Skip to content

fix: remove secret management #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Sneh1999 wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix: remove secret management #26

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 0 additions & 68 deletions aws-nitro/nitro/docker/aws-nitro-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,53 +42,6 @@ fi
echo "Unmounting config"
umount "${ENCLAVE_CONFIG_SOURCE_DIR}" || echo "WARNING: Failed to unmount config directory" >&2

SECRET=$(aws secretsmanager get-secret-value \
--secret-id "$AWS_SECRET_ID" \
--region "$AWS_REGION" \
--query SecretString \
--output text) || {
echo "ERROR: Failed to retrieve config from Secrets Manager"
exit 1
}

SECRET_JSON=$(echo "$SECRET" | jq -r '.parameters')
if [[ "$SECRET_JSON" == "null" || -z "$SECRET_JSON" ]]; then
echo "ERROR: no parameters found in retrieved secret" >&2
exit 1
fi

echo "Succesfully retrieved secrets from aws"
RPC_URL=$(echo "$SECRET_JSON" | jq -r '."rpc-url"')
if [[ "$RPC_URL" == "null" || -z "$RPC_URL" ]]; then
echo "ERROR: 'rpc-url' is missing or null in config" >&2
exit 1
fi
PRIVATE_KEY=$(echo "$SECRET_JSON" | jq -r '."private-key"')
if [[ "$PRIVATE_KEY" == "null" || -z "$PRIVATE_KEY" ]]; then
echo "ERROR: 'private-key' is missing or null in config" >&2
exit 1
fi
# Set these to default if not present
TXN_MONITOR_INTERVAL=$(echo "$SECRET_JSON" | jq -r '."txn-monitor-interval" // "125ms"')
TXN_RESUBMIT_INTERVAL=$(echo "$SECRET_JSON" | jq -r '."txn-resubmit-interval" // "125ms"')
STREAMER_POLLING_INTERVAL=$(echo "$SECRET_JSON" | jq -r '."streamer-polling-interval" //"10s"')
DA_REST_AGGREGATOR=$(echo "$SECRET_JSON" | jq -c '."da-rest-aggregator" // empty')
DA_RPC_AGGREGATOR=$(echo "$SECRET_JSON" | jq -c '."da-rpc-aggregator" // empty')
CELESTIA_URL=$(echo "$SECRET_JSON" | jq -r '."celestia-url" // empty')
DA_ENABLED=$(jq -r '.node."data-availability".enable // false' "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json")
CELESTIA_ENABLED=$(jq -r '.node."celestia-cfg".enable // false' "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json")
if [[ "$DA_ENABLED" == "true" ]]; then
if [[ -z "$DA_REST_AGGREGATOR" || -z "$DA_RPC_AGGREGATOR" ]]; then
echo "ERROR: data-availability is enabled but da-rest-aggregator or da-rpc-aggregator are missing from secret config" >&2
exit 1
fi
fi
if [[ "$CELESTIA_ENABLED" == "true" ]]; then
if [[ -z "$CELESTIA_URL" ]]; then
echo "ERROR: celestia is enabled but celestia-url is missing from secret config" >&2
exit 1
fi
fi
CONFIG_SHA=$(jq -cS 'del(
.node."batch-poster"."parent-chain-wallet"."private-key",
.node.espresso."batch-poster"."txns-monitoring-interval",
Expand All @@ -114,22 +67,6 @@ else
echo "Config sha256 verified"
fi

if [[ "$DA_ENABLED" == "true" ]]; then
echo "Injecting data-availability aggregators from aws secrets into config"
jq --argjson rest "$DA_REST_AGGREGATOR" --argjson rpc "$DA_RPC_AGGREGATOR" --arg rpc_url "$RPC_URL" \
'.node["data-availability"]["rest-aggregator"] = $rest | .node["data-availability"]["rpc-aggregator"] = $rpc | .node["data-availability"]["parent-chain-node-url"] = $rpc_url' \
"${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json" > /tmp/poster_config_patched.json
mv /tmp/poster_config_patched.json "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json"
fi

if [[ "$CELESTIA_ENABLED" == "true" ]]; then
echo "Injecting celestia URL from aws secrets into config"
jq --arg url "$CELESTIA_URL" \
'.node["celestia-cfg"]["url"] = $url' \
"${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json" > /tmp/poster_config_patched.json
mv /tmp/poster_config_patched.json "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json"
fi

echo "Starting vsock server"
socat VSOCK-LISTEN:8005,fork,keepalive SYSTEM:./server.sh &
sleep 5
Expand All @@ -143,9 +80,4 @@ mount -t nfs4
exec /usr/local/bin/nitro \
--validation.wasm.enable-wasmroots-check=false \
--conf.file "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json" \
--node.batch-poster.parent-chain-wallet.private-key="${PRIVATE_KEY}" \
--parent-chain.connection.url="${RPC_URL}" \
--node.espresso.batch-poster.txns-monitoring-interval="${TXN_MONITOR_INTERVAL}" \
--node.espresso.batch-poster.txns-resubmission-interval="${TXN_RESUBMIT_INTERVAL}" \
--node.espresso.streamer.txns-polling-interval="${STREAMER_POLLING_INTERVAL}" \
2>&1 | while IFS= read -r line || [[ -n "$line" ]]; do [ ${#line} -gt 4096 ] && echo "${line:0:4076}... [line truncated]" || echo "$line"; done
Loading