use flag for antispam size

phbnf · phbnf · commit 48e9424385b1 · 2025-05-08T17:28:48.000Z
# Conflicts:
#	deployment/modules/aws/tesseract/conformance/main.tf
diff --git a/cmd/aws/main.go b/cmd/aws/main.go
@@ -61,7 +61,7 @@ var (
 	dbPassword                 = flag.String("db_password", "", "AuroraDB password")
 	dbMaxConns                 = flag.Int("db_max_conns", 0, "Maximum connections to the database, defaults to 0, i.e unlimited")
 	dbMaxIdle                  = flag.Int("db_max_idle_conns", 2, "Maximum idle database connections in the connection pool, defaults to 2")
-	dedupPath                  = flag.String("dedup_path", "", "Path to the deduplication database.")
+	inMemoryAntispamCacheSize  = flag.Uint("inmemory_antispam_cache_size", 2<<10, "Maximum number of entries to keep in the in-memory antispam cache.")
 	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
 	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
@@ -160,7 +160,7 @@ func newAWSStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 	appender, _, _, err := tessera.NewAppender(ctx, driver, tessera.NewAppendOptions().
 		WithCheckpointSigner(signer).
 		WithCTLayout().
-		WithAntispam(2<<18, antispam)) // TODO(phbnf): do the math to see what fits in memory
+		WithAntispam(*inMemoryAntispamCacheSize, antispam))
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize AWS Tessera storage: %v", err)
 	}
diff --git a/cmd/gcp/main.go b/cmd/gcp/main.go
@@ -55,6 +55,7 @@ var (
 	bucket                     = flag.String("bucket", "", "Name of the bucket to store the log in.")
 	spannerDB                  = flag.String("spanner_db_path", "", "Spanner database path: projects/{projectId}/instances/{instanceId}/databases/{databaseId}.")
 	spannerAntispamDB          = flag.String("spanner_antispam_db_path", "", "EXPERIMENTAL: Spanner antispam deduplication database path projects/{projectId}/instances/{instanceId}/databases/{databaseId}.")
+	inMemoryAntispamCacheSize  = flag.Uint("inmemory_antispam_cache_size", 2<<10, "Maximum number of entries to keep in the in-memory antispam cache.")
 	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
 	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
@@ -170,7 +171,7 @@ func newGCPStorage(ctx context.Context, signer note.Signer) (*storage.CTStorage,
 	opts := tessera.NewAppendOptions().
 		WithCheckpointSigner(signer).
 		WithCTLayout().
-		WithAntispam(2<<18, antispam) // TODO(phbnf): do the math to see what fits in memory
+		WithAntispam(*inMemoryAntispamCacheSize, antispam)
 
 	// TODO(phbnf): figure out the best way to thread the `shutdown` func NewAppends returns back out to main so we can cleanly close Tessera down
 	// when it's time to exit.
diff --git a/deployment/live/aws/conformance/ci/.terraform.lock.hcl b/deployment/live/aws/conformance/ci/.terraform.lock.hcl
diff --git a/deployment/live/aws/test/README.md b/deployment/live/aws/test/README.md
@@ -76,6 +76,8 @@ Store the Aurora RDS database and S3 bucket information into the environment var
 export TESSERACT_DB_HOST=$(terragrunt output -raw rds_aurora_cluster_endpoint)
 export TESSERACT_DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $(terragrunt output -json rds_aurora_cluster_master_user_secret | jq --raw-output .[0].secret_arn) --query SecretString --output text | jq --raw-output .password)
 export TESSERACT_BUCKET_NAME=$(terragrunt output -raw s3_bucket_name)
+export SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
+export SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
 ```
 
 Connect the VM and Aurora database following [these instructions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/tutorial-ec2-rds-option1.html#option1-task3-connect-ec2-instance-to-rds-database), it takes a few clicks in the UI.
@@ -98,6 +100,8 @@ go run ./cmd/aws \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
   --antispam_db_name=antispam_db
+  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
 ```
 
 In a different terminal you can either mint and submit certificates manually, or
@@ -190,6 +194,8 @@ go run ./cmd/aws \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
   --antispam_db_name=antispam_db
+  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
   -v=3
 ```
 
diff --git a/deployment/modules/aws/tesseract/conformance/main.tf b/deployment/modules/aws/tesseract/conformance/main.tf
@@ -173,6 +173,7 @@ resource "aws_ecs_task_definition" "conformance" {
       "--signer_public_key_secret_name=${module.secretsmanager.ecdsa_p256_public_key_id}",
       "--signer_private_key_secret_name=${module.secretsmanager.ecdsa_p256_private_key_id}",
       "--antispam_db_name=${module.storage.antispam_database_name}",
+      "--inmemory_antispam_cache_size=25000000", # About 1GB of memory.
       "-v=2"
     ],
     "logConfiguration" : {
diff --git a/deployment/modules/gcp/cloudrun/main.tf b/deployment/modules/gcp/cloudrun/main.tf
@@ -51,6 +51,7 @@ resource "google_cloud_run_v2_service" "default" {
         "--origin=${var.base_name}${var.origin_suffix}",
         "--signer_public_key_secret_name=${var.signer_public_key_secret_name}",
         "--signer_private_key_secret_name=${var.signer_private_key_secret_name}",
+      	"--inmemory_antispam_cache_size=25000000", # About 1GB of memory.
       ]
       ports {
         container_port = 6962

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ resource "google_cloud_run_v2_service" "default" {`
`51`	`51`	`"--origin=${var.base_name}${var.origin_suffix}",`
`52`	`52`	`"--signer_public_key_secret_name=${var.signer_public_key_secret_name}",`
`53`	`53`	`"--signer_private_key_secret_name=${var.signer_private_key_secret_name}",`
	`54`	`+ "--inmemory_antispam_cache_size=25000000", # About 1GB of memory.`
`54`	`55`	`]`
`55`	`56`	`ports {`
`56`	`57`	`container_port = 6962`