chore: use non default mnemonic for releases

.github/workflows/network-deploy.yml

@@ -12,6 +12,14 @@ on:
       aztec_docker_image:
         description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:da809c58290f9590836f45ec59376cbf04d3c4ce-x86_64
         required: true
+      deployment_mnemonic_secret_name:
+        description: The name of the secret which holds the boot node's contract deployment mnemonic
+        required: true
+        default: testnet-deployment-mnemonic
+      respect_tf_lock:
+        description: Whether to respect the Terraform lock
+        required: false
+        default: "true"
 
 jobs:
   network_deployment:
@@ -26,6 +34,7 @@ jobs:
       AZTEC_DOCKER_IMAGE: ${{ inputs.aztec_docker_image }}
       NAMESPACE: ${{ inputs.namespace }}
       VALUES_FILE: ${{ inputs.values_file }}
+      DEPLOYMENT_MNEMONIC_SECRET_NAME: ${{ inputs.deployment_mnemonic_secret_name }}
       CHART_PATH: ./spartan/aztec-network
       CLUSTER_NAME: aztec-gke
       REGION: us-west1-a
@@ -62,6 +71,12 @@ jobs:
             echo "Terraform state bucket already exists"
           fi
 
+      - name: Grab the boot node deployment mnemonic
+        id: get-mnemonic
+        run: |
+          echo "::add-mask::$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})"
+          echo "mnemonic=$(gcloud secrets versions access latest --secret=${{ env.DEPLOYMENT_MNEMONIC_SECRET_NAME }})" >> "$GITHUB_OUTPUT"
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
         with:
@@ -82,8 +97,10 @@ jobs:
             -var="values_file=${{ env.VALUES_FILE }}" \
             -var="gke_cluster_context=${{ env.GKE_CLUSTER_CONTEXT }}" \
             -var="aztec_docker_image=${{ env.AZTEC_DOCKER_IMAGE }}" \
-            -out=tfplan
+            -var="l1_deployment_mnemonic=${{ steps.get-mnemonic.outputs.mnemonic }}" \
+            -out=tfplan \
+            -lock=${{ inputs.respect_tf_lock }}
 
       - name: Terraform Apply
         working-directory: ./spartan/terraform/deploy-release
-        run: terraform apply -auto-approve tfplan
+        run: terraform apply -lock=${{ inputs.respect_tf_lock }} -auto-approve tfplan

spartan/aztec-network/files/config/deploy-l1-contracts.sh

@@ -4,16 +4,13 @@ set -exu
 CHAIN_ID=$1
 
 
-# Use default account, it is funded on our dev machine
-export PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
-
 # Run the deploy-l1-contracts command and capture the output
 output=""
 # if INIT_VALIDATORS is true, then we need to pass the validators flag to the deploy-l1-contracts command
 if [ "$INIT_VALIDATORS" = "true" ]; then
-  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --validators $2 --l1-chain-id $CHAIN_ID)
+  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --validators $2 --l1-chain-id $CHAIN_ID)
 else
-  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --l1-chain-id $CHAIN_ID)
+  output=$(node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js deploy-l1-contracts --mnemonic "$MNEMONIC" --l1-chain-id $CHAIN_ID)
 fi
 
 echo "$output"

spartan/aztec-network/templates/boot-node.yaml

@@ -72,6 +72,8 @@ spec:
           env:
             - name: INIT_VALIDATORS
               value: "true"
+            - name: MNEMONIC
+              value: "{{ .Values.aztec.l1DeploymentMnemonic }}"
             - name: ETHEREUM_SLOT_DURATION
               value: "{{ .Values.ethereum.blockTime }}"
             - name: AZTEC_SLOT_DURATION

