Skip to content

Commit

Permalink
fix: include OCR secrets as part of deployment.Environment (#15470)
Browse files Browse the repository at this point in the history
There are many cases where a changeset requires access to the OCR secrets and because it is not accessible via `deployment.Environment`, users are left no choice but to pass secrets as config in a changesets.
By plumbing OCR secrets in `deployment.Environment`, user will no longer need to do the workaround.

Update code to use OCR secrets from the env instead of from requests.

JIRA: https://smartcontract-it.atlassian.net/browse/DPA-1357
  • Loading branch information
graham-chainlink authored Dec 9, 2024
1 parent 077971e commit e8b68e4
Show file tree
Hide file tree
Showing 21 changed files with 60 additions and 62 deletions.
5 changes: 5 additions & 0 deletions .changeset/hot-islands-dress.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"chainlink": patch
---

#internal refactor: inject ocr secrets via env instead of config
3 changes: 1 addition & 2 deletions core/scripts/keystone/src/88_gen_ocr3_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,8 @@ func mustReadConfig(fileName string) (output ksdeploy.TopLevelConfigSource) {
func generateOCR3Config(nodeList string, configFile string, chainID int64, pubKeysPath string) ksdeploy.OCR2OracleConfig {
topLevelCfg := mustReadConfig(configFile)
cfg := topLevelCfg.OracleConfig
cfg.OCRSecrets = deployment.XXXGenerateTestOCRSecrets()
nca := downloadNodePubKeys(nodeList, chainID, pubKeysPath)
c, err := ksdeploy.GenerateOCR3Config(cfg, nca)
c, err := ksdeploy.GenerateOCR3Config(cfg, nca, deployment.XXXGenerateTestOCRSecrets())
helpers.PanicErr(err)
return c
}
2 changes: 1 addition & 1 deletion deployment/ccip/changeset/cs_active_candidate.go
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ func SetCandidatePluginChangeset(
}

newDONArgs, err := internal.BuildOCR3ConfigForCCIPHome(
cfg.OCRSecrets,
e.OCRSecrets,
state.Chains[cfg.NewChainSelector].OffRamp,
e.Chains[cfg.NewChainSelector],
nodes.NonBootstraps(),
Expand Down
2 changes: 1 addition & 1 deletion deployment/ccip/changeset/cs_active_candidate_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ func TestActiveCandidate(t *testing.T) {
nil,
)
ocr3ConfigMap, err := internal.BuildOCR3ConfigForCCIPHome(
deployment.XXXGenerateTestOCRSecrets(),
e.OCRSecrets,
state.Chains[tenv.FeedChainSel].OffRamp,
e.Chains[tenv.FeedChainSel],
nodes.NonBootstraps(),
Expand Down
6 changes: 3 additions & 3 deletions deployment/ccip/changeset/cs_add_chain.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (

"github.com/smartcontractkit/chainlink-ccip/chainconfig"
"github.com/smartcontractkit/chainlink-ccip/pkg/types/ccipocr3"

"github.com/smartcontractkit/chainlink/deployment/ccip/changeset/internal"
"github.com/smartcontractkit/chainlink/deployment/common/proposalutils"
"github.com/smartcontractkit/chainlink/v2/core/capabilities/ccip/types"
Expand Down Expand Up @@ -142,7 +143,6 @@ type AddDonAndSetCandidateChangesetConfig struct {
PluginType types.PluginType
NodeIDs []string
CCIPOCRParams CCIPOCRParams
OCRSecrets deployment.OCRSecrets
}

func (a AddDonAndSetCandidateChangesetConfig) Validate(e deployment.Environment, state CCIPOnChainState) (deployment.Nodes, error) {
Expand Down Expand Up @@ -191,7 +191,7 @@ func (a AddDonAndSetCandidateChangesetConfig) Validate(e deployment.Environment,
return nil, fmt.Errorf("invalid ccip ocr params: %w", err)
}

if a.OCRSecrets.IsEmpty() {
if e.OCRSecrets.IsEmpty() {
return nil, fmt.Errorf("OCR secrets must be set")
}

Expand All @@ -215,7 +215,7 @@ func AddDonAndSetCandidateChangeset(
}

newDONArgs, err := internal.BuildOCR3ConfigForCCIPHome(
cfg.OCRSecrets,
e.OCRSecrets,
state.Chains[cfg.NewChainSelector].OffRamp,
e.Chains[cfg.NewChainSelector],
nodes.NonBootstraps(),
Expand Down
3 changes: 0 additions & 3 deletions deployment/ccip/changeset/cs_add_chain_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,6 @@ func TestAddChainInbound(t *testing.T) {
HomeChainSel: e.HomeChainSel,
FeedChainSel: e.FeedChainSel,
ChainConfigByChain: chainConfig,
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
})
require.NoError(t, err)

