diff --git a/spartan/environments/ignition-fisherman.env b/spartan/environments/ignition-fisherman.env index 1b5c0de06c84..e182eac2f8c3 100644 --- a/spartan/environments/ignition-fisherman.env +++ b/spartan/environments/ignition-fisherman.env @@ -21,14 +21,15 @@ ETHEREUM_RPC_URLS=REPLACE_WITH_GCP_SECRET ETHEREUM_CONSENSUS_HOST_URLS=REPLACE_WITH_GCP_SECRET ETHEREUM_CONSENSUS_HOST_API_KEYS=REPLACE_WITH_GCP_SECRET ETHEREUM_CONSENSUS_HOST_API_KEY_HEADERS=REPLACE_WITH_GCP_SECRET -FUNDING_PRIVATE_KEY=REPLACE_WITH_GCP_SECRET +FUNDING_PRIVATE_KEY="" +LABS_INFRA_MNEMONIC_SECRET_NAME=sepolia-labs-ignition-fisherman-mnemonic LABS_INFRA_MNEMONIC=REPLACE_WITH_GCP_SECRET -ROLLUP_DEPLOYMENT_PRIVATE_KEY=REPLACE_WITH_GCP_SECRET +ROLLUP_DEPLOYMENT_PRIVATE_KEY="" OTEL_COLLECTOR_ENDPOINT=REPLACE_WITH_GCP_SECRET SNAPSHOT_BUCKET_DIRECTORY=${SNAPSHOT_BUCKET_DIRECTORY:-ignition-sepolia} -ETHERSCAN_API_KEY=REPLACE_WITH_GCP_SECRET +ETHERSCAN_API_KEY="" R2_ACCESS_KEY_ID=REPLACE_WITH_GCP_SECRET R2_SECRET_ACCESS_KEY=REPLACE_WITH_GCP_SECRET BOT_TRANSFERS_REPLICAS=0 diff --git a/spartan/environments/staging-ignition.env b/spartan/environments/staging-ignition.env index 966a88625773..c86466d1d1eb 100644 --- a/spartan/environments/staging-ignition.env +++ b/spartan/environments/staging-ignition.env @@ -17,6 +17,7 @@ ETHEREUM_CONSENSUS_HOST_API_KEYS=REPLACE_WITH_GCP_SECRET ETHEREUM_CONSENSUS_HOST_API_KEY_HEADERS=REPLACE_WITH_GCP_SECRET FUNDING_PRIVATE_KEY=REPLACE_WITH_GCP_SECRET LABS_INFRA_MNEMONIC=REPLACE_WITH_GCP_SECRET +LABS_INFRA_MNEMONIC_SECRET_NAME=sepolia-labs-staging-ignition-mnemonic ROLLUP_DEPLOYMENT_PRIVATE_KEY=REPLACE_WITH_GCP_SECRET OTEL_COLLECTOR_ENDPOINT=REPLACE_WITH_GCP_SECRET VERIFY_CONTRACTS=true diff --git a/spartan/scripts/deploy_network.sh b/spartan/scripts/deploy_network.sh index 69b9be51e886..aa898c5e6bca 100755 --- a/spartan/scripts/deploy_network.sh +++ b/spartan/scripts/deploy_network.sh 
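Review bot: The empty values on `FUNDING_PRIVATE_KEY`, `ROLLUP_DEPLOYMENT_PRIVATE_KEY` and `ETHERSCAN_API_KEY` in ignition-fisherman.env now carry meaning, and nothing in the file says so. The placeholder loop in setup_gcp_secrets.sh, changed in this same commit, skips any variable whose line lacks `REPLACE_WITH_GCP_SECRET`, so `""` means "do not fetch this secret for this environment". A later edit that restores the placeholder would quietly pull the key again. A comment above the three lines would record the intent, for example `# Left empty on purpose: setup_gcp_secrets.sh only fetches variables set to REPLACE_WITH_GCP_SECRET`, plus the reason this environment does not need them, which the diff does not state.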
@@ -108,9 +108,14 @@ DESTROY_CHAOS_MESH=${DESTROY_CHAOS_MESH:-false} CREATE_CHAOS_MESH=${CREATE_CHAOS_MESH:-false} -# Compute validator addresses -VALIDATOR_ADDRESSES=$(echo "$VALIDATOR_INDICES" | tr ',' '\n' | xargs -I{} cast wallet address --mnemonic "$LABS_INFRA_MNEMONIC" --mnemonic-index {} | tr '\n' ',' | sed 's/,$//') -log "VALIDATOR_ADDRESSES: ${VALIDATOR_ADDRESSES}" +# Compute validator addresses (skip if no validators) +if [[ $VALIDATOR_REPLICAS -gt 0 ]]; then + VALIDATOR_ADDRESSES=$(echo "$VALIDATOR_INDICES" | tr ',' '\n' | xargs -I{} cast wallet address --mnemonic "$LABS_INFRA_MNEMONIC" --mnemonic-index {} | tr '\n' ',' | sed 's/,$//') + log "VALIDATOR_ADDRESSES: ${VALIDATOR_ADDRESSES}" +else + VALIDATOR_ADDRESSES="" + log "VALIDATOR_ADDRESSES: (none - no validators)" +fi # Compute and include publisher indices in prefunding list # Uses env overrides when provided, otherwise falls back to values.yaml defaults diff --git a/spartan/scripts/setup_gcp_secrets.sh b/spartan/scripts/setup_gcp_secrets.sh index f5f1aeaba908..544d1aa0c813 100755 --- a/spartan/scripts/setup_gcp_secrets.sh +++ b/spartan/scripts/setup_gcp_secrets.sh @@ -17,6 +17,9 @@ NETWORK=${NETWORK:-} L1_NETWORK=${L1_NETWORK:-sepolia} +# Read optional custom secret name for LABS_INFRA_MNEMONIC +LABS_INFRA_MNEMONIC_SECRET_NAME=${LABS_INFRA_MNEMONIC_SECRET_NAME:-} + echo "Setting up GCP secrets for network: $NETWORK" # Create secure temporary directory for secrets @@ -67,6 +70,13 @@ mask_secret_value() { fi } +# Determine the mnemonic secret name: use custom if provided, otherwise use default pattern +if [[ -n "$LABS_INFRA_MNEMONIC_SECRET_NAME" ]]; then + MNEMONIC_SECRET="${LABS_INFRA_MNEMONIC_SECRET_NAME}" +else + MNEMONIC_SECRET="${L1_NETWORK}-labs-${NETWORK}-mnemonic" +fi + # Map of environment variables to GCP secret names # Generic mappings - network-specific secrets use ${NETWORK} in the name declare -A SECRET_MAPPINGS=( 
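Review bot: The derivation kept inside the new `if` branch still passes `$LABS_INFRA_MNEMONIC` to `cast` as a command-line argument through `xargs`, once per index. The phrase is therefore visible in the process table of the deploy host while each call runs, and would be written to logs if tracing (`set -x`) is ever enabled. Foundry documents `--mnemonic` as accepting a path to a mnemonic file as well as the phrase itself (worth confirming for the pinned version); writing the phrase to a `mktemp` file, passing that path and removing it in a `trap` keeps it out of argv. Separately, `[[ $VALIDATOR_REPLICAS -gt 0 ]]` evaluates the value arithmetically, so a check such as `[[ "${VALIDATOR_REPLICAS:-0}" =~ ^[0-9]+$ ]]` before the comparison would reject malformed input early.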
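Review bot: `LABS_INFRA_MNEMONIC_SECRET_NAME` is accepted verbatim as the secret to fetch in the `@@ -67,6 +70,13 @@` hunk of setup_gcp_secrets.sh, so an environment file can point `LABS_INFRA_MNEMONIC` at any secret name rather than one following the `${L1_NETWORK}-labs-${NETWORK}-mnemonic` pattern. Constraining the override keeps the lookup within the expected set, for example `[[ "$LABS_INFRA_MNEMONIC_SECRET_NAME" =~ ^[a-z0-9-]+-mnemonic$ ]] || { echo "Invalid LABS_INFRA_MNEMONIC_SECRET_NAME" >&2; exit 1; }` inside the `-n` branch; both names added by this commit satisfy it. The value is read from the process environment in the `@@ -17,6 +17,9 @@` hunk, while this commit defines it in the `.env` files. The code that loads the env file is outside these hunks, so confirm the variable is exported before this script computes `MNEMONIC_SECRET`.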
@@ -78,7 +88,7 @@ declare -A SECRET_MAPPINGS=( ["ROLLUP_DEPLOYMENT_PRIVATE_KEY"]="${L1_NETWORK}-labs-rollup-private-key" ["OTEL_COLLECTOR_ENDPOINT"]="otel-collector-url" ["ETHERSCAN_API_KEY"]="etherscan-api-key" - ["LABS_INFRA_MNEMONIC"]="${L1_NETWORK}-labs-${NETWORK}-mnemonic" + ["LABS_INFRA_MNEMONIC"]="${MNEMONIC_SECRET}" ["STORE_SNAPSHOT_URL"]="r2-account-id" ["R2_ACCESS_KEY_ID"]="r2-access-key-id" ["R2_SECRET_ACCESS_KEY"]="r2-secret-access-key" @@ -95,6 +105,13 @@ JSON_SECRETS=( # Replace placeholders with actual secrets for env_var in "${!SECRET_MAPPINGS[@]}"; do secret_name="${SECRET_MAPPINGS[$env_var]}" + + # Skip if the variable doesn't contain REPLACE_WITH_GCP_SECRET at all + if ! grep -q "^${env_var}=.*REPLACE_WITH_GCP_SECRET" "$ENV_FILE"; then + echo "Skipping $env_var (no placeholder value)" + continue + fi + echo "Fetching secret: $secret_name for $env_var" if grep -q "^${env_var}=REPLACE_WITH_GCP_SECRET" "$ENV_FILE"; then diff --git a/spartan/terraform/deploy-aztec-infra/main.tf b/spartan/terraform/deploy-aztec-infra/main.tf index a87fad98865b..48f514059b5f 100644 --- a/spartan/terraform/deploy-aztec-infra/main.tf +++ b/spartan/terraform/deploy-aztec-infra/main.tf @@ -36,6 +36,9 @@ provider "helm" { } module "web3signer" { + # Only deploy web3signer if we have validators or provers that need to publish to L1 + count = tonumber(var.VALIDATOR_REPLICAS) > 0 || (tonumber(var.PROVER_REPLICAS) > 0 && !var.PROVER_NODE_DISABLE_PROOF_PUBLISH) ? 1 : 0 + source = "../modules/web3signer" NAMESPACE = var.NAMESPACE RELEASE_NAME = var.RELEASE_PREFIX @@ -122,7 +125,7 @@ locals { wait = true } : null - validators = { + validators = tonumber(var.VALIDATOR_REPLICAS) > 0 ? { name = "${var.RELEASE_PREFIX}-validator" chart = "aztec-validator" values = [ 
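Review bot: The new skip branch in the `@@ -95,6 +105,13 @@` hunk treats every line without the placeholder the same way. An explicitly empty value, a variable missing from `$ENV_FILE`, and a literal value pasted into the file all produce the same "Skipping" message. For the variables in `SECRET_MAPPINGS`, a non-empty literal may mean a credential was committed to the environment file, and that case deserves a warning on stderr rather than a silent skip. Before `continue`, add: `grep -Eq "^${env_var}=(\"\"|'')?$" "$ENV_FILE" || echo "WARNING: $env_var has no placeholder and is not empty in $ENV_FILE" >&2`. This also fires when the variable is absent, which is worth surfacing too. The loop body continues past the end of the hunk.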
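Review bot: Adding `count` to `module "web3signer"` changes its address from `module.web3signer` to `module.web3signer[0]`, and nothing visible in this hunk tells Terraform that the two are the same object. On environments that already have the signer deployed, check the plan for a destroy-and-create of the release, which matters for a component that holds signing keys. If one shows up, a `moved` block from `module.web3signer` to `module.web3signer[0]` avoids it. Any reference to the module's outputs outside this hunk also needs the `[0]` index, guarded for the case where the count is 0. Wrapping the whole condition in parentheses before `? 1 : 0` would make the intended precedence explicit.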
@@ -152,7 +155,6 @@ locals { "validator.slash.offenseExpirationRounds" = var.SLASH_OFFENSE_EXPIRATION_ROUNDS "validator.slash.maxPayloadSize" = var.SLASH_MAX_PAYLOAD_SIZE "validator.node.env.TRANSACTIONS_DISABLED" = var.TRANSACTIONS_DISABLED - "validator.node.env.NETWORK" = var.NETWORK "validator.node.env.KEY_INDEX_START" = var.VALIDATOR_MNEMONIC_START_INDEX "validator.node.env.PUBLISHER_KEY_INDEX_START" = var.VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX "validator.node.env.VALIDATORS_PER_NODE" = var.VALIDATORS_PER_NODE @@ -166,7 +168,7 @@ locals { boot_node_host_path = "validator.node.env.BOOT_NODE_HOST" bootstrap_nodes_path = "validator.node.env.BOOTSTRAP_NODES" wait = true - } + } : null prover = { name = "${var.RELEASE_PREFIX}-prover" 
@@ -176,27 +178,29 @@ locals { "prover.yaml", "prover-resources-${var.PROVER_RESOURCE_PROFILE}.yaml" ] - custom_settings = { - "node.mnemonic" = var.PROVER_MNEMONIC - "node.mnemonicStartIndex" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX - "node.node.proverRealProofs" = var.PROVER_REAL_PROOFS - "node.web3signerUrl" = "http://${var.RELEASE_PREFIX}-signer-web3signer.${var.NAMESPACE}.svc.cluster.local:9000/" - "node.node.env.NETWORK" = var.NETWORK - "node.node.env.PROVER_FAILED_PROOF_STORE" = var.PROVER_FAILED_PROOF_STORE - "node.node.env.KEY_INDEX_START" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX - "node.node.env.PUBLISHER_KEY_INDEX_START" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX - "node.node.env.PUBLISHERS_PER_PROVER" = var.PROVER_PUBLISHERS_PER_PROVER - "node.node.env.PROVER_NODE_DISABLE_PROOF_PUBLISH" = var.PROVER_NODE_DISABLE_PROOF_PUBLISH - "node.node.env.P2P_TX_POOL_DELETE_TXS_AFTER_REORG" = var.P2P_TX_POOL_DELETE_TXS_AFTER_REORG - "broker.node.proverRealProofs" = var.PROVER_REAL_PROOFS - "broker.node.env.NETWORK" = var.NETWORK - "broker.node.env.BOOTSTRAP_NODES" = "asdf" - "agent.node.proverRealProofs" = var.PROVER_REAL_PROOFS - "agent.node.env.NETWORK" = var.NETWORK - "agent.replicaCount" = var.PROVER_REPLICAS - "agent.node.env.BOOTSTRAP_NODES" = "asdf" - "agent.node.env.AGENT_COUNT" = var.PROVER_AGENTS_PER_PROVER - } + custom_settings = merge( + { + "node.mnemonic" = var.PROVER_MNEMONIC + "node.mnemonicStartIndex" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX + "node.node.proverRealProofs" = var.PROVER_REAL_PROOFS + "node.node.env.PROVER_FAILED_PROOF_STORE" = var.PROVER_FAILED_PROOF_STORE + "node.node.env.KEY_INDEX_START" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX + "node.node.env.PUBLISHER_KEY_INDEX_START" = var.PROVER_PUBLISHER_MNEMONIC_START_INDEX + "node.node.env.PUBLISHERS_PER_PROVER" = var.PROVER_PUBLISHERS_PER_PROVER + "node.node.env.PROVER_NODE_DISABLE_PROOF_PUBLISH" = var.PROVER_NODE_DISABLE_PROOF_PUBLISH + 
"node.node.env.P2P_TX_POOL_DELETE_TXS_AFTER_REORG" = var.P2P_TX_POOL_DELETE_TXS_AFTER_REORG + "broker.node.proverRealProofs" = var.PROVER_REAL_PROOFS + "broker.node.env.BOOTSTRAP_NODES" = "asdf" + "agent.node.proverRealProofs" = var.PROVER_REAL_PROOFS + "agent.replicaCount" = var.PROVER_REPLICAS + "agent.node.env.BOOTSTRAP_NODES" = "asdf" + "agent.node.env.AGENT_COUNT" = var.PROVER_AGENTS_PER_PROVER + }, + # Only set web3signerUrl if proof publishing is enabled + !var.PROVER_NODE_DISABLE_PROOF_PUBLISH ? { + "node.web3signerUrl" = "http://${var.RELEASE_PREFIX}-signer-web3signer.${var.NAMESPACE}.svc.cluster.local:9000/" + } : {} + ) boot_node_host_path = "node.node.env.BOOT_NODE_HOST" bootstrap_nodes_path = "node.node.env.BOOTSTRAP_NODES" wait = true @@ -235,7 +239,6 @@ locals { custom_settings = { "nodeType" = "rpc" "replicaCount" = var.RPC_REPLICAS - "node.env.NETWORK" = var.NETWORK "node.proverRealProofs" = var.PROVER_REAL_PROOFS "ingress.rpc.enabled" = var.RPC_INGRESS_ENABLED "ingress.rpc.host" = var.RPC_INGRESS_HOST @@ -258,7 +261,6 @@ locals { ] custom_settings = { "nodeType" = "archive" - "node.env.NETWORK" = var.NETWORK "node.env.P2P_ARCHIVED_TX_LIMIT" = "10000000" "node.env.P2P_TX_POOL_DELETE_TXS_AFTER_REORG" = var.P2P_TX_POOL_DELETE_TXS_AFTER_REORG }
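Review bot: With `PROVER_NODE_DISABLE_PROOF_PUBLISH` set, the merged `custom_settings` map drops `node.web3signerUrl` but still hands `node.mnemonic` (`var.PROVER_MNEMONIC`) and the publisher key indices to the prover release. If the chart only uses the mnemonic for L1 publishing, which these hunks do not show, it belongs in the conditional map as well so that a non-publishing prover never receives key material. That means moving `"node.mnemonic"` and `"node.mnemonicStartIndex"` next to `"node.web3signerUrl"`. The comment on the second `merge` argument should also say that the `web3signer` module's `count` is gated by the same flag, since the two conditions have to stay in step.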