From 59a615a6a6163c5adae22cbba9d000681ae4ec99 Mon Sep 17 00:00:00 2001
From: Jordan Oroshiba
Date: Wed, 21 Aug 2024 08:56:40 -0700
Subject: [PATCH] feat(conductor)!: support disabled celestia auth (#1372)
## Summary
Updates conductor celestia client to support using no auth token, adds a config field to specify using no token.
## Background
When originally built celestia-node required an auth token, it can now be run with the auth token disabled. We do this by default in our charts, but our code always specifies an auth header which will still be rejected if empty by celestia node.
## Changes
- Add `ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH` config env var
- When `no_celestia_auth` is true, makes celestia node requests without auth header.
## Testing
CI/CD smoke tests use no token, blockbox tests use a token to verify both paths still work.
## Breaking Changelist
- ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH config env var added
## Related Issues
closes https://github.com/astriaorg/astria/issues/1370
---
 charts/evm-rollup/Chart.yaml | 2 +-
 charts/evm-rollup/templates/configmap.yaml | 1 +
 charts/evm-stack/Chart.lock | 6 +++---
 charts/evm-stack/Chart.yaml | 4 ++--
 crates/astria-conductor/local.env.example | 8 +++++++-
 .../astria-conductor/src/celestia/builder.rs | 19 ++++++++++++-------
 crates/astria-conductor/src/conductor.rs | 8 +++++++-
 crates/astria-conductor/src/config.rs | 3 +++
 .../tests/blackbox/helpers/mod.rs | 1 +
 dev/values/rollup/dev.yaml | 2 +-
 10 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/charts/evm-rollup/Chart.yaml b/charts/evm-rollup/Chart.yaml
index 096c152ff7..d2f2154d51 100644
--- a/charts/evm-rollup/Chart.yaml
+++ b/charts/evm-rollup/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.3
+version: 0.25.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/evm-rollup/templates/configmap.yaml b/charts/evm-rollup/templates/configmap.yaml
index 10fc39d5fa..21fd5df39c 100644
--- a/charts/evm-rollup/templates/configmap.yaml
+++ b/charts/evm-rollup/templates/configmap.yaml
@@ -35,6 +35,7 @@ data:
 OTEL_SERVICE_NAME: "{{ tpl .Values.otel.serviceNamePrefix . }}-conductor"
 {{- if not .Values.global.dev }}
 {{- else }}
+ ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH: "{{ not .Values.config.celestia.token }}"
 {{- end }}
 ---
 apiVersion: v1
diff --git a/charts/evm-stack/Chart.lock b/charts/evm-stack/Chart.lock
index 0721955d81..b531f1528a 100644
--- a/charts/evm-stack/Chart.lock
+++ b/charts/evm-stack/Chart.lock
@@ -1,7 +1,7 @@ dependencies: - name: evm-rollup repository: file://../evm-rollup - version: 0.25.3 + version: 0.25.4 - name: composer repository: file://../composer version: 0.1.1
@@ -17,5 +17,5 @@ dependencies: - name: blockscout-stack repository: https://blockscout.github.io/helm-charts version: 1.6.2 -digest: sha256:75189d68ee2ddbb135ec487b4aee663fd2d096ae19608efc2d6ebfdec9d8c4a0 -generated: "2024-08-12T22:12:07.880246+03:00" +digest: sha256:695498fcbe82a100ca333b058196730eed9173df8528871585f40453c182d964 +generated: "2024-08-15T12:40:34.762702-07:00"
diff --git a/charts/evm-stack/Chart.yaml b/charts/evm-stack/Chart.yaml
index e1cc2a2465..ec97e8def6 100644
--- a/charts/evm-stack/Chart.yaml
+++ b/charts/evm-stack/Chart.yaml
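Review bot: In charts/evm-rollup/templates/configmap.yaml the added `ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH` line derives the flag from `not .Values.config.celestia.token`, so an unset or empty token value switches authentication off instead of failing the deployment. A token that goes missing through a values override or a templating mistake would then produce unauthenticated requests to the Celestia node, and the rendered manifest only shows `"true"` with no hint why. Consider driving the flag from an explicit values key (name to be chosen by the chart owners), or at least add a template comment above the line such as `{{- /* NO_CELESTIA_AUTH is true whenever config.celestia.token is empty */ -}}`. The line also sits in the `else` branch of `if not .Values.global.dev`, so it appears to be rendered only for dev builds; that looks deliberate but is worth confirming.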
@@ -15,11 +15,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.3.3
 dependencies:
 - name: evm-rollup
- version: 0.25.3
+ version: 0.25.4
 repository: "file://../evm-rollup"
 - name: composer
 version: 0.1.1
diff --git a/crates/astria-conductor/local.env.example b/crates/astria-conductor/local.env.example
index ee3c50e7f6..6237d3109b 100644
--- a/crates/astria-conductor/local.env.example
+++ b/crates/astria-conductor/local.env.example
@@ -6,9 +6,15 @@
 # 12000 milliseconds is the default Celestia block time.
 ASTRIA_CONDUCTOR_CELESTIA_BLOCK_TIME_MS=12000
+# Disable using the auth header with celestia jsonrpc. Celestia nodes can be run
+# without authentication, in which case this should be set to true.
+ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH=false
+
 # The bearer token to retrieve sequencer blocks as blobs from Celestia.
 # The token is obtained by running `celestia bridge auth `
-# on the host running the celestia node.
+# on the host running the celestia node.
+#
+# Only used if ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH is set to false
 ASTRIA_CONDUCTOR_CELESTIA_BEARER_TOKEN=""
 # The URL of the celestia node to fetch blocks from. This URL must contain
diff --git a/crates/astria-conductor/src/celestia/builder.rs b/crates/astria-conductor/src/celestia/builder.rs
index a14246ddee..7860d439ee 100644
--- a/crates/astria-conductor/src/celestia/builder.rs
+++ b/crates/astria-conductor/src/celestia/builder.rs
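Review bot: The example in crates/astria-conductor/local.env.example ships `ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH=false` together with `ASTRIA_CONDUCTOR_CELESTIA_BEARER_TOKEN=""`, which is the combination the commit description says celestia-node rejects (an auth header with an empty token). The added comment should say so, for example `# Must be a non-empty token when ASTRIA_CONDUCTOR_NO_CELESTIA_AUTH is false.`. It would also help to state next to the new flag that disabling auth is only appropriate when the node's RPC endpoint is not reachable from untrusted networks.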
@@ -19,7 +19,7 @@ use crate::{
 pub(crate) struct Builder {
 pub(crate) celestia_block_time: Duration,
 pub(crate) celestia_http_endpoint: String,
- pub(crate) celestia_token: String,
+ pub(crate) celestia_token: Option,
 pub(crate) executor: executor::Handle,
 pub(crate) sequencer_cometbft_client: SequencerClient,
 pub(crate) sequencer_requests_per_second: u32,
@@ -41,7 +41,7 @@ impl Builder {
 metrics,
 } = self;
- let celestia_client = create_celestia_client(celestia_http_endpoint, &celestia_token)
+ let celestia_client = create_celestia_client(celestia_http_endpoint, celestia_token)
 .wrap_err("failed initializing client for Celestia HTTP RPC")?;
 Ok(Reader {
@@ -56,16 +56,21 @@ impl Builder {
 }
 }
-fn create_celestia_client(endpoint: String, bearer_token: &str) -> eyre::Result {
+fn create_celestia_client(
+ endpoint: String,
+ bearer_token: Option,
+) -> eyre::Result {
 use jsonrpsee::http_client::{
 HeaderMap,
 HttpClientBuilder,
 };
 let mut headers = HeaderMap::new();
- let auth_value = format!("Bearer {bearer_token}").parse().wrap_err(
- "failed to construct Authorization header value from provided Celestia bearer token",
- )?;
- headers.insert(http::header::AUTHORIZATION, auth_value);
+ if let Some(token) = bearer_token {
+ let auth_value = format!("Bearer {token}").parse().wrap_err(
+ "failed to construct Authorization header value from provided Celestia bearer token",
+ )?;
+ headers.insert(http::header::AUTHORIZATION, auth_value);
+ }
 let client = HttpClientBuilder::default()
 .set_headers(headers)
 .build(endpoint)
diff --git a/crates/astria-conductor/src/conductor.rs b/crates/astria-conductor/src/conductor.rs
index b924294db2..ff857257f3 100644
--- a/crates/astria-conductor/src/conductor.rs
+++ b/crates/astria-conductor/src/conductor.rs
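Review bot: In the third hunk of builder.rs, `if let Some(token) = bearer_token` still accepts an empty token, so with auth enabled and `celestia_bearer_token` left empty the client sends `Authorization: Bearer ` and fails only later, at request time; conductor.rs produces exactly that value with `Some(cfg.celestia_bearer_token)`. Rejecting it up front gives a clear startup error, e.g. `eyre::ensure!(!token.is_empty(), "Celestia bearer token is empty but auth is enabled");` as the first line inside the `if let` (assuming `ensure!` is reachable through the `eyre` path this file already uses). Because the header carries a credential, it is also worth binding the parsed value as `let mut auth_value: http::HeaderValue = ...` and calling `auth_value.set_sensitive(true);` before the insert, so the token is redacted in header debug output. The body of create_celestia_client continues past the end of the hunk.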
@@ -141,9 +141,15 @@ impl Conductor {
 }
 if cfg.execution_commit_level.is_with_firm() {
+ let celestia_token = if cfg.no_celestia_auth {
+ None
+ } else {
+ Some(cfg.celestia_bearer_token)
+ };
+
 let reader = celestia::Builder {
 celestia_http_endpoint: cfg.celestia_node_http_url,
- celestia_token: cfg.celestia_bearer_token,
+ celestia_token,
 celestia_block_time: Duration::from_millis(cfg.celestia_block_time_ms),
 executor: executor_handle.clone(),
 sequencer_cometbft_client: sequencer_cometbft_client.clone(),
diff --git a/crates/astria-conductor/src/config.rs b/crates/astria-conductor/src/config.rs
index 699f95f1c9..3ee6a96723 100644
--- a/crates/astria-conductor/src/config.rs
+++ b/crates/astria-conductor/src/config.rs
@@ -44,6 +44,9 @@ pub struct Config {
 /// URL of the Celestia Node HTTP RPC
 pub celestia_node_http_url: String,
+ /// Disables using the bearer token auth header for the Celestia jsonrpc
+ pub no_celestia_auth: bool,
+
 /// The JWT bearer token supplied with each jsonrpc call
 pub celestia_bearer_token: String,
diff --git a/crates/astria-conductor/tests/blackbox/helpers/mod.rs b/crates/astria-conductor/tests/blackbox/helpers/mod.rs
index 6ea3c75e72..ff07a3b0f6 100644
--- a/crates/astria-conductor/tests/blackbox/helpers/mod.rs
+++ b/crates/astria-conductor/tests/blackbox/helpers/mod.rs
@@ -468,6 +468,7 @@ fn make_config() -> Config {
 Config {
 celestia_block_time_ms: 12000,
 celestia_node_http_url: "http://127.0.0.1:26658".into(),
+ no_celestia_auth: false,
 celestia_bearer_token: CELESTIA_BEARER_TOKEN.into(),
 sequencer_grpc_url: "http://127.0.0.1:8080".into(),
 sequencer_cometbft_url: "http://127.0.0.1:26657".into(),
diff --git a/dev/values/rollup/dev.yaml b/dev/values/rollup/dev.yaml
index d45305ad24..11d8da3f19 100644
--- a/dev/values/rollup/dev.yaml
+++ b/dev/values/rollup/dev.yaml
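Review bot: In conductor.rs the new `if cfg.no_celestia_auth { None } else { Some(cfg.celestia_bearer_token) }` lets the flag silently win over a configured token: with `no_celestia_auth` set to true a non-empty `celestia_bearer_token` is discarded and nothing records that the reader will run unauthenticated. A startup log line on the `None` branch, through whatever logging macro this file already uses, would make that mode visible to operators and to anyone reading logs after a misconfiguration. The enclosing function starts and ends outside the hunk, so whether such a log already exists elsewhere cannot be seen from here.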
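Review bot: The two fields in config.rs can contradict each other (`no_celestia_auth` true with a token set, or false with an empty token), and the doc comments do not say which one wins. Extend them, e.g. `/// When true, no Authorization header is sent and celestia_bearer_token is ignored.` on the new field and `/// Ignored when no_celestia_auth is true; should be non-empty otherwise.` on the token, the latter because the commit description says celestia-node rejects an empty one. The Config struct continues outside the hunk.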
@@ -100,7 +100,7 @@ evm-rollup:
 celestia:
 rpc: "http://celestia-service.astria-dev-cluster.svc.cluster.local:26658"
- token: "http://celestia-service.astria-dev-cluster.svc.cluster.local:5353"
+ token: ""
 resources:
 conductor: