feature: implements config loading from env and file (#258)

This PR implements the config loading from a file and env vars. It
provides 3 loading methods:

- Load(filePath string) - Loads the config from the file path, with env
var fallback.
- LoadFile(filePath string) - Loads the config from the file path.
- LoadEnv() - Loads the config from the env vars.

Under the hood, it uses the viper library to load the config from the
file and env vars.

Author: jkongie

.changeset/tiny-paws-visit.md

@@ -0,0 +1,5 @@
+---
+"chainlink-deployments-framework": minor
+---
+
+Adds configuration loading to the CLD engine

deployment/ocr_secrets.go

@@ -1,6 +1,15 @@
 package deployment
 
-import "github.com/ethereum/go-ethereum/crypto"
+import (
+	"errors"
+
+	"github.com/ethereum/go-ethereum/crypto"
+)
+
+var (
+	// ErrMnemonicRequired is returned when the OCR mnemonic is not set
+	ErrMnemonicRequired = errors.New("xsigners or xproposers required")
+)
 
 // OCRSecrets are used to disseminate a shared secret to OCR nodes
 // through the blockchain where OCR configuration is stored. Its a low value secret used
@@ -22,3 +31,30 @@ func XXXGenerateTestOCRSecrets() OCRSecrets {
 
 	return s
 }
+
+// SharedSecrets generates shared secrets from the BIP39 mnemonic phrases for the OCR signers
+// and proposers.
+//
+// Lifted from here
+// https://github.com/smartcontractkit/offchain-reporting/blob/14a57d70e50474a2104aa413214e464d6bc69e16/lib/offchainreporting/internal/config/shared_secret_test.go#L32
+// Historically signers (fixed secret) and proposers (ephemeral secret) were
+// combined in this manner. We simply leave that as is.
+func GenerateSharedSecrets(xSigners, xProposers string) (OCRSecrets, error) {
+	if xSigners == "" || xProposers == "" {
+		return OCRSecrets{}, ErrMnemonicRequired
+	}
+
+	xSignersHash := crypto.Keccak256([]byte(xSigners))
+	xProposersHash := crypto.Keccak256([]byte(xProposers))
+	xSignersHashxProposersHashZero := append(append(append([]byte{}, xSignersHash...), xProposersHash...), 0)
+	xSignersHashxProposersHashOne := append(append(append([]byte{}, xSignersHash...), xProposersHash...), 1)
+	var sharedSecret [16]byte
+	copy(sharedSecret[:], crypto.Keccak256(xSignersHashxProposersHashZero))
+	var sk [32]byte
+	copy(sk[:], crypto.Keccak256(xSignersHashxProposersHashOne))
+
+	return OCRSecrets{
+		SharedSecret: sharedSecret,
+		EphemeralSk:  sk,
+	}, nil
+}

engine/cld/config/env/config.go

@@ -0,0 +1,227 @@
+package config
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"slices"
+
+	"github.com/spf13/viper"
+)
+
+// KMSConfig is the configuration for the AWS KMS.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type KMSConfig struct {
+	KeyID     string `mapstructure:"key_id"`     // Secret: AWS KMS Key ID
+	KeyRegion string `mapstructure:"key_region"` // Secret: AWS KMS Key Region (e.g. us-west-1)
+}
+
+// EVMConfig is the configuration for the EVM Chains.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type EVMConfig struct {
+	DeployerKey string      `mapstructure:"deployer_key"` // Secret: The private key of the deployer account. Prefer to use KMS keys instead.
+	Seth        *SethConfig `mapstructure:"seth"`         // Seth configuration for transaction tracing
+}
+
+type SethConfig struct {
+	ConfigFilePath  string   `mapstructure:"config_file_path"`  // The path to the Seth config file
+	GethWrapperDirs []string `mapstructure:"geth_wrapper_dirs"` // The paths to the Geth wrapper directories
+}
+
+// SolanaConfig is the configuration for the Solana Chains.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type SolanaConfig struct {
+	WalletKey       string `mapstructure:"wallet_key"`        // Secret: The private key of the wallet account.
+	ProgramsDirPath string `mapstructure:"programs_dir_path"` // The path to the Solana programs directory.
+}
+
+// AptosConfig is the configuration for the Aptos Chains.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type AptosConfig struct {
+	DeployerKey string `mapstructure:"deployer_key"` // Secret: The private key of the deployer account.
+}
+
+// TronConfig is the configuration for the Tron Chains.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type TronConfig struct {
+	DeployerKey string `mapstructure:"deployer_key"` // Secret: The private key of the deployer account.
+}
+
+// JobDistributorConfig is the configuration for connecting and authenticating to the Job
+// Distributor.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type JobDistributorConfig struct {
+	Endpoints JobDistributorEndpoints `mapstructure:"endpoints"` // The URL endpoints for the Job Distributor
+	Auth      JobDistributorAuth      `mapstructure:"auth"`      // Secret: The authentication configuration for the Job Distributor
+}
+
+// JobDistributorAuth is the configuration for authenticating to the Job Distributor via Cognito.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type JobDistributorAuth struct {
+	CognitoAppClientID     string `mapstructure:"cognito_app_client_id"`     // Secret: The Cognito App Client ID
+	CognitoAppClientSecret string `mapstructure:"cognito_app_client_secret"` // Secret: The Cognito App Client Secret
+	AWSRegion              string `mapstructure:"aws_region"`                // Secret: The AWS Region
+	Username               string `mapstructure:"username"`                  // Secret: The Cognito username for the Job Distributor
+	Password               string `mapstructure:"password"`                  // Secret: The Cognito password for the Job Distributor
+}
+
+// JobDistributorEndpoints is the configuration for the URL endpoints for the Job Distributor.
+type JobDistributorEndpoints struct {
+	WSRPC string `mapstructure:"wsrpc"` // The WebSocket RPC URL for the Job Distributor. Used to connect Job Distributor to CL nodes.
+	GRPC  string `mapstructure:"grpc"`  // The gRPC URL for the Job Distributor. Used to interact with the Job Distributor API.
+}
+
+// OCRConfig is the configuration for the OCR.
+//
+// WARNING: This data type contains sensitive fields and should not be logged or set in file
+// configuration.
+type OCRConfig struct {
+	XSigners   string `mapstructure:"x_signers"`   // Secret: BIP39 mnemonic phrase for the OCR signer.
+	XProposers string `mapstructure:"x_proposers"` // Secret: BIP39 mnemonic phrase for the OCR proposer.
+}
+
+// CatalogConfig is the configuration to connect to the Catalog.
+type CatalogConfig struct {
+	GRPC string `mapstructure:"grpc"` // The gRPC URL for the Catalog. Used to interact with the Catalog API.
+}
+
+// OnchainConfig wraps the configuration for the onchain components.
+type OnchainConfig struct {
+	KMS    KMSConfig    `mapstructure:"kms"`
+	EVM    EVMConfig    `mapstructure:"evm"`
+	Solana SolanaConfig `mapstructure:"solana"`
+	Aptos  AptosConfig  `mapstructure:"aptos"`
+	Tron   TronConfig   `mapstructure:"tron"`
+}
+
+// OffchainConfig wraps the configuration for the offchain components.
+type OffchainConfig struct {
+	JobDistributor JobDistributorConfig `mapstructure:"job_distributor"`
+	OCR            OCRConfig            `mapstructure:"ocr"`
+}
+
+// Config wraps the entire configuration for the CLD engine.
+type Config struct {
+	Onchain  OnchainConfig  `mapstructure:"onchain"`
+	Offchain OffchainConfig `mapstructure:"offchain"`
+	Catalog  CatalogConfig  `mapstructure:"catalog"`
+}
+
+// Load loads the config from the file path, falling back to env vars if the file does not exist.
+// If the file exists, any env vars that are set will override the values loaded from the file.
+func Load(filePath string) (*Config, error) {
+	v := viper.New()
+	v.SetConfigFile(filePath)
+
+	// Bind environment variables
+	if err := bindEnvs(v); err != nil {
+		return nil, err
+	}
+
+	// If the config file exists, we continue to read it, otherwise we fallback to using
+	// environment variables
+	if _, err := os.Stat(filePath); !errors.Is(err, fs.ErrNotExist) {
+		if err := v.ReadInConfig(); err != nil {
+			return nil, err
+		}
+	}
+
+	cfg := &Config{}
+	err := v.Unmarshal(cfg)
+
+	return cfg, err
+}
+
+// LoadEnv loads the config from the environment variables.
+func LoadEnv() (*Config, error) {
+	v := viper.New()
+
+	// Bind environment variables
+	if err := bindEnvs(v); err != nil {
+		return nil, err
+	}
+
+	cfg := &Config{}
+	err := v.Unmarshal(cfg)
+
+	return cfg, err
+}
+
+// LoadFile loads the config from a file.
+func LoadFile(filePath string) (*Config, error) {
+	v := viper.New()
+	v.SetConfigFile(filePath)
+
+	if err := v.ReadInConfig(); err != nil {
+		return nil, err
+	}
+
+	cfg := &Config{}
+	err := v.Unmarshal(cfg)
+
+	return cfg, err
+}
+
+var (
+	// envBindings defines how environment variables map to configuration keys used by Viper.
+	// Each entry maps a config key (as used in the struct, e.g. "onchain.kms.key_id") to a list of
+	// environment variable names that can provide its value.
+	//
+	// The first element in the list is the preferred (new) environment variable name, and the second
+	// (if present) is a legacy or backwards-compatible name. This allows the config loader to support
+	// both new and old environment variable conventions seamlessly, ensuring smooth transitions and
+	// compatibility with existing deployments.
+	//
+	// When loading, Viper will check each listed environment variable in order and use the first one
+	// that is set.
+	envBindings = map[string][]string{
+		"onchain.kms.key_id":                                      {"ONCHAIN_KMS_KEY_ID", "KMS_KEY_ID"},
+		"onchain.kms.key_region":                                  {"ONCHAIN_KMS_KEY_REGION", "KMS_KEY_REGION"},
+		"onchain.evm.deployer_key":                                {"ONCHAIN_EVM_DEPLOYER_KEY", "EVM_DEPLOYER_KEY"},
+		"onchain.evm.seth.config_file_path":                       {"ONCHAIN_EVM_SETH_CONFIG_FILE_PATH", "SETH_CONFIG_FILE"},
+		"onchain.evm.seth.geth_wrapper_dirs":                      {"ONCHAIN_EVM_SETH_GETH_WRAPPER_DIRS", "GETH_WRAPPERS_DIRS"},
+		"onchain.solana.wallet_key":                               {"ONCHAIN_SOLANA_WALLET_KEY", "SOLANA_WALLET_KEY"},
+		"onchain.solana.programs_dir_path":                        {"ONCHAIN_SOLANA_PROGRAMS_DIR_PATH", "SOLANA_PROGRAM_PATH"},
+		"onchain.aptos.deployer_key":                              {"ONCHAIN_APTOS_DEPLOYER_KEY", "APTOS_DEPLOYER_KEY"},
+		"onchain.tron.deployer_key":                               {"ONCHAIN_TRON_DEPLOYER_KEY", "TRON_DEPLOYER_KEY"},
+		"offchain.job_distributor.auth.cognito_app_client_id":     {"OFFCHAIN_JD_AUTH_COGNITO_APP_CLIENT_ID", "JD_AUTH_COGNITO_APP_CLIENT_ID"},
+		"offchain.job_distributor.auth.cognito_app_client_secret": {"OFFCHAIN_JD_AUTH_COGNITO_APP_CLIENT_SECRET", "JD_AUTH_COGNITO_APP_CLIENT_SECRET"},
+		"offchain.job_distributor.auth.aws_region":                {"OFFCHAIN_JD_AUTH_AWS_REGION", "JD_AUTH_AWS_REGION"},
+		"offchain.job_distributor.auth.username":                  {"OFFCHAIN_JD_AUTH_USERNAME", "JD_AUTH_USERNAME"},
+		"offchain.job_distributor.auth.password":                  {"OFFCHAIN_JD_AUTH_PASSWORD", "JD_AUTH_PASSWORD"},
+		"offchain.job_distributor.endpoints.wsrpc":                {"OFFCHAIN_JD_ENDPOINTS_WSRPC", "JD_WS_RPC"},
+		"offchain.job_distributor.endpoints.grpc":                 {"OFFCHAIN_JD_ENDPOINTS_GRPC", "JD_GRPC"},
+		"offchain.ocr.x_signers":                                  {"OFFCHAIN_OCR_X_SIGNERS", "OCR_X_SIGNERS"},
+		"offchain.ocr.x_proposers":                                {"OFFCHAIN_OCR_X_PROPOSERS", "OCR_X_PROPOSERS"},
+		"catalog.grpc":                                            {"CATALOG_GRPC"},
+	}
+)
+
+// bindEnvs binds the environment variables to the viper instance.
+func bindEnvs(v *viper.Viper) error {
+	// Bind environment variables mappings to the viper instance
+	for key, envs := range envBindings {
+		// Prepend the env key to the start of the arguments
+		inputs := slices.Insert(envs, 0, key)
+
+		if err := v.BindEnv(inputs...); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}