Merge remote-tracking branch 'origin/develop' into feat/mercury-loopp

.github/workflows/integration-tests.yml

@@ -454,11 +454,11 @@ jobs:
             os: ubuntu-latest
             pyroscope_env: ci-smoke-vrf-evm-simulated
           - name: vrfv2
-            nodes: 3
+            nodes: 4
             os: ubuntu-latest
             pyroscope_env: ci-smoke-vrf2-evm-simulated
           - name: vrfv2plus
-            nodes: 3
+            nodes: 4
             os: ubuntu-latest
             pyroscope_env: ci-smoke-vrf2plus-evm-simulated
           - name: forwarder_ocr
@@ -1021,6 +1021,19 @@ jobs:
 
           # Remove the created container
           docker rm "$CONTAINER_ID"
+      - name: Generate config overrides
+        run: | # https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/config/README.md
+          cat << EOF > config.toml
+          [ChainlinkImage]
+          image="${{ env.CHAINLINK_IMAGE }}"
+          version="${{ github.sha }}"
+          EOF
+          # shellcheck disable=SC2002
+          BASE64_CONFIG_OVERRIDE=$(cat config.toml | base64 -w 0)
+          # shellcheck disable=SC2086
+          echo ::add-mask::$BASE64_CONFIG_OVERRIDE
+          # shellcheck disable=SC2086
+          echo "BASE64_CONFIG_OVERRIDE=$BASE64_CONFIG_OVERRIDE" >> $GITHUB_ENV
       - name: Run Tests
         if: needs.changes.outputs.src == 'true' || github.event_name == 'workflow_dispatch'
         uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/run-tests@ea889b3133bd7f16ab19ba4ba130de5d9162c669 # v2.3.4

CODEOWNERS

@@ -2,37 +2,29 @@
 # 1. Per Github docs: "Order is important; the last matching pattern takes the most precedence."
 # Please define less specific codeowner paths before more specific codeowner paths in order for the more specific rule to have priority
 
-# Misc
-/core/store @samsondav @jmank88
-/core/chains @samsondav
-/core/logger @jmank88
-/core/internal @samsondav @jmank88
+# Core
+/core @smartcontractkit/foundations
 
 # Chains
 /common @smartcontractkit/integrations
-/core/chains/evm @samsondav @prashantkumar1982
-/core/chains/evm/headtracker @pinebit @samsondav @prashantkumar1982
-/core/chains/evm/client @samsondav @prashantkumar1982
-/core/chains/evm/log @jmank88 @prashantkumar1982 @connorwstein
-/core/chains/evm/logpoller @reductionista @connorwstein
-/core/chains/cosmos @archseer @cfal
+/core/chains/ @smartcontractkit/integrations
 
 # Services
-/core/services/cron @samsondav
-/core/services/directrequest @connorwstein @samsondav
-/core/services/feeds @jkongie
-/core/services/fluxmonitorv2 @jkongie @PiotrTrzpil @connorwstein
-/core/services/health @samsondav
-/core/services/job @connorwstein
-/core/services/keystore @RyanRHall
-/core/services/ocr* @connorwstein @samsondav
-/core/services/ocr2 @jmank88 @krehermann
-/core/services/periodicbackup @PiotrTrzpil @samsondav
-/core/services/pg @samsondav
-/core/services/pipeline @connorwstein @prashantkumar1982
-/core/services/synchronization
-/core/services/telemetry
-/core/services/relay/evm/mercury @samsondav @sdrug @martin-cll
+/core/services/directrequest @smartcontractkit/keepers
+/core/services/feeds @smartcontractkit/FMS
+
+# To be deprecated in Chainlink V3
+/core/services/fluxmonitorv2 @smartcontractkit/foundations
+/core/services/job @smartcontractkit/ccip
+/core/services/keystore @smartcontractkit/keepers
+/core/services/ocr* @smartcontractkit/foundations
+/core/services/periodicbackup @smartcontractkit/foundations
+/core/services/pg @smartcontractkit/foundations @samsondav
+/core/services/pipeline @smartcontractkit/foundations @smartcontractkit/integrations
+/core/services/telemetry @smartcontractkit/realtime
+/core/services/relay/evm/mercury @smartcontractkit/mercury-team
+/core/services/webhook @smartcontractkit/foundations @smartcontractkit/integrations
+/core/services/llo @smartcontractkit/mercury-team
 
