From 493ac16fb89d8b9c3288bc566bcac37472392ca0 Mon Sep 17 00:00:00 2001 From: Madhur Shrimal Date: Wed, 20 Nov 2024 22:53:36 -0800 Subject: [PATCH] docs: add storage docs (#12) --- README.md | 58 ++++++++++++++++++++++++++++++------- cmd/cerberus/main.go | 2 ++ docs/aws_sercret_manager.md | 26 +++++++++++++++++ docs/filesystem.md | 11 +++++++ 4 files changed, 86 insertions(+), 11 deletions(-) create mode 100644 docs/aws_sercret_manager.md create mode 100644 docs/filesystem.md diff --git a/README.md b/README.md index d423e4e..0b5ee0a 100644 --- a/README.md +++ b/README.md @@ -33,18 +33,54 @@ go build -o bin/cerberus cmd/cerberus/main.go ``` ### Usage options -| Options | Description | Default | -|----------------|---------------------------------------------|-----------------| -| keystore-dir | Directory to store encrypted keystore files | ./data/keystore | -| grpc-port | gRPC port for starting signer server | 50051 | -| log-format | format of the logs (text, json) | text | -| log-level | debug, info, warn, error | info | -| metrics-port | port to expose prometheus metrics | 9091 | -| tls-ca-cert | certificate to enable TLS connection | | -| tls-server-key | server key to enable TLS connection | | -| help | show help | | -| version | show version | | +```bash +cerberus --help + + _ + | | + ___ ___ _ __ | |__ ___ _ __ _ _ ___ + / __| / _ \| '__|| '_ \ / _ \| '__|| | | |/ __| +| (__ | __/| | | |_) || __/| | | |_| |\__ \ + \___| \___||_| |_.__/ \___||_| \__,_||___/ + + +NAME: + cerberus - Remote BLS Signer + +USAGE: + cerberus [global options] command [command options] + +VERSION: + development + +COMMANDS: + help, h Shows a list of commands or help for one command + +GLOBAL OPTIONS: + --aws-access-key-id value AWS access key ID [$AWS_ACCESS_KEY_ID] + --aws-authentication-mode value AWS authentication mode - supported modes: environment, specified (default: "environment") [$AWS_AUTHENTICATION_MODE] + --aws-profile value AWS profile (default: "default") [$AWS_PROFILE] + --aws-region value AWS region (default: "us-east-2") [$AWS_REGION] + --aws-secret-access-key value AWS secret access key [$AWS_SECRET_ACCESS_KEY] + --grpc-port value Port for the gRPC server (default: "50051") [$GRPC_PORT] + --keystore-dir value Directory where the keystore files are stored (default: "./data/keystore") [$KEYSTORE_DIR] + --log-format value Log format - supported formats: text, json (default: "text") [$LOG_FORMAT] + --log-level value Log level - supported levels: debug, info, warn, error (default: "info") [$LOG_LEVEL] + --metrics-port value Port for the metrics server (default: "9091") [$METRICS_PORT] + --storage-type value Storage type - supported types: filesystem, aws-secret-manager (default: "filesystem") [$STORAGE_TYPE] + --tls-ca-cert value TLS CA certificate [$TLS_CA_CERT] + --tls-server-key value TLS server key [$TLS_SERVER_KEY] + --help, -h show help + --version, -v print the version + +COPYRIGHT: + (c) 2024 EigenLab +``` +### Storage Backend +We support the following storage backends for storing private keys: +1. [Filesystem](docs/filesystem.md) +2. [AWS Secret Manager](docs/aws_sercret_manager.md) ### Monitoring The signer exposes prometheus metrics on the `/metrics` endpoint. You can scrape these metrics using a prometheus server. diff --git a/cmd/cerberus/main.go b/cmd/cerberus/main.go index c053818..e9638d0 100644 --- a/cmd/cerberus/main.go +++ b/cmd/cerberus/main.go @@ -4,6 +4,7 @@ import ( "fmt" "log/slog" "os" + "sort" "github.com/Layr-Labs/cerberus/internal/configuration" "github.com/Layr-Labs/cerberus/internal/server" @@ -136,6 +137,7 @@ func main() { awsAccessKeyIDFlag, awsSecretAccessKeyFlag, } + sort.Sort(cli.FlagsByName(app.Flags)) app.Action = start diff --git a/docs/aws_sercret_manager.md b/docs/aws_sercret_manager.md new file mode 100644 index 0000000..074eba3 --- /dev/null +++ b/docs/aws_sercret_manager.md @@ -0,0 +1,26 @@ +## Using AWS Secret Manager as a backend for cerberus +You can use AWS Secret Manager as a backend for cerberus. To use AWS Secret Manager as a backend, you need to set the `STORAGE_TYPE` environment variable to `aws-secrets-manager`. +All the public keys are stored in `cerberus/` format. + +You have two options for authenticating with AWS Secret Manager: +### Environment variables +You will need to set the `AWS_AUTHENTICATION_MODE` environment variable to `environment`. This is the default mode. You will also need to set the `AWS_REGION`. If you are using a profile, you can set the `AWS_PROFILE` environment variable. If you are using the default profile, you do not need to set the `AWS_PROFILE` environment variable. + +Example +```bash +cerberus \ + --storage-type aws-secrets-manager \ + --aws-region us-east-2 \ + --aws-profile SomeProfile +``` +### Specified +You will need to set the `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY` environment variables. + +Example +```bash +cerberus \ + --storage-type aws-secrets-manager \ + --aws-region us-east-2 \ + --aws-access-key-id SomeAccessKey \ + --aws-secret-access-key SomeSecretKey +``` \ No newline at end of file diff --git a/docs/filesystem.md b/docs/filesystem.md new file mode 100644 index 0000000..88f5372 --- /dev/null +++ b/docs/filesystem.md @@ -0,0 +1,11 @@ +## Using Filesystem as a backend for cerberus +You can use Filesystem as a backend for cerberus. To use Filesystem as a backend, you need to set the `STORAGE_TYPE` environment variable to `filesystem`. + +You will need to setup the storage directory where the private keys will be stored. By default, the private keys are stored in the `./data/keystore` directory. You can change this by setting the `KEYSTORE_DIR` environment variable. + +Example +```bash +cerberus \ + --storage-type filesystem \ + --keystore-dir /path/to/keystore +``` \ No newline at end of file