From c33c9129af5aee99d41ae6b592f9f444041a4dcd Mon Sep 17 00:00:00 2001
From: Russell Stern
Date: Tue, 23 Jun 2026 10:44:48 -0400
Subject: [PATCH 1/2] Added label consensus flag
---
 pkg/settings/cresettings/README.md | 1 +
 pkg/settings/cresettings/defaults.json | 1 +
 pkg/settings/cresettings/defaults.toml | 1 +
 pkg/settings/cresettings/settings.go | 86 ++++++++++++-----------
 pkg/settings/cresettings/settings_test.go | 1 +
 5 files changed, 48 insertions(+), 42 deletions(-)
diff --git a/pkg/settings/cresettings/README.md b/pkg/settings/cresettings/README.md
index b6dae48840..8f58d34996 100644
--- a/pkg/settings/cresettings/README.md
+++ b/pkg/settings/cresettings/README.md
@@ -42,6 +42,7 @@ flowchart
 VaultBase64EncodingEnabled[/VaultBase64EncodingEnabled\]:::gate
 VaultForceEmptyOCRRounds[/VaultForceEmptyOCRRounds\]:::gate
 VaultOptimizationsEnabled[/VaultOptimizationsEnabled\]:::gate
+ VaultGetSecretsShareLabelConsensusEnabled[/VaultGetSecretsShareLabelConsensusEnabled\]:::gate
 VaultOwnerAddressCanonicalizationEnabled[/VaultOwnerAddressCanonicalizationEnabled\]:::gate
 VaultSignedResponseRequestIDEnabled[/VaultSignedResponseRequestIDEnabled\]:::gate
 end
diff --git a/pkg/settings/cresettings/defaults.json b/pkg/settings/cresettings/defaults.json
index cac5ad93a2..ceefc3f87f 100644
--- a/pkg/settings/cresettings/defaults.json
+++ b/pkg/settings/cresettings/defaults.json
@@ -9,6 +9,7 @@
 "VaultBase64EncodingEnabled": "false",
 "VaultForceEmptyOCRRounds": "false",
 "VaultOptimizationsEnabled": "false",
+ "VaultGetSecretsShareLabelConsensusEnabled": "false",
 "VaultOwnerAddressCanonicalizationEnabled": "false",
 "VaultSignedResponseRequestIDEnabled": "false",
 "GatewayHTTPGlobalRate": "500rps:500",
diff --git a/pkg/settings/cresettings/defaults.toml b/pkg/settings/cresettings/defaults.toml
index ca3f164a67..3e26f2f3a1 100644
--- a/pkg/settings/cresettings/defaults.toml
+++ b/pkg/settings/cresettings/defaults.toml
@@ -8,6 +8,7 @@ PropagateOrgIDInRequestMetadata = 'false'
 VaultBase64EncodingEnabled = 'false'
 VaultForceEmptyOCRRounds = 'false'
 VaultOptimizationsEnabled = 'false'
+VaultGetSecretsShareLabelConsensusEnabled = 'false'
 VaultOwnerAddressCanonicalizationEnabled = 'false'
 VaultSignedResponseRequestIDEnabled = 'false'
 GatewayHTTPGlobalRate = '500rps:500'
diff --git a/pkg/settings/cresettings/settings.go b/pkg/settings/cresettings/settings.go
index fb82fe98ee..6f7adf0821 100644
--- a/pkg/settings/cresettings/settings.go
+++ b/pkg/settings/cresettings/settings.go
@@ -58,24 +58,25 @@ var Default = Schema{
 GatewayVaultManagementEnabled: Bool(true),
 VaultJWTAuthEnabled: Bool(false),
 // Deprecated: retained for backwards compatibility; workflow owner identifies secret ownership.
- VaultOrgIdAsSecretOwnerEnabled: Bool(false),
- PropagateOrgIDInRequestMetadata: Bool(false),
- VaultBase64EncodingEnabled: Bool(false),
- VaultForceEmptyOCRRounds: Bool(false),
- VaultOptimizationsEnabled: Bool(false),
- VaultOwnerAddressCanonicalizationEnabled: Bool(false),
- VaultSignedResponseRequestIDEnabled: Bool(false),
- GatewayHTTPGlobalRate: Rate(rate.Limit(500), 500),
- GatewayHTTPPerNodeRate: Rate(rate.Limit(100), 100),
- GatewayConfidentialRelayGlobalRate: Rate(rate.Limit(50), 10),
- GatewayConfidentialRelayPerNodeRate: Rate(rate.Limit(10), 10),
- GatewayHTTPActionMtlsRequestRate: Rate(rate.Every(30*time.Second), 0),
- GatewayHTTPActionMtlsConcurrencyLimit: Int(50),
- TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
- BaseTriggerRetryInterval: Duration(30 * time.Second),
- BaseTriggerMaxRetries: Int(20),
- BaseTriggerPruneAge: Duration(24 * time.Hour),
- BaseTriggerMaxSendsPerTick: Int(20),
+ VaultOrgIdAsSecretOwnerEnabled: Bool(false),
+ PropagateOrgIDInRequestMetadata: Bool(false),
+ VaultBase64EncodingEnabled: Bool(false),
+ VaultForceEmptyOCRRounds: Bool(false),
+ VaultOptimizationsEnabled: Bool(false),
+ VaultGetSecretsShareLabelConsensusEnabled: Bool(false),
+ VaultOwnerAddressCanonicalizationEnabled: Bool(false),
+ VaultSignedResponseRequestIDEnabled: Bool(false),
+ GatewayHTTPGlobalRate: Rate(rate.Limit(500), 500),
+ GatewayHTTPPerNodeRate: Rate(rate.Limit(100), 100),
+ GatewayConfidentialRelayGlobalRate: Rate(rate.Limit(50), 10),
+ GatewayConfidentialRelayPerNodeRate: Rate(rate.Limit(10), 10),
+ GatewayHTTPActionMtlsRequestRate: Rate(rate.Every(30*time.Second), 0),
+ GatewayHTTPActionMtlsConcurrencyLimit: Int(50),
+ TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
+ BaseTriggerRetryInterval: Duration(30 * time.Second),
+ BaseTriggerMaxRetries: Int(20),
+ BaseTriggerPruneAge: Duration(24 * time.Hour),
+ BaseTriggerMaxSendsPerTick: Int(20),
 // DANGER(cedric): Be extremely careful changing these vault limits below as they act as a default value
 // used by the Vault OCR plugin -- changing these values could cause issues with the plugin during an image
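Review bot: `VaultGetSecretsShareLabelConsensusEnabled: Bool(false)` is added to `Default` with no comment saying what the gate changes, even though the same literal carries a DANGER comment about vault defaults that the Vault OCR plugin consumes. Judging by the name alone it changes how GetSecrets shares are agreed across nodes, so whether it has to be switched on for every node of a DON together is what an operator needs to read here; that is an inference from the name, since the code that reads the gate is not in this patch. I would add a comment above the entry, for example `// VaultGetSecretsShareLabelConsensusEnabled gates <behaviour>; default off; enable on all nodes of a DON together (confirm).`, and put the same one-line doc on the new `Schema` field in the `type Schema struct` hunk. The `Default` literal starts and ends outside this hunk.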
@@ -270,25 +271,26 @@ var Default = Schema{
 }
 type Schema struct {
- WorkflowLimit Setting[int] `unit:"{workflow}"`
- WorkflowExecutionConcurrencyLimit Setting[int] `unit:"{workflow}"`
- GatewayIncomingPayloadSizeLimit Setting[config.Size]
- GatewayVaultManagementEnabled Setting[bool]
- VaultJWTAuthEnabled Setting[bool]
- VaultOrgIdAsSecretOwnerEnabled Setting[bool] // Deprecated
- PropagateOrgIDInRequestMetadata Setting[bool]
- VaultBase64EncodingEnabled Setting[bool]
- VaultForceEmptyOCRRounds Setting[bool]
- VaultOptimizationsEnabled Setting[bool]
- VaultOwnerAddressCanonicalizationEnabled Setting[bool]
- VaultSignedResponseRequestIDEnabled Setting[bool]
- GatewayHTTPGlobalRate Setting[config.Rate]
- GatewayHTTPPerNodeRate Setting[config.Rate]
- GatewayConfidentialRelayGlobalRate Setting[config.Rate]
- GatewayConfidentialRelayPerNodeRate Setting[config.Rate]
- GatewayHTTPActionMtlsRequestRate Setting[config.Rate]
- GatewayHTTPActionMtlsConcurrencyLimit Setting[int] `unit:"{request}"`
- TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
+ WorkflowLimit Setting[int] `unit:"{workflow}"`
+ WorkflowExecutionConcurrencyLimit Setting[int] `unit:"{workflow}"`
+ GatewayIncomingPayloadSizeLimit Setting[config.Size]
+ GatewayVaultManagementEnabled Setting[bool]
+ VaultJWTAuthEnabled Setting[bool]
+ VaultOrgIdAsSecretOwnerEnabled Setting[bool] // Deprecated
+ PropagateOrgIDInRequestMetadata Setting[bool]
+ VaultBase64EncodingEnabled Setting[bool]
+ VaultForceEmptyOCRRounds Setting[bool]
+ VaultOptimizationsEnabled Setting[bool]
+ VaultGetSecretsShareLabelConsensusEnabled Setting[bool]
+ VaultOwnerAddressCanonicalizationEnabled Setting[bool]
+ VaultSignedResponseRequestIDEnabled Setting[bool]
+ GatewayHTTPGlobalRate Setting[config.Rate]
+ GatewayHTTPPerNodeRate Setting[config.Rate]
+ GatewayConfidentialRelayGlobalRate Setting[config.Rate]
+ GatewayConfidentialRelayPerNodeRate Setting[config.Rate]
+ GatewayHTTPActionMtlsRequestRate Setting[config.Rate]
+ GatewayHTTPActionMtlsConcurrencyLimit Setting[int] `unit:"{request}"`
+ TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
 BaseTriggerRetryInterval Setting[time.Duration]
 BaseTriggerMaxRetries Setting[int] `unit:"{attempt}"`
@@ -380,12 +382,12 @@ type Workflows struct {
 Secrets secrets
 DONTime donTime
- FeatureMultiTriggerExecutionIDsActiveAt Setting[config.Timestamp] // Deprecated
- FeatureMultiTriggerExecutionIDsActivePeriod Setting[Range[config.Timestamp]]
+ FeatureMultiTriggerExecutionIDsActiveAt Setting[config.Timestamp] // Deprecated
+ FeatureMultiTriggerExecutionIDsActivePeriod Setting[Range[config.Timestamp]]
 FeatureUseSingleDONTimeProviderPerExecutionActivePeriod Setting[Range[config.Timestamp]]
- FeatureChainCapabilityHashBasedOCRActivePeriod Setting[Range[config.Timestamp]]
- FeatureEVMWriteReportL1FeeActivePeriod Setting[Range[config.Timestamp]]
- FeatureAptosWriteReportBlockTimestampActivePeriod Setting[Range[config.Timestamp]]
+ FeatureChainCapabilityHashBasedOCRActivePeriod Setting[Range[config.Timestamp]]
+ FeatureEVMWriteReportL1FeeActivePeriod Setting[Range[config.Timestamp]]
+ FeatureAptosWriteReportBlockTimestampActivePeriod Setting[Range[config.Timestamp]]
 }
 type cronTrigger struct {
diff --git a/pkg/settings/cresettings/settings_test.go b/pkg/settings/cresettings/settings_test.go
index 29def53c42..219d654001 100644
--- a/pkg/settings/cresettings/settings_test.go
+++ b/pkg/settings/cresettings/settings_test.go
@@ -135,6 +135,7 @@ func TestSchema_Unmarshal(t *testing.T) {
 assert.False(t, cfg.VaultBase64EncodingEnabled.DefaultValue)
 assert.False(t, cfg.VaultForceEmptyOCRRounds.DefaultValue)
 assert.False(t, cfg.VaultOptimizationsEnabled.DefaultValue)
+ assert.False(t, cfg.VaultGetSecretsShareLabelConsensusEnabled.DefaultValue)
 assert.False(t, cfg.VaultOwnerAddressCanonicalizationEnabled.DefaultValue)
 assert.False(t, cfg.VaultSignedResponseRequestIDEnabled.DefaultValue)
 assert.Equal(t, config.Rate{Limit: rate.Limit(20), Burst: 7}, cfg.GatewayConfidentialRelayGlobalRate.DefaultValue)
From 93113c161842476f93c87254724f26797c144117 Mon Sep 17 00:00:00 2001
From: Russell Stern
Date: Wed, 24 Jun 2026 09:21:37 -0400
Subject: [PATCH 2/2] Renamed the flag
---
 pkg/settings/cresettings/README.md | 2 +-
 pkg/settings/cresettings/defaults.json | 2 +-
 pkg/settings/cresettings/defaults.toml | 2 +-
 pkg/settings/cresettings/settings.go | 78 +++++++++++------------
 pkg/settings/cresettings/settings_test.go | 2 +-
 5 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/pkg/settings/cresettings/README.md b/pkg/settings/cresettings/README.md
index 8f58d34996..25a82dfb5c 100644
--- a/pkg/settings/cresettings/README.md
+++ b/pkg/settings/cresettings/README.md
@@ -42,7 +42,7 @@ flowchart
 VaultBase64EncodingEnabled[/VaultBase64EncodingEnabled\]:::gate
 VaultForceEmptyOCRRounds[/VaultForceEmptyOCRRounds\]:::gate
 VaultOptimizationsEnabled[/VaultOptimizationsEnabled\]:::gate
- VaultGetSecretsShareLabelConsensusEnabled[/VaultGetSecretsShareLabelConsensusEnabled\]:::gate
+ VaultGetSecretsShareAggregationIncludesPublicKeys[/VaultGetSecretsShareAggregationIncludesPublicKeys\]:::gate
 VaultOwnerAddressCanonicalizationEnabled[/VaultOwnerAddressCanonicalizationEnabled\]:::gate
 VaultSignedResponseRequestIDEnabled[/VaultSignedResponseRequestIDEnabled\]:::gate
 end
diff --git a/pkg/settings/cresettings/defaults.json b/pkg/settings/cresettings/defaults.json
index ceefc3f87f..11ff04f0d5 100644
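Review bot: In the PATCH 1/2 hunk of settings_test.go, the added `assert.False(t, cfg.VaultGetSecretsShareLabelConsensusEnabled.DefaultValue)` passes whether or not the new key is parsed at all, because `false` is also the zero value of the field. The neighbouring `assert.Equal` expects `GatewayConfidentialRelayGlobalRate` to be 20/7 rather than the 50/10 set in `Default`, which suggests the fixture overrides values. If it does, setting the new key to `true` in that fixture and asserting `assert.True(t, cfg.VaultGetSecretsShareLabelConsensusEnabled.DefaultValue)` would prove the key name is wired through unmarshalling, which matters for a gate on vault secret handling. The fixture and the rest of `TestSchema_Unmarshal` are outside the hunk, so this is inferred from the visible assertions only.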
--- a/pkg/settings/cresettings/defaults.json
+++ b/pkg/settings/cresettings/defaults.json
@@ -9,7 +9,7 @@
 "VaultBase64EncodingEnabled": "false",
 "VaultForceEmptyOCRRounds": "false",
 "VaultOptimizationsEnabled": "false",
- "VaultGetSecretsShareLabelConsensusEnabled": "false",
+ "VaultGetSecretsShareAggregationIncludesPublicKeys": "false",
 "VaultOwnerAddressCanonicalizationEnabled": "false",
 "VaultSignedResponseRequestIDEnabled": "false",
 "GatewayHTTPGlobalRate": "500rps:500",
diff --git a/pkg/settings/cresettings/defaults.toml b/pkg/settings/cresettings/defaults.toml
index 3e26f2f3a1..7e0381f602 100644
--- a/pkg/settings/cresettings/defaults.toml
+++ b/pkg/settings/cresettings/defaults.toml
@@ -8,7 +8,7 @@ PropagateOrgIDInRequestMetadata = 'false'
 VaultBase64EncodingEnabled = 'false'
 VaultForceEmptyOCRRounds = 'false'
 VaultOptimizationsEnabled = 'false'
-VaultGetSecretsShareLabelConsensusEnabled = 'false'
+VaultGetSecretsShareAggregationIncludesPublicKeys = 'false'
 VaultOwnerAddressCanonicalizationEnabled = 'false'
 VaultSignedResponseRequestIDEnabled = 'false'
 GatewayHTTPGlobalRate = '500rps:500'
diff --git a/pkg/settings/cresettings/settings.go b/pkg/settings/cresettings/settings.go
index 6f7adf0821..2f8a42d4c5 100644
--- a/pkg/settings/cresettings/settings.go
+++ b/pkg/settings/cresettings/settings.go
@@ -58,25 +58,25 @@ var Default = Schema{
 GatewayVaultManagementEnabled: Bool(true),
 VaultJWTAuthEnabled: Bool(false),
 // Deprecated: retained for backwards compatibility; workflow owner identifies secret ownership.
- VaultOrgIdAsSecretOwnerEnabled: Bool(false),
- PropagateOrgIDInRequestMetadata: Bool(false),
- VaultBase64EncodingEnabled: Bool(false),
- VaultForceEmptyOCRRounds: Bool(false),
- VaultOptimizationsEnabled: Bool(false),
- VaultGetSecretsShareLabelConsensusEnabled: Bool(false),
- VaultOwnerAddressCanonicalizationEnabled: Bool(false),
- VaultSignedResponseRequestIDEnabled: Bool(false),
- GatewayHTTPGlobalRate: Rate(rate.Limit(500), 500),
- GatewayHTTPPerNodeRate: Rate(rate.Limit(100), 100),
- GatewayConfidentialRelayGlobalRate: Rate(rate.Limit(50), 10),
- GatewayConfidentialRelayPerNodeRate: Rate(rate.Limit(10), 10),
- GatewayHTTPActionMtlsRequestRate: Rate(rate.Every(30*time.Second), 0),
- GatewayHTTPActionMtlsConcurrencyLimit: Int(50),
- TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
- BaseTriggerRetryInterval: Duration(30 * time.Second),
- BaseTriggerMaxRetries: Int(20),
- BaseTriggerPruneAge: Duration(24 * time.Hour),
- BaseTriggerMaxSendsPerTick: Int(20),
+ VaultOrgIdAsSecretOwnerEnabled: Bool(false),
+ PropagateOrgIDInRequestMetadata: Bool(false),
+ VaultBase64EncodingEnabled: Bool(false),
+ VaultForceEmptyOCRRounds: Bool(false),
+ VaultOptimizationsEnabled: Bool(false),
+ VaultGetSecretsShareAggregationIncludesPublicKeys: Bool(false),
+ VaultOwnerAddressCanonicalizationEnabled: Bool(false),
+ VaultSignedResponseRequestIDEnabled: Bool(false),
+ GatewayHTTPGlobalRate: Rate(rate.Limit(500), 500),
+ GatewayHTTPPerNodeRate: Rate(rate.Limit(100), 100),
+ GatewayConfidentialRelayGlobalRate: Rate(rate.Limit(50), 10),
+ GatewayConfidentialRelayPerNodeRate: Rate(rate.Limit(10), 10),
+ GatewayHTTPActionMtlsRequestRate: Rate(rate.Every(30*time.Second), 0),
+ GatewayHTTPActionMtlsConcurrencyLimit: Int(50),
+ TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
+ BaseTriggerRetryInterval: Duration(30 * time.Second),
+ BaseTriggerMaxRetries: Int(20),
+ BaseTriggerPruneAge: Duration(24 * time.Hour),
+ BaseTriggerMaxSendsPerTick: Int(20),
 // DANGER(cedric): Be extremely careful changing these vault limits below as they act as a default value
 // used by the Vault OCR plugin -- changing these values could cause issues with the plugin during an image
@@ -271,26 +271,26 @@ var Default = Schema{
 }
 type Schema struct {
- WorkflowLimit Setting[int] `unit:"{workflow}"`
- WorkflowExecutionConcurrencyLimit Setting[int] `unit:"{workflow}"`
- GatewayIncomingPayloadSizeLimit Setting[config.Size]
- GatewayVaultManagementEnabled Setting[bool]
- VaultJWTAuthEnabled Setting[bool]
- VaultOrgIdAsSecretOwnerEnabled Setting[bool] // Deprecated
- PropagateOrgIDInRequestMetadata Setting[bool]
- VaultBase64EncodingEnabled Setting[bool]
- VaultForceEmptyOCRRounds Setting[bool]
- VaultOptimizationsEnabled Setting[bool]
- VaultGetSecretsShareLabelConsensusEnabled Setting[bool]
- VaultOwnerAddressCanonicalizationEnabled Setting[bool]
- VaultSignedResponseRequestIDEnabled Setting[bool]
- GatewayHTTPGlobalRate Setting[config.Rate]
- GatewayHTTPPerNodeRate Setting[config.Rate]
- GatewayConfidentialRelayGlobalRate Setting[config.Rate]
- GatewayConfidentialRelayPerNodeRate Setting[config.Rate]
- GatewayHTTPActionMtlsRequestRate Setting[config.Rate]
- GatewayHTTPActionMtlsConcurrencyLimit Setting[int] `unit:"{request}"`
- TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
+ WorkflowLimit Setting[int] `unit:"{workflow}"`
+ WorkflowExecutionConcurrencyLimit Setting[int] `unit:"{workflow}"`
+ GatewayIncomingPayloadSizeLimit Setting[config.Size]
+ GatewayVaultManagementEnabled Setting[bool]
+ VaultJWTAuthEnabled Setting[bool]
+ VaultOrgIdAsSecretOwnerEnabled Setting[bool] // Deprecated
+ PropagateOrgIDInRequestMetadata Setting[bool]
+ VaultBase64EncodingEnabled Setting[bool]
+ VaultForceEmptyOCRRounds Setting[bool]
+ VaultOptimizationsEnabled Setting[bool]
+ VaultGetSecretsShareAggregationIncludesPublicKeys Setting[bool]
+ VaultOwnerAddressCanonicalizationEnabled Setting[bool]
+ VaultSignedResponseRequestIDEnabled Setting[bool]
+ GatewayHTTPGlobalRate Setting[config.Rate]
+ GatewayHTTPPerNodeRate Setting[config.Rate]
+ GatewayConfidentialRelayGlobalRate Setting[config.Rate]
+ GatewayConfidentialRelayPerNodeRate Setting[config.Rate]
+ GatewayHTTPActionMtlsRequestRate Setting[config.Rate]
+ GatewayHTTPActionMtlsConcurrencyLimit Setting[int] `unit:"{request}"`
+ TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
 BaseTriggerRetryInterval Setting[time.Duration]
 BaseTriggerMaxRetries Setting[int] `unit:"{attempt}"`
diff --git a/pkg/settings/cresettings/settings_test.go b/pkg/settings/cresettings/settings_test.go
index 219d654001..68b1bc3a4b 100644
--- a/pkg/settings/cresettings/settings_test.go
+++ b/pkg/settings/cresettings/settings_test.go
@@ -135,7 +135,7 @@ func TestSchema_Unmarshal(t *testing.T) {
 assert.False(t, cfg.VaultBase64EncodingEnabled.DefaultValue)
 assert.False(t, cfg.VaultForceEmptyOCRRounds.DefaultValue)
 assert.False(t, cfg.VaultOptimizationsEnabled.DefaultValue)
- assert.False(t, cfg.VaultGetSecretsShareLabelConsensusEnabled.DefaultValue)
+ assert.False(t, cfg.VaultGetSecretsShareAggregationIncludesPublicKeys.DefaultValue)
 assert.False(t, cfg.VaultOwnerAddressCanonicalizationEnabled.DefaultValue)
 assert.False(t, cfg.VaultSignedResponseRequestIDEnabled.DefaultValue)
 assert.Equal(t, config.Rate{Limit: rate.Limit(20), Burst: 7}, cfg.GatewayConfidentialRelayGlobalRate.DefaultValue)