feat(conductor)!: support disabled celestia auth (#1372)

## Summary Updates conductor celestia client to support using no auth token, adds a config field to specify using no token. ## Background When originally built celestia-node required an auth token, it can now be run with the auth token disabled. We do this by default in our charts, but our code always specifies an auth header which will still be rejected if empty by celestia node. ## Changes - Add `ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH` config env var - When `no_celestia_auth` is true, makes celestia node requests without auth header. ## Testing CI/CD smoke tests use no token, blockbox tests use a token to verify both paths still work. ## Breaking Changelist - ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH config env var added ## Related Issues closes #1370
astriaorg · Aug 21, 2024 · 59a615a · 59a615a
1 parent 781c4c5
commit 59a615a
Show file tree

Hide file tree

Showing 10 changed files with 38 additions and 16 deletions.
diff --git a/charts/evm-rollup/Chart.yaml b/charts/evm-rollup/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.3
+version: 0.25.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/evm-rollup/templates/configmap.yaml b/charts/evm-rollup/templates/configmap.yaml
@@ -35,6 +35,7 @@ data:
   OTEL_SERVICE_NAME: "{{ tpl .Values.otel.serviceNamePrefix . }}-conductor"
   {{- if not .Values.global.dev }}
   {{- else }}
+  ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH: "{{ not .Values.config.celestia.token }}"
   {{- end }}
 ---
 apiVersion: v1

diff --git a/charts/evm-stack/Chart.lock b/charts/evm-stack/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: evm-rollup
   repository: file://../evm-rollup
-  version: 0.25.3
+  version: 0.25.4
 - name: composer
   repository: file://../composer
   version: 0.1.1
@@ -17,5 +17,5 @@ dependencies:
 - name: blockscout-stack
   repository: https://blockscout.github.io/helm-charts
   version: 1.6.2
-digest: sha256:75189d68ee2ddbb135ec487b4aee663fd2d096ae19608efc2d6ebfdec9d8c4a0
-generated: "2024-08-12T22:12:07.880246+03:00"
+digest: sha256:695498fcbe82a100ca333b058196730eed9173df8528871585f40453c182d964
+generated: "2024-08-15T12:40:34.762702-07:00"
diff --git a/charts/evm-stack/Chart.yaml b/charts/evm-stack/Chart.yaml
@@ -15,11 +15,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.3.3
 
 dependencies:
   - name: evm-rollup
-    version: 0.25.3
+    version: 0.25.4
     repository: "file://../evm-rollup"
   - name: composer
     version: 0.1.1

diff --git a/crates/astria-conductor/local.env.example b/crates/astria-conductor/local.env.example
@@ -6,9 +6,15 @@
 # 12000 milliseconds is the default Celestia block time.
 ASTRIA_CONDUCTOR_CELESTIA_BLOCK_TIME_MS=12000
 
+# Disable using the auth header with celestia jsonrpc. Celestia nodes can be run
+# without authentication, in which case this should be set to true.
+ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH=false
+
 # The bearer token to retrieve sequencer blocks as blobs from Celestia.
 # The token is obtained by running `celestia bridge auth <permissions>`
-# on the host running the celestia node.
+# on the host running the celestia node. 
+#
+# Only used if ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH is set to false
 ASTRIA_CONDUCTOR_CELESTIA_BEARER_TOKEN="<JWT Bearer token>"
 
 # The URL of the celestia node to fetch blocks from. This URL must contain

diff --git a/crates/astria-conductor/src/celestia/builder.rs b/crates/astria-conductor/src/celestia/builder.rs
@@ -19,7 +19,7 @@ use crate::{
 pub(crate) struct Builder {
     pub(crate) celestia_block_time: Duration,
     pub(crate) celestia_http_endpoint: String,
-    pub(crate) celestia_token: String,
+    pub(crate) celestia_token: Option<String>,
     pub(crate) executor: executor::Handle,
     pub(crate) sequencer_cometbft_client: SequencerClient,
     pub(crate) sequencer_requests_per_second: u32,
@@ -41,7 +41,7 @@ impl Builder {
             metrics,
         } = self;
 
