP_PROPOSER_SIGNER_ADDRESS does not match the fetched address." + exit 1 + fi +fi + # Check if OP_PROPOSER_PRIVATE_KEY environment variable is set if [ -z "$OP_PROPOSER_PRIVATE_KEY" ]; then echo "OP_PROPOSER_PRIVATE_KEY are missing, fetching from AWS Secrets Manager..." diff --git a/opbatcher.env b/opbatcher.env index 77766f2..48a2be6 100644 --- a/opbatcher.env +++ b/opbatcher.env @@ -17,12 +17,16 @@ OP_BATCHER_PRIVATE_KEY=$BATCHER_PRIVATE_KEY OP_BATCHER_DA_RPC=celestia-da:26650 OP_BATCHER_BATCH_TYPE=${OP_BATCHER_BATCH_TYPE:-1} OP_BATCHER_DATA_AVAILABILITY_TYPE=calldata -OP_BATCHER_SIGNER_ADDRESS=0x1 -OP_BATCHER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/1 -OP_BATCHER_SIGNER_TLS_CA= -OP_BATCHER_SIGNER_TLS_CERT= -OP_BATCHER_SIGNER_TLS_KEY= OP_BATCHER_METRICS_ENABLED=true OP_BATCHER_METRICS_ADDR=0.0.0.0 OP_BATCHER_METRICS_PORT=7301 + +# --------------------------------------------------------------------------- +# Signer proxy service configuration +# --------------------------------------------------------------------------- + +OP_BATCHER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/$OP_BATCHER_SIGNER_KEY_ID # You can safely omit OP_BATCHER_SIGNER_ADDRESS +OP_BATCHER_SIGNER_TLS_CA= +OP_BATCHER_SIGNER_TLS_CERT= +OP_BATCHER_SIGNER_TLS_KEY= diff --git a/opproposer.env b/opproposer.env index 14d870a..5380d67 100644 --- a/opproposer.env +++ b/opproposer.env 
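Review bot: The trailing comment `# You can safely omit OP_BATCHER_SIGNER_ADDRESS` sits on the `OP_BATCHER_SIGNER_ENDPOINT` line and understates the variable: when set, entrypoints/op-batcher.sh compares it with the address the proxy reports and refuses to start on mismatch, which is the only check that the proxy is serving the expected key. Give it its own line and say so: `# OP_BATCHER_SIGNER_ADDRESS is optional; when set, startup fails if the proxy reports a different address (recommended for production)`. The endpoint is plain `http://` with all three `OP_BATCHER_SIGNER_TLS_*` values empty, so signing requests cross the compose network unauthenticated and unencrypted; if the proxy can terminate TLS, document how to populate these, otherwise state that the compose network is the trust boundary. The opproposer.env hunk has the same two issues.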
@@ -9,12 +9,16 @@ OP_PROPOSER_ROLLUP_RPC=http://op-node:8547 OP_PROPOSER_L2OO_ADDRESS=$L2OO_ADDRESS OP_PROPOSER_PRIVATE_KEY=$PROPOSER_PRIVATE_KEY OP_PROPOSER_L1_ETH_RPC=$L1_RPC_URL -OP_PROPOSER_SIGNER_ADDRESS=0x2 -OP_PROPOSER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/2 -OP_PROPOSER_SIGNER_TLS_CA= -OP_PROPOSER_SIGNER_TLS_CERT= -OP_PROPOSER_SIGNER_TLS_KEY= OP_PROPOSER_METRICS_ENABLED=true OP_PROPOSER_METRICS_ADDR=0.0.0.0 OP_PROPOSER_METRICS_PORT=7302 + +# --------------------------------------------------------------------------- +# Signer proxy service configuration +# --------------------------------------------------------------------------- + +OP_PROPOSER_SIGNER_ENDPOINT=http://signer-proxy:4000/key/$OP_PROPOSER_SIGNER_KEY_ID # You can safely omit OP_PROPOSER_SIGNER_ADDRESS +OP_PROPOSER_SIGNER_TLS_CA= +OP_PROPOSER_SIGNER_TLS_CERT= +OP_PROPOSER_SIGNER_TLS_KEY= diff --git a/scripts/signer-proxy.sh b/scripts/signer-proxy.sh new file mode 100644 index 0000000..9907cd5 --- /dev/null +++ b/scripts/signer-proxy.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +reqenv() { + if [ -z "${!1}" ]; then + echo "Error: environment variable '$1' is undefined" + exit 1 + fi +} + +reqenv "SIGNER_PROXY_MODE" +reqenv "OP_BATCHER_SIGNER_KEY_ID" +reqenv "OP_PROPOSER_SIGNER_KEY_ID" + +exec signer-proxy "${SIGNER_PROXY_MODE}" serve diff --git a/scripts/utils.sh b/scripts/utils.sh index 7878b9f..8803334 100644 --- a/scripts/utils.sh +++ b/scripts/utils.sh @@ -20,3 +20,19 @@ derive_and_check() { export "$addr_var_name"="$derived_address" fi } + +function get_address() { + local endpoint=$1 + local response + response=$(curl -s "${endpoint}/address") + + local address + address=$(echo "$response" | jq -r '.address') + + if [ -z "$address" ]; then + echo "Error: Unable to fetch address from ${endpoint}/address" + exit 1 + fi + + echo "$address" +} diff --git a/signer-proxy.env b/signer-proxy.env index 76b52da..529e3c0 100644 --- a/signer-proxy.env +++ b/signer-proxy.env 
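Review bot: `reqenv` demands `OP_BATCHER_SIGNER_KEY_ID` and `OP_PROPOSER_SIGNER_KEY_ID`, which this process never uses (they only build the op-batcher/op-proposer endpoint URLs), while the variables the proxy presumably needs in the default mode — `YUBIHSM_AUTH_KEY_ID`, `YUBIHSM_PASSWORD`, and `YUBIHSM_DEVICE_SERIAL_ID` for usb — go unchecked, so a missing password surfaces only as a runtime failure from the binary. Check the mode-specific variables instead, e.g. `case "$SIGNER_PROXY_MODE" in yubihsm) reqenv YUBIHSM_AUTH_KEY_ID; reqenv YUBIHSM_PASSWORD ;; esac`. A header comment stating that this script is the image entrypoint and only validates configuration before `exec`ing the proxy would help the next reader.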
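Review bot: `get_address` cannot tell a failed request from a good one: `curl -s` has neither `--fail` nor `--max-time`, so an HTTP error body is piped into `jq`, and `jq -r '.address'` prints the literal string `null` when the key is absent, which passes the `-z` test and is then exported as the signer address. Use `response=$(curl -sSf --max-time 10 "${endpoint}/address") || { echo "Error: ${endpoint}/address unreachable"; exit 1; }` and widen the test to `if [ -z "$address" ] || [ "$address" = "null" ]; then`. The function also assumes `jq` exists in the op-batcher/op-proposer image, which nothing in this series installs — worth confirming against Dockerfile.services. `derive_and_check` above the added lines starts outside the hunk.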
@@ -5,6 +5,12 @@ # Operational mode for the signer proxy: "yubihsm" or "aws-kms" SIGNER_PROXY_MODE=yubihsm +# Key id used for op-batcher +OP_BATCHER_SIGNER_KEY_ID= + +# Key id used for op-proposer +OP_PROPOSER_SIGNER_KEY_ID= + ############################################################################### # ↓ YUBIHSM MODE ↓ # ############################################################################### From c219716738ec85399da95f8882ec7ed97acc3112 Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Fri, 23 Aug 2024 23:21:52 +0300 Subject: [PATCH 08/11] fix: mv signer-proxy.sh and improve run script --- {scripts => entrypoints}/signer-proxy.sh | 0 run | 7 +++++-- 2 files changed, 5 insertions(+), 2 deletions(-) rename {scripts => entrypoints}/signer-proxy.sh (100%) diff --git a/scripts/signer-proxy.sh b/entrypoints/signer-proxy.sh similarity index 100% rename from scripts/signer-proxy.sh rename to entrypoints/signer-proxy.sh diff --git a/run b/run index 2eddbcd..e6169d2 100755 --- a/run +++ b/run @@ -33,10 +33,13 @@ source .env # Initialize the command command="docker compose" -# Add profiles based on SEQUENCER_MODE and Celestia support +# Add profiles based on SEQUENCER_MODE, SIGNER_PROXY and Celestia support [ "$SEQUENCER_MODE" = "true" ] && command+=" --profile sequencer" [ "$CELESTIA_MODE" = "true" ] && command+=" --profile celestia" -[ "$SIGNER_PROXY" = "true" ] && command+=" --profile signer-proxy" + +if [ "$SEQUENCER_MODE" = "true" ] && [ "$SIGNER_PROXY" = "true" ]; then + command+=" --profile signer-proxy" +fi if [ "$SKIP_DEPLOYMENT_CHECK" = "true" ]; then echo -e "${ORANGE}NOTE${NC}: Only genesis.json and rollup.json will be checked (SKIP_DEPLOYMENT_CHECK=$SKIP_DEPLOYMENT_CHECK)." From acd71d75d547e1602a4a0071078c6a9cd3eb2c00 Mon Sep 17 00:00:00 2001 
From: Artem <48246993+quertc@users.noreply.github.com> Date: Fri, 23 Aug 2024 23:36:01 +0300 Subject: [PATCH 09/11] fix: bash instead sh --- entrypoints/op-batcher.sh | 2 +- entrypoints/op-geth.sh | 2 +- entrypoints/op-node.sh | 2 +- entrypoints/op-proposer.sh | 2 +- scripts/utils.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/entrypoints/op-batcher.sh b/entrypoints/op-batcher.sh index 81599aa..3da2813 100644 --- a/entrypoints/op-batcher.sh +++ b/entrypoints/op-batcher.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # Check if SIGNER_PROXY environment variable is set to false if [ "$SIGNER_PROXY" != "true" ]; then diff --git a/entrypoints/op-geth.sh b/entrypoints/op-geth.sh index 9b511d4..630b569 100644 --- a/entrypoints/op-geth.sh +++ b/entrypoints/op-geth.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # Initialize op-geth if datadir is empty if [ -d "$DATADIR_DIR" ] && [ -z "$(ls -A "$DATADIR_DIR")" ]; then diff --git a/entrypoints/op-node.sh b/entrypoints/op-node.sh index b54b27a..afbb37e 100644 --- a/entrypoints/op-node.sh +++ b/entrypoints/op-node.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # Check if SEQUENCER_MODE environment variable is set to false if [ "$SEQUENCER_MODE" != "true" ]; then diff --git a/entrypoints/op-proposer.sh b/entrypoints/op-proposer.sh index 3903e24..2149b9c 100644 --- a/entrypoints/op-proposer.sh +++ b/entrypoints/op-proposer.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # Check if SIGNER_PROXY environment variable is set to false if [ "$SIGNER_PROXY" != "true" ]; then diff --git a/scripts/utils.sh b/scripts/utils.sh index 8803334..6795a49 100644 --- a/scripts/utils.sh +++ b/scripts/utils.sh @@ -21,7 +21,7 @@ derive_and_check() { fi } -function get_address() { +get_address() { local endpoint=$1 local response response=$(curl -s "${endpoint}/address") From 5eb59038d7aa6b41199e5b3f5cbdd278b0101762 Mon Sep 17 00:00:00 2001 
From: Artem <48246993+quertc@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:03:06 +0300 Subject: [PATCH 10/11] feat: change signer-proxy version --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index dc8fd28..0f1d624 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -57,7 +57,7 @@ services: dockerfile: Dockerfile.signer-proxy args: REPO_URL: https://github.com/quertc/signer-proxy.git - TAG: v1.0.0-rc.7 + TAG: v1.0.0-rc.1 env_file: - .env - signer-proxy.env From 605b40e1b65d685afc35fafc62f07b3c286ada67 Mon Sep 17 00:00:00 2001 From: Artem <48246993+quertc@users.noreply.github.com> Date: Tue, 3 Sep 2024 16:03:13 +0300 Subject: [PATCH 11/11] chore: add aws kms vars --- signer-proxy.env | 3 +++ 1 file changed, 3 insertions(+) diff --git a/signer-proxy.env b/signer-proxy.env index 529e3c0..74639cc 100644 --- a/signer-proxy.env +++ b/signer-proxy.env @@ -50,3 +50,6 @@ YUBIHSM_DEVICE_SERIAL_ID= ############################################################################### # UNDER WORK +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +AWS_REGION=
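Review bot: `AWS_ACCESS_KEY_ID=` / `AWS_SECRET_ACCESS_KEY=` put long-lived static IAM credentials in a tracked env file, and because `signer-proxy.env` is also listed in op-batcher's and op-proposer's `env_file`, they are injected into those containers too, where the AWS SDK will take them ahead of any instance or task role the existing Secrets Manager fetch in their entrypoints relies on. Keep AWS-KMS credentials off the batcher/proposer services and prefer a role (instance profile, IRSA, or `credential_process`) over static keys; if static keys are unavoidable, scope their policy to `kms:Sign` and `kms:GetPublicKey` on the specific key ARNs. The `# UNDER WORK` line now sits above real variables and should describe them: `# AWS credentials for aws-kms mode (prefer an IAM role over static keys)`.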