oxheadalpha · nicolasochem · Nov 6, 2023 · Oct 23, 2023 · Oct 25, 2023 · Oct 25, 2023
diff --git a/charts/tezos/scripts/remote-signer.sh b/charts/tezos/scripts/remote-signer.sh
@@ -6,7 +6,11 @@ CLIENT_DIR="$TEZ_VAR/client"
 NODE_DIR="$TEZ_VAR/node"
 NODE_DATA_DIR="$TEZ_VAR/node/data"
 
-CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR launch http signer --magic-bytes 0x11,0x12,0x13 --check-high-watermark -a 0.0.0.0 -p 6732"
+extra_args=""
+if [ -f ${CLIENT_DIR}/authorized_keys ]; then
+ extra_args="${extra_args} --require-authentication"
+fi
+CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR ${extra_args} launch http signer -a 0.0.0.0 -p 6732"
 
 # ensure we can run tezos-signer commands without specifying client dir
 ln -s /var/tezos/client /home/tezos/.tezos-signer

diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml
@@ -8,7 +8,7 @@ is_invitation: false
 
 # Images not part of the tezos-k8s repo go here
 images:
- octez: tezos/tezos:v17.1
+ octez: tezos/tezos:v17.3
  tacoinfraRemoteSigner: ghcr.io/oxheadalpha/tacoinfra-remote-signer:0.1.0
 # Images that are part of the tezos-k8s repo go here with 'dev' tag
 tezos_k8s_images:
@@ -174,6 +174,7 @@ should_generate_unsafe_deterministic_data: false
 # Don't also set `bake_using_accounts`.
 # - `bake_using_accounts`: List of account names that should be used for baking.
 # Don't also set `bake_using_account`.
+# - `authorized_keys`: List of account names available to the baker to sign signature requests.
 # - `config`: Same as the outer statefulset level `config`. It overrides the
 # statefulset level.
 # - `is_bootstrap_node`: Boolean for is this node a bootstrap peer.
@@ -314,6 +315,9 @@ octezSigners: {}
 # tezos-signer-0:
 # accounts:
 # - baker0
+# authorized_keys:
+# # if set, baker will only sign request authenticated by one of the authorized_keys
+# - authorized_key0
 # ```
 #
 # Deploys a signer using AWS KMS to sign operations.

diff --git a/mkchain/README.md b/mkchain/README.md
@@ -86,7 +86,7 @@ You can explicitly specify some values by:
 | | --number-of-nodes | Number of non-baking nodes in the cluster | 0 |
 | bootstrap_peers | --bootstrap-peers | Peer ips to connect to | [] |
 | expected_proof_of_work | --expected-proof-of-work | Node identity generation difficulty | 0 |
-| images.octez | --octez-docker-image | Version of the Octez docker image to run | tezos/tezos:v17.1 |
+| images.octez | --octez-docker-image | Version of the Octez docker image to run | tezos/tezos:v17.3 |
 | | --use-docker (--no...) | Use (or don't use) docker to generate keys rather than pytezos | autodetect |
 | zerotier_config.zerotier_network | --zerotier-network | Zerotier network id for external chain access | |
 | zerotier_config.zerotier_token | --zerotier-token | Zerotier token for external chain access | |

diff --git a/mkchain/tqchain/mkchain.py b/mkchain/tqchain/mkchain.py
@@ -70,7 +70,7 @@ def quoted_scalar(dumper, data): # a representer to force quotations on scalars
  },
  "octez_docker_image": {
  "help": "Version of the Octez docker image",
- "default": "tezos/tezos:v17.1",
+ "default": "tezos/tezos:v17.3",
  },
  "use_docker": {
  "action": "store_true",
@@ -154,6 +154,7 @@ def node_config(name, n, is_baker):
  "shell": {"history_mode": "rolling"},
  "metrics_addr": [":9932"],
  },
+ "authorized_keys": ["authorized-key-0"],
  }
  if is_baker:
  ret["bake_using_accounts"] = [f"{name}-{n}"]
@@ -243,7 +244,7 @@ def main():
  baking_accounts = {
  f"{ARCHIVE_BAKER_NODE_NAME}-{n}": {} for n in range(args.number_of_bakers)
  }
- for account in baking_accounts:
+ for account in [*baking_accounts, *["authorized-key-0"]]:
  print(f"Generating keys for account {account}")
  keys = gen_key(args.octez_docker_image)
  for key_type in keys:
@@ -275,11 +276,12 @@ def main():
  ],
  }
 
- signers = {
+ octezSigners = {
  "tezos-signer-0": {
- "sign_for_accounts": [
+ "accounts": [
  f"{ARCHIVE_BAKER_NODE_NAME}-{n}" for n in range(args.number_of_bakers)
- ]
+ ],
+ "authorized_keys": ["authorized-key-0"],
  }
  }
 
