feat(infra): migrate to standalone keyfunder package with ExternalSecrets

Author: paulbalaji

pnpm-lock.yaml

@@ -1,10 +1,24 @@
-export const DockerImageRepos = {
-  AGENT: 'gcr.io/abacus-labs-dev/hyperlane-agent',
-  MONOREPO: 'gcr.io/abacus-labs-dev/hyperlane-monorepo',
-  WARP_MONITOR: 'gcr.io/abacus-labs-dev/hyperlane-warp-monitor',
-  REBALANCER: 'gcr.io/abacus-labs-dev/hyperlane-rebalancer',
+const GCR_REGISTRY = 'gcr.io/abacus-labs-dev';
+
+export const DockerImageNames = {
+  AGENT: 'hyperlane-agent',
+  MONOREPO: 'hyperlane-monorepo',
+  KEY_FUNDER: 'hyperlane-key-funder',
+  WARP_MONITOR: 'hyperlane-warp-monitor',
+  REBALANCER: 'hyperlane-rebalancer',
 } as const;
 
+type DockerImageReposType = {
+  [K in keyof typeof DockerImageNames]: `${typeof GCR_REGISTRY}/${(typeof DockerImageNames)[K]}`;
+};
+
+export const DockerImageRepos = Object.fromEntries(
+  Object.entries(DockerImageNames).map(([key, name]) => [
+    key,
+    `${GCR_REGISTRY}/${name}`,
+  ]),
+) as DockerImageReposType;
+
 interface AgentDockerTags {
   relayer: string;
   relayerRC: string;

typescript/infra/config/docker.ts

@@ -36,7 +36,7 @@ export const keyFunderConfig: KeyFunderConfig<
   typeof mainnet3SupportedChainNames
 > = {
   docker: {
-    repo: DockerImageRepos.MONOREPO,
+    repo: DockerImageRepos.KEY_FUNDER,
     tag: mainnetDockerTags.keyFunder,
   },
   // We're currently using the same deployer/key funder key as mainnet2.

typescript/infra/config/environments/mainnet3/funding.ts

@@ -10,7 +10,7 @@ export const keyFunderConfig: KeyFunderConfig<
   typeof testnet4SupportedChainNames
 > = {
   docker: {
-    repo: DockerImageRepos.MONOREPO,
+    repo: DockerImageRepos.KEY_FUNDER,
     tag: testnetDockerTags.keyFunder,
   },
   // We're currently using the same deployer key as testnet2.

typescript/infra/config/environments/testnet4/funding.ts

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: key-funder-config
+  labels:
+    {{- include "hyperlane.labels" . | nindent 4 }}
+data:
+  keyfunder.yaml: |
+{{ .Values.hyperlane.keyfunderConfig | indent 4 }}

typescript/infra/helm/key-funder/templates/addresses-external-secret.yaml

@@ -10,7 +10,7 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-      activeDeadlineSeconds: 14400 # 60 * 60 * 4 seconds = 4 hours
+      activeDeadlineSeconds: 14400
       template:
         metadata:
           labels:
@@ -21,52 +21,33 @@ spec:
           - name: key-funder
             image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
             imagePullPolicy: IfNotPresent
-            command:
-            - pnpm
-            - exec
-            - tsx
-            - ./typescript/infra/scripts/funding/fund-keys-from-deployer.ts
-            - -e
-            - {{ .Values.hyperlane.runEnv }}
-            - --context
-            - {{ .Values.hyperlane.contextFundingFrom }}
-{{- range $context, $roles := .Values.hyperlane.contextsAndRolesToFund }}
-            - --contexts-and-roles
-            - {{ $context }}={{ join "," $roles }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredBalancePerChain }}
-            - --desired-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredKathyBalancePerChain }}
-            - --desired-kathy-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredRebalancerBalancePerChain }}
-            - --desired-rebalancer-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.igpClaimThresholdPerChain }}
-            - --igp-claim-threshold-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- if .Values.hyperlane.chainsToSkip }}
-            - --chain-skip-override
-{{- range $index, $chain := .Values.hyperlane.chainsToSkip }}
-            - {{ $chain }}
-{{- end }}
-{{- end }}
             env:
+            - name: LOG_FORMAT
+              value: json
+            - name: LOG_LEVEL
+              value: info
+            - name: KEYFUNDER_CONFIG_FILE
+              value: /config/keyfunder.yaml
+            {{- if .Values.hyperlane.registryUri }}
+            - name: REGISTRY_URI
+              value: {{ .Values.hyperlane.registryUri }}
+            {{- end }}
+            {{- if .Values.hyperlane.skipIgpClaim }}
+            - name: SKIP_IGP_CLAIM
+              value: "true"
+            {{- end }}
+            {{- if .Values.hyperlane.prometheusPushGateway }}
             - name: PROMETHEUS_PUSH_GATEWAY
-              value: {{ .Values.infra.prometheusPushGateway }}
+              value: {{ .Values.hyperlane.prometheusPushGateway }}
+            {{- end }}
             envFrom:
             - secretRef:
                 name: key-funder-env-var-secret
             volumeMounts:
-            - name: key-funder-addresses-secret
-              mountPath: /addresses-secret
+            - name: config
+              mountPath: /config
+              readOnly: true
           volumes:
-          - name: key-funder-addresses-secret
-            secret:
-              secretName: key-funder-addresses-secret
-              defaultMode: 0400
+          - name: config
+            configMap:
+              name: key-funder-config

typescript/infra/helm/key-funder/templates/configmap.yaml

@@ -9,7 +9,6 @@ spec:
     name: {{ include "hyperlane.cluster-secret-store.name" . }}
     kind: ClusterSecretStore
   refreshInterval: "1h"
-  # The secret that will be created
   target:
     name: key-funder-env-var-secret
     template:
@@ -20,24 +19,14 @@ spec:
         annotations:
           update-on-redeploy: "{{ now }}"
       data:
-        GCP_SECRET_OVERRIDES_ENABLED: "true"
-        GCP_SECRET_OVERRIDE_HYPERLANE_{{ .Values.hyperlane.runEnv | upper }}_KEY_DEPLOYER: {{ print "'{{ .deployer_key | toString }}'" }}
-{{/*
-   * For each network, create an environment variable with the RPC endpoint.
-   * The templating of external-secrets will use the data section below to know how
-   * to replace the correct value in the created secret.
-   */}}
+        HYP_KEY: {{ print "'{{ $json := .funder_key | fromJson }}{{ $json.privateKey }}'" }}
         {{- range .Values.hyperlane.chains }}
-        GCP_SECRET_OVERRIDE_{{ $.Values.hyperlane.runEnv | upper }}_RPC_ENDPOINTS_{{ . | upper }}: {{ printf "'{{ .%s_rpcs | toString }}'" . }}
+        RPC_URL_{{ . | upper | replace "-" "_" }}: {{ printf "'{{ index (.%s_rpcs | fromJson) 0 }}'" . }}
         {{- end }}
   data:
-  - secretKey: deployer_key
+  - secretKey: funder_key
     remoteRef:
       key: {{ printf "hyperlane-%s-key-deployer" .Values.hyperlane.runEnv }}
-{{/*
-   * For each network, load the secret in GCP secret manager with the form: environment-rpc-endpoint-network,
-   * and associate it with the secret key networkname_rpc.
-   */}}
   {{- range .Values.hyperlane.chains }}
   - secretKey: {{ printf "%s_rpcs" . }}
     remoteRef:

typescript/infra/helm/key-funder/templates/cron-job.yaml

@@ -1,18 +1,16 @@
 image:
-  repository: gcr.io/hyperlane-labs-dev/hyperlane-monorepo
-  tag:
+  repository: gcr.io/abacus-labs-dev/hyperlane-key-funder
+  tag: latest
 hyperlane:
-  runEnv: testnet2
-  # Used for fetching secrets
+  runEnv: testnet4
   chains: []
   chainsToSkip: []
-  contextFundingFrom: hyperlane
-  # key = context, value = array of roles to fund
-  contextsAndRolesToFund:
-    hyperlane:
-      - relayer
+  registryUri: ''
+  keyfunderConfig: ''
+  skipIgpClaim: false
+  prometheusPushGateway: ''
 cronjob:
-  schedule: '*/10 * * * *' # Every 10 minutes
+  schedule: '*/10 * * * *'
   successfulJobsHistoryLimit: 6
   failedJobsHistoryLimit: 10
 externalSecrets:

typescript/infra/helm/key-funder/templates/env-var-external-secret.yaml

@@ -18,6 +18,7 @@
     "@hyperlane-xyz/core": "workspace:*",
     "@hyperlane-xyz/helloworld": "workspace:*",
     "@hyperlane-xyz/http-registry-server": "workspace:*",
+    "@hyperlane-xyz/keyfunder": "workspace:*",
     "@hyperlane-xyz/metrics": "workspace:*",
     "@hyperlane-xyz/rebalancer": "workspace:*",
     "@hyperlane-xyz/registry": "catalog:",