 # VRF-related services
 /core/services/vrf @smartcontractkit/vrf-team
@@ -48,27 +40,16 @@
 /core/services/keeper @smartcontractkit/keepers
 /core/services/ocr2/plugins/ocr2keeper @smartcontractkit/keepers
 
-/core/services/webhook @samsondav
-
 # Chainlink Functions
 core/services/functions @smartcontractkit/functions
 core/services/ocr2/plugins/functions @smartcontractkit/functions
-core/services/s4 @pinebit @bolekk
-core/service/ocr2/plugins/s4 @pinebit @bolekk
-core/services/ocr2/plugins/threshold @KuphJr @bolekk
-core/services/relay/evm/functions.go @bolekk @justinkaseman @KuphJr
-core/services/relay/evm/functions @bolekk @justinkaseman @KuphJr
+core/services/s4 @smartcontractkit/functions
+core/service/ocr2/plugins/s4 @smartcontractkit/functions
+core/services/ocr2/plugins/threshold @smartcontractkit/functions
+core/services/relay/evm/functions @smartcontractkit/functions
+core/services/relay/evm/functions @smartcontractkit/functions
 core/scripts/functions @smartcontractkit/functions
-core/scripts/gateway @bolekk @pinebit
-
-# API
-/core/web @jkongie
-
-# CLI
-/core/cmd @jkongie @jmank88 @samsondav
-
-# UI
-/operator-ui/ @DeividasK @jkongie
+core/scripts/gateway @smartcontractkit/functions
 
 # Contracts
 /contracts/ @RensR
@@ -78,23 +59,21 @@ core/scripts/gateway @bolekk @pinebit
 # This could give some false positives, so afterwards we match on the project directories
 # to ensure the entire directory is always owned by the correct team.
 
-/contracts/**/*shared* @RensR
 /contracts/**/*keeper* @smartcontractkit/keepers
 /contracts/**/*upkeep* @smartcontractkit/keepers
 /contracts/**/*automation* @smartcontractkit/keepers
 /contracts/**/*functions* @smartcontractkit/functions
-/contracts/**/*llo-feeds* @austinborn @Fletch153
+/contracts/**/*llo-feeds* @smartcontrackit/mercury-team
 /contracts/**/*vrf* @smartcontractkit/vrf-team
-/contracts/**/*l2ep* @simsonraj
-/contracts/**/*operatorforwarder* @essamhassan
+/contracts/**/*l2ep* @smartcontractkit/integrations
 
 /contracts/src/v0.8/automation @smartcontractkit/keepers
 /contracts/src/v0.8/functions @smartcontractkit/functions
 # TODO: interfaces folder, folder should be removed and files moved to the correct folders
-/contracts/src/v0.8/l2ep @simsonraj
-/contracts/src/v0.8/llo-feeds @austinborn @Fletch153
+/contracts/src/v0.8/l2ep @chris-de-leon-cll
+/contracts/src/v0.8/llo-feeds @smartcontractkit/mercury-team
 # TODO: mocks folder, folder should be removed and files moved to the correct folders
-/contracts/src/v0.8/operatorforwarder @essamhassan
+/contracts/src/v0.8/operatorforwarder @smartcontractkit/foundations
 /contracts/src/v0.8/shared @RensR
 # TODO: tests folder, folder should be removed and files moved to the correct folders
 # TODO: transmission folder, owner should be found
@@ -112,10 +91,7 @@ core/scripts/gateway @bolekk @pinebit
 /integration-tests/**/*automation* @smartcontractkit/keepers
 
 # CI/CD
-/.github/** @chainchad @javuto @jkongie @jmank88 @samsondav
-/.github/workflows/integration-tests.yml @smartcontractkit/test-tooling-team
-/.github/workflows/integration-chaos-tests.yml @smartcontractkit/test-tooling-team
-/.github/workflows/integration-tests-publish.yml @smartcontractkit/test-tooling-team
+/.github/** @smartcontractkit/releng @smartcontractkit/test-tooling-team
 /.github/workflows/performance-tests.yml @smartcontractkit/test-tooling-team
 /.github/workflows/automation-ondemand-tests.yml @smartcontractkit/keepers
 /.github/workflows/automation-benchmark-tests.yml @smartcontractkit/keepers
@@ -138,9 +114,5 @@ flake.nix @smartcontractkit/prodsec-public
 flake.lock @smartcontractkit/prodsec-public
 
 # Config
-./core/config @samsondav @jmank88
-./docs/CONFIG.md @samsondav @jmank88 @dwightjl
-./internal/config/docs.toml @samsondav @jmank88 @dwightjl
-
-# LOOP Plugins
-/plugins @jmank88 @krehermann
+./docs/CONFIG.md @smartcontractkit/foundations @smartcontractkit/devrel
+./internal/config/docs.toml @smartcontractkit/foundations @smartcontractkit/devrel

charts/chainlink-cluster/devspace.yaml

@@ -34,8 +34,8 @@ pipelines:
       echo "Authorizing into ECR registry"
       aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${registry_id}.dkr.ecr.us-west-2.amazonaws.com
 
-      run_dependencies --all                           
-      ensure_pull_secrets --all                         
+      run_dependencies --all
+      ensure_pull_secrets --all
       build_images ---var DOCKER_DEFAULT_PLATFORM=linux/amd64  --all -t $(git rev-parse --short HEAD)
       kubectl annotate namespace ${DEVSPACE_NAMESPACE} janitor/ttl=${NS_TTL} || true
       kubectl label namespace/${DEVSPACE_NAMESPACE} network=crib || true
@@ -63,7 +63,7 @@ pipelines:
       else
         echo "Image tag '$tag' not found. Please build the image using 'devspace deploy'"
         exit 1
-      fi 
+      fi
       create_deployments app \
       --set=helm.values.chainlink.nodes[0].image=$image \
       --set=helm.values.chainlink.nodes[1].image=$image \

charts/chainlink-cluster/devspace_start.sh

@@ -7,9 +7,9 @@ COLOR_RESET="\033[0m"
 
 # Print useful output for user
 echo -e "${COLOR_BLUE}
-     %########%      
-     %###########%       ____                 _____                      
-         %#########%    |  _ \   ___ __   __ / ___/  ____    ____   ____ ___ 
+     %########%
+     %###########%       ____                 _____
+         %#########%    |  _ \   ___ __   __ / ___/  ____    ____   ____ ___
          %#########%    | | | | / _ \\\\\ \ / / \___ \ |  _ \  / _  | / __// _ \\
      %#############%    | |_| |(  __/ \ V /  ____) )| |_) )( (_| |( (__(  __/
      %#############%    |____/  \___|  \_/   \____/ |  __/  \__,_| \___\\\\\___|

charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-db
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow all node pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow all runner pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 5432
+{{- end }}

charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-node
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}

charts/chainlink-cluster/templates/geth-networkpolicy.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-geth
+spec:
+  podSelector:
+    matchLabels:
+      app: geth
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http and websocket connections from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http and websocket connections from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 8544
+        - protocol: TCP
+          port: 8546
+{{- end }}

charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-mockserver
+spec:
+  podSelector:
+    matchLabels:
+      app: mockserver
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http traffic from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http traffic from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 1080
+{{- end }}

charts/chainlink-cluster/templates/networkpolicy-default.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "{{ $.Release.Namespace }}"
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+{{- end }}

charts/chainlink-cluster/templates/runner-networkpolicy.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-runner
+spec:
+  podSelector:
+    matchLabels:
+      app: runner
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}

charts/chainlink-cluster/values.yaml

@@ -284,6 +284,9 @@ nodeSelector:
 tolerations:
 affinity:
 
+networkPolicies:
+  enabled: true
+
 # Configure the default network policy.
 networkPolicyDefault:
   ingress: