extract bootstrap secrets to env vars #1234

Open. nicolasgnr wants to merge 2 commits into main from nm/extract-bootstrap-secrets-to-env-vars
nicolasgnr commented Jul 3, 2026

Summary

This PR adds support for resolving sensitive configuration values from environment variables instead of requiring them to be stored in the TOML configuration file bootstrap.toml.

Specifically, the database URL and keystore password can now be provided via environment variables, making it easier to manage secrets securely. If both a value and its corresponding environment variable are configured, the value defined in the configuration file takes precedence.

Changes

  • Added GetURL() to DBConfig to resolve the database URL from either:

    • URL (highest precedence)
    • URLEnvVar
  • Added GetPassword() to KeystoreConfig to resolve the keystore password from either:

    • Password (highest precedence)
    • PasswordEnvVar
  • Refactored validation to use the new getter methods, centralizing configuration resolution and removing duplicated logic.

  • Updated the bootstrap flow to use the new resolution methods.

  • Added comprehensive tests covering:

    • Direct configuration values
    • Configuration precedence over environment variables
    • Environment variable fallback
    • Missing environment variables
    • Missing configuration from both sources

Motivation

Secrets such as database credentials and keystore passwords should not be committed to or stored in plaintext configuration files. This change allows deployments to inject these values securely through environment variables while maintaining backward compatibility with existing configurations.

This allows us to move from

[jd]
server_wsrpc_url = "wsrpc-job-distributor.sh"
server_csa_public_key = "41dcc9f2d7....."

[keystore]
password = "sensitive info"

[db]
url = "sensitive info"

[server]
listen_port = 8080

to

[jd]
server_wsrpc_url = "wsrpc-job-distributor.sh"
server_csa_public_key = "41dcc9f2d7....."

[keystore]
password_env_var = "KEYSTORE_PASSOWORD_ENV_VAR"

[db]
url_env_var = "CL_DATABASE_URL"

[server]
listen_port = 8080

This change is fully backward compatible. Existing configurations that specify password and url directly continue to work unchanged.

In the future, once everything has migrated, we can remove the plaintext secret fields from the configuration, making environment variables the only supported mechanism for supplying sensitive values.

@nicolasgnr nicolasgnr requested a review from a team as a code owner July 3, 2026 18:38
Copilot AI review requested due to automatic review settings July 3, 2026 18:38
github-actions Bot commented Jul 3, 2026

👋 nicolasgnr, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

Copilot AI left a comment

Pull request overview

Adds support in the bootstrapper configuration layer to resolve sensitive values (DB URL, keystore password) from environment variables with explicit precedence for values set directly in bootstrap.toml.

Changes:

  • Introduced KeystoreConfig.GetPassword() and DBConfig.GetURL() to centralize precedence/lookup logic (direct value > env var).
  • Refactored validation to use the new getters and updated bootstrap startup to consume resolved values.
  • Added unit tests covering direct values, precedence, env var fallback, and error cases.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File | Description
bootstrap/config.go | Adds env-var-backed getters for keystore password and DB URL; updates validation to call getters.
bootstrap/config_test.go | Adds tests for the new getters and extends validation tests (though additional env-var validation cases are still needed).
bootstrap/bootstrap.go | Updates JD lifecycle startup to resolve DB URL and keystore password via the new getter methods.
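
The precedence rule described in the PR summary and in the review overview above (direct value first, then the named environment variable), as an added Go sketch that is not the PR's actual code. Only the type, field and method names come from the page; the `(string, error)` signatures, the `resolveSecret` helper, `ErrSecretNotConfigured`, the treatment of an empty variable as missing, and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Type, field and method names follow the PR description; bodies are assumed.
type DBConfig struct {
	URL       string // plaintext value in bootstrap.toml (legacy path)
	URLEnvVar string // name of the env var that holds the URL
}
type KeystoreConfig struct {
	Password       string
	PasswordEnvVar string
}

var ErrSecretNotConfigured = errors.New("secret not configured")

// resolveSecret is a hypothetical helper: the direct value wins, then the env var.
// Errors name the field and the variable, never the secret value itself.
func resolveSecret(field, direct, envVar string) (string, error) {
	if direct != "" {
		return direct, nil
	}
	if envVar == "" {
		return "", fmt.Errorf("%s: %w (set the value or its env var name)", field, ErrSecretNotConfigured)
	}
	v, ok := os.LookupEnv(envVar)
	if !ok || v == "" { // assumption: an empty variable counts as missing
		return "", fmt.Errorf("%s: env var %q is unset or empty", field, envVar)
	}
	return v, nil
}

func (c DBConfig) GetURL() (string, error) {
	return resolveSecret("db.url", c.URL, c.URLEnvVar)
}

func (c KeystoreConfig) GetPassword() (string, error) {
	return resolveSecret("keystore.password", c.Password, c.PasswordEnvVar)
}

func main() {
	os.Setenv("CL_DATABASE_URL", "postgres://constructed-example") // constructed sample value
	url, err := DBConfig{URLEnvVar: "CL_DATABASE_URL"}.GetURL()
	fmt.Println(url != "", err) // report presence only, never print the secret
}
```

Routing both getters through one helper keeps the precedence and the error wording identical for every secret, so validation and startup cannot disagree about which source was used.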

bukata-sa previously approved these changes Jul 3, 2026
github-actions Bot commented Jul 3, 2026

Code coverage report:

Package | main | nm/extract-bootstrap-secrets-to-env-vars | Diff
github.com/smartcontractkit/chainlink-ccv/aggregator | 49.57% | 49.57% | +0.00%
github.com/smartcontractkit/chainlink-ccv/bootstrap | 45.80% | 55.97% | +10.17% 🎉
github.com/smartcontractkit/chainlink-ccv/cli | 65.13% | 65.13% | +0.00%
github.com/smartcontractkit/chainlink-ccv/cmd | 13.55% | 13.55% | +0.00%
github.com/smartcontractkit/chainlink-ccv/common | 51.82% | 51.82% | +0.00%
github.com/smartcontractkit/chainlink-ccv/executor | 46.47% | 46.47% | +0.00%
github.com/smartcontractkit/chainlink-ccv/indexer | 35.55% | 35.55% | +0.00%
github.com/smartcontractkit/chainlink-ccv/integration | 46.16% | 46.25% | +0.09%
github.com/smartcontractkit/chainlink-ccv/pkg | 100.00% | 100.00% | +0.00%
github.com/smartcontractkit/chainlink-ccv/pricer | 0.00% | 0.00% | +0.00%
github.com/smartcontractkit/chainlink-ccv/protocol | 63.06% | 62.97% | -0.09%
github.com/smartcontractkit/chainlink-ccv/verifier | 35.17% | 35.17% | +0.00%
Total | 46.60% | 46.70% | +0.10%

@nicolasgnr nicolasgnr enabled auto-merge July 3, 2026 21:00