Merge pull request #2433 from input-output-hk/jpraynaud/2362-ancillary-signature-infra

Feat: support GCP KMS ancillary signature in infrastructure

Author: jpraynaud

.github/workflows/actions/deploy-terraform-infrastructure/action.yml

@@ -149,6 +149,21 @@ inputs:
     description: Mithril aggregator leader aggregator endpoint to follow.
     required: false
     default: ""
+  mithril_aggregator_ancillary_signer_type:
+    description: Mithril aggregator ancillary signer type ('secret-key' or 'gcp-kms').
+    required: true
+  mithril_aggregator_ancillary_signer_secret_key:
+    description: Mithril aggregator ancillary signer secret key used to sign ancillary files (used with mithril_aggregator_ancillary_signer_type='secret-key').
+    required: false
+    default: ""
+  mithril_aggregator_ancillary_signer_gcp_kms_resource_name:
+    description: Mithril aggregator ancillary signer GCP KMS resource name used to sign ancillary files (used with mithril_aggregator_ancillary_signer_type='gcp-kms').
+    required: false
+    default: ""
+  mithril_aggregator_ancillary_signer_gcp_kms_credentials:
+    description: Mithril aggregator ancillary signer JSON credentials to access GCP KMS (used with mithril_aggregator_ancillary_signer_type='gcp-kms').
+    required: false
+    default: ""
   prometheus_auth_username:
     description: Prometheus metrics endpoint username.
     required: false
@@ -199,6 +214,14 @@ runs:
         chmod u+x ./assets/tools/utils/google-credentials-public-key.sh
         ./assets/tools/utils/google-credentials-public-key.sh ./google-application-credentials.json ./assets/ssh_keys-${{ inputs.google_compute_instance_ssh_keys_environment }} curry
 
+    - name: Prepare variables
+      shell: bash
+      id: prepare
+      run: |
+        MITHRIL_AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS_BASE64=$(echo '${{ inputs.mithril_aggregator_ancillary_signer_gcp_kms_credentials }}' | base64 -w 0)
+        echo "::add-mask::$MITHRIL_AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS_BASE64"
+        echo "mithril_aggregator_ancillary_signer_gcp_kms_credentials_base64=$MITHRIL_AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS_BASE64" >> $GITHUB_OUTPUT
+
     - name: Prepare terraform variables
       shell: bash
       working-directory: mithril-infra
@@ -246,6 +269,10 @@ runs:
           mithril_aggregator_cardano_transactions_signing_config_security_parameter = "${{ inputs.mithril_aggregator_cardano_transactions_signing_config_security_parameter }}"
           mithril_aggregator_cardano_transactions_signing_config_step               = "${{ inputs.mithril_aggregator_cardano_transactions_signing_config_step }}"
           mithril_aggregator_leader_aggregator_endpoint                             = "${{ inputs.mithril_aggregator_leader_aggregator_endpoint }}"
+          mithril_aggregator_ancillary_signer_type                                  = "${{ inputs.mithril_aggregator_ancillary_signer_type }}"
+          mithril_aggregator_ancillary_signer_secret_key                            = "${{ inputs.mithril_aggregator_ancillary_signer_secret_key }}"
+          mithril_aggregator_ancillary_signer_gcp_kms_resource_name                 = "${{ inputs.mithril_aggregator_ancillary_signer_gcp_kms_resource_name }}"
+          mithril_aggregator_ancillary_signer_gcp_kms_credentials                   = "${{ steps.prepare.outputs.mithril_aggregator_ancillary_signer_gcp_kms_credentials_base64 }}"
           prometheus_auth_username                                                  = "${{ inputs.prometheus_auth_username }}"
           prometheus_auth_password                                                  = "${{ inputs.prometheus_auth_password }}"
           prometheus_ingest_host                                                    = "${{ inputs.prometheus_ingest_host }}"

.github/workflows/ci.yml

@@ -728,6 +728,10 @@ jobs:
           mithril_aggregator_cardano_transactions_database_connection_pool_size: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_DATABASE_CONNECTION_POOL_SIZE }}
           mithril_aggregator_cardano_transactions_signing_config_security_parameter: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_SECURITY_PARAMETER }}
           mithril_aggregator_cardano_transactions_signing_config_step: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_STEP }}
+          mithril_aggregator_ancillary_signer_type: ${{ vars.AGGREGATOR_ANCILLARY_SIGNER_TYPE }}
+          mithril_aggregator_ancillary_signer_secret_key: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_SECRET_KEY }}
+          mithril_aggregator_ancillary_signer_gcp_kms_resource_name: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_RESOURCE_NAME }}
+          mithril_aggregator_ancillary_signer_gcp_kms_credentials: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS }}
           prometheus_auth_username: ${{ secrets.PROMETHEUS_AUTH_USERNAME }}
           prometheus_auth_password: ${{ secrets.PROMETHEUS_AUTH_PASSWORD }}
           prometheus_ingest_host: ${{ vars.PROMETHEUS_INGEST_HOST }}

