smom-dbis-138/scripts/deployment/update-rpc-security.sh

#!/usr/bin/env bash
# Update RPC Security Configuration
# Run this after DNS is configured to restrict CORS and host allowlist

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../lib/init.sh"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"


log_info "=== Updating RPC Security Configuration ==="

# Default domains (update these after DNS deployment)
RPC_DOMAINS=(
    "https://rpc.d-bis.org"
    "https://rpc2.d-bis.org"
    "https://explorer.d-bis.org"
)

RPC_HOSTS=(
    "rpc.d-bis.org"
    "rpc2.d-bis.org"
    "localhost"
    "127.0.0.1"
)

echo "Updating RPC security with domains: ${RPC_DOMAINS[*]}"

# Update config/rpc/besu-config.toml
if [ -f "config/rpc/besu-config.toml" ]; then
    # Create CORS array string
    CORS_STR=$(printf '"%s",' "${RPC_DOMAINS[@]}" | sed 's/,$//')
    CORS_STR="[$CORS_STR]"
    
    # Create host allowlist string
    HOSTS_STR=$(printf '"%s",' "${RPC_HOSTS[@]}" | sed 's/,$//')
    HOSTS_STR="[$HOSTS_STR]"
    
    # Update CORS
    sed -i "s|rpc-http-cors-origins=\[\".*\"\]|rpc-http-cors-origins=$CORS_STR|g" config/rpc/besu-config.toml
    sed -i "s|rpc-ws-origins=\[\".*\"\]|rpc-ws-origins=$CORS_STR|g" config/rpc/besu-config.toml
    
    # Update host allowlist
    sed -i "s|rpc-http-host-allowlist=\[.*\]|rpc-http-host-allowlist=$HOSTS_STR|g" config/rpc/besu-config.toml
    
    log_success "✅ Updated config/rpc/besu-config.toml"
fi

# Update k8s/base/rpc/statefulset.yaml
if [ -f "k8s/base/rpc/statefulset.yaml" ]; then
    CORS_STR=$(printf '"%s",' "${RPC_DOMAINS[@]}" | sed 's/,$//')
    CORS_STR="[$CORS_STR]"
    HOSTS_STR=$(printf '"%s",' "${RPC_HOSTS[@]}" | sed 's/,$//')
    HOSTS_STR="[$HOSTS_STR]"
    
    sed -i "s|rpc-http-cors-origins=\[\".*\"\]|rpc-http-cors-origins=$CORS_STR|g" k8s/base/rpc/statefulset.yaml
    sed -i "s|rpc-ws-origins=\[\".*\"\]|rpc-ws-origins=$CORS_STR|g" k8s/base/rpc/statefulset.yaml
    sed -i "s|rpc-http-host-allowlist=\[.*\]|rpc-http-host-allowlist=$HOSTS_STR|g" k8s/base/rpc/statefulset.yaml
    
    log_success "✅ Updated k8s/base/rpc/statefulset.yaml"
fi

# Update helm/besu-network/values-rpc.yaml
if [ -f "helm/besu-network/values-rpc.yaml" ]; then
    CORS_STR=$(printf '    - "%s"\n' "${RPC_DOMAINS[@]}" | sed 's|https://||g')
    HOSTS_STR=$(printf '    - "%s"\n' "${RPC_HOSTS[@]}")
    
    # Note: Helm values use YAML array format
    log_warn "⚠️  Helm values need manual update (YAML format)"
    echo "Update helm/besu-network/values-rpc.yaml:"
    echo "  corsOrigins:"
    for domain in "${RPC_DOMAINS[@]}"; do
        echo "    - \"$domain\"
    done
    echo "  hostAllowlist:"
    for host in "${RPC_HOSTS[@]}"; do
        echo "    - \"$host\"
    done
fi

log_success "✅ RPC security configuration updated"
log_warn "Note: Restart RPC pods after updating configuration"