@@ -308,7 +310,7 @@ def main():
  **base_constants,
  "bootstrap_peers": bootstrap_peers,
  "accounts": accounts["secret"],
- "signers": signers,
+ "octezSigners": octezSigners,
  "nodes": creation_nodes,
  **activation,
  }

diff --git a/test/charts/mainnet.expect.yaml b/test/charts/mainnet.expect.yaml
@@ -38,7 +38,7 @@ data:
  ARCHIVE_TARBALL_URL: ""
  PREFER_TARBALLS: "false"
  SNAPSHOT_SOURCE: "https://xtz-shots.io/tezos-snapshots.json"
- OCTEZ_VERSION: "tezos/tezos:v17.1"
+ OCTEZ_VERSION: "tezos/tezos:v17.3"
  NODE_GLOBALS: |
  {
  "config": {},
@@ -128,7 +128,7 @@ spec:
  spec:
  containers: 
  - name: octez-node
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -213,7 +213,7 @@ spec:
  memory: 80Mi 
  initContainers: 
  - name: config-init
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -324,7 +324,7 @@ spec:
  - mountPath: /var/tezos
  name: var-volume 
  - name: snapshot-importer
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -387,7 +387,7 @@ spec:
  - mountPath: /var/tezos
  name: var-volume 
  - name: upgrade-storage
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh

diff --git a/test/charts/mainnet2.expect.yaml b/test/charts/mainnet2.expect.yaml
@@ -38,7 +38,7 @@ data:
  ARCHIVE_TARBALL_URL: ""
  PREFER_TARBALLS: "false"
  SNAPSHOT_SOURCE: "https://xtz-shots.io/tezos-snapshots.json"
- OCTEZ_VERSION: "tezos/tezos:v17.1"
+ OCTEZ_VERSION: "tezos/tezos:v17.3"
  NODE_GLOBALS: |
  {
  "config": {},
@@ -195,7 +195,7 @@ spec:
  spec:
  containers: 
  - name: octez-node
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -316,7 +316,7 @@ spec:
  memory: 80Mi 
  initContainers: 
  - name: config-init
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -433,7 +433,7 @@ spec:
  - mountPath: /var/tezos
  name: var-volume 
  - name: snapshot-importer
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh
@@ -498,7 +498,7 @@ spec:
  - mountPath: /var/tezos
  name: var-volume 
  - name: upgrade-storage
- image: "tezos/tezos:v17.1"
+ image: "tezos/tezos:v17.3"
  imagePullPolicy: IfNotPresent
  command:
  - /bin/sh

diff --git a/test/charts/private-chain.expect.yaml b/test/charts/private-chain.expect.yaml
@@ -1561,7 +1561,11 @@ spec:
  NODE_DIR="$TEZ_VAR/node"
  NODE_DATA_DIR="$TEZ_VAR/node/data"
 
- CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR launch http signer --magic-bytes 0x11,0x12,0x13 --check-high-watermark -a 0.0.0.0 -p 6732"
+ extra_args=""
+ if [ -f ${CLIENT_DIR}/authorized_keys ]; then
+ extra_args="${extra_args} --require-authentication"
+ fi
+ CMD="$TEZ_BIN/octez-signer -d $CLIENT_DIR ${extra_args} launch http signer -a 0.0.0.0 -p 6732"
 
  # ensure we can run tezos-signer commands without specifying client dir
  ln -s /var/tezos/client /home/tezos/.tezos-signer

diff --git a/utils/config-generator.py b/utils/config-generator.py
@@ -332,6 +332,11 @@ def expose_secret_key(account_name):
  pod. It returns the obvious Boolean.
  """
  if MY_POD_TYPE == "activating":
+ all_authorized_keys = [key for node in NODES.values() for instance in node['instances'] for key in instance.get('authorized_keys', [])]
+ if account_name in all_authorized_keys:
+ # populate all known authorized keys in the activation account.
+ # This avoids annoying edge cases for activating private chains, when security is not critical.
+ return True
  return NETWORK_CONFIG["activation_account_name"] == account_name
 
  if MY_POD_TYPE == "signing":
@@ -340,6 +345,8 @@ def expose_secret_key(account_name):
  if MY_POD_TYPE == "node":
  if MY_POD_CONFIG.get("bake_using_account", "") == account_name:
  return True
+ if account_name in MY_POD_CONFIG.get("authorized_keys", {}):
+ return True
  return account_name in MY_POD_CONFIG.get("bake_using_accounts", {})
 
  return False
@@ -419,6 +426,7 @@ def import_keys(all_accounts):
  secret_keys = []
  public_keys = []
  public_key_hashs = []
+ authorized_keys = []
 
  for account_name, account_values in all_accounts.items():
  print("\n Importing keys for account: " + account_name)
@@ -453,6 +461,11 @@ def import_keys(all_accounts):
  public_key_hashs.append({"name": account_name, "value": pkh_b58})
  account_values["pkh"] = pkh_b58
 
+ if MY_POD_TYPE == "signing" and \
+ account_name in MY_POD_CONFIG.get("authorized_keys", {}):
+ print(f" Appending authorized key: {pk_b58}")
+ authorized_keys.append({"name": account_name, "value": pk_b58})
+
  print(f" Account key type: {account_values.get('type')}")
  print(
  f" Account bootstrap balance: "
@@ -463,17 +476,21 @@ def import_keys(all_accounts):
  + f"{account_values.get('is_bootstrap_baker_account', False)}"
  )
 
- sk_path, pk_path, pkh_path = (
+ sk_path, pk_path, pkh_path, ak_path = (
  f"{tezdir}/secret_keys",
  f"{tezdir}/public_keys",
  f"{tezdir}/public_key_hashs",
+ f"{tezdir}/authorized_keys",
  )
  print(f"\n Writing {sk_path}")
  json.dump(secret_keys, open(sk_path, "w"), indent=4)
  print(f" Writing {pk_path}")
  json.dump(public_keys, open(pk_path, "w"), indent=4)
  print(f" Writing {pkh_path}")
  json.dump(public_key_hashs, open(pkh_path, "w"), indent=4)
+ if MY_POD_TYPE == "signing" and len(authorized_keys) > 0:
+ print(f" Writing {ak_path}")
+ json.dump(authorized_keys, open(ak_path, "w"), indent=4)
 
 
 def create_node_identity_json():