feat: plain k8s build of hashi-guardian

0xsiddharthks · 0xsiddharthks · commit 06adb7a4fd00 · 2026-04-13T16:06:27.000-07:00
Adds a non-enclave Containerfile under docker/hashi-guardian-k8s/ that
mirrors hashi-screener's build shape, registers grpc.health.v1.Health
in the guardian binary so K8s gRPC probes work, and ships a dev-only
bootstrap_operator_init example that drives OperatorInit from env
vars against a real AWS S3 bucket.

The existing docker/hashi-guardian/ Nitro enclave build is untouched.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/hashi-guardian/Cargo.toml b/crates/hashi-guardian/Cargo.toml
@@ -12,6 +12,7 @@ serde_json.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
 tonic.workspace = true
+tonic-health.workspace = true
 hashi-types = { path = "../hashi-types" }
 
 # Crypto dependencies
diff --git a/crates/hashi-guardian/examples/bootstrap_operator_init.rs b/crates/hashi-guardian/examples/bootstrap_operator_init.rs
@@ -0,0 +1,114 @@
+// Copyright (c) Mysten Labs, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//! Bootstrap a hashi-guardian instance by calling `OperatorInit` with AWS S3
+//! credentials and dummy share commitments. This is a *development-only* helper
+//! intended to make a running guardian fully initialized enough to emit
+//! heartbeats against a real AWS S3 bucket with Object Lock enabled.
+//!
+//! It does **not** run a real `SetupNewKey` + `ProvisionerInit` flow — the
+//! resulting guardian will accept `OperatorInit` and start heartbeating, but
+//! will not be able to sign withdrawals (because no real key shares are ever
+//! combined). For production bootstrap use the operator + KP flow, not this.
+//!
+//! Usage (from repo root):
+//!
+//!     GUARDIAN_ENDPOINT=http://localhost:3000 \
+//!     AWS_S3_BUCKET=mysten-hashi-guardian-dev \
+//!     AWS_S3_REGION=us-west-2 \
+//!     AWS_ACCESS_KEY_ID=... \
+//!     AWS_SECRET_ACCESS_KEY=... \
+//!     BITCOIN_NETWORK=signet \
+//!     cargo run -p hashi-guardian --example bootstrap_operator_init
+
+use anyhow::anyhow;
+use anyhow::Context;
+use anyhow::Result;
+use hashi_types::proto::guardian_service_client::GuardianServiceClient;
+use hashi_types::proto::GuardianShareCommitment;
+use hashi_types::proto::GuardianShareId;
+use hashi_types::proto::Network as ProtoNetwork;
+use hashi_types::proto::OperatorInitRequest;
+use hashi_types::proto::S3Config as ProtoS3Config;
+use std::env;
+
+/// Must match `hashi_types::guardian::crypto::NUM_OF_SHARES`. We provide that
+/// many dummy commitments because `OperatorInitRequest` stores them verbatim;
+/// actual share verification happens later in `ProvisionerInit`, which this
+/// helper does not drive.
+const NUM_OF_SHARES: u32 = 5;
+
+fn required_env(name: &str) -> Result<String> {
+    env::var(name).map_err(|_| anyhow!("required env var `{name}` is not set"))
+}
+
+fn parse_network(s: &str) -> Result<ProtoNetwork> {
+    match s.to_ascii_lowercase().as_str() {
+        "mainnet" => Ok(ProtoNetwork::Mainnet),
+        "testnet" => Ok(ProtoNetwork::Testnet),
+        "regtest" => Ok(ProtoNetwork::Regtest),
+        "signet" => Ok(ProtoNetwork::Signet),
+        other => Err(anyhow!(
+            "unknown BITCOIN_NETWORK `{other}`; expected mainnet/testnet/regtest/signet"
+        )),
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::builder()
+                .with_default_directive(tracing::level_filters::LevelFilter::INFO.into())
+                .from_env_lossy(),
+        )
+        .init();
+
+    let endpoint =
+        env::var("GUARDIAN_ENDPOINT").unwrap_or_else(|_| "http://localhost:3000".to_string());
+    let bucket = required_env("AWS_S3_BUCKET")?;
+    let region = required_env("AWS_S3_REGION")?;
+    let access_key = required_env("AWS_ACCESS_KEY_ID")?;
+    let secret_key = required_env("AWS_SECRET_ACCESS_KEY")?;
+    let network_str = env::var("BITCOIN_NETWORK").unwrap_or_else(|_| "signet".to_string());
+    let network = parse_network(&network_str)?;
+
+    tracing::info!(
+        endpoint = %endpoint,
+        bucket = %bucket,
+        region = %region,
+        network = ?network,
+        "connecting to guardian"
+    );
+
+    let mut client = GuardianServiceClient::connect(endpoint.clone())
+        .await
+        .with_context(|| format!("failed to connect to guardian at {endpoint}"))?;
+
+    let share_commitments: Vec<GuardianShareCommitment> = (1..=NUM_OF_SHARES)
+        .map(|id| GuardianShareCommitment {
+            id: Some(GuardianShareId { id: Some(id) }),
+            digest_hex: Some(String::new()),
+        })
+        .collect();
+
+    let request = OperatorInitRequest {
+        s3_config: Some(ProtoS3Config {
+            access_key: Some(access_key),
+            secret_key: Some(secret_key),
+            bucket_name: Some(bucket),
+            region: Some(region),
+        }),
+        share_commitments,
+        network: Some(network as i32),
+    };
+
+    tracing::info!("calling OperatorInit");
+    let response = client
+        .operator_init(request)
+        .await
+        .context("operator_init RPC failed")?;
+    tracing::info!(?response, "OperatorInit returned successfully");
+    println!("OperatorInit complete.");
+    Ok(())
+}
diff --git a/crates/hashi-guardian/src/main.rs b/crates/hashi-guardian/src/main.rs
@@ -20,6 +20,7 @@ use std::sync::OnceLock;
 use std::sync::RwLock;
 use std::time::Duration;
 use tonic::transport::Server;
+use tonic_health::server::health_reporter;
 use tracing::info;
 