Expand Down Expand Up @@ -191,7 +190,6 @@ func TestAddChainInbound(t *testing.T) {
NewChainSelector: newChain,
PluginType: types.PluginTypeCCIPCommit,
NodeIDs: nodeIDs,
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
CCIPOCRParams: DefaultOCRParams(
e.FeedChainSel,
tokenConfig.GetTokenInfo(logger.TestLogger(t), state.Chains[newChain].LinkToken, state.Chains[newChain].Weth9),
Expand All @@ -207,7 +205,6 @@ func TestAddChainInbound(t *testing.T) {
NewChainSelector: newChain,
PluginType: types.PluginTypeCCIPExec,
NodeIDs: nodeIDs,
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
CCIPOCRParams: DefaultOCRParams(
e.FeedChainSel,
tokenConfig.GetTokenInfo(logger.TestLogger(t), state.Chains[newChain].LinkToken, state.Chains[newChain].Weth9),
Expand Down
8 changes: 2 additions & 6 deletions deployment/ccip/changeset/cs_initial_add_chain.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,6 @@ type NewChainsConfig struct {
// Common to all chains
HomeChainSel uint64
FeedChainSel uint64
OCRSecrets deployment.OCRSecrets
// Per chain config
ChainConfigByChain map[uint64]CCIPOCRParams
}
Expand All @@ -96,9 +95,6 @@ func (c NewChainsConfig) Validate() error {
if err := deployment.IsValidChainSelector(c.FeedChainSel); err != nil {
return fmt.Errorf("invalid feed chain selector: %d - %w", c.FeedChainSel, err)
}
if c.OCRSecrets.IsEmpty() {
return fmt.Errorf("no OCR secrets provided")
}
// Validate chain config
for chain, cfg := range c.ChainConfigByChain {
if err := cfg.Validate(); err != nil {
Expand Down Expand Up @@ -166,7 +162,7 @@ func configureChain(
e deployment.Environment,
c NewChainsConfig,
) error {
if c.OCRSecrets.IsEmpty() {
if e.OCRSecrets.IsEmpty() {
return fmt.Errorf("OCR secrets are empty")
}
nodes, err := deployment.NodeInfo(e.NodeIDs, e.Offchain)
Expand Down Expand Up @@ -217,7 +213,7 @@ func configureChain(
// For each chain, we create a DON on the home chain (2 OCR instances)
if err := addDON(
e.Logger,
c.OCRSecrets,
e.OCRSecrets,
capReg,
ccipHome,
rmnHome.Address(),
Expand Down
1 change: 0 additions & 1 deletion deployment/ccip/changeset/test_helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -379,7 +379,6 @@ func NewMemoryEnvironmentWithJobsAndContracts(t *testing.T, lggr logger.Logger,
Config: NewChainsConfig{
HomeChainSel: e.HomeChainSel,
FeedChainSel: e.FeedChainSel,
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
ChainConfigByChain: chainConfigs,
},
},
Expand Down
1 change: 1 addition & 0 deletions deployment/common/changeset/test_helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@ func ApplyChangesets(t *testing.T, e deployment.Environment, timelocksPerChain m
Chains: e.Chains,
NodeIDs: e.NodeIDs,
Offchain: e.Offchain,
OCRSecrets: e.OCRSecrets,
}
}
return currentEnv, nil
Expand Down
3 changes: 3 additions & 0 deletions deployment/environment.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ type Environment struct {
NodeIDs []string
Offchain OffchainClient
GetContext func() context.Context
OCRSecrets OCRSecrets
}

func NewEnvironment(
Expand All @@ -108,6 +109,7 @@ func NewEnvironment(
nodeIDs []string,
offchain OffchainClient,
ctx func() context.Context,
secrets OCRSecrets,
) *Environment {
return &Environment{
Name: name,
Expand All @@ -117,6 +119,7 @@ func NewEnvironment(
NodeIDs: nodeIDs,
Offchain: offchain,
GetContext: ctx,
OCRSecrets: secrets,
}
}