-        let celestia_client = create_celestia_client(celestia_http_endpoint, &celestia_token)
+        let celestia_client = create_celestia_client(celestia_http_endpoint, celestia_token)
             .wrap_err("failed initializing client for Celestia HTTP RPC")?;
 
         Ok(Reader {
@@ -56,16 +56,21 @@ impl Builder {
     }
 }
 
-fn create_celestia_client(endpoint: String, bearer_token: &str) -> eyre::Result<CelestiaClient> {
+fn create_celestia_client(
+    endpoint: String,
+    bearer_token: Option<String>,
+) -> eyre::Result<CelestiaClient> {
     use jsonrpsee::http_client::{
         HeaderMap,
         HttpClientBuilder,
     };
     let mut headers = HeaderMap::new();
-    let auth_value = format!("Bearer {bearer_token}").parse().wrap_err(
-        "failed to construct Authorization header value from provided Celestia bearer token",
-    )?;
-    headers.insert(http::header::AUTHORIZATION, auth_value);
+    if let Some(token) = bearer_token {
+        let auth_value = format!("Bearer {token}").parse().wrap_err(
+            "failed to construct Authorization header value from provided Celestia bearer token",
+        )?;
+        headers.insert(http::header::AUTHORIZATION, auth_value);
+    }
     let client = HttpClientBuilder::default()
         .set_headers(headers)
         .build(endpoint)

diff --git a/crates/astria-conductor/src/conductor.rs b/crates/astria-conductor/src/conductor.rs
@@ -141,9 +141,15 @@ impl Conductor {
         }
 
         if cfg.execution_commit_level.is_with_firm() {
+            let celestia_token = if cfg.no_celestia_auth {
+                None
+            } else {
+                Some(cfg.celestia_bearer_token)
+            };
+
             let reader = celestia::Builder {
                 celestia_http_endpoint: cfg.celestia_node_http_url,
-                celestia_token: cfg.celestia_bearer_token,
+                celestia_token,
                 celestia_block_time: Duration::from_millis(cfg.celestia_block_time_ms),
                 executor: executor_handle.clone(),
                 sequencer_cometbft_client: sequencer_cometbft_client.clone(),

diff --git a/crates/astria-conductor/src/config.rs b/crates/astria-conductor/src/config.rs
@@ -44,6 +44,9 @@ pub struct Config {
     /// URL of the Celestia Node HTTP RPC
     pub celestia_node_http_url: String,
 
+    /// Disables using the bearer token auth header for the Celestia jsonrpc
+    pub no_celestia_auth: bool,
+
     /// The JWT bearer token supplied with each jsonrpc call
     pub celestia_bearer_token: String,
 

diff --git a/crates/astria-conductor/tests/blackbox/helpers/mod.rs b/crates/astria-conductor/tests/blackbox/helpers/mod.rs
@@ -468,6 +468,7 @@ fn make_config() -> Config {
     Config {
         celestia_block_time_ms: 12000,
         celestia_node_http_url: "http://127.0.0.1:26658".into(),
+        no_celestia_auth: false,
         celestia_bearer_token: CELESTIA_BEARER_TOKEN.into(),
         sequencer_grpc_url: "http://127.0.0.1:8080".into(),
         sequencer_cometbft_url: "http://127.0.0.1:26657".into(),

diff --git a/dev/values/rollup/dev.yaml b/dev/values/rollup/dev.yaml
@@ -100,7 +100,7 @@ evm-rollup:
 
     celestia:
       rpc: "http://celestia-service.astria-dev-cluster.svc.cluster.local:26658"
-      token: "http://celestia-service.astria-dev-cluster.svc.cluster.local:5353"
+      token: ""
 
   resources:
     conductor: