remove optional signer client from PbsModuleConfig as signer should only be used if modules are present

Author: JasonVranek

crates/cli/src/docker_init.rs

@@ -1520,11 +1520,10 @@ mod tests {
         config
     }
 
-    /// Returns a `ServiceCreationInfo` whose CB config has `pbs.with_signer =
-    /// true` and a local signer with `TlsMode::Certificate(certs_path)`.
+    /// Returns a `ServiceCreationInfo` whose CB config has a local signer with
+    /// `TlsMode::Certificate(certs_path)`.
     fn service_config_with_tls(certs_path: PathBuf) -> ServiceCreationInfo {
         let mut sc = minimal_service_config();
-        sc.config_info.cb_config.pbs.with_signer = true;
         sc.config_info.cb_config.signer = Some(local_signer_config_with_tls(certs_path));
         sc
     }
@@ -1620,12 +1619,15 @@ mod tests {
     // -------------------------------------------------------------------------
 
     #[test]
-    fn test_create_pbs_service_with_tls_adds_cert_env_and_volume() -> eyre::Result<()> {
+    fn test_create_pbs_service_with_tls_but_no_commit_module_no_cert() -> eyre::Result<()> {
+        // PBS no longer connects to the signer directly; only commit modules do.
+        // Even when the signer is configured with TLS, the cert env/volume must
+        // NOT be injected into the PBS container unless a Commit module is present.
         let mut sc = service_config_with_tls(PathBuf::from("/my/certs"));
         let service = create_pbs_service(&mut sc)?;
 
-        assert!(has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
-        assert!(has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
+        assert!(!has_env_key(&service, SIGNER_TLS_CERTIFICATES_PATH_ENV));
+        assert!(!has_volume(&service, SIGNER_TLS_CERTIFICATE_NAME));
         Ok(())
     }
 

crates/common/src/config/mod.rs

@@ -131,10 +131,9 @@ impl CommitBoostConfig {
 
     /// Helper to return if the signer module is needed based on the config
     pub fn needs_signer_module(&self) -> bool {
-        self.pbs.with_signer ||
-            self.modules.as_ref().is_some_and(|modules| {
-                modules.iter().any(|module| matches!(module.kind, ModuleKind::Commit))
-            })
+        self.modules.as_ref().is_some_and(|modules| {
+            modules.iter().any(|module| matches!(module.kind, ModuleKind::Commit))
+        })
     }
 
     pub fn signer_uses_tls(&self) -> bool {

crates/common/src/config/pbs.rs

@@ -21,17 +21,12 @@ use super::{
     load_optional_env_var,
 };
 use crate::{
-    commit::client::SignerClient,
-    config::{
-        CONFIG_ENV, MODULE_JWT_ENV, MuxKeysLoader, PBS_IMAGE_DEFAULT, PBS_SERVICE_NAME, PbsMuxes,
-        SIGNER_TLS_CERTIFICATE_NAME, SIGNER_TLS_CERTIFICATES_PATH_ENV, SIGNER_URL_ENV,
-        SignerConfig, TlsMode, load_env_var, load_file_from_env,
-    },
+    config::{CONFIG_ENV, MuxKeysLoader, PBS_IMAGE_DEFAULT, PbsMuxes, load_file_from_env},
     pbs::{
         DEFAULT_PBS_PORT, DEFAULT_REGISTRY_REFRESH_SECONDS, DefaultTimeout, LATE_IN_SLOT_TIME_MS,
         REGISTER_VALIDATOR_RETRY_LIMIT, RelayClient, RelayEntry,
     },
-    types::{BlsPublicKey, Chain, Jwt, ModuleId},
+    types::{BlsPublicKey, Chain},
     utils::{
         WEI_PER_ETH, as_eth_str, default_bool, default_host, default_u16, default_u32, default_u64,
         default_u256,
@@ -244,9 +239,6 @@ pub struct StaticPbsConfig {
     /// Config of pbs module
     #[serde(flatten)]
     pub pbs_config: PbsConfig,
-    /// Whether to enable the signer client
-    #[serde(default = "default_bool::<false>")]
-    pub with_signer: bool,
 }
 
 impl StaticPbsConfig {
@@ -279,8 +271,6 @@ pub struct PbsModuleConfig {
     /// URL) DO NOT use this for get_header calls, use `relays` or `mux_lookup`
     /// instead
     pub all_relays: Vec<RelayClient>,
-    /// Signer client to call Signer API
-    pub signer_client: Option<SignerClient>,
     /// List of raw mux details configured, if any
     pub registry_muxes: Option<HashMap<MuxKeysLoader, RuntimeMuxConfig>>,
     /// Lookup of pubkey to mux config
@@ -355,7 +345,6 @@ pub async fn load_pbs_config(config_path: Option<PathBuf>) -> Result<(PbsModuleC
             pbs_config: Arc::new(config.pbs.pbs_config),
             relays: relay_clients,
             all_relays,
-            signer_client: None,
             registry_muxes,
             mux_lookup,
         },
@@ -378,7 +367,6 @@ pub async fn load_pbs_custom_config<T: DeserializeOwned>() -> Result<(PbsModuleC
         chain: Chain,
         relays: Vec<RelayConfig>,
         pbs: CustomPbsConfig<U>,
-        signer: Option<SignerConfig>,
         muxes: Option<PbsMuxes>,
     }
 
