feat: add web3signer to rc-1 deployments (#16432)

Adds a web3signer deployment for rc-1 style deployments

Author: alexghr

spartan/aztec-network/files/config/get-private-key.sh

@@ -10,23 +10,33 @@ KEY_INDEX=$((POD_INDEX * VALIDATORS_PER_NODE))
 # Add the index to the start index to get the private key index
 PRIVATE_KEY_INDEX=$((KEY_INDEX_START + KEY_INDEX))
 
+WEB3_SIGNER_ENABLED=${WEB3_SIGNER_ENABLED:-false}
+
 echo "POD_INDEX: $POD_INDEX"
 echo "KEY_INDEX: $KEY_INDEX"
 echo "KEY_INDEX_START: $KEY_INDEX_START"
 echo "PRIVATE_KEY_INDEX: $PRIVATE_KEY_INDEX"
+echo "WEB3_SIGNER_ENABLED: ${WEB3_SIGNER_ENABLED}"
 # Specific for validators that can hold multiple keys on one node
 echo "VALIDATORS_PER_NODE: ${VALIDATORS_PER_NODE}"
 echo "MNEMONIC: $(echo $MNEMONIC | cut -d' ' -f1-2)..."
 
 private_keys=()
+addresses=()
+
 for ((i = 0; i < VALIDATORS_PER_NODE; i++)); do
   current_index=$((PRIVATE_KEY_INDEX + i))
   private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $current_index)
-  private_keys+=("$private_key")
+  address=$(cast wallet address --private-key $private_key)
+
+  if [ "$WEB3_SIGNER_ENABLED" == "false" ]; then
+    private_keys+=("$private_key")
+  fi
+  addresses+=("$address")
 done
 
 # Other services will use the first  key
-private_key=${private_keys[0]}
+private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $PRIVATE_KEY_INDEX)
 address=$(cast wallet address "$private_key")
 
 # combine keys
@@ -35,6 +45,11 @@ validator_private_keys=$(
   echo "${private_keys[*]}"
 )
 
+validator_addresses=$(
+  IFS=,
+  echo "${addresses[*]}"
+)
+
 # Compute slasher private key if SLASHER_KEY_INDEX_START is set
 slasher_private_key=""
 if [[ -n "${SLASHER_KEY_INDEX_START:-}" ]]; then
@@ -47,6 +62,7 @@ fi
 # Note, currently writing keys for all services for convenience
 cat <<EOF >/shared/config/keys.env
 export VALIDATOR_PRIVATE_KEYS=$validator_private_keys
+export WEB3_SIGNER_ADDRESSES=$validator_addresses
 export L1_PRIVATE_KEY=$private_key
 export SEQ_PUBLISHER_PRIVATE_KEY=$private_key
 export PROVER_PUBLISHER_PRIVATE_KEY=$private_key

spartan/aztec-network/templates/validator.yaml

@@ -96,7 +96,8 @@ spec:
               value: {{ .Values.validator.keysPerNode | quote }}
             - name: MNEMONIC
               value: {{ .Values.aztec.l1DeploymentMnemonic }}
-
+            - name: WEB3_SIGNER_ENABLED
+              value: {{ .Values.web3signer.enabled | quote }}
             - name: K8S_POD_UID
               valueFrom:
                 fieldRef:
@@ -220,6 +221,10 @@ spec:
               value: {{ .Values.aztec.slash.invalidBlockMaxPenalty | quote }}
             - name: SENTINEL_ENABLED
               value: "{{ .Values.validator.sentinelEnabled }}"
+            {{- if .Values.web3signer.enabled }}
+            - name: WEB3_SIGNER_URL
+              value: "http://{{ include "aztec-network.fullname" . }}-web3signer.{{ .Release.Namespace }}.svc.cluster.local:9000/"
+            {{- end }}
           ports:
             - containerPort: {{ .Values.validator.service.nodePort }}
             - containerPort: {{ .Values.validator.service.p2pPort }}

