AztecProtocol · PhilWindle · Dec 5, 2024 · Dec 4, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/.github/workflows/network-deploy.yml b/.github/workflows/network-deploy.yml
@@ -12,6 +12,14 @@ on:
       aztec_docker_image:
         description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:da809c58290f9590836f45ec59376cbf04d3c4ce-x86_64
         required: true
+      deployment_mnemonic_secret_name:
+        description: The name of the secret which holds the boot node's contract deployment mnemonic
+        required: true
+        default: testnet-deployment-mnemonic
+      respect_tf_lock:
+        description: Whether to respect the Terraform lock
+        required: false
+        default: "true"
 
 jobs:
   network_deployment:
@@ -26,6 +34,7 @@ jobs:
       AZTEC_DOCKER_IMAGE: ${{ inputs.aztec_docker_image }}
       NAMESPACE: ${{ inputs.namespace }}
       VALUES_FILE: ${{ inputs.values_file }}
+      DEPLOYMENT_MNEMONIC_SECRET_NAME: ${{ inputs.deployment_mnemonic_secret_name }}
       CHART_PATH: ./spartan/aztec-network
       CLUSTER_NAME: aztec-gke
       REGION: us-west1-a
@@ -62,6 +71,12 @@ jobs:
             echo "Terraform state bucket already exists"
           fi
 
+      - name: Grab the boot node deployment mnemonic
+        id: get-mnemonic
+        run: |
+          echo "::add-mask::$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})"
+          echo "mnemonic=$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})" >> "$GITHUB_OUTPUT"
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
         with:
@@ -82,8 +97,10 @@ jobs:
             -var="values_file=${{ env.VALUES_FILE }}" \
             -var="gke_cluster_context=${{ env.GKE_CLUSTER_CONTEXT }}" \
             -var="aztec_docker_image=${{ env.AZTEC_DOCKER_IMAGE }}" \
-            -out=tfplan
+            -var="l1_deployment_mnemonic=${{ steps.get-mnemonic.outputs.mnemonic }}" \
+            -out=tfplan \
+            -lock=${{ inputs.respect_tf_lock }}
 
       - name: Terraform Apply
         working-directory: ./spartan/terraform/deploy-release
-        run: terraform apply -auto-approve tfplan
+        run: terraform apply -lock=${{ inputs.respect_tf_lock }} -auto-approve tfplan
diff --git a/spartan/aztec-network/files/config/deploy-l1-contracts.sh b/spartan/aztec-network/files/config/deploy-l1-contracts.sh
@@ -4,16 +4,13 @@ set -exu
 CHAIN_ID=$1
 
 
-# Use default account, it is funded on our dev machine
-export PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
-
 # Run the deploy-l1-contracts command and capture the output
 output=""
 # if INIT_VALIDATORS is true, then we need to pass the validators flag to the deploy-l1-contracts command
 if [ "$INIT_VALIDATORS" = "true" ]; then
-  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --validators $2 --l1-chain-id $CHAIN_ID)
+  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --validators $2 --l1-chain-id $CHAIN_ID)
 else
-  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --l1-chain-id $CHAIN_ID)
+  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --l1-chain-id $CHAIN_ID)
 fi
 
 echo "$output"

diff --git a/spartan/aztec-network/templates/boot-node.yaml b/spartan/aztec-network/templates/boot-node.yaml
@@ -72,6 +72,8 @@ spec:
           env:
             - name: INIT_VALIDATORS
               value: "true"
+            - name: MNEMONIC
+              value: "{{ .Values.aztec.l1DeploymentMnemonic }}"
             - name: ETHEREUM_SLOT_DURATION
               value: "{{ .Values.ethereum.blockTime }}"
             - name: AZTEC_SLOT_DURATION

diff --git a/spartan/aztec-network/templates/reth.yaml b/spartan/aztec-network/templates/reth.yaml
@@ -19,6 +19,43 @@ spec:
       {{- if .Values.network.public }}
       hostNetwork: true
       {{- end }}
+      initContainers:
+        - name: prepare-genesis
+          image: node:18-alpine
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              cd /tmp
+              npm init -y
+              npm install ethers@6
+              cat > derive.js << 'EOF'
+              const { ethers } = require('ethers');
+              const fs = require('fs');
+
+              async function main() {
+                const mnemonic = process.env.DEPLOYMENT_MNEMONIC;
+                const wallet = ethers.Wallet.fromPhrase(mnemonic);
+
+                const genesis = JSON.parse(fs.readFileSync('/genesis-template/genesis.json', 'utf8'));
+
+                genesis.alloc[wallet.address] = {
+                  balance: '0x3635c9adc5dea00000' // 1000 ETH in wei
+                };
+
+                fs.writeFileSync('/genesis-output/genesis.json', JSON.stringify(genesis, null, 2));
+              }
+
+              main().catch(console.error);
+              EOF
+              node derive.js
+          env:
+            - name: DEPLOYMENT_MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic }}
+          volumeMounts:
+            - name: genesis-template
+              mountPath: /genesis-template
+            - name: genesis-output
+              mountPath: /genesis-output
       containers:
         - name: ethereum
           image: "{{ .Values.images.reth.image }}"
@@ -40,17 +77,19 @@ spec:
           volumeMounts:
             - name: shared-volume
               mountPath: /data
-            - name: genesis
+            - name: genesis-output
               mountPath: /genesis
           resources:
             {{- toYaml .Values.ethereum.resources | nindent 12 }}
       volumes:
         - name: shared-volume
           persistentVolumeClaim:
             claimName: {{ include "aztec-network.fullname" . }}-ethereum-pvc
-        - name: genesis
+        - name: genesis-template
           configMap:
             name: {{ include "aztec-network.fullname" . }}-reth-genesis
+        - name: genesis-output
+          emptyDir: {}
 {{if not .Values.network.public }}
 ---
 apiVersion: v1

diff --git a/spartan/aztec-network/values.yaml b/spartan/aztec-network/values.yaml
@@ -34,6 +34,7 @@ aztec:
   epochDuration: 16 # how many L2 slots in an epoch
   epochProofClaimWindow: 13 # in L2 slots
   realProofs: false
+  l1DeploymentMnemonic: "test test test test test test test test test test test junk" # the mnemonic used when deploying contracts
 
 bootNode:
   peerIdPrivateKey: ""

diff --git a/spartan/terraform/deploy-release/deploy.sh b/spartan/terraform/deploy-release/deploy.sh
diff --git a/spartan/terraform/deploy-release/main.tf b/spartan/terraform/deploy-release/main.tf
@@ -46,6 +46,11 @@ resource "helm_release" "aztec-gke-cluster" {
     value = var.AZTEC_DOCKER_IMAGE
   }
 
+  set {
+    name  = "aztec.l1DeploymentMnemonic"
+    value = var.l1_deployment_mnemonic
+  }
+
   # Setting timeout and wait conditions
   timeout       = 1200 # 20 minutes in seconds
   wait          = true

diff --git a/spartan/terraform/deploy-release/release.tfvars b/spartan/terraform/deploy-release/release.tfvars
diff --git a/spartan/terraform/deploy-release/variables.tf b/spartan/terraform/deploy-release/variables.tf
@@ -18,3 +18,9 @@ variable "AZTEC_DOCKER_IMAGE" {
   description = "Docker image to use for the aztec network"
   type        = string
 }
+
+variable "l1_deployment_mnemonic" {
+  description = "Mnemonic to use for the L1 contract deployments"
+  type        = string
+  sensitive   = true
+}
diff --git a/spartan/terraform/gke-cluster-old/firewall.tf b/spartan/terraform/gke-cluster-old/firewall.tf
@@ -0,0 +1,51 @@
+# Create ingress firewall rules for UDP
+resource "google_compute_firewall" "udp_ingress" {
+  name    = "allow-udp-ingress-custom"
+  network = "default"
+  allow {
+    protocol = "udp"
+    ports    = ["40400-40499", "8080", "8545"]
+  }
+  direction     = "INGRESS"
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["gke-node", "aztec-gke-node"]
+}
+
+# Create egress firewall rules for UDP
+resource "google_compute_firewall" "udp_egress" {
+  name    = "allow-udp-egress-custom"
+  network = "default"
+  allow {
+    protocol = "udp"
+    ports    = ["40400-40499", "8080", "8545"]
+  }
+  direction          = "EGRESS"
+  destination_ranges = ["0.0.0.0/0"]
+  target_tags        = ["gke-node", "aztec-gke-node"]
+}
+
+# Create ingress firewall rules for TCP
+resource "google_compute_firewall" "tcp_ingress" {
+  name    = "allow-tcp-ingress-custom"
+  network = "default"
+  allow {
+    protocol = "tcp"
+    ports    = ["40400-40499", "8080", "8545"]
+  }
+  direction     = "INGRESS"
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["gke-node", "aztec-gke-node"]
+}
+
+# Create egress firewall rules for TCP
+resource "google_compute_firewall" "tcp_egress" {
+  name    = "allow-tcp-egress-custom"
+  network = "default"
+  allow {
+    protocol = "tcp"
+    ports    = ["40400-40499", "8080", "8545"]
+  }
+  direction          = "EGRESS"
+  destination_ranges = ["0.0.0.0/0"]
+  target_tags        = ["gke-node", "aztec-gke-node"]
+}