Expand Down
1 change: 1 addition & 0 deletions deployment/environment/devenv/environment.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,5 +52,6 @@ func NewEnvironment(ctx func() context.Context, lggr logger.Logger, config Envir
nodeIDs,
offChain,
ctx,
deployment.XXXGenerateTestOCRSecrets(),
), jd.don, nil
}
2 changes: 2 additions & 0 deletions deployment/environment/memory/environment.go
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ func NewMemoryEnvironmentFromChainsNodes(
nodeIDs, // Note these have the p2p_ prefix.
NewMemoryJobClient(nodes),
ctx,
deployment.XXXGenerateTestOCRSecrets(),
)
}

Expand All @@ -161,5 +162,6 @@ func NewMemoryEnvironment(t *testing.T, lggr logger.Logger, logLevel zapcore.Lev
nodeIDs,
NewMemoryJobClient(nodes),
func() context.Context { return tests.Context(t) },
deployment.XXXGenerateTestOCRSecrets(),
)
}
3 changes: 2 additions & 1 deletion deployment/keystone/changeset/configure_contracts.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"

"github.com/smartcontractkit/chainlink-common/pkg/logger"

"github.com/smartcontractkit/chainlink/deployment"
kslib "github.com/smartcontractkit/chainlink/deployment/keystone"
)
Expand All @@ -14,7 +15,7 @@ var _ deployment.ChangeSet[InitialContractsCfg] = ConfigureInitialContractsChang
type InitialContractsCfg struct {
RegistryChainSel uint64
Dons []kslib.DonCapabilities
OCR3Config *kslib.OracleConfigWithSecrets
OCR3Config *kslib.OracleConfig
}

func ConfigureInitialContractsChangeset(e deployment.Environment, cfg InitialContractsCfg) (deployment.ChangesetOutput, error) {
Expand Down
3 changes: 2 additions & 1 deletion deployment/keystone/changeset/deploy_ocr3.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"io"

"github.com/smartcontractkit/ccip-owner-contracts/pkg/proposal/timelock"

"github.com/smartcontractkit/chainlink/deployment"
kslib "github.com/smartcontractkit/chainlink/deployment/keystone"
)
Expand Down Expand Up @@ -33,7 +34,7 @@ var _ deployment.ChangeSet[ConfigureOCR3Config] = ConfigureOCR3Contract
type ConfigureOCR3Config struct {
ChainSel uint64
NodeIDs []string
OCR3Config *kslib.OracleConfigWithSecrets
OCR3Config *kslib.OracleConfig
DryRun bool
WriteGeneratedConfig io.Writer // if not nil, write the generated config to this writer as JSON [OCR2OracleConfig]

Expand Down
11 changes: 4 additions & 7 deletions deployment/keystone/changeset/deploy_ocr3_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import (

"github.com/smartcontractkit/ccip-owner-contracts/pkg/gethwrappers"
"github.com/smartcontractkit/chainlink-common/pkg/logger"
"github.com/smartcontractkit/chainlink/deployment"

commonchangeset "github.com/smartcontractkit/chainlink/deployment/common/changeset"
"github.com/smartcontractkit/chainlink/deployment/environment/memory"
kslib "github.com/smartcontractkit/chainlink/deployment/keystone"
Expand Down Expand Up @@ -48,12 +48,9 @@ func TestConfigureOCR3(t *testing.T) {
t.Parallel()
lggr := logger.Test(t)

c := kslib.OracleConfigWithSecrets{
OracleConfig: kslib.OracleConfig{
MaxFaultyOracles: 1,
DeltaProgressMillis: 12345,
},
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
c := kslib.OracleConfig{
MaxFaultyOracles: 1,
DeltaProgressMillis: 12345,
}

t.Run("no mcms", func(t *testing.T) {
Expand Down
17 changes: 7 additions & 10 deletions deployment/keystone/changeset/helpers_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,19 @@ import (
"encoding/hex"
"errors"
"fmt"
"math"
"math/big"
"sort"

"math"
"testing"

"github.com/smartcontractkit/ccip-owner-contracts/pkg/gethwrappers"
"github.com/smartcontractkit/chainlink-common/pkg/logger"
"github.com/smartcontractkit/chainlink-common/pkg/utils/tests"
"github.com/smartcontractkit/chainlink-protos/job-distributor/v1/node"
"github.com/stretchr/testify/require"
"go.uber.org/zap/zapcore"
"golang.org/x/exp/maps"

