Using Docker secrets

.env.example

@@ -89,5 +89,5 @@ NODE_PUBLIC_IP_PROVIDER=seeip
 
 # TODO: Operators need to add password to decrypt the above keys
 # If you have some special characters in password, make sure to use single quotes
-NODE_ECDSA_KEY_PASSWORD=''
-NODE_BLS_KEY_PASSWORD=''
+NODE_ECDSA_KEY_PASSWORD=/run/secrets/ecdsa_key_password
+NODE_BLS_KEY_PASSWORD=/run/secrets/bls_key_password

README.md

@@ -22,6 +22,11 @@ cp .env.example .env
 ```
 Update the `TODO` sections in the  `.env` file given in the root directory of the repository with your own details.:
 
+### Create Docker Secrets
+```bash
+echo "your_ecdsa_password" | docker secret create ecdsa_key_password -
+echo "your_bls_password" | docker secret create bls_key_password -
+```
 ### Create some local folders which are required by EigenDA
 ```bash
 mkdir -p $HOME/.eigenlayer/eigenda/logs

docker-compose.yml

@@ -20,6 +20,9 @@ services:
   da-node:
     env_file:
       - .env
+    secrets:
+      - ecdsa_key_password
+      - bls_key_password
     container_name: ${MAIN_SERVICE_NAME}
     image: ${MAIN_SERVICE_IMAGE}
     ports:
@@ -36,6 +39,11 @@ services:
       - "${NODE_LOG_PATH_HOST}:/app/logs:rw"
       - "${NODE_DB_PATH_HOST}:/data/operator/db:rw"
     restart: unless-stopped
+secrets:
+  ecdsa_key_password:
+    external: true
+  bls_key_password:
+    external: true
 networks:
   eigenda:
     name: ${NETWORK_NAME}

run.sh

@@ -8,6 +8,18 @@
 # which causes the password to be incorrect.
 # To test that try running `docker run --rm --env-file .env busybox /bin/sh -c 'echo $NODE_ECDSA_KEY_PASSWORD'`
 # This will output password with single quote. Not sure why this happens.
+# Function to read Docker secrets
+read_secret() {
+  secret_name=$1
+  secret_path="/run/secrets/$secret_name"
+  if [ -f "$secret_path" ]; then
+    cat "$secret_path"
+  else
+    echo "Error: Secret $secret_name not found."
+    exit 1
+  fi
+}
+
 optIn() {
   socket="$NODE_HOSTNAME":"${NODE_DISPERSAL_PORT}"\;"${NODE_RETRIEVAL_PORT}"
   echo "using socket: $socket"
@@ -16,9 +28,9 @@ optIn() {
   --volume "${NODE_ECDSA_KEY_FILE_HOST}":/app/operator_keys/ecdsa_key.json \
   --volume "${NODE_BLS_KEY_FILE_HOST}":/app/operator_keys/bls_key.json \
   --volume "${NODE_LOG_PATH_HOST}":/app/logs:rw \
+  --volume "ecdsa_key_password:/run/secrets/ecdsa_key_password:ro" \
+  --volume "bls_key_password:/run/secrets/bls_key_password:ro" \
   ghcr.io/layr-labs/eigenda/opr-nodeplugin:release-0.2.1 \
-  --ecdsa-key-password "$NODE_ECDSA_KEY_PASSWORD" \
-  --bls-key-password "$NODE_BLS_KEY_PASSWORD" \
   --operation opt-in \
   --socket "$socket"
 }
@@ -30,9 +42,9 @@ optOut() {
     --volume "${NODE_ECDSA_KEY_FILE_HOST}":/app/operator_keys/ecdsa_key.json \
     --volume "${NODE_BLS_KEY_FILE_HOST}":/app/operator_keys/bls_key.json \
     --volume "${NODE_LOG_PATH_HOST}":/app/logs:rw \
+    --volume "ecdsa_key_password:/run/secrets/ecdsa_key_password:ro" \
+    --volume "bls_key_password:/run/secrets/bls_key_password:ro" \
     ghcr.io/layr-labs/eigenda/opr-nodeplugin:release-0.2.1 \
-    --ecdsa-key-password "$NODE_ECDSA_KEY_PASSWORD" \
-    --bls-key-password "$NODE_BLS_KEY_PASSWORD" \
     --operation opt-out \
     --socket "$socket"
 }
@@ -43,4 +55,4 @@ elif [ "$1" = "opt-out" ]; then
   optOut
 else
   echo "Invalid command"
-fi
+fi