feat: expose secret values (#225)

Author: sebastiendan

charts/aggkit/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.4.0
+version: 5.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/aggkit/templates/configmap.yaml

@@ -1,4 +1,4 @@
-{{- $opSecrets := (lookup "v1" "Secret" .Release.Namespace "op-secrets") }}
+{{- $opSecrets := (lookup "v1" "Secret" .Release.Namespace .Values.existingSecret) }}
 
 apiVersion: v1
 kind: ConfigMap
@@ -46,66 +46,66 @@ data:
     {{- if has "aggsender" .Values.config.components }}
 
     [AggSender]
-    {{ if .Values.config.aggSender.privateKey.keyName }}
-    AggsenderPrivateKey = {Method ="GCP", KeyName={{ .Values.config.aggSender.privateKey.keyName | quote }}}
+    {{ if .Values.config.aggsender.privateKey.keyName }}
+    AggsenderPrivateKey = {Method ="GCP", KeyName={{ .Values.config.aggsender.privateKey.keyName | quote }}}
     {{ else }}
-    AggsenderPrivateKey = {Path = "/etc/aggkit/sequencer.keystore", Password = {{ index $opSecrets.data "sequencerPrivateKeyPassword" | b64dec | quote }}}
+    AggsenderPrivateKey = {Path = "/etc/aggkit/{{ .Values.config.aggsender.privateKey.keystoreFileName }}", Password = {{ index $opSecrets.data (.Values.config.aggsender.privateKey.keystoreFilePasswordSecretFieldName) | b64dec | quote }}}
     {{ end }}
 
-    CertificateSendInterval = {{ .Values.config.aggSender.certificateSendInterval | quote }}
-    CheckSettledInterval = {{ .Values.config.aggSender.checkSettledInterval | quote }}
-    MaxCertSize = {{ .Values.config.aggSender.maxCertSize | int }}
-    SaveCertificatesToFilesPath = {{ .Values.config.aggSender.saveCertificatesToFilesPath | quote }}
-    Mode={{ .Values.config.aggSender.mode | quote }}
+    CertificateSendInterval = {{ .Values.config.aggsender.certificateSendInterval | quote }}
+    CheckSettledInterval = {{ .Values.config.aggsender.checkSettledInterval | quote }}
+    MaxCertSize = {{ .Values.config.aggsender.maxCertSize | int }}
+    SaveCertificatesToFilesPath = {{ .Values.config.aggsender.saveCertificatesToFilesPath | quote }}
+    Mode={{ .Values.config.aggsender.mode | quote }}
     RequireNoFEPBlockGap = true
-    DryRun = {{ .Values.config.aggSender.dryRun }}
-    MaxL2BlockNumber = {{ .Values.config.aggSender.maxL2BlockNumber | int }}
+    DryRun = {{ .Values.config.aggsender.dryRun }}
+    MaxL2BlockNumber = {{ .Values.config.aggsender.maxL2BlockNumber | int }}
 
-    {{ if .Values.config.aggSender.optimisticModeEnabled }}
+    {{ if .Values.config.aggsender.optimisticModeEnabled }}
     [AggSender.OptimisticModeConfig]
     SovereignRollupAddr = {{ .Values.config.l1.rollupAddress | quote }}
     # By default use the same key that aggsender  sign certs
-    {{ if .Values.config.aggSender.privateKey.keyName }}
-    TrustedSequencerKey = {Method ="GCP", KeyName={{ .Values.config.aggSender.privateKey.keyName | quote }}}
+    {{ if .Values.config.aggsender.privateKey.keyName }}
+    TrustedSequencerKey = {Method ="GCP", KeyName={{ .Values.config.aggsender.privateKey.keyName | quote }}}
     {{ else }}
-    TrustedSequencerKey = {Path = "/etc/aggkit/sequencer.keystore", Password = {{ index $opSecrets.data "sequencerPrivateKeyPassword" | b64dec | quote }}}
+    TrustedSequencerKey = {Path = "/etc/aggkit/{{ .Values.config.aggsender.privateKey.keystoreFileName }}", Password = {{ index $opSecrets.data (.Values.config.aggsender.privateKey.keystoreFilePasswordSecretFieldName) | b64dec | quote }}}
     {{ end }}
     OpNodeURL = "http://op-node:9545"
     RequireKeyMatchTrustedSequencer = true
     {{ end }}
 
