Use limits framework instead of onchain config for Vault plugin ocr config

[prashantkumar1982]

New limits were added for Vault here: smartcontractkit/chainlink-common#1877

This PR makes use of those. This helps us move away from depending on onchain config, which is very cumbersome to change.

AI generated this PR by this prompts:

The goal is to make code changes in Vault Plugin at chainlink/core/services/ocr2/plugins/vault/plugin.go.
The function NewReportingPlugin() at line 182 has a variable called configProto.
We want to stop reading values from that, and instead, for all fields read from there, we want to provide a separate source.

The separate source should be added by you in this file: chainlink-common/pkg/settings/cresettings/settings.go. Some fields are already existing in lines 64-69, so feel free to reuse them. But for new ones, please create new entries here, with the prefix string Vault.

For default values of all these fields, please pick the values from this place: chainlink-deployments/domains/cre/prod/durable_pipelines/archived/upgrade_vault_ocr_plugin_20260218_172509.yaml.
The relevant fields are in this file lines 47-83.

If you find a field value in the settings.go file has a default different than the one in upgrade_vault_ocr_plugin_20260218_172509.yaml, then please choose the value in the yaml file.

The changes that you make will be in 2 parts:

1. In folder chainlink-common. Make sure you create new fields, edit existing ones as needed, but also fix any other related code in that overall folder. There are other files like defaults.json, README.md, defaults.toml, settings.go, that refer to these fields. Please edit all those files.
2. After step 1, you need to use those in the chainlink folder changes to plugin.go file. All places using configProto as source will change to using these new cresettings source. For example, "cresettings.Default.VaultPluginBatchSizeLimit".

[github-actions]

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[github-actions]

✅ No conflicts with other open PRs targeting develop

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[cedric-cordenier]

@prashantkumar1982 Have you checked that these values behave in the same way as the plugin limits?

I think BatchSize definitely doesn't -- if this applies unevenly across nodes in the DON we'll get a non-determinism error, regardless of whether we're hitting the batchSize or not

[cedric-cordenier]

The others would normally lead the plugin to return an error to the user, so I think those are also not safe to change node by node since an inconsistency will lead to a loss of quorum

[prashantkumar1982]

As we discussed, these 2 are problematic:

• maxSecretsPerOwnerLimiter
• batchSize
  Meaning these, if mismatched on a few nodes, could cause quorum failures.

we discussed that since changes will be based on limits framework, they will apply very uniformly and quickly on all nodes, but that still could be a few minutes, when potentially we fail quorum, thus slowing Vault DON, or maybe partial outage during that time.

Thus I moved these above 2 fields back to being read from onchain config.
All others are just max size changes, and should be ok to be changed safely via limits framework.

[jmank88]

Why a dummy owner?

[prashantkumar1982]

I didn't change this, it was pre-existing:

chainlink/core/services/ocr2/plugins/vault/plugin.go

Line 174 in ac7fc1c

ctx = contexts.WithCRE(ctx, contexts.CRE{Owner: "DUMMY-OWNER-FOR-LOGGING"})

[jmank88]

Seems pretty hacky 🤷

[prashantkumar1982]

I don't know why we needed to even create a new ctx. Could just reuse existing one

[jmank88]

You need to use the getter from the limits factory. The default getter doesn't know about the distributed settings

[prashantkumar1982]

Ok, now using the limitsFactory.Settings.
But I don't have much context of how to use the limits framework correctly. So please review if this is correct usage.
🙏

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
2 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[bolekk]

Limits migration LGTM. I'm not able to check the sanity of all defaults.