diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index b3118076c..cbbe225f0 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -1,11 +1,8 @@ - [Helm Chart Development](#helm-chart-development) - [Prerequisites](#prerequisites) -- [Using devspace](#using-devspace) - - [Notes](#notes) - [Helm Charts](#helm-charts) - [Creating Charts](#creating-charts) - [Run local development chart](#run-local-development-chart) - - [Notes](#notes-1) - [Creating Docker Images](#creating-docker-images) - [Releases](#releases) @@ -13,8 +10,6 @@ ## Prerequisites -- Install [devspace](https://devspace.sh/cli/docs/introduction). - - Ensure minikube is running: ```shell @@ -27,42 +22,6 @@ eval $(minikube docker-env) ``` -# Using devspace - -- Tell devspace which namespace to use: - - ```shell - devspace use namespace oxheadalpha - ``` - -- Run `mkchain` to generate your Helm values. (Note: Devspace will only deploy `rpc-auth` if you use the `rpc-auth` profile, regardless if you set it in mkchain. This is to avoid devspace deployment issues. See more below.) - -- Set a `CHAIN_NAME` env var. - -- Run `devspace dev --var CHAIN_NAME=$CHAIN_NAME` (you can leave out the `--var` flag if you used `export CHAIN_NAME=my-chain`). - -- You may add the `rpc-auth` devspace [profile](https://devspace.sh/cli/docs/configuration/profiles/basics) by using the `-p rpc-auth` flag in the `devspace dev` command. This tells devspace deploy `rpc-auth` and to redeploy it if its files change. You can also pass another `--var` flag for `rpc-auth` like so: `--var FLASK_ENV=`. Devpsace defaults it to `development`. Running with `development` will allow the python server to hot reload on file changes. Devspace does not need to restart the pod on file changes as the python server file is [synced](https://devspace.sh/cli/docs/configuration/development/file-synchronization) to the container. - -Devspace will now do a few things: - -- Create namespace if it doesn't already exist. -- Runs a hook to enable the minikube nginx ingress addon. This is the gateway for external users to access the `rpc-auth` backend and to then make RPC calls to the Tezos node. -- Runs a hook to increase `fs.inotify.max_user_watches` to 1048576 in minikube. This is to avoid a "no space left on device" error. See [here](https://serverfault.com/questions/963529/minikube-k8s-kubectl-failed-to-watch-file-no-space-left-on-device) for more. -- Builds docker images and tags them. -- Deploys Helm charts. -- Starts [sync](https://devspace.sh/cli/docs/configuration/development/file-synchronization), [logging](https://devspace.sh/cli/docs/configuration/development/log-streaming), and [port-forwarding](https://devspace.sh/cli/docs/configuration/development/port-forwarding) services. - - Right now just `rpc-auth` produces logs from the python server. - - Port-forwarding allows you to directly communicate with containers, allowing for easy bootstrap node RPC calls, as well as requests to the `rpc-auth` server instead of having to go through the NGINX ingress. Example: `curl localhost:8732/chains/main/chain_id` -- Will automatically redeploy Helm charts and rebuild docker images depending upon the files you modify. - -## Notes - -- Devspace recommends to run [devspace purge](https://devspace.sh/cli/docs/commands/devspace_purge) to delete deployments. Keep in mind though that it currently does not delete persistent volumes and claims. They currently don't mention this in their docs. If you want to delete all resources including persistent volumes and claims, run `kubectl delete namespace `. Even with this command, there are times where PV's/PVC's do not get deleted. This is important to know because you may be spinning up nodes that get old volumes attached with old state, and you may encounter Tezos pod errors. I have experienced this in situations where I left my cluster running for a long time, say overnight, and I shut my laptop and/or it went to sleep. After logging back in and deleting the namespace, the PV's/PVC's are still there and need to be manually deleted. - -- If you would like to build all of our images without using Devspace to deploy (you might want to do a `helm install` instead), you can run `devspace build -t dev --skip-push`. - -- If you find that you have images built but Devspace is having a hard time getting them and/or is producing errors that don't seem to make sense, you can try `rm -rf .devspace` to remove any potentially wrong state. - # Helm Charts ## Creating Charts @@ -83,10 +42,6 @@ Instructions as per README install the latest release of tezos-k8s helm chart fr helm install tezos-mainnet charts/tezos --namespace oxheadalpha --create-namespace ``` -## Notes - -If you use `helm install|upgrade` (instead of devspace) for local charts, make sure you `helm dependency update ` to get the latest local dependency chart changes that you've made packaged into the parent chart. - # Creating Docker Images Currently, we are placing all docker images in the root level directory. The name of the folder is treated as the name of the image being created. diff --git a/charts/rpc-auth/.helmignore b/charts/rpc-auth/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/charts/rpc-auth/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/rpc-auth/Chart.yaml b/charts/rpc-auth/Chart.yaml deleted file mode 100644 index 033da15be..000000000 --- a/charts/rpc-auth/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v2 -name: authenticated-rpc-tezos-chain -description: A Helm chart for Tezos RPC authentication for a private chain -type: application -version: 0.0.0 -keywords: - - tezos - - blockchain -home: https://github.com/oxheadalpha/tezos-k8s diff --git a/charts/rpc-auth/templates/_helpers.tpl b/charts/rpc-auth/templates/_helpers.tpl deleted file mode 100644 index b059a2f81..000000000 --- a/charts/rpc-auth/templates/_helpers.tpl +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "my-chart.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "my-chart.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "my-chart.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "my-chart.labels" -}} -helm.sh/chart: {{ include "my-chart.chart" . }} -{{ include "my-chart.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "my-chart.selectorLabels" -}} -app.kubernetes.io/name: {{ include "my-chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "my-chart.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "my-chart.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/charts/rpc-auth/templates/rpc-auth.yaml b/charts/rpc-auth/templates/rpc-auth.yaml deleted file mode 100644 index 9a50536f2..000000000 --- a/charts/rpc-auth/templates/rpc-auth.yaml +++ /dev/null @@ -1,189 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: redis-service - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - ports: - - name: redis - port: 6379 - selector: - app: redis ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: redis-pv-claim - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: redis-config - namespace: {{ .Release.Namespace }} -data: - redis.conf: | - appendonly yes - appendfsync always ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - name: master - image: redis - command: - - redis-server - - "/redis/redis.conf" - readinessProbe: - exec: - command: - - sh - - -c - - "redis-cli -h $(hostname) ping" - initialDelaySeconds: 5 - timeoutSeconds: 5 - livenessProbe: - exec: - command: - - sh - - -c - - "redis-cli -h $(hostname) ping" - initialDelaySeconds: 5 - periodSeconds: 3 - # resources: - # requests: - # cpu: 100m - # memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - mountPath: /data - name: redis-data - - mountPath: /redis - name: redis-config - - volumes: - - name: redis-data - persistentVolumeClaim: - claimName: redis-pv-claim - - name: redis-config - configMap: - name: redis-config ---- -apiVersion: v1 -kind: Service -metadata: - name: rpc-auth - namespace: {{ .Release.Namespace }} -spec: - selector: - app: rpc-auth - ports: - - name: rpc-auth - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: rpc-auth - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: rpc-auth - template: - metadata: - labels: - app: rpc-auth - appType: rpc-auth - spec: - containers: - - name: rpc-auth - image: {{ .Values.tezos_k8s_images.rpc_auth | quote }} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - env: - - name: REDIS_HOST - value: {{ .Values.redis.host | quote }} - - name: REDIS_PORT - value: {{ .Values.redis.port | quote }} - - name: TEZOS_RPC_SERVICE - value: tezos-node-rpc - - name: TEZOS_RPC_SERVICE_PORT - value: "8732" ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: rpc-vending-machine-ingress - namespace: {{ .Release.Namespace }} - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" -spec: - rules: - - http: - paths: - # Client provides chain id and gets back a nonce - - path: /vending-machine/(.*) - pathType: Exact - backend: - serviceName: rpc-auth - servicePort: 8080 - # Client provides signed data and gets back a secret url - - path: /vending-machine - pathType: Exact - backend: - serviceName: rpc-auth - servicePort: 8080 ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: tezos-rpc-ingress - namespace: {{ .Release.Namespace }} - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - # https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication - nginx.ingress.kubernetes.io/auth-url: http://$service_name.$namespace.svc.cluster.local:8080/auth - nginx.ingress.kubernetes.io/auth-snippet: | - # Bug with nginx setting auth-url annotation port with a variable. - # Service name and namespace variables work. - # https://github.com/kubernetes/ingress-nginx/issues/6427 - set $service_name "rpc-auth"; -spec: - rules: - - http: - paths: - # Client uses secret url to access the RPC endpoint - - path: /tezos-node-rpc/(.*?)/(.*) - pathType: Exact - backend: - serviceName: tezos-node-rpc - servicePort: 8732 diff --git a/charts/rpc-auth/values.yaml b/charts/rpc-auth/values.yaml deleted file mode 100644 index 79a4a86dc..000000000 --- a/charts/rpc-auth/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# Images not part of the tezos-k8s repo go here -images: - -# Images that are part of the tezos-k8s repo go here -tezos_k8s_images: - rpc_auth: tezos-k8s-rpc-auth:dev - -redis: - host: redis-service - port: 6379 diff --git a/devspace.yaml b/devspace.yaml deleted file mode 100755 index 65e6af506..000000000 --- a/devspace.yaml +++ /dev/null @@ -1,101 +0,0 @@ -version: v1beta9 -deployments: - - name: chain - helm: - chart: - name: ./charts/tezos - valuesFiles: - - ./${CHAIN_NAME}_values.yaml - -images: - utils: - image: tezos-k8s-utils - dockerfile: ./utils/Dockerfile - context: ./utils - -dev: - ports: - - labelSelector: - app: tezos-baking-node - forward: - - port: 8732 - remotePort: 8732 - logs: - disabled: true - autoReload: - deployments: - - chain - -hooks: - - command: minikube - args: - - addons - - enable - - ingress - when: - before: - pullSecrets: all - - command: sh - args: - - -c - - minikube ssh "sudo sysctl fs.inotify.max_user_watches=1048576" - when: - before: - pullSecrets: all - -vars: - - name: CHAIN_NAME - question: Name of the chain as passed to generate-constants - default: "devspace" - source: env - - name: FLASK_ENV # development | production - question: Deployment env to run RPC authentication - default: development - source: env - -profiles: - - name: rpc-auth - strategicMerge: - images: - rpc-auth: - image: tezos-k8s-rpc-auth - dockerfile: ./rpc-auth/Dockerfile - context: ./rpc-auth - build: - docker: - options: - buildArgs: - FLASK_ENV: ${FLASK_ENV} - dev: - logs: - disabled: false - images: - - rpc-auth - sync: - - imageName: rpc-auth - localSubPath: ./rpc-auth/server - patches: - - op: add - path: deployments - value: - name: rpc-auth - helm: - chart: - name: ./charts/rpc-auth - - op: add - path: dev.autoReload.deployments - value: rpc-auth - - op: add - path: dev.autoReload.paths - value: ./rpc-auth/Dockerfile - - op: add - path: dev.autoReload.paths - value: ./rpc-auth/server/requirements.txt - - op: add - path: dev.ports - value: - labelSelector: - app: rpc-auth - forward: - - port: 8080 - remotePort: 8080 diff --git a/docs/04-other-helm-charts.md b/docs/04-other-helm-charts.md index 755fcc5cb..9da20d999 100644 --- a/docs/04-other-helm-charts.md +++ b/docs/04-other-helm-charts.md @@ -3,7 +3,6 @@ The Tezos-k8s project also maintains several other helm charts: * **[pyrometer](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/pyrometer)**: a chart to deploy the [Pyrometer Tezos monitoring tool](https://gitlab.com/tezos-kiln/pyrometer) -* **[rpc-auth](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/rpc-auth)**: a vending-machine to dispense Tezos RPC access * **[tezos-faucet](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/tezos-faucet)**: a faucet to dispense testnet funds * **[snapshotEngine](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/snapshotEngine)**: an utility to generate Tezos snapshots from running nodes, using Kubernetes CSI driver * **[tezos-reward-distributor](https://github.com/oxheadalpha/tezos-k8s/tree/master/charts/tezos-reward-distributor)**: a chart to deploy [TRD](https://tezos-reward-distributor-organization.github.io/tezos-reward-distributor/) diff --git a/docs/Prerequisites.md b/docs/Prerequisites.md index 63b81b214..5661df298 100644 --- a/docs/Prerequisites.md +++ b/docs/Prerequisites.md @@ -64,8 +64,6 @@ Make hyperkit the default minikube driver: minikube config set driver hyperkit ``` -(Note: We do not use Docker itself as the minikube driver due to an [issue](https://github.com/kubernetes/minikube/issues/7332) regarding the minikube ingress addon that is required by rpc-auth.) - ### Other Operating Systems If in the next step minikube does not start correctly, you may need to configure a different driver for it. Please see the minikube docs [here](https://minikube.sigs.k8s.io/docs/drivers/) for more information. diff --git a/docs/RPC-Auth.md b/docs/RPC-Auth.md deleted file mode 100644 index ce8d359f5..000000000 --- a/docs/RPC-Auth.md +++ /dev/null @@ -1,5 +0,0 @@ -## RPC Authentication - -You can optionally spin up an RPC authentication backend allowing trusted users to make RPC requests to your cluster. - -Follow the steps at [rpc-auth/README.md](https://github.com/oxheadalpha/tezos-k8s/blob/master/rpc-auth/README.md). diff --git a/rpc-auth/.dockerignore b/rpc-auth/.dockerignore deleted file mode 100644 index 8bf81bf5a..000000000 --- a/rpc-auth/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -client -README.md diff --git a/rpc-auth/Dockerfile b/rpc-auth/Dockerfile deleted file mode 100644 index df4b8af6d..000000000 --- a/rpc-auth/Dockerfile +++ /dev/null @@ -1,66 +0,0 @@ -FROM python:3.9.6-slim as builder - -RUN mkdir -p /var/rpc-auth/ - -WORKDIR /var/rpc-auth/ - -# Installing pytezos deps -RUN apt-get update -y \ - && apt-get install --no-install-recommends -y \ - automake \ - build-essential \ - libffi-dev \ - libgmp-dev \ - libsecp256k1-dev \ - libsodium-dev \ - libtool \ - pkg-config \ - && echo - -COPY ./requirements.txt . -RUN mkdir wheels \ - && pip wheel -r requirements.txt \ - --wheel-dir ./wheels --no-cache-dir - -FROM python:3.9-slim AS src - -WORKDIR /var/rpc-auth/ - -# Installing pytezos deps -RUN apt-get update -y \ - && apt-get install --no-install-recommends -y \ - libffi-dev \ - libgmp-dev \ - libsecp256k1-dev \ - libsodium-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Installing python dependencies -COPY --from=builder /var/rpc-auth/wheels wheels -COPY ./requirements.txt . -RUN pip install -r requirements.txt \ - --no-index --find-links ./wheels \ - && rm -rf ./wheels ./requirements.txt - -RUN groupadd -g 999 appuser && \ - useradd -r -u 999 -g appuser appuser - -COPY --chown=appuser:appuser ./server/index.py . - -ARG FLASK_ENV=production -ENV FLASK_ENV=$FLASK_ENV -ENV PYTHONUNBUFFERED=x - -EXPOSE 8080 - -USER appuser - -CMD uwsgi \ - --http-socket 0.0.0.0:8080 \ - --callable app \ - --threads 100 \ - --processes 1 \ - --wsgi-file