-    {{ if .Values.config.aggSender.mode | eq "AggchainProof" }}
+    {{ if .Values.config.aggsender.mode | eq "AggchainProof" }}
     [AggSender.AggkitProverClient]
-    URL = {{ .Values.config.aggSender.aggkitProverClient.url | quote }}
-    UseTLS = {{ .Values.config.aggSender.aggkitProverClient.useTLS | quote }}
+    URL = {{ .Values.config.aggsender.aggkitProverClient.url | quote }}
+    UseTLS = {{ .Values.config.aggsender.aggkitProverClient.useTLS | quote }}
     {{ end }}
 
     [AggSender.AgglayerClient.GRPC]
-    URL = {{ .Values.config.aggSender.agglayerClient.url | quote }}
-    UseTLS = {{ .Values.config.aggSender.agglayerClient.useTLS | quote }}
+    URL = {{ .Values.config.aggsender.agglayerClient.url | quote }}
+    UseTLS = {{ .Values.config.aggsender.agglayerClient.useTLS | quote }}
 
     [AggSender.ValidatorClient]
-    URL = {{ .Values.config.aggSender.validatorClient.url | quote }}
+    URL = {{ .Values.config.aggsender.validatorClient.url | quote }}
 
     {{- end }}
 
     {{- if has "aggoracle" .Values.config.components }}
 
     [AggOracle]
-    EnableAggOracleCommittee = {{ .Values.config.aggOracle.enableAggOracleCommittee }}
+    EnableAggOracleCommittee = {{ .Values.config.aggoracle.enableAggOracleCommittee }}
 
     [AggOracle.EVMSender]
     GlobalExitRootL2 = {{ .Values.config.l2.globalExitRootAddress | quote }}
 
-    {{ if .Values.config.aggOracle.enableAggOracleCommittee }}
-    AggOracleCommitteeAddr = {{ .Values.config.aggOracle.aggOracleCommitteeAddr | quote }}
+    {{ if .Values.config.aggoracle.enableAggOracleCommittee }}
+    AggOracleCommitteeAddr = {{ .Values.config.aggoracle.aggoracleCommitteeAddr | quote }}
     {{ end }}
 
     [AggOracle.EVMSender.EthTxManager]
-    {{ if .Values.config.aggOracle.privateKey.keyName }}
-    PrivateKeys = [{Method ="GCP", KeyName={{ .Values.config.aggOracle.privateKey.keyName | quote }}}]
+    {{ if .Values.config.aggoracle.privateKey.keyName }}
+    PrivateKeys = [{Method ="GCP", KeyName={{ .Values.config.aggoracle.privateKey.keyName | quote }}}]
     {{ else }}
-    PrivateKeys = [{Path = "/etc/aggkit/aggoracle.keystore", Password = {{ index $opSecrets.data "aggoraclePrivateKeyPassword" | b64dec | quote }}}]
+    PrivateKeys = [{Path = "/etc/aggkit/{{ .Values.config.aggoracle.privateKey.keystoreFileName }}", Password = {{ index $opSecrets.data (.Values.config.aggoracle.privateKey.keystoreFilePasswordSecretFieldName) | b64dec | quote }}}]
     {{ end }}
 
     [AggOracle.EVMSender.EthTxManager.Etherman]
@@ -132,12 +132,16 @@ data:
     [L2GERSync]
     BlockFinality = "LatestBlock"
 