.github/workflows/pre-release.yml

@@ -230,6 +230,10 @@ jobs:
           mithril_aggregator_cardano_transactions_database_connection_pool_size: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_DATABASE_CONNECTION_POOL_SIZE }}
           mithril_aggregator_cardano_transactions_signing_config_security_parameter: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_SECURITY_PARAMETER }}
           mithril_aggregator_cardano_transactions_signing_config_step: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_STEP }}
+          mithril_aggregator_ancillary_signer_type: ${{ vars.AGGREGATOR_ANCILLARY_SIGNER_TYPE }}
+          mithril_aggregator_ancillary_signer_secret_key: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_SECRET_KEY }}
+          mithril_aggregator_ancillary_signer_gcp_kms_resource_name: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_RESOURCE_NAME }}
+          mithril_aggregator_ancillary_signer_gcp_kms_credentials: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS }}
           prometheus_auth_username: ${{ secrets.PROMETHEUS_AUTH_USERNAME }}
           prometheus_auth_password: ${{ secrets.PROMETHEUS_AUTH_PASSWORD }}
           prometheus_ingest_host: ${{ vars.PROMETHEUS_INGEST_HOST }}

.github/workflows/release.yml

@@ -168,6 +168,10 @@ jobs:
           mithril_aggregator_cardano_transactions_database_connection_pool_size: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_DATABASE_CONNECTION_POOL_SIZE }}
           mithril_aggregator_cardano_transactions_signing_config_security_parameter: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_SECURITY_PARAMETER }}
           mithril_aggregator_cardano_transactions_signing_config_step: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_STEP }}
+          mithril_aggregator_ancillary_signer_type: ${{ vars.AGGREGATOR_ANCILLARY_SIGNER_TYPE }}
+          mithril_aggregator_ancillary_signer_secret_key: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_SECRET_KEY }}
+          mithril_aggregator_ancillary_signer_gcp_kms_resource_name: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_RESOURCE_NAME }}
+          mithril_aggregator_ancillary_signer_gcp_kms_credentials: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS }}
           prometheus_auth_username: ${{ secrets.PROMETHEUS_AUTH_USERNAME }}
           prometheus_auth_password: ${{ secrets.PROMETHEUS_AUTH_PASSWORD }}
           prometheus_ingest_host: ${{ vars.PROMETHEUS_INGEST_HOST }}

.github/workflows/test-deploy-network.yml

@@ -77,10 +77,11 @@ jobs:
             mithril_p2p_signer_relay_signature_registration_mode: p2p
             mithril_api_domain: api.mithril.network
             mithril_era_reader_adapter_type: cardano-chain
-            mithril_protocol_parameters: {
-                k     = 5
-                m     = 100
-                phi_f = 0.65,
+            mithril_protocol_parameters: |
+              {
+                 k     = 5
+                 m     = 100
+                 phi_f = 0.65,
               }
             mithril_signers: |
               {
@@ -183,6 +184,10 @@ jobs:
           mithril_aggregator_cardano_transactions_signing_config_security_parameter: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_SECURITY_PARAMETER }}
           mithril_aggregator_cardano_transactions_signing_config_step: ${{ vars.AGGREGATOR_CARDANO_TRANSACTIONS_SIGNING_CONFIG_STEP }}
           mithril_aggregator_leader_aggregator_endpoint: ${{ matrix.mithril_leader_aggregator_endpoint }}
+          mithril_aggregator_ancillary_signer_type: ${{ vars.AGGREGATOR_ANCILLARY_SIGNER_TYPE }}
+          mithril_aggregator_ancillary_signer_secret_key: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_SECRET_KEY }}
+          mithril_aggregator_ancillary_signer_gcp_kms_resource_name: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_RESOURCE_NAME }}
+          mithril_aggregator_ancillary_signer_gcp_kms_credentials: ${{ secrets.AGGREGATOR_ANCILLARY_SIGNER_GCP_KMS_CREDENTIALS }}
           prometheus_auth_username: ${{ secrets.PROMETHEUS_AUTH_USERNAME }}
           prometheus_auth_password: ${{ secrets.PROMETHEUS_AUTH_PASSWORD }}
           prometheus_ingest_host: ${{ vars.PROMETHEUS_INGEST_HOST }}

CHANGELOG.md

@@ -9,6 +9,14 @@ As a minor extension, we have adopted a slightly different versioning convention
 
 ## Mithril Distribution [XXXX] - UNRELEASED
 
+- **BREAKING** changes in Mithril client CLI:
+
+  - To fast bootstrap a Cardano node, the new `--include-ancillary` option has been added to the _Cardano node database_ command in the Mithril client CLI.
+  - Without this option, only final immutable files are downloaded and the ledger state must be computed from the genesis block.
+  - The `--include-ancillary` option requires the usage of an **ancillary verification key** (`--ancillary-verification-key` or `ANCILLARY_VERIFICATION_KEY`) which is specified in the [Networks configuration](https://mithril.network/doc/manual/getting-started/network-configurations) page.
+
+- Support for ancillary files signature for _Cardano node database_ and _Cardano node database v2_ certification with IOG key.
+
 - Add `with_origin_tag` function to the Mithril client library to record the origin of client requests.
 
 - **UNSTABLE** implement support for leader/follower registration in the infrastructure.