spartan/aztec-network/templates/web3signer.yaml

@@ -0,0 +1,101 @@
+{{- if .Values.web3signer.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aztec-network.fullname" . }}-web3signer-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+    data-path: "/data"
+    http-host-allowlist: "{{ include "aztec-network.fullname" . }}-web3signer.{{ .Release.Namespace }}.svc.cluster.local"
+    key-store-path: "/shared/key-store"
+    eth1.chain-id: {{ .Values.ethereum.chainId }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "aztec-network.fullname" . }}-web3signer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: web3signer
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: web3signer
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: web3signer
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      containers:
+        - name: web3signer
+          image: {{ .Values.images.web3signer.image }}
+          imagePullPolicy: {{ .Values.images.web3signer.pullPolicy }}
+          command: ["/bin/bash","-c"]
+          args: ["/opt/web3signer/bin/web3signer --config-file /data/config.yaml eth1"]
+          ports:
+            - name: http
+              containerPort: 9000
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yaml
+              subPath: config.yaml
+            - name: shared
+              mountPath: /shared
+      initContainers:
+        - name: keys-from-mnemonic
+          image: {{ .Values.images.aztec.image }}
+          imagePullPolicy: {{ .Values.images.aztec.pullPolicy }}
+          command: ["/bin/bash","-c"]
+          args:
+            - |
+              set -euo pipefail
+              KS_DIR=/shared/key-store
+              KS_FILE=$KS_DIR/attesters.yaml
+              mkdir -p "$KS_DIR"; : > "$KS_FILE"
+              for ((i=0;i<VALIDATORS;i++)); do
+                idx=$((KEY_INDEX_START + i))
+                pk="$(cast wallet private-key "$MNEMONIC" --mnemonic-index "$idx")"
+                [[ $i -gt 0 ]] && echo '---' >> "$KS_FILE"
+                cat >> "$KS_FILE" <<EOF
+              type: file-raw
+              keyType: SECP256K1
+              privateKey: "$pk"
+              EOF
+              done
+          env:
+            - name: MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic | quote }}
+            - name: VALIDATORS
+              value: {{ mul .Values.validator.replicas .Values.validator.keysPerNode | toString | quote }}
+            - name: KEY_INDEX_START
+              value: {{ .Values.aztec.validatorKeyIndexStart | quote }}
+          volumeMounts:
+            - name: shared
+              mountPath: /shared
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "aztec-network.fullname" . }}-web3signer-config
+        - name: shared
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "aztec-network.fullname" . }}-web3signer
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: web3signer
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  ports:
+    - name: http
+      port: 9000
+      targetPort: http
+{{- end }}

spartan/aztec-network/values.yaml

@@ -58,6 +58,24 @@ images:
   nethermind:
     image: nethermind/nethermind:1.32.2
     pullPolicy: IfNotPresent
+  web3signer:
+    image: consensys/web3signer:25.3.0
+    pullPolicy: IfNotPresent
+
+web3signer:
+  enabled: false
+  image:
+    repository: consensys/web3signer
+    tag: 25.3.0
+    pullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    port: 9000
+  init:
+    image: aztecprotocol/aztec:latest
+  addresses:
+    validatorsCount: 0
+    keyIndexStart: 2000
 
 aztec:
   bootstrapENRs: ""
@@ -74,6 +92,7 @@ aztec:
   l1Salt: "" # leave empty for random salt
   testAccounts: true
   sponsoredFPC: false
+  # WARNING: this is not a secure way to handle a mnemonic. This value will be stored in plain text in helm state. Instead opt to storing the mnemonic in a secret/external secret manager and mount into pods as needed
   l1DeploymentMnemonic: "test test test test test test test test test test test junk" # the mnemonic used when deploying contracts
   manaTarget: "" # use default value
 

spartan/aztec-network/values/rc-1.yaml

@@ -58,3 +58,6 @@ bot:
     requests:
       memory: 15Gi
       cpu: 7
+
+web3signer:
+  enabled: true

spartan/terraform/deploy-release/main.tf

@@ -140,7 +140,7 @@ resource "helm_release" "aztec-gke-cluster" {
   }
 
   # Setting timeout and wait conditions
-  timeout       = 1200 # 20 minutes in seconds
+  timeout       = 600
   wait          = true
   wait_for_jobs = true