89eedd2123
* Remove custody (#3986)
* Update proto fields
* Updated block operations
* Fixed all block operation tests
* Fixed tests part 1
* Fixed tests part 1
* All tests pass
* Clean up
* Skip spec test
* Fixed ssz test
* Skip ssz test
* Skip mainnet tests
* Update beacon-chain/operations/attestation.go
* Update beacon-chain/operations/attestation.go
* Decoy flip flop check (#3987)
* Bounce attack check (#3989)
* New store values
* Update process block
* Update process attestation
* Update tests
* Helper
* Fixed blockchain package tests
* Update beacon-chain/blockchain/forkchoice/process_block.go
* Conflict
* Unskip mainnet spec tests (#3998)
* Starting
* Fixed attestation mainnet test
* Unskip ssz static and block processing tests
* Fixed workspace
* fixed workspace
* fixed workspace
* Update beacon-chain/core/blocks/block_operations.go
* Unskip minimal spec tests (#3999)
* Starting
* Fixed attestation mainnet test
* Unskip ssz static and block processing tests
* Fixed workspace
* fixed workspace
* fixed workspace
* Update workspace
* Unskip all minimal spec tests
* Update workspace for general test
* Unskip test (#4001)
* Update minimal seconds per slot to 6 (#3978)
* Bounce attack tests (#3993)
* New store values
* Update process block
* Update process attestation
* Update tests
* Helper
* Fixed blockchain package tests
* Slots since epoch starts tests
* Update justified checkpt tests
* Conflict
* Fixed logic
* Update process_block.go
* Use helper
* Conflict
* Merge branch 'master' of https://github.com/prysmaticlabs/prysm into v0.9.1
* Conflict
* Fixed failed tests
* Lower MinGenesisActiveValidatorCount to 16384 (#4100)
* Fork choice beacon block checks (#4107)
* Prevent future blocks check and test
* Removed old code
* Update aggregation proto (#4121)
* Update def
* Update spec test
* Conflict
* Update workspace
* patch
* Resolve conflict
* Patch
* Change workspace
* Update ethereumapis to a forked branch at commit
|
||
---|---|---|
.. | ||
client | ||
server | ||
README.md |
Cluster private key management tool
This is a primative tool for managing and delegating validator private key assigments within the kubernetes cluster.
Design
When a validator pod is initializing within the cluster, it requests a private key for a deposited validator. Since pods are epheremal, scale up/down quickly, there needs to be some service to manage private key allocations, validator deposits, and re-allocations of previously in-use private keys from terminated pods.
Workflow for bootstraping a validator pod
- Request
n
private keys from the pk manager. - If unallocated private keys exist (from previously terminated pods), assign to the requesting pod.
- If there are not at least
n
keys not in use, generate new private keys, and make the deposits on behalf of these newly generated private keys. - Write the key allocations to a persistent datastore and fulfill the request.
- The client uses these private keys to act as deposited validators in the system.
Server
The server manages the private key database, allocates new private keys, makes validator deposits, and fulfills requests from pods for private key allocation.
Database structure
There are two buckets for the server, unallocated keys and allocated keys.
Unallocated keys bucket:
key | value |
---|---|
private key | nil |
Allocated keys bucket:
key | value |
---|---|
pod name | list of private keys |
Key management design
There are two types of operations with regards to private keys:
- Allocate(podName, keys)
- UnallocateAllKeys(podName)
Allocating keys will first check and attempt to recycle existing, unused keys. If there are no unused keys available (or not enough), new keys are deposited.
Unallocating keys happens when a pod is destroyed. This should return all of that's pods' keys to the unallocated keys bucket.
Assignments HTTP Page /assignments
The server exposes an HTTP page which maps pod names to public keys. This may be useful for determining which logs to follow for a given validator.
Client
The client makes the private key request with a given pod name and generates a keystore with the server response.