[WIP] Add support for using yubiHSM with TMKMS #2
@ -8,6 +8,7 @@ services:
|
||||
NODE_IP: ${NODE_IP}
|
||||
NODE_PORT: ${NODE_PORT:-26659}
|
||||
KEY_PREFIX: ${KEY_PREFIX}
|
||||
TMKMS_MODE: ${TMKMS_MODE:-softsign}
|
||||
volumes:
|
||||
- tmkms-data:/root/tmkms
|
||||
- ../config/tmkms/run.sh:/opt/run.sh
|
||||
|
||||
@ -11,50 +11,72 @@ INPUT_PRIV_KEY_FILE=$TMKMS_HOME/tmp/priv_validator_key.json
|
||||
TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
|
||||
TMKMS_STATE_DIR=$TMKMS_HOME/state
|
||||
|
||||
# Check if priv_validator_key in SECRETS_DIR exists
|
||||
if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then
|
||||
# Initialize tmkms config
|
||||
# Initialize tmkms config if priv_validator_key does not exist
|
||||
if [[ ! -f "$TMKMS_HOME/tmkms.toml" ]]; then
|
||||
echo "Initializing tmkms configuration..."
|
||||
|
||||
tmkms init $TMKMS_HOME
|
||||
|
||||
# Import the private validator key into tmkms
|
||||
echo "Importing private validator key into tmkms..."
|
||||
tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key
|
||||
|
||||
# Remove the original private validator key
|
||||
rm -rf $INPUT_PRIV_KEY_FILE
|
||||
|
||||
else
|
||||
echo "tmkms configuration already exists. Skipping initialization and cleaning up any existing input private validator key files..."
|
||||
# Remove the original private validator key as it is not needed
|
||||
if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then
|
||||
rm -rf $INPUT_PRIV_KEY_FILE
|
||||
fi
|
||||
echo "tmkms configuration already exists. Skipping initialization."
|
||||
fi
|
||||
|
||||
# Update tmkms.toml
|
||||
echo "Updating tmkms.toml with chain_id, node IP, and key prefixes..."
|
||||
# Configure tmkms.toml and handle key import/copy based on TMKMS_MODE
|
||||
case "$TMKMS_MODE" in
|
||||
"yubihsm")
|
||||
# Add chain configuration for yubihsm
|
||||
# TODO: Allow users to edit config toml
|
||||
|
||||
# Add chain configuration
|
||||
cat <<EOF > $TMKMS_HOME/tmkms.toml
|
||||
# Import the private validator key into tmkms for yubihsm (only if not already present)
|
||||
if ! tmkms yubihsm keys list | grep -q "0x0001:"; then
|
||||
echo "Importing private validator key into tmkms for yubihsm..."
|
||||
tmkms yubihsm keys import -i 1 $INPUT_PRIV_KEY_FILE -c $TMKMS_HOME/tmkms.toml
|
||||
else
|
||||
echo "Key 0x0001 already present in YubiHSM. Skipping import."
|
||||
fi
|
||||
;;
|
||||
|
||||
[[chain]]
|
||||
id = "$CHAIN_ID"
|
||||
key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
|
||||
state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
|
||||
"softsign")
|
||||
# Add chain configuration for softsign
|
||||
cat <<EOF > $TMKMS_HOME/tmkms.toml
|
||||
|
||||
[[validator]]
|
||||
chain_id = "$CHAIN_ID"
|
||||
addr = "tcp://$NODE_IP:$NODE_PORT"
|
||||
secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
|
||||
protocol_version = "v0.34"
|
||||
reconnect = true
|
||||
[[chain]]
|
||||
id = "$CHAIN_ID"
|
||||
key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
|
||||
state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
|
||||
|
||||
[[providers.softsign]]
|
||||
key_type = "consensus"
|
||||
path = "$TMKMS_SECRETS_DIR/priv_validator_key"
|
||||
chain_ids = ["$CHAIN_ID"]
|
||||
[[validator]]
|
||||
chain_id = "$CHAIN_ID"
|
||||
addr = "tcp://$NODE_IP:$NODE_PORT"
|
||||
secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
|
||||
protocol_version = "v0.34"
|
||||
reconnect = true
|
||||
|
||||
[[providers.softsign]]
|
||||
key_type = "consensus"
|
||||
path = "$TMKMS_SECRETS_DIR/priv_validator_key"
|
||||
chain_ids = ["$CHAIN_ID"]
|
||||
EOF
|
||||
|
||||
# Import the private validator key into tmkms for softsign (only if not already present)
|
||||
if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then
|
||||
echo "Importing private validator key into tmkms for softsign..."
|
||||
tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key
|
||||
else
|
||||
echo "Softsign key already present. Skipping import."
|
||||
fi
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Error: TMKMS_MODE environment variable not set or invalid. Please set it to 'yubihsm' or 'softsign'."
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Remove the original input private validator key file after processing
|
||||
if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then
|
||||
rm -rf $INPUT_PRIV_KEY_FILE
|
||||
fi
|
||||
|
||||
# Start tmkms
|
||||
echo "Starting tmkms..."
|
||||
tmkms start --config $TMKMS_HOME/tmkms.toml
|
||||
|
||||
33
stack-orchestrator/config/tmkms/setup-yubihsm.sh
Executable file
33
stack-orchestrator/config/tmkms/setup-yubihsm.sh
Executable file
@ -0,0 +1,33 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
|
||||
set -x
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
||||
TMKMS_HOME=/home/tmkmsuser/tmkms
|
||||
TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
|
||||
TMKMS_STATE_DIR=$TMKMS_HOME/state
|
||||
|
||||
tmkms init $TMKMS_HOME
|
||||
|
||||
cat <<EOF > $TMKMS_HOME/tmkms.toml
|
||||
[[chain]]
|
||||
id = "$CHAIN_ID"
|
||||
key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
|
||||
state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
|
||||
|
||||
[[validator]]
|
||||
chain_id = "$CHAIN_ID"
|
||||
addr = "tcp://$NODE_IP:$NODE_PORT"
|
||||
secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
|
||||
protocol_version = "v0.34"
|
||||
reconnect = true
|
||||
|
||||
[[providers.yubihsm]]
|
||||
adapter = { type = "usb" }
|
||||
auth = { key = 1, password = "$PASSWORD" }
|
||||
EOF
|
||||
|
||||
tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
|
||||
Loading…
Reference in New Issue
Block a user