Refactored the signer to support host and port config settings

Author: jclapis

crates/cli/src/docker_init.rs

@@ -14,11 +14,11 @@ use cb_common::{
         PBS_ENDPOINT_ENV, PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV,
         PROXY_DIR_KEYS_DEFAULT, PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT,
         PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV,
-        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_JWT_SECRET_ENV, SIGNER_KEYS_ENV,
-        SIGNER_MODULE_NAME, SIGNER_PORT_ENV, SIGNER_URL_ENV,
+        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV,
+        SIGNER_JWT_SECRET_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME, SIGNER_URL_ENV,
     },
     pbs::{BUILDER_API_PATH, GET_STATUS_PATH},
-    signer::{ProxyStore, SignerLoader},
+    signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
     types::ModuleId,
     utils::random_jwt_secret,
 };
@@ -73,7 +73,11 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
     let mut targets = Vec::new();
 
     // address for signer API communication
-    let signer_port = 20000;
+    let signer_port = if let Some(signer_config) = &cb_config.signer {
+        signer_config.port
+    } else {
+        DEFAULT_SIGNER_PORT
+    };
     let signer_server =
         if let Some(SignerConfig { inner: SignerType::Remote { url }, .. }) = &cb_config.signer {
             url.to_string()
@@ -334,10 +338,17 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
                 let mut signer_envs = IndexMap::from([
                     get_env_val(CONFIG_ENV, CONFIG_DEFAULT),
                     get_env_same(JWTS_ENV),
-                    get_env_uval(SIGNER_PORT_ENV, signer_port as u64),
                 ]);
 
-                let mut ports = vec![];
+                // Bind the signer API to 0.0.0.0
+                let container_endpoint =
+                    SocketAddr::from((Ipv4Addr::UNSPECIFIED, signer_config.port));
+                let (key, val) = get_env_val(SIGNER_ENDPOINT_ENV, &container_endpoint.to_string());
+                signer_envs.insert(key, val);
+
+                let host_endpoint = SocketAddr::from((signer_config.host, signer_config.port));
+                let mut ports = vec![format!("{}:{}", host_endpoint, signer_config.port)];
+                warnings.push(format!("cb_signer has an exported port on {}", signer_config.port));
 
                 if let Some((key, val)) = chain_spec_env.clone() {
                     signer_envs.insert(key, val);
@@ -459,13 +470,20 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
                 let mut signer_envs = IndexMap::from([
                     get_env_val(CONFIG_ENV, CONFIG_DEFAULT),
                     get_env_same(JWTS_ENV),
-                    get_env_uval(SIGNER_PORT_ENV, signer_port as u64),
                     get_env_val(DIRK_CERT_ENV, DIRK_CERT_DEFAULT),
                     get_env_val(DIRK_KEY_ENV, DIRK_KEY_DEFAULT),
                     get_env_val(DIRK_DIR_SECRETS_ENV, DIRK_DIR_SECRETS_DEFAULT),
                 ]);
 
-                let mut ports = vec![];
+                // Bind the signer API to 0.0.0.0
+                let container_endpoint =
+                    SocketAddr::from((Ipv4Addr::UNSPECIFIED, signer_config.port));
+                let (key, val) = get_env_val(SIGNER_ENDPOINT_ENV, &container_endpoint.to_string());
+                signer_envs.insert(key, val);
+
+                let host_endpoint = SocketAddr::from((signer_config.host, signer_config.port));
+                let mut ports = vec![format!("{}:{}", host_endpoint, signer_config.port)];
+                warnings.push(format!("cb_signer has an exported port on {}", signer_config.port));
 
                 if let Some((key, val)) = chain_spec_env.clone() {
                     signer_envs.insert(key, val);

crates/common/src/config/constants.rs

@@ -33,7 +33,7 @@ pub const SIGNER_IMAGE_DEFAULT: &str = "ghcr.io/commit-boost/signer:latest";
 pub const SIGNER_MODULE_NAME: &str = "signer";
 
