Use simplified auth header approach

core/cmd/shell.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"bytes"
 	"context"
-	"crypto/ed25519"
 	"crypto/tls"
 	"database/sql"
 	"encoding/json"
@@ -67,7 +66,7 @@ var (
 	grpcOpts        loop.GRPCOpts
 )
 
-func initGlobals(cfgProm config.Prometheus, cfgTracing config.Tracing, cfgTelemetry config.Telemetry, lggr logger.Logger, csaPubKey []byte, csaSigner func([]byte) []byte) error {
+func initGlobals(cfgProm config.Prometheus, cfgTracing config.Tracing, cfgTelemetry config.Telemetry, lggr logger.Logger, csaPubKeyHex string, beholderAuthHeaders map[string]string) error {
 	// Avoid double initializations, but does not prevent relay methods from being called multiple times.
 	var err error
 	initGlobalsOnce.Do(func() {
@@ -105,8 +104,8 @@ func initGlobals(cfgProm config.Prometheus, cfgTracing config.Tracing, cfgTeleme
 				OtelExporterGRPCEndpoint: cfgTelemetry.OtelExporterGRPCEndpoint(),
 				ResourceAttributes:       attributes,
 				TraceSampleRatio:         cfgTelemetry.TraceSampleRatio(),
-				AuthenticatorPublicKey:   csaPubKey,
-				AuthenticatorSigner:      csaSigner,
+				AuthPublicKeyHex:         csaPubKeyHex,
+				AuthHeaders:              beholderAuthHeaders,
 			}
 			if tracingCfg.Enabled {
 				clientCfg.TraceSpanExporter, err = tracingCfg.NewSpanExporter()
@@ -209,25 +208,19 @@ func (n ChainlinkAppFactory) NewApplication(ctx context.Context, cfg chainlink.G
 		return nil, errors.Wrap(err, "failed to ensure CSA key")
 	}
 
-	csaKeys, err := keyStore.CSA().GetAll()
+	beholderAuthHeaders, csaPubKeyHex, err := keystore.BuildBeholderAuth(keyStore)
 	if err != nil {
-		return nil, err
-	}
-	csaKey := csaKeys[0]
-	csaPubKey := csaKey.PublicKey
-	csaPrivKey := csaKey.Raw().Bytes()
-	csaSigner := func(data []byte) []byte {
-		return ed25519.Sign(csaPrivKey, data)
+		return nil, errors.Wrap(err, "failed to build Beholder auth")
 	}
 
-	err = initGlobals(cfg.Prometheus(), cfg.Tracing(), cfg.Telemetry(), appLggr, csaPubKey, csaSigner)
+	err = initGlobals(cfg.Prometheus(), cfg.Tracing(), cfg.Telemetry(), appLggr, csaPubKeyHex, beholderAuthHeaders)
 	if err != nil {
 		appLggr.Errorf("Failed to initialize globals: %v", err)
 	}
 
 	mailMon := mailbox.NewMonitor(cfg.AppID().String(), appLggr.Named("Mailbox"))
 
-	loopRegistry := plugins.NewLoopRegistry(appLggr, cfg.Tracing(), cfg.Telemetry())
+	loopRegistry := plugins.NewLoopRegistry(appLggr, cfg.Tracing(), cfg.Telemetry(), beholderAuthHeaders, csaPubKeyHex)
 
 	mercuryPool := wsrpc.NewPool(appLggr, cache.Config{
 		LatestReportTTL:      cfg.Mercury().Cache().LatestReportTTL(),

core/cmd/shell_local_test.go

@@ -46,7 +46,7 @@ import (
 func genTestEVMRelayers(t *testing.T, opts legacyevm.ChainRelayOpts, ks evmrelayer.CSAETHKeystore) *chainlink.CoreRelayerChainInteroperators {
 	f := chainlink.RelayerFactory{
 		Logger:               opts.Logger,
-		LoopRegistry:         plugins.NewLoopRegistry(opts.Logger, opts.AppConfig.Tracing(), opts.AppConfig.Telemetry()),
+		LoopRegistry:         plugins.NewLoopRegistry(opts.Logger, opts.AppConfig.Tracing(), opts.AppConfig.Telemetry(), nil, ""),
 		CapabilitiesRegistry: capabilities.NewRegistry(opts.Logger),
 	}
 

core/cmd/shell_test.go

@@ -351,7 +351,7 @@ func TestNewUserCache(t *testing.T) {
 
 func TestSetupSolanaRelayer(t *testing.T) {
 	lggr := logger.TestLogger(t)
-	reg := plugins.NewLoopRegistry(lggr, nil, nil)
+	reg := plugins.NewLoopRegistry(lggr, nil, nil, nil, "")
 	ks := mocks.NewSolana(t)
 
