add code to configure env

Author: shrimalmadhur

cmd/cerberus/flags.go

@@ -13,6 +13,94 @@ import (
 
 var (
 	version = "development"
+
+	keystoreDirFlag = &cli.StringFlag{
+		Name:    "keystore-dir",
+		Usage:   "Directory where the keystore files are stored",
+		Value:   "./data/keystore",
+		EnvVars: []string{"KEYSTORE_DIR"},
+	}
+
+	grpcPortFlag = &cli.StringFlag{
+		Name:    "grpc-port",
+		Usage:   "Port for the gRPC server",
+		Value:   "50051",
+		EnvVars: []string{"GRPC_PORT"},
+	}
+
+	metricsPortFlag = &cli.StringFlag{
+		Name:    "metrics-port",
+		Usage:   "Port for the metrics server",
+		Value:   "9091",
+		EnvVars: []string{"METRICS_PORT"},
+	}
+
+	logLevelFlag = &cli.StringFlag{
+		Name:    "log-level",
+		Usage:   "Log level - supported levels: debug, info, warn, error",
+		Value:   "info",
+		EnvVars: []string{"LOG_LEVEL"},
+	}
+
+	logFormatFlag = &cli.StringFlag{
+		Name:    "log-format",
+		Usage:   "Log format - supported formats: text, json",
+		Value:   "text",
+		EnvVars: []string{"LOG_FORMAT"},
+	}
+
+	// TLS flags to set up secure gRPC server, optional
+	tlsCaCertFlag = &cli.StringFlag{
+		Name:    "tls-ca-cert",
+		Usage:   "TLS CA certificate",
+		EnvVars: []string{"TLS_CA_CERT"},
+	}
+
+	tlsServerKeyFlag = &cli.StringFlag{
+		Name:    "tls-server-key",
+		Usage:   "TLS server key",
+		EnvVars: []string{"TLS_SERVER_KEY"},
+	}
+
+	storageTypeFlag = &cli.StringFlag{
+		Name:    "storage-type",
+		Usage:   "Storage type - supported types: filesystem, aws-secret-manager",
+		Value:   "filesystem",
+		EnvVars: []string{"STORAGE_TYPE"},
+	}
+
+	awsRegionFlag = &cli.StringFlag{
+		Name:    "aws-region",
+		Usage:   "AWS region",
+		Value:   "us-east-2",
+		EnvVars: []string{"AWS_REGION"},
+	}
+
+	awsProfileFlag = &cli.StringFlag{
+		Name:    "aws-profile",
+		Usage:   "AWS profile",
+		Value:   "default",
+		EnvVars: []string{"AWS_PROFILE"},
+	}
+
+	awsAuthenticationModeFlag = &cli.StringFlag{
+		Name:    "aws-authentication-mode",
+		Usage:   "AWS authentication mode - supported modes: environment, specified",
+		Value:   "environment",
+		EnvVars: []string{"AWS_AUTHENTICATION_MODE"},
+	}
+
+	awsAccessKeyIDFlag = &cli.StringFlag{
+		Name:    "aws-access-key-id",
+		Usage:   "AWS access key ID",
+		EnvVars: []string{"AWS_ACCESS_KEY_ID"},
+	}
+
+	awsSecretAccessKeyFlag = &cli.StringFlag{
+		Name:    "aws-secret-access-key",
+		Usage:   "AWS secret access key",
+		EnvVars: []string{"AWS_SECRET_ACCESS_KEY"},
+	}
 )
 
 func main() {
@@ -43,6 +131,7 @@ func main() {
 		tlsServerKeyFlag,
 		storageTypeFlag,
 		awsRegionFlag,
+		awsProfileFlag,
 		awsAuthenticationModeFlag,
 		awsAccessKeyIDFlag,
 		awsSecretAccessKeyFlag,
@@ -67,13 +156,29 @@ func start(c *cli.Context) error {
 	logFormat := c.String(logFormatFlag.Name)
 	tlsCaCert := c.String(tlsCaCertFlag.Name)
 	tlsServerKey := c.String(tlsServerKeyFlag.Name)
+	storageType := c.String(storageTypeFlag.Name)
+	awsRegion := c.String(awsRegionFlag.Name)
+	awsProfile := c.String(awsProfileFlag.Name)
+	awsAuthenticationMode := c.String(awsAuthenticationModeFlag.Name)
+	awsAccessKeyID := c.String(awsAccessKeyIDFlag.Name)
+	awsSecretAccessKey := c.String(awsSecretAccessKeyFlag.Name)
 
