

feat: rekey special accounts at startup so they are not using genesis…
… keys (#733)

Signed-off-by: Jeromy Cannon <[email protected]>
jeromy-cannon authored Feb 13, 2024
1 parent 7f45864 commit 096b5c3
Showing 12 changed files with 778 additions and 427 deletions.
2 changes: 1 addition & 1 deletion charts/fullstack-deployment/config-files/haproxy.cfg
@@ -1,5 +1,5 @@
global
log 127.0.0.1 local0 info
log stdout local0 debug
maxconn 100000
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options ssl-min-ver TLSv1.1
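Review bot: `ssl-default-bind-options ssl-min-ver TLSv1.1` two lines below the changed `log` line is unchanged context, but as this hunk is the only one touching the `global` section it is the place to raise it: TLS 1.1 is deprecated and `ssl-min-ver TLSv1.2` is the usual floor; the ECDH/DH AES-GCM cipher list on the line above presumably remains usable at that floor. The rendered page does not show which of the two `log` lines is the addition; if it is `log stdout local0 debug`, confirm that `debug` is the intended level for this proxy, since it is more verbose than the `info` line it would replace.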
Expand Up @@ -37,6 +37,7 @@ spec:
app: network-{{ $node.name }}
fullstack.hedera.com/type: network-node
fullstack.hedera.com/node-name: {{ $node.name }}
fullstack.hedera.com/account-id: {{ $node.accountId }}
{{- include "fullstack.testLabels" $ | nindent 8 }}
spec:
{{- if $.Values.deployment.nodeSelector }}
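Review bot: The new `fullstack.hedera.com/account-id: {{ $node.accountId }}` label renders with an empty value when a node entry has no `accountId`, and an empty scalar after the colon is parsed as YAML null rather than a string label; `{{ required "accountId is required for node" $node.accountId }}` fails the render early, or `{{ $node.accountId | quote }}` keeps it a string, whichever matches how the chart treats missing node fields elsewhere. The same label is added to the haproxy-svc metadata in the following file section and the same remark applies there. The file path for this section is not visible on the page, so this is stated from the hunk content alone.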
Expand Up @@ -11,6 +11,7 @@ metadata:
labels:
fullstack.hedera.com/type: haproxy-svc
fullstack.hedera.com/node-name: {{ $node.name }}
fullstack.hedera.com/account-id: {{ $node.accountId }}
fullstack.hedera.com/prometheus-endpoint: active
{{- include "fullstack.testLabels" $ | nindent 4 }}
spec:
12 changes: 11 additions & 1 deletion solo/src/commands/flags.mjs
Expand Up @@ -379,6 +379,15 @@ export const log4j2Xml = {
}
}

export const updateAccountKeys = {
name: 'update-account-keys',
definition: {
describe: 'Updates the special account keys to new keys and stores their keys in a corresponding Kubernetes secret',
defaultValue: true,
type: 'boolean'
}
}

export const allFlags = [
devMode,
clusterName,
Expand Down Expand Up @@ -415,7 +424,8 @@ export const allFlags = [
apiPermissionProperties,
bootstrapProperties,
settingTxt,
log4j2Xml
log4j2Xml,
updateAccountKeys
]

export const allFlagsMap = new Map(allFlags.map(f => [f.name, f]))
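Review bot: The `describe` text for the new `updateAccountKeys` flag says what the default does but not what disabling it means, although `defaultValue: true` with `type: 'boolean'` invites a negated form (presumably `--no-update-account-keys` if the parser is yargs); the warning in node.mjs says the special accounts then retain their genesis private keys, and stating that here lets the operator see the consequence at `--help` time, e.g. `describe: 'Updates the special account keys to new keys and stores their keys in a corresponding Kubernetes secret; when disabled the special accounts keep their genesis private keys',`. The `allFlags` hunk below only appends the flag and needs nothing further.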
29 changes: 25 additions & 4 deletions solo/src/commands/node.mjs
Expand Up @@ -36,10 +36,12 @@ export class NodeCommand extends BaseCommand {
if (!opts || !opts.downloader) throw new IllegalArgumentError('An instance of core/PackageDowner is required', opts.downloader)
if (!opts || !opts.platformInstaller) throw new IllegalArgumentError('An instance of core/PlatformInstaller is required', opts.platformInstaller)
if (!opts || !opts.keyManager) throw new IllegalArgumentError('An instance of core/KeyManager is required', opts.keyManager)
if (!opts || !opts.accountManager) throw new IllegalArgumentError('An instance of core/AccountManager is required', opts.accountManager)

this.downloader = opts.downloader
this.plaformInstaller = opts.platformInstaller
this.keyManager = opts.keyManager
this.accountManager = opts.accountManager
}

async checkNetworkNodePod (namespace, nodeId) {
Expand All @@ -65,6 +67,8 @@ export class NodeCommand extends BaseCommand {
let attempt = 0
let isActive = false

await sleep(10000) // sleep in case this the user ran the start command again at a later time

// check log file is accessible
let logFileAccessible = false
while (attempt++ < maxAttempt) {
Expand All @@ -86,7 +90,8 @@ export class NodeCommand extends BaseCommand {
while (attempt < maxAttempt) {
try {
const output = await this.k8.execContainer(podName, constants.ROOT_CONTAINER, ['tail', '-10', logfilePath])
if (output.indexOf(`Now current platform status = ${status}`) > 0) {
if (output.indexOf(`Terminating Netty = ${status}`) < 0 && // make sure we are not at the beginning of a restart
output.indexOf(`Now current platform status = ${status}`) > 0) {
this.logger.debug(`Node ${nodeId} is ${status} [ attempt: ${attempt}/${maxAttempt}]`)
isActive = true
break
Expand All @@ -105,6 +110,8 @@ export class NodeCommand extends BaseCommand {
await sleep(1000)
}

this.logger.info(`!> -- Node ${nodeId} is ${status} -- <!`)

if (!isActive) {
throw new FullstackTestingError(`node '${nodeId}' is not ${status} [ attempt = ${attempt}/${maxAttempt} ]`)
}
Expand Down Expand Up @@ -412,12 +419,14 @@ export class NodeCommand extends BaseCommand {
self.configManager.load(argv)
await prompts.execute(task, self.configManager, [
flags.namespace,
flags.nodeIDs
flags.nodeIDs,
flags.updateAccountKeys
])

ctx.config = {
namespace: self.configManager.getFlag(flags.namespace),
nodeIds: helpers.parseNodeIDs(self.configManager.getFlag(flags.nodeIDs))
nodeIds: helpers.parseNodeIDs(self.configManager.getFlag(flags.nodeIDs)),
updateAccountKeys: self.configManager.getFlag(flags.updateAccountKeys)
}

if (!await this.k8.hasNamespace(ctx.config.namespace)) {
Expand Down Expand Up @@ -473,6 +482,17 @@ export class NodeCommand extends BaseCommand {
}
})
}
},
{
title: 'Update special account keys',
task: async (ctx, task) => {
if (ctx.config.updateAccountKeys) {
await self.accountManager.prepareAccounts(ctx.config.namespace)
} else {
this.logger.showUser(chalk.yellowBright('> WARNING:'), chalk.yellow(
'skipping special account keys update, special accounts will retain genesis private keys'))
}
}
}
], {
concurrent: false,
Expand Down Expand Up @@ -719,7 +739,8 @@ export class NodeCommand extends BaseCommand {
desc: 'Start a node',
builder: y => flags.setCommandFlags(y,
flags.namespace,
flags.nodeIDs
flags.nodeIDs,
flags.updateAccountKeys
),
handler: argv => {
nodeCmd.logger.debug("==== Running 'node start' ===")
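Review bot: The restart guard added to the status check leaves the two tests inconsistent: the new `Terminating Netty` line uses `indexOf(...) < 0` while the retained `Now current platform status` line still uses `indexOf(...) > 0`, which misses a match at offset 0 of the tail output; writing them as `!output.includes(...)` and `output.includes(...)` makes both plain membership tests. The `await sleep(10000)` added a few lines earlier is a fixed delay rather than a check that the previous process has exited, so whether it is long enough for a restarted node presumably depends on the environment; its comment could also read `// sleep in case the user ran the start command again at a later time`. In the new 'Update special account keys' task, `self.accountManager` and `this.logger` are mixed inside the same arrow function; `self.logger.showUser(...)` would match the `self` usage on the line above. The enclosing methods start and end outside these hunks.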

