feat: make keymanager optional (#523)

.github/tests/mix-with-tools.yaml

@@ -26,3 +26,4 @@ additional_services:
   - blockscout
 ethereum_metrics_exporter_enabled: true
 snooper_enabled: true
+keymanager_enabled: true

README.md

@@ -440,6 +440,11 @@ participants:
   # ]
   builder_network_params: null
 
+  # Participant flag for keymanager api
+  # This will open up http ports to your validator services!
+  # Defaults to false
+  keymanager_enabled: false
+
 # Default configuration parameters for the network
 network_params:
   # Network name, used to enable syncing of alternative networks
@@ -720,6 +725,11 @@ global_tolerations: []
 # Example: global_node_selectors: { "disktype": "ssd" }
 # Defaults to empty
 global_node_selectors: {}
+
+# Global parameters for keymanager api
+# This will open up http ports to your validator services!
+# Defaults to false
+keymanager_enabled: false
 ```
 
 #### Example configurations

main.star

@@ -62,6 +62,7 @@ def run(plan, args={}):
     xatu_sentry_params = args_with_right_defaults.xatu_sentry_params
     global_tolerations = args_with_right_defaults.global_tolerations
     global_node_selectors = args_with_right_defaults.global_node_selectors
+    keymanager_enabled = args_with_right_defaults.keymanager_enabled
 
     grafana_datasource_config_template = read_file(
         static_files.GRAFANA_DATASOURCE_CONFIG_TEMPLATE_FILEPATH
@@ -107,6 +108,7 @@ def run(plan, args={}):
         xatu_sentry_params,
         global_tolerations,
         global_node_selectors,
+        keymanager_enabled,
         parallel_keystore_generation,
     )
 

network_params.yaml

@@ -52,6 +52,7 @@ participants:
     blobber_enabled: false
     blobber_extra_params: []
     builder_network_params: null
+    keymanager_enabled: false
 network_params:
   network: kurtosis
   network_id: "3151908"
@@ -136,3 +137,4 @@ xatu_sentry_params:
     - blob_sidecar
 global_tolerations: []
 global_node_selectors: {}
+keymanager_enabled: false

src/cl/cl_launcher.star

@@ -176,6 +176,7 @@ def launch(
                 global_tolerations,
                 node_selectors,
                 participant.use_separate_vc,
+                participant.keymanager_enabled,
             )
         else:
             boot_cl_client_ctx = all_cl_contexts
@@ -208,6 +209,7 @@ def launch(
                 global_tolerations,
                 node_selectors,
                 participant.use_separate_vc,
+                participant.keymanager_enabled,
             )
 
         # Add participant cl additional prometheus labels

src/cl/grandine/grandine_launcher.star

@@ -89,6 +89,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc,
+    keymanager_enabled,
 ):
     beacon_service_name = "{0}".format(service_name)
     log_level = input_parser.get_client_log_level_or_default(
@@ -127,6 +128,7 @@ def launch(
         launcher.el_cl_genesis_data,
         launcher.jwt_file,
         launcher.network,
+        keymanager_enabled,
         image,
         beacon_service_name,
         bootnode_context,
@@ -205,6 +207,7 @@ def get_beacon_config(
     el_cl_genesis_data,
     jwt_file,
     network,
+    keymanager_enabled,
     image,
     service_name,
     bootnode_contexts,
@@ -273,13 +276,15 @@ def get_beacon_config(
         # ^^^^^^^^^^^^^^^^^^^ METRICS CONFIG ^^^^^^^^^^^^^^^^^^^^^
         # To enable syncing other networks too without checkpoint syncing
     ]
-    validator_flags = [
+    validator_default_cmd = [
         "--keystore-dir=" + validator_keys_dirpath,
         "--keystore-password-file=" + validator_secrets_dirpath,
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
         "--graffiti=" + full_name,
     ]
 
+    keymanager_api_cmd = []
+
     if network not in constants.PUBLIC_NETWORKS:
         cmd.append(
             "--configuration-directory="
@@ -341,30 +346,29 @@ def get_beacon_config(
         constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid,
         constants.JWT_MOUNTPOINT_ON_CLIENTS: jwt_file,
     }
-    beacon_validator_used_ports = {}
-    beacon_validator_used_ports.update(BEACON_USED_PORTS)
+
+    ports = {}
+    ports.update(BEACON_USED_PORTS)
     if node_keystore_files != None and not use_separate_vc:
-        # validator_http_port_id_spec = shared_utils.new_port_spec(
-        #     vc_shared.VALIDATOR_HTTP_PORT_NUM,
-        #     shared_utils.TCP_PROTOCOL,
-        #     shared_utils.HTTP_APPLICATION_PROTOCOL,
-        # )
-        # beacon_validator_used_ports.update(
-        #     {VALIDATOR_HTTP_PORT_ID: validator_http_port_id_spec}
-        # )
-        cmd.extend(validator_flags)
+        cmd.extend(validator_default_cmd)
         files[
             VALIDATOR_KEYS_DIRPATH_ON_SERVICE_CONTAINER
         ] = node_keystore_files.files_artifact_uuid
 
+        # Keymanager is still unimplemented in grandine
+        # if keymanager_enabled:
+        #     cmd.extend(keymanager_api_cmd)
+        #     ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     if persistent:
         files[BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER] = Directory(
             persistent_key="data-{0}".format(service_name),
             size=cl_volume_size,
         )
+
     return ServiceConfig(
         image=image,
-        ports=beacon_validator_used_ports,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/cl/lighthouse/lighthouse_launcher.star

@@ -91,6 +91,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc=True,
+    keymanager_enabled=False,
 ):
     beacon_service_name = "{0}".format(service_name)
 

src/cl/lodestar/lodestar_launcher.star

@@ -80,6 +80,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc=True,
+    keymanager_enabled=False,
 ):
     beacon_service_name = "{0}".format(service_name)
     log_level = input_parser.get_client_log_level_or_default(

src/cl/nimbus/nimbus_launcher.star

@@ -102,6 +102,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc,
+    keymanager_enabled,
 ):
     beacon_service_name = "{0}".format(service_name)
 
@@ -138,6 +139,7 @@ def launch(
         plan,
         launcher.el_cl_genesis_data,
         launcher.jwt_file,
+        keymanager_enabled,
         launcher.keymanager_file,
         launcher.network,
         image,
@@ -215,6 +217,7 @@ def get_beacon_config(
     plan,
     el_cl_genesis_data,
     jwt_file,
+    keymanager_enabled,
     keymanager_file,
     network,
     image,
@@ -297,11 +300,14 @@ def get_beacon_config(
         # ^^^^^^^^^^^^^^^^^^^ METRICS CONFIG ^^^^^^^^^^^^^^^^^^^^^
     ]
 
-    validator_flags = [
+    validator_default_cmd = [
         "--validators-dir=" + validator_keys_dirpath,
         "--secrets-dir=" + validator_secrets_dirpath,
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
         "--graffiti=" + full_name,
+    ]
+
+    keymanager_api_cmd = [
         "--keymanager",
         "--keymanager-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
         "--keymanager-address=0.0.0.0",
@@ -333,23 +339,19 @@ def get_beacon_config(
         constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid,
         constants.JWT_MOUNTPOINT_ON_CLIENTS: jwt_file,
     }
-    beacon_validator_used_ports = {}
-    beacon_validator_used_ports.update(BEACON_USED_PORTS)
+    ports = {}
+    ports.update(BEACON_USED_PORTS)
     if node_keystore_files != None and not use_separate_vc:
-        validator_http_port_id_spec = shared_utils.new_port_spec(
-            vc_shared.VALIDATOR_HTTP_PORT_NUM,
-            shared_utils.TCP_PROTOCOL,
-            shared_utils.HTTP_APPLICATION_PROTOCOL,
-        )
-        beacon_validator_used_ports.update(
-            {VALIDATOR_HTTP_PORT_ID: validator_http_port_id_spec}
-        )
-        cmd.extend(validator_flags)
+        cmd.extend(validator_default_cmd)
         files[
             VALIDATOR_KEYS_MOUNTPOINT_ON_CLIENTS
         ] = node_keystore_files.files_artifact_uuid
         files[constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS] = keymanager_file
 
+        if keymanager_enabled:
+            cmd.extend(keymanager_api_cmd)
+            ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     if persistent:
         files[BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER] = Directory(
             persistent_key="data-{0}".format(service_name),
@@ -358,7 +360,7 @@ def get_beacon_config(
 
     return ServiceConfig(
         image=image,
-        ports=beacon_validator_used_ports,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/cl/prysm/prysm_launcher.star

@@ -87,6 +87,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc=True,
+    keymanager_enabled=False,
 ):
     beacon_service_name = "{0}".format(service_name)
     log_level = input_parser.get_client_log_level_or_default(

src/cl/teku/teku_launcher.star

@@ -91,6 +91,7 @@ def launch(
     global_tolerations,
     node_selectors,
     use_separate_vc,
+    keymanager_enabled,
 ):
     beacon_service_name = "{0}".format(service_name)
     log_level = input_parser.get_client_log_level_or_default(
@@ -128,6 +129,7 @@ def launch(
         plan,
         launcher.el_cl_genesis_data,
         launcher.jwt_file,
+        keymanager_enabled,
         launcher.keymanager_file,
         launcher.keymanager_p12_file,
         launcher.network,
@@ -208,6 +210,7 @@ def get_beacon_config(
     plan,
     el_cl_genesis_data,
     jwt_file,
+    keymanager_enabled,
     keymanager_file,
     keymanager_p12_file,
     network,
@@ -291,7 +294,7 @@ def get_beacon_config(
         # To enable syncing other networks too without checkpoint syncing
         "--ignore-weak-subjectivity-period-enabled=true",
     ]
-    validator_flags = [
+    validator_default_cmd = [
         "--validator-keys={0}:{1}".format(
             validator_keys_dirpath,
             validator_secrets_dirpath,
@@ -299,6 +302,9 @@ def get_beacon_config(
         "--validators-proposer-default-fee-recipient="
         + constants.VALIDATING_REWARDS_ACCOUNT,
         "--validators-graffiti=" + full_name,
+    ]
+
+    keymanager_api_cmd = [
         "--validator-api-enabled=true",
         "--validator-api-host-allowlist=*",
         "--validator-api-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
@@ -381,32 +387,29 @@ def get_beacon_config(
         constants.GENESIS_DATA_MOUNTPOINT_ON_CLIENTS: el_cl_genesis_data.files_artifact_uuid,
         constants.JWT_MOUNTPOINT_ON_CLIENTS: jwt_file,
     }
-    beacon_validator_used_ports = {}
-    beacon_validator_used_ports.update(BEACON_USED_PORTS)
+    ports = {}
+    ports.update(BEACON_USED_PORTS)
     if node_keystore_files != None and not use_separate_vc:
-        validator_http_port_id_spec = shared_utils.new_port_spec(
-            vc_shared.VALIDATOR_HTTP_PORT_NUM,
-            shared_utils.TCP_PROTOCOL,
-            shared_utils.HTTP_APPLICATION_PROTOCOL,
-        )
-        beacon_validator_used_ports.update(
-            {VALIDATOR_HTTP_PORT_ID: validator_http_port_id_spec}
-        )
-        cmd.extend(validator_flags)
+        cmd.extend(validator_default_cmd)
         files[
             VALIDATOR_KEYS_DIRPATH_ON_SERVICE_CONTAINER
         ] = node_keystore_files.files_artifact_uuid
         files[constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS] = keymanager_file
         files[constants.KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS] = keymanager_p12_file
 
