Prepare for V3 (#465)

* Prepare for V3

* Update image tag

* Update charts/web3signer/values.yaml

Co-authored-by: Dmitri Tsumak <[email protected]>
Signed-off-by: antares-sw <[email protected]>

* Update charts/v3-operator/values.yaml

Co-authored-by: Dmitri Tsumak <[email protected]>
Signed-off-by: antares-sw <[email protected]>

* Update charts/web3signer-validators/values.yaml

Co-authored-by: Dmitri Tsumak <[email protected]>
Signed-off-by: antares-sw <[email protected]>

---------

Signed-off-by: antares-sw <[email protected]>
Co-authored-by: Dmitri Tsumak <[email protected]>

charts/v3-operator/templates/configmap.yaml

@@ -6,7 +6,12 @@ metadata:
     {{- include "common.labels.standard" . | nindent 4 }}
 data:
   DATA_DIR: "/data"
+  {{- if .Values.settings.remoteDbConfig.enabled }}
+  DEPOSIT_DATA_FILE: "/data/{{ .Values.settings.vault }}/deposit_data.json"
+  REMOTE_SIGNER_URL: {{ .Values.settings.remoteDbConfig.remoteSignerUrl | quote }}
+  {{- else }}
   DEPOSIT_DATA_FILE: "/data/{{ .Values.settings.vault }}/deposit/deposit_data.json"
+  {{- end }}
   DATABASE_DIR: "/data"
   VERBOSE: {{ .Values.settings.verbose | quote }}
   NETWORK: {{ .Values.settings.network | quote }}
@@ -18,6 +23,3 @@ data:
   METRICS_HOST: {{ .Values.serviceMonitor.host | quote }}
   METRICS_PORT: {{ .Values.metrics.port | quote }}
   MAX_FEE_PER_GAS_GWEI: {{ .Values.settings.maxFeePerGasGwei | quote }}
-  {{- if .Values.settings.remoteSigner.enabled }}
-  REMOTE_SIGNER_URL: {{ .Values.settings.remoteSigner.url | quote }}
-  {{- end }}

charts/v3-operator/templates/statefulset.yaml

@@ -49,11 +49,39 @@ spec:
             - sh
             - -c
             - >
-              mkdir /data/{{ .Values.settings.vault }} || true;
+              mkdir -p /data/{{ .Values.settings.vault }}/keystores || true;
               chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsUser }} /data
           volumeMounts:
             - name: data
               mountPath: /data
+    {{- end }}
+    {{- if .Values.settings.remoteDbConfig.enabled }}
+        - name: fetch-configs
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+          securityContext:
+            runAsUser: 0
+          command:
+            - python
+          args:
+            - src/main.py
+            - remote-db
+            - --network
+            - {{ .Values.settings.network }}
+            - --db-url
+            - {{ .Values.settings.remoteDbConfig.dbUrl }}
+            - --vault
+            - {{ .Values.settings.vault }}
+            - setup-operator
+          env:
+            - name: PYTHONPATH
+              value: "."
+          envFrom:
+            - configMapRef:
+                name: {{ include "common.names.fullname" . }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
     {{- end }}
       containers:
         - name: v3-operator
@@ -64,6 +92,13 @@ spec:
           args:
             - src/main.py
             - start
+          {{- if .Values.settings.remoteDbConfig.enabled }}
+            - --remote-signer-url
+            - {{ .Values.settings.remoteDbConfig.remoteSignerUrl }}
+          {{- end }}
+          {{- range .Values.settings.extraFlags }}
+            - {{ . }}
+          {{- end }}
           env:
             - name: PYTHONPATH
               value: "."
@@ -80,28 +115,44 @@ spec:
               protocol: TCP
             {{- end }}
           volumeMounts:
+        {{- if or .Values.settings.depositDataSecretName .Values.settings.keystoresSecretName .Values.settings.walletSecretName }}
+          {{- if .Values.settings.depositDataSecretName }}
             - name: deposit-data
               mountPath: /data/{{ .Values.settings.vault }}/deposit
+          {{- end }}
+          {{- if .Values.settings.keystoresSecretName }}
             - name: keystores
               mountPath: /data/{{ .Values.settings.vault }}/keystores
+          {{- end }}
+          {{- if .Values.settings.walletSecretName }}
             - name: wallet
               mountPath: /data/{{ .Values.settings.vault }}/wallet
+          {{- end }}
+        {{- end }}
             - name: data
               mountPath: /data
           {{- with .Values.resources }}
           resources:
             {{ toYaml . | nindent 12 | trim }}
           {{- end }}
+    {{- if or .Values.settings.depositDataSecretName .Values.settings.keystoresSecretName .Values.settings.walletSecretName }}
       volumes:
+      {{- if .Values.settings.depositDataSecretName }}
         - name: deposit-data
           secret:
             secretName: {{ .Values.settings.depositDataSecretName }}
+      {{- end }}
+      {{- if .Values.settings.keystoresSecretName }}
         - name: keystores
           secret:
             secretName: {{ .Values.settings.keystoresSecretName }}
+      {{- end }}
+      {{- if .Values.settings.walletSecretName }}
         - name: wallet
           secret:
             secretName: {{ .Values.settings.walletSecretName }}
+      {{- end }}
+    {{- end}}
   volumeClaimTemplates:
     - metadata:
         name: data

charts/v3-operator/values.yaml

@@ -57,7 +57,7 @@ serviceAccount:
 image:
   registry: "europe-west4-docker.pkg.dev"
   repository: "stakewiselabs/public/v3-operator"
-  tag: "v0.2.5"
+  tag: "v0.3.4"
   pullPolicy: IfNotPresent
   pullSecrets: [ ]
 
