feat(mpc-operator-check): adapt the check to aws-kms key for txsender

Author: piizama

charts/mpc-operator-check/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: mpc-operator-check
 description: A Helm chart to execute the MPC-Operator check Job
 type: application
-version: 1.2.0
+version: 1.3.0

charts/mpc-operator-check/templates/NOTES.txt

@@ -1,3 +1,3 @@
 Successfully executed mpc-operator-check, job logs will be available for {{ .Values.job.ttlSecondsAfterFinished }}s by executing:
 
-    kubectl logs -n {{ .Release.Namespace }} jobs/mpc-operator-check --all-containers
+    kubectl logs -n {{ .Release.Namespace }} -l app=mpc-operator-check --all-containers --tail=-1

…ck/templates/mpc-operator-check-job.yaml …tes/mpc-operator-check-job-kms-core.yamlcharts/mpc-operator-check/templates/mpc-operator-check-job.yaml renamed to charts/mpc-operator-check/templates/mpc-operator-check-job-kms-core.yaml charts/mpc-operator-check/templates/mpc-operator-check-job.yaml renamed to charts/mpc-operator-check/templates/mpc-operator-check-job-kms-core.yaml

@@ -1,7 +1,8 @@
+{{- if .Values.mpcOperatorCheck.kmsCore.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mpc-operator-check
+  name: mpc-operator-check-kms-core
   annotations:
     "helm.sh/hook": "pre-install,pre-upgrade"
     "helm.sh/hook-weight": "-1"
@@ -13,6 +14,9 @@ spec:
   maxFailedIndexes: 1
   ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished | int }}
   template:
+    metadata:
+      labels:
+        app: mpc-operator-check
     spec:
       serviceAccountName: {{ .Values.serviceAccount.name }}
       {{- with .Values.podSecurityContext }}
@@ -38,41 +42,6 @@ spec:
             - configMapRef:
                 name: {{ .Values.configmap.name }}
         {{- end }}
-        {{- if .Values.gatewayNode.enabled }}
-        - name: gateway-node-check
-          image: {{ .Values.gatewayNode.image.repository }}:{{ .Values.gatewayNode.image.tag }}
-          imagePullPolicy: Always
-          command:
-            - /bin/sh
-            - -c
-            - |
-              echo "=================================================="
-              {{- .Values.gatewayNode.script | nindent 14 }}
-          envFrom:
-            - configMapRef:
-                name: {{ .Values.configmap.name }}
-        {{- end }}
-        {{- if .Values.ethWallet.enabled }}
-        - name: eth-wallet-check
-          image: {{ .Values.ethWallet.image.repository }}:{{ .Values.ethWallet.image.tag }}
-          imagePullPolicy: Always
-          command:
-            - /bin/sh
-            - -c
-            - |
-              cast wallet address --private-key $KMS_CONNECTOR_PRIVATE_KEY > /config/connector-wallet-address
-              echo "=================================================="
-              {{- .Values.ethWallet.script | nindent 14 }}
-          env:
-            - name: KMS_CONNECTOR_PRIVATE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.ethWallet.secret.name }}
-                  key: {{ .Values.ethWallet.secret.key }}
-          volumeMounts:
-            - name: config
-              mountPath: /config
-        {{- end }}
         {{- if .Values.kubectl.enabled }}
         - name: kubernetes-namespace-check
           image: {{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}
@@ -83,35 +52,12 @@ spec:
             - |
               echo "=================================================="
               {{- .Values.kubectl.script | nindent 14 }}
-        {{- end }}
-        {{- if .Values.postgres.enabled }}
-        - name: postgres-check
-          image: {{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}
-          imagePullPolicy: Always
-          command:
-            - /bin/sh
-            - -c
-            - |
               echo "=================================================="
-              {{- .Values.postgres.script | nindent 14 }}
-          env:
-            - name: DATABASE_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: connector-database
-                  key: endpoint
-            - name: DATABASE_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: connector-database
-                  key: username
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: connector-database
-                  key: password
-            - name: DATABASE_URL
-              value: "postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_ENDPOINT)/kmsconnector"
+              echo "Kubernetes enclave nodes check"
+              kubectl describe node -l node.kubernetes.io/enclave-enabled=true
+              echo "=================================================="
+              echo "Check kms-core logs"
+              kubectl logs -l app=kms-core --prefix -c kms-core-enclave-logger
         {{- end }}
         {{- if .Values.netcat.enabled }}
         - name: netcat-check
@@ -135,8 +81,6 @@ spec:
               # Substitute env vars into kms-server.toml
               envsubst < /chart-config/kms-server.toml > /config/kms-server.toml
               envsubst < /chart-config/vaults.toml >> /config/kms-server.toml
-              # Fetch KMS Signer address from KMS Public bucket
-              curl -sS "${CORE_CLIENT__S3_ENDPOINT}${KMS_CORE__PRIVATE_VAULT__STORAGE__S3__PREFIX}/PUB-p${KMS_CORE__THRESHOLD__MY_ID}/VerfAddress/60b7070add74be3827160aa635fb255eeeeb88586c4debf7ab1134ddceb4beee" > /config/kms-signer-address
               # Copy enclave config to config workdir
               cp /chart-config/enclave.json /config/enclave.json
           envFrom:
@@ -160,22 +104,6 @@ spec:
               echo "Executing {{ .Chart.Name }}:{{ .Chart.Version }}"
               echo "=================================================="
               {{- .Values.kmsCoreClient.script | nindent 14 }}
-              if [[ ! $KMS_CORE__THRESHOLD__MY_ID =~ ^-?[0-9]+$ ]]; then
-                echo "Error: $KMS_CORE__THRESHOLD__MY_ID must be an integer, got: '$KMS_CORE__THRESHOLD__MY_ID'"
-                exit 1
-              fi
-              if [[ -z "connector-wallet-address" ]]; then
-                echo "Error: cannot get connector wallet address, ensure it is created in the secret: {{ .Values.ethWallet.secret.name }}, key: {{ .Values.ethWallet.secret.key }}"
-                exit 1
-              fi
-              if [[ -z "kms-signer-address" ]]; then
-                echo "Error: cannot get KMS signer address, ensure it is created in the public bucket VerfAddress folder"
-                exit 1
-              fi
-              echo "Gateway Contract Configuration for Party #${KMS_CORE__THRESHOLD__MY_ID} (to share with Zama Governance)"
-              echo "KMS_NODE_STORAGE_URL_${KMS_CORE__THRESHOLD__MY_ID}=${CORE_CLIENT__S3_ENDPOINT}"
-              echo "KMS_TX_SENDER_ADDRESS_${KMS_CORE__THRESHOLD__MY_ID}=$(cat /config/connector-wallet-address)"
-              echo "KMS_SIGNER_ADDRESS_${KMS_CORE__THRESHOLD__MY_ID}=$(cat /config/kms-signer-address)"
           envFrom:
             - configMapRef:
                 name: {{ .Values.configmap.name }}
@@ -220,3 +148,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}

