diff --git a/docker-compose.yml b/docker-compose.yml index 04aeda1..83654b6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,6 +15,7 @@ services: SETUP_MODE: "" EXTRA_OPTS: "" EXISTING_PASSWORD: "" + NEW_PASSWORD: "" volumes: operator-data: {} operator-keys: {} diff --git a/operator/entrypoint.sh b/operator/entrypoint.sh index bf2b2f5..f567d8f 100755 --- a/operator/entrypoint.sh +++ b/operator/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # shellcheck disable=SC1091 # Path is relative to the Dockerfile @@ -11,29 +11,34 @@ BEACON_NODES=$(get_beacon_api_url_from_global_env "$NETWORK") PASSWORD_FILE_PATH="/root/keys/password.txt" KEY_FILE_PATH="/root/keys/encrypted_private_key.json" -sleep 1 +sleep 5 # If Import Operator, save the EXISTING_PASSWORD to the password.txt, # Later when Anchor is starting it will use --password-file flag to decrypt the private key if [ "${SETUP_MODE}" = "Import Operator" ]; then - echo "$EXISTING_PASSWORD" > "$PASSWORD_FILE_PATH" - echo "[INFO - entrypoint] Using existing password to import operator" - if [ ! -f $KEY_FILE_PATH ]; then + if [ ! -f "$KEY_FILE_PATH" ]; then echo "[DEBUG] encrypted_private_key.json doesn't exist, restarting" exit 1 - fi + fi + if [ -z "$EXISTING_PASSWORD" ]; then + echo "[ERROR - entrypoint] EXISTING_PASSWORD is required in Import Operator mode" + exit 1 + fi + echo "$EXISTING_PASSWORD" > "$PASSWORD_FILE_PATH" fi -# If New Operator, generate a new public-private key pair -if [ "${SETUP_MODE}" = "New Operator" ]; then - echo "$NEW_PASSWORD" > "$PASSWORD_FILE_PATH" - - # Check if the key file exists +# New install or update flow. +# Keep existing key+password pairing on updates; only require NEW_PASSWORD for first-time key generation. +if [ "${SETUP_MODE}" = "New Operator / Update" ] || [ "${SETUP_MODE}" = "New Operator" ]; then if [ -f "$KEY_FILE_PATH" ]; then - echo "[INFO - entrypoint] Key already exists, skipping key generation" + echo "[INFO - entrypoint] Key already exists, preserving existing password and skipping key generation" else - # If key file does not exist, generate a new key pair + if [ -z "$NEW_PASSWORD" ]; then + echo "[ERROR - entrypoint] NEW_PASSWORD is required when generating a new operator key" + exit 1 + fi + echo "$NEW_PASSWORD" > "$PASSWORD_FILE_PATH" echo "[INFO - entrypoint] Generating new public-private key pair" anchor keygen --encrypt --password-file="$PASSWORD_FILE_PATH" --data-dir /root/keys fi diff --git a/setup-wizard.yml b/setup-wizard.yml index d7a244b..8389cff 100644 --- a/setup-wizard.yml +++ b/setup-wizard.yml @@ -7,9 +7,10 @@ fields: service: operator title: Setup Mode description: |- - If this is the first install, choose "New operator". If you have an existing operator key, choose "Import Operator". + If this is the first install or a regular update, choose "New Operator / Update". + If you have an existing operator key from another installation, choose "Import Operator". enum: - - "New Operator" + - "New Operator / Update" - "Import Operator" required: true @@ -35,7 +36,7 @@ fields: description: | Enter the password for the existing private key inputType: password - required: false + required: true if: { "setup-mode": { "enum": ["Import Operator"] } } - id: new-private-key-password @@ -46,9 +47,10 @@ fields: title: Password for the new private key secret: true description: | - Enter a password to encrypt your private key + Enter a password to encrypt your private key. + This is required only when creating a brand-new operator. (Note: This password will be used to decrypt the private key. If you loss the password, you can no longer decrypt the operator private key) inputType: password - required: true - if: { "setup-mode": { "enum": ["New Operator"] } } + required: false + if: { "setup-mode": { "enum": ["New Operator / Update"] } }