From 836eda4eed3776dd406d354343655c0ff8b9d2b6 Mon Sep 17 00:00:00 2001 From: Barnabas Busa Date: Mon, 4 Mar 2024 16:29:37 +0100 Subject: [PATCH] feat: add keymanager to all validator processes (#502) --- .circleci/config.yml | 2 +- .github/tests/blobber.yaml | 2 - .github/tests/split-teku.yaml | 2 +- main.star | 10 ++++ src/cl/nimbus/nimbus_launcher.star | 30 ++++++++--- src/cl/teku/teku_launcher.star | 47 +++++++++++++++--- src/package_io/constants.star | 8 +++ src/participant_network.star | 10 +++- src/static_files/static_files.star | 4 ++ src/validator_client/lighthouse.star | 10 ++++ src/validator_client/lodestar.star | 6 +++ src/validator_client/nimbus.star | 7 +++ src/validator_client/prysm.star | 3 ++ src/validator_client/shared.star | 8 +++ src/validator_client/teku.star | 14 ++++++ .../validator_client_launcher.star | 13 +++++ static_files/keymanager/generate_certs.sh | 7 +++ static_files/keymanager/keymanager.txt | 1 + static_files/keymanager/openssl.cnf | 23 +++++++++ .../keymanager/validator_keystore.p12 | Bin 0 -> 2707 bytes 20 files changed, 189 insertions(+), 18 deletions(-) create mode 100644 static_files/keymanager/generate_certs.sh create mode 100644 static_files/keymanager/keymanager.txt create mode 100644 static_files/keymanager/openssl.cnf create mode 100644 static_files/keymanager/validator_keystore.p12 diff --git a/.circleci/config.yml b/.circleci/config.yml index 7161fef3a..e0cdfe8f6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,7 +6,7 @@ orbs: executors: ubuntu_vm: machine: - image: ubuntu-2204:2023.07.2 + image: ubuntu-2204:current parameters: should-enable-check-latest-version-workflow: diff --git a/.github/tests/blobber.yaml b/.github/tests/blobber.yaml index 9f72054b1..75480a1a4 100644 --- a/.github/tests/blobber.yaml +++ b/.github/tests/blobber.yaml 
@@ -2,7 +2,6 @@ participants: - el_client_type: geth el_client_image: ethpandaops/geth:master cl_client_type: lighthouse - cl_client_image: ethpandaops/lighthouse:sidecar-inclusion-proof-c6be31c blobber_enabled: true blobber_extra_params: - --proposal-action-frequency=1 @@ -11,7 +10,6 @@ participants: - el_client_type: geth el_client_image: ethpandaops/geth:master cl_client_type: lodestar - cl_client_image: ethpandaops/lodestar:blobs-inclproof-d5a5a47 count: 1 network_params: deneb_fork_epoch: 1 diff --git a/.github/tests/split-teku.yaml b/.github/tests/split-teku.yaml index c5dbe4bae..e2dfb6328 100644 --- a/.github/tests/split-teku.yaml +++ b/.github/tests/split-teku.yaml @@ -1,8 +1,8 @@ participants: - el_client_type: geth cl_client_type: teku - use_separate_validator_client: true validator_count: 0 + use_separate_validator_client: true - el_client_type: nethermind cl_client_type: teku use_separate_validator_client: true diff --git a/main.star b/main.star index 68bac3681..a52722e28 100644 --- a/main.star +++ b/main.star @@ -75,6 +75,14 @@ def run(plan, args={}): src=static_files.JWT_PATH_FILEPATH, name="jwt_file", ) + keymanager_file = plan.upload_files( + src=static_files.KEYMANAGER_PATH_FILEPATH, + name="keymanager_file", + ) + keymanager_p12_file = plan.upload_files( + src=static_files.KEYMANAGER_P12_PATH_FILEPATH, + name="keymanager_p12_file", + ) plan.print("Read the prometheus, grafana templates") plan.print( @@ -93,6 +101,8 @@ def run(plan, args={}): network_params, args_with_right_defaults.global_client_log_level, jwt_file, + keymanager_file, + keymanager_p12_file, persistent, xatu_sentry_params, global_tolerations, diff --git a/src/cl/nimbus/nimbus_launcher.star b/src/cl/nimbus/nimbus_launcher.star index bd6a2b0df..2995c88a6 100644 --- a/src/cl/nimbus/nimbus_launcher.star +++ b/src/cl/nimbus/nimbus_launcher.star 
@@ -5,7 +5,7 @@ cl_client_context = import_module("../../cl/cl_client_context.star") cl_node_ready_conditions = import_module("../../cl/cl_node_ready_conditions.star") node_metrics = import_module("../../node_metrics_info.star") constants = import_module("../../package_io/constants.star") - +validator_client_shared = import_module("../../validator_client/shared.star") # ---------------------------------- Beacon client ------------------------------------- # Nimbus requires that its data directory already exists (because it expects you to bind-mount it), so we # have to to create it @@ -15,6 +15,7 @@ BEACON_TCP_DISCOVERY_PORT_ID = "tcp-discovery" BEACON_UDP_DISCOVERY_PORT_ID = "udp-discovery" BEACON_HTTP_PORT_ID = "http" BEACON_METRICS_PORT_ID = "metrics" +VALIDATOR_HTTP_PORT_ID = "http-validator" # Port nums BEACON_DISCOVERY_PORT_NUM = 9000 @@ -135,6 +136,7 @@ def launch( plan, launcher.el_cl_genesis_data, launcher.jwt_file, + launcher.keymanager_file, launcher.network, image, beacon_service_name, @@ -209,6 +211,7 @@ def get_beacon_config( plan, el_cl_genesis_data, jwt_file, + keymanager_file, network, image, service_name, @@ -296,11 +299,13 @@ def get_beacon_config( + constants.CL_CLIENT_TYPE.nimbus + "-" + el_client_context.client_name, + "--keymanager", + "--keymanager-port={0}".format(validator_client_shared.VALIDATOR_HTTP_PORT_NUM), + "--keymanager-address=0.0.0.0", + "--keymanager-allow-origin=*", + "--keymanager-token-file=" + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER, ] - if node_keystore_files != None and not use_separate_validator_client: - cmd.extend(validator_flags) - if network not in constants.PUBLIC_NETWORKS: cmd.append( "--bootstrap-file=" 
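Review bot: The five `--keymanager*` flags are appended to the base beacon `cmd` list, so the keymanager API is enabled for every Nimbus beacon node, while the matching port spec is only added under `if node_keystore_files != None and not use_separate_validator_client:` in the hunk at -325,10. As far as that collapsed hunk shows, the `keymanager_file` mount is inside the same branch. A beacon node paired with a separate validator client would then start with `--keymanager-token-file` pointing at a path that does not appear to be mounted, and with a listener on 0.0.0.0 that the service config never declares. I would collect the flags in a `keymanager_flags` list and add them in that branch, e.g. `cmd.extend(validator_flags + keymanager_flags)`. The Teku beacon hunk at -290,11 in src/cl/teku/teku_launcher.star has the same shape with its `--validator-api-*` flags; get_beacon_config starts and ends outside this hunk.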
@@ -325,10 +330,22 @@ def get_beacon_config( constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid, constants.JWT_MOUNTPOINT_ON_CLIENTS: jwt_file, } + beacon_validator_used_ports = {} + beacon_validator_used_ports.update(BEACON_USED_PORTS) if node_keystore_files != None and not use_separate_validator_client: + validator_http_port_id_spec = shared_utils.new_port_spec( + validator_client_shared.VALIDATOR_HTTP_PORT_NUM, + shared_utils.TCP_PROTOCOL, + shared_utils.HTTP_APPLICATION_PROTOCOL, + ) + beacon_validator_used_ports.update( + {VALIDATOR_HTTP_PORT_ID: validator_http_port_id_spec} + ) + cmd.extend(validator_flags) files[ VALIDATOR_KEYS_MOUNTPOINT_ON_CLIENTS ] = node_keystore_files.files_artifact_uuid + files[constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS] = keymanager_file if persistent: files[BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER] = Directory( @@ -338,7 +355,7 @@ def get_beacon_config( return ServiceConfig( image=image, - ports=BEACON_USED_PORTS, + ports=beacon_validator_used_ports, cmd=cmd, files=files, private_ip_address_placeholder=PRIVATE_IP_ADDRESS_PLACEHOLDER, @@ -362,9 +379,10 @@ def get_beacon_config( ) -def new_nimbus_launcher(el_cl_genesis_data, jwt_file, network): +def new_nimbus_launcher(el_cl_genesis_data, jwt_file, network, keymanager_file): return struct( el_cl_genesis_data=el_cl_genesis_data, jwt_file=jwt_file, network=network, + keymanager_file=keymanager_file, ) diff --git a/src/cl/teku/teku_launcher.star b/src/cl/teku/teku_launcher.star index abc0a87f0..b5aecdc3e 100644 --- a/src/cl/teku/teku_launcher.star +++ b/src/cl/teku/teku_launcher.star 
@@ -4,9 +4,10 @@ cl_client_context = import_module("../../cl/cl_client_context.star") node_metrics = import_module("../../node_metrics_info.star") cl_node_ready_conditions = import_module("../../cl/cl_node_ready_conditions.star") constants = import_module("../../package_io/constants.star") +validator_client_shared = import_module("../../validator_client/shared.star") +# ---------------------------------- Beacon client ------------------------------------- TEKU_BINARY_FILEPATH_IN_IMAGE = "/opt/teku/bin/teku" -# ---------------------------------- Beacon client ------------------------------------- # The Docker container runs as the "teku" user so we can't write to root BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER = "/data/teku/teku-beacon-data" @@ -15,6 +16,7 @@ BEACON_TCP_DISCOVERY_PORT_ID = "tcp-discovery" BEACON_UDP_DISCOVERY_PORT_ID = "udp-discovery" BEACON_HTTP_PORT_ID = "http" BEACON_METRICS_PORT_ID = "metrics" +VALIDATOR_HTTP_PORT_ID = "http-validator" # Port nums BEACON_DISCOVERY_PORT_NUM = 9000 @@ -124,6 +126,8 @@ def launch( plan, launcher.el_cl_genesis_data, launcher.jwt_file, + launcher.keymanager_file, + launcher.keymanager_p12_file, launcher.network, image, beacon_service_name, @@ -200,6 +204,8 @@ def get_beacon_config( plan, el_cl_genesis_data, jwt_file, + keymanager_file, + keymanager_p12_file, network, image, service_name, 
@@ -290,11 +296,19 @@ def get_beacon_config( + constants.CL_CLIENT_TYPE.teku + "-" + el_client_context.client_name, + "--validator-api-enabled=true", + "--validator-api-host-allowlist=*", + "--validator-api-port={0}".format( + validator_client_shared.VALIDATOR_HTTP_PORT_NUM + ), + "--validator-api-interface=0.0.0.0", + "--validator-api-keystore-file=" + + constants.KEYMANAGER_P12_MOUNT_PATH_ON_CONTAINER, + "--validator-api-keystore-password-file=" + + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER, + "--validator-api-docs-enabled=true", ] - if node_keystore_files != None and not use_separate_validator_client: - cmd.extend(validator_flags) - if network not in constants.PUBLIC_NETWORKS: cmd.append( "--initial-state=" @@ -366,10 +380,23 @@ def get_beacon_config( constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid, constants.JWT_MOUNTPOINT_ON_CLIENTS: jwt_file, } + beacon_validator_used_ports = {} + beacon_validator_used_ports.update(BEACON_USED_PORTS) if node_keystore_files != None and not use_separate_validator_client: + validator_http_port_id_spec = shared_utils.new_port_spec( + validator_client_shared.VALIDATOR_HTTP_PORT_NUM, + shared_utils.TCP_PROTOCOL, + shared_utils.HTTP_APPLICATION_PROTOCOL, + ) + beacon_validator_used_ports.update( + {VALIDATOR_HTTP_PORT_ID: validator_http_port_id_spec} + ) + cmd.extend(validator_flags) files[ VALIDATOR_KEYS_DIRPATH_ON_SERVICE_CONTAINER ] = node_keystore_files.files_artifact_uuid + files[constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS] = keymanager_file + files[constants.KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS] = keymanager_p12_file if persistent: files[BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER] = Directory( @@ -378,7 +405,7 @@ def get_beacon_config( ) return ServiceConfig( image=image, - ports=BEACON_USED_PORTS, + ports=beacon_validator_used_ports, cmd=cmd, # entrypoint=ENTRYPOINT_ARGS, files=files, 
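Review bot: `--validator-api-keystore-password-file` is given `constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER`, the same keymanager.txt that the Nimbus hunks pass as `--keymanager-token-file`, so one value serves both as an API token and as the password protecting the PKCS#12 that holds the TLS private key. Anyone handed the token in order to call the API can also decrypt the keystore. A separate password file and constant (for example `KEYMANAGER_P12_PASSWORD_MOUNT_PATH_ON_CONTAINER`, name illustrative) would keep the two roles apart; the same applies to the hunk at -47,6 in src/validator_client/teku.star. `--validator-api-docs-enabled=true` is set only here and not in the standalone Teku validator config, which looks unintentional.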
@@ -403,7 +430,13 @@ def get_beacon_config( ) -def new_teku_launcher(el_cl_genesis_data, jwt_file, network): +def new_teku_launcher( + el_cl_genesis_data, jwt_file, network, keymanager_file, keymanager_p12_file +): return struct( - el_cl_genesis_data=el_cl_genesis_data, jwt_file=jwt_file, network=network + el_cl_genesis_data=el_cl_genesis_data, + jwt_file=jwt_file, + network=network, + keymanager_file=keymanager_file, + keymanager_p12_file=keymanager_p12_file, ) diff --git a/src/package_io/constants.star b/src/package_io/constants.star index 8c45120b2..0368abe4d 100644 --- a/src/package_io/constants.star +++ b/src/package_io/constants.star @@ -55,6 +55,14 @@ GENESIS_CONFIG_MOUNT_PATH_ON_CONTAINER = ( JWT_MOUNTPOINT_ON_CLIENTS = "/jwt" JWT_MOUNT_PATH_ON_CONTAINER = JWT_MOUNTPOINT_ON_CLIENTS + "/jwtsecret" +KEYMANAGER_MOUNT_PATH_ON_CLIENTS = "/keymanager" +KEYMANAGER_MOUNT_PATH_ON_CONTAINER = ( + KEYMANAGER_MOUNT_PATH_ON_CLIENTS + "/keymanager.txt" +) +KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS = "/keymanager-p12" +KEYMANAGER_P12_MOUNT_PATH_ON_CONTAINER = ( + KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS + "/validator_keystore.p12" +) GENESIS_FORK_VERSION = "0x10000038" BELLATRIX_FORK_VERSION = "0x30000038" diff --git a/src/participant_network.star b/src/participant_network.star index 696ee53a5..78e81972c 100644 --- a/src/participant_network.star +++ b/src/participant_network.star @@ -68,6 +68,8 @@ def launch_participant_network( network_params, global_log_level, jwt_file, + keymanager_file, + keymanager_p12_file, persistent, xatu_sentry_params, global_tolerations, @@ -523,7 +525,7 @@ def launch_participant_network( }, constants.CL_CLIENT_TYPE.nimbus: { "launcher": nimbus.new_nimbus_launcher( - el_cl_data, jwt_file, network_params.network + el_cl_data, jwt_file, network_params.network, keymanager_file ), "launch_method": nimbus.launch, }, 
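Review bot: The new constants in src/package_io/constants.star break the naming pattern of the JWT pair directly above them: there the directory is `JWT_MOUNTPOINT_ON_CLIENTS` and the file is `JWT_MOUNT_PATH_ON_CONTAINER`, whereas here both the directory and the file are named `..._MOUNT_PATH_...`. Renaming the two directories to `KEYMANAGER_MOUNTPOINT_ON_CLIENTS` and `KEYMANAGER_P12_MOUNTPOINT_ON_CLIENTS` would make it obvious at the call sites which value is a mount target and which is a file path passed to a flag. A one-line comment above the block, such as `# keymanager.txt: API token for Nimbus, keystore password for Teku`, would also record that the file has two consumers.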
@@ -542,6 +544,8 @@ def launch_participant_network( el_cl_data, jwt_file, network_params.network, + keymanager_file, + keymanager_p12_file, ), "launch_method": teku.launch, }, @@ -775,6 +779,8 @@ def launch_participant_network( launcher=validator_client.new_validator_client_launcher( el_cl_genesis_data=el_cl_data ), + keymanager_file=keymanager_file, + keymanager_p12_file=keymanager_p12_file, service_name="vc-{0}-{1}-{2}".format( index_str, validator_client_type, el_client_type ), @@ -797,6 +803,8 @@ def launch_participant_network( participant_tolerations=participant.tolerations, global_tolerations=global_tolerations, node_selectors=node_selectors, + network=network_params.network, # TODO: remove when deneb rebase is done + electra_fork_epoch=network_params.electra_fork_epoch, # TODO: remove when deneb rebase is done ) all_validator_client_contexts.append(validator_client_context) diff --git a/src/static_files/static_files.star b/src/static_files/static_files.star index 40eb2254e..98d2c838e 100644 --- a/src/static_files/static_files.star +++ b/src/static_files/static_files.star @@ -68,5 +68,9 @@ CL_GENESIS_GENERATION_MNEMONICS_TEMPLATE_FILEPATH = ( ) JWT_PATH_FILEPATH = STATIC_FILES_DIRPATH + "/jwt/jwtsecret" +KEYMANAGER_PATH_FILEPATH = STATIC_FILES_DIRPATH + "/keymanager/keymanager.txt" +KEYMANAGER_P12_PATH_FILEPATH = ( + STATIC_FILES_DIRPATH + "/keymanager/validator_keystore.p12" +) SHADOWFORK_FILEPATH = "/network-configs/latest_block.json" diff --git a/src/validator_client/lighthouse.star b/src/validator_client/lighthouse.star index 2fcc833ce..9de7f6110 100644 --- a/src/validator_client/lighthouse.star +++ b/src/validator_client/lighthouse.star @@ -32,6 +32,8 @@ def get_config( extra_labels, tolerations, node_selectors, + network, + electra_fork_epoch, ): log_level = input_parser.get_client_log_level_or_default( participant_log_level, global_log_level, VERBOSITY_LEVELS 
@@ -60,6 +62,11 @@ def get_config( # "--enable-doppelganger-protection", // Disabled to not have to wait 2 epochs before validator can start # burn address - If unset, the validator will scream in its logs "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT, + "--http", + "--http-port={0}".format(validator_client_shared.VALIDATOR_HTTP_PORT_NUM), + "--http-address=0.0.0.0", + "--http-allow-origin=*", + "--unencrypted-http-transport", # vvvvvvvvvvvvvvvvvvv PROMETHEUS CONFIG vvvvvvvvvvvvvvvvvvvvv "--metrics", "--metrics-address=0.0.0.0", @@ -74,6 +81,9 @@ def get_config( + el_client_context.client_name, ] + if not (constants.NETWORK_NAME.verkle in network and electra_fork_epoch == None): + cmd.append("--produce-block-v3") + if len(extra_params): cmd.extend([param for param in extra_params]) diff --git a/src/validator_client/lodestar.star b/src/validator_client/lodestar.star index c60c1b025..23e02e044 100644 --- a/src/validator_client/lodestar.star +++ b/src/validator_client/lodestar.star @@ -54,6 +54,11 @@ def get_config( "--keystoresDir=" + validator_keys_dirpath, "--secretsDir=" + validator_secrets_dirpath, "--suggestedFeeRecipient=" + constants.VALIDATING_REWARDS_ACCOUNT, + "--keymanager", + "--keymanager.authEnabled=true", + "--keymanager.port={0}".format(validator_client_shared.VALIDATOR_HTTP_PORT_NUM), + "--keymanager.address=0.0.0.0", + "--keymanager.cors=*", # vvvvvvvvvvvvvvvvvvv PROMETHEUS CONFIG vvvvvvvvvvvvvvvvvvvvv "--metrics", "--metrics.address=0.0.0.0", @@ -65,6 +70,7 @@ def get_config( + cl_client_context.client_name + "-" + el_client_context.client_name, + "--useProduceBlockV3", ] if len(extra_params) > 0: diff --git a/src/validator_client/nimbus.star b/src/validator_client/nimbus.star index 7a6ecaed5..164b35ac6 100644 --- a/src/validator_client/nimbus.star +++ b/src/validator_client/nimbus.star 
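Review bot: The validator HTTP API is bound to `--http-address=0.0.0.0` with `--http-allow-origin=*` and `--unencrypted-http-transport`, so the key-management endpoints are reachable on every interface over plaintext and callable from any browser origin, and nothing in the hunk limits this to test enclaves or lets a user turn it off. The Lodestar hunk at -54,6 (`--keymanager.address=0.0.0.0`, `--keymanager.cors=*`) and the nimbus.star, prysm.star and teku.star hunks under src/validator_client follow the same pattern. At minimum I would add a comment above the flags, e.g. `# Keymanager API: all-interface bind and wildcard CORS are for local devnets only`, and preferably gate the block behind a participant-level option that defaults to off. No token file is passed to Lighthouse or Lodestar here, so presumably each client generates its own token inside the container; it is worth documenting where consumers are expected to read it from. get_config starts and ends outside the hunk.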
@@ -6,6 +6,7 @@ validator_client_shared = import_module("./shared.star") def get_config( el_cl_genesis_data, image, + keymanager_file, beacon_http_url, cl_client_context, el_client_context, @@ -36,6 +37,11 @@ def get_config( "--validators-dir=" + validator_keys_dirpath, "--secrets-dir=" + validator_secrets_dirpath, "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT, + "--keymanager", + "--keymanager-port={0}".format(validator_client_shared.VALIDATOR_HTTP_PORT_NUM), + "--keymanager-address=0.0.0.0", + "--keymanager-allow-origin=*", + "--keymanager-token-file=" + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER, # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv "--metrics", "--metrics-address=0.0.0.0", @@ -54,6 +60,7 @@ def get_config( files = { validator_client_shared.VALIDATOR_CLIENT_KEYS_MOUNTPOINT: node_keystore_files.files_artifact_uuid, + constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS: keymanager_file, } return ServiceConfig( diff --git a/src/validator_client/prysm.star b/src/validator_client/prysm.star index 5c05ac9c1..e5ed58e4e 100644 --- a/src/validator_client/prysm.star +++ b/src/validator_client/prysm.star @@ -47,6 +47,9 @@ def get_config( "--wallet-dir=" + validator_keys_dirpath, "--wallet-password-file=" + validator_secrets_dirpath, "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT, + "--rpc", + "--rpc-port={0}".format(validator_client_shared.VALIDATOR_HTTP_PORT_NUM), + "--rpc-host=0.0.0.0", # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv "--disable-monitoring=false", "--monitoring-host=0.0.0.0", diff --git a/src/validator_client/shared.star b/src/validator_client/shared.star index fbbf27108..1eb7cdbd3 100644 --- a/src/validator_client/shared.star +++ b/src/validator_client/shared.star 
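Review bot: The Prysm block enables `--rpc` on `--rpc-host=0.0.0.0` without any token-related flag, unlike the Nimbus validator hunk just above it, which sets `--keymanager-token-file`; from the hunk alone it is not visible how callers authenticate or where they obtain a token. If Prysm generates the token itself, a comment saying so (`# auth token is generated by Prysm at startup — TODO confirm location`) would save the next reader a search. It is also worth confirming that `--rpc` alone exposes the keymanager routes this commit is meant to add, since no keymanager-specific flag appears here.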
@@ -3,11 +3,19 @@ shared_utils = import_module("../shared_utils/shared_utils.star") PRIVATE_IP_ADDRESS_PLACEHOLDER = "KURTOSIS_IP_ADDR_PLACEHOLDER" VALIDATOR_CLIENT_KEYS_MOUNTPOINT = "/keystores" +VALIDATOR_HTTP_PORT_NUM = 5056 +VALIDATOR_HTTP_PORT_ID = "http" + VALIDATOR_CLIENT_METRICS_PORT_NUM = 8080 VALIDATOR_CLIENT_METRICS_PORT_ID = "metrics" METRICS_PATH = "/metrics" VALIDATOR_CLIENT_USED_PORTS = { + VALIDATOR_HTTP_PORT_ID: shared_utils.new_port_spec( + VALIDATOR_HTTP_PORT_NUM, + shared_utils.TCP_PROTOCOL, + shared_utils.HTTP_APPLICATION_PROTOCOL, + ), VALIDATOR_CLIENT_METRICS_PORT_ID: shared_utils.new_port_spec( VALIDATOR_CLIENT_METRICS_PORT_NUM, shared_utils.TCP_PROTOCOL, diff --git a/src/validator_client/teku.star b/src/validator_client/teku.star index f644babf3..2eb69134a 100644 --- a/src/validator_client/teku.star +++ b/src/validator_client/teku.star @@ -5,6 +5,8 @@ validator_client_shared = import_module("./shared.star") def get_config( el_cl_genesis_data, + keymanager_file, + keymanager_p12_file, image, beacon_http_url, cl_client_context, @@ -47,6 +49,16 @@ def get_config( + cl_client_context.client_name + "-" + el_client_context.client_name, + "--validator-api-enabled=true", + "--validator-api-host-allowlist=*", + "--validator-api-port={0}".format( + validator_client_shared.VALIDATOR_HTTP_PORT_NUM + ), + "--validator-api-interface=0.0.0.0", + "--validator-api-keystore-file=" + + constants.KEYMANAGER_P12_MOUNT_PATH_ON_CONTAINER, + "--validator-api-keystore-password-file=" + + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER, # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv "--metrics-enabled=true", "--metrics-host-allowlist=*", 
@@ -63,6 +75,8 @@ def get_config( files = { constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid, validator_client_shared.VALIDATOR_CLIENT_KEYS_MOUNTPOINT: node_keystore_files.files_artifact_uuid, + constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS: keymanager_file, + constants.KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS: keymanager_p12_file, } return ServiceConfig( diff --git a/src/validator_client/validator_client_launcher.star b/src/validator_client/validator_client_launcher.star index 2d0fbcc09..0e9ab69cb 100644 --- a/src/validator_client/validator_client_launcher.star +++ b/src/validator_client/validator_client_launcher.star @@ -20,6 +20,8 @@ MAX_MEMORY = 512 def launch( plan, launcher, + keymanager_file, + keymanager_p12_file, service_name, validator_client_type, image, @@ -40,6 +42,8 @@ def launch( participant_tolerations, global_tolerations, node_selectors, + network, # TODO: remove when deneb rebase is done + electra_fork_epoch, # TODO: remove when deneb rebase is done ): if node_keystore_files == None: return None @@ -76,6 +80,8 @@ def launch( extra_labels=extra_labels, tolerations=tolerations, node_selectors=node_selectors, + network=network, # TODO: remove when deneb rebase is done + electra_fork_epoch=electra_fork_epoch, # TODO: remove when deneb rebase is done ) elif validator_client_type == constants.VC_CLIENT_TYPE.lodestar: config = lodestar.get_config( @@ -99,6 +105,8 @@ def launch( elif validator_client_type == constants.VC_CLIENT_TYPE.teku: config = teku.get_config( el_cl_genesis_data=launcher.el_cl_genesis_data, + keymanager_file=keymanager_file, + keymanager_p12_file=keymanager_p12_file, image=image, beacon_http_url=beacon_http_url, cl_client_context=cl_client_context, 
@@ -116,6 +124,7 @@ def launch( elif validator_client_type == constants.VC_CLIENT_TYPE.nimbus: config = nimbus.get_config( el_cl_genesis_data=launcher.el_cl_genesis_data, + keymanager_file=keymanager_file, image=image, beacon_http_url=beacon_http_url, cl_client_context=cl_client_context, @@ -168,6 +177,10 @@ def launch( service_name, validator_client_shared.METRICS_PATH, validator_metrics_url ) + validator_http_port = validator_service.ports[ + validator_client_shared.VALIDATOR_HTTP_PORT_ID + ] + return validator_client_context.new_validator_client_context( service_name=service_name, client_name=validator_client_type, diff --git a/static_files/keymanager/generate_certs.sh b/static_files/keymanager/generate_certs.sh new file mode 100644 index 000000000..b323df85c --- /dev/null +++ b/static_files/keymanager/generate_certs.sh @@ -0,0 +1,7 @@ +# To run this script, you need to have openssl installed on your machine +# This script generates a self-signed certificate and a private key, and then exports them to a PKCS12 keystore +# The keystore is encrypted with a password that is stored in a file called keymanager.txt +# The keystore is then saved to a file called validator_keystore.p12 +# https://docs.teku.consensys.io/23.12.0/how-to/use-external-signer/manage-keys#support-multiple-domains-and-ips + +openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -config openssl.cnf | openssl pkcs12 -export -out validator_keystore.p12 -passout file:keymanager.txt diff --git a/static_files/keymanager/keymanager.txt b/static_files/keymanager/keymanager.txt new file mode 100644 index 000000000..8afbcde70 --- /dev/null +++ b/static_files/keymanager/keymanager.txt @@ -0,0 +1 @@ +api-token-0x7443c65f8cb0eb4ef6ab78c173d085f28b349f40dda27c74604439e07848a6d4 \ No newline at end of file diff --git a/static_files/keymanager/openssl.cnf b/static_files/keymanager/openssl.cnf new file mode 100644 index 000000000..0afbc9731 --- /dev/null +++ b/static_files/keymanager/openssl.cnf 
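Review bot: `validator_http_port` is read from `validator_service.ports[...]` but nothing in the visible hunk uses it; the `new_validator_client_context(...)` call that follows continues outside the hunk, so it may be consumed there. If it is not passed on, either drop the assignment or add it to the context so downstream services can locate the keymanager API. Note also that only the Teku and Nimbus branches receive `keymanager_file`; the Lighthouse, Lodestar and Prysm branches get no credential from the package.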
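Review bot: generate_certs.sh has no shebang or error handling and resolves `openssl.cnf`, `keymanager.txt` and the output path relative to the caller's working directory, so running it from the repository root fails or writes the keystore somewhere unexpected. I would start it with `#!/usr/bin/env bash`, `set -euo pipefail` and `cd "$(dirname "$0")"`. The header comment should also state that `-nodes` leaves the private key unencrypted until `pkcs12 -export` wraps it, and that the output is a throwaway test credential, since both the keystore and its password are committed next to the script.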
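Review bot: keymanager.txt commits a fixed API token to the repository, and the launchers in this change mount it into Nimbus and Teku validator processes whose API listens on 0.0.0.0, so every enclave started from this package shares one publicly known credential, which is also the password of the committed validator_keystore.p12. That is acceptable only for isolated devnets, so the package should say so explicitly (README and a comment at the `upload_files` call in main.star), or better, generate the token per run instead of uploading a static file. The missing trailing newline is harmless for `-passout file:` but worth fixing so that tools appending to the file do not alter the token.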
@@ -0,0 +1,23 @@ +[req] +distinguished_name = Kurtosis +x509_extensions = v3_req +prompt = no + +[Kurtosis] +countryName = EU +stateOrProvinceName = CA +localityName = San Francisco +organizationName = Kurtosis +organizationalUnitName = ethereum-package + +[v3_req] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +basicConstraints = CA:TRUE +subjectAltName = @alt_names + +[alt_names] +DNS.1 = mydomain.com +DNS.2 = localhost +IP.1 = 127.0.0.1 +IP.2 = 10.0.0.6 
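Review bot: `basicConstraints = CA:TRUE` marks what is used as a server certificate as a certificate authority, and its private key is committed in validator_keystore.p12 with the password in keymanager.txt; if anyone adds this certificate to a trust store to make the test API validate, that store would then accept certificates for any name signed with a publicly available key. For a leaf certificate I would use `basicConstraints = CA:FALSE` and add `extendedKeyUsage = serverAuth`. The `[alt_names]` entries (`mydomain.com`, `10.0.0.6`) look like documentation placeholders and are unlikely to match the service names or addresses assigned inside an enclave, so hostname verification would presumably fail unless clients disable it; listing the names the package actually uses, or documenting that verification is expected to be off, would avoid that. `countryName = EU` alongside `stateOrProvinceName = CA` and `San Francisco` is inconsistent, though cosmetic.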
diff --git a/static_files/keymanager/validator_keystore.p12 b/static_files/keymanager/validator_keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..c8267284102b2b247f968e0d0c5b68bf03345dd2 GIT binary patch literal 2707 zcmai$X*AS}8^_J~8I8zD_T5;^1gV^bH1PNi|5_vJSYOw12BjlMPSl{K#}o=@jqEWjGzJn zlL|m!QaHhKC<2iCZv`nJ0Ldrl9vDP-vZDTNKq#l*fq?~OiIV>}GNZ%**inbhY~frP z+LyUED_lh-0}MVzhhm1D`rlPBlz|Q<0D(Hk8-i}q10W;-`?jK)3c7o%I5;A#u9CIa zE{XuaTCd!~q|`2C^agdE3$1NVupKiI3@-xP!1-8ZCQ(18Vb)^ zKeaGhS`l_+*J;gvO_S7nx_>G3W=(ITbM3H=F4y25^MVNyI5n#j_-B&y_n^sUq3i4D z@6Q+c^ao}mrG0qZ9OM+gMNRP98oo$GDgZo!^I6%;Bh}(|HSglA4h3wo56}&8nCJ!H zYhH#Uow=hjD!G#bUPPSdVTij-z~#WYR!ww#`~yewS!vGN@JPQ2?7@Ik5Me*Ap7v30 zHu)Ek`82}uY27Hd4mmWgmaI2Z=}@rqnkT%msgP8jq^)Lk)`5{I?+|;9LCS`rE#mv8 zGHjAjOZx+rB8a_b(WPg3wZ%1TyN@WaO*4`hF-k7G*QFJIfa}b|aP6BHki%LZwg4Te zdp_5m9!P+Wfi+ToFmA}QIe`t#QdNNzH5CtB>Ncwf_9%`H^7r#6-dWAic<%%kawX45yBa3eE&+x5&pF$)k&X{2aedPk0;e$W@ox==Z;# z@V+HXzsM5e4-r)H|5_shIc4rQ=VV{qm_AqJ@r|*~tW82+&8$VUdP!@>9KG~dSffqN zD9-w(-N7=|oZAU7zoz!$t5kz zI<8o>|0^z+`+R=OCW^46&Y=41O)q0%n|_L^a)-?^4O31ceYFop3o;%_>Bha_?%X=` zW!;#g37k>fn`h(n>#=aDKx$iVA=4AS$jrMHebjL0X%>tNSLb zA7^^mlSQH&q28%~h2tJzyP=muXKd-pvkMy)0bvPY6L`ox_N~Xh$0Icu^unLv1CZpG z{!i{48@=&ex&3+i8=cRajlzt3L1cR&;<=LH7wlWll)P%HSl5O+o-#Y{go;yOGi3_V zM#=ejZkvvAtMt4hh`jT@7;6%f8wJvyYLw9ZC1KsG9CaO|D=M_>t3KtzCM)K%SzX~6 zU8|r0szebO?*I18KjLBt2M7#zPH^DK+=iU~ztfnRK;V;7^#m&am#8G7togcv$1`nr zriV0!+hPAHDv?3;&!l!bUPkQKhChHPSAYNvBbf~18x^`Gv`;@SM=;sFec&9cFe~Yz zH7)5V^)4yKmt9u$Pm+ zweB<*m$>+Vmel;%Mc?p|wb?YG`JU;?;SE{Rmwot0N{(A7%eVVsFFe_cwCPVngVmz~ssmUo?@*Z8+$ zP7g#$Z;t+B%t7S$i!^ck9n3;SY*4q=8@_z<0I542DKr5`u!L(R4S4O8WOe6V7bAV~ zlj9%NUtz~zBAJ9BNMPcHaefM?A)1lna)0@=eolANhTTOO6%agPKaGsC*j?66SP#o( z8{0?j>ssn$H`kBXHTcdJ z^Vg+|tp_wYZPKtE?n&?F&{=&VTo!N~IYOl;UP4nvB}P$E#w|Ed{a`iOs!cvnF(e5& z?3;WC0=97+QK2{tcP~;O9{TNVa#TI+P-8FM`PHu$6dA7Lyz!2@#&K&1Hq_CIxC5)~ zqk|azv7@M3{wLPx(KI*%4lg47#F5sMhSNCie5%w>wNi?lg;?>?SG9+LinoYN-Dt>hT-A;+Qm>~(8jb>OVE{ z6*7yEy#@?ij#Tx+t%&#l4YmsDgsp_& 
z;aVcqBaMq3)-L#Xe?T-U?n$Ap%q{Hv6)D;G+B|+H>$M+fv71AuM;I%^CAFU}2io0k zBK>$yvb>gyvrW7ZSGkVloa{F>Po}mFtB+t_EeW)kqnCmGs+cwX!ZW{$KmL^S#jZDZ z_N8<3%)v!_DpuJ;a$KArw74U#Ry|(ilr=OW>rR?}@S@aq25c-ubrmX-9F={lwuTPm zjJ*#NuB4Wf9z3R+Gw~_@G9+d8Bz~m?F@6+dDJaPk4Mh^( z$3*)X&*;H;?#)fsW(iCCE@v{u4r!K(EyC4vs$#k@*LrrWw*ig(^@uU4uZlxfMB5n0 zkmTm-hRizI?5I8kQPnI@G5k6_18vD?gU=wa%@qYmRkzW62Q+xut)=4x6NQUQ&5g>^ zBYkTqKIQ^LusphUz8N3QCpG&*-hEJ_dzq{muZat{{e{^5Q7?Z_z?IK$;q6;RTJj=w#eq{R+#Ufn2^9E0s{I=`LflUP literal 0 HcmV?d00001