feat: Expose panel exchange flags via CUE tags (#1795)

This introduces CUE files with important panel exchange flags
configurable via tags using `--define`.

build/variables.bzl

@@ -77,6 +77,8 @@ AWS_SETTINGS = struct(
     s3_region = "$(s3_region)",
     amp_ingest_endpoint = "$(amp_ingest_endpoint)",
     amp_region = "$(amp_region)",
+    kms_key_arn = "$(kms_key_arn)",
+    private_ca_arn = "$(private_ca_arn)",
 )
 
 # Settings for Kingdom Kubernetes deployments.
@@ -134,6 +136,25 @@ GRAFANA_K8S_SETTINGS = struct(
     secret_name = "$(k8s_grafana_secret_name)",
 )
 
+PANEL_EXCHANGE_SETTINGS = struct(
+    party_type = "$(party_type)",
+    party_id = "$(party_id)",
+    recurring_exchange_ids = "$(recurring_exchange_ids)",
+    cluster_service_account_name = "$(cluster_service_account_name)",
+    private_storage_bucket = "$(private_storage_bucket)",
+    dataflow_region = "$(dataflow_region)",
+    dataflow_temp_storage_bucket = "$(dataflow_temp_storage_bucket)",
+    kms_region = "$(kms_region)",
+    kms_key_ring = "$(kms_key_ring)",
+    kms_key = "$(kms_key)",
+    private_ca_region = "$(private_ca_region)",
+    private_ca_name = "$(private_ca_name)",
+    private_ca_pool_id = "$(private_ca_pool_id)",
+    cert_common_name = "$(cert_common_name)",
+    cert_organization = "$(cert_organization)",
+    cert_dns_name = "$(cert_dns_name)",
+)
+
 # Config for Panel Exchange Client Example Daemon.
 EXAMPLE_PANEL_EXCHANGE_CLIENT_DAEMON_CONFIG = struct(
     edp_name = "$(edp_name)",

src/main/k8s/panelmatch/dev/BUILD.bazel

@@ -1,5 +1,5 @@
 load("@wfa_rules_cue//cue:defs.bzl", "cue_library")
-load("//build:variables.bzl", "EXAMPLE_KINGDOMLESS_PANEL_EXCHANGE_CLIENT_DAEMON_CONFIG", "EXAMPLE_PANEL_EXCHANGE_CLIENT_DAEMON_CONFIG")
+load("//build:variables.bzl", "AWS_SETTINGS", "EXAMPLE_KINGDOMLESS_PANEL_EXCHANGE_CLIENT_DAEMON_CONFIG", "EXAMPLE_PANEL_EXCHANGE_CLIENT_DAEMON_CONFIG", "GCLOUD_SETTINGS", "IMAGE_REPOSITORY_SETTINGS", "PANEL_EXCHANGE_SETTINGS")
 load("//build/k8s:defs.bzl", "kustomization_dir")
 load("//src/main/k8s:macros.bzl", "cue_dump")
 
