d-bis/smom-dbis-138
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
smom-dbis-138/scripts/deployment/update-rpc-security.sh
defiQUG 2a4753eb2d feat: restore operator WIP — PMM JSON sync entrypoint, dotenv RPC trim + secrets, pool env alignment 
- Resolve stash: merge load_deployment_env path with secure-secrets and CR/LF RPC strip
- create-pmm-full-mesh-chain138.sh delegates to sync-chain138-pmm-pools-from-json.sh
- env.additions.example: canonical PMM pool defaults (cUSDT/USDT per crosscheck)
- Include Chain138 scripts, official mirror deploy scaffolding, and prior staged changes

Made-with: Cursor
2026-03-27 19:02:30 -07:00

101 lines
3.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Update RPC Security Configuration
# Run this after DNS is configured to restrict CORS and host allowlist
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../lib/init.sh"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"
# Load .env via dotenv (RPC CR/LF trim). Fallback: raw source.
if [[ -f "$SCRIPT_DIR/../lib/deployment/dotenv.sh" ]]; then
# shellcheck disable=SC1090
source "$SCRIPT_DIR/../lib/deployment/dotenv.sh"
load_deployment_env --repo-root "${PROJECT_ROOT:-$REPO_ROOT}"
elif [[ -n "${PROJECT_ROOT:-}" && -f "$PROJECT_ROOT/.env" ]]; then
set -a
# shellcheck disable=SC1090
source "$PROJECT_ROOT/.env"
set +a
elif [[ -n "${REPO_ROOT:-}" && -f "$REPO_ROOT/.env" ]]; then
set -a
# shellcheck disable=SC1090
source "$REPO_ROOT/.env"
set +a
fi
log_info "=== Updating RPC Security Configuration ==="
# Default domains (update these after DNS deployment)
RPC_DOMAINS=(
"https://rpc.d-bis.org"
"https://rpc2.d-bis.org"
"https://explorer.d-bis.org"
)
RPC_HOSTS=(
"rpc.d-bis.org"
"rpc2.d-bis.org"
"localhost"
"127.0.0.1"
)
echo "Updating RPC security with domains: ${RPC_DOMAINS[*]}"
# Update config/rpc/besu-config.toml
if [ -f "config/rpc/besu-config.toml" ]; then
# Create CORS array string
CORS_STR=$(printf '"%s",' "${RPC_DOMAINS[@]}" | sed 's/,$//')
CORS_STR="[$CORS_STR]"
# Create host allowlist string
HOSTS_STR=$(printf '"%s",' "${RPC_HOSTS[@]}" | sed 's/,$//')
HOSTS_STR="[$HOSTS_STR]"
# Update CORS
sed -i "s|rpc-http-cors-origins=\[\".*\"\]|rpc-http-cors-origins=$CORS_STR|g" config/rpc/besu-config.toml
sed -i "s|rpc-ws-origins=\[\".*\"\]|rpc-ws-origins=$CORS_STR|g" config/rpc/besu-config.toml
# Update host allowlist
sed -i "s|rpc-http-host-allowlist=\[.*\]|rpc-http-host-allowlist=$HOSTS_STR|g" config/rpc/besu-config.toml
log_success "✅ Updated config/rpc/besu-config.toml"
fi
# Update k8s/base/rpc/statefulset.yaml
if [ -f "k8s/base/rpc/statefulset.yaml" ]; then
CORS_STR=$(printf '"%s",' "${RPC_DOMAINS[@]}" | sed 's/,$//')
CORS_STR="[$CORS_STR]"
HOSTS_STR=$(printf '"%s",' "${RPC_HOSTS[@]}" | sed 's/,$//')
HOSTS_STR="[$HOSTS_STR]"
sed -i "s|rpc-http-cors-origins=\[\".*\"\]|rpc-http-cors-origins=$CORS_STR|g" k8s/base/rpc/statefulset.yaml
sed -i "s|rpc-ws-origins=\[\".*\"\]|rpc-ws-origins=$CORS_STR|g" k8s/base/rpc/statefulset.yaml
sed -i "s|rpc-http-host-allowlist=\[.*\]|rpc-http-host-allowlist=$HOSTS_STR|g" k8s/base/rpc/statefulset.yaml
log_success "✅ Updated k8s/base/rpc/statefulset.yaml"
fi
# Update helm/besu-network/values-rpc.yaml
if [ -f "helm/besu-network/values-rpc.yaml" ]; then
CORS_STR=$(printf ' - "%s"\n' "${RPC_DOMAINS[@]}" | sed 's|https://||g')
HOSTS_STR=$(printf ' - "%s"\n' "${RPC_HOSTS[@]}")
# Note: Helm values use YAML array format
log_warn "⚠️ Helm values need manual update (YAML format)"
echo "Update helm/besu-network/values-rpc.yaml:"
echo " corsOrigins:"
for domain in "${RPC_DOMAINS[@]}"; do
echo " - \"$domain\"
done
echo " hostAllowlist:"
for host in "${RPC_HOSTS[@]}"; do
echo " - \"$host\"
done
fi
log_success "✅ RPC security configuration updated"
log_warn "Note: Restart RPC pods after updating configuration"
Reference in New Issue View Git Blame Copy Permalink