Signing Agent
Configure
TL;DR
- The Signing Agent Docker image references a configuration file, config.yaml.
- You can download a template for it from GitHub: config-template.yaml.
Configuration options
The following settings are configurable via the YAML file:
- Base
- Auto approval
- Qredo WebSocket
- HTTP
- Logging
- Load balancing
- Store
- Learn more about setting up cloud storage of secrets.
Configuration properties
Customize the properties of config.yaml to suit your needs.
The following table presents each property.
| Property | Sub-property | Sub-property/Options | Description |
|---|---|---|---|
| base | Controls connection properties | ||
| qredoApi | https://api-v2.qredo.network/api/v2 | Base domain for the production environment | |
| autoApproval | Enables automatic approval of all transactions | ||
| enabled | true, false | Toggles automatic approval on/off | |
| retryIntervalMaxSec | Maximum time for which the Signing Agent retries approval attempts. Failure fallback applies after this period | ||
| retryIntervalSec | Interval between approval attempts. Cycled until retryIntervalMaxSec is reached. | ||
| websocket | This is returned with agentID when the agent is registered | ||
| qredoWebsocket | Qredo provides a WebSocket to collect transaction approval requests from | ||
| reconnectTimeoutSec | Timeout in seconds for connection attempt | ||
| reconnectIntervalSec | Interval in seconds between connection attempts | ||
| pingPeriodSec | The ping period for the ping handler in seconds | ||
| pongWaitSec | The pong wait for the pong handler in seconds | ||
| writeWaitSec | The write wait in seconds | ||
| readBufferSize | The WebSocket upgrader read buffer size in bytes | ||
| writeBufferSize | The WebSocket upgrader write buffer size in bytes | ||
| http | |||
| addr | The address and port the service runs on | ||
| CORSAllowOrigins | * | Optional: The value assigned to the Access-Control-Allow-Origin of the responses of the build in API. If not required, pass *. | |
| logAllRequests | true, false | Toggles logging of incoming requests to the build in API on/off | |
| TLS | TLS configurations for the internal HTTP server. Used to determine whether HTTP or HTTPS is applied. | ||
| enabled | Toggles whether TLS is enabled on/off with true, false | ||
| keyFile | If enabled is true, specifies the key file to use for the TLS server | ||
| certFile | If enabled is true, specifies the cert file to use for the TLS server | ||
| logging | |||
| format | text, json | File format for the log | |
| level | debug, info, warn, error | Log level; default is debug | |
| loadBalancing | |||
| enable | true, false | Toggles whether load balancing logic is on/off | |
| onLockErrorTimeoutMs | On lock timeout in milliseconds | ||
| actionIDExpirationSec | Expiration of action_id variable in Redis in seconds | ||
| redis | |||
| host | Redis host | ||
| port | Redis port | ||
| password | Redis password | ||
| db | Redis database name | ||
| store | Store type holding private key information for the Signing Agent | ||
| type | file, oci, aws, gcp | ||
| file | If store type is file, pass path to the storage file | ||
| oci | If store type is Oracle cloud configuration, details for the Oracle vault | ||
| compartment | Oracle Cloud Identifier (OCID) where the vault and encryption key reside | ||
| vault | OCID of the vault where the secret will be stored | ||
| secretEncryptionKey | Encryption key used for both the secret and the data inside the secret | ||
| configSecret | Name of secret that will be used to store the data | ||
| aws | Amazon cloud configuration to store the private keys in amazon secrets manager | ||
| region | If using AWS Secrets Manager, AWS region where the secret is stored | ||
| configSecret | If using AWS Secrets Manager, name of the AWS Secrets Manager secret containing the encrypted data | ||
| gcp | If store type is Google Cloud Platform, details for its configuration | ||
| projectID | Your project ID | ||
| configSecret | Name of secret that will be used to store the data |
Example configuration values
Note, this is not an example configuration file, as examples are provided for properties that would conflict, such as storing/passing the private key by different methods.
| Property | Sub-property | Sub-property | Example |
|---|---|---|---|
| base | |||
| qredoApi | sandbox-api.qredo.network | ||
| pin | 0 | ||
| autoApproval | |||
| enabled | false | ||
| retryIntervalMaxSec | 300 | ||
| retryIntervalSec | 5 | ||
| websocket | |||
| qredoWebsocket | wss://sandbox-api.qredo.network/api/v1/p/coreclient/feed | ||
| reconnectTimeoutSec | 300 | ||
| reconnectIntervalSec | 5 | ||
| pingPeriodSec | 5 | ||
| pongWaitSec | 10 | ||
| writeWaitSec | 10 | ||
| readBufferSize | 512 | ||
| writeBufferSize | 1024 | ||
| http | |||
| addr | 0.0.0.0:8007 | ||
| CORSAllowOrigins | * | ||
| logAllRequests | false | ||
| TLS | |||
| enabled | true | ||
| keyFile | tls/domain.crt | ||
| certFile | tls/domain.key | ||
| logging | |||
| format | text | ||
| level | debug | ||
| loadBalancing | |||
| enable | false | ||
| onLockErrorTimeoutMs | 300 | ||
| actionIDExpirationSec | 6 | ||
| redis | |||
| host | redis | ||
| port | 6379 | ||
| password | "" | ||
| db | 0 | ||
| store | |||
| type | file | ||
| file | /volume/ccstore.db | ||
| oci | |||
| compartment | ocid1.tenancy.oc1... | ||
| vault | ocid1.vault.oc1... | ||
| secretEncryptionKey | ocid1.key.oc1... | ||
| configSecret | signing_agent_config | ||
| aws | |||
| region | aws-region-... | ||
| configSecret | secrets_manager_secret... | ||
| gcp | |||
| projectID | signing-agent-1234... | ||
| configSecret | secrets_manager_secret... |
Cloud secret storage
An alternative to storing the Signing Agent configuration on-premises in a file is to use secure cloud-based storage.
In the sections below, you'll find the supported cloud-based solutions and correct configs for them. Further specifics of usage are best discussed with your cloud services admin department.
Oracle Cloud Vault
In order to use Oracle Cloud Vault storage, update your configuration storage setting, i.e. set the store: type to oci in the YAML configuration file.
For example, your YAML config should look something like the following:
store:
type: oci
oci:
compartment: ocid1.tenancy....
vault: ocid1.vault....
secretEncryptionKey: ocid1.key....
configSecret: signing_agent_config
...
AWS Cloud Secrets Manager
In order to use AWS for configuration storage, update your configuration storage setting, i.e. set the store:type to aws and provide the AWS Region and the name of the Secrets Manager secret in the YAML configuration file.
For example, your YAML config should look something like the following:
store:
type: aws
aws:
region: eu-west-2
configSecret: signing_agent_config
...
Google Cloud Platform
In order to use Google Cloud Platform for configuration storage, update your configuration storage setting, i.e. set the store: type to gcp and provide the project ID and the name of secret that will be used to store the data
For example, your YAML config should look something like the following:
store:
type: gcp
gcp:
projectID: signing-agent-1234...
configSecret: secrets_manager_secret...
Config Gottchas
HTTP/TLS
If you wish to configure the TLS settings, you must supply the certFile and keyFile to setup HTTPS.