-    {{- if has "aggsender-validator" .Values.config.components }}
-
     [Validator]
-    EnableRPC = true
-    Signer = {Method ="GCP", KeyName={{ .Values.config.validator.privateKey.keyName | quote }}}
-    Mode={{ .Values.config.validator.mode | quote }}
+    EnableRPC = {{ has "aggsender-validator" .Values.config.components }}
+    {{- $pk := ternary .Values.config.aggsenderValidator.privateKey .Values.config.aggsender.privateKey (has "aggsender-validator" .Values.config.components) }}
+    {{- $mode := ternary .Values.config.aggsenderValidator.mode .Values.config.aggsender.mode (has "aggsender-validator" .Values.config.components) }}
+    {{ if $pk.keyName }}
+    Signer = {Method ="GCP", KeyName={{ $pk.keyName | quote }}}
+    {{ else }}
+    Signer = {Path = "/etc/aggkit/{{ $pk.keystoreFileName }}", Password = {{ index $opSecrets.data ($pk.keystoreFilePasswordSecretFieldName) | b64dec | quote }}}
+    {{ end }}
+    Mode={{ $mode | quote }}
 
     [Validator.ServerConfig]
     Host = "0.0.0.0"
@@ -156,9 +160,13 @@ data:
     Capacity = 100
 
     [Validator.AgglayerClient.GRPC]
-    URL = {{ .Values.config.validator.agglayerClient.url | quote }}
-    UseTLS = {{ .Values.config.validator.agglayerClient.useTLS | quote }}
-    {{ end }}
+    {{- if has "aggsender-validator" .Values.config.components }}
+    URL = {{ .Values.config.aggsenderValidator.agglayerClient.url | quote }}
+    UseTLS = {{ .Values.config.aggsenderValidator.agglayerClient.useTLS | quote }}
+    {{- else }}
+    URL = {{ .Values.config.aggsender.agglayerClient.url | quote }}
+    UseTLS = {{ .Values.config.aggsender.agglayerClient.useTLS | quote }}
+    {{- end }}
 
     [Prometheus]
     Enabled = {{ .Values.config.prometheus.enabled }}

charts/aggkit/templates/ingress.yaml

@@ -64,11 +64,11 @@ spec:
                   name: bridge
 {{- end }}
 ---
-{{- if .Values.ingresses.validator.create -}}
+{{- if .Values.ingresses.aggsenderValidator.create -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ include "aggkit.fullname" . }}-validator
+  name: {{ include "aggkit.fullname" . }}-aggsenderValidator
   annotations:
     cert-manager.io/issuer: gcp-cas-issuer
     cert-manager.io/issuer-kind: GoogleCASClusterIssuer
@@ -78,14 +78,14 @@ metadata:
     # protocol for the GCP-managed load balancer
     # See https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress#https_between_client_and_load_balancer
     kubernetes.io/ingress.allow-http: "false"
-    external-dns.alpha.kubernetes.io/hostname: "{{ .Values.ingresses.validator.hostname }}"
+    external-dns.alpha.kubernetes.io/hostname: "{{ .Values.ingresses.aggsenderValidator.hostname }}"
 spec:
   tls:
     - hosts:
-        - {{ .Values.ingresses.validator.hostname }}
-      secretName: "{{ .Values.ingresses.validator.hostname }}-secret-tls"
+        - {{ .Values.ingresses.aggsenderValidator.hostname }}
+      secretName: "{{ .Values.ingresses.aggsenderValidator.hostname }}-secret-tls"
   rules:
-    - host: {{ .Values.ingresses.validator.hostname }}
+    - host: {{ .Values.ingresses.aggsenderValidator.hostname }}
       http:
         paths:
           - path: /

