WIP

Author: cedric-cordenier

.gitignore

@@ -32,6 +32,7 @@ tools/clroot/db.sqlite3-wal
 debug.env
 operator_ui/install
 .devenv
+CLAUDE.md
 
 # neovim
 .nvim.lua

core/cmd/shell_local.go

@@ -37,6 +37,7 @@ import (
 	evmtypes "github.com/smartcontractkit/chainlink-evm/pkg/types"
 
 	"github.com/smartcontractkit/chainlink/v2/core/build"
+	"github.com/smartcontractkit/chainlink/v2/core/config"
 	"github.com/smartcontractkit/chainlink/v2/core/logger"
 	"github.com/smartcontractkit/chainlink/v2/core/services/keystore"
 	"github.com/smartcontractkit/chainlink/v2/core/services/keystore/chaintype"
@@ -317,6 +318,27 @@ func (s *Shell) RunNode(c *cli.Context) error {
 	return nil
 }
 
+type ks[K any] interface {
+	Import(ctx context.Context, keyJSON []byte, password string) (K, error)
+}
+
+func importKeyIfProvided[K any](ctx context.Context, lggr logger.Logger, keyType string, importableKey config.ImportableKey, k ks[K]) error {
+	if importableKey.JSON() == "" {
+		return nil
+	}
+
+	lggr.Debugf("Importing %s %s", keyType, importableKey.JSON())
+	_, err := k.Import(ctx, []byte(importableKey.JSON()), importableKey.Password())
+	if errors.Is(err, keystore.ErrKeyExists) {
+		lggr.Debugf("%s key already exists %s", keyType, importableKey.JSON())
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("error importing %s key: %w", keyType, err)
+	}
+
+	return nil
+}
+
 func (s *Shell) runNode(c *cli.Context) error {
 	ctx := s.ctx()
 	lggr := logger.Sugared(s.Logger.Named("RunNode"))
@@ -423,6 +445,11 @@ func (s *Shell) runNode(c *cli.Context) error {
 		}
 	}
 	if s.Config.OCR2().Enabled() {
+		err2 := importKeyIfProvided(rootCtx, lggr, "OCR2Key", s.Config.ImportedOCR2Key(), app.GetKeyStore().OCR2())
+		if err2 != nil {
+			return s.errorOut(err2)
+		}
+
 		var enabledChains []chaintype.ChainType
 		if s.Config.EVMEnabled() {
 			enabledChains = append(enabledChains, chaintype.EVM)
@@ -448,23 +475,19 @@ func (s *Shell) runNode(c *cli.Context) error {
 		if s.Config.SuiEnabled() {
 			enabledChains = append(enabledChains, chaintype.Sui)
 		}
-		err2 := app.GetKeyStore().OCR2().EnsureKeys(rootCtx, enabledChains...)
+		err2 = app.GetKeyStore().OCR2().EnsureKeys(rootCtx, enabledChains...)
 		if err2 != nil {
 			return fmt.Errorf("failed to ensure ocr key: %w", err2)
 		}
 	}
 
 	if s.Config.P2P().Enabled() {
-		if s.Config.ImportedP2PKey().JSON() != "" {
-			lggr.Debugf("Importing p2p key %s", s.Config.ImportedP2PKey().JSON())
-			_, err2 := app.GetKeyStore().P2P().Import(rootCtx, []byte(s.Config.ImportedP2PKey().JSON()), s.Config.ImportedP2PKey().Password())
-			if errors.Is(err2, keystore.ErrKeyExists) {
-				lggr.Debugf("P2P key already exists %s", s.Config.ImportedP2PKey().JSON())
-			} else if err2 != nil {
-				return s.errorOut(fmt.Errorf("error importing p2p key: %w", err2))
-			}
+		err2 := importKeyIfProvided(rootCtx, lggr, "P2P", s.Config.ImportedP2PKey(), app.GetKeyStore().P2P())
+		if err2 != nil {
+			return s.errorOut(err2)
 		}
-		err2 := app.GetKeyStore().P2P().EnsureKey(rootCtx)
+
+		err2 = app.GetKeyStore().P2P().EnsureKey(rootCtx)
 		if err2 != nil {
 			return fmt.Errorf("failed to ensure p2p key: %w", err2)
 		}
@@ -525,17 +548,12 @@ func (s *Shell) runNode(c *cli.Context) error {
 		}
 	}
 	if s.Config.CRE().EnableDKGRecipient() {
-		if s.Config.ImportedDKGRecipientKey().JSON() != "" {
-			lggr.Debugf("Importing DKG recipient key %s", s.Config.ImportedDKGRecipientKey().JSON())
-			_, err2 := app.GetKeyStore().DKGRecipient().Import(rootCtx, []byte(s.Config.ImportedDKGRecipientKey().JSON()), s.Config.ImportedDKGRecipientKey().Password())
-			if errors.Is(err2, keystore.ErrKeyExists) {
-				lggr.Debugf("DKG recipient key already exists %s", s.Config.ImportedDKGRecipientKey().JSON())
-			} else if err2 != nil {
-				return s.errorOut(fmt.Errorf("error importing dkg recipient key: %w", err2))
-			}
+		err2 := importKeyIfProvided(rootCtx, lggr, "DKG Recipient", s.Config.ImportedDKGRecipientKey(), app.GetKeyStore().DKGRecipient())
+		if err2 != nil {
+			return s.errorOut(err2)
 		}
 
-		err2 := app.GetKeyStore().DKGRecipient().EnsureKey(rootCtx)
+		err2 = app.GetKeyStore().DKGRecipient().EnsureKey(rootCtx)
 		if err2 != nil {
 			return fmt.Errorf("failed to ensure dkg recipient key: %w", err2)
 		}
@@ -546,6 +564,11 @@ func (s *Shell) runNode(c *cli.Context) error {
 		return fmt.Errorf("failed to ensure workflow key: %w", err2)
 	}
 
+	err2 = importKeyIfProvided(rootCtx, lggr, "CSA", s.Config.ImportedCSAKey(), app.GetKeyStore().CSA())
+	if err2 != nil {
+		return s.errorOut(err2)
+	}
+
 	err2 = app.GetKeyStore().CSA().EnsureKey(rootCtx)
 	if err2 != nil {
 		return fmt.Errorf("failed to ensure CSA key: %w", err2)

core/config/toml/types.go

@@ -146,6 +146,8 @@ type Secrets struct {
 
 	P2PKey          P2PKey          `toml:",omitempty"`
 	DKGRecipientKey DKGRecipientKey `toml:",omitempty"`
+	CSAKey          CSAKey          `toml:",omitempty"`
+	OCR2Key         OCR2Key         `toml:",omitempty"`
 
 	CRE CreSecrets `toml:",omitempty"`
 	CCV CCVSecrets `toml:",omitempty"`
@@ -496,6 +498,78 @@ func (p *DKGRecipientKey) ValidateConfig() (err error) {
 	return err
 }
 
+type CSAKey struct {
+	JSON     *models.Secret
+	Password *models.Secret
+}
+
+func (p *CSAKey) SetFrom(f *CSAKey) (err error) {
+	err = p.validateMerge(f)
+	if err != nil {
+		return err
+	}
+	if v := f.JSON; v != nil {
+		p.JSON = v
+	}
+	if v := f.Password; v != nil {
+		p.Password = v
+	}
+	return nil
+}
+
+func (p *CSAKey) validateMerge(f *CSAKey) (err error) {
+	if p.JSON != nil && f.JSON != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "JSON"})
+	}
+	if p.Password != nil && f.Password != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "Password"})
+	}
+	return err
+}
+
+func (p *CSAKey) ValidateConfig() (err error) {
+	if (p.JSON != nil) != (p.Password != nil) {
+		err = errors.Join(err, configutils.ErrInvalid{Name: "CSAKey", Value: p.JSON, Msg: "all fields must be nil or non-nil"})
+	}
+	return err
+}
+
+type OCR2Key struct {
+	JSON     *models.Secret
+	Password *models.Secret
+}
+
+func (p *OCR2Key) SetFrom(f *OCR2Key) (err error) {
+	err = p.validateMerge(f)
+	if err != nil {
+		return err
+	}
+	if v := f.JSON; v != nil {
+		p.JSON = v
+	}
+	if v := f.Password; v != nil {
+		p.Password = v
+	}
+	return nil
+}
+
+func (p *OCR2Key) validateMerge(f *OCR2Key) (err error) {
+	if p.JSON != nil && f.JSON != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "JSON"})
+	}
+	if p.Password != nil && f.Password != nil {
+		err = errors.Join(err, configutils.ErrOverride{Name: "Password"})
+	}
+	return err
+}
+
+func (p *OCR2Key) ValidateConfig() (err error) {
+	if (p.JSON != nil) != (p.Password != nil) {
+		err = errors.Join(err, configutils.ErrInvalid{Name: "OCR2Key", Value: p.JSON, Msg: "all fields must be nil or non-nil"})
+	}
+	return err
+}
+
 type Passwords struct {
 	Keystore *models.Secret
 	VRF      *models.Secret

core/services/chainlink/config_general.go

@@ -573,6 +573,14 @@ func (g *generalConfig) ImportedP2PKey() coreconfig.ImportableKey {
 	return &importedP2PKeyConfig{s: g.secrets.P2PKey}
 }
 
+func (g *generalConfig) ImportedCSAKey() coreconfig.ImportableKey {
+	return &importedCSAKeyConfig{s: g.secrets.CSAKey}
+}
+
+func (g *generalConfig) ImportedOCR2Key() coreconfig.ImportableKey {
+	return &importedOCR2KeyConfig{s: g.secrets.OCR2Key}
+}
+
 func (g *generalConfig) Tracing() coreconfig.Tracing {
 	return &tracingConfig{s: g.c.Tracing}
 }

core/services/chainlink/config_imported_csa_key.go

@@ -0,0 +1,21 @@
+package chainlink
+
+import "github.com/smartcontractkit/chainlink/v2/core/config/toml"
+
+type importedCSAKeyConfig struct {
+	s toml.CSAKey
+}
+
+func (t *importedCSAKeyConfig) JSON() string {
+	if t.s.JSON == nil {
+		return ""
+	}
+	return string(*t.s.JSON)
+}
+
+func (t *importedCSAKeyConfig) Password() string {
+	if t.s.Password == nil {
+		return ""
+	}
+	return string(*t.s.Password)
+}

core/services/chainlink/config_imported_ocr2_key.go

@@ -0,0 +1,21 @@
+package chainlink
+
+import "github.com/smartcontractkit/chainlink/v2/core/config/toml"
+
+type importedOCR2KeyConfig struct {
+	s toml.OCR2Key
+}
+
+func (t *importedOCR2KeyConfig) JSON() string {
+	if t.s.JSON == nil {
+		return ""
+	}
+	return string(*t.s.JSON)
+}
+
+func (t *importedOCR2KeyConfig) Password() string {
+	if t.s.Password == nil {
+		return ""
+	}
+	return string(*t.s.Password)
+}

core/services/chainlink/mocks/general_config.go

@@ -30,4 +30,6 @@ type ImportedSecretConfig interface {
 	ImportedEthKeys() coreconfig.ImportableChainKeyLister
 	ImportedSolKeys() coreconfig.ImportableChainKeyLister
 	ImportedDKGRecipientKey() coreconfig.ImportableKey
+	ImportedCSAKey() coreconfig.ImportableKey
+	ImportedOCR2Key() coreconfig.ImportableKey
 }