feat(spartan): (A-535) enable admin API key auth for next-scenario network

spartan/bootstrap.sh

@@ -99,6 +99,12 @@ function run_network_tests {
   source_network_env "$env_file"
   gcp_auth
   export SCENARIO_TESTS=1
+  # Retrieve the admin API key stored as a K8s Secret during deployment.
+  # Exported so the test runner can authenticate against the admin RPC endpoint.
+  export AZTEC_ADMIN_API_KEY
+  AZTEC_ADMIN_API_KEY=$(kubectl get secret aztec-admin-api-key \
+    --namespace "$NAMESPACE" \
+    -o jsonpath='{.data.key}' 2>/dev/null | base64 -d 2>/dev/null || true)
   local failed=()
   for test_file in "$@"; do
     echo_header "Running $test_file"

spartan/scripts/deploy_network.sh

@@ -459,6 +459,20 @@ else
 fi
 
 
+# -------------------------------
+# Generate admin API key
+# -------------------------------
+# Generate a fresh key on every deploy; the hash goes to validators and the
+# raw key is stored as a K8s Secret for the test runner to retrieve later.
+# The raw key is never logged.
+ADMIN_API_KEY=$(openssl rand -hex 32)
+ADMIN_API_KEY_HASH=$(printf '%s' "$ADMIN_API_KEY" | sha256sum | cut -d' ' -f1)
+kubectl create secret generic aztec-admin-api-key \
+  --from-literal=key="$ADMIN_API_KEY" \
+  --namespace "${NAMESPACE}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+unset ADMIN_API_KEY
+
 # -------------------------------
 # Deploy Aztec infra
 # -------------------------------
@@ -612,6 +626,7 @@ PROVER_AGENT_PROOF_TYPES = ${PROVER_AGENT_PROOF_TYPES:-[]}
 DEBUG_FORCE_TX_PROOF_VERIFICATION = ${DEBUG_FORCE_TX_PROOF_VERIFICATION:-false}
 
 WAIT_FOR_PROVER_DEPLOY = ${WAIT_FOR_PROVER_DEPLOY:-null}
+ADMIN_API_KEY_HASH = "${ADMIN_API_KEY_HASH}"
 EOF
 
 k8s_denoise "tf_run "${DEPLOY_AZTEC_INFRA_DIR}" "${DESTROY_AZTEC_INFRA}" "${CREATE_AZTEC_INFRA}""

spartan/terraform/deploy-aztec-infra/main.tf

@@ -223,6 +223,7 @@ locals {
     "validator.node.env.WS_NUM_HISTORIC_CHECKPOINTS"           = var.WS_NUM_HISTORIC_CHECKPOINTS
     "validator.node.env.TX_COLLECTION_FILE_STORE_URLS"         = var.TX_COLLECTION_FILE_STORE_URLS
     "validator.node.env.SEQ_SKIP_CHECKPOINT_PUBLISH_PERCENT"   = var.SEQ_SKIP_CHECKPOINT_PUBLISH_PERCENT
+    "validator.node.adminApiKeyHash"                            = var.ADMIN_API_KEY_HASH
   }
 
   # Note: nonsensitive() is required here because helm_releases is used in for_each,

spartan/terraform/deploy-aztec-infra/variables.tf

@@ -229,6 +229,12 @@ variable "VALIDATOR_HA_REPLICAS" {
   default     = 0
 }
 
+variable "ADMIN_API_KEY_HASH" {
+  description = "SHA-256 hex hash of the admin API key. When set, enables admin API authentication on validator nodes. Leave empty to disable admin auth (default)."
+  type        = string
+  default     = ""
+}
+
 variable "PROVER_MNEMONIC" {
   description = "The prover mnemonic"
   type        = string

yarn-project/end-to-end/src/spartan/utils/config.ts

@@ -16,6 +16,7 @@ const testConfigSchema = z.object({
   AZTEC_PROOF_SUBMISSION_WINDOW: z.coerce.number().optional().default(5),
   AZTEC_LAG_IN_EPOCHS_FOR_VALIDATOR_SET: z.coerce.number().optional().default(2),
   FUNDING_PRIVATE_KEY: z.string().optional(),
+  AZTEC_ADMIN_API_KEY: z.string().optional(),
 });
 
 export type TestConfig = z.infer<typeof testConfigSchema>;

yarn-project/end-to-end/src/spartan/utils/nodes.ts

@@ -173,7 +173,7 @@ export async function withSequencersAdmin<T>(env: TestConfig, fn: (node: AztecNo
           if (statusRes.status !== 200) {
             throw new Error(`Admin endpoint returned status ${statusRes.status}`);
           }
-          const client = createAztecNodeAdminClient(url);
+          const client = createAztecNodeAdminClient(url, {}, undefined, env.AZTEC_ADMIN_API_KEY);
           return { result: await fn(client), process };
         } catch (err) {
           // Kill the port-forward before retrying