chore: Rename Cerbos Cloud to Cerbos Hub (#1836)

* chore: Rename Cerbos Cloud to Cerbos Hub

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

* Fix typo

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

* Fix docs URL

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

---------

Signed-off-by: Charith Ellawala <charith@cerbos.dev>

cmd/cerbos/server/server.go

@@ -50,7 +50,7 @@ type Cmd struct {
 	DebugListenAddr string       `help:"Address to start the gops listener" placeholder:":6666"`
 	LogLevel        LogLevelFlag `help:"Log level (${enum})" default:"info" enum:"debug,info,warn,error"`
 	Config          string       `help:"Path to config file" optional:"" placeholder:".cerbos.yaml" env:"CERBOS_CONFIG"`
-	CloudBundle     string       `help:"Use Cerbos Cloud to pull the policy bundle with the given label. Overrides the store defined in the configuration." optional:"" env:"CERBOS_CLOUD_BUNDLE"`
+	HubBundle       string       `help:"Use Cerbos Hub to pull the policy bundle with the given label. Overrides the store defined in the configuration." optional:"" env:"CERBOS_HUB_BUNDLE,CERBOS_CLOUD_BUNDLE"`
 	Set             []string     `help:"Config overrides" placeholder:"server.adminAPI.enabled=true"`
 	ZPagesEnabled   bool         `help:"Enable zpages" hidden:""`
 }
@@ -84,16 +84,16 @@ func (c *Cmd) Run() error {
 		}
 	}
 
-	if c.CloudBundle != "" {
+	if c.HubBundle != "" {
 		for _, override := range []string{
 			"storage.driver=bundle",
-			fmt.Sprintf("storage.bundle.remote.bundleLabel=%s", c.CloudBundle),
+			fmt.Sprintf("storage.bundle.remote.bundleLabel=%s", c.HubBundle),
 		} {
 			if err := strvals.ParseInto(override, confOverrides); err != nil {
-				return fmt.Errorf("failed to parse cloud override [%s]: %w", override, err)
+				return fmt.Errorf("failed to parse Cerbos Hub override [%s]: %w", override, err)
 			}
 		}
-		log.Infof("Adding configuration override to use Cerbos Cloud bundle labelled %q", c.CloudBundle)
+		log.Infof("Adding configuration override to use Cerbos Hub bundle labelled %q", c.HubBundle)
 	}
 
 	// load configuration

deploy/charts/cerbos/values-bundle-storage.yaml

@@ -1,11 +1,11 @@
-# Illustrates how to connect to Cerbos Cloud
+# Illustrates how to connect to Cerbos Hub
 # Prerequisites:
-# - Sign-up to Cerbos Cloud and follow the instructions to create an API key
-# - Create a Kubernetes secret named `cerbos-cloud-credentials`:
-#      kubectl create secret generic cerbos-cloud-credentials \
-#         --from-literal=CERBOS_CLOUD_CLIENT_ID=<YOUR_CLIENT_ID> \
-#         --from-literal=CERBOS_CLOUD_CLIENT_SECRET=<YOUR_CLIENT_SECRET> \
-#         --from-literal=CERBOS_CLOUD_SECRET_KEY=<YOUR_SECRET_KEY>
+# - Sign-up to Cerbos Hub and follow the instructions to create client credentials.
+# - Create a Kubernetes secret named `cerbos-hub-credentials`:
+#      kubectl create secret generic cerbos-hub-credentials \
+#         --from-literal=CERBOS_HUB_CLIENT_ID=<YOUR_CLIENT_ID> \
+#         --from-literal=CERBOS_HUB_CLIENT_SECRET=<YOUR_CLIENT_SECRET> \
+#         --from-literal=CERBOS_HUB_WORKSPACE_SECRET=<YOUR_WORKSPACE_SECRET>
 
 cerbos:
   config:
@@ -14,10 +14,9 @@ cerbos:
       driver: "bundle"
       bundle:
         remote:
-          bundleLabel: "YOUR_LABEL" # Alternatively, add `CERBOS_CLOUD_BUNDLE=<YOUR_LABEL>` to the secret you created above.
+          bundleLabel: "YOUR_LABEL" # Alternatively, add `CERBOS_HUB_BUNDLE=<YOUR_LABEL>` to the secret you created above.
 
 # Create environment variables from the secret.
 envFrom:
   - secretRef:
-      name: cerbos-cloud-credentials
-
+      name: cerbos-hub-credentials

docs/modules/configuration/partials/fullconfiguration.adoc

@@ -120,10 +120,10 @@ storage:
     # This section is required only if storage.driver is bundle.
     cacheSize: 1024 # CacheSize defines the number of policies to cache in memory.
     credentials: # Credentials holds bundle source credentials.
-      clientID: 92B0K05B6HOF # ClientID of the Cerbos Cloud API key. Defaults to the value of the CERBOS_CLOUD_CLIENT_ID environment variable.
-      clientSecret: ${CERBOS_CLOUD_CLIENT_SECRET} # ClientSecret of the Cerbos Cloud API key. Defaults to the value of the CERBOS_CLOUD_CLIENT_SECRET environment variable.
-      instanceID: crb-004 # InstanceID is the unique identifier for this Cerbos instance. Defaults to the value of the CERBOS_PDP_ID environment variable.
-      secretKey: ${CERBOS_CLOUD_SECRET_KEY} # SecretKey to decrypt the bundles. Defaults to the value of the CERBOS_CLOUD_SECRET_KEY environment variable.
+      clientID: 92B0K05B6HOF # ClientID of the Cerbos Hub credential. Defaults to the value of the CERBOS_HUB_CLIENT_ID environment variable.
+      clientSecret: ${CERBOS_HUB_CLIENT_SECRET} # ClientSecret of the Cerbos Hub credential. Defaults to the value of the CERBOS_HUB_CLIENT_SECRET environment variable.
+      pdpID: crb-004 # PDPID is the unique identifier for this Cerbos instance. Defaults to the value of the CERBOS_HUB_PDP_ID environment variable.
+      workspaceSecret: ${CERBOS_HUB_WORKSPACE_SECRET} # WorkspaceSecret used to decