proper way to acquire a token automatically

[boredland]

Hi there!

If I understand the token correctly, it is meant to be acquired once per application and thereafter will indicate ownership over all queues created by it.

For me, that leads to a significant question about automation:

In a CI/CD and IaC (terraform) environment: who acquires it?

So far I tried these approaches:

• ❌ terraform does the curl via an external data source and provides the QUIRREL_TOKEN. this creates a new token on every run of terraform.
• ❌ the ci does the curl and sets it for the deployment environment. this creates a new token on each deployment.

While I might be able to hack sth. around terraform to not update the token every time, my feeling is, that I don't really understand what the purpose of the QUIRREL_TOKEN is. Specifically in a, usually, non multi-tenant self-hosted environment.

Wouldn't the symmetrical encryption already ensure ownership?

Is the correct combination of QUIRREL_BASE_URL and QUIRREL_ENCRYPTION_SECRET not already enough to guarantee that the correct application is processing he tasks it submitted?

Am I overseeing something?

Would it be an option to provide a way to set a token via an environment variable as a workaround?

[Skn0tt]

The specific semantics of acquiring a QUIRREL_TOKEN is indeed a leftover from multi-tenacy. But also without multi-tenacy, QUIRREL_TOKEN is required for authentication between Quirrel server and your application, since at least the application needs to be reachable via the public internet.

The correct combination of QUIRREL_BASE_URL and QUIRREL_ENCRYPTION_SECRET is indeed not enough, since QUIRREL_ENCRYPTION_SECRET is only for client-side encryption of job payloads. If there was no added security, then a malicious actor that discovered QUIRREL_BASE_URL (which is easy to discover, given it's the url of your application) would be able to e.g. delete all queued jobs.

The intended way of acquiring a Quirrel token is to do it once by hand, and then store it in some config (e.g. env variables). Can you elaborate on the need for doing this automatically?

[boredland]

need probably is a stretch, but when you already provision the quirrel containers and all environment variables via terraform, it feels awkward to do a single step "by hand". but well, I could, for sure ;-)

[Skn0tt]

Quirrel is designed for JAMStack applications, so terraform-based deployments or similar didnt inform the design. I'm curious, why are you opting for Quirrel as your jobqueue instead of smth like BullMQ or Agenda?

[boredland]

It is a jamstack application (kinda). We don't use terraform for the deployments of our application itself, but to provision environment variables and external dependencies, like quirrel.

[Skn0tt]

Okidoke :) Did this thread help your issue, or are there still open questions related to this?

[boredland]

It is just good to know. If I get very bored, I'll look into a proper terrafrom integration. But setting it manually is fine for now.