index.py \ - --worker-reload-mercy 0 \ - $(if [ "${FLASK_ENV}" = "development" ] ; then echo "--touch-reload index.py" ; else : ; fi) diff --git a/rpc-auth/README.md b/rpc-auth/README.md deleted file mode 100644 index dd6835ffd..000000000 --- a/rpc-auth/README.md +++ /dev/null @@ -1,82 +0,0 @@ -- [Tezos RPC Authentication](#tezos-rpc-authentication) - - [Deploy RPC Auth Backend](#deploy-rpc-auth-backend) - - [Client Authentication](#client-authentication) - - [Prerequisites](#prerequisites) - - [Authentication flow](#authentication-flow) - -# Tezos RPC Authentication - -`rpc-auth` provides a mechanism where a user authenticates themselves and will receive a secret url that they then use to make RPC calls. - -## Deploy RPC Auth Backend - -Install this chart to deploy an RPC Authentication backend for your private chain. - -This assumes that you have followed the steps [here](../README.md) necessary to deploy a Tezos private chain. - -Make sure you have the Tezos Helm chart repo: - -```shell -helm repo add oxheadalpha https://oxheadalpha.github.io/tezos-helm-charts -``` - -If you don't currently have a chain running, run the following command to start it: - -```shell -helm install $CHAIN_NAME oxheadalpha/tezos-chain \ ---values ./${CHAIN_NAME}_values.yaml \ ---namespace oxheadalpha --create-namespace -``` - -If you already have a chain running, you need to use Helm's `upgrade` cmd instead of `install`: - -```shell -helm upgrade $CHAIN_NAME oxheadalpha/tezos-chain \ ---values ./${CHAIN_NAME}_values.yaml \ ---namespace oxheadalpha -``` - -## Client Authentication - -### Prerequisites - -- [tezos-client](https://assets.tqtezos.com/docs/setup/1-tezos-client/) - -## Authentication flow - -1. You provide a trusted user with your cluster ip/address and your private tezos chain id. - To see your chain id, either: - - - Run - ```shell - kubectl exec -it -n oxheadalpha statefulset/tezos-baking-node -c octez-node -- octez-client rpc get /chains/main/chain_id - ``` - - Use a tool like [Lens](https://k8slens.dev/) to view the logs of the Tezos node. (As well as the rest of your k8s infrastructure) - - Manually run the logs command `kubectl logs -n oxheadalpha statefulset/tezos-baking-node -c octez-node`. The top of the logs should look similar to: - ``` - Dec 21 19:42:08 - node.main: starting the Tezos node (chain = my-chain) - Dec 21 19:42:08 - node.main: disabled local peer discovery - Dec 21 19:42:08 - node.main: read identity file (peer_id = idsbTksk6cHggEndHLQBAJvxaViUnz) - Dec 21 19:42:08 - main: shell-node initialization: bootstrapping - Dec 21 19:42:08 - main: shell-node initialization: p2p_maintain_started - Dec 21 19:42:08 - block_validator_process_external: Initialized - Dec 21 19:42:08 - block_validator_process_external: Block validator started on pid 11 - Dec 21 19:42:08 - validator.block: Worker started - Dec 21 19:42:08 - node.validator: activate chain NetXitypWekag8Z - ``` - The chain id is printed on the last line: `NetXitypWekag8Z`. - -2. The user needs to have a Tezos secret key either generated or imported by `octez-client`. The user's secret key is used to sign some data for the server to then verify. - -3. The user runs: `rpc-auth/client/init.sh --cluster-address $CLUSTER_IP --tz-alias $TZ_ALIAS --chain-id $CHAIN_ID` - - - `TZ_ALIAS` is the alias of a user's tz address secret key. - -4. If the user is authenticated, the response should contain a secret url that looks like `http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/` - -5. Client can then make RPC requests: - - `curl http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/chains/main/chain_id` - - As of docker image `tezos/tezos:v9-release`: - ```shell - octez-client --endpoint http://192.168.64.51/tezos-node-rpc/ffff3eb3d7dd4f6bbff3f2fd096722ae/ rpc get chains/main/chain_id - ``` diff --git a/rpc-auth/client/init.sh b/rpc-auth/client/init.sh deleted file mode 100755 index d7f0ecaca..000000000 --- a/rpc-auth/client/init.sh +++ /dev/null @@ -1,104 +0,0 @@ -#!