@@ -94,17 +94,27 @@ settings:
 
   # Comma separated list of endpoints for the execution node
   executionEndpoints: ""
+
   # Comma separated list of endpoints for the consensus node
   consensusEndpoints: ""
-  # endpoint of the remote signer
-  remoteSigner:
+
+  # Whether to receive configuration files from database
+  # and to receive keyshares from web3signer
+  remoteDbConfig:
     enabled: false
-    url: ""
+    dbUrl: "postgresql://postgres:postgres@localhost/operator"
+    remoteSignerUrl: "http://web3signer:6174"
 
+  # If specified, deposit data will be obtained from the secret
   depositDataSecretName: ""
+  # If specified, keystores will be obtained from the secret
   keystoresSecretName: ""
+  # If specified, wallet will be obtained from the secret
   walletSecretName: ""
 
+  # Additional arguments to path to operator
+  extraFlags: []
+
 ## If false, data ownership will not be reset at startup
 ## This allows the geth node to be run with an arbitrary user
 ##

charts/web3signer-validators/Chart.yaml

@@ -15,14 +15,14 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.1.2
+version: 5.1.0
 
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v4.1.2"
+appVersion: "v5.1.0"
 
 keywords:
   - ethereum

charts/web3signer-validators/templates/statefulset.yaml

@@ -67,13 +67,23 @@ spec:
           imagePullPolicy: {{ $root.Values.cliImage.pullPolicy }}
           securityContext:
             runAsUser: 0
+          env:
+            - name: PYTHONPATH
+              value: "."
+          command:
+            - python
           args:
-            - "key_manager/main.py"
-            - "sync-validator"
-            - "--web3signer-endpoint"
-            - "{{ $root.Values.web3signerEndpoint }}"
+            - src/main.py
+            - remote-db
+            - --network
+            - {{ $root.Values.global.network }}
+            - --vault
+            - {{ $root.Values.global.vault }}
             - "--db-url"
             - "{{ $root.Values.dbKeystoreUrl }}"
+            - setup-validator
+            - "--web3signer-endpoint"
+            - "{{ $root.Values.web3signerEndpoint }}"
             - "--output-dir"
             - "/data"
             - "--total-validators"
@@ -117,11 +127,11 @@ spec:
             {{- end -}}
 
             {{- if eq $root.Values.type "prysm" }}
-            - "--{{ $root.Values.network }}"
+            - "--{{ $root.Values.global.network }}"
             - "--config-file=/data/config"
             - "--validators-external-signer-url={{ $.Values.web3signerEndpoint }}"
             {{- else if eq $root.Values.type "lighthouse" }}
-            - "--network={{ $root.Values.network }}"
+            - "--network={{ $root.Values.global.network }}"
             {{- else if eq $root.Values.type "teku" }}
             - "--network=auto"
             - "--config-file=/data/config"

charts/web3signer-validators/values.yaml

@@ -4,7 +4,13 @@
 
 global:
   imagePullSecrets: []
+  ## Network ID
+  ## Options for Ethereum: mainnet, goerli
+  ## Options for Gnosis: gnosis
+  ##
   network: mainnet
+  # StakeWise V3 Vault contract address
+  vault: ""
 
 ## Provide a name in place of operator for `app:` labels
 ##
@@ -39,8 +45,8 @@ initImageBusybox:
 ##
 cliImage:
   registry: "europe-west4-docker.pkg.dev"
-  repository: "stakewiselabs/public/key-manager"
-  tag: "v0.2.1"
+  repository: "stakewiselabs/public/v3-operator"
+  tag: "v0.3.4"
   pullPolicy: IfNotPresent
 
 ## Database connection string, ex. 'postgresql://username:pass@hostname/dbname'
@@ -153,12 +159,6 @@ affinity: {}
 ##
 priorityClassName: ""
 
-## Network ID
-## Options for Ethereum: mainnet, goerli
-## Options for Gnosis: gnosis
-##
-network: "mainnet"
-
 ## Validators flags
 ##
 flags:

charts/web3signer/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.1.2
+version: 4.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/web3signer/migrations/V00012__add_highwatermark_metadata.sql

