feat(op-signer/gen-local-creds): parameterize gen script #265
@edobry have you thought about moving this to the Makefile? I think this is a good candidate because the command generates real targets (files).
```sh
process_clients() {
    generator="$1"
    for hostname in $CLIENT_HOSTNAMES; do
```
It looks like this will generate a certificate per hostname in the case of `process_clients generate_client_tls`. Why create a cert per hostname instead of including multiple DNS SANs in the single cert? I think multiple SANs is the real-world way a client would be identified by multiple DNS names.
the intention is to create multiple keys to be used by multiple services (see here)
```sh
generate_ca() {
    local force="$1"
    [ "$force" = "true" ] || [ ! -f "$CA_CERT" ] || return 0
```
Make does this by default, which is why I was thinking it might make sense to move this to the Makefile
it would probably be good to move to the Makefile and leverage this feature, however I'm loath to invest in it as most OP Labs projects have transitioned to using just. could be good to migrate this one as well in a future PR
Force-pushed 5a903a5 to 0e005dc
This PR provisions an `op-signer` instance per network in order to support signing batcher/proposer/challenger transactions. It leverages the local KMS support added in [this PR](ethereum-optimism/infra#252) in order to reuse the existing client private keys, which it converts from raw hex strings to PEM format. It uses the `op-signer/gen-local-creds.sh` script (updated in [this PR](ethereum-optimism/infra#265)) to generate mTLS credentials to authenticate connections between `op-signer` and its clients. Resolves https://github.com/ethereum-optimism/platforms-team/issues/581.
* parameterize gen-local-tls further
* add cases to enable constrained generation
* rename to gen-local-creds
* sh compatibility
* don't overwrite TLS_DIR
* rename client_key to client_signing_key
This PR parameterizes and renames the `gen-local-tls.sh` script to `gen-local-creds.sh` to enable users to generate a subset of credentials, intended to enable its usage in `optimism-package`. It adds a CLI parameter taking one of `{ca,client_tls,client_signing_key,all}`, determining what the script will do. It also enables generating TLS credentials for multiple client hostnames in a single run, which is useful for Kurtosis. In support of https://github.com/ethereum-optimism/platforms-team/issues/581.