@@ -185,3 +185,114 @@ kustomization_dir(
     generate_kustomization = True,
     tags = ["manual"],
 )
+
+cue_library(
+    name = "config",
+    srcs = ["config.cue"],
+)
+
+cue_library(
+    name = "config_aws",
+    srcs = ["config_aws.cue"],
+    deps = [
+        ":config",
+    ],
+)
+
+cue_library(
+    name = "config_gke",
+    srcs = ["config_gke.cue"],
+    deps = [
+        ":config",
+    ],
+)
+
+cue_library(
+    name = "daemon_config",
+    srcs = ["daemon_config.cue"],
+)
+
+cue_dump(
+    name = "kingdomless_daemon_gke",
+    srcs = ["kingdomless_daemon_gke.cue"],
+    cue_tags = {
+        "google_cloud_project": GCLOUD_SETTINGS.project,
+        "party_type": PANEL_EXCHANGE_SETTINGS.party_type,
+        "party_id": PANEL_EXCHANGE_SETTINGS.party_id,
+        "recurring_exchange_ids": PANEL_EXCHANGE_SETTINGS.recurring_exchange_ids,
+        "cluster_service_account_name": PANEL_EXCHANGE_SETTINGS.cluster_service_account_name,
+        "private_storage_bucket": PANEL_EXCHANGE_SETTINGS.private_storage_bucket,
+        "kms_region": PANEL_EXCHANGE_SETTINGS.kms_region,
+        "kms_key_ring": PANEL_EXCHANGE_SETTINGS.kms_key_ring,
+        "kms_key": PANEL_EXCHANGE_SETTINGS.kms_key,
+        "private_ca_region": PANEL_EXCHANGE_SETTINGS.private_ca_region,
+        "private_ca_name": PANEL_EXCHANGE_SETTINGS.private_ca_name,
+        "private_ca_pool_id": PANEL_EXCHANGE_SETTINGS.private_ca_pool_id,
+        "cert_common_name": PANEL_EXCHANGE_SETTINGS.cert_common_name,
+        "cert_organization": PANEL_EXCHANGE_SETTINGS.cert_organization,
+        "cert_dns_name": PANEL_EXCHANGE_SETTINGS.cert_dns_name,
+        "dataflow_region": PANEL_EXCHANGE_SETTINGS.dataflow_region,
+        "dataflow_temp_storage_bucket": PANEL_EXCHANGE_SETTINGS.dataflow_temp_storage_bucket,
+        "container_registry": IMAGE_REPOSITORY_SETTINGS.container_registry,
+        "image_repo_prefix": IMAGE_REPOSITORY_SETTINGS.repository_prefix,
+        "image_repo_suffix": "panel-exchange/gcloud-example-daemon",
+        "image_tag": IMAGE_REPOSITORY_SETTINGS.image_tag,
+    },
+    tags = ["manual"],
+    deps = [
+        ":base_gke",
+        ":config_gke",
+        ":daemon_config",
+    ],
+)
+
+kustomization_dir(
+    name = "export_kingdomless_daemon_gke",
+    srcs = [
+        "resource_requirements.yaml",
+        ":kingdomless_daemon_gke",
+    ],
+    generate_kustomization = True,
+    tags = ["manual"],
+)
+
+cue_dump(
+    name = "kingdomless_daemon_aws",
+    srcs = ["kingdomless_daemon_aws.cue"],
+    cue_tags = {
+        "party_type": PANEL_EXCHANGE_SETTINGS.party_type,
+        "party_id": PANEL_EXCHANGE_SETTINGS.party_id,
+        "recurring_exchange_ids": PANEL_EXCHANGE_SETTINGS.recurring_exchange_ids,
+        "cluster_service_account_name": PANEL_EXCHANGE_SETTINGS.cluster_service_account_name,
+        "s3_bucket": AWS_SETTINGS.s3_bucket,
+        "s3_region": AWS_SETTINGS.s3_region,
+        "kms_key_arn": AWS_SETTINGS.kms_key_arn,
+        "private_ca_arn": AWS_SETTINGS.private_ca_arn,
+        "private_ca_region": PANEL_EXCHANGE_SETTINGS.private_ca_region,
+        "private_ca_name": PANEL_EXCHANGE_SETTINGS.private_ca_name,
+        "private_ca_pool_id": PANEL_EXCHANGE_SETTINGS.private_ca_pool_id,
+        "cert_common_name": PANEL_EXCHANGE_SETTINGS.cert_common_name,
+        "cert_organization": PANEL_EXCHANGE_SETTINGS.cert_organization,
+        "cert_dns_name": PANEL_EXCHANGE_SETTINGS.cert_dns_name,
+        "container_registry": IMAGE_REPOSITORY_SETTINGS.container_registry,
+        "image_repo_prefix": IMAGE_REPOSITORY_SETTINGS.repository_prefix,
+        "image_repo_suffix": "panel-exchange/aws-example-daemon",
+        "image_tag": IMAGE_REPOSITORY_SETTINGS.image_tag,
+    },
+    tags = ["manual"],
+    deps = [
+        ":base_aws",
+        ":config_aws",
+        ":daemon_config",
+    ],
+)
+
+kustomization_dir(
+    name = "export_kingdomless_daemon_aws",
+    srcs = [
+        "resource_requirements.yaml",
+        ":kingdomless_daemon_aws",
+    ],
+    generate_kustomization = True,
+    tags = ["manual"],
+)

src/main/k8s/panelmatch/dev/config.cue

@@ -0,0 +1,52 @@
+// Copyright 2024 The Cross-Media Measurement Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package k8s
+
+import "strings"
+
+#ContainerRegistryConfig: {
+	registry:   string @tag("container_registry")
+	repoPrefix: string @tag("image_repo_prefix")
+}
+
+#ImageConfig: Config={
+	#ContainerRegistryConfig
+
+	repoSuffix: string @tag("image_repo_suffix")
+	tag:        string @tag("image_tag")
+	image:      strings.Join([Config.registry, Config.repoPrefix, repoSuffix], "/") + ":\(tag)"
+}
+
+#PrivateCaConfig: {
+	region:           string
+	name:             string
+	poolId:           string
+	certCommonName:   string
+	certOrganization: string
+	certDnsName:      string
+	certValidDays:    string
+
+	_extraFlags: [...string]
+
+	flags: _extraFlags + [
+		"--privateca-ca-location=" + region,
+		"--privateca-ca-name=" + name,
+		"--privateca-pool-id=" + poolId,
+		"--x509-common-name=" + certCommonName,
+		"--x509-organization=" + certOrganization,
+		"--x509-dns-name=" + certDnsName,
+		"--x509-valid-days=14d",
+	]
+}

src/main/k8s/panelmatch/dev/config_aws.cue

@@ -0,0 +1,39 @@
+// Copyright 2024 The Cross-Media Measurement Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package k8s
+
+#AwsS3Config: {
+	bucket: string @tag("s3_bucket")
+	region: string @tag("s3_region")
+	flags: [
+		"--s3-storage-bucket=" + bucket,
+		"--s3-region=" + region,
+	]
+}
+
+#AwsPrivateCaConfig: #PrivateCaConfig & {
+	privateCaArn: string
+
+	_extraFlags: [
+		"--certificate-authority-arn=" + privateCaArn,
+	]
+}
+
+#AwsKmsConfig: {
+	kmsKeyArn: string
+	flags: [
+		"--tink-key-uri=aws-kms://\(kmsKeyArn)",
+	]
+}

src/main/k8s/panelmatch/dev/config_gke.cue

@@ -0,0 +1,66 @@
+// Copyright 2024 The Cross-Media Measurement Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package k8s
+
+#GCloudProject: string @tag("google_cloud_project")
+
+#GCloudConfig: {
+	project: #GCloudProject
+}
+
+#CloudStorageConfig: Config={
+	#GCloudConfig
+
+	bucket: string
+	flags: [
+		"--google-cloud-storage-project=" + Config.project,
+		"--google-cloud-storage-bucket=" + bucket,
+	]
+}
+
+#CloudDataflowConfig: Config={
+	#GCloudConfig
+
+	region:             string
+	serviceAccountName: string
+	bucket:             string
+	flags: [
+		"--dataflow-project-id=" + Config.project,
+		"--dataflow-region=" + region,
+		"--dataflow-service-account=" + serviceAccountName,
+		"--dataflow-temp-location=gs://\(bucket)/dataflow-temp/",
+		"--dataflow-worker-machine-type=n1-standard-1",
+		"--dataflow-disk-size=30",
+		"--dataflow-worker-logging-options-level=INFO",
+		"--sdk-harness-options-log-level=INFO",
+	]
+}
+
+#GCloudPrivateCaConfig: #PrivateCaConfig & {
+	_extraFlags: [
+		"--privateca-project-id=" + #GCloudConfig.project,
+	]
+}
+
+#GCloudKmsConfig: Config={
+	#GCloudConfig
+
+	region:  string
+	keyRing: string
+	key:     string
+	flags: [
+		"--tink-key-uri=gcp-kms://projects/\(Config.project)/locations/\(region)/keyRings/\(keyRing)/cryptoKeys/\(key)",
+	]
+}

src/main/k8s/panelmatch/dev/daemon_config.cue

@@ -0,0 +1,48 @@
+// Copyright 2024 The Cross-Media Measurement Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package k8s
+
+#ExchangeDaemonConfig: {
+	runMode:   "CRON_JOB" | "DAEMON"
+	partyType: "DATA_PROVIDER" | "MODEL_PROVIDER"
+
+	_extraFlags: [...string]
+
+	flags: _extraFlags + [
+		"--run-mode=" + runMode,
+		"--party-type=" + partyType,
+		"--blob-size-limit-bytes=1000000000", // 1 GB
+		"--storage-signing-algorithm=EC",
+		"--polling-interval=10s",
+		"--preprocessing-max-byte-size=1000000", // 1 MB
+		"--preprocessing-file-count=1000",
+		"--max-parallel-claimed-exchange-steps=1",
+	]
+}
+
+#KingdomlessExchangeDaemonConfig: #ExchangeDaemonConfig & {
+	partyId:              string
+	recurringExchangeIds: string
+
+	runMode: "CRON_JOB"
+
+	_extraFlags: [
+		"--id=" + partyId,
+		"--kingdomless-recurring-exchange-ids=" + recurringExchangeIds,
+		"--checkpoint-signing-algorithm=SHA256withECDSA",
+		"--lookback-window=14d",
+		"--task-timeout=24h",
+	]
+}