@@ -0,0 +1,63 @@
+ALTER TABLE metadata
+    ADD COLUMN high_watermark_epoch NUMERIC(20),
+    ADD COLUMN high_watermark_slot NUMERIC(20);
+
+-- inserted high watermark should be above low watermark
+
+CREATE OR REPLACE FUNCTION check_high_watermarks() RETURNS TRIGGER AS $$
+DECLARE
+    max_slot NUMERIC(20);
+    max_epoch NUMERIC(20);
+BEGIN
+SELECT MAX(slot) INTO max_slot FROM low_watermarks;
+SELECT GREATEST(MAX(target_epoch), MAX(source_epoch)) INTO max_epoch FROM low_watermarks;
+
+IF NEW.high_watermark_slot <= max_slot THEN
+        RAISE EXCEPTION 'Insert/Update violates constraint: high_watermark_slot must be greater than max slot in low_watermarks table';
+END IF;
+
+IF NEW.high_watermark_epoch <= max_epoch THEN
+        RAISE EXCEPTION 'Insert/Update violates constraint: high_watermark_epoch must be greater than max epoch in low_watermarks table';
+END IF;
+
+RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER check_before_insert_or_update_high_watermarks
+    BEFORE INSERT OR UPDATE ON metadata
+                         FOR EACH ROW EXECUTE PROCEDURE check_high_watermarks();
+
+
+-- inserted low watermark should be below or the same as high watermark
+
+CREATE OR REPLACE FUNCTION check_low_watermarks() RETURNS TRIGGER AS $$
+DECLARE
+    high_slot NUMERIC(20);
+    high_epoch NUMERIC(20);
+BEGIN
+SELECT MIN(high_watermark_slot) INTO high_slot FROM metadata;
+SELECT MIN(high_watermark_epoch) INTO high_epoch FROM metadata;
+
+IF NEW.slot > high_slot THEN
+        RAISE EXCEPTION 'Insert/Update violates constraint: low_watermark slot must be less than or equal to high_watermark_slot in the metadata table';
+END IF;
+
+IF NEW.source_epoch > high_epoch THEN
+        RAISE EXCEPTION 'Insert/Update violates constraint: low_watermark source epoch must be less than or equal to high_watermark_epoch in the metadata table';
+END IF;
+
+IF NEW.target_epoch > high_epoch THEN
+        RAISE EXCEPTION 'Insert/Update violates constraint: low_watermark target epoch must be less than or equal to high_watermark_epoch in the metadata table';
+END IF;
+
+RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER check_before_insert_or_update_low_watermarks
+    BEFORE INSERT OR UPDATE ON low_watermarks
+                         FOR EACH ROW EXECUTE PROCEDURE check_low_watermarks();
+
+
+UPDATE database_version SET version = 12 WHERE id = 1;

charts/web3signer/templates/secret.yaml

@@ -37,4 +37,4 @@ metadata:
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
 data:
-    DECRYPTION_KEY: {{ .Values.decryptionKey | b64enc | quote }}
+    DECRYPTION_KEY: {{ .Values.decryptionKey | b64enc | quote }}

charts/web3signer/templates/statefulset.yaml

@@ -56,12 +56,34 @@ spec:
         - name: fetch-keys
           image: "{{ .Values.cliImage.registry }}/{{ .Values.cliImage.repository }}:{{ .Values.cliImage.tag }}"
           imagePullPolicy: {{ .Values.cliImage.pullPolicy }}
+          command:
+            - python
+          args:
+            - src/main.py
+            - remote-db
+            - --network
+          {{ if eq .Values.network "prater"}}
+            - goerli
+          {{- else }}
+            - {{ .Values.network }}
+          {{- end }}
+            - --db-url
+            - {{ .Values.dbKeystoreUrl }}
+            - --vault
+            - {{ .Values.vault }}
+            - setup-web3signer
+            - --encrypt-key
+            - {{ .Values.decryptionKey }}
+            - --output-dir
+            - /data/keystore
           securityContext:
             runAsUser: 0
+          env:
+            - name: PYTHONPATH
+              value: "."
           envFrom:
             - secretRef:
                 name: {{ include "common.names.fullname" . }}
-          args: ["key_manager/main.py", "sync-web3signer", "--db-url", "{{ .Values.dbKeystoreUrl }}", "--output-dir", "/data/keystore"]
           volumeMounts:
             - name: data
               mountPath: /data

charts/web3signer/values.yaml

@@ -27,8 +27,8 @@ initImage:
 ##
 cliImage:
   registry: "europe-west4-docker.pkg.dev"
-  repository: "stakewiselabs/public/key-manager"
-  tag: "v0.2.1"
+  repository: "stakewiselabs/public/v3-operator"
+  tag: "v0.3.4"
   pullPolicy: IfNotPresent
 
 ## Database connection string, ex. 'postgresql://username:pass@hostname/dbname'
@@ -62,6 +62,9 @@ fullnameOverride: ""
 ## ref: https://docs.web3signer.consensys.net/en/latest/Reference/CLI/CLI-Syntax/
 ##
 
+# StakeWise V3 Vault contract address
+vault: ""
+
 ## Network
 ## Options: mainnet, prater, gnosis
 network: "mainnet"