status-im / infra-waku

Infrastructure for Waku fleet
https://github.com/status-im/nim-waku

Configure RLN memberships for Waku nodes #19

Open Ivansete-status opened 1 month ago

Ivansete-status commented 1 month ago

Background

Light clients cannot generate RLN proofs by themselves. Therefore, this task is delegated to full nwaku nodes. This issue is aimed at allowing light clients to also publish messages in The Waku Network, aka, TWN.

Description

Based on what we do in TWN, each node should run the register_rln.sh script (see https://github.com/waku-org/nwaku-compose/blob/master/register_rln.sh) at first.

Each node needs:

More context

https://discord.com/channels/1110799176264056863/1232247050414985296

Ivansete-status commented 1 month ago

Jakub suggested a simpler approach rather than using an external script, and then running the wakunode2 node.

The idea would be to only have one single script, which will perform the RLN registration if the keystore.json file doesn't exist, and after that, the normal wakunode2 will start.

The following can help to get inspiration on how to run the node from a script:

  • https://github.com/waku-org/nwaku-compose/blob/a737ff9a75de8a4441b3fa07c5f065c368931d9b/docker-compose.yml#L57
  • https://github.com/waku-org/nwaku-compose/blob/a737ff9a75de8a4441b3fa07c5f065c368931d9b/docker-compose.yml#L61-L63
  • https://github.com/waku-org/nwaku-compose/blob/master/run_node.sh

With that, the run_node.sh script should have something like:

## Same path as --rln-relay-cred-path below
if test -f /data/keystore/keystore.json; then
  echo "keystore/keystore.json already exists. Skipping the RLN registration."
else

  ## Performs the RLN registration if the keystore.json credentials file does not exist.
  ## No exec here: exec would replace the shell and the node below would never start.
  /usr/bin/wakunode generateRlnKeystore \
      --rln-relay-eth-client-address="${RLN_RELAY_ETH_CLIENT_ADDRESS}" \
      --rln-relay-eth-private-key="${ETH_TESTNET_KEY}" \
      --rln-relay-eth-contract-address=0xCB33Aa5B38d79E3D9Fa8B10afF38AA201399a7e3 \
      --rln-relay-cred-path=/data/keystore/keystore.json \
      --rln-relay-cred-password="${RLN_RELAY_CRED_PASSWORD}" \
      --rln-relay-user-message-limit=100 \
      --execute
fi

## Start the node, as usual
exec /usr/bin/wakunode --config-file=/conf/config.toml \
      --nodekey=... \
      --store-message-db-url='......' \
      --rln-relay-cred-password='random_password'

Notice that the env vars might not be needed in this case and then just leave the values written there directly from Bitwarden.

apentori commented 4 weeks ago

Modification prepared, before applying:

yakimant commented 4 weeks ago

@apentori, @Ivansete-status, we could probably have generateRlnKeystore run in ansible, if it only needs to run once and not to complicate with run script. What do you think?

Ivansete-status commented 3 weeks ago

> @apentori, @Ivansete-status, we could probably have generateRlnKeystore run in ansible, if it only needs to run once and not to complicate with run script. What do you think?

That sounds very sensible indeed. I'm not familiar with Ansible but feel free to pick up the simpler option for you.

Ivansete-status commented 3 weeks ago

> Modification prepared, before applying:

I think the only constraint is that it should be longer than 8 chars, e.g., MySuperKeyStorePassword1234!

> • Can you add / send me the private key of the Sepolia account to be used as: $ETH_TESTNET_KEY?

I will send you my ETH_TESTNET_KEY

> • Can you confirm the fleet to apply the changes is .waku.test at first?

Yes, first of all let's make sure it is correctly deployed in waku.test.

apentori commented 3 weeks ago

> @apentori, @Ivansete-status, we could probably have generateRlnKeystore run in ansible, if it only needs to run once and not to complicate with run script. What do you think?

If we set it up with Ansible, the container won't be able to properly start if some dev removes the keystore. Not sure if it will happen or not.

@Ivansete-status shouldn't the script be included directly in the docker container?

Ivansete-status commented 3 weeks ago

> @Ivansete-status shouldn't the script be included directly in the docker container?

Yes, let's do that as it will give more flexibility if in the future we need to recreate the keystore file.

apentori commented 3 weeks ago

For some reason the keystore generation fails if the rln-relay-eth-client-address is our Sepolia host:

ERR 2024-08-23 13:57:18.567+00:00 Unrecoverable error occurred               topics="rln_keystore_generator" tid=1 file=rln_keystore_generator.nim:54 error="Failed to register the member: {\"code\":-32000,\"message\":\"only replay-protected (EIP-155) transactions allowed over RPC\"}"

It works by changing the rln-relay-eth-client-address to Infura.

apentori commented 2 weeks ago

@Ivansete-status Do you have news about the RPC call issue?

Ivansete-status commented 1 week ago

> @Ivansete-status Do you have news about the RPC call issue?

Sorry for the delay @apentori. Is our eth client configured to support EIP-155?

Ivansete-status commented 3 days ago

We can try to add the following setting in Eth client's geth.yml file: --rpc.allow-unprotected-txs
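
The check behind the "only replay-protected (EIP-155) transactions allowed over RPC" error in this thread, as an added example that is not part of the issue or of nwaku: geth refuses a legacy transaction over RPC when its signature `v` is 27 or 28 (no chain ID signed) unless `--rpc.allow-unprotected-txs` is set. The function names are hypothetical, and the two sample transactions are constructed with a dummy recipient and signature and Sepolia's chain ID 11155111.

```python
# Added example: does a signed raw transaction carry EIP-155 replay protection?
# Samples are constructed: dummy recipient (0x11..) and dummy r/s values.
_HEAD = "80843b9aca00825208" + "94" + "11" * 20 + "8080"   # nonce .. data
_SIG = "a0" + "01" * 32 + "a0" + "02" * 32                 # r, s
UNPROTECTED = bytes.fromhex("f863" + _HEAD + "1b" + _SIG)          # v = 27
PROTECTED = bytes.fromhex("f867" + _HEAD + "8401546d71" + _SIG)    # v = 11155111*2 + 35

def rlp_decode(data, pos=0):
    """Decode one RLP item starting at data[pos]; return (item, next_pos)."""
    b = data[pos]
    if b < 0x80:                                  # a single byte encodes itself
        return data[pos:pos + 1], pos + 1
    if b < 0xc0:                                  # byte string
        n = b - 0xb7 if b > 0xb7 else 0           # size of the length prefix
        start = pos + 1 + n
        length = int.from_bytes(data[pos + 1:start], "big") if n else b - 0x80
        if start + length > len(data):
            raise ValueError("truncated RLP string")
        return data[start:start + length], start + length
    n = b - 0xf7 if b > 0xf7 else 0               # list
    start = pos + 1 + n
    end = start + (int.from_bytes(data[pos + 1:start], "big") if n else b - 0xc0)
    if end > len(data):
        raise ValueError("truncated RLP list")
    items = []
    while start < end:
        item, start = rlp_decode(data, start)
        items.append(item)
    return items, end

def replay_protection(raw):
    """Return (protected, chain_id); chain_id is None when it is not derived from v."""
    if raw[0] < 0x80:            # EIP-2718 typed envelope: the chain id is always signed
        return True, None
    fields, _ = rlp_decode(raw)
    if not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("not a signed legacy transaction")
    v = int.from_bytes(fields[6], "big")
    if v in (27, 28):            # pre-EIP-155 signature, valid on every chain
        return False, None
    if v >= 35:                  # EIP-155: v = chain_id * 2 + 35 or 36
        return True, (v - 35) // 2
    raise ValueError(f"unexpected v value {v}")

if __name__ == "__main__":
    for name, raw in (("v=27", UNPROTECTED), ("EIP-155 Sepolia", PROTECTED)):
        print(name, replay_protection(raw))
```

A transaction that comes back as `(False, None)` can be replayed on any other chain where the same key holds funds, which is the protection the geth flag switches off for that RPC endpoint.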