Introduce signing env vars #13

Open
wants to merge 1 commit into
base: main
51 changes: 28 additions & 23 deletions main.tf
Original file line number Diff line number Diff line change
@@ -21,29 +21,34 @@ module "cloud_run" {
container_port = var.superblocks_agent_port
container_image = var.superblocks_agent_image
container_env = merge({
"SUPERBLOCKS_ORCHESTRATOR_LOG_LEVEL" = "${var.superblocks_log_level}"
"SUPERBLOCKS_ORCHESTRATOR_HTTP_PORT" = "${var.superblocks_agent_port}"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_PORT" = "8081"
"SUPERBLOCKS_ORCHESTRATOR_METRICS_PORT" = "9090"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_BIND" = "0.0.0.0"
"SUPERBLOCKS_ORCHESTRATOR_HTTP_BIND" = "0.0.0.0"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_RES_MAX" = "${var.superblocks_grpc_msg_res_max}"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_REQ_MAX" = "${var.superblocks_grpc_msg_req_max}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_URL" = "${var.superblocks_server_url}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_TIMEOUT" = "${var.superblocks_timeout}"
"SUPERBLOCKS_ORCHESTRATOR_OTEL_COLLECTOR_HTTP_URL" = "https://traces.intake.superblocks.com:443/v1/traces"
"SUPERBLOCKS_ORCHESTRATOR_EMITTER_REMOTE_INTAKE" = "https://logs.intake.superblocks.com"
"SUPERBLOCKS_ORCHESTRATOR_INTAKE_METADATA_URL" = "https://metadata.intake.superblocks.com"
"SUPERBLOCKS_ORCHESTRATOR_TRANSPORT_MODE" = "grpc"
"SUPERBLOCKS_ORCHESTRATOR_STORE_MODE" = "grpc"
"SUPERBLOCKS_AGENT_KEY" = "${var.superblocks_agent_key}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_KEY" = "${var.superblocks_agent_key}"
"SUPERBLOCKS_ORCHESTRATOR_FILE_SERVER_URL" = "http://127.0.0.1:${local.superblocks_http_port}/v2/files"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_HOST_URL" = "https://${var.subdomain}.${var.domain}"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_ENVIRONMENT" = "${var.superblocks_agent_environment}"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_TAGS" = "${var.superblocks_agent_tags}"
"SUPERBLOCKS_ORCHESTRATOR_DATA_DOMAIN" = "${var.superblocks_agent_data_domain}"
"SUPERBLOCKS_ORCHESTRATOR_HANDLE_CORS" = "${var.superblocks_agent_handle_cors}"
"SUPERBLOCKS_ORCHESTRATOR_LOG_LEVEL" = "${var.superblocks_log_level}"
"SUPERBLOCKS_ORCHESTRATOR_HTTP_PORT" = "${var.superblocks_agent_port}"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_PORT" = "8081"

why aren't these vars?

i.e. what's our criteria for vars vs hardcode

"SUPERBLOCKS_ORCHESTRATOR_METRICS_PORT" = "9090"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_BIND" = "0.0.0.0"
"SUPERBLOCKS_ORCHESTRATOR_HTTP_BIND" = "0.0.0.0"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_RES_MAX" = "${var.superblocks_grpc_msg_res_max}"
"SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_REQ_MAX" = "${var.superblocks_grpc_msg_req_max}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_URL" = "${var.superblocks_server_url}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_TIMEOUT" = "${var.superblocks_timeout}"
"SUPERBLOCKS_ORCHESTRATOR_OTEL_COLLECTOR_HTTP_URL" = "https://traces.intake.superblocks.com:443/v1/traces"
"SUPERBLOCKS_ORCHESTRATOR_EMITTER_REMOTE_INTAKE" = "https://logs.intake.superblocks.com"
"SUPERBLOCKS_ORCHESTRATOR_INTAKE_METADATA_URL" = "https://metadata.intake.superblocks.com"
"SUPERBLOCKS_ORCHESTRATOR_TRANSPORT_MODE" = "grpc"
"SUPERBLOCKS_ORCHESTRATOR_STORE_MODE" = "grpc"
"SUPERBLOCKS_AGENT_KEY" = "${var.superblocks_agent_key}"
"SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_KEY" = "${var.superblocks_agent_key}"
"SUPERBLOCKS_ORCHESTRATOR_FILE_SERVER_URL" = "http://127.0.0.1:${local.superblocks_http_port}/v2/files"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_HOST_URL" = "https://${var.subdomain}.${var.domain}"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_ENVIRONMENT" = "${var.superblocks_agent_environment}"
"SUPERBLOCKS_ORCHESTRATOR_AGENT_TAGS" = "${var.superblocks_agent_tags}"
"SUPERBLOCKS_ORCHESTRATOR_DATA_DOMAIN" = "${var.superblocks_agent_data_domain}"
"SUPERBLOCKS_ORCHESTRATOR_HANDLE_CORS" = "${var.superblocks_agent_handle_cors}"
"SUPERBLOCKS_ORCHESTRATOR_SIGNATURE_SIGNING_KEY_ID" = "${var.superblocks_agent_signing_key_id}"
"SUPERBLOCKS_ORCHESTRATOR_SIGNATURE_VERIFICATION_KEY_IDS" = "${var.superblocks_agent_verification_key_ids}"
"SUPERBLOCKS_ORCHESTRATOR_SIGNATURE_KEYS" = "${var.superblocks_agent_signature_keys}"
"SUPERBLOCKS_ORCHESTRATOR_SIGNATURE_ENABLED" = "${var.superblocks_agent_signature_enabled}"
"SUPERBLOCKS_ORCHESTRATOR_RESIGNER_ENABLED" = "${var.superblocks_agent_resigner_enabled}"
}, var.superblocks_additional_env_vars)
container_cpu_throttling = var.container_cpu_throttling
container_requests_cpu = var.container_requests_cpu
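Review bot: `SUPERBLOCKS_ORCHESTRATOR_SIGNATURE_KEYS` puts key material (`<key_id>:<key_data>`) into `container_env` as a plain environment variable, so the value lands in cleartext in the Terraform state and in the Cloud Run revision spec, readable by anyone who can describe the service. If the signing key's data is private material, that widens the exposure path the existing `SUPERBLOCKS_AGENT_KEY` line already has. At minimum declare `superblocks_agent_signature_keys` with `sensitive = true` (Terraform 0.14+) so plan/apply output redacts it, and if the `cloud_run` module supports Secret Manager-backed env vars, inject the key from a secret instead of the merged map. The `module "cloud_run"` block starts before this hunk and continues after it.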
32 changes: 32 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
@@ -121,6 +121,38 @@ variable "superblocks_additional_env_vars" {
description = "Additional environment variables to specify for the Superblocks Agent container."
}

#### Signing and Resigning

variable "superblocks_agent_signing_key_id" {
type = string
default = ""
description = "The key id of the signing key used to sign the organization's resources"
}

variable "superblocks_agent_verification_key_ids" {
type = string
default = ""
description = "The key ids of the verification keys used to verify the org's resources. This is a space separated list of key ids."

nit: org's vs organization's above

}

variable "superblocks_agent_signature_keys" {
type = string
default = ""
description = "The key data specified in the form of <key_id>:<key_data>. This is a comma separated list of key data."
}

variable "superblocks_agent_signature_enabled" {
type = bool
default = false
description = "Whether to enable verification of the organization's resources. Note that all resources MUST have been signed prior to enabling this feature."
}

variable "superblocks_agent_resigner_enabled" {
type = bool
default = false
description = "Whether to enable the resigner. This will allow the agent to bulk sign the organization's resources."
}
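Review bot: `superblocks_agent_signature_keys` carries the key data behind the signing key but is declared as a plain `string` without `sensitive = true`, so Terraform will print it in plan/apply output and in any `output` that references it; add `sensitive = true` beneath `default = ""`. The two list variables also use different separators — `superblocks_agent_verification_key_ids` is space-separated while `superblocks_agent_signature_keys` is comma-separated — which is easy to get wrong at the call site; either pick one separator for both (if the agent accepts it) or state in the `signature_keys` description that key data must not contain a comma. Consider also noting on `superblocks_agent_resigner_enabled` that it is the mechanism for satisfying the "all resources MUST have been signed" precondition on `superblocks_agent_signature_enabled`, since the two descriptions currently read independently.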

#################################################################
# Cloud Run
#################################################################