+        if keymanager_enabled:
+            cmd.extend(keymanager_api_cmd)
+            ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     if persistent:
         files[BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER] = Directory(
             persistent_key="data-{0}".format(service_name),
             size=cl_volume_size,
         )
+
     return ServiceConfig(
         image=image,
-        ports=beacon_validator_used_ports,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/package_io/input_parser.star

@@ -205,6 +205,7 @@ def input_parser(plan, input_args):
                 ),
                 blobber_enabled=participant["blobber_enabled"],
                 blobber_extra_params=participant["blobber_extra_params"],
+                keymanager_enabled=participant["keymanager_enabled"],
             )
             for participant in result["participants"]
         ],
@@ -303,6 +304,7 @@ def input_parser(plan, input_args):
         ),
         global_tolerations=result["global_tolerations"],
         global_node_selectors=result["global_node_selectors"],
+        keymanager_enabled=result["keymanager_enabled"],
     )
 
 
@@ -415,6 +417,12 @@ def parse_network_params(input_args):
             if default_snooper_enabled:
                 participant["snooper_enabled"] = default_snooper_enabled
 
+        keymanager_enabled = participant["keymanager_enabled"]
+        if keymanager_enabled == False:
+            default_keymanager_enabled = result["keymanager_enabled"]
+            if default_keymanager_enabled:
+                participant["keymanager_enabled"] = default_keymanager_enabled
+
         ethereum_metrics_exporter_enabled = participant[
             "ethereum_metrics_exporter_enabled"
         ]
@@ -582,6 +590,7 @@ def default_input_args():
         "xatu_sentry_enabled": False,
         "global_tolerations": [],
         "global_node_selectors": {},
+        "keymanager_enabled": False,
     }
 
 
@@ -659,6 +668,7 @@ def default_participant():
         "blobber_enabled": False,
         "blobber_extra_params": [],
         "builder_network_params": None,
+        "keymanager_enabled": False,
     }
 
 

src/participant_network.star

@@ -39,6 +39,7 @@ def launch_participant_network(
     xatu_sentry_params,
     global_tolerations,
     global_node_selectors,
+    keymanager_enabled,
     parallel_keystore_generation=False,
 ):
     network_id = network_params.network_id
@@ -343,6 +344,7 @@ def launch_participant_network(
             participant_tolerations=participant.tolerations,
             global_tolerations=global_tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=participant.keymanager_enabled,
             network=network_params.network,
             electra_fork_epoch=network_params.electra_fork_epoch,
         )

src/vc/lighthouse.star

@@ -34,6 +34,7 @@ def get_config(
     extra_labels,
     tolerations,
     node_selectors,
+    keymanager_enabled,
     network,
     electra_fork_epoch,
 ):
@@ -64,11 +65,6 @@ def get_config(
         # "--enable-doppelganger-protection", // Disabled to not have to wait 2 epochs before validator can start
         # burn address - If unset, the validator will scream in its logs
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
-        "--http",
-        "--http-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
-        "--http-address=0.0.0.0",
-        "--http-allow-origin=*",
-        "--unencrypted-http-transport",
         # vvvvvvvvvvvvvvvvvvv PROMETHEUS CONFIG vvvvvvvvvvvvvvvvvvvvv
         "--metrics",
         "--metrics-address=0.0.0.0",
@@ -78,6 +74,14 @@ def get_config(
         "--graffiti=" + full_name,
     ]
 
+    keymanager_api_cmd = [
+        "--http",
+        "--http-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
+        "--http-address=0.0.0.0",
+        "--http-allow-origin=*",
+        "--unencrypted-http-transport",
+    ]
+
     if not (constants.NETWORK_NAME.verkle in network or electra_fork_epoch != None):
         cmd.append("--produce-block-v3")
 
@@ -90,9 +94,17 @@ def get_config(
     }
     env = {RUST_BACKTRACE_ENVVAR_NAME: RUST_FULL_BACKTRACE_KEYWORD}
     env.update(extra_env_vars)
+
+    ports = {}
+    ports.update(vc_shared.VALIDATOR_CLIENT_USED_PORTS)
+
+    if keymanager_enabled:
+        cmd.extend(keymanager_api_cmd)
+        ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     return ServiceConfig(
         image=image,
-        ports=vc_shared.VALIDATOR_CLIENT_USED_PORTS,
+        ports=ports,
         cmd=cmd,
         env_vars=env,
         files=files,

src/vc/lodestar.star

@@ -31,6 +31,7 @@ def get_config(
     extra_labels,
     tolerations,
     node_selectors,
+    keymanager_enabled,
 ):
     log_level = input_parser.get_client_log_level_or_default(
         participant_log_level, global_log_level, VERBOSITY_LEVELS
@@ -56,11 +57,6 @@ def get_config(
         "--keystoresDir=" + validator_keys_dirpath,
         "--secretsDir=" + validator_secrets_dirpath,
         "--suggestedFeeRecipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
-        "--keymanager",
-        "--keymanager.authEnabled=true",
-        "--keymanager.port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
-        "--keymanager.address=0.0.0.0",
-        "--keymanager.cors=*",
         # vvvvvvvvvvvvvvvvvvv PROMETHEUS CONFIG vvvvvvvvvvvvvvvvvvvvv
         "--metrics",
         "--metrics.address=0.0.0.0",
@@ -70,6 +66,14 @@ def get_config(
         "--useProduceBlockV3",
     ]
 
+    keymanager_api_cmd = [
+        "--keymanager",
+        "--keymanager.authEnabled=true",
+        "--keymanager.port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
+        "--keymanager.address=0.0.0.0",
+        "--keymanager.cors=*",
+    ]
+
     if len(extra_params) > 0:
         # this is a repeated<proto type>, we convert it into Starlark
         cmd.extend([param for param in extra_params])
@@ -79,9 +83,16 @@ def get_config(
         vc_shared.VALIDATOR_CLIENT_KEYS_MOUNTPOINT: node_keystore_files.files_artifact_uuid,
     }
 
+    ports = {}
+    ports.update(vc_shared.VALIDATOR_CLIENT_USED_PORTS)
+
+    if keymanager_enabled:
+        cmd.extend(keymanager_api_cmd)
+        ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     return ServiceConfig(
         image=image,
-        ports=vc_shared.VALIDATOR_CLIENT_USED_PORTS,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/vc/nimbus.star

@@ -21,6 +21,7 @@ def get_config(
     extra_labels,
     tolerations,
     node_selectors,
+    keymanager_enabled,
 ):
     validator_keys_dirpath = ""
     validator_secrets_dirpath = ""
@@ -39,11 +40,6 @@ def get_config(
         "--validators-dir=" + validator_keys_dirpath,
         "--secrets-dir=" + validator_secrets_dirpath,
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
-        "--keymanager",
-        "--keymanager-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
-        "--keymanager-address=0.0.0.0",
-        "--keymanager-allow-origin=*",
-        "--keymanager-token-file=" + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER,
         # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv
         "--metrics",
         "--metrics-address=0.0.0.0",
@@ -51,6 +47,14 @@ def get_config(
         "--graffiti=" + full_name,
     ]
 
+    keymanager_api_cmd = [
+        "--keymanager",
+        "--keymanager-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
+        "--keymanager-address=0.0.0.0",
+        "--keymanager-allow-origin=*",
+        "--keymanager-token-file=" + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER,
+    ]
+
     if len(extra_params) > 0:
         # this is a repeated<proto type>, we convert it into Starlark
         cmd.extend([param for param in extra_params])
@@ -60,9 +64,16 @@ def get_config(
         constants.KEYMANAGER_MOUNT_PATH_ON_CLIENTS: keymanager_file,
     }
 
+    ports = {}
+    ports.update(vc_shared.VALIDATOR_CLIENT_USED_PORTS)
+
+    if keymanager_enabled:
+        cmd.extend(keymanager_api_cmd)
+        ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     return ServiceConfig(
         image=image,
-        ports=vc_shared.VALIDATOR_CLIENT_USED_PORTS,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/vc/prysm.star

@@ -25,6 +25,7 @@ def get_config(
     prysm_password_artifact_uuid,
     tolerations,
     node_selectors,
+    keymanager_enabled,
 ):
     validator_keys_dirpath = shared_utils.path_join(
         vc_shared.VALIDATOR_CLIENT_KEYS_MOUNTPOINT,
@@ -49,15 +50,19 @@ def get_config(
         "--wallet-dir=" + validator_keys_dirpath,
         "--wallet-password-file=" + validator_secrets_dirpath,
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
-        "--rpc",
-        "--rpc-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
-        "--rpc-host=0.0.0.0",
         # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv
         "--disable-monitoring=false",
         "--monitoring-host=0.0.0.0",
         "--monitoring-port={0}".format(vc_shared.VALIDATOR_CLIENT_METRICS_PORT_NUM),
         # ^^^^^^^^^^^^^^^^^^^ METRICS CONFIG ^^^^^^^^^^^^^^^^^^^^^
         "--graffiti=" + full_name,
+        "--enable-beacon-rest-api",
+    ]
+
+    keymanager_api_cmd = [
+        "--rpc",
+        "--rpc-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
+        "--rpc-host=0.0.0.0",
     ]
 
     if len(extra_params) > 0:
@@ -70,9 +75,16 @@ def get_config(
         PRYSM_PASSWORD_MOUNT_DIRPATH_ON_SERVICE_CONTAINER: prysm_password_artifact_uuid,
     }
 
+    ports = {}
+    ports.update(vc_shared.VALIDATOR_CLIENT_USED_PORTS)
+
+    if keymanager_enabled:
+        cmd.extend(keymanager_api_cmd)
+        ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     return ServiceConfig(
         image=image,
-        ports=vc_shared.VALIDATOR_CLIENT_USED_PORTS,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/vc/shared.star

@@ -4,21 +4,24 @@ PRIVATE_IP_ADDRESS_PLACEHOLDER = "KURTOSIS_IP_ADDR_PLACEHOLDER"
 VALIDATOR_CLIENT_KEYS_MOUNTPOINT = "/keystores"
 
 VALIDATOR_HTTP_PORT_NUM = 5056
-VALIDATOR_HTTP_PORT_ID = "http"
+VALIDATOR_HTTP_PORT_ID = "vc-http"
 
 VALIDATOR_CLIENT_METRICS_PORT_NUM = 8080
 VALIDATOR_CLIENT_METRICS_PORT_ID = "metrics"
 METRICS_PATH = "/metrics"
 
 VALIDATOR_CLIENT_USED_PORTS = {
-    VALIDATOR_HTTP_PORT_ID: shared_utils.new_port_spec(
-        VALIDATOR_HTTP_PORT_NUM,
-        shared_utils.TCP_PROTOCOL,
-        shared_utils.HTTP_APPLICATION_PROTOCOL,
-    ),
     VALIDATOR_CLIENT_METRICS_PORT_ID: shared_utils.new_port_spec(
         VALIDATOR_CLIENT_METRICS_PORT_NUM,
         shared_utils.TCP_PROTOCOL,
         shared_utils.HTTP_APPLICATION_PROTOCOL,
     ),
 }
+
+VALIDATOR_KEYMANAGER_USED_PORTS = {
+    VALIDATOR_HTTP_PORT_ID: shared_utils.new_port_spec(
+        VALIDATOR_HTTP_PORT_NUM,
+        shared_utils.TCP_PROTOCOL,
+        shared_utils.HTTP_APPLICATION_PROTOCOL,
+    )
+}

src/vc/teku.star

@@ -22,6 +22,7 @@ def get_config(
     extra_labels,
     tolerations,
     node_selectors,
+    keymanager_enabled,
 ):
     validator_keys_dirpath = ""
     validator_secrets_dirpath = ""
@@ -48,6 +49,14 @@ def get_config(
         "--validators-proposer-default-fee-recipient="
         + constants.VALIDATING_REWARDS_ACCOUNT,
         "--validators-graffiti=" + full_name,
+        # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv
+        "--metrics-enabled=true",
+        "--metrics-host-allowlist=*",
+        "--metrics-interface=0.0.0.0",
+        "--metrics-port={0}".format(vc_shared.VALIDATOR_CLIENT_METRICS_PORT_NUM),
+    ]
+
+    keymanager_api_cmd = [
         "--validator-api-enabled=true",
         "--validator-api-host-allowlist=*",
         "--validator-api-port={0}".format(vc_shared.VALIDATOR_HTTP_PORT_NUM),
@@ -56,11 +65,6 @@ def get_config(
         + constants.KEYMANAGER_P12_MOUNT_PATH_ON_CONTAINER,
         "--validator-api-keystore-password-file="
         + constants.KEYMANAGER_MOUNT_PATH_ON_CONTAINER,
-        # vvvvvvvvvvvvvvvvvvv METRICS CONFIG vvvvvvvvvvvvvvvvvvvvv
-        "--metrics-enabled=true",
-        "--metrics-host-allowlist=*",
-        "--metrics-interface=0.0.0.0",
-        "--metrics-port={0}".format(vc_shared.VALIDATOR_CLIENT_METRICS_PORT_NUM),
     ]
 
     if len(extra_params) > 0:
@@ -74,9 +78,16 @@ def get_config(
         constants.KEYMANAGER_P12_MOUNT_PATH_ON_CLIENTS: keymanager_p12_file,
     }
 
+    ports = {}
+    ports.update(vc_shared.VALIDATOR_CLIENT_USED_PORTS)
+
+    if keymanager_enabled:
+        cmd.extend(keymanager_api_cmd)
+        ports.update(vc_shared.VALIDATOR_KEYMANAGER_USED_PORTS)
+
     return ServiceConfig(
         image=image,
-        ports=vc_shared.VALIDATOR_CLIENT_USED_PORTS,
+        ports=ports,
         cmd=cmd,
         env_vars=extra_env_vars,
         files=files,

src/vc/vc_launcher.star

@@ -46,6 +46,7 @@ def launch(
     participant_tolerations,
     global_tolerations,
     node_selectors,
+    keymanager_enabled,
     network,  # TODO: remove when deneb rebase is done
     electra_fork_epoch,  # TODO: remove when deneb rebase is done
 ):
@@ -92,6 +93,7 @@ def launch(
             extra_labels=extra_labels,
             tolerations=tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=keymanager_enabled,
             network=network,  # TODO: remove when deneb rebase is done
             electra_fork_epoch=electra_fork_epoch,  # TODO: remove when deneb rebase is done
         )
@@ -115,6 +117,7 @@ def launch(
             extra_labels=extra_labels,
             tolerations=tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=keymanager_enabled,
         )
     elif vc_type == constants.VC_TYPE.teku:
         config = teku.get_config(
@@ -136,6 +139,7 @@ def launch(
             extra_labels=extra_labels,
             tolerations=tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=keymanager_enabled,
         )
     elif vc_type == constants.VC_TYPE.nimbus:
         config = nimbus.get_config(
@@ -156,6 +160,7 @@ def launch(
             extra_labels=extra_labels,
             tolerations=tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=keymanager_enabled,
         )
     elif vc_type == constants.VC_TYPE.prysm:
         # Prysm VC only works with Prysm beacon node right now
@@ -184,6 +189,7 @@ def launch(
             prysm_password_artifact_uuid=prysm_password_artifact_uuid,
             tolerations=tolerations,
             node_selectors=node_selectors,
+            keymanager_enabled=keymanager_enabled,
         )
     elif vc_type == constants.VC_TYPE.grandine:
         fail("Grandine VC is not yet supported")
@@ -202,7 +208,11 @@ def launch(
         service_name, vc_shared.METRICS_PATH, validator_metrics_url
     )
 
-    validator_http_port = validator_service.ports[vc_shared.VALIDATOR_HTTP_PORT_ID]
+    validator_http_port = (
+        validator_service.ports[vc_shared.VALIDATOR_HTTP_PORT_ID]
+        if keymanager_enabled
+        else None
+    )
 
     return vc_context.new_vc_context(
         client_name=vc_type,