 	cfg := &configuration.Configuration{
-		KeystoreDir:  keystoreDir,
-		GrpcPort:     grpcPort,
-		MetricsPort:  metricsPort,
-		TLSCACert:    tlsCaCert,
-		TLSServerKey: tlsServerKey,
+		KeystoreDir:           keystoreDir,
+		GrpcPort:              grpcPort,
+		MetricsPort:           metricsPort,
+		TLSCACert:             tlsCaCert,
+		TLSServerKey:          tlsServerKey,
+		StorageType:           storageType,
+		AWSRegion:             awsRegion,
+		AWSProfile:            awsProfile,
+		AWSAuthenticationMode: awsAuthenticationMode,
+		AWSAccessKeyID:        awsAccessKeyID,
+		AWSSecretAccessKey:    awsSecretAccessKey,
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return fmt.Errorf("invalid configuration: %v", err)
 	}
 
 	sLogLevel := levelToLogLevel(logLevel)
@@ -86,7 +191,7 @@ func start(c *cli.Context) error {
 		handler := slog.NewTextHandler(os.Stdout, &slogOptions)
 		logger = slog.New(handler)
 	}
-
+	logger.Info("using configuration", "config", cfg)
 	logger.Info(fmt.Sprintf("Starting cerberus server version: %s", version))
 	server.Start(cfg, logger)
 	return nil

cmd/cerberus/main.go

@@ -1,11 +1,69 @@
 package configuration
 
+import "fmt"
+
 type Configuration struct {
+	StorageType string
+
+	// FileSystem storage parameters
 	KeystoreDir string
 
+	// AWS Secrets Manager storage parameters
+	AWSRegion             string
+	AWSProfile            string
+	AWSAuthenticationMode string
+	AWSAccessKeyID        string
+	AWSSecretAccessKey    string
+
 	GrpcPort    string
 	MetricsPort string
 
 	TLSCACert    string
 	TLSServerKey string
 }
+
+func (s *Configuration) Validate() error {
+	if s.StorageType == "" {
+		return fmt.Errorf("storage type is required")
+	}
+
+	switch s.StorageType {
+	case "filesystem":
+		if s.KeystoreDir == "" {
+			return fmt.Errorf("keystore directory is required")
+		}
+	case "aws-secrets-manager":
+		if s.AWSRegion == "" {
+			return fmt.Errorf("AWS region is required")
+		}
+
+		if s.AWSAuthenticationMode == "specified" {
+			if s.AWSAccessKeyID == "" {
+				return fmt.Errorf("AWS access key ID is required")
+			}
+			if s.AWSSecretAccessKey == "" {
+				return fmt.Errorf("AWS secret access key is required")
+			}
+		}
+	default:
+		return fmt.Errorf("unsupported storage type: %s", s.StorageType)
+	}
+
+	if s.GrpcPort == "" {
+		return fmt.Errorf("gRPC port is required")
+	}
+
+	if s.MetricsPort == "" {
+		return fmt.Errorf("metrics port is required")
+	}
+
+	if s.TLSCACert != "" && s.TLSServerKey == "" {
+		return fmt.Errorf("TLS server key is required when TLS CA certificate is provided")
+	}
+
+	if s.TLSServerKey != "" && s.TLSCACert == "" {
+		return fmt.Errorf("TLS CA certificate is required when TLS server key is provided")
+	}
+
+	return nil
+}

internal/configuration/configuration.go

@@ -8,6 +8,9 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/Layr-Labs/cerberus/internal/store"
+	"github.com/Layr-Labs/cerberus/internal/store/awssecretmanager"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/collectors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -40,7 +43,40 @@ func Start(config *configuration.Configuration, logger *slog.Logger) {
 
 	go startMetricsServer(registry, config.MetricsPort, logger)
 
-	keystore := filesystem.NewStore(config.KeystoreDir, logger)
+	var keystore store.Store
+	switch config.StorageType {
+	case "filesystem":
+		keystore = filesystem.NewStore(config.KeystoreDir, logger)
+	case "aws-secrets-manager":
+		switch config.AWSAuthenticationMode {
+		case "environment":
+			keystore, err = awssecretmanager.NewStoreWithEnv(
+				config.AWSRegion,
+				config.AWSProfile,
+				logger,
+			)
+			if err != nil {
+				logger.Error(fmt.Sprintf("Failed to create AWS Secret Manager store: %v", err))
+				os.Exit(1)
+			}
+			logger.Info("Using environment credentials for AWS Secret Manager")
+		case "specified":
+			keystore, err = awssecretmanager.NewStoreWithSpecifiedCredentials(
+				config.AWSRegion,
+				config.AWSAccessKeyID,
+				config.AWSSecretAccessKey,
+				logger,
+			)
+			if err != nil {
+				logger.Error(fmt.Sprintf("Failed to create AWS Secret Manager store: %v", err))
+				os.Exit(1)
+			}
+			logger.Info("Using specified credentials for AWS Secret Manager")
+		}
+	default:
+		logger.Error(fmt.Sprintf("Unsupported storage type: %s", config.StorageType))
+		os.Exit(1)
+	}
 
 	var opts []grpc.ServerOption
 	if config.TLSCACert != "" && config.TLSServerKey != "" {