charts/mpc-operator-check/templates/mpc-operator-check-kms-connector-job.yaml

@@ -0,0 +1,106 @@
+{{- if .Values.mpcOperatorCheck.kmsConnector.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mpc-operator-check-kms-connector
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  backoffLimit: 0
+  completionMode: Indexed
+  backoffLimitPerIndex: 1
+  maxFailedIndexes: 1
+  ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished | int }}
+  template:
+    metadata:
+      labels:
+        app: mpc-operator-check
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}-connector
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      initContainers:
+        {{- if .Values.gatewayNode.enabled }}
+        - name: gateway-node-check
+          image: {{ .Values.gatewayNode.image.repository }}:{{ .Values.gatewayNode.image.tag }}
+          imagePullPolicy: Always
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              {{- .Values.gatewayNode.script | nindent 14 }}
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.configmap.name }}
+        {{- end }}
+        {{- if .Values.postgres.enabled }}
+        - name: postgres-check
+          image: {{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}
+          imagePullPolicy: Always
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              {{- .Values.postgres.script | nindent 14 }}
+          env:
+            - name: DATABASE_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: connector-database
+                  key: endpoint
+            - name: DATABASE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: connector-database
+                  key: username
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: connector-database
+                  key: password
+            - name: DATABASE_URL
+              value: "postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_ENDPOINT)/kmsconnector"
+        {{- end }}
+      containers:
+        - name: kube-utils
+          image: {{ .Values.ethWallet.image.repository }}:{{ .Values.ethWallet.image.tag }}
+          imagePullPolicy: Always
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              echo "Check kms-connector services /healthz endpoint"
+              curl kms-connector-gw-listener:9100/healtz
+              curl kms-connector-kms-worker:9100/healtz
+              curl kms-connector-tx-sender:9100/healtz
+              echo "=================================================="
+              echo "Check kms-connector logs"
+              kubectl logs -l app=kms-connector-gw-listener --prefix
+              kubectl logs -l app=kms-connector-kms-worker --prefix
+              kubectl logs -l app=kms-connector-tx-sender --prefix
+
+      restartPolicy: Never
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/mpc-operator-check/templates/mpc-operator-check-kms-keys-job.yaml

