fix: align operator setup flow for updates

docker-compose.yml

@@ -15,6 +15,7 @@ services:
       SETUP_MODE: ""
       EXTRA_OPTS: ""
       EXISTING_PASSWORD: ""
+      NEW_PASSWORD: ""
 volumes:
   operator-data: {}
   operator-keys: {}

operator/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # shellcheck disable=SC1091 
 # Path is relative to the Dockerfile
@@ -11,29 +11,34 @@ BEACON_NODES=$(get_beacon_api_url_from_global_env "$NETWORK")
 
 PASSWORD_FILE_PATH="/root/keys/password.txt"
 KEY_FILE_PATH="/root/keys/encrypted_private_key.json"
-sleep 1
+sleep 5
 
 # If Import Operator, save the EXISTING_PASSWORD to the password.txt,
 # Later when Anchor is starting it will use --password-file flag to decrypt the private key
 if [ "${SETUP_MODE}" = "Import Operator" ]; then
-    echo "$EXISTING_PASSWORD" > "$PASSWORD_FILE_PATH"
-
     echo "[INFO - entrypoint] Using existing password to import operator"
-    if [ ! -f $KEY_FILE_PATH ]; then
+    if [ ! -f "$KEY_FILE_PATH" ]; then
         echo "[DEBUG] encrypted_private_key.json doesn't exist, restarting"
         exit 1
-    fi    
+    fi
+    if [ -z "$EXISTING_PASSWORD" ]; then
+        echo "[ERROR - entrypoint] EXISTING_PASSWORD is required in Import Operator mode"
+        exit 1
+    fi
+    echo "$EXISTING_PASSWORD" > "$PASSWORD_FILE_PATH"
 fi
 
-# If New Operator, generate a new public-private key pair
-if [ "${SETUP_MODE}" = "New Operator" ]; then
-    echo "$NEW_PASSWORD" > "$PASSWORD_FILE_PATH"
-
-    # Check if the key file exists
+# New install or update flow.
+# Keep existing key+password pairing on updates; only require NEW_PASSWORD for first-time key generation.
+if [ "${SETUP_MODE}" = "New Operator / Update" ] || [ "${SETUP_MODE}" = "New Operator" ]; then
     if [ -f "$KEY_FILE_PATH" ]; then
-        echo "[INFO - entrypoint] Key already exists, skipping key generation"
+        echo "[INFO - entrypoint] Key already exists, preserving existing password and skipping key generation"
     else
-    # If key file does not exist, generate a new key pair
+        if [ -z "$NEW_PASSWORD" ]; then
+            echo "[ERROR - entrypoint] NEW_PASSWORD is required when generating a new operator key"
+            exit 1
+        fi
+        echo "$NEW_PASSWORD" > "$PASSWORD_FILE_PATH"
         echo "[INFO - entrypoint] Generating new public-private key pair"
         anchor keygen --encrypt --password-file="$PASSWORD_FILE_PATH" --data-dir /root/keys
     fi

setup-wizard.yml

@@ -7,9 +7,10 @@ fields:
       service: operator
     title: Setup Mode
     description: |-
-      If this is the first install, choose "New operator". If you have an existing operator key, choose "Import Operator".
+      If this is the first install or a regular update, choose "New Operator / Update".
+      If you have an existing operator key from another installation, choose "Import Operator".
     enum:
-      - "New Operator"
+      - "New Operator / Update"
       - "Import Operator"
     required: true
 
@@ -35,7 +36,7 @@ fields:
     description: |
       Enter the password for the existing private key
     inputType: password
-    required: false
+    required: true
     if: { "setup-mode": { "enum": ["Import Operator"] } }
 
   - id: new-private-key-password
@@ -46,9 +47,10 @@ fields:
     title: Password for the new private key
     secret: true
     description: |
-      Enter a password to encrypt your private key
+      Enter a password to encrypt your private key.
+      This is required only when creating a brand-new operator.
 
       (Note: This password will be used to decrypt the private key. If you loss the password, you can no longer decrypt the operator private key)
     inputType: password
-    required: true
-    if: { "setup-mode": { "enum": ["New Operator"] } }
+    required: false
+    if: { "setup-mode": { "enum": ["New Operator / Update"] } }