"github.com/smartcontractkit/chainlink/deployment"
commonchangeset "github.com/smartcontractkit/chainlink/deployment/common/changeset"
commontypes "github.com/smartcontractkit/chainlink/deployment/common/types"
Expand All @@ -26,9 +29,6 @@ import (
kschangeset "github.com/smartcontractkit/chainlink/deployment/keystone/changeset"
kcr "github.com/smartcontractkit/chainlink/v2/core/gethwrappers/keystone/generated/capabilities_registry"
"github.com/smartcontractkit/chainlink/v2/core/services/keystore/keys/p2pkey"
"github.com/stretchr/testify/require"
"go.uber.org/zap/zapcore"
"golang.org/x/exp/maps"
)

func TestSetupTestEnv(t *testing.T) {
Expand Down Expand Up @@ -215,11 +215,8 @@ func SetupTestEnv(t *testing.T, c TestConfig) TestEnv {
err = env.ExistingAddresses.Merge(e.ExistingAddresses)
require.NoError(t, err)

var ocr3Config = keystone.OracleConfigWithSecrets{
OracleConfig: keystone.OracleConfig{
MaxFaultyOracles: len(wfNodes) / 3,
},
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
var ocr3Config = keystone.OracleConfig{
MaxFaultyOracles: len(wfNodes) / 3,
}
var allDons = []keystone.DonCapabilities{wfDon, cwDon, assetDon}

Expand Down
10 changes: 6 additions & 4 deletions deployment/keystone/deploy.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,8 @@ type ConfigureContractsRequest struct {
RegistryChainSel uint64
Env *deployment.Environment

Dons []DonCapabilities // externally sourced based on the environment
OCR3Config *OracleConfigWithSecrets // TODO: probably should be a map of don to config; but currently we only have one wf don therefore one config
Dons []DonCapabilities // externally sourced based on the environment
OCR3Config *OracleConfig // TODO: probably should be a map of don to config; but currently we only have one wf don therefore one config

// TODO rm this option; unused
DoContractDeploy bool // if false, the contracts are assumed to be deployed and the address book is used
Expand Down Expand Up @@ -304,7 +304,7 @@ func ConfigureRegistry(ctx context.Context, lggr logger.Logger, req ConfigureCon

// Depreciated: use changeset.ConfigureOCR3Contract instead
// ocr3 contract on the registry chain for the wf dons
func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []RegisteredDon, cfg *OracleConfigWithSecrets) error {
func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []RegisteredDon, cfg *OracleConfig) error {
registryChain, ok := env.Chains[chainSel]
if !ok {
return fmt.Errorf("chain %d not found in environment", chainSel)
Expand Down Expand Up @@ -338,6 +338,7 @@ func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []
contract: contract,
nodes: don.Nodes,
contractSet: &contracts,
ocrSecrets: env.OCRSecrets,
})
if err != nil {
return fmt.Errorf("failed to configure OCR3 contract for don %s: %w", don.Name, err)
Expand All @@ -354,7 +355,7 @@ type ConfigureOCR3Resp struct {
type ConfigureOCR3Config struct {
ChainSel uint64
NodeIDs []string
OCR3Config *OracleConfigWithSecrets
OCR3Config *OracleConfig
DryRun bool

UseMCMS bool
Expand Down Expand Up @@ -398,6 +399,7 @@ func ConfigureOCR3ContractFromJD(env *deployment.Environment, cfg ConfigureOCR3C
dryRun: cfg.DryRun,
contractSet: &contracts,
useMCMS: cfg.UseMCMS,
ocrSecrets: env.OCRSecrets,
})
if err != nil {
return nil, err
Expand Down
8 changes: 3 additions & 5 deletions deployment/keystone/deploy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ func TestDeployCLO(t *testing.T) {
Offchain: clo.NewJobClient(lggr, clo.JobClientConfig{Nops: allNops}),
Chains: allChains,
Logger: lggr,
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
}
// assume that all the nodes in the provided input nops are part of the don
for _, nop := range allNops {
Expand All @@ -119,11 +120,8 @@ func TestDeployCLO(t *testing.T) {
registryChainSel, err := chainsel.SelectorFromChainId(11155111)
require.NoError(t, err)

var ocr3Config = keystone.OracleConfigWithSecrets{
OracleConfig: keystone.OracleConfig{
MaxFaultyOracles: len(wfNops) / 3,
},
OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
var ocr3Config = keystone.OracleConfig{
MaxFaultyOracles: len(wfNops) / 3,
}

ctx := tests.Context(t)
Expand Down
Loading

0 comments on commit e8b68e4

Please sign in to comment.