diff --git a/.env.example b/.env.example
index 3bff029..a72a879 100644
--- a/.env.example
+++ b/.env.example
@@ -89,5 +89,5 @@ NODE_PUBLIC_IP_PROVIDER=seeip
 # TODO: Operators need to add password to decrypt the above keys
 # If you have some special characters in password, make sure to use single quotes
-NODE_ECDSA_KEY_PASSWORD=''
-NODE_BLS_KEY_PASSWORD=''
\ No newline at end of file
+NODE_ECDSA_KEY_PASSWORD=/run/secrets/ecdsa_key_password
+NODE_BLS_KEY_PASSWORD=/run/secrets/bls_key_password
diff --git a/README.md b/README.md
index 7d21324..5d27b1f 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,11 @@ cp .env.example .env
 ```
 Update the `TODO` sections in the `.env` file given in the root directory of the repository with your own details.:
+### Create Docker Secrets
+```bash
+echo "your_ecdsa_password" | docker secret create ecdsa_key_password -
+echo "your_bls_password" | docker secret create bls_key_password -
+```
 ### Create some local folders which are required by EigenDA
 ```bash
 mkdir -p $HOME/.eigenlayer/eigenda/logs
diff --git a/docker-compose.yml b/docker-compose.yml
index cfc88b0..4755466 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,6 +20,9 @@ services:
 da-node:
 env_file:
 - .env
+ secrets:
+ - ecdsa_key_password
+ - bls_key_password
 container_name: ${MAIN_SERVICE_NAME}
 image: ${MAIN_SERVICE_IMAGE}
 ports:
@@ -36,6 +39,11 @@ services:
 - "${NODE_LOG_PATH_HOST}:/app/logs:rw"
 - "${NODE_DB_PATH_HOST}:/data/operator/db:rw"
 restart: unless-stopped
+secrets:
+ ecdsa_key_password:
+ external: true
+ bls_key_password:
+ external: true
 networks:
 eigenda:
 name: ${NETWORK_NAME}
diff --git a/run.sh b/run.sh
index 6d2743e..219270a 100755
--- a/run.sh
+++ b/run.sh
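Review bot: The two comment lines kept above the new values now contradict them — they still tell operators to "add password" and to "use single quotes", while the values are container-side paths to the secret files. Unless the da-node binary dereferences `NODE_ECDSA_KEY_PASSWORD` as a file path (nothing in this change shows that), the service will treat the literal string `/run/secrets/ecdsa_key_password` as the password and key decryption will fail; please confirm against the node's config loader. Suggested replacement for the two comment lines: `# Paths (inside the container) to the Docker secrets holding the key passwords` and `# Create the secrets first; see "Create Docker Secrets" in README.md`.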
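Review bot: The `external: true` secrets in the second docker-compose.yml hunk depend on the secrets already existing in the engine's secret store, which `docker secret create` only provides in Swarm mode; with a plain `docker compose up` I believe such secrets are skipped or rejected rather than mounted, so the `secrets:` block added to `da-node` in the first hunk would leave `/run/secrets/*` empty. Either document that the stack must be deployed with Swarm (`docker stack deploy`), or declare the secrets with `file:` pointing at operator-owned files outside the repository so the same compose file works without Swarm. Note that `env_file: - .env` still injects `NODE_ECDSA_KEY_PASSWORD`/`NODE_BLS_KEY_PASSWORD` as path strings into the container, which is only useful if the node resolves them as files.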
@@ -8,6 +8,18 @@
 # which causes the password to be incorrect.
 # To test that try running `docker run --rm --env-file .env busybox /bin/sh -c 'echo $NODE_ECDSA_KEY_PASSWORD'`
 # This will output password with single quote. Not sure why this happens.
+# Function to read Docker secrets
+read_secret() {
+ secret_name=$1
+ secret_path="/run/secrets/$secret_name"
+ if [ -f "$secret_path" ]; then
+ cat "$secret_path"
+ else
+ echo "Error: Secret $secret_name not found."
+ exit 1
+ fi
+}
+
 optIn() {
 socket="$NODE_HOSTNAME":"${NODE_DISPERSAL_PORT}"\;"${NODE_RETRIEVAL_PORT}"
 echo "using socket: $socket"
@@ -16,9 +28,9 @@ optIn() {
 --volume "${NODE_ECDSA_KEY_FILE_HOST}":/app/operator_keys/ecdsa_key.json \
 --volume "${NODE_BLS_KEY_FILE_HOST}":/app/operator_keys/bls_key.json \
 --volume "${NODE_LOG_PATH_HOST}":/app/logs:rw \
+ --volume "ecdsa_key_password:/run/secrets/ecdsa_key_password:ro" \
+ --volume "bls_key_password:/run/secrets/bls_key_password:ro" \
 ghcr.io/layr-labs/eigenda/opr-nodeplugin:release-0.2.1 \
- --ecdsa-key-password "$NODE_ECDSA_KEY_PASSWORD" \
- --bls-key-password "$NODE_BLS_KEY_PASSWORD" \
 --operation opt-in \
 --socket "$socket"
 }
@@ -30,9 +42,9 @@ optOut() {
 --volume "${NODE_ECDSA_KEY_FILE_HOST}":/app/operator_keys/ecdsa_key.json \
 --volume "${NODE_BLS_KEY_FILE_HOST}":/app/operator_keys/bls_key.json \
 --volume "${NODE_LOG_PATH_HOST}":/app/logs:rw \
+ --volume "ecdsa_key_password:/run/secrets/ecdsa_key_password:ro" \
+ --volume "bls_key_password:/run/secrets/bls_key_password:ro" \
 ghcr.io/layr-labs/eigenda/opr-nodeplugin:release-0.2.1 \
- --ecdsa-key-password "$NODE_ECDSA_KEY_PASSWORD" \
- --bls-key-password "$NODE_BLS_KEY_PASSWORD" \
 --operation opt-out \
 --socket "$socket"
 }
@@ -43,4 +55,4 @@ elif [ "$1" = "opt-out" ]; then
 optOut
 else
 echo "Invalid command"
-fi
\ No newline at end of file
+fi
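Review bot: `read_secret` is defined in the first run.sh hunk but nothing in this change calls it — `optIn` and `optOut` below drop the password flags instead of using it — so it is dead code as committed, and it reads `/run/secrets/$secret_name`, a container-side path that will normally not exist on the host where run.sh runs. As written it also has three smaller problems: `secret_name`/`secret_path` are not `local`, the error message goes to stdout where a caller's `$(read_secret …)` would capture it as the password, and `exit 1` inside a command substitution only terminates the subshell. At minimum change the error line to `printf '%s\n' "Error: Secret $secret_name not found." >&2` and have callers check the return status, e.g. `pw=$(read_secret ecdsa_key_password) || exit 1`.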
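Review bot: In the `optIn` hunk, `--volume "ecdsa_key_password:/run/secrets/ecdsa_key_password:ro"` mounts a named Docker volume, not the Docker secret of that name; `docker run` cannot attach Swarm secrets, and a missing volume is silently created empty, so the plugin sees an empty directory at that path. Combined with removing `--ecdsa-key-password` and `--bls-key-password`, opr-nodeplugin receives no password at all unless it reads `/run/secrets` on its own, which nothing in this change shows — please verify against the plugin's documentation before merging. The `optOut` hunk has the identical problem. A safer shape is to keep the two flags and feed them from operator-owned files on the host (e.g. `--ecdsa-key-password "$(cat -- "${NODE_ECDSA_KEY_PASSWORD_FILE:?}")"`), or to invoke the plugin through compose so the service-level `secrets:` apply; `optIn`'s body begins before this hunk.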