@@ -431,41 +419,13 @@ pub async fn load_pbs_custom_config<T: DeserializeOwned>() -> Result<(PbsModuleC
 
     let all_relays = all_relays.into_values().collect();
 
-    let signer_client = if cb_config.pbs.static_config.with_signer {
-        // if custom pbs requires a signer client, load jwt
-        let module_jwt = Jwt(load_env_var(MODULE_JWT_ENV)?);
-        let signer_server_url = load_env_var(SIGNER_URL_ENV)?.parse()?;
-        let certs_path = match cb_config
-            .signer
-            .ok_or_else(|| eyre::eyre!("with_signer = true but no [signer] section in config"))?
-            .tls_mode
-        {
-            TlsMode::Insecure => None,
-            TlsMode::Certificate(path) => Some(
-                load_env_var(SIGNER_TLS_CERTIFICATES_PATH_ENV)
-                    .map(PathBuf::from)
-                    .unwrap_or(path)
-                    .join(SIGNER_TLS_CERTIFICATE_NAME),
-            ),
-        };
-        Some(SignerClient::new(
-            signer_server_url,
-            certs_path,
-            module_jwt,
-            ModuleId(PBS_SERVICE_NAME.to_string()),
-        )?)
-    } else {
-        None
-    };
-
     Ok((
         PbsModuleConfig {
             chain: cb_config.chain,
             endpoint,
             pbs_config: Arc::new(cb_config.pbs.static_config.pbs_config),
             relays: relay_clients,
             all_relays,
-            signer_client,
             registry_muxes,
             mux_lookup,
         },

crates/common/src/config/signer.rs

@@ -485,7 +485,6 @@ mod tests {
                     ssv_node_api_url: Url::parse("https://example.net").unwrap(),
                     ssv_public_api_url: Url::parse("https://example.net").unwrap(),
                 },
-                with_signer: true,
             },
             muxes: None,
             modules: Some(vec![]),

docs/docs/get_started/building.md

@@ -108,7 +108,6 @@ chain = "Hoodi"
 
 [pbs]
 port = 18550
-with_signer = true
 
 [[relays]]
 url = "https://0xafa4c6985aa049fb79dd37010438cfebeb0f2bd42b115b89dd678dab0670c1de38da0c4e9138c9290a398ecd9a0b3110@boost-relay-hoodi.flashbots.net"

docs/docs/get_started/configuration.md

@@ -63,8 +63,6 @@ To start a local Signer Service, you need to include its parameters in the confi
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 
@@ -97,8 +95,6 @@ We currently support Lighthouse, Prysm, Teku, Lodestar, and Nimbus's keystores s
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 
@@ -129,8 +125,6 @@ secrets_path = "secrets"
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 
@@ -161,8 +155,6 @@ secrets_path = "secrets/password.txt"
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 
@@ -192,8 +184,6 @@ secrets_path = "secrets"
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 
@@ -228,8 +218,6 @@ All keys have the same password stored in `secrets/password.txt`
   ```toml
   [pbs]
   ...
-  with_signer = true
-
   [signer]
   port = 20000
 
@@ -397,8 +385,6 @@ Specifying it is done within Commit-Boost's configuration file using the `[signe
 ```toml
 [pbs]
 ...
-with_signer = true
-
 [signer]
 port = 20000
 ...

tests/data/configs/pbs.happy.toml

@@ -14,7 +14,6 @@ timeout_get_header_ms = 950
 timeout_get_payload_ms = 4000
 timeout_register_validator_ms = 3000
 wait_all_registrations = true
-with_signer = false
 
 
 [[relays]]

tests/data/configs/signer.happy.toml

@@ -2,7 +2,6 @@ chain = "Hoodi"
 
 [pbs]
 docker_image = "ghcr.io/commit-boost/pbs:latest"
-with_signer = true
 host = "127.0.0.1"
 port = 18550
 relay_check = true

tests/src/utils.rs

@@ -107,7 +107,7 @@ pub fn get_pbs_config(port: u16) -> PbsConfig {
 }
 
 pub fn get_pbs_static_config(pbs_config: PbsConfig) -> StaticPbsConfig {
-    StaticPbsConfig { docker_image: String::from(""), pbs_config, with_signer: true }
+    StaticPbsConfig { docker_image: String::from(""), pbs_config }
 }
 
 pub fn get_commit_boost_config(pbs_static_config: StaticPbsConfig) -> CommitBoostConfig {
@@ -132,7 +132,6 @@ pub fn to_pbs_config(
         chain,
         endpoint: SocketAddr::new(pbs_config.host.into(), pbs_config.port),
         pbs_config: Arc::new(pbs_config),
-        signer_client: None,
         all_relays: relays.clone(),
         relays,
         registry_muxes: None,

tests/tests/config.rs

@@ -41,7 +41,6 @@ async fn test_load_pbs_happy() -> Result<()> {
 
     // Docker and general settings
     assert_eq!(config.pbs.docker_image, "ghcr.io/commit-boost/pbs:latest");
-    assert!(!config.pbs.with_signer);
     assert_eq!(config.pbs.pbs_config.host, "127.0.0.1".parse::<Ipv4Addr>().unwrap());
     assert_eq!(config.pbs.pbs_config.port, 18550);
     assert!(config.pbs.pbs_config.relay_check);