diff --git a/DEPLOYMENT_GUIDE.md b/DEPLOYMENT_GUIDE.md
index ecb3557..87bd3cc 100644
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@@ -26,13 +26,15 @@ This guide will walk you through the process of deploying wPOKT Validators on Go
 
 4. Update the MintController Smart Contract on the Ethereum network with the Ethereum addresses of the N validators. The MintController Smart Contract will utilize these addresses to validate signatures from the deployed validators during the bridging process.
 
-### Step 4: Store Private Keys in Secret Manager
+### Step 4: Store Secrets in Secret Manager
 
 1. Add all the Ethereum and Pocket private keys to the Secret Manager on GCP. Ensure you securely store these keys as they are crucial for your validator's operation.
 
-2. Note down the names of all the secrets created in Secret Manager. You will use these secret names during the deployment process.
+2. Also add the MongoDB URI with read-and-write permissions to the Secret Manager. This URI will be used to connect to the MongoDB cluster.
 
-3. Additionally, consider storing copies of the private keys in other secure places for additional redundancy and security. You might want to use hardware wallets, cold storage devices, or other secure offline storage methods to safeguard your validator's private keys.
+3. Note down the names of all the secrets created in Secret Manager. You will use these secret names during the deployment process.
+
+4. Additionally, consider storing copies of the private keys in other secure places for additional redundancy and security. You might want to use hardware wallets, cold storage devices, or other secure offline storage methods to safeguard your validator's private keys.
 
 ### Step 5: Optional - Create Service Accounts and Separate Key Pairs
 
@@ -44,15 +46,13 @@ This guide will walk you through the process of deploying wPOKT Validators on Go
 
 1. Create a VM template on GCP's "Compute Engine" that includes the docker image for the wPOKT Validator and valid environment variables.
 
-2. Set the following environment variables:
-
- - MongoDB URI with read-and-write permissions: Provide the URI to access the MongoDB cluster with read-and-write permissions.
+2. Set the default environment variables for:
 
- - Ethereum network configuration: Use the valid Ethereum private key secret name from Secret Manager, Ethereum RPC URL, and chain ID.
+ - Ethereum network configuration
 
- - Pocket network configuration: Utilize the valid Pocket private key secret name from Secret Manager, Pocket RPC URL, chain ID, and the generated Pocket multisig address.
+ - Pocket network configuration
 
- - Google Cloud Project ID: Add the project ID for your GCP project to ensure proper authentication and billing.
+ - Google secret manager configuration
 
 Refer to the sample `config.sample.yml` or `sample.env` files for reference on how to structure the environment variables.
 
diff --git a/Dockerfile b/Dockerfile
index 53b20a7..5ba632b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,7 +46,7 @@ ENV POKT_MULTISIG_PUBLIC_KEYS ${POKT_MULTISIG_PUBLIC_KEYS}
 
 # google secret manager
 ENV GOOGLE_SECRET_MANAGER_ENABLED ${GOOGLE_SECRET_MANAGER_ENABLED}
-ENV GOOGLE_PROJECT_ID ${GOOGLE_PROJECT_ID}
+ENV GOOGLE_MONGO_SECRET_NAME ${GOOGLE_MONGO_SECRET_NAME}
 ENV GOOGLE_POKT_SECRET_NAME ${GOOGLE_POKT_SECRET_NAME}
 ENV GOOGLE_ETH_SECRET_NAME ${GOOGLE_ETH_SECRET_NAME}
 
diff --git a/README.md b/README.md
index b31d74e..9a9c363 100644
--- a/README.md
+++ b/README.md
@@ -69,14 +69,14 @@ The wPOKT Validator can be configured in the following ways:
 ETH_PRIVATE_KEY="your_eth_private_key" ETH_RPC_URL="your_eth_rpc_url" ... go run .
 ```
 
-If both a config file and an env file are provided, the `config.yml` file will be loaded first, and then the env file will be read. Any falsy values in the config will be updated with corresponding values from the env file.
+If both a config file and an env file are provided, the config file will be loaded first, followed by the env file. Non-empty values from the env file or provided through environment variables will take precedence over the corresponding values from the config file.
 
 ### Using Docker Compose
 
-You can also run the wPOKT Validator using `docker-compose` with the provided `.env` file. Execute the following command in the project directory:
+You can also run the wPOKT Validator using `docker-compose`. Execute the following command in the project directory:
 
 ```bash
-docker-compose --env-file .env up
+docker-compose --env-file .env up --build
 ```
 
 ## Valid Memo
@@ -94,7 +94,7 @@ Transactions with memos not conforming to this format will not be processed by t
 
 ## Docker Image
 
-The wPOKT Validator is also available as a Docker image hosted on Docker Hub. You can run the validator in a Docker container using the following command:
+The wPOKT Validator is also available as a Docker image hosted on [Docker Hub](https://hub.docker.com/r/dan13ram/wpokt-validator). You can run the validator in a Docker container using the following command:
 
 ```bash
 docker run -d --env-file .env docker.io/dan13ram/wpokt-validator:latest
diff --git a/app/env.go b/app/env.go
index 225814a..782dc53 100644
--- a/app/env.go
+++ b/app/env.go
@@ -127,7 +127,7 @@ func readConfigFromENV(envFile string) {
 if os.Getenv("POKT_VAULT_ADDRESS") != "" {
 Config.Pocket.VaultAddress = os.Getenv("POKT_VAULT_ADDRESS")
 }
- if Config.Pocket.MultisigPublicKeys == nil || len(Config.Pocket.MultisigPublicKeys) == 0 {
+ if os.Getenv("POKT_MULTISIG_PUBLIC_KEYS") != "" {
 multisigPublicKeys := os.Getenv("POKT_MULTISIG_PUBLIC_KEYS")
 Config.Pocket.MultisigPublicKeys = strings.Split(multisigPublicKeys, ",")
 }
@@ -241,7 +241,7 @@ func readConfigFromENV(envFile string) {
 }
 
 // health check
- if Config.HealthCheck.IntervalSecs == 0 {
+ if os.Getenv("HEALTH_CHECK_INTERVAL_SECS") != "" {
 intervalSecs, err := strconv.ParseInt(os.Getenv("HEALTH_CHECK_INTERVAL_SECS"), 10, 64)
 if err != nil {
 log.Warn("[ENV] Error parsing HEALTH_CHECK_INTERVAL_SECS: ", err.Error())
@@ -251,7 +251,7 @@ func readConfigFromENV(envFile string) {
 }
 
 // logging
- if Config.Logger.Level == "" {
+ if os.Getenv("LOG_LEVEL") != "" {
 logLevel := os.Getenv("LOG_LEVEL")
 if logLevel == "" {
 log.Warn("[ENV] Setting LogLevel to debug")
@@ -262,7 +262,7 @@ func readConfigFromENV(envFile string) {
 }
 
 // google secret manager
- if Config.GoogleSecretManager.Enabled == false && os.Getenv("GOOGLE_SECRET_MANAGER_ENABLED") != "" {
+ if os.Getenv("GOOGLE_SECRET_MANAGER_ENABLED") != "" {
 enabled, err := strconv.ParseBool(os.Getenv("GOOGLE_SECRET_MANAGER_ENABLED"))
 if err != nil {
 log.Warn("[ENV] Error parsing GOOGLE_SECRET_MANAGER_ENABLED: ", err.Error())
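Review bot: In the POKT_MULTISIG_PUBLIC_KEYS hunk the value is split on commas without trimming, so an entry written as `a, b` or a trailing comma leaves a space-prefixed or empty string in Config.Pocket.MultisigPublicKeys, and since that list defines the vault's signer set a malformed entry is better rejected while the config is loaded than discovered when the multisig address is derived from it. Trim each part and drop empties before assigning; the rewritten block is below. readConfigFromENV continues past the hunk on both sides.

```go
if os.Getenv("POKT_MULTISIG_PUBLIC_KEYS") != "" {
	var keys []string
	for _, key := range strings.Split(os.Getenv("POKT_MULTISIG_PUBLIC_KEYS"), ",") {
		if key = strings.TrimSpace(key); key != "" {
			keys = append(keys, key)
		}
	}
	Config.Pocket.MultisigPublicKeys = keys
}
```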
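Review bot: In the LOG_LEVEL hunk the inner `if logLevel == ""` branch and its "Setting LogLevel to debug" warning can no longer execute, because the new outer guard enters the block only when the variable is non-empty. The fallback for the case where neither the config file nor the environment sets a level therefore appears to be gone from this function, and Config.Logger.Level would stay empty unless something outside the hunk supplies a default. Either delete the dead branch or move the default after the guard, e.g. `if Config.Logger.Level == "" { Config.Logger.Level = "debug" }`. The rest of the block is outside the hunk, so I cannot confirm what the dead branch assigned.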
@@ -270,16 +270,13 @@ func readConfigFromENV(envFile string) {
 Config.GoogleSecretManager.Enabled = enabled
 }
 }
- if Config.GoogleSecretManager.ProjectId == "" {
- Config.GoogleSecretManager.ProjectId = os.Getenv("GOOGLE_PROJECT_ID")
- }
- if Config.GoogleSecretManager.MongoSecretName == "" {
+ if os.Getenv("GOOGLE_MONGO_SECRET_NAME") != "" {
 Config.GoogleSecretManager.MongoSecretName = os.Getenv("GOOGLE_MONGO_SECRET_NAME")
 }
- if Config.GoogleSecretManager.PoktSecretName == "" {
+ if os.Getenv("GOOGLE_POKT_SECRET_NAME") != "" {
 Config.GoogleSecretManager.PoktSecretName = os.Getenv("GOOGLE_POKT_SECRET_NAME")
 }
- if Config.GoogleSecretManager.EthSecretName == "" {
+ if os.Getenv("GOOGLE_ETH_SECRET_NAME") != "" {
 Config.GoogleSecretManager.EthSecretName = os.Getenv("GOOGLE_ETH_SECRET_NAME")
 }
 
diff --git a/app/gsm.go b/app/gsm.go
index 41c04c6..60dc6d4 100644
--- a/app/gsm.go
+++ b/app/gsm.go
@@ -2,7 +2,6 @@ package app
 
 import (
 "context"
- "fmt"
 
 secretmanager "cloud.google.com/go/secretmanager/apiv1"
 "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
@@ -11,7 +10,7 @@ import (
 
 func accessSecretVersion(client *secretmanager.Client, name string) (string, error) {
 req := &secretmanagerpb.AccessSecretVersionRequest{
- Name: fmt.Sprintf("projects/%s/secrets/%s/versions/latest", Config.GoogleSecretManager.ProjectId, name),
+ Name: name,
 }
 
 result, err := client.AccessSecretVersion(context.Background(), req)
@@ -30,10 +29,6 @@ func readKeysFromGSM() {
 return
 }
 
- if Config.GoogleSecretManager.ProjectId == "" {
- log.Fatalf("[GSM] ProjectId is empty")
- }
-
 ctx := context.Background()
 client, err := secretmanager.NewClient(ctx)
 if err != nil {
diff --git a/config.sample.yml b/config.sample.yml
index 2381a34..1aa8907 100644
--- a/config.sample.yml
+++ b/config.sample.yml
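Review bot: With the ProjectId handling removed in this hunk, an operator who still exports GOOGLE_PROJECT_ID from an older deployment gets no signal that the variable is now ignored and that the three GOOGLE_*_SECRET_NAME values must be full resource names rather than bare secret ids. A one-time warning at this spot would make the migration visible: `if os.Getenv("GOOGLE_PROJECT_ID") != "" { log.Warn("[ENV] GOOGLE_PROJECT_ID is no longer used; set GOOGLE_*_SECRET_NAME to full resource names") }`. Nothing in this hunk checks that the names are non-empty when the secret manager is enabled; whether readKeysFromGSM does so is outside the visible hunks. readConfigFromENV starts before the hunk.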
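Review bot: accessSecretVersion now forwards `name` to AccessSecretVersionRequest unchanged, which turns the parameter from a secret id under the configured project into a full resource name, and the fatal empty-ProjectId check dropped in the readKeysFromGSM hunk below has no replacement, so an empty or bare name is only caught as an API error (handled after the hunk, out of view). A doc comment stating the contract, `// name must be a full resource name: projects/<project>/secrets/<secret>/versions/<version>`, plus a local guard such as `if !strings.HasPrefix(name, "projects/") { return "", errors.New("[GSM] secret name is not a full resource name") }` would fail fast with a clear message; the guard needs `strings` and `errors` added to the import block that the first hunk edits. The function body continues past the hunk.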
@@ -63,7 +63,6 @@ logger:
 
 google_secret_manager:
 enabled: false
- project_id: ""
- mongo_secret_name: ""
+ mongo_secret_name: "" # projects//secrets//versions/latest
 pokt_secret_name: ""
 eth_secret_name: ""
diff --git a/docker-compose.yml b/docker-compose.yml
index 4437eab..9304c35 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 
 # google secret manager
 GOOGLE_SECRET_MANAGER_ENABLED: ${GOOGLE_SECRET_MANAGER_ENABLED}
- GOOGLE_PROJECT_ID: ${GOOGLE_PROJECT_ID}
+ GOOGLE_MONGO_SECRET_NAME: ${GOOGLE_MONGO_SECRET_NAME}
 GOOGLE_POKT_SECRET_NAME: ${GOOGLE_POKT_SECRET_NAME}
 GOOGLE_ETH_SECRET_NAME: ${GOOGLE_ETH_SECRET_NAME}
 
diff --git a/models/config.go b/models/config.go
index 4804387..09bf5ab 100644
--- a/models/config.go
+++ b/models/config.go
@@ -17,7 +17,6 @@ type Config struct {
 
 type GoogleSecretManagerConfig struct {
 Enabled bool `yaml:"enabled" json:"enabled"`
- ProjectId string `yaml:"project_id" json:"project_id"`
 MongoSecretName string `yaml:"mongo_secret_name" json:"mongo_secret_name"`
 PoktSecretName string `yaml:"pokt_secret_name" json:"pokt_secret_name"`
 EthSecretName string `yaml:"eth_secret_name" json:"eth_secret_name"`
diff --git a/sample.env b/sample.env
index 7ca6e8e..b04b54b 100644
--- a/sample.env
+++ b/sample.env
@@ -29,8 +29,7 @@ COMPOSE_PROJECT_NAME=
 # google secret manager
 GOOGLE_APPLICATION_CREDENTIALS= # only for local development
 GOOGLE_SECRET_MANAGER_ENABLED=
-GOOGLE_PROJECT_ID=
-GOOGLE_MONGO_SECRET_NAME=
+GOOGLE_MONGO_SECRET_NAME=projects//secrets//versions/latest
 GOOGLE_POKT_SECRET_NAME=
 GOOGLE_ETH_SECRET_NAME=
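Review bot: The placeholder `projects//secrets//versions/latest`, used both as the config.sample.yml comment and as the sample.env default, has empty path segments, so it reads like a literal value, and an unedited copy of sample.env is passed through docker-compose.yml to the validator as an invalid resource name. Spelling the segments out removes the ambiguity: `# projects/<project-id>/secrets/<secret-name>/versions/latest` in the YAML comment, and `GOOGLE_MONGO_SECRET_NAME=` left empty in sample.env like the two other secret names. Since `versions/latest` is resolved when the secret is accessed, a newly added secret version is picked up on the next run that reads it; pin a numbered version where that is not intended.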