 mod getters;
@@ -128,7 +129,14 @@ async fn main() -> Result<()> {
     let addr = "0.0.0.0:3000".parse()?;
     info!("gRPC server listening on {}.", addr);
 
+    // gRPC health reporter — used by the K8s gRPC probe and GKE HealthCheckPolicy.
+    let (health_reporter, health_service) = health_reporter();
+    health_reporter
+        .set_serving::<GuardianServiceServer<GuardianGrpc>>()
+        .await;
+
     let server_future = Server::builder()
+        .add_service(health_service)
         .add_service(GuardianServiceServer::new(svc))
         .serve(addr);
 
diff --git a/docker/hashi-guardian-k8s/Containerfile b/docker/hashi-guardian-k8s/Containerfile
@@ -0,0 +1,63 @@
+# syntax=docker/dockerfile:1
+
+# Plain Kubernetes (non-enclave) build of hashi-guardian.
+# Mirrors docker/hashi-screener/Containerfile. The sibling
+# docker/hashi-guardian/Containerfile is the Nitro enclave build and produces
+# an EIF, not a runnable OCI image — do not conflate the two.
+
+FROM stagex/pallet-rust@sha256:84621c4c29330c8a969489671d46227a0a43f52cdae243f5b91e95781dbfe5ed AS pallet-rust
+FROM stagex/busybox@sha256:3d128909dbc8e7b6c4b8c3c31f4583f01a307907ea179934bb42c4ef056c7efd AS busybox
+FROM stagex/core-filesystem@sha256:da28831927652291b0fa573092fd41c8c96ca181ea224df7bff40e1833c3db13 AS core-filesystem
+
+#
+# Deps stage: fetch and compile external dependencies (cached until Cargo.toml/Cargo.lock change)
+#
+FROM pallet-rust AS deps
+
+# Shell needed by cc-based build scripts (blst, ring, etc.)
+COPY --from=busybox . /
+
+# Copy only manifests
+COPY Cargo.toml Cargo.lock /src/
+COPY crates/hashi-guardian/Cargo.toml /src/crates/hashi-guardian/Cargo.toml
+COPY crates/hashi-types/Cargo.toml /src/crates/hashi-types/Cargo.toml
+
+WORKDIR /src
+
+# Create stub source files so cargo can resolve and compile all external deps
+RUN mkdir -p crates/hashi-guardian/src \
+ && echo 'fn main(){}' > crates/hashi-guardian/src/main.rs \
+ && touch crates/hashi-guardian/src/lib.rs \
+ && mkdir -p crates/hashi-types/src \
+ && touch crates/hashi-types/src/lib.rs
+
+ENV TARGET=x86_64-unknown-linux-musl
+ENV OPENSSL_STATIC=true
+ENV CARGO_INCREMENTAL=0
+ENV RUSTFLAGS="-C target-feature=+crt-static -C relocation-model=static -C target-cpu=x86-64"
+
+RUN cargo fetch
+RUN --network=none cargo build --release --frozen --target "$TARGET" --bin hashi-guardian
+
+#
+# Build stage: compile with real source (only local crates recompile)