@@ -0,0 +1,121 @@
+{{- if .Values.mpcOperatorCheck.kmsKeys.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mpc-operator-check-kms-keys
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  backoffLimit: 0
+  completionMode: Indexed
+  backoffLimitPerIndex: 1
+  maxFailedIndexes: 1
+  ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished | int }}
+  template:
+    metadata:
+      labels:
+        app: mpc-operator-check
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}-connector
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      initContainers:
+        - name: run-kms-cert-check
+          image: {{ .Values.kmsCoreClient.image.repository }}:{{ .Values.kmsCoreClient.image.tag }}
+          imagePullPolicy: Always
+          workingDir: /config
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              echo "Executing {{ .Chart.Name }}:{{ .Chart.Version }}"
+              echo "=================================================="
+              echo "Check KMS Core #${KMS_CORE__THRESHOLD__MY_ID} Certificate"
+              echo "=================================================="
+              wget -nv -O certificate.crt "${CORE_CLIENT__S3_ENDPOINT}${KMS_CORE__PRIVATE_VAULT__STORAGE__S3__PREFIX}/PUB-p${KMS_CORE__THRESHOLD__MY_ID}/CACert/60b7070add74be3827160aa635fb255eeeeb88586c4debf7ab1134ddceb4beee"
+              openssl x509 -in certificate.crt -text -noout
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.configmap.name }}
+          volumeMounts:
+            - name: config
+              mountPath: /config
+        - name: eth-wallet-check
+          image: {{ .Values.ethWallet.image.repository }}:{{ .Values.ethWallet.image.tag }}
+          imagePullPolicy: Always
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              cast wallet address --aws > /config/connector-wallet-address
+              {{- .Values.ethWallet.script | nindent 14 }}
+          env:
+            - name: AWS_KMS_KEY_ID
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .Values.configmap.name }}
+                  key: KMS_CONNECTOR__TX_SENDER_AWS_KMS_KEY_ID
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      containers:
+        - name: kube-utils
+          image: {{ .Values.ethWallet.image.repository }}:{{ .Values.ethWallet.image.tag }}
+          imagePullPolicy: Always
+          workingDir: /config
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "=================================================="
+              if [[ ! $KMS_CORE__THRESHOLD__MY_ID =~ ^-?[0-9]+$ ]]; then
+                echo "Error: ${KMS_CORE__THRESHOLD__MY_ID} must be an integer, got: '${KMS_CORE__THRESHOLD__MY_ID}'"
+                exit 1
+              fi
+              if [[ -z "kms-signer-address" ]]; then
+                echo "Error: cannot get KMS signer address, ensure it is created in the public bucket VerfAddress folder"
+                exit 1
+              fi
+              echo "Gateway Contract Configuration for Party #${KMS_CORE__THRESHOLD__MY_ID} (to share with Zama Governance)"
+              echo "KMS_NODE_STORAGE_URL_${KMS_CORE__THRESHOLD__MY_ID}=${CORE_CLIENT__S3_ENDPOINT}"
+              # Fetch KMS Signer address from KMS Public bucket
+              curl -sS "${CORE_CLIENT__S3_ENDPOINT}${KMS_CORE__PRIVATE_VAULT__STORAGE__S3__PREFIX}/PUB-p${KMS_CORE__THRESHOLD__MY_ID}/VerfAddress/60b7070add74be3827160aa635fb255eeeeb88586c4debf7ab1134ddceb4beee" > /config/kms-signer-address
+              echo "KMS_SIGNER_ADDRESS_${KMS_CORE__THRESHOLD__MY_ID}=$(cat /config/kms-signer-address)"
+              if [[ -z "connector-wallet-address" ]]; then
+                echo "Error: cannot get connector wallet address, ensure the KMS-Connector Eth wallet is created in AWS KMS Key ID: ${KMS_CONNECTOR__TX_SENDER_AWS_KMS_KEY_ID}"
+                exit 1
+              fi
+              echo "KMS_TX_SENDER_ADDRESS_${KMS_CORE__THRESHOLD__MY_ID}=$(cat /config/connector-wallet-address)"
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.configmap.name }}
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          emptyDir: {}
+      restartPolicy: Never
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}