spartan/aztec-network/templates/reth.yaml

@@ -19,6 +19,43 @@ spec:
       {{- if .Values.network.public }}
       hostNetwork: true
       {{- end }}
+      initContainers:
+        - name: prepare-genesis
+          image: node:18-alpine
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              cd /tmp
+              npm init -y
+              npm install ethers@6
+              cat > derive.js << 'EOF'
+              const { ethers } = require('ethers');
+              const fs = require('fs');
+
+              async function main() {
+                const mnemonic = process.env.DEPLOYMENT_MNEMONIC;
+                const wallet = ethers.Wallet.fromPhrase(mnemonic);
+
+                const genesis = JSON.parse(fs.readFileSync('/genesis-template/genesis.json', 'utf8'));
+
+                genesis.alloc[wallet.address] = {
+                  balance: '0x3635c9adc5dea00000' // 1000 ETH in wei
+                };
+
+                fs.writeFileSync('/genesis-output/genesis.json', JSON.stringify(genesis, null, 2));
+              }
+
+              main().catch(console.error);
+              EOF
+              node derive.js
+          env:
+            - name: DEPLOYMENT_MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic }}
+          volumeMounts:
+            - name: genesis-template
+              mountPath: /genesis-template
+            - name: genesis-output
+              mountPath: /genesis-output
       containers:
         - name: ethereum
           image: "{{ .Values.images.reth.image }}"
@@ -40,17 +77,19 @@ spec:
           volumeMounts:
             - name: shared-volume
               mountPath: /data
-            - name: genesis
+            - name: genesis-output
               mountPath: /genesis
           resources:
             {{- toYaml .Values.ethereum.resources | nindent 12 }}
       volumes:
         - name: shared-volume
           persistentVolumeClaim:
             claimName: {{ include "aztec-network.fullname" . }}-ethereum-pvc
-        - name: genesis
+        - name: genesis-template
           configMap:
             name: {{ include "aztec-network.fullname" . }}-reth-genesis
+        - name: genesis-output
+          emptyDir: {}
 {{if not .Values.network.public }}
 ---
 apiVersion: v1

spartan/aztec-network/values.yaml

@@ -34,6 +34,7 @@ aztec:
   epochDuration: 16 # how many L2 slots in an epoch
   epochProofClaimWindow: 13 # in L2 slots
   realProofs: false
+  l1DeploymentMnemonic: "test test test test test test test test test test test junk" # the mnemonic used when deploying contracts
 
 bootNode:
   peerIdPrivateKey: ""

spartan/terraform/deploy-release/main.tf

@@ -46,6 +46,11 @@ resource "helm_release" "aztec-gke-cluster" {
     value = var.AZTEC_DOCKER_IMAGE
   }
 
+  set {
+    name  = "aztec.l1DeploymentMnemonic"
+    value = var.l1_deployment_mnemonic
+  }
+
   # Setting timeout and wait conditions
   timeout       = 1200 # 20 minutes in seconds
   wait          = true

spartan/terraform/deploy-release/variables.tf

@@ -18,3 +18,9 @@ variable "AZTEC_DOCKER_IMAGE" {
   description = "Docker image to use for the aztec network"
   type        = string
 }
+
+variable "l1_deployment_mnemonic" {
+  description = "Mnemonic to use for the L1 contract deployments"
+  type        = string
+  sensitive   = true
+}

spartan/terraform/gke-cluster/main.tf

@@ -1,7 +1,7 @@
 terraform {
   backend "s3" {
     bucket = "aztec-terraform"
-    key    = "spartan-gke-cluster/terraform.tfstate"
+    key    = "aztec-gke-cluster/terraform.tfstate"
     region = "eu-west-2"
   }
   required_providers {
@@ -49,7 +49,8 @@ resource "google_service_account" "helm_sa" {
 resource "google_project_iam_member" "helm_sa_roles" {
   for_each = toset([
     "roles/container.admin",
-    "roles/storage.admin"
+    "roles/storage.admin",
+    "roles/secretmanager.admin"
   ])
   project = var.project
   role    = each.key
@@ -58,7 +59,7 @@ resource "google_project_iam_member" "helm_sa_roles" {
 
 # Create a GKE cluster
 resource "google_container_cluster" "primary" {
-  name     = "spartan-gke"
+  name     = var.cluster_name
   location = var.zone
 
   initial_node_count = 1

spartan/terraform/gke-cluster/variables.tf

@@ -3,9 +3,13 @@ variable "project" {
 }
 
 variable "region" {
-  default = "us-east4"
+  default = "us-west1"
 }
 
 variable "zone" {
-  default = "us-east4-a"
+  default = "us-west1-a"
+}
+
+variable "cluster_name" {
+  default = "aztec-gke"
 }