add da client can init with gcs seed

cronos-labs · Nov 8, 2024 · ba7295d · ba7295d
1 parent 63535ef
commit ba7295d
Show file tree

Hide file tree

Showing 10 changed files with 251 additions and 17 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/lib/config/src/configs/da_client/avail.rs b/core/lib/config/src/configs/da_client/avail.rs
@@ -13,4 +13,5 @@ pub struct AvailConfig {
 #[derive(Clone, Debug, PartialEq)]
 pub struct AvailSecrets {
     pub seed_phrase: Option<SeedPhrase>,
+    pub private_key: Option<String>,
 }
diff --git a/core/lib/config/src/testonly.rs b/core/lib/config/src/testonly.rs
@@ -950,6 +950,7 @@ impl Distribution<configs::secrets::DataAvailabilitySecrets> for EncodeDist {
     fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> configs::secrets::DataAvailabilitySecrets {
         configs::secrets::DataAvailabilitySecrets::Avail(configs::da_client::avail::AvailSecrets {
             seed_phrase: Some(SeedPhrase(Secret::new(self.sample(rng)))),
+            private_key: None,
         })
     }
 }

diff --git a/core/lib/env_config/Cargo.toml b/core/lib/env_config/Cargo.toml
@@ -18,5 +18,11 @@ anyhow.workspace = true
 serde.workspace = true
 envy.workspace = true
 
+google-cloud-kms = "0.5.1"
+google-cloud-storage = "0.22.1"
+hex = "0.4.3"
+tokio = { workspace = true, features = ["rt"] }
+rustls = "0.23"
+
 [dev-dependencies]
 zksync_system_constants.workspace = true
diff --git a/core/lib/env_config/src/da_client.rs b/core/lib/env_config/src/da_client.rs
@@ -8,7 +8,7 @@ use zksync_config::configs::{
     secrets::DataAvailabilitySecrets,
 };
 
-use crate::{envy_load, FromEnv};
+use crate::{envy_load, gcloud_encrypted_seed::retrieve_seed_from_gcloud, FromEnv};
 
 impl FromEnv for DAClientConfig {
     fn from_env() -> anyhow::Result<Self> {
@@ -30,11 +30,31 @@ impl FromEnv for DataAvailabilitySecrets {
         let client_tag = std::env::var("DA_CLIENT")?;
         let secrets = match client_tag.as_str() {
             AVAIL_CLIENT_CONFIG_NAME => {
+                let from_gcs = if let Some(secrets_from_gcs_tag) = env::var("DA_SECRETS_FROM_GCS").ok() {
+                    secrets_from_gcs_tag == "true"
+                } else {
+                    false
+                };
+
+                let _seed = match from_gcs {
+                    true => {
+                       let gcs_bucket_name = std::env::var("DA_SECRETS_GCS_BUCKET_NAME")
+                       .ok()
+                       .expect("Failed to get DA client secrets from GCS bucket");
+                       let decrypt_key_name = std::env::var("DA_SECRETS_KMS_DECRYPT_KEY_NAME")
+                       .ok()
+                       .expect("Failed to get DA client secrets KMS decrypt key");
+
+                       Some(retrieve_seed_from_gcloud(decrypt_key_name, gcs_bucket_name))
+                    },
+                    false => None,
+                };
+
                 let seed_phrase = env::var("DA_SECRETS_SEED_PHRASE")
                     .ok()
                     .map(|s| s.parse())
                     .transpose()?;
-                Self::Avail(AvailSecrets { seed_phrase })
+                Self::Avail(AvailSecrets { seed_phrase: seed_phrase, private_key:  _seed})
             }
             _ => anyhow::bail!("Unknown DA client name: {}", client_tag),
         };