 /// Where the signer module should open the server
-pub const SIGNER_PORT_ENV: &str = "CB_SIGNER_PORT";
+pub const SIGNER_ENDPOINT_ENV: &str = "CB_SIGNER_ENDPOINT";
 
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";

crates/common/src/config/signer.rs

@@ -1,23 +1,34 @@
-use std::{collections::HashMap, path::PathBuf};
+use std::{
+    collections::HashMap,
+    net::{Ipv4Addr, SocketAddr},
+    path::PathBuf,
+};
 
 use eyre::{bail, OptionExt, Result};
 use serde::{Deserialize, Serialize};
 use tonic::transport::{Certificate, Identity};
 use url::Url;
 
 use super::{
-    constants::SIGNER_IMAGE_DEFAULT, load_jwt_secrets, utils::load_env_var, CommitBoostConfig,
-    SIGNER_PORT_ENV,
+    load_jwt_secrets, load_optional_env_var, utils::load_env_var, CommitBoostConfig,
+    SIGNER_ENDPOINT_ENV, SIGNER_IMAGE_DEFAULT,
 };
 use crate::{
     config::{DIRK_CA_CERT_ENV, DIRK_CERT_ENV, DIRK_DIR_SECRETS_ENV, DIRK_KEY_ENV},
-    signer::{ProxyStore, SignerLoader},
+    signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
     types::{Chain, ModuleId},
+    utils::{default_host, default_u16},
 };
 
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[serde(rename_all = "snake_case")]
 pub struct SignerConfig {
+    /// Host address to listen for signer API calls on
+    #[serde(default = "default_host")]
+    pub host: Ipv4Addr,
+    /// Port to listen for signer API calls on
+    #[serde(default = "default_u16::<DEFAULT_SIGNER_PORT>")]
+    pub port: u16,
     /// Docker image of the module
     #[serde(default = "default_signer")]
     pub docker_image: String,
@@ -87,7 +98,7 @@ pub struct StartSignerConfig {
     pub chain: Chain,
     pub loader: Option<SignerLoader>,
     pub store: Option<ProxyStore>,
-    pub server_port: u16,
+    pub endpoint: SocketAddr,
     pub jwts: HashMap<ModuleId, String>,
     pub dirk: Option<DirkConfig>,
 }
@@ -97,15 +108,25 @@ impl StartSignerConfig {
         let config = CommitBoostConfig::from_env_path()?;
 
         let jwts = load_jwt_secrets()?;
-        let server_port = load_env_var(SIGNER_PORT_ENV)?.parse()?;
+
+        // Load the server endpoint first from the env var, then the config, and finally
+        // the defaults
+        let endpoint = if let Some(endpoint) = load_optional_env_var(SIGNER_ENDPOINT_ENV) {
+            endpoint.parse()?
+        } else {
+            match config.signer {
+                Some(ref signer) => SocketAddr::from((signer.host, signer.port)),
+                None => SocketAddr::from((default_host(), DEFAULT_SIGNER_PORT)),
+            }
+        };
 
         let signer = config.signer.ok_or_eyre("Signer config is missing")?.inner;
 
         match signer {
             SignerType::Local { loader, store, .. } => Ok(StartSignerConfig {
                 chain: config.chain,
                 loader: Some(loader),
-                server_port,
+                endpoint,
                 jwts,
                 store,
                 dirk: None,
@@ -133,7 +154,7 @@ impl StartSignerConfig {
 
                 Ok(StartSignerConfig {
                     chain: config.chain,
-                    server_port,
+                    endpoint,
                     jwts,
                     loader: None,
                     store,

crates/common/src/signer/constants.rs

@@ -0,0 +1 @@
+pub const DEFAULT_SIGNER_PORT: u16 = 20000;

crates/common/src/signer/mod.rs

@@ -1,8 +1,10 @@
+mod constants;
 mod loader;
 mod schemes;
 mod store;
 mod types;
 
+pub use constants::*;
 pub use loader::*;
 pub use schemes::*;
 pub use store::*;

crates/signer/src/service.rs

@@ -1,4 +1,4 @@
-use std::{collections::HashMap, net::SocketAddr, sync::Arc};
+use std::{collections::HashMap, sync::Arc};
 
 use axum::{
     extract::{Request, State},
@@ -67,7 +67,7 @@ impl SigningService {
         let loaded_consensus = state.manager.read().await.available_consensus_signers();
         let loaded_proxies = state.manager.read().await.available_proxy_signers();
 
-        info!(version = COMMIT_BOOST_VERSION, commit_hash = COMMIT_BOOST_COMMIT, modules =? module_ids, port =? config.server_port, loaded_consensus, loaded_proxies, "Starting signing service");
+        info!(version = COMMIT_BOOST_VERSION, commit_hash = COMMIT_BOOST_COMMIT, modules =? module_ids, endpoint =? config.endpoint, loaded_consensus, loaded_proxies, "Starting signing service");
 
         SigningService::init_metrics(config.chain)?;
 
@@ -81,8 +81,7 @@ impl SigningService {
             .route_layer(middleware::from_fn(log_request))
             .route(STATUS_PATH, get(handle_status));
 
-        let address = SocketAddr::from(([0, 0, 0, 0], config.server_port));
-        let listener = TcpListener::bind(address).await?;
+        let listener = TcpListener::bind(config.endpoint).await?;
 
         axum::serve(listener, app).await.wrap_err("signer server exited")
     }

docs/docs/get_started/configuration.md

@@ -65,6 +65,8 @@ We currently support Lighthouse, Prysm, Teku and Lodestar's keystores so it's ea
   #### Config:
   ```toml
   [signer]
+  port = 20000
+
   [signer.local.loader]
   format = "lighthouse"
   keys_path = "keys"
@@ -111,6 +113,8 @@ We currently support Lighthouse, Prysm, Teku and Lodestar's keystores so it's ea
   #### Config:
   ```toml
   [signer]
+  port = 20000
+  
   [signer.local.loader]
   format = "teku"
   keys_path = "keys"
@@ -133,6 +137,8 @@ We currently support Lighthouse, Prysm, Teku and Lodestar's keystores so it's ea
   #### Config:
   ```toml
   [signer]
+  port = 20000
+  
   [signer.local.loader]
   format = "lodestar"
   keys_path = "keys"
@@ -299,6 +305,8 @@ port = 18550
 url = ""
 
 [signer]
+port = 20000
+
 [signer.loader]
 format = "lighthouse"
 keys_path = "/path/to/keys"

docs/docs/get_started/running/binary.md

@@ -22,12 +22,12 @@ Modules need some environment variables to work correctly.
 
 ### PBS Module
 - `CB_BUILDER_URLS`: optional, comma-separated list of urls to `events` modules where to post builder events.
-- `CB_PBS_ENDPOINT`: optional, override the endpoint where the PBS module will open the port for the beacon node.
+- `CB_PBS_ENDPOINT`: optional, override to specify the `IP:port` endpoint where the PBS module will open the port for the beacon node.
 - `CB_MUX_PATH_{ID}`: optional, override where to load mux validator keys for mux with `id=\{ID\}`.
 
 ### Signer Module
 - `CB_SIGNER_JWT_SECRET`: secret to use for JWT authentication with the Signer module.
-- `CB_SIGNER_PORT`: required, port to open the signer server on.
+- `CB_SIGNER_ENDPOINT`: optional, override to specify the `IP:port` endpoint to bind the signer server to.
 - For loading keys we currently support:
   - `CB_SIGNER_LOADER_FILE`: path to a `.json` with plaintext keys (for testing purposes only).
   - `CB_SIGNER_LOADER_FORMAT`, `CB_SIGNER_LOADER_KEYS_DIR` and `CB_SIGNER_LOADER_SECRETS_DIR`: paths to the `keys` and `secrets` directories or files (ERC-2335 style keystores, see [Signer config](../configuration/#signer-module) for more info).