diff --git a/charts/tezos/values.yaml b/charts/tezos/values.yaml
index 50970aafe..4a94a190f 100644
--- a/charts/tezos/values.yaml
+++ b/charts/tezos/values.yaml
@@ -171,11 +171,6 @@ should_generate_unsafe_deterministic_data: false
 # Don't also set `bake_using_accounts`.
 # - `bake_using_accounts`: List of account names that should be used for baking.
 # Don't also set `bake_using_account`.
-# - `authorized_keys`: List of account names that should be used as keys to
-# authenticate a baker to a signer.
-# When a baker uses a remote signer that requires
-# authentication, the relevant key from this list
-# will be used to sign every signature request.
 # - `config`: Same as the outer statefulset level `config`. It overrides the
 # statefulset level.
 # - `is_bootstrap_node`: Boolean for is this node a bootstrap peer.
@@ -329,9 +324,10 @@ octezSigners: {}
 # - baker0
 # authorized_keys:
 # # Names of accounts used to authenticate the baker to the signer.
-# # The baker must have the private key for one of the listed
-# # accounts. The signer will only sign a request from a baker
-# # authenticated by an allowed key.
+# # The signer will only sign a request from a baker authenticated
+# # by an allowed key.
+ # If set, any baker targeting this signer will automatically have
+ # the associated private key accessible locally.
 # - authorized-key-0
 # ```
 #
diff --git a/utils/config-generator.py b/utils/config-generator.py
index 85d0a4f6e..3086aa3bd 100755
--- a/utils/config-generator.py
+++ b/utils/config-generator.py
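Review bot: The two added lines starting `+ # If set, any baker targeting this signer` lack the outer `# ` prefix that every other line of this commented-out example carries (`# # The signer will only sign ...`), so they sit indented one space with a single `#` and no longer read as part of the example; prefix them `# # ` like their neighbours. This sentence is now the only place the chart explains that a signer's authorized key has its secret key made available on every baker pod targeting that signer, since the first hunk removes the per-instance `authorized_keys` description; it is worth repeating that exposure in the `bake_using_account`/`bake_using_accounts` descriptions that remain, so an operator choosing a baking account sees it.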
@@ -323,30 +323,28 @@ def fill_in_missing_keys(all_accounts):
 account_values["key"] = sk_b58
 account_values["type"] = "secret"
+def authorized_key_for(account_name):
+ """
+ If `account_name` has a remote signer and this remote signer
+ requires an authorized key, returns it.
+ """
+ for signer_val in OCTEZ_SIGNERS.values():
+ if account_name in signer_val.accounts:
+ return signer_val.authorized_keys.get(0)
+ return
 def expose_secret_key(account_name):
 """
 Decides if an account needs to have its secret key exposed on the current
- pod. It returns the obvious Boolean.
+ pod.
+ Returns true if the pod bakes for this address, signer signs for this address,
+ or if the address is an authorized key necessary for perforing baking.
+ Note: in some cases, "secret key" is a URL to a remote signer rather than a key,
+ as is the case in Octez client's "secret_keys" file.
 """
 if MY_POD_TYPE == "activating":
- all_authorized_keys = [
- key
- for node in NODES.values()
- for instance in node["instances"]
- for key in instance.get("authorized_keys", [])
- ]
- all_authorized_keys.append([
- key
- for baker in OCTEZ_BAKERS.values()
- for key in baker.get("authorized_keys", [])
- ])
- if account_name in all_authorized_keys:
- # Populate authorized keys known by all bakers in the activation account.
- # This ensures that activation will succeed with a remote signer that requires auth,
- # regardless of which baker does it.
- return True
- return NETWORK_CONFIG["activation_account_name"] == account_name
+ activation_account = NETWORK_CONFIG["activation_account_name"]
+ return account_name in [ activation_account, authorized_key_for(activation_account)]
 if MY_POD_TYPE == "signing":
 return account_name in MY_POD_CONFIG.get("accounts")
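Review bot: `signer_val.authorized_keys.get(0)` in the new `authorized_key_for` does not match the data shape this same commit documents: the values.yaml hunk shows `authorized_keys` as a YAML list (`- authorized-key-0`), and a Python list has no `.get`, so the first pod whose account is served by a signer with authorized keys would raise AttributeError instead of getting the key exposed. If it is a plain list, `keys = signer_val.authorized_keys or []` followed by `return keys[0] if keys else None` does what the docstring promises and also survives a signer entry with an empty list; if `signer_val` is a wrapper object that really offers `.get`, the docstring should say so, and in either case it should state that only the first listed key is ever returned. The trailing bare `return` is clearer as `return None`, since both callers put the result into a list for an `in` membership test. In the expose_secret_key docstring "perforing" should read "performing"; expose_secret_key continues past the end of this hunk.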
@@ -355,11 +353,12 @@ def expose_secret_key(account_name):
 return account_name == MY_POD_CONFIG.get("operator_account")
 if MY_POD_TYPE in [ "node", "baker" ]:
- if MY_POD_CONFIG.get("bake_using_account", "") == account_name:
- return True
- if account_name in MY_POD_CONFIG.get("authorized_keys", {}):
+ baking_account = MY_POD_CONFIG.get("bake_using_account", "")
+ if account_name in [ baking_account, authorized_key_for(baking_account)]:
 return True
- return account_name in MY_POD_CONFIG.get("bake_using_accounts", {})
+ for baking_account in MY_POD_CONFIG.get("bake_using_accounts", {}):
+ if account_name in [ baking_account, authorized_key_for(baking_account)]:
+ return True
 return False
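Review bot: The node/baker branch now evaluates the same `account_name in [ acct, authorized_key_for(acct)]` test twice, once for `bake_using_account` and again inside the loop over `bake_using_accounts`, and the loop variable `baking_account` shadows the local of that name assigned two lines earlier; folding both config forms into one list and a single `any(...)` removes the duplication and the shadowing. The `{}` default for `bake_using_accounts` is a dict standing in for what the chart documents as a list, so `[]` states the intent better. When `bake_using_account` is unset, the `""` placeholder is still handed to `authorized_key_for` and compared against `account_name`; skipping empty entries makes that explicit rather than relying on signer `accounts` lists never containing `""`. expose_secret_key starts before this hunk.
```python
    if MY_POD_TYPE in [ "node", "baker" ]:
        # Every account this pod bakes with, from either config form.
        baking_accounts = [MY_POD_CONFIG.get("bake_using_account", "")]
        baking_accounts += MY_POD_CONFIG.get("bake_using_accounts", [])
        # Expose the key if this pod bakes with the account itself or with
        # the authorized key its remote signer requires; "" is the unset placeholder.
        return any(
            account_name in (acct, authorized_key_for(acct))
            for acct in baking_accounts
            if acct
        )
```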