[CLI] Cannot run make localnet_client_debug: Cannot initialise the keybase with the validator keys: Unable to find YAML file

app/client/cli/debug.go

@@ -49,17 +49,10 @@ var (
 	// HACK(#416): This is a temporary solution that guarantees backward compatibility while we implement peer discovery
 	validators []*coreTypes.Actor
 
-	configPath  string = getEnv("CONFIG_PATH", "build/config/config1.json")
-	genesisPath string = getEnv("GENESIS_PATH", "build/config/genesis.json")
+	configPath  string = runtime.GetEnv("CONFIG_PATH", "build/config/config1.json")
+	genesisPath string = runtime.GetEnv("GENESIS_PATH", "build/config/genesis.json")
 )
 
-func getEnv(key, defaultValue string) string {
-	if value, ok := os.LookupEnv(key); ok {
-		return value
-	}
-	return defaultValue
-}
-
 func init() {
 	debugCmd := NewDebugCommand()
 	rootCmd.AddCommand(debugCmd)

app/client/doc/CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.0.0.14] - 2023-02-16
+
+- Introduced logical switch to handle parsing of the debug private keys from a local file OR from Kubernetes secret
+
 ## [0.0.0.13] - 2023-02-14
 
 - Fixed `docgen` to work from the root of the repository

app/client/keybase/debug/keystore.go

@@ -7,11 +7,15 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"runtime"
+	r "runtime"
 
 	"github.com/pokt-network/pocket/app/client/keybase"
-	"github.com/pokt-network/pocket/shared/crypto"
+	"github.com/pokt-network/pocket/runtime"
+	cryptoPocket "github.com/pokt-network/pocket/shared/crypto"
+	"github.com/pokt-network/pocket/shared/k8s"
 	"gopkg.in/yaml.v2"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 const (
@@ -34,43 +38,26 @@ func init() {
 	}
 	debugKeybasePath = homeDir + debugKeybaseSuffix
 
-	if err := InitialiseDebugKeybase(); err != nil { // Initialise the debug keybase with the 999 validators
+	if err := initializeDebugKeybase(); err != nil { // Initialise the debug keybase with the 999 validators
 		log.Fatalf("[ERROR] Cannot initialise the keybase with the validator keys: %s", err.Error())
 	}
 }
 
-// Struct to process the yaml file of pre-generated private-keys
-type yamlConfig struct {
-	ApiVersion string            `yaml:"apiVersion"`
-	Kind       string            `yaml:"kind"`
-	MetaData   map[string]string `yaml:"metadata"`
-	Type       string            `yaml:"type"`
-	StringData map[string]string `yaml:"stringData"`
-}
-
-// Creates/Opens the DB and initialises the keys from the pre-generated YAML file of private keys
-func InitialiseDebugKeybase() error {
-	// BUG: When running the CLI using the build binary (i.e. `p1`), it searched for the private-keys.yaml file in `github.com/pokt-network/pocket/build/localnet/manifests/private-keys.yaml`
-	// Get private keys from manifest file
-	_, current, _, _ := runtime.Caller(0)
-	//nolint:gocritic // Use path to find private-keys yaml file from being called in any location in the repo
-	yamlFile := filepath.Join(current, privateKeysYamlFile)
+func initializeDebugKeybase() error {
+	var (
+		validatorKeysPairMap map[string]string
+		err                  error
+	)
 
-	if exists, err := fileExists(yamlFile); !exists || err != nil {
-		return fmt.Errorf("Unable to find YAML file: %s", yamlFile)
+	if runtime.IsProcessRunningInsideKubernetes() {
+		validatorKeysPairMap, err = fetchValidatorPrivateKeysFromK8S()
+	} else {
+		validatorKeysPairMap, err = fetchValidatorPrivateKeysFromFile()
 	}
-
-	// Parse the YAML file and load into the yamlConfig struct
-	yamlData, err := os.ReadFile(yamlFile)
 	if err != nil {
 		return err
 	}
 
-	var config yamlConfig
-	if err := yaml.Unmarshal(yamlData, &config); err != nil {
-		return err
-	}
-
 	// Create/Open the keybase at `$HOME/.pocket/keys`
 	kb, err := keybase.NewKeybase(debugKeybasePath)
 	if err != nil {
@@ -86,11 +73,12 @@ func InitialiseDebugKeybase() error {
 
 	// Add validator addresses if not present
 	if len(curAddr) < numValidators {
+		fmt.Println("Rehydrating keybase from private-keys.yaml ...")
 		// Use writebatch to speed up bulk insert
 		wb := db.NewWriteBatch()
-		for _, privHexString := range config.StringData {
+		for _, privHexString := range validatorKeysPairMap {
 			// Import the keys into the keybase with no passphrase or hint as these are for debug purposes
-			keyPair, err := crypto.CreateNewKeyFromString(privHexString, "", "")
+			keyPair, err := cryptoPocket.CreateNewKeyFromString(privHexString, "", "")
 			if err != nil {
 				return err
 			}
@@ -120,6 +108,58 @@ func InitialiseDebugKeybase() error {
 	return nil
 }
 
+func fetchValidatorPrivateKeysFromK8S() (map[string]string, error) {
+	// Initialize Kubernetes client
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize Kubernetes config: %w", err)
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize Kubernetes client: %w", err)
+	}
+
+	// Fetch validator private keys from Kubernetes
+	validatorKeysPairMap, err := k8s.FetchValidatorPrivateKeys(clientset)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch validator private keys from Kubernetes: %w", err)
+	}
+	return validatorKeysPairMap, nil
+}
+
+func fetchValidatorPrivateKeysFromFile() (map[string]string, error) {
+	// BUG: When running the CLI using the build binary (i.e. `p1`), it searched for the private-keys.yaml file in `github.com/pokt-network/pocket/build/localnet/manifests/private-keys.yaml`
+	// Get private keys from manifest file
+	_, current, _, _ := r.Caller(0)
+	//nolint:gocritic // Use path to find private-keys yaml file from being called in any location in the repo
+	yamlFile := filepath.Join(current, privateKeysYamlFile)
+	if exists, err := fileExists(yamlFile); !exists || err != nil {
+		return nil, fmt.Errorf("unable to find YAML file: %s", yamlFile)
+	}
+
+	// Parse the YAML file and load into the config struct
+	yamlData, err := os.ReadFile(yamlFile)
+	if err != nil {
+		return nil, err
+	}
+	var config struct {
+		ApiVersion string            `yaml:"apiVersion"`
+		Kind       string            `yaml:"kind"`
+		MetaData   map[string]string `yaml:"metadata"`
+		Type       string            `yaml:"type"`
+		StringData map[string]string `yaml:"stringData"`
+	}
+	if err := yaml.Unmarshal(yamlData, &config); err != nil {
+		return nil, err
+	}
+	validatorKeysMap := make(map[string]string)
+
+	for id, privHexString := range config.StringData {
+		validatorKeysMap[id] = privHexString
+	}
+	return validatorKeysMap, nil
+}
+
 // Check file at the given path exists
 func fileExists(path string) (bool, error) {
 	_, err := os.Stat(path)

build/docs/CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.0.0.15] - 2023-02-16
+
+- Added manifests to handle `Roles`, `RoleBindings` and `ServiceAccounts` and referenced them in the `Tiltfile`
+- Updated `cli-client.yaml` to bind the `debug-client-account` `ServiceAccount` that has permissions to read the private keys from the `Secret`
+
 ## [0.0.0.14] - 2023-02-09
 
 - Updated all `config*.json` files with new `server_mode_enabled` field (for state sync)

build/localnet/Tiltfile

@@ -120,6 +120,9 @@ k8s_yaml(
         "manifests/configs.yaml",
         "manifests/cli-client.yaml",
         "manifests/network.yaml",
+        "manifests/roles.yaml",
+        "manifests/service-accounts.yaml",
+        "manifests/role-bindings.yaml",
         local(
             "templates/v1-validator-template.sh %s"
             % localnet_config["validators"]["count"],

build/localnet/manifests/cli-client.yaml

@@ -15,6 +15,7 @@ spec:
       labels:
         app: v1-cli-client
     spec:
+      serviceAccountName: debug-client-account
       containers:
         - name: pocket
           image: client-image

build/localnet/manifests/role-bindings.yaml

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: debug-client-binding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: debug-client-account
+    apiGroup: ""
+roleRef:
+  kind: Role
+  name: private-keys-viewer
+  apiGroup: ""

build/localnet/manifests/roles.yaml

@@ -0,0 +1,10 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: private-keys-viewer
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["v1-localnet-validators-private-keys"]
+    verbs: ["get"]

build/localnet/manifests/service-accounts.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: debug-client-account
+  namespace: default

go.mod

@@ -31,8 +31,10 @@ require (
 	github.com/rs/zerolog v1.27.0
 	github.com/spf13/cobra v1.6.0
 	github.com/spf13/viper v1.13.0
-	golang.org/x/term v0.2.0
+	golang.org/x/term v0.3.0
 	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/apimachinery v0.26.1
+	k8s.io/client-go v0.26.1
 )
 
 require (
@@ -60,25 +62,45 @@ require (
 	github.com/prometheus/client_golang v1.13.0
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jackc/puddle/v2 v2.1.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/lib/pq v1.10.6 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sync v0.1.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gotest.tools v2.2.0+incompatible // indirect
+	k8s.io/api v0.26.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
+	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 require (
@@ -116,8 +138,8 @@ require (
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/tools v0.3.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect