Merge pull request #50 from ethersphere/clef-keys

ethersphere · Oct 7, 2020 · 186a4bf · 186a4bf
2 parents 96e4362 + a928a7a
commit 186a4bf
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 39 deletions.
diff --git a/charts/bee/Chart.yaml b/charts/bee/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 appVersion: latest
 name: bee
-version: 0.5.15
+version: 0.5.16
 description: Ethereum Swarm Bee Helm chart for Kubernetes
 home: https://swarm.ethereum.org
 icon: https://swarm-guide.readthedocs.io/en/latest/_images/swarm.png

diff --git a/charts/bee/README.md b/charts/bee/README.md
@@ -86,7 +86,7 @@ apps:
     namespace: bee
     description: "Ethereum Swarm Bee"
     chart: "ethersphere/bee"
-    version: "0.5.14"
+    version: "0.5.16"
     enabled: true
     set:
       beeConfig.bootnode: # bootnode multi address
@@ -118,7 +118,7 @@ apps:
     namespace: bee
     description: "Ethereum Swarm Bee"
     chart: "ethersphere/bee"
-    version: "0.5.14"
+    version: "0.5.16"
     enabled: true
     set:
       beeConfig.bootnode: "/dns4/bee-0-headless.bee.svc.cluster.local/tcp/7070/p2p/16Uiu2HAm6i4dFaJt584m2jubyvnieEECgqM2YMpQ9nusXfy8XFzL"

diff --git a/charts/bee/templates/_helpers.tpl b/charts/bee/templates/_helpers.tpl
@@ -170,3 +170,25 @@ Get the swarm key to be retrieved from the secret.
 {{- printf "swarmKeys" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get the clefKeys secret.
+*/}}
+{{- define "bee.clefKeysSecretName" -}}
+{{- if .Values.clefSettings.existingSecret -}}
+{{- printf "%s" .Values.clefSettings.existingSecret -}}
+{{- else -}}
+{{- printf "%s-clef" (include "bee.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the clef key to be retrieved from the secret.
+*/}}
+{{- define "bee.clefKeysSecretKey" -}}
+{{- if and .Values.clefSettings.existingSecret .Values.clefSettings.existingSecretClefKey -}}
+{{- printf "%s" .Values.swarmSettings.existingSecretClefKey -}}
+{{- else -}}
+{{- printf "clefKeys" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/bee/templates/secret-clefkeys.yaml b/charts/bee/templates/secret-clefkeys.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.clefSettings.enabled (not .Values.clefSettings.existingSecret) -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "bee.fullname" . }}-clef
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "bee.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  clefKeys: |-
+    {{- range $key, $val := .Values.clefSettings.clefKeys }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+    
+{{- end -}}
diff --git a/charts/bee/templates/statefulset.yaml b/charts/bee/templates/statefulset.yaml
@@ -85,6 +85,26 @@ spec:
             - name: bee-swarm
               mountPath: /tmp/bee
         {{- end }}
+        {{- if .Values.clefSettings.enabled }}
+        - name: init-clef
+          image: ethersphere/clef:latest
+          command:
+            - sh
+            - -c
+            - >
+              export INDEX=$(echo $(hostname) | rev | cut -d'-' -f 1 | rev);
+              mkdir -p /root/.clef/keys;
+              export KEY=$(cat /tmp/bee/clef.map | grep bee-${INDEX}: | cut -d' ' -f2);
+              if [ -z "${KEY}" ]; then exit 0; fi;
+              printf '%s' "${KEY}" > /root/.clef/keys/clef.key;
+              /entrypoint.sh init {{ .Values.clefSettings.keySecret }};
+              echo 'clef initialization done';
+          volumeMounts:
+            - name: clef
+              mountPath: /root/.clef
+            - name: bee-clef
+              mountPath: /tmp/bee
+        {{- end }}
         {{- if .Values.p2pFixedPort.enabled }}
         - name: init-natport
           image: busybox:1.28
@@ -167,39 +187,22 @@ spec:
               mountPath: /home/bee/.secret
               readOnly: true
             {{- end }}
-        {{- if .Values.clefSidecar.enabled }}
+        {{- if .Values.clefSettings.enabled }}
         - name: clef
-          image: "ethereum/client-go:alltools-stable"
+          image: ethersphere/clef:latest
           imagePullPolicy: IfNotPresent
-          env:
-          {{- if .Values.beeConfig.usePasswordFile }}
-          - name: SECRET_FILE
-            value: /secret/password
-          {{- else }}
-          - name: SECRET
-            value: {{ include "bee.password" . }}
-          {{- end }}
           command:
-            - sh
-            - -c
-            - >
-              if [ -n "${SECRET_FILE+x}" ]; then export SECRET=$(cat $SECRET_FILE); fi;
-              wget -q https://gist.githubusercontent.com/vandot/5063ca7ac3e845261faa5b04053d0a10/raw/50cdcb350fd137e5985b48dc9ac4d8f33217706a -O /clef.sh;
-              chmod +x /clef.sh;
-              /clef.sh ${SECRET};
+            - /entrypoint.sh
+            - run
+            - {{ .Values.clefSettings.keySecret }}
           ports:
             - containerPort: 8550
               name: api
               protocol: TCP
           volumeMounts:
-            - name: data
-              mountPath: /bee
-              readOnly: true
-            {{- if .Values.beeConfig.usePasswordFile }}
-            - name: bee-secret
-              mountPath: /secret
-              readOnly: true
-            {{- end }}
+            - name: clef
+              mountPath: /root/.clef
+              readOnly: false
         {{- end }}
       volumes:
         - name: config-file
@@ -231,6 +234,16 @@ spec:
               - key: {{ template "bee.swarmKeysSecretKey" . }}
                 path: swarm.map
         {{- end }}
+        {{- if .Values.clefSettings.enabled }}
+        - name: clef
+          emptyDir: {}
+        - name: bee-clef
+          secret:
+            secretName: {{ template "bee.clefKeysSecretName" . }}
+            items:
+              - key: {{ template "bee.clefKeysSecretKey" . }}
+                path: clef.map
+        {{- end }}
   {{- if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}
@@ -241,7 +254,7 @@ spec:
       labels:
         {{- include "bee.labelsVCT" . | nindent 8 }}
     spec:
-      accessModes: 
+      accessModes:
         - {{ .Values.persistence.accessMode | quote }}
       resources:
         requests:

diff --git a/charts/bee/values.yaml b/charts/bee/values.yaml
@@ -49,11 +49,6 @@ p2pFixedPort:
   enabled: false
   nodePortStart: 31000
 
-## If enabled it will start clef sidecar container that will auto approve every request
-## Use only for testing
-clefSidecar:
-  enabled: false
-
 ## If enabled, creates ingress for HTTP api
 ## Creates one ingress per pod and additionally one common ingress for all pods
 ## Total number of created ingress objects is: replicaCount + 1
@@ -224,8 +219,8 @@ beeConfig:
   ## Send a welcome message string during handshakes
   welcomeMessage: "Welcome to the Swarm, you are Bee-ing connected!"
 
-## if enabled, configures pods with defined libp2p keys
-## libp2p keys are pregenerated examples and can be replaced with other values
+## If enabled, configures pods with defined libp2p keys
+## Libp2p keys are pregenerated examples and can be replaced with other values
 ## pods without specified key will autogenerate it during start
 libp2pSettings:
   enabled: false
@@ -234,12 +229,22 @@ libp2pSettings:
   ## Use existing secret (ignores previous libp2pKeys)
   # existingSecret:
 
-## if enabled, configures pods with defined swarm keys
-## swarm keys are pregenerated examples and can be replaced with other values
-## pods without specified key will autogenerate it during start
+## If enabled, configures pods with defined swarm keys
+## Swarm keys are pregenerated examples and can be replaced with other values
+## Pods without specified key will autogenerate it during start
 swarmSettings:
   enabled: false
   swarmKeys:
     bee-0: '{"address":"f176839c150e52fe30e5c2b5c648465c6fdfa532","crypto":{"cipher":"aes-128-ctr","ciphertext":"352af096f0fca9dfbd20a6861bde43d988efe7f179e0a9ffd812a285fdcd63b9","cipherparams":{"iv":"613003f1f1bf93430c92629da33f8828"},"kdf":"scrypt","kdfparams":{"n":32768,"r":8,"p":1,"dklen":32,"salt":"ad1d99a4c64c95c26131e079e8c8a82221d58bf66a7ceb767c33a4c376c564b8"},"mac":"cafda1bc8ca0ffc2b22eb69afd1cf5072fd09412243443be1b0c6832f57924b6"},"version":3}'
   ## Use existing secret (ignores previous swarmKeys)
   # existingSecret:
+
+## If enabled it will start clef sidecar container that will auto approve every request
+## Clef keys are pregenerated examples and can be replaced with other values
+clefSettings:
+  enabled: false
+  clefKeys:
+    bee-0: '{"address":"fd50ede4954655b993ed69238c55219da7e81acf","crypto":{"cipher":"aes-128-ctr","ciphertext":"1c0f603b0dffe53294c7ca02c1a2800d81d855970db0df1a84cc11bc1d6cf364","cipherparams":{"iv":"11c9ac512348d7ccfe5ee59d9c9388d3"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"f6d7a0947da105fa5ef70fa298f65409d12967108c0e6260f847dc2b10455b89"},"mac":"fc6585e300ad3cb21c5f648b16b8a59ca33bcf13c58197176ffee4786628eaeb"},"id":"4911f965-b425-4011-895d-a2008f859859","version":3}'
+  keySecret: clefbeesecret
+  ## Use existing secret (ignores previous clefKeys)
+  # existingSecret: