From 4dcfb47b066d4f20a29788a73cebcf46042c2fbb Mon Sep 17 00:00:00 2001 From: Al Cutter Date: Wed, 20 Aug 2025 16:22:41 +0100 Subject: [PATCH 1/3] Update cloudbuild to build witness images --- deployment/live/cloudbuild/dev/terragrunt.hcl | 5 +- deployment/live/cloudbuild/terragrunt.hcl | 8 +- deployment/live/monitoring/ci/terragrunt.hcl | 2 +- deployment/live/monitoring/dev/terragrunt.hcl | 2 +- .../live/monitoring/prod/terragrunt.hcl | 4 +- deployment/live/monitoring/terragrunt.hcl | 2 +- deployment/live/serving/terragrunt.hcl | 8 +- deployment/modules/cloudbuild/main.tf | 122 ++++++++++++++++-- deployment/modules/cloudbuild/outputs.tf | 11 +- deployment/modules/cloudbuild/variables.tf | 9 +- 10 files changed, 143 insertions(+), 30 deletions(-) diff --git a/deployment/live/cloudbuild/dev/terragrunt.hcl b/deployment/live/cloudbuild/dev/terragrunt.hcl index d4b3c98..42236c3 100644 --- a/deployment/live/cloudbuild/dev/terragrunt.hcl +++ b/deployment/live/cloudbuild/dev/terragrunt.hcl @@ -6,8 +6,9 @@ include "root" { inputs = merge( include.root.locals, { - cloud_run_service = "distributor-service-dev" - slack_template_json = file("slack.json") + distributor_cloud_run_service = "distributor-service-dev" + witness_cloud_run_service = "witness-service-dev" + slack_template_json = file("slack.json") } ) diff --git a/deployment/live/cloudbuild/terragrunt.hcl b/deployment/live/cloudbuild/terragrunt.hcl index 958668f..4968e6a 100644 --- a/deployment/live/cloudbuild/terragrunt.hcl +++ b/deployment/live/cloudbuild/terragrunt.hcl @@ -3,9 +3,9 @@ terraform { } locals { - project_id = "checkpoint-distributor" - region = "us-central1" - env = path_relative_to_include() + project_id = "checkpoint-distributor" + region = "us-central1" + env = path_relative_to_include() } remote_state { @@ -18,7 +18,7 @@ remote_state { prefix = "${path_relative_to_include()}-terraform.tfstate" gcs_bucket_labels = { - name = "terraform_state_storage" + name = "terraform_state_storage" } } } 
diff --git a/deployment/live/monitoring/ci/terragrunt.hcl b/deployment/live/monitoring/ci/terragrunt.hcl index d3a4568..9dc6583 100644 --- a/deployment/live/monitoring/ci/terragrunt.hcl +++ b/deployment/live/monitoring/ci/terragrunt.hcl @@ -7,7 +7,7 @@ inputs = merge( include.root.locals, { alert_lt_num_witness_threshold = 0 - num_expected_devices = 5 + num_expected_devices = 5 } ) diff --git a/deployment/live/monitoring/dev/terragrunt.hcl b/deployment/live/monitoring/dev/terragrunt.hcl index e7f247c..e46ff11 100644 --- a/deployment/live/monitoring/dev/terragrunt.hcl +++ b/deployment/live/monitoring/dev/terragrunt.hcl @@ -7,7 +7,7 @@ inputs = merge( include.root.locals, { alert_lt_num_witness_threshold = 0 - num_expected_devices = 2 + num_expected_devices = 2 } ) diff --git a/deployment/live/monitoring/prod/terragrunt.hcl b/deployment/live/monitoring/prod/terragrunt.hcl index 979b22c..757dfa8 100644 --- a/deployment/live/monitoring/prod/terragrunt.hcl +++ b/deployment/live/monitoring/prod/terragrunt.hcl @@ -7,8 +7,8 @@ inputs = merge( include.root.locals, { alert_lt_num_witness_threshold = 10 - alert_enable_num_witness = false - num_expected_devices = 15 + alert_enable_num_witness = false + num_expected_devices = 15 } ) diff --git a/deployment/live/monitoring/terragrunt.hcl b/deployment/live/monitoring/terragrunt.hcl index 21a805c..980abd4 100644 --- a/deployment/live/monitoring/terragrunt.hcl +++ b/deployment/live/monitoring/terragrunt.hcl @@ -19,7 +19,7 @@ remote_state { prefix = "${path_relative_to_include()}/terraform.tfstate" gcs_bucket_labels = { - name = "terraform_state_storage" + name = "terraform_state_storage" } } } diff --git a/deployment/live/serving/terragrunt.hcl b/deployment/live/serving/terragrunt.hcl index 908668b..a082bbc 100644 --- a/deployment/live/serving/terragrunt.hcl +++ b/deployment/live/serving/terragrunt.hcl 
@@ -3,9 +3,9 @@ terraform { } locals { - project_id = "checkpoint-distributor" - region = "us-central1" - env = path_relative_to_include() + project_id = "checkpoint-distributor" + region = "us-central1" + env = path_relative_to_include() witnesses_raw = yamldecode(file("${get_repo_root()}/config/witnesses-${local.env}.yaml")) witnessArgs = [for w in local.witnesses_raw.Witnesses : "--witkey=${w}"] } @@ -20,7 +20,7 @@ remote_state { prefix = "${path_relative_to_include()}/terraform.tfstate" gcs_bucket_labels = { - name = "terraform_state_storage" + name = "terraform_state_storage" } } } diff --git a/deployment/modules/cloudbuild/main.tf b/deployment/modules/cloudbuild/main.tf index d2fbc9b..ef8c07a 100644 --- a/deployment/modules/cloudbuild/main.tf +++ b/deployment/modules/cloudbuild/main.tf @@ -30,7 +30,8 @@ resource "google_artifact_registry_repository" "distributor_docker" { locals { artifact_repo = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.distributor_docker.name}" - docker_image = "${local.artifact_repo}/distributor" + distributor_docker_image = "${local.artifact_repo}/distributor" + witness_docker_image = "${local.artifact_repo}/witness" } resource "google_cloudbuild_trigger" "distributor_docker" { @@ -51,8 +52,8 @@ resource "google_cloudbuild_trigger" "distributor_docker" { name = "gcr.io/cloud-builders/docker" args = [ "build", - "-t", "${local.docker_image}:$SHORT_SHA", - "-t", "${local.docker_image}:latest", + "-t", "${local.distributor_docker_image}:$SHORT_SHA", + "-t", "${local.distributor_docker_image}:latest", "-f", "./cmd/Dockerfile", "." ] @@ -62,7 +63,7 @@ resource "google_cloudbuild_trigger" "distributor_docker" { args = [ "push", "--all-tags", - local.docker_image + local.distributor_docker_image ] } # Deploy container image to Cloud Run 
@@ -72,9 +73,9 @@ resource "google_cloudbuild_trigger" "distributor_docker" { args = [ "run", "deploy", - var.cloud_run_service, + var.distributor_cloud_run_service, "--image", - "${local.docker_image}:$SHORT_SHA", + "${local.distributor_docker_image}:$SHORT_SHA", "--region", var.region ] @@ -109,22 +110,22 @@ resource "google_cloudbuild_trigger" "distributor_docker_tag" { name = "gcr.io/cloud-builders/docker" args = [ "pull", - "${local.docker_image}:$SHORT_SHA", + "${local.distributor_docker_image}:$SHORT_SHA", ] } step { name = "gcr.io/cloud-builders/docker" args = [ "tag", - "${local.docker_image}:$SHORT_SHA", - "${local.docker_image}:$TAG_NAME", + "${local.distributor_docker_image}:$SHORT_SHA", + "${local.distributor_docker_image}:$TAG_NAME", ] } step { name = "gcr.io/cloud-builders/docker" args = [ "push", - "${local.docker_image}:$TAG_NAME", + "${local.distributor_docker_image}:$TAG_NAME", ] } options { 
@@ -133,6 +134,107 @@ resource "google_cloudbuild_trigger" "distributor_docker_tag" {
 }
 }
 
+resource "google_cloudbuild_trigger" "witness_docker" {
+ name = "build-witness-docker-${var.env}"
+ service_account = google_service_account.cloudbuild_service_account.id
+ location = var.region
+
+ github {
+ owner = "transparency-dev"
+ name = "witness"
+ push {
+ branch = "^main$"
+ }
+ }
+
+ build {
+ step {
+ name = "gcr.io/cloud-builders/docker"
+ args = [
+ "build",
+ "-t", "${local.witness_docker_image}:$SHORT_SHA",
+ "-t", "${local.witness_docker_image}:latest",
+ "-f", "./cmd/gcp/omniwitness/Dockerfile",
+ "."
+ ]
+ }
+ step {
+ name = "gcr.io/cloud-builders/docker"
+ args = [
+ "push",
+ "--all-tags",
+ local.witness_docker_image
+ ]
+ }
+ # Deploy container image to Cloud Run
+ step {
+ name = "gcr.io/google.com/cloudsdktool/cloud-sdk"
+ entrypoint = "gcloud"
+ args = [
+ "run",
+ "deploy",
+ var.witness_cloud_run_service,
+ "--image",
+ "${local.witness_docker_image}:$SHORT_SHA",
+ "--region",
+ var.region
+ ]
+ }
+ options {
+ logging = "CLOUD_LOGGING_ONLY"
+ }
+ }
+}
+
+# When a new tag is pushed to GitHub, add that tag to the docker
+# image that was already pushed to the repo for the corresponding
+# commit hash.
+# This requires that the above step has already completed, but that
+# seems like a fair assumption given that we'd have deployed it in ci
+# before tagging it.
+resource "google_cloudbuild_trigger" "witness_docker_tag" {
+ name = "tag-witness-docker-${var.env}"
+ service_account = google_service_account.cloudbuild_service_account.id
+ location = var.region
+
+ github {
+ owner = "transparency-dev"
+ name = "witness"
+ push {
+ tag = ".*"
+ }
+ }
+
+ build {
+ step {
+ name = "gcr.io/cloud-builders/docker"
+ args = [
+ "pull",
+ "${local.witness_docker_image}:$SHORT_SHA",
+ ]
+ }
+ step {
+ name = "gcr.io/cloud-builders/docker"
+ args = [
+ "tag",
+ "${local.witness_docker_image}:$SHORT_SHA",
+ "${local.witness_docker_image}:$TAG_NAME",
+ ]
+ }
+ step {
+ name = "gcr.io/cloud-builders/docker"
+ args = [
+ "push",
+ "${local.witness_docker_image}:$TAG_NAME",
+ ]
+ }
+ options {
+ logging = "CLOUD_LOGGING_ONLY"
+ }
+ }
+}
+
+
 resource "google_service_account" "cloudbuild_service_account" {
 account_id = "cloudbuild-${var.env}-sa"
 display_name = "Service Account for CloudBuild (${var.env})"
diff --git a/deployment/modules/cloudbuild/outputs.tf b/deployment/modules/cloudbuild/outputs.tf
index b858daf..831a0d3 100644
--- a/deployment/modules/cloudbuild/outputs.tf
+++ b/deployment/modules/cloudbuild/outputs.tf
@@ -29,7 +29,12 @@ output "cloudbuild_trigger_id" {
 value = google_cloudbuild_trigger.distributor_docker.id
 }
 
-output "docker_image" {
- description = "The address of the docker image that will be built"
- value = local.docker_image
+output "distributor_docker_image" {
+ description = "The address of the distributor docker image that will be built"
+ value = local.distributor_docker_image
+}
+
+output "witness_docker_image" {
+ description = "The address of the witness docker image that will be built"
+ value = local.witness_docker_image
 }
diff --git a/deployment/modules/cloudbuild/variables.tf b/deployment/modules/cloudbuild/variables.tf
index e8ad183..be2adf7 100644
--- a/deployment/modules/cloudbuild/variables.tf
+++ b/deployment/modules/cloudbuild/variables.tf
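Review bot: Both new triggers build an arbitrary Dockerfile from the `main` branch and from every tag (`tag = ".*"`) of the external `transparency-dev/witness` repository, and run it under the same `google_service_account.cloudbuild_service_account` the distributor triggers already use, so a compromise of either upstream repository's main branch becomes a deployment into this project. Consider a dedicated service account for the witness triggers limited to the witness image path and `var.witness_cloud_run_service`, and for non-dev environments `approval_config { approval_required = true }` on the build trigger. The build step also publishes a mutable `:latest` tag via `push --all-tags` even though the deploy step correctly uses `:$SHORT_SHA`; since `:latest` is only consumed by the live terragrunt inputs, it would be safer to drop it or pin those inputs by digest. Finally, if this trigger fires before the witness Terraform module has been applied, `gcloud run deploy` will presumably create `witness-service-dev` with gcloud defaults rather than the module's configuration — worth a comment on the deploy step such as `# Assumes the Cloud Run service already exists (created by deployment/modules/witness); only the image is updated here.`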
@@ -29,8 +29,13 @@ variable "env" { type = string } -variable "cloud_run_service" { - description = "The name of the cloud run service that new images should be pushed to" +variable "distributor_cloud_run_service" { + description = "The name of the cloud run service running the distributor that new distributor images should be pushed to" + type = string +} + +variable "witness_cloud_run_service" { + description = "The name of the cloud run service running the witness that new witness images should be pushed to" type = string } From 020388c438ee3dc3cf51a194fad0da864ddf6255 Mon Sep 17 00:00:00 2001 From: Al Cutter Date: Wed, 20 Aug 2025 16:44:41 +0100 Subject: [PATCH 2/3] Add witness module --- deployment/live/witness/README.md | 26 +++ deployment/live/witness/dev/terragrunt.hcl | 13 ++ deployment/live/witness/root.hcl | 24 +++ deployment/modules/witness/main.tf | 205 +++++++++++++++++++++ deployment/modules/witness/outputs.tf | 21 +++ deployment/modules/witness/variables.tf | 47 +++++ 6 files changed, 336 insertions(+) create mode 100644 deployment/live/witness/README.md create mode 100644 deployment/live/witness/dev/terragrunt.hcl create mode 100644 deployment/live/witness/root.hcl create mode 100644 deployment/modules/witness/main.tf create mode 100644 deployment/modules/witness/outputs.tf create mode 100644 deployment/modules/witness/variables.tf diff --git a/deployment/live/witness/README.md b/deployment/live/witness/README.md new file mode 100644 index 0000000..b7822fe --- /dev/null +++ b/deployment/live/witness/README.md 
@@ -0,0 +1,26 @@
+# Witness deployment
+
+The directories under here contain the top-level terragrunt files for the deployment environments.
+
+In all cases, before deploying for the first time, you MUST have created the witness public and
+private keys or the `terragrunt apply` will fail.
+
+The keys can be generated and stored in Secret Manager from a shell on machine with appropriate
+gcloud auth, e.g. CloudShell.
+The example command below will generate a public and private note key-pair, using the provided
+witness name, and will use those to create and populate the initial version of two Secret Manager
+secrets called `witness_public_XXX` and `witness_secret_XXX` respectively, where XXX is the name
+of the target deployment environment.
+
+```bash
+$ export TARGET="dev" # This MUST match the name of the directory you're deploying
+$ export WITNESS_NAME="..." # This is the witness name we're generating keys for. It should follow the schemaless-url recommendation from `tlog-witness`.
+$ go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD \
+ --key_name="${WITNESS_NAME}" \
+ --print |
+ tee >(grep -v PRIVATE | gcloud secrets create witness_public_${TARGET} --data-file=-) |
+ grep PRIVATE |
+ gcloud secrets create witness_secret_${TARGET} --data-file=-
+Created version [1] of the secret [witness_public_dev].
+Created version [1] of the secret [witness_secret_dev].
+```
diff --git a/deployment/live/witness/dev/terragrunt.hcl b/deployment/live/witness/dev/terragrunt.hcl
new file mode 100644
index 0000000..ae1617f
--- /dev/null
+++ b/deployment/live/witness/dev/terragrunt.hcl
@@ -0,0 +1,13 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ expose = true
+}
+
+inputs = merge(
+ include.root.locals,
+ {
+ witness_docker_image = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest"
+ ephemeral = true
+ }
+)
+
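Review bot: `witness_docker_image` points at the mutable `:latest` tag, so what Terraform deploys depends on whichever build last pushed and cannot be reproduced from state; pin it to an immutable reference such as `witness@sha256:<digest>` or the `:$SHORT_SHA` tag the Cloud Build trigger produces. The witness module's `google_cloud_run_v2_service` in this same series has no `lifecycle { ignore_changes = [...] }` on the container image, so after the trigger runs `gcloud run deploy --image ...:$SHORT_SHA` the next `terragrunt apply` will revert the service to `:latest` and the two will keep overwriting each other. Since `ephemeral = true` disables deletion protection on the Cloud Run service and the Spanner database and sets `force_destroy` on the Spanner instance, a comment that this is only appropriate for dev/CI would help, e.g. `# ephemeral: permits destroying the Spanner instance/database and the service; never set this for prod`.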
diff --git a/deployment/live/witness/root.hcl b/deployment/live/witness/root.hcl
new file mode 100644
index 0000000..7887441
--- /dev/null
+++ b/deployment/live/witness/root.hcl
@@ -0,0 +1,24 @@
+terraform {
+ source = "${get_repo_root()}/deployment/modules/witness"
+}
+
+locals {
+ project_id = "checkpoint-distributor"
+ region = "us-central1"
+ env = path_relative_to_include()
+}
+
+remote_state {
+ backend = "gcs"
+
+ config = {
+ project = local.project_id
+ location = local.region
+ bucket = "${local.project_id}-witness-${local.env}-terraform-state"
+ prefix = "${path_relative_to_include()}/terraform.tfstate"
+
+ gcs_bucket_labels = {
+ name = "terraform_state_storage"
+ }
+ }
+}
diff --git a/deployment/modules/witness/main.tf b/deployment/modules/witness/main.tf
new file mode 100644
index 0000000..6afa537
--- /dev/null
+++ b/deployment/modules/witness/main.tf
@@ -0,0 +1,205 @@
+/*ec
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Project data
+provider "google" {
+ project = var.project_id
+}
+
+data "google_project" "project" {
+ project_id = var.project_id
+}
+
+# This will be configured by terragrunt when deploying
+terraform {
+ backend "gcs" {}
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "6.0.1"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "6.0.1"
+ }
+ }
+}
+
+# Enable Secret Manager API
+resource "google_project_service" "secretmanager_api" {
+ service = "secretmanager.googleapis.com"
+ disable_on_destroy = false
+}
+
+# Enable Spanner
+resource "google_project_service" "spanner_api" {
+ service = "spanner.googleapis.com"
+ disable_on_destroy = false
+}
+
+# Enable Cloud Run API
+resource "google_project_service" "cloudrun_api" {
+ service = "run.googleapis.com"
+ disable_on_destroy = false
+}
+
+data "google_secret_manager_secret" "witness_secret" {
+ secret_id = "witness_secret_${var.env}"
+}
+
+data "google_secret_manager_secret_version" "witness_secret_data" {
+ secret = data.google_secret_manager_secret.witness_secret.id
+}
+
+# Update service accounts to allow secret access
+resource "google_secret_manager_secret_iam_member" "secretaccess_compute_witness" {
+ secret_id = data.google_secret_manager_secret.witness_secret.id
+ role = "roles/secretmanager.secretAccessor"
+ member =
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
+}
+
+resource "google_spanner_instance" "witness_spanner" {
+ name = "witness-${var.env}"
+ config = "regional-${var.region}"
+ display_name = "Witness ${var.env}"
+ processing_units = 100
+
+ force_destroy = var.ephemeral
+ depends_on = [
+ google_project_service.spanner_api,
+ ]
+}
+
+resource "google_spanner_database" "witness_db" {
+ instance = google_spanner_instance.witness_spanner.name
+ name = "witness_db_${var.env}"
+
+ deletion_protection = !var.ephemeral
+}
+
+resource "google_spanner_database_iam_member" "database" {
+ instance = google_spanner_instance.witness_spanner.name
+ database = google_spanner_database.witness_db.name
+ role = "roles/spanner.databaseAdmin"
+
+ member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
+}
+
+locals {
+ spanner_db_full = "projects/${var.project_id}/instances/${google_spanner_instance.witness_spanner.name}/databases/${google_spanner_database.witness_db.name}"
+}
+
+###
+### Set up Cloud Run service
+###
+resource "google_service_account" "cloudrun_service_account" {
+ account_id = "cloudrun-witness-${var.env}-sa"
+ display_name = "Service Account for Witness Cloud Run (${var.env})"
+}
+
+resource "google_project_iam_member" "iam_act_as" {
+ project = var.project_id
+ role = "roles/iam.serviceAccountUser"
+ member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_project_iam_member" "iam_metrics_writer" {
+ project = var.project_id
+ role = "roles/monitoring.metricWriter"
+ member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_project_iam_member" "iam_spanner_client" {
+ project = var.project_id
+ role = "roles/spanner.databaseUser"
+ member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_project_iam_member" "iam_service_agent" {
+ project = var.project_id
+ role = "roles/run.serviceAgent"
+ member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+resource "google_project_iam_member" "iam_secret_accessor" {
+ project = var.project_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_cloud_run_v2_service" "default" {
+ name = "witness-service-${var.env}"
+ location = var.region
+ launch_stage = "GA"
+
+
+ template {
+ service_account = google_service_account.cloudrun_service_account.email
+ scaling {
+ min_instance_count = 1
+ max_instance_count = 3
+ }
+ max_instance_request_concurrency = 1000
+ containers {
+ image = var.witness_docker_image
+ name = "witness"
+ args = concat([
+ "--logtostderr",
+ "--v=1",
+ "--listen=:8090",
+ "--spanner=${local.spanner_db_full}",
+ "--signer_private_key_secret_name=${data.google_secret_manager_secret_version.witness_secret_data.name}"
+ ], var.extra_args)
+ ports {
+ container_port = 8090
+ }
+
+ startup_probe {
+ initial_delay_seconds = 1
+ timeout_seconds = 1
+ period_seconds = 10
+ failure_threshold = 3
+ tcp_socket {
+ port = 8090
+ }
+ }
+ }
+ containers {
+ image = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.0.0"
+ name = "collector"
+ depends_on = ["witness"]
+ }
+ }
+ client = "terraform"
+ depends_on = [
+ google_project_service.secretmanager_api,
+ google_project_service.cloudrun_api,
+ google_project_service.spanner_api,
+ google_project_iam_member.iam_act_as,
+ google_project_iam_member.iam_metrics_writer,
+ google_project_iam_member.iam_spanner_client,
+ google_project_iam_member.iam_service_agent,
+ google_project_iam_member.iam_secret_accessor,
+ ]
+
+ deletion_protection = !var.ephemeral
+}
+
+resource "google_cloud_run_service_iam_binding" "default" {
+ location =
google_cloud_run_v2_service.default.location
+ service = google_cloud_run_v2_service.default.name
+ role = "roles/run.invoker"
+ members = [
+ "allUsers"
+ ]
+}
+
diff --git a/deployment/modules/witness/outputs.tf b/deployment/modules/witness/outputs.tf
new file mode 100644
index 0000000..728c896
--- /dev/null
+++ b/deployment/modules/witness/outputs.tf
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "witness_uri" {
+ description = "The main URI in which this Service is serving traffic."
+ value = google_cloud_run_v2_service.default.uri
+}
+
diff --git a/deployment/modules/witness/variables.tf b/deployment/modules/witness/variables.tf
new file mode 100644
index 0000000..9c6014c
--- /dev/null
+++ b/deployment/modules/witness/variables.tf
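Review bot: The two grants to the project's default compute service account (`secretaccess_compute_witness`, which gives `roles/secretmanager.secretAccessor` on the witness private key, and `google_spanner_database_iam_member.database`, which gives `roles/spanner.databaseAdmin`) are used by nothing in this module — the Cloud Run service runs as the dedicated `cloudrun_service_account` — and they expose the signing key to every workload running under the default compute identity, so they should be removed. The dedicated account is then over-granted at project scope: `roles/secretmanager.secretAccessor` on every secret in the project, `roles/spanner.databaseUser` on every database, and `roles/iam.serviceAccountUser` plus `roles/run.serviceAgent`, none of which the runtime identity obviously needs beyond the one secret and `witness_db`. The rewrite below scopes the secret and Spanner access to the specific resources; the `depends_on` list in `google_cloud_run_v2_service.default` would then reference the new members instead of `iam_spanner_client` and `iam_secret_accessor`. Separately, `data.google_secret_manager_secret_version.witness_secret_data` has no `version`, so it resolves to the latest version at plan time and bakes that version's name into `--signer_private_key_secret_name`; a key rotation will not take effect until the next apply, which deserves a comment on the data source. `allUsers` on `roles/run.invoker` is presumably intentional for a public witness endpoint and could say so in a comment.
```hcl
# Read access to the witness private key only, rather than every secret in the project.
resource "google_secret_manager_secret_iam_member" "secretaccess_cloudrun_witness" {
  secret_id = data.google_secret_manager_secret.witness_secret.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
}

# Access to the witness database only, rather than every Spanner database in the project.
resource "google_spanner_database_iam_member" "witness_db_user" {
  instance = google_spanner_instance.witness_spanner.name
  database = google_spanner_database.witness_db.name
  role     = "roles/spanner.databaseUser"
  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
}

# … unchanged: google_service_account.cloudrun_service_account, iam_metrics_writer,
#     google_cloud_run_v2_service.default (with depends_on updated to the members above) …
# … removed: secretaccess_compute_witness, google_spanner_database_iam_member.database,
#     iam_act_as, iam_spanner_client, iam_secret_accessor …
```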
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+ type = string
+}
+
+variable "region" {
+ description = "The region to host the cluster in"
+ type = string
+}
+
+variable "env" {
+ description = "Unique identifier for the env, e.g. ci or prod"
+ type = string
+}
+
+variable "witness_docker_image" {
+ description = "The full image URL (path & tag) for the witness docker image to deploy"
+ type = string
+}
+
+variable "extra_args" {
+ description = "Extra arguments to be provided to the witness invoked in cloud run"
+ type = list(string)
+ default = []
+}
+
+variable "ephemeral" {
+ description = "Set to true if this is a CI/temporary deploy"
+ type = bool
+ default = false
+}
From 13feeed26014ab8a90a588be6e9fd3bc485d6df9 Mon Sep 17 00:00:00 2001 From: Al Cutter Date: Thu, 21 Aug 2025 10:23:42 +0100 Subject: [PATCH 3/3] Address comments --- deployment/live/witness/README.md | 17 +++++++++-------- deployment/modules/witness/main.tf | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/deployment/live/witness/README.md b/deployment/live/witness/README.md
index b7822fe..81817c3 100644
--- a/deployment/live/witness/README.md
+++ b/deployment/live/witness/README.md
@@ -2,15 +2,16 @@ The directories under here contain the top-level terragrunt files for the deployment environments. -In all cases, before deploying for the first time, you MUST have created the witness public and -private keys or the `terragrunt apply` will fail. +In all cases, before deploying for the first time, you MUST have created the witness `private` key +and stored it in Secret Manager, or the `terragrunt apply` will fail. -The keys can be generated and stored in Secret Manager from a shell on machine with appropriate -gcloud auth, e.g. CloudShell. -The example command below will generate a public and private note key-pair, using the provided -witness name, and will use those to create and populate the initial version of two Secret Manager -secrets called `witness_public_XXX` and `witness_secret_XXX` respectively, where XXX is the name -of the target deployment environment. +> [!Note] +> While the witness binary itself doesn't need the `public` key, *you will* in order to share it +> with others. + +Below is a `bash` snippet which will generate and store both the public and private key in Secret +Manager under secrets called `witness_public_XXX` and `witness_secret_XXX` respectively, where +```XXX``` is the name of the target deployment environment. ```bash $ export TARGET="dev" # This MUST match the name of the directory you're deploying diff --git a/deployment/modules/witness/main.tf b/deployment/modules/witness/main.tf index 6afa537..6b202bb 100644 --- a/deployment/modules/witness/main.tf +++ b/deployment/modules/witness/main.tf @@ -1,4 +1,4 @@ -/*ec +/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License");