chore(spartan): remove hardcoded keys and addresses - derive all from mnemonic

spartan/aztec-network/eth-devnet/create.sh

@@ -5,7 +5,7 @@ set -euo pipefail
 DIR_PATH=$(git rev-parse --show-toplevel)/spartan/aztec-network/eth-devnet
 
 ## Genesis configuration values are provided as environment variables
-NUMBER_OF_KEYS=${NUMBER_OF_KEYS:-16}
+PREFUNDED_MNEMONIC_INDICES=${PREFUNDED_MNEMONIC_INDICES:-"0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,1000,1001,1002,1003"}
 MNEMONIC=${MNEMONIC:-"test test test test test test test test test test test junk"}
 BLOCK_TIME=${BLOCK_TIME:-"12"}
 GAS_LIMIT=${GAS_LIMIT:-"1000000000"}
@@ -43,9 +43,11 @@ function create_execution_genesis {
   # If mnemonic is provided, add prefunded accounts
   if [[ -n "${MNEMONIC:-}" ]]; then
     echo "Prefunding accounts with mnemonic: $MNEMONIC"
-    echo "Number of keys: $NUMBER_OF_KEYS"
+    echo "Key indices: $PREFUNDED_MNEMONIC_INDICES"
 
-    updated_json=$(prefund_accounts "$updated_json" "$MNEMONIC" "$NUMBER_OF_KEYS")
+    updated_json=$(prefund_accounts "$updated_json" "$MNEMONIC" "$PREFUNDED_MNEMONIC_INDICES")
+  else
+    echo "No mnemonic provided, skipping prefunding"
   fi
 
   # Update the gas limit to the configured value
@@ -65,14 +67,16 @@ function create_execution_genesis {
 function prefund_accounts {
   local genesis_json="$1"
   local mnemonic="$2"
-  local number_of_keys="$3"
+  local key_indices="$3"
   local updated_json="$genesis_json"
 
   # Initialize array to store addresses
   declare -a VALIDATOR_ADDRESSES_LIST
 
-  # Generate addresses from mnemonic
-  for i in $(seq 0 $(($number_of_keys - 1))); do
+  # Generate addresses from key indices from mnemonic
+  # Creates an array of key_indices
+  IFS=',' read -ra INDICES <<< "$key_indices"
+  for i in "${INDICES[@]}"; do
     # Get private key and address
     PRIVATE_KEY=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $i)
     ADDRESS=$(cast wallet address "$PRIVATE_KEY")

spartan/aztec-network/files/config/config-validator-env.sh

@@ -20,11 +20,6 @@ reward_distributor_address=$(echo "$output" | grep -oP 'RewardDistributor Addres
 governance_proposer_address=$(echo "$output" | grep -oP 'GovernanceProposer Address: \K0x[a-fA-F0-9]{40}')
 governance_address=$(echo "$output" | grep -oP 'Governance Address: \K0x[a-fA-F0-9]{40}')
 slash_factory_address=$(echo "$output" | grep -oP 'SlashFactory Address: \K0x[a-fA-F0-9]{40}')
-# We assume that there is an env var set for validator keys from the config map
-# We get the index in the config map from the pod name, which will have the validator index within it
-
-INDEX=$(echo $POD_NAME | awk -F'-' '{print $NF}')
-private_key=$(jq -r ".[$INDEX]" /app/config/keys.json)
 
 # Write the addresses to a file in the shared volume
 cat <<EOF >/shared/contracts/contracts.env
@@ -41,9 +36,6 @@ export REWARD_DISTRIBUTOR_CONTRACT_ADDRESS=$reward_distributor_address
 export GOVERNANCE_PROPOSER_CONTRACT_ADDRESS=$governance_proposer_address
 export GOVERNANCE_CONTRACT_ADDRESS=$governance_address
 export SLASH_FACTORY_CONTRACT_ADDRESS=$slash_factory_address
-export VALIDATOR_PRIVATE_KEY=$private_key
-export L1_PRIVATE_KEY=$private_key
-export SEQ_PUBLISHER_PRIVATE_KEY=$private_key
 EOF
 
 cat /shared/contracts/contracts.env

spartan/aztec-network/files/config/deploy-l1-contracts.sh

@@ -3,6 +3,7 @@ set -exu
 
 SALT=${1:-$RANDOM}
 CHAIN_ID=$2
+VALIDATOR_ADDRESSES=$3
 
 # Run the deploy-l1-contracts command and capture the output
 output=""
@@ -22,7 +23,7 @@ for attempt in $(seq 1 $MAX_RETRIES); do
 
   # Add validators if INIT_VALIDATORS is true
   if [ "${INIT_VALIDATORS:-false}" = "true" ]; then
-    output=$(eval $base_cmd --validators $3 --l1-chain-id $CHAIN_ID --salt $SALT) && break
+    output=$(eval $base_cmd --validators $VALIDATOR_ADDRESSES --l1-chain-id $CHAIN_ID --salt $SALT) && break
   else
     output=$(eval $base_cmd --l1-chain-id $CHAIN_ID --salt $SALT) && break
   fi

spartan/aztec-network/files/config/get-private-key.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -eu
+
+# We get the index in the config map from the pod name, which will have the validator index within it
+KEY_INDEX=$(echo $POD_NAME | awk -F'-' '{print $NF}')
+# Add the index to the start index to get the private key index
+PRIVATE_KEY_INDEX=$((KEY_INDEX_START + KEY_INDEX))
+
+# Get the private key from the mnemonic
+private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $PRIVATE_KEY_INDEX)
+
+# Note, currently writing both prover and sequencer keys for all nodes for convinience
+cat <<EOF >/shared/config/keys.env
+export VALIDATOR_PRIVATE_KEY=$private_key
+export L1_PRIVATE_KEY=$private_key
+export SEQ_PUBLISHER_PRIVATE_KEY=$private_key
+export PROVER_PUBLISHER_PRIVATE_KEY=$private_key
+EOF
+
+cat /shared/config/keys.env

spartan/aztec-network/files/config/get-validator-addresses.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -eu
+
+# Given a mnemonic and a start index, generate the validator addresses
+# (the number of replicas is given by the NUMBER_OF_VALIDATORS env variable)
+# Usage:
+# Requires:
+# - MNEMONIC
+# - KEY_INDEX_START
+# - NUMBER_OF_VALIDATORS
+# source /scripts/get-validator-addresses.sh
+
+# Initialize empty string for validator addresses
+VALIDATOR_ADDRESSES_LIST=""
+
+i=$KEY_INDEX_START
+while [ $i -lt $NUMBER_OF_VALIDATORS ]; do
+  # Get the private key from the mnemonic
+  private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $i)
+  address=$(cast wallet address "$private_key")
+
+  # Append address with comma if not first address
+  if [ -n "$VALIDATOR_ADDRESSES_LIST" ]; then
+    VALIDATOR_ADDRESSES_LIST="$VALIDATOR_ADDRESSES_LIST,$address"
+  else
+    VALIDATOR_ADDRESSES_LIST="$address"
+  fi
+
+  i=$((i + 1))
+done
+
+cat <<EOF >./shared/config/validator-addresses
+export VALIDATOR_ADDRESSES=$VALIDATOR_ADDRESSES_LIST
+EOF
+
+cat ./shared/config/validator-addresses

spartan/aztec-network/templates/boot-node.yaml

@@ -39,6 +39,29 @@ spec:
       initContainers:
         {{- include "aztec-network.p2pSetupContainer" . | nindent 8 }}
         {{- include "aztec-network.serviceAddressSetupContainer" . | nindent 8 }}
+
+        # Generate the validator addresses; used in the deploy-l1-contracts step
+        - name: generate-validator-addresses
+          image: {{ .Values.images.foundry.image }}
+          imagePullPolicy: {{ .Values.images.foundry.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              source /scripts/get-validator-addresses.sh
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: config
+              mountPath: /shared/config
+          env:
+            - name: KEY_INDEX_START
+              value: {{ .Values.aztec.validatorKeyIndexStart | quote }}
+            - name: MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic }}
+            - name: NUMBER_OF_VALIDATORS
+              value: {{ .Values.validator.replicas | quote }}
+
         - name: wait-for-ethereum
           {{- include "aztec-network.image" . | nindent 10 }}
           command:
@@ -61,9 +84,11 @@ spec:
               cp /scripts/deploy-l1-contracts.sh /tmp/deploy-l1-contracts.sh
               chmod +x /tmp/deploy-l1-contracts.sh
               source /shared/config/service-addresses
+              source /shared/config/validator-addresses
               {{- include "aztec-network.waitForEthereum" . | nindent 14 }}
 
-              /tmp/deploy-l1-contracts.sh "{{ .Values.aztec.l1Salt }}" "{{ .Values.ethereum.chainId }}" "{{ join "," .Values.validator.validatorAddresses }}"
+
+              /tmp/deploy-l1-contracts.sh "{{ .Values.aztec.l1Salt }}" "{{ .Values.ethereum.chainId }}" "$VALIDATOR_ADDRESSES"
           volumeMounts:
             - name: scripts-output
               mountPath: /shared/contracts
@@ -186,8 +211,6 @@ spec:
               value: "{{ .Values.bootNode.sequencer.minTxsPerBlock }}"
             - name: VALIDATOR_PRIVATE_KEY
               value: "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
-            - name: SEQ_PUBLISHER_PRIVATE_KEY
-              value: "{{ .Values.bootNode.seqPublisherPrivateKey }}"
             - name: OTEL_RESOURCE_ATTRIBUTES
               value: service.name={{ .Release.Name }},service.namespace={{ .Release.Namespace }},service.version={{ .Chart.AppVersion }},environment={{ .Values.environment | default "production" }}
             - name: PROVER_REAL_PROOFS

spartan/aztec-network/templates/prover-node.yaml

@@ -39,6 +39,30 @@ spec:
       initContainers:
         {{- include "aztec-network.serviceAddressSetupContainer" . | nindent 8 }}
         {{- include "aztec-network.p2pSetupContainer" . | nindent 8 }}
+
+        - name: get-private-key
+          image: {{ .Values.images.foundry.image }}
+          imagePullPolicy: {{ .Values.images.foundry.pullPolicy }}
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+              source /scripts/get-private-key.sh
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: config
+              mountPath: /shared/config
+          env:
+            - name: KEY_INDEX_START
+              value: {{ .Values.aztec.proverKeyIndexStart | quote }}
+            - name: MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+
         - name: wait-for-services
           {{- include "aztec-network.image" . | nindent 10 }}
           command:
@@ -95,6 +119,7 @@ spec:
             - "/bin/bash"
             - "-c"
             - |
+              source /shared/config/keys.env && \
               source /shared/contracts/contracts.env && \
               source /shared/p2p/p2p-addresses && \
               source /shared/config/service-addresses && \
@@ -152,8 +177,6 @@ spec:
               value: "{{ .Values.proverNode.proverBroker.jobTimeoutMs }}"
             - name: PROVER_BROKER_JOB_MAX_RETRIES
               value: "{{ .Values.proverNode.proverBroker.jobMaxRetries }}"
-            - name: PROVER_PUBLISHER_PRIVATE_KEY
-              value: "{{ .Values.proverNode.proverPublisherPrivateKey }}"
             - name: PROVER_NODE_TX_GATHERING_TIMEOUT_MS
               value: "{{ .Values.proverNode.txGathering.timeoutMs }}"
             - name: PROVER_NODE_TX_GATHERING_INTERVAL_MS

spartan/aztec-network/templates/scripts-configmap.yaml

@@ -15,3 +15,8 @@ data:
     {{ .Files.Get "files/config/config-prover-env.sh" | nindent 4 }}
   deploy-l1-contracts.sh: |
     {{ .Files.Get "files/config/deploy-l1-contracts.sh" | nindent 4 }}
+  get-private-key.sh: |
+    {{ .Files.Get "files/config/get-private-key.sh" | nindent 4 }}
+  get-validator-addresses.sh: |
+    {{ .Files.Get "files/config/get-validator-addresses.sh" | nindent 4 }}
+

spartan/aztec-network/templates/validator.yaml

@@ -41,6 +41,32 @@ spec:
       initContainers:
         {{- include "aztec-network.p2pSetupContainer" . | nindent 8 }}
         {{- include "aztec-network.serviceAddressSetupContainer" . | nindent 8 }}
+
+        # Get the private key from the mnemonic - based on the pod replica index
+        - name: get-private-key
+          image: {{ .Values.images.foundry.image }}
+          imagePullPolicy: {{ .Values.images.foundry.pullPolicy }}
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+              source /scripts/get-private-key.sh
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: config
+              mountPath: /shared/config
+          env:
+            - name: KEY_INDEX_START
+              value: {{ .Values.aztec.validatorKeyIndexStart | quote }}
+            - name: MNEMONIC
+              value: {{ .Values.aztec.l1DeploymentMnemonic }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+
+
         - name: wait-for-services
           {{- include "aztec-network.image" . | nindent 10 }}
           command:
@@ -69,6 +95,7 @@ spec:
             - name: config
               mountPath: /shared/config
 
+
         - name: configure-validator-env
           {{- include "aztec-network.image" . | nindent 10 }}
           command:
@@ -86,16 +113,8 @@ spec:
               mountPath: /shared/pxe
             - name: scripts
               mountPath: /scripts
-            - name: validator-keys
-              mountPath: /app/config
-              readOnly: true
             - name: config
               mountPath: /shared/config
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
       containers:
         - name: validator
           {{- include "aztec-network.image" . | nindent 10 }}
@@ -107,6 +126,7 @@ spec:
               source /shared/contracts/contracts.env && \
               source /shared/p2p/p2p-addresses && \
               source /shared/config/service-addresses && \
+              source /shared/config/keys.env && \
               env && \
               node --no-warnings /usr/src/yarn-project/aztec/dest/bin/index.js start --node --archiver --sequencer
           startupProbe:
@@ -226,9 +246,6 @@ spec:
         - name: scripts
           configMap:
             name: {{ include "aztec-network.fullname" . }}-scripts
-        - name: validator-keys
-          configMap:
-            name: {{ include "aztec-network.fullname" . }}-validator-keys
         - name: contracts-env
           emptyDir: {}
         - name: p2p-addresses

spartan/aztec-network/values.yaml

@@ -45,10 +45,17 @@ aztec:
   epochProofClaimWindow: 13 # in L2 slots
   realProofs: false
   l1DeploymentMnemonic: "test test test test test test test test test test test junk" # the mnemonic used when deploying contracts
+  # The derivation path of the calcualted private keys
+  # Starting from this index, the number of keys is equal to the number of replicas for the given service
+  validatorKeyIndexStart: 0
+  proverKeyIndexStart: 1000
+
+  ## The number of extra accounts to prefund
+  extraAccountsStartIndex: 2000
+  extraAccounts: 10
   l1Salt: "" # leave empty for random salt
 
 bootNode:
-  seqPublisherPrivateKey: ""
   peerIdPrivateKey: ""
   externalHost: ""
   replicas: 1
@@ -96,10 +103,6 @@ validator:
   # But it must be used if the boot node is killed, and the validator is restarted.
   dynamicBootNode: false
   replicas: 1
-  validatorKeys:
-    - 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
-  validatorAddresses:
-    - 0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
   service:
     p2pTcpPort: 40400
     p2pUdpPort: 40400
@@ -137,7 +140,6 @@ validator:
   l1GasLimitBufferPercentage: ""
 
 proverNode:
-  proverPublisherPrivateKey: "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
   externalHost: ""
   replicas: 1
   p2pEnabled: true
@@ -221,7 +223,6 @@ ethereum:
   replicas: 1
   chainId: 1337
   blockTime: 12
-  extraAccounts: 10
   # 1 billion gas limit
   # helps ensure we can deploy public contracts
   gasLimit: "1000000000"
@@ -267,7 +268,6 @@ ethereum:
       memory: "4Gi"
       cpu: "1"
   storageSize: "80Gi"
-  deployL1ContractsPrivateKey:
 
 proverAgent:
   service: