Merge pull request #2108 from valory-xyz/docs/pwd-security-kubernetes

Private key security updates/fixes
valory-xyz · Nov 20, 2023 · 777973d · 777973d
2 parents fbb43b6 + 73037ec
commit 777973d
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 3 deletions.
diff --git a/deployments/Dockerfiles/autonomy/Dockerfile b/deployments/Dockerfiles/autonomy/Dockerfile
@@ -2,6 +2,8 @@ ARG AEA_VERSION=latest
 
 FROM valory/open-aea-user:${AEA_VERSION}
 
+RUN apt update
+
 RUN apt install git net-tools sudo -y
 
 COPY scripts /root/scripts

diff --git a/deployments/Dockerfiles/autonomy/scripts/start.sh b/deployments/Dockerfiles/autonomy/scripts/start.sh
@@ -52,8 +52,16 @@ function handleCosmosConnectionKeyAndCerts() {
     if [ ! -f "cosmos_private_key.txt" ]; then
         generateKey cosmos
     fi
-    aea add-key cosmos --connection
-    aea issue-certificates
+
+    if [[ "$AEA_PASSWORD" != "" ]]; then
+        echo "Issuing certificates with password"
+        aea add-key cosmos --connection --password $AEA_PASSWORD
+        aea issue-certificates --password $AEA_PASSWORD
+    else
+        echo "Issuing certificates without password"
+        aea add-key cosmos --connection
+        aea issue-certificates
+    fi
 }
 
 function runAgent() {

diff --git a/docs/advanced_reference/commands/autonomy_deploy.md b/docs/advanced_reference/commands/autonomy_deploy.md
@@ -114,6 +114,34 @@ autonomy deploy build keys.json -ltm
 
 Builds a service deployment using the keys stored in the file `keys.json` and applying environment variables to the service configuration file. The deployment will be generated by default for as many agents as keys are stored in `keys.json`. By default, the command searches for the file `keys.json`, if no file name is provided.
 
+### Private key security
+
+When building deployments, you can use password protected privates keys (eg. generated using `autonomy generate-key LEDGER --password PASSWORD`) to avoid exposing them. 
+
+#### Docker Compose
+
+In a `docker-compose` deployment you can just export `OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD` environment variable before running the deployment like
+
+```bash
+export OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD
+autonomy deploy run --build-dir PATH_TO_BUILD_DIR
+```
+
+or 
+
+```bash
+export OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD
+docker-compose -f PATH_TO_BUILD_DIR/docker-compose.yaml up
+```
+
+#### Kubernetes
+
+In a `kubernetes` deployment, you'll have to export the `OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD` variable when building the deployment, not when running.
+
+```bash
+export OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD
+autonomy deploy build (...)
+```
 
 ## `autonomy deploy run`
 
@@ -155,7 +183,8 @@ Runs the service deployment stored locally in the directory `./abci_build`.
 To provide password for the private keys
 
 ```bash
-OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD autonomy deploy run --build-dir ./abci_build
+export OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD
+autonomy deploy run --build-dir ./abci_build
 ```
 
 ## `autonomy deploy from-token`