From fdad95b4b9aaaae278556e7409fb010cf4f30249 Mon Sep 17 00:00:00 2001
From: way zheng
Date: Sat, 20 Dec 2025 18:09:15 -0800
Subject: [PATCH 1/5] update euid CF template and desc
---
 scripts/aws/EUID_CloudFormation.template.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/aws/EUID_CloudFormation.template.yml b/scripts/aws/EUID_CloudFormation.template.yml
index 09fefb18f..22a8f5da0 100644
--- a/scripts/aws/EUID_CloudFormation.template.yml
+++ b/scripts/aws/EUID_CloudFormation.template.yml
@@ -38,6 +38,8 @@ Parameters:
 - m6i.4xlarge
 - r6i.2xlarge
 - r6i.4xlarge
+ - r7i.2xlarge
+ - r7i.4xlarge
 ConstraintDescription: must be a valid EC2 instance type.
 RootVolumeSize:
 Description: Instance root volume size
@@ -90,7 +92,7 @@ Metadata:
 DeployToEnvironment:
 default: EUID environment to deploy to. Prod - production; Integ - integration test.
 InstanceType:
- default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge.
+ default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i, R6i and R7i Instance types are tested. Choose 2xlarge or 4xlarge.
 SSHKeyName:
 default: Key Name for SSH to EC2 (required)
 RootVolumeSize:
From 60903a1f48b731b7fcf0b31ba2829f7569bdd404 Mon Sep 17 00:00:00 2001
From: way zheng
Date: Fri, 26 Dec 2025 14:23:38 -0800
Subject: [PATCH 2/5] update the CF to include correct cpu reqirements
---
 scripts/aws/EUID_CloudFormation.template.yml | 2 +-
 scripts/aws/UID_CloudFormation.template.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/aws/EUID_CloudFormation.template.yml b/scripts/aws/EUID_CloudFormation.template.yml
index 22a8f5da0..30f12aea4 100644
--- a/scripts/aws/EUID_CloudFormation.template.yml
+++ b/scripts/aws/EUID_CloudFormation.template.yml
@@ -92,7 +92,7 @@ Metadata:
 DeployToEnvironment:
 default: EUID environment to deploy to. Prod - production; Integ - integration test.
 InstanceType:
- default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i, R6i and R7i Instance types are tested. Choose 2xlarge or 4xlarge.
+ default: Instance Type for EC2. Minimum 8 vCPUs needed. M5, M5a, M5n, M6i, R6i and R7i Instance types are tested. Choose 2xlarge or 4xlarge.
 SSHKeyName:
 default: Key Name for SSH to EC2 (required)
 RootVolumeSize:
diff --git a/scripts/aws/UID_CloudFormation.template.yml b/scripts/aws/UID_CloudFormation.template.yml
index 58030f4d2..82ab2c1dc 100644
--- a/scripts/aws/UID_CloudFormation.template.yml
+++ b/scripts/aws/UID_CloudFormation.template.yml
@@ -92,7 +92,7 @@ Metadata:
 DeployToEnvironment:
 default: UID2 environment to deploy to. Prod - production; Integ - integration test.
 InstanceType:
- default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge.
+ default: Instance Type for EC2. Minimum 8 vCPUs needed. M5, M5a, M5n, M6i, R6i and R7i Instance types are tested. Choose 2xlarge or 4xlarge.
 SSHKeyName:
 default: Key Name for SSH to EC2 (required)
 RootVolumeSize:
From 93ad19308b7533b511f72a6125c83ad459450edd Mon Sep 17 00:00:00 2001
From: way zheng
Date: Fri, 26 Dec 2025 15:37:12 -0800
Subject: [PATCH 3/5] update aks and azure cpu and memeory requriements to align
---
 scripts/azure-aks/deployment/operator.yaml | 6 +++++-
 scripts/azure-cc/deployment/operator.json | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/scripts/azure-aks/deployment/operator.yaml b/scripts/azure-aks/deployment/operator.yaml
index 234bd4a23..bc6e752d6 100644
--- a/scripts/azure-aks/deployment/operator.yaml
+++ b/scripts/azure-aks/deployment/operator.yaml
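Review bot: The `InstanceType` description in scripts/aws/UID_CloudFormation.template.yml now lists R7i as a tested type, but the only `AllowedValues` change in this series is the `r7i.2xlarge`/`r7i.4xlarge` pair added to the EUID template in patch 1; the UID template's `AllowedValues` list is outside this hunk, so if it was not extended elsewhere the parameter will reject the very type its description recommends. Either add the same two entries to the UID template in this PR or drop "R7i" from that description until they exist. Note also that "Minimum 8 vCPUs needed" is documentation only: the real floor is enforced by the `AllowedValues` list (the 2xlarge/4xlarge sizes), so that list is what has to stay in step with the text.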
@@ -39,7 +39,11 @@ spec:
 image: IMAGE_PLACEHOLDER
 resources:
 limits:
- memory: "8Gi"
+ cpu: "6"
+ memory: "24Gi"
+ requests:
+ cpu: "6"
+ memory: "24Gi"
 imagePullPolicy: Always
 securityContext:
 runAsUser: 1000
diff --git a/scripts/azure-cc/deployment/operator.json b/scripts/azure-cc/deployment/operator.json
index 43d395c1b..60cf08d11 100644
--- a/scripts/azure-cc/deployment/operator.json
+++ b/scripts/azure-cc/deployment/operator.json
@@ -116,8 +116,8 @@
 ],
 "resources": {
 "requests": {
- "cpu": 3.5,
- "memoryInGB": 15.5
+ "cpu": 6,
+ "memoryInGB": 24
 }
 },
 "environmentVariables": [
From 7374759c6328335512488cf51f207ab17b4c4d91 Mon Sep 17 00:00:00 2001
From: way zheng
Date: Mon, 29 Dec 2025 07:17:45 -0800
Subject: [PATCH 4/5] pull origin main
---
 scripts/gcp-oidc/README.md | 6 +++---
 scripts/gcp-oidc/terraform/README.md | 2 +-
 scripts/gcp-oidc/terraform/main.tf | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/gcp-oidc/README.md b/scripts/gcp-oidc/README.md
index 1a6e35c0c..7f06d72e3 100644
--- a/scripts/gcp-oidc/README.md
+++ b/scripts/gcp-oidc/README.md
@@ -197,14 +197,14 @@ You will be provided a new operator API token which should be stored in Secret M
 `~tee-env-DEPLOYMENT_ENVIRONMENT=prod~`. It is recommended that you also specify the machine type in the gcloud script. Currently, it is recommended to run the
-UID2 operator on a machine type of n2d-standard-16. (default to n2d-standard-2)
+UID2 operator on a machine type of n2d-standard-8 for production. (default to n2d-standard-2)
 An example of the script is given below:
 ```
 $ gcloud compute instances create {INSTANCE_NAME} \
 --zone {ZONE} \
- --machine-type n2d-standard-16 \
+ --machine-type n2d-standard-8 \
 --confidential-compute \
 --shielded-secure-boot \
 --maintenance-policy Terminate \
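Review bot: The new `"cpu": 6` / `"memoryInGB": 24` request in scripts/azure-cc/deployment/operator.json replaces 3.5 / 15.5, values that sit just under the 4 vCPU / 16 GB per-container-group ceiling Azure Container Instances applies in many regions (the odd 3.5 / 15.5 look like they were chosen to stay under exactly that limit); if that ceiling applies to the targeted regions and the confidential SKU, the group will be rejected at create time, so the new sizing should be checked against the ACI region/SKU availability table before merge. The matching 6 CPU / 24Gi pair in scripts/azure-aks/deployment/operator.yaml is set as both `requests` and `limits`, which gives the pod Guaranteed QoS but also leaves it Pending unless a node in the pool has at least that much allocatable CPU and memory, and a CPU limit means the operator is CFS-throttled under burst instead of borrowing idle cores. A short comment above `resources:` in operator.yaml stating the intent and the minimum node size would help the next person who touches this, e.g. `# requests == limits on purpose (Guaranteed QoS); nodes need >= 6 allocatable vCPU and 24Gi`.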
@@ -215,7 +215,7 @@ $ gcloud compute instances create {INSTANCE_NAME} \
 --metadata ^~^tee-image-reference={OPERATOR_IMAGE}~tee-restart-policy=Never~tee-container-log-redirect=true~tee-env-DEPLOYMENT_ENVIRONMENT=prod~tee-env-API_TOKEN_SECRET_NAME={OPERATOR_KEY_SECRET_FULL_NAME}
 ```
-Note that compared to the `gcloud` command used in the prior section, parameter `--machine-type n2d-standard-16` is set to ensure production deployment of UID2 Operator runs on the recommended machine type for production.
+Note that compared to the `gcloud` command used in the prior section, parameter `--machine-type n2d-standard-8` is set to ensure production deployment of UID2 Operator runs on the recommended machine type for production.
 ## Upgrading
diff --git a/scripts/gcp-oidc/terraform/README.md b/scripts/gcp-oidc/terraform/README.md
index 8723a5347..f736b3057 100644
--- a/scripts/gcp-oidc/terraform/README.md
+++ b/scripts/gcp-oidc/terraform/README.md
@@ -68,7 +68,7 @@ terraform destroy
 | service_account_name | `string` | n/a | yes | The name of the service account that you want to use for your UID2 Operator instance in GCP Confidential Space. |
 | uid_operator_image | `string` | n/a | yes | The Docker image URL for the UID2 Private Operator for GCP, used in configuration, which you received as part of UID2 Operator Account Setup. For example: `us-docker.pkg.dev/uid2-prod-project/iabtechlab/uid2-operator@sha256:{IMAGE_SHA}` |
 | uid_operator_key | `string` | n/a | yes | The UID2 operator key, which you received as part of UID2 Operator Account Setup.
Note: only required during first time provision. You could leave it as empty string later if you don't want to update secret value. |
-| uid_deployment_env | `string` | n/a | yes | Valid values: `integ` for integration environment, `prod` for production environment.
Machine type is determined by the deployment environment: `integ` uses `n2d-standard-2` and prod uses `n2d-standard-16`. |
+| uid_deployment_env | `string` | n/a | yes | Valid values: `integ` for integration environment, `prod` for production environment.
Machine type is determined by the deployment environment: `integ` uses `n2d-standard-2` and prod uses `n2d-standard-8`. |
 | uid_operator_key_secret_name | `string` | `"secret-operator-key"` | no | The name that you specify for your operator key secret. The Terraform template creates a secret in the GCP Secret Manager to hold the `uid_operator_key` value. You can define the name; for example, `uid2-operator-operator-key-secret-integ`. |
 | region | `string` | `"us-east1"` | no | The region that you want to deploy to. For a list of valid regions, see [Available regions and zones](https://cloud.google.com/compute/docs/regions-zones#available) in the Google Cloud documentation.
NOTE: The UID2 Private Operator implementation for GCP Confidential Space is not supported in these areas: Europe, China. |
 | network_name | `string` | `"uid-operator"` | no | The VPC resource name (also used for rules/ instance tags). |
diff --git a/scripts/gcp-oidc/terraform/main.tf b/scripts/gcp-oidc/terraform/main.tf
index 7a0141726..6b6e81b87 100644
--- a/scripts/gcp-oidc/terraform/main.tf
+++ b/scripts/gcp-oidc/terraform/main.tf
@@ -94,7 +94,7 @@ module "secret-manager" {
 resource "google_compute_instance_template" "uid_operator" {
 depends_on = [module.project_services]
 name_prefix = "uid-operator-cs-template-"
- machine_type = var.uid_deployment_env == "prod" ? "n2d-standard-16" : "n2d-standard-2"
+ machine_type = var.uid_deployment_env == "prod" ? "n2d-standard-8" : "n2d-standard-2"
 tags = [var.network_name]
From ae25495d213d47f568c7d5abc3cb7e3f276de8d8 Mon Sep 17 00:00:00 2001
From: way zheng
Date: Mon, 29 Dec 2025 08:01:23 -0800
Subject: [PATCH 5/5] revert gcp related changes as they are not necessary
---
 scripts/gcp-oidc/README.md | 6 +++---
 scripts/gcp-oidc/terraform/README.md | 2 +-
 scripts/gcp-oidc/terraform/main.tf | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/gcp-oidc/README.md b/scripts/gcp-oidc/README.md
index 7f06d72e3..1a6e35c0c 100644
--- a/scripts/gcp-oidc/README.md
+++ b/scripts/gcp-oidc/README.md
@@ -197,14 +197,14 @@ You will be provided a new operator API token which should be stored in Secret M
 `~tee-env-DEPLOYMENT_ENVIRONMENT=prod~`. It is recommended that you also specify the machine type in the gcloud script. Currently, it is recommended to run the
-UID2 operator on a machine type of n2d-standard-8 for production. (default to n2d-standard-2)
+UID2 operator on a machine type of n2d-standard-16. (default to n2d-standard-2)
 An example of the script is given below:
 ```
 $ gcloud compute instances create {INSTANCE_NAME} \
 --zone {ZONE} \
- --machine-type n2d-standard-8 \
+ --machine-type n2d-standard-16 \
 --confidential-compute \
 --shielded-secure-boot \
 --maintenance-policy Terminate \
@@ -215,7 +215,7 @@ $ gcloud compute instances create {INSTANCE_NAME} \
 --metadata ^~^tee-image-reference={OPERATOR_IMAGE}~tee-restart-policy=Never~tee-container-log-redirect=true~tee-env-DEPLOYMENT_ENVIRONMENT=prod~tee-env-API_TOKEN_SECRET_NAME={OPERATOR_KEY_SECRET_FULL_NAME}
 ```
-Note that compared to the `gcloud` command used in the prior section, parameter `--machine-type n2d-standard-8` is set to ensure production deployment of UID2 Operator runs on the recommended machine type for production.
+Note that compared to the `gcloud` command used in the prior section, parameter `--machine-type n2d-standard-16` is set to ensure production deployment of UID2 Operator runs on the recommended machine type for production.
 ## Upgrading
diff --git a/scripts/gcp-oidc/terraform/README.md b/scripts/gcp-oidc/terraform/README.md
index f736b3057..8723a5347 100644
--- a/scripts/gcp-oidc/terraform/README.md
+++ b/scripts/gcp-oidc/terraform/README.md
@@ -68,7 +68,7 @@ terraform destroy
 | service_account_name | `string` | n/a | yes | The name of the service account that you want to use for your UID2 Operator instance in GCP Confidential Space. |
 | uid_operator_image | `string` | n/a | yes | The Docker image URL for the UID2 Private Operator for GCP, used in configuration, which you received as part of UID2 Operator Account Setup. For example: `us-docker.pkg.dev/uid2-prod-project/iabtechlab/uid2-operator@sha256:{IMAGE_SHA}` |
 | uid_operator_key | `string` | n/a | yes | The UID2 operator key, which you received as part of UID2 Operator Account Setup.
Note: only required during first time provision. You could leave it as empty string later if you don't want to update secret value. |
-| uid_deployment_env | `string` | n/a | yes | Valid values: `integ` for integration environment, `prod` for production environment.
Machine type is determined by the deployment environment: `integ` uses `n2d-standard-2` and prod uses `n2d-standard-8`. |
+| uid_deployment_env | `string` | n/a | yes | Valid values: `integ` for integration environment, `prod` for production environment.
Machine type is determined by the deployment environment: `integ` uses `n2d-standard-2` and prod uses `n2d-standard-16`. |
 | uid_operator_key_secret_name | `string` | `"secret-operator-key"` | no | The name that you specify for your operator key secret. The Terraform template creates a secret in the GCP Secret Manager to hold the `uid_operator_key` value. You can define the name; for example, `uid2-operator-operator-key-secret-integ`. |
 | region | `string` | `"us-east1"` | no | The region that you want to deploy to. For a list of valid regions, see [Available regions and zones](https://cloud.google.com/compute/docs/regions-zones#available) in the Google Cloud documentation.
NOTE: The UID2 Private Operator implementation for GCP Confidential Space is not supported in these areas: Europe, China. |
 | network_name | `string` | `"uid-operator"` | no | The VPC resource name (also used for rules/ instance tags). |
diff --git a/scripts/gcp-oidc/terraform/main.tf b/scripts/gcp-oidc/terraform/main.tf
index 6b6e81b87..7a0141726 100644
--- a/scripts/gcp-oidc/terraform/main.tf
+++ b/scripts/gcp-oidc/terraform/main.tf
@@ -94,7 +94,7 @@ module "secret-manager" {
 resource "google_compute_instance_template" "uid_operator" {
 depends_on = [module.project_services]
 name_prefix = "uid-operator-cs-template-"
- machine_type = var.uid_deployment_env == "prod" ? "n2d-standard-8" : "n2d-standard-2"
+ machine_type = var.uid_deployment_env == "prod" ? "n2d-standard-16" : "n2d-standard-2"
 tags = [var.network_name]