Ability to add validators with a low-watermark specified

[gg718]

It is currently possible to use the web3signer eth2 watermark-repair subcommand to specify the low-watermarks for all existing validators, but if a new validator is added before the specified epoch/slot, it will not have a low-watermark set, and you'd need to re-run the subcommand, which isn't ideal.

Would it be possible to introduce a new field in the validator YAML configuration to allow specifying the low-watermark when a validator is added? This is particularly useful while a migration or maintenance is occurring to ensure any new validators that are added do not accidentally attest before the expected epoch (similar to the scenario outlined in #696).

Alternative approach: Would it be possible to set watermarks globally (e.g. on the metadata table) and not on a per-validator basis (perhaps via the API?), to ensure Web3Signer does not perform any duties until a particular epoch has passed?

[jframe]

The validators you are adding are these new validators? Do they have any slashing protection data?

Using the keymanager import https://ethereum.github.io/keymanager-APIs/#/Local%20Key%20Manager/importKeystores to import the key along with the slashing protection data might solve the issue you are having setting a low watermark for the validator you are adding.

[gg718]

Sorry, I should have been clearer in my OP - I'm using the Remote Signer API (as described here).

Also, the validators aren't necessarily new. They may have been added to a particular Web3Signer database in the past, but have just been migrated back (e.g. between two separate data centers).

[jframe]

Could you use export the import slashing protection subcommands to export the slashing protection data and importing it into other instance? The slashing protection import will set a low waterwark for each validator individually based on the slashing protection export data.

The watermark repair command is designed as a fail-safe if for whatever reason you are unable to access your slashing protection data. If you slashing protection data you should be using that.

[gg718]

I'm using the Web3signer API to add and remove keys programatically.

The problem with the import/export subcommands is that I don't want to move all keys, but only a subset to redistribute/rebalance the keys between data centers, while at the same time minimizing downtime on the keys not being moved.

Is it possible to enable importing and exporting the slashing protection db via the API perhaps? The ideal situation would be to allow the exporting of specific keys rather than the entire database each time.