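#!/usr/bin/env bash
# Update RPC Security Configuration
#
# Run this after DNS is configured to restrict the Besu RPC CORS origins,
# WebSocket origins and HTTP host allowlist to the project's own domains.
#
# Files rewritten in place (when present, relative to the project root):
#   config/rpc/besu-config.toml
#   k8s/base/rpc/statefulset.yaml
# helm/besu-network/values-rpc.yaml is not edited; the values to copy into it
# are printed instead.
#
# Requires a sed that accepts `-i` without a suffix argument (GNU sed).

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../lib/init.sh"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

cd "$PROJECT_ROOT"

# Load .env via dotenv (RPC CR/LF trim). Fallback: raw source.
# The raw fallback executes .env as shell code, so the file must be trusted.
if [[ -f "$SCRIPT_DIR/../lib/deployment/dotenv.sh" ]]; then
  # shellcheck disable=SC1090
  source "$SCRIPT_DIR/../lib/deployment/dotenv.sh"
  load_deployment_env --repo-root "${PROJECT_ROOT:-$REPO_ROOT}"
elif [[ -n "${PROJECT_ROOT:-}" && -f "$PROJECT_ROOT/.env" ]]; then
  set -a
  # shellcheck disable=SC1090
  source "$PROJECT_ROOT/.env"
  set +a
elif [[ -n "${REPO_ROOT:-}" && -f "$REPO_ROOT/.env" ]]; then
  set -a
  # shellcheck disable=SC1090
  source "$REPO_ROOT/.env"
  set +a
fi

log_info "=== Updating RPC Security Configuration ==="

# Default domains (update these after DNS deployment).
# Browser origins allowed by CORS and by the WebSocket origin check. CORS is
# enforced by browsers only; non-browser clients are not limited by this list.
RPC_DOMAINS=(
  "https://rpc.d-bis.org"
  "https://rpc2.d-bis.org"
  "https://explorer.d-bis.org"
)

# Host header values accepted by the RPC endpoint; loopback entries are
# listed alongside the public names.
RPC_HOSTS=(
  "rpc.d-bis.org"
  "rpc2.d-bis.org"
  "localhost"
  "127.0.0.1"
)

# Both lists are interpolated into sed replacement text below, so entries must
# not contain `|`, `&` or backslashes.
CORS_STR=$(printf '"%s",' "${RPC_DOMAINS[@]}" | sed 's/,$//')
CORS_STR="[$CORS_STR]"
HOSTS_STR=$(printf '"%s",' "${RPC_HOSTS[@]}" | sed 's/,$//')
HOSTS_STR="[$HOSTS_STR]"

# Files in which at least one setting could not be confirmed after the edit.
UNVERIFIED_FILES=()

echo "Updating RPC security with domains: ${RPC_DOMAINS[*]}"

#######################################
# Rewrite the three RPC allowlist settings in one file, then confirm that each
# restricted value is really present before reporting success.
#
# sed exits 0 when a pattern matches nothing, so without the check a file
# whose settings are formatted differently (spaces around `=`, an empty list,
# an unquoted wildcard) would keep its old, possibly permissive, value while
# the script reported it as updated.
#
# The patterns are greedy (`.*`): on a line that carries a second bracketed
# list after the setting, the match runs to the last `]` on that line.
#
# Globals:   CORS_STR, HOSTS_STR (read), UNVERIFIED_FILES (appended)
# Arguments: $1 - path of the file to rewrite in place
# Returns:   0; a failing sed still aborts the script through `set -e`
#######################################
apply_rpc_restrictions() {
  local target=$1
  local setting
  local confirmed=1

  # Update CORS
  sed -i "s|rpc-http-cors-origins=\[\".*\"\]|rpc-http-cors-origins=$CORS_STR|g" "$target"
  sed -i "s|rpc-ws-origins=\[\".*\"\]|rpc-ws-origins=$CORS_STR|g" "$target"
  # Update host allowlist
  sed -i "s|rpc-http-host-allowlist=\[.*\]|rpc-http-host-allowlist=$HOSTS_STR|g" "$target"

  for setting in \
    "rpc-http-cors-origins=$CORS_STR" \
    "rpc-ws-origins=$CORS_STR" \
    "rpc-http-host-allowlist=$HOSTS_STR"; do
    if ! grep -qF -- "$setting" "$target"; then
      log_warn "⚠️ $target: ${setting%%=*} does not hold the restricted value; review it manually"
      confirmed=0
    fi
  done

  if [[ "$confirmed" -eq 1 ]]; then
    log_success "✅ Updated $target"
  else
    UNVERIFIED_FILES+=("$target")
  fi
  return 0
}

# Update config/rpc/besu-config.toml
if [[ -f "config/rpc/besu-config.toml" ]]; then
  apply_rpc_restrictions "config/rpc/besu-config.toml"
fi

# Update k8s/base/rpc/statefulset.yaml
if [[ -f "k8s/base/rpc/statefulset.yaml" ]]; then
  apply_rpc_restrictions "k8s/base/rpc/statefulset.yaml"
fi

# Update helm/besu-network/values-rpc.yaml
# Note: Helm values use YAML array format, so the file is not rewritten here;
# the entries to paste are printed instead.
if [[ -f "helm/besu-network/values-rpc.yaml" ]]; then
  log_warn "⚠️ Helm values need manual update (YAML format)"
  echo "Update helm/besu-network/values-rpc.yaml:"
  echo " corsOrigins:"
  for domain in "${RPC_DOMAINS[@]}"; do
    echo " - \"$domain\""
  done
  echo " hostAllowlist:"
  for host in "${RPC_HOSTS[@]}"; do
    echo " - \"$host\""
  done
fi

# Only claim success when every rewritten file was confirmed.
if [[ "${#UNVERIFIED_FILES[@]}" -gt 0 ]]; then
  log_warn "⚠️ RPC security configuration not fully applied; check: ${UNVERIFIED_FILES[*]}"
else
  log_success "✅ RPC security configuration updated"
fi
log_warn "Note: Restart RPC pods after updating configuration"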