charts/aggkit/templates/statefulset.yaml

@@ -121,15 +121,19 @@ spec:
                   - key: "config.toml"
                     path: "config.toml"
             - secret:
-                name: op-secrets
+                name: {{ .Values.existingSecret }}
                 items:
-                  {{- if has "aggsender" .Values.config.components }}
-                  - key: sequencer.keystore
-                    path: sequencer.keystore
+                  {{- if and (has "aggsender" .Values.config.components) (eq .Values.config.aggsender.privateKey.keyName "") }}
+                  - key: {{ .Values.config.aggsender.privateKey.keystoreFileName }}
+                    path: {{ .Values.config.aggsender.privateKey.keystoreFileName }}
                   {{- end }}
-                  {{- if has "aggoracle" .Values.config.components }}
-                  - key: aggoracle.keystore
-                    path: aggoracle.keystore
+                  {{- if and (has "aggsender-validator" .Values.config.components) (eq .Values.config.aggsenderValidator.privateKey.keyName "") }}
+                  - key: {{ .Values.config.aggsenderValidator.privateKey.keystoreFileName }}
+                    path: {{ .Values.config.aggsenderValidator.privateKey.keystoreFileName }}
+                  {{- end }}
+                  {{- if and (has "aggoracle" .Values.config.components) (eq .Values.config.aggoracle.privateKey.keyName "") }}
+                  - key: {{ .Values.config.aggoracle.privateKey.keystoreFileName }}
+                    path: {{ .Values.config.aggoracle.privateKey.keystoreFileName }}
                   {{- end }}
         {{- end }}
   volumeClaimTemplates:

charts/aggkit/values.yaml

@@ -16,6 +16,8 @@ podLabels:
   partner: Polygon
   network: mynetwork
 
+existingSecret: op-secrets
+
 nodeSelector: {}
 
 tolerations: []
@@ -39,7 +41,7 @@ container:
   ports:
     aggsender: 5576
     bridge: 5577
-    validator: 5578
+    validator: 5578 # named validator as is common to aggsender and aggsender-validator
     prometheus: 9091
 
 service:
@@ -53,7 +55,7 @@ ingresses:
   bridge:
     create: false
     hostname: "something-else.dev.polygon"
-  validator:
+  aggsenderValidator:
     create: false
     hostname: "something-else-else.dev.polygon"
 
@@ -75,7 +77,7 @@ config:
     - aggsender
     - aggoracle
 
-  aggSender:
+  aggsender:
     certificateSendInterval: 1m
     checkSettledInterval: 5s
     maxCertSize: 8388608
@@ -84,7 +86,7 @@ config:
     maxL2BlockNumber: 0
     dryRun: false
 
-    # Set this if aggSender.mode is AggchainProof
+    # Set this if aggsender.mode is AggchainProof
     # aggkitProverClient:
     #   url: "http://aggkit-prover:4446"
     #   useTLS: true
@@ -97,22 +99,32 @@ config:
       url: "http://localhost:5578"
 
     privateKey:
-      keyName: "" # if this string is not empty, aggSender will try to use KMS
+      keyName: "" # if this string is not empty, aggsender will try to use KMS
+      keystoreFileName: "aggsender.keystore"
+      keystoreFilePasswordSecretFieldName: "aggsenderKeystorePassword"
+
     optimisticModeEnabled: false
 
-  validator:
+  aggsenderValidator:
+    mode: "PessimisticProof" # PessimisticProof (PP) or AggchainProof (FEP)
+
     agglayerClient:
       url: "http://agglayer:4444"
       useTLS: true
 
     privateKey:
-      keyName: "" # KMS key name
+      keyName: "" # if this string is not empty, aggsender-validator will try to use KMS
+      keystoreFileName: "aggsenderValidator.keystore"
+      keystoreFilePasswordSecretFieldName: "aggsenderValidatorKeystorePassword"
 
-  aggOracle:
+  aggoracle:
     enableAggOracleCommittee: false
-    aggOracleCommitteeAddr: "0x"
+    aggoracleCommitteeAddr: "0x"
+
     privateKey:
-      keyName: "" # if this string is not empty, aggOracle will try to use KMS
+      keyName: "" # if this string is not empty, aggoracle will try to use KMS
+      keystoreFileName: "aggoracle.keystore"
+      keystoreFilePasswordSecretFieldName: "aggoracleKeystorePassword"
 
   reorgDetectorL1:
     blockFinality: "FinalizedBlock"