/bin/bash - -while test $# -gt 0; do - case "$1" in - -h | --help) - echo "options:" - echo "-h, --help show brief help" - echo "--cluster-address specify ip or url for requesting nonce" - echo "--chain-id specify chain id of permission chain" - echo "--tz-alias specify tz alias of your key" - exit 0 - ;; - --cluster-address) - shift - if test $# -gt 0; then - export CLUSTER_ADDRESS=$1 - else - echo "no address specified" - exit 1 - fi - shift - ;; - --chain-id) - shift - if test $# -gt 0; then - export CHAIN_ID=$1 - else - echo "no chain id specified" - exit 1 - fi - shift - ;; - --tz-alias) - shift - if test $# -gt 0; then - export TZ_ALIAS=$1 - else - echo "no tz alias specified" - exit 1 - fi - shift - ;; - *) - break - ;; - esac -done - -if [ -z "$CLUSTER_ADDRESS" ]; then - echo "--cluster-address flag is required" - exit 1 -elif [ -z "$CHAIN_ID" ]; then - echo "--chain-id flag is required" - exit 1 -elif [ -z "$TZ_ALIAS" ]; then - echo "--tz-alias flag is required" - exit 1 -fi - -if ! tezos-client show address $TZ_ALIAS >/dev/null 2>&1; then - echo "no public key hash alias named $TZ_ALIAS" - exit 1 -fi - -get_response_body() { - echo $1 | sed -e 's/ HTTPSTATUS\:.*//g' -} -get_response_status() { - printf '%q' $1 | sed -e 's/.*HTTPSTATUS://' -} - -echo "Requesting data to sign..." -nonce_res=$(curl -s -X GET http://$CLUSTER_ADDRESS/vending-machine/$CHAIN_ID -w " HTTPSTATUS:%{http_code}") -NONCE=$(get_response_body "$nonce_res") -nonce_res_status=$(get_response_status "$nonce_res") - -if [ "$nonce_res_status" != "200" ]; then - echo "Failed to get nonce. [HTTP status: $nonce_res_status]" - echo "$nonce_res" - exit 1 -fi - -# echo NONCE: "$NONCE" - -echo "Signing data..." -SIGNATURE=$(tezos-client -p PsDELPH1Kxsx sign bytes 0x05${NONCE} for ${TZ_ALIAS} | cut -f 2 -d " ") -PUBLIC_KEY=$(tezos-client show address ${TZ_ALIAS} 2>/dev/null | grep "Public Key: " | awk '{print $3}') - -# echo SIGNATURE: "$SIGNATURE" -# echo PUBLIC_KEY: "$PUBLIC_KEY" - -echo "Sending request for RPC url..." -secret_url_res=$(curl -s -X POST -d "nonce=${NONCE}" -d "signature=${SIGNATURE}" -d "public_key=${PUBLIC_KEY}" http://$CLUSTER_ADDRESS/vending-machine -w " HTTPSTATUS:%{http_code}") -SECRET_URL=$(get_response_body "$secret_url_res") -secret_url_status=$(get_response_status "$secret_url_res") - -if [ "$secret_url_status" != "200" ]; then - echo "Failed to get secret url. [HTTP status: $secret_url_status]" - echo "$secret_url_res" - exit 1 -fi - -echo "Your secret tezos node RPC url: $SECRET_URL" - diff --git a/rpc-auth/requirements.txt b/rpc-auth/requirements.txt deleted file mode 100644 index 7df6cc352..000000000 --- a/rpc-auth/requirements.txt +++ /dev/null @@ -1,35 +0,0 @@ -base58==1.0.3 -bson==0.5.10 -certifi==2020.6.20 -cffi==1.14.3 -chardet==3.0.4 -click==7.1.2 -fastecdsa==1.7.5 -fire==0.3.1 -Flask==1.1.2 -idna==2.10 -itsdangerous==1.1.0 -Jinja2==2.11.3 -loguru==0.5.3 -MarkupSafe==1.1.1 -mnemonic==0.19 -netstruct==1.1.2 -pendulum==2.1.2 -ply==3.11 -pyblake2==1.1.2 -pycparser==2.20 -pysodium==0.7.5 -pytezos==2.5.11 -python-dateutil==2.8.1 -pytzdata==2020.1 -PyYAML==6.0.1 -redis==3.5.3 -requests==2.26.0 -secp256k1==0.13.2 -simplejson==3.17.2 -six==1.15.0 -termcolor==1.1.0 -tqdm==4.51.0 -urllib3==1.26.5 -uWSGI==2.0.19.1 -Werkzeug==1.0.1 diff --git a/rpc-auth/server/index.py b/rpc-auth/server/index.py deleted file mode 100755 index d4e16af67..000000000 --- a/rpc-auth/server/index.py +++ /dev/null @@ -1,167 +0,0 @@ -import os -import re -import time -from functools import cache -from urllib.parse import urljoin -from uuid import uuid4 - -import requests -from flask import Flask, abort, request -from pytezos.crypto import Key -from redis import StrictRedis, WatchError - -TEZOS_RPC_SERVICE_URL = ( - f"http://{os.getenv('TEZOS_RPC_SERVICE')}:{os.getenv('TEZOS_RPC_SERVICE_PORT')}" -) - -app = Flask(__name__) -redis = StrictRedis(host=os.getenv("REDIS_HOST"), port=os.getenv("REDIS_PORT")) - -## ROUTES - - -@app.route("/vending-machine/") -def get_nonce(chain_id): - try: - is_correct_chain_id = verify_chain_id(chain_id) - if not is_correct_chain_id: - abort(401) - except requests.exceptions.RequestException as e: - print("Failed to verify chain id.", e) - abort(500) - - # Tezos client requires the data to be signed in hex format - nonce = uuid4().hex - redis.set(nonce, "", ex=3) - return nonce - - -@app.route("/vending-machine", methods=["POST"]) -def generate_tezos_rpc_url(): - try: - nonce, signature, public_key = [ - request.values[k] for k in ("nonce", "signature", "public_key") - ] - except KeyError as e: - print("Request data:", request.values) - print(e) - abort(400) - - if not is_valid_nonce(nonce): - abort(401) - - tezos_key_object = get_tezos_key_object(public_key) - if not is_valid_signature(tezos_key_object, signature, nonce): - abort(401) - - access_token = uuid4().hex - secret_url = create_secret_url(access_token) - save_access_token(tezos_key_object.public_key_hash(), access_token) - return secret_url - - -@app.route("/auth") -def rpc_auth(): - access_token = extract_access_token(request.headers) - if not is_valid_access_token(access_token): - abort(401) - return "OK", 200 - - -## HELPER FUNCTIONS - - -def verify_chain_id(chain_id): - if chain_id != get_tezos_chain_id(): - return False - return True - - -@cache -def get_tezos_chain_id(): - tezos_chain_id = os.getenv("TEZOS_CHAIN_ID") - if tezos_chain_id: - return tezos_chain_id - chain_id_response = requests.get( - urljoin(TEZOS_RPC_SERVICE_URL, "chains/main/chain_id") - ) - return chain_id_response.text.strip('\n"') - - -def is_valid_nonce(nonce): - with redis.pipeline() as pipeline: - try: - pipeline.watch(nonce) - redis_nonce = pipeline.get(nonce) - pipeline.multi() - pipeline.delete(nonce) - pipeline.execute() - if redis_nonce != None: - return True - except WatchError: - print("Nonce was already validated.") - - return False - - -def get_tezos_key_object(public_key): - try: - return Key.from_encoded_key(public_key) - except ValueError as e: - print("Something is wrong with the public_key provided:", e) - abort(401) - - -def is_valid_signature(key_object, signature, nonce): - try: - bytes_prefix = "0x05" - key_object.verify(signature, bytes_prefix + nonce) - return True - except ValueError as e: - print("Error verifying signature:", e) - return False - - -def create_secret_url(access_token): - return urljoin(request.url_root, f"tezos-node-rpc/{access_token}") - - -def create_redis_access_token_key(access_token, hash=False): - return f"access_token{':hash' if hash else ''}:{access_token}" - - -def save_access_token(tz_address, access_token): - access_token_key = create_redis_access_token_key(access_token) - with redis.pipeline() as pipeline: - # Create redis hash of access token with timestamp and tz address - pipeline.hset( - access_token_key, mapping={"timestamp": time.time(), "address": tz_address} - ) - # Add access token to list of this tz address's tokens - pipeline.sadd(tz_address, access_token_key) - pipeline.execute() - - -def extract_access_token(headers): - original_url = headers.get("X-Original-Url") - regex_obj = re.search(r"tezos-node-rpc/(.*?)/", original_url) - if regex_obj: - return regex_obj.group(1) - - -def is_valid_access_token(access_token): - if ( - access_token - and len(access_token) == 32 # Should be 32 char hex string - and redis.exists(create_redis_access_token_key(access_token)) == 1 - ): - return True - return False - - -if __name__ == "__main__": - app.run( - host="0.0.0.0", - port=8080, - debug=(True if os.getenv("FLASK_ENV") == "development" else False), - ) diff --git a/utils/config-generator.py b/utils/config-generator.py index 1dc547701..b02a2912c 100755 --- a/utils/config-generator.py +++ b/utils/config-generator.py @@ -253,6 +253,7 @@ def expose_secret_key(account_name): if MY_POD_TYPE in ["node", "baker"]: for baking_account in MY_POD_CONFIG.get("bake_using_accounts", {}): if account_name in [baking_account, authorized_key_for(baking_account)]: + return True def get_accounts_signer(signers, account_name):