comment phrasing, per review

charts/tezos/values.yaml

@@ -174,7 +174,10 @@ should_generate_unsafe_deterministic_data: false
 #                            Don't also set `bake_using_accounts`.
 #    - `bake_using_accounts`: List of account names that should be used for baking.
 #                            Don't also set `bake_using_account`.
-#    - `authorized_keys`: List of account names available to the baker to sign signature requests.
+#    - `authorized_keys`: Keys used to authenticate a baker to a signer.
+#                         When a baker uses a remote signer that requires
+#                         authentication, the relevant key from this list
+#                         will be used to sign every signature request.
 #    - `config`: Same as the outer statefulset level `config`. It overrides the
 #                statefulset level.
 #    - `is_bootstrap_node`: Boolean for is this node a bootstrap peer.
@@ -316,7 +319,10 @@ octezSigners: {}
 #    accounts:
 #     - baker0
 #    authorized_keys:
-#     # if set, baker will only sign request authenticated by one of the authorized_keys
+#     # Keys used to authenticate the baker to the signer.
+#     # The baker must have the private key for one of the
+#     # listed accounts. The signer will only sign a request
+#     # from a baker authenticated by an allowed key.
 #     - authorized-key-0
 # ```
 #

utils/config-generator.py

@@ -332,10 +332,16 @@ def expose_secret_key(account_name):
     pod.  It returns the obvious Boolean.
     """
     if MY_POD_TYPE == "activating":
-        all_authorized_keys = [key for node in NODES.values() for instance in node['instances'] for key in instance.get('authorized_keys', [])]
+        all_authorized_keys = [
+            key
+            for node in NODES.values()
+            for instance in node["instances"]
+            for key in instance.get("authorized_keys", [])
+        ]
         if account_name in all_authorized_keys:
-            # populate all known authorized keys in the activation account.
-            # This avoids annoying edge cases for activating private chains, when security is not critical.
+            # Populate authorized keys known by all bakers in the activation account.
+            # This ensures that activation will succeed with a remote signer that requires auth,
+            # regardless of which baker does it.
             return True
         return NETWORK_CONFIG["activation_account_name"] == account_name
 
@@ -461,8 +467,9 @@ def import_keys(all_accounts):
         public_key_hashs.append({"name": account_name, "value": pkh_b58})
         account_values["pkh"] = pkh_b58
 
-        if MY_POD_TYPE == "signing" and \
-            account_name in MY_POD_CONFIG.get("authorized_keys", {}):
+        if MY_POD_TYPE == "signing" and account_name in MY_POD_CONFIG.get(
+            "authorized_keys", {}
+        ):
             print(f"    Appending authorized key: {pk_b58}")
             authorized_keys.append({"name": account_name, "value": pk_b58})
 
@@ -756,7 +763,9 @@ def create_node_snapshot_config_json(history_mode):
     ]
     if octez_version:
         matching_snapshots = [
-            s for s in matching_snapshots if int(octez_version) == s.get("tezos_version").get("version").get("major")
+            s
+            for s in matching_snapshots
+            if int(octez_version) == s.get("tezos_version").get("version").get("major")
         ]
     matching_snapshots = sorted(matching_snapshots, key=lambda s: s.get("block_height"))