+#
+FROM deps AS build
+
+ARG GIT_REVISION=unknown
+ENV GIT_REVISION=${GIT_REVISION}
+
+COPY crates/hashi-guardian /src/crates/hashi-guardian
+COPY crates/hashi-types /src/crates/hashi-types
+
+# Touch source files to invalidate cargo's fingerprint cache for local crates
+RUN find crates/ -name "*.rs" -exec touch {} +
+
+RUN --network=none cargo build --release --frozen --target "$TARGET" --bin hashi-guardian
+
+#
+# Package stage: minimal runtime image
+#
+FROM core-filesystem
+COPY --from=build /src/target/x86_64-unknown-linux-musl/release/hashi-guardian /usr/bin/hashi-guardian
+ENTRYPOINT ["/usr/bin/hashi-guardian"]
diff --git a/docker/hashi-guardian-k8s/build.sh b/docker/hashi-guardian-k8s/build.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Copyright (c), Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# Builds the hashi-guardian binary as a plain Kubernetes (non-enclave) image.
+#
+# Usage:
+#   bash docker/hashi-guardian-k8s/build.sh              # build with cache
+#   GIT_REVISION=test bash docker/hashi-guardian-k8s/build.sh --no-cache && sha256sum out/hashi-guardian   # build without cache, useful to check reproducibility
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(git -C "${SCRIPT_DIR}" rev-parse --show-toplevel)"
+IMAGE_NAME="${IMAGE_NAME:-hashi-guardian}"
+GIT_REVISION="${GIT_REVISION:-$(git -C "$REPO_ROOT" describe --always --exclude '*' --dirty --abbrev=8)}"
+IMAGE_TAG="${IMAGE_TAG:-${GIT_REVISION}}"
+OUT_DIR="${OUT_DIR:-${REPO_ROOT}/out}"
+
+EXTRA_ARGS=()
+for arg in "$@"; do
+    case "$arg" in
+        --no-cache) EXTRA_ARGS+=("--no-cache") ;;
+        *) echo "Unknown argument: $arg"; exit 1 ;;
+    esac
+done
+
+mkdir -p "${OUT_DIR}"
+
+echo "Building ${IMAGE_NAME}:${IMAGE_TAG} (revision: ${GIT_REVISION})"
+
+docker build \
+    -f "${SCRIPT_DIR}/Containerfile" \
+    --platform linux/amd64 \
+    --build-arg "GIT_REVISION=${GIT_REVISION}" \
+    --provenance=false \
+    "${EXTRA_ARGS[@]}" \
+    -t "${IMAGE_NAME}:${IMAGE_TAG}" \
+    -t "${IMAGE_NAME}:latest" \
+    "${REPO_ROOT}"
+
+echo "Successfully built ${IMAGE_NAME}:${IMAGE_TAG}"
+
+# Extract the binary from the image
+CID=$(docker create "${IMAGE_NAME}:${IMAGE_TAG}")
+docker cp "${CID}:/usr/bin/hashi-guardian" "${OUT_DIR}/hashi-guardian"
+docker rm "${CID}" > /dev/null
+
+echo ""
+echo "Binary: ${OUT_DIR}/hashi-guardian"
+echo "SHA-256: $(sha256sum "${OUT_DIR}/hashi-guardian" | awk '{print $1}')"
