Skip to content

Commit

Permalink
chore: use non default mnemonic for releases (#10400)
Browse files Browse the repository at this point in the history
Adds a secret in GCP that we read when making network deployments.

Modify reth genesis to fund that account.

Tested by running the deploy network workflow with
[act](https://github.com/nektos/act) and verifying that I couldn't
`add-l1-validator` with the default mnemonic.

---------

Co-authored-by: PhilWindle <[email protected]>
  • Loading branch information
just-mitch and PhilWindle authored Dec 5, 2024
1 parent 41f7645 commit bb5f364
Show file tree
Hide file tree
Showing 16 changed files with 371 additions and 40 deletions.
21 changes: 19 additions & 2 deletions .github/workflows/network-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,14 @@ on:
aztec_docker_image:
description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:da809c58290f9590836f45ec59376cbf04d3c4ce-x86_64
required: true
deployment_mnemonic_secret_name:
description: The name of the secret which holds the boot node's contract deployment mnemonic
required: true
default: testnet-deployment-mnemonic
respect_tf_lock:
description: Whether to respect the Terraform lock
required: false
default: "true"

jobs:
network_deployment:
Expand All @@ -26,6 +34,7 @@ jobs:
AZTEC_DOCKER_IMAGE: ${{ inputs.aztec_docker_image }}
NAMESPACE: ${{ inputs.namespace }}
VALUES_FILE: ${{ inputs.values_file }}
DEPLOYMENT_MNEMONIC_SECRET_NAME: ${{ inputs.deployment_mnemonic_secret_name }}
CHART_PATH: ./spartan/aztec-network
CLUSTER_NAME: aztec-gke
REGION: us-west1-a
Expand Down Expand Up @@ -62,6 +71,12 @@ jobs:
echo "Terraform state bucket already exists"
fi
- name: Grab the boot node deployment mnemonic
id: get-mnemonic
run: |
echo "::add-mask::$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})"
echo "mnemonic=$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})" >> "$GITHUB_OUTPUT"
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
Expand All @@ -82,8 +97,10 @@ jobs:
-var="values_file=${{ env.VALUES_FILE }}" \
-var="gke_cluster_context=${{ env.GKE_CLUSTER_CONTEXT }}" \
-var="aztec_docker_image=${{ env.AZTEC_DOCKER_IMAGE }}" \
-out=tfplan
-var="l1_deployment_mnemonic=${{ steps.get-mnemonic.outputs.mnemonic }}" \
-out=tfplan \
-lock=${{ inputs.respect_tf_lock }}
- name: Terraform Apply
working-directory: ./spartan/terraform/deploy-release
run: terraform apply -auto-approve tfplan
run: terraform apply -lock=${{ inputs.respect_tf_lock }} -auto-approve tfplan
7 changes: 2 additions & 5 deletions spartan/aztec-network/files/config/deploy-l1-contracts.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,13 @@ set -exu
CHAIN_ID=$1


# Use default account, it is funded on our dev machine
export PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"

# Run the deploy-l1-contracts command and capture the output
output=""
# if INIT_VALIDATORS is true, then we need to pass the validators flag to the deploy-l1-contracts command
if [ "$INIT_VALIDATORS" = "true" ]; then
output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --validators $2 --l1-chain-id $CHAIN_ID)
output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --validators $2 --l1-chain-id $CHAIN_ID)
else
output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --l1-chain-id $CHAIN_ID)
output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --l1-chain-id $CHAIN_ID)
fi

echo "$output"
Expand Down
2 changes: 2 additions & 0 deletions spartan/aztec-network/templates/boot-node.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,8 @@ spec:
env:
- name: INIT_VALIDATORS
value: "true"
- name: MNEMONIC
value: "{{ .Values.aztec.l1DeploymentMnemonic }}"
- name: ETHEREUM_SLOT_DURATION
value: "{{ .Values.ethereum.blockTime }}"
- name: AZTEC_SLOT_DURATION
Expand Down
43 changes: 41 additions & 2 deletions spartan/aztec-network/templates/reth.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,43 @@ spec:
{{- if .Values.network.public }}
hostNetwork: true
{{- end }}
initContainers:
- name: prepare-genesis
image: node:18-alpine
command: ["/bin/sh", "-c"]
args:
- |
cd /tmp
npm init -y
npm install ethers@6
cat > derive.js << 'EOF'
const { ethers } = require('ethers');
const fs = require('fs');
async function main() {
const mnemonic = process.env.DEPLOYMENT_MNEMONIC;
const wallet = ethers.Wallet.fromPhrase(mnemonic);
const genesis = JSON.parse(fs.readFileSync('/genesis-template/genesis.json', 'utf8'));
genesis.alloc[wallet.address] = {
balance: '0x3635c9adc5dea00000' // 1000 ETH in wei
};
fs.writeFileSync('/genesis-output/genesis.json', JSON.stringify(genesis, null, 2));
}
main().catch(console.error);
EOF
node derive.js
env:
- name: DEPLOYMENT_MNEMONIC
value: {{ .Values.aztec.l1DeploymentMnemonic }}
volumeMounts:
- name: genesis-template
mountPath: /genesis-template
- name: genesis-output
mountPath: /genesis-output
containers:
- name: ethereum
image: "{{ .Values.images.reth.image }}"
Expand All @@ -40,17 +77,19 @@ spec:
volumeMounts:
- name: shared-volume
mountPath: /data
- name: genesis
- name: genesis-output
mountPath: /genesis
resources:
{{- toYaml .Values.ethereum.resources | nindent 12 }}
volumes:
- name: shared-volume
persistentVolumeClaim:
claimName: {{ include "aztec-network.fullname" . }}-ethereum-pvc
- name: genesis
- name: genesis-template
configMap:
name: {{ include "aztec-network.fullname" . }}-reth-genesis
- name: genesis-output
emptyDir: {}
{{if not .Values.network.public }}
---
apiVersion: v1
Expand Down
1 change: 1 addition & 0 deletions spartan/aztec-network/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ aztec:
epochDuration: 16 # how many L2 slots in an epoch
epochProofClaimWindow: 13 # in L2 slots
realProofs: false
l1DeploymentMnemonic: "test test test test test test test test test test test junk" # the mnemonic used when deploying contracts

bootNode:
peerIdPrivateKey: ""
Expand Down
12 changes: 0 additions & 12 deletions spartan/terraform/deploy-release/deploy.sh

This file was deleted.

5 changes: 5 additions & 0 deletions spartan/terraform/deploy-release/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,11 @@ resource "helm_release" "aztec-gke-cluster" {
value = var.AZTEC_DOCKER_IMAGE
}

set {
name = "aztec.l1DeploymentMnemonic"
value = var.l1_deployment_mnemonic
}

# Setting timeout and wait conditions
timeout = 1200 # 20 minutes in seconds
wait = true
Expand Down
1 change: 0 additions & 1 deletion spartan/terraform/deploy-release/release.tfvars

This file was deleted.

6 changes: 6 additions & 0 deletions spartan/terraform/deploy-release/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,9 @@ variable "AZTEC_DOCKER_IMAGE" {
description = "Docker image to use for the aztec network"
type = string
}

variable "l1_deployment_mnemonic" {
description = "Mnemonic to use for the L1 contract deployments"
type = string
sensitive = true
}
51 changes: 51 additions & 0 deletions spartan/terraform/gke-cluster-old/firewall.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Create ingress firewall rules for UDP
resource "google_compute_firewall" "udp_ingress" {
name = "allow-udp-ingress-custom"
network = "default"
allow {
protocol = "udp"
ports = ["40400-40499", "8080", "8545"]
}
direction = "INGRESS"
source_ranges = ["0.0.0.0/0"]
target_tags = ["gke-node", "aztec-gke-node"]
}

# Create egress firewall rules for UDP
resource "google_compute_firewall" "udp_egress" {
name = "allow-udp-egress-custom"
network = "default"
allow {
protocol = "udp"
ports = ["40400-40499", "8080", "8545"]
}
direction = "EGRESS"
destination_ranges = ["0.0.0.0/0"]
target_tags = ["gke-node", "aztec-gke-node"]
}

# Create ingress firewall rules for TCP
resource "google_compute_firewall" "tcp_ingress" {
name = "allow-tcp-ingress-custom"
network = "default"
allow {
protocol = "tcp"
ports = ["40400-40499", "8080", "8545"]
}
direction = "INGRESS"
source_ranges = ["0.0.0.0/0"]
target_tags = ["gke-node", "aztec-gke-node"]
}

# Create egress firewall rules for TCP
resource "google_compute_firewall" "tcp_egress" {
name = "allow-tcp-egress-custom"
network = "default"
allow {
protocol = "tcp"
ports = ["40400-40499", "8080", "8545"]
}
direction = "EGRESS"
destination_ranges = ["0.0.0.0/0"]
target_tags = ["gke-node", "aztec-gke-node"]
}
Loading

0 comments on commit bb5f364

Please sign in to comment.