 	// config 3 chains but only enable 2 => should only be 2 relayer
@@ -466,7 +466,7 @@ func TestSetupSolanaRelayer(t *testing.T) {
 
 func TestSetupStarkNetRelayer(t *testing.T) {
 	lggr := logger.TestLogger(t)
-	reg := plugins.NewLoopRegistry(lggr, nil, nil)
+	reg := plugins.NewLoopRegistry(lggr, nil, nil, nil, "")
 	ks := mocks.NewStarkNet(t)
 	// config 3 chains but only enable 2 => should only be 2 relayer
 	nEnabledChains := 2

core/internal/cltest/cltest.go

@@ -392,7 +392,7 @@ func NewApplicationWithConfig(t testing.TB, cfg chainlink.GeneralConfig, flagsAn
 	keyStore := keystore.NewInMemory(ds, utils.FastScryptParams, lggr)
 
 	mailMon := mailbox.NewMonitor(cfg.AppID().String(), lggr.Named("Mailbox"))
-	loopRegistry := plugins.NewLoopRegistry(lggr, nil, nil)
+	loopRegistry := plugins.NewLoopRegistry(lggr, nil, nil, nil, "")
 
 	mercuryPool := wsrpc.NewPool(lggr, cache.Config{
 		LatestReportTTL:      cfg.Mercury().Cache().LatestReportTTL(),
@@ -486,7 +486,7 @@ func NewApplicationWithConfig(t testing.TB, cfg chainlink.GeneralConfig, flagsAn
 		RestrictedHTTPClient:       c,
 		UnrestrictedHTTPClient:     c,
 		SecretGenerator:            MockSecretGenerator{},
-		LoopRegistry:               plugins.NewLoopRegistry(lggr, nil, nil),
+		LoopRegistry:               plugins.NewLoopRegistry(lggr, nil, nil, nil, ""),
 		MercuryPool:                mercuryPool,
 		CapabilitiesRegistry:       capabilitiesRegistry,
 		CapabilitiesDispatcher:     dispatcher,

core/scripts/go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/prometheus/client_golang v1.20.0
 	github.com/shopspring/decimal v1.4.0
 	github.com/smartcontractkit/chainlink-automation v1.0.0-alpha.0.0.20241023165837-8c05ee9b97d5
-	github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd0
+	github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f
 	github.com/smartcontractkit/chainlink/integration-tests v0.0.0-00010101000000-000000000000
 	github.com/smartcontractkit/chainlink/v2 v2.0.0-00010101000000-000000000000
 	github.com/smartcontractkit/libocr v0.0.0-20241007185508-adbe57025f12

core/scripts/go.sum

@@ -1090,6 +1090,14 @@ github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd0/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101202525-8de7278fe6fa h1:8k7eLz8zqRGd05oKYjlVAalgQabL0cjjcImEcfmxquY=
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101202525-8de7278fe6fa/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105201914-33342abf9229 h1:I2IjGarJDyb5c2YKE5RjgmudkYK5yGOZrx/HjpcZc9M=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105201914-33342abf9229/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105211331-d77a5c800dc7 h1:cI62yphGqoverMSfNioQKk8MRobLvywilvgw7ZED2jM=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105211331-d77a5c800dc7/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105212138-240239940208 h1:rjyjZdlvW97UGJ47VWDMjDFstY1utDZYyZhxbIehaC4=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105212138-240239940208/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f h1:2Qs1lM5GY0E5IaMwky7jOsCSEjLMFUU6cd/BlaEIcK0=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
 github.com/smartcontractkit/chainlink-cosmos v0.5.2-0.20241017133723-5277829bd53f h1:BwrIaQIx5Iy6eT+DfLhFfK2XqjxRm74mVdlX8gbu4dw=
 github.com/smartcontractkit/chainlink-cosmos v0.5.2-0.20241017133723-5277829bd53f/go.mod h1:wHtwSR3F1CQSJJZDQKuqaqFYnvkT+kMyget7dl8Clvo=
 github.com/smartcontractkit/chainlink-data-streams v0.1.1-0.20241018134907-a00ba3729b5e h1:JiETqdNM0bktAUGMc62COwXIaw3rR3M77Me6bBLG0Fg=

core/services/chainlink/application.go

@@ -302,7 +302,11 @@ func NewApplication(opts ApplicationOpts) (Application, error) {
 	// we need to initialize in case we serve OCR2 LOOPs
 	loopRegistry := opts.LoopRegistry
 	if loopRegistry == nil {
-		loopRegistry = plugins.NewLoopRegistry(globalLogger, opts.Config.Tracing(), opts.Config.Telemetry())
+		beholderAuthHeaders, csaPubKeyHex, err := keystore.BuildBeholderAuth(keyStore)
+		if err != nil {
+			return nil, fmt.Errorf("could not build Beholder auth: %w", err)
+		}
+		loopRegistry = plugins.NewLoopRegistry(globalLogger, opts.Config.Tracing(), opts.Config.Telemetry(), beholderAuthHeaders, csaPubKeyHex)
 	}
 
 	// If the audit logger is enabled

core/services/chainlink/relayer_chain_interoperators_test.go

@@ -176,7 +176,7 @@ func TestCoreRelayerChainInteroperators(t *testing.T) {
 
 	factory := chainlink.RelayerFactory{
 		Logger:               lggr,
-		LoopRegistry:         plugins.NewLoopRegistry(lggr, nil, nil),
+		LoopRegistry:         plugins.NewLoopRegistry(lggr, nil, nil, nil, ""),
 		GRPCOpts:             loop.GRPCOpts{},
 		CapabilitiesRegistry: capabilities.NewRegistry(lggr),
 	}

core/services/keystore/beholder.go

@@ -0,0 +1,23 @@
+package keystore
+
+import (
+	"crypto/ed25519"
+	"encoding/hex"
+
+	"github.com/smartcontractkit/chainlink-common/pkg/beholder"
+)
+
+func BuildBeholderAuth(keyStore Master) (map[string]string, string, error) {
+	csaKeys, err := keyStore.CSA().GetAll()
+	if err != nil {
+		return nil, "", err
+	}
+	csaKey := csaKeys[0]
+	csaPrivKey := csaKey.Raw().Bytes()
+	csaSigner := func(data []byte) []byte {
+		return ed25519.Sign(csaPrivKey, data)
+	}
+	beholderAuthHeaders := beholder.BuildAuthHeaders(csaSigner, csaKey.PublicKey)
+
+	return beholderAuthHeaders, hex.EncodeToString(csaKey.PublicKey), nil
+}

core/services/ocr2/plugins/ccip/testhelpers/integration/chainlink.go

@@ -459,7 +459,10 @@ func setupNodeCCIP(
 		},
 		CSAETHKeystore: simEthKeyStore,
 	}
-	loopRegistry := plugins.NewLoopRegistry(lggr.Named("LoopRegistry"), config.Tracing(), config.Telemetry())
+	beholderAuthHeaders, csaPubKeyHex, err := keystore.BuildBeholderAuth(keyStore)
+	require.NoError(t, err)
+
+	loopRegistry := plugins.NewLoopRegistry(lggr.Named("LoopRegistry"), config.Tracing(), config.Telemetry(), beholderAuthHeaders, csaPubKeyHex)
 	relayerFactory := chainlink.RelayerFactory{
 		Logger:               lggr,
 		LoopRegistry:         loopRegistry,
@@ -489,7 +492,7 @@ func setupNodeCCIP(
 		RestrictedHTTPClient:       &http.Client{},
 		AuditLogger:                audit.NoopLogger,
 		MailMon:                    mailMon,
-		LoopRegistry:               plugins.NewLoopRegistry(lggr, config.Tracing(), config.Telemetry()),
+		LoopRegistry:               plugins.NewLoopRegistry(lggr, config.Tracing(), config.Telemetry(), beholderAuthHeaders, csaPubKeyHex),
 	})
 	require.NoError(t, err)
 	require.NoError(t, app.GetKeyStore().Unlock(ctx, "password"))

core/services/ocr2/plugins/ccip/testhelpers/testhelpers_1_4_0/chainlink.go

@@ -454,7 +454,11 @@ func setupNodeCCIP(
 		},
 		CSAETHKeystore: simEthKeyStore,
 	}
-	loopRegistry := plugins.NewLoopRegistry(lggr.Named("LoopRegistry"), config.Tracing(), config.Telemetry())
+
+	beholderAuthHeaders, csaPubKeyHex, err := keystore.BuildBeholderAuth(keyStore)
+	require.NoError(t, err)
+
+	loopRegistry := plugins.NewLoopRegistry(lggr.Named("LoopRegistry"), config.Tracing(), config.Telemetry(), beholderAuthHeaders, csaPubKeyHex)
 	relayerFactory := chainlink.RelayerFactory{
 		Logger:               lggr,
 		LoopRegistry:         loopRegistry,
@@ -484,7 +488,7 @@ func setupNodeCCIP(
 		RestrictedHTTPClient:       &http.Client{},
 		AuditLogger:                audit.NoopLogger,
 		MailMon:                    mailMon,
-		LoopRegistry:               plugins.NewLoopRegistry(lggr, config.Tracing(), config.Telemetry()),
+		LoopRegistry:               plugins.NewLoopRegistry(lggr, config.Tracing(), config.Telemetry(), beholderAuthHeaders, csaPubKeyHex),
 	})
 	ctx := testutils.Context(t)
 	require.NoError(t, err)

core/web/loop_registry_internal_test.go

@@ -38,7 +38,7 @@ func TestLoopRegistryServer_CantWriteToResponse(t *testing.T) {
 	l, o := logger.TestLoggerObserved(t, zap.ErrorLevel)
 	s := &LoopRegistryServer{
 		exposedPromPort: 1,
-		registry:        plugins.NewLoopRegistry(l, nil, nil),
+		registry:        plugins.NewLoopRegistry(l, nil, nil, nil, ""),
 		logger:          l.(logger.SugaredLogger),
 		jsonMarshalFn:   json.Marshal,
 	}
@@ -53,7 +53,7 @@ func TestLoopRegistryServer_CantMarshal(t *testing.T) {
 	l, o := logger.TestLoggerObserved(t, zap.ErrorLevel)
 	s := &LoopRegistryServer{
 		exposedPromPort: 1,
-		registry:        plugins.NewLoopRegistry(l, nil, nil),
+		registry:        plugins.NewLoopRegistry(l, nil, nil, nil, ""),
 		logger:          l.(logger.SugaredLogger),
 		jsonMarshalFn: func(any) ([]byte, error) {
 			return []byte(""), errors.New("can't unmarshal")

go.mod

@@ -76,7 +76,7 @@ require (
 	github.com/smartcontractkit/chain-selectors v1.0.27
 	github.com/smartcontractkit/chainlink-automation v0.8.1
 	github.com/smartcontractkit/chainlink-ccip v0.0.0-20241025085158-0f6dce5d1fdb
-	github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd0
+	github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f
 	github.com/smartcontractkit/chainlink-cosmos v0.5.2-0.20241017133723-5277829bd53f
 	github.com/smartcontractkit/chainlink-data-streams v0.1.1-0.20241018134907-a00ba3729b5e
 	github.com/smartcontractkit/chainlink-feeds v0.1.1

go.sum

@@ -1073,6 +1073,14 @@ github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101200950-210eb67fecd0/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101202525-8de7278fe6fa h1:8k7eLz8zqRGd05oKYjlVAalgQabL0cjjcImEcfmxquY=
 github.com/smartcontractkit/chainlink-common v0.3.1-0.20241101202525-8de7278fe6fa/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105201914-33342abf9229 h1:I2IjGarJDyb5c2YKE5RjgmudkYK5yGOZrx/HjpcZc9M=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105201914-33342abf9229/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105211331-d77a5c800dc7 h1:cI62yphGqoverMSfNioQKk8MRobLvywilvgw7ZED2jM=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105211331-d77a5c800dc7/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105212138-240239940208 h1:rjyjZdlvW97UGJ47VWDMjDFstY1utDZYyZhxbIehaC4=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241105212138-240239940208/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f h1:2Qs1lM5GY0E5IaMwky7jOsCSEjLMFUU6cd/BlaEIcK0=
+github.com/smartcontractkit/chainlink-common v0.3.1-0.20241106012901-5a80788ed40f/go.mod h1:TQ9/KKXZ9vr8QAlUquqGpSvDCpR+DtABKPXZY4CiRns=
 github.com/smartcontractkit/chainlink-cosmos v0.5.2-0.20241017133723-5277829bd53f h1:BwrIaQIx5Iy6eT+DfLhFfK2XqjxRm74mVdlX8gbu4dw=
 github.com/smartcontractkit/chainlink-cosmos v0.5.2-0.20241017133723-5277829bd53f/go.mod h1:wHtwSR3F1CQSJJZDQKuqaqFYnvkT+kMyget7dl8Clvo=
 github.com/smartcontractkit/chainlink-data-streams v0.1.1-0.20241018134907-a00ba3729b5e h1:JiETqdNM0bktAUGMc62COwXIaw3rR3M77Me6bBLG0Fg=

plugins/loop_registry.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/hashicorp/consul/sdk/freeport"
 
-	"github.com/smartcontractkit/chainlink-common/pkg/beholder"
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 	"github.com/smartcontractkit/chainlink-common/pkg/loop"
 
@@ -28,17 +27,21 @@ type LoopRegistry struct {
 	mu       sync.Mutex
 	registry map[string]*RegisteredLoop
 
-	lggr         logger.Logger
-	cfgTracing   config.Tracing
-	cfgTelemetry config.Telemetry
+	lggr                   logger.Logger
+	cfgTracing             config.Tracing
+	cfgTelemetry           config.Telemetry
+	telemetryAuthHeaders   map[string]string
+	telemetryAuthPubKeyHex string
 }
 
-func NewLoopRegistry(lggr logger.Logger, tracing config.Tracing, telemetry config.Telemetry) *LoopRegistry {
+func NewLoopRegistry(lggr logger.Logger, tracing config.Tracing, telemetry config.Telemetry, telemetryAuthHeaders map[string]string, telemetryAuthPubKeyHex string) *LoopRegistry {
 	return &LoopRegistry{
-		registry:     map[string]*RegisteredLoop{},
-		lggr:         logger.Named(lggr, "LoopRegistry"),
-		cfgTracing:   tracing,
-		cfgTelemetry: telemetry,
+		registry:               map[string]*RegisteredLoop{},
+		lggr:                   logger.Named(lggr, "LoopRegistry"),
+		cfgTracing:             tracing,
+		cfgTelemetry:           telemetry,
+		telemetryAuthHeaders:   telemetryAuthHeaders,
+		telemetryAuthPubKeyHex: telemetryAuthPubKeyHex,
 	}
 }
 
@@ -75,8 +78,8 @@ func (m *LoopRegistry) Register(id string) (*RegisteredLoop, error) {
 		envCfg.TelemetryCACertFile = m.cfgTelemetry.CACertFile()
 		envCfg.TelemetryAttributes = m.cfgTelemetry.ResourceAttributes()
 		envCfg.TelemetryTraceSampleRatio = m.cfgTelemetry.TraceSampleRatio()
-		envCfg.TelemetryAuthHeaders = beholder.GetAuthenticator().GetHeaders()
-		envCfg.TelemetryAuthPubKeyHex = fmt.Sprintf("%x", beholder.GetAuthenticator().GetPubKey())
+		envCfg.TelemetryAuthHeaders = m.telemetryAuthHeaders
+		envCfg.TelemetryAuthPubKeyHex = m.telemetryAuthPubKeyHex
 	}
 
 	m.registry[id] = &RegisteredLoop{Name: id, EnvCfg: envCfg}

plugins/loop_registry_test.go

@@ -11,7 +11,7 @@ import (
 
 func TestPluginPortManager(t *testing.T) {
 	// register one
-	m := NewLoopRegistry(logger.TestLogger(t), nil, nil)
+	m := NewLoopRegistry(logger.TestLogger(t), nil, nil, nil, "")
 	pFoo, err := m.Register("foo")
 	require.NoError(t, err)
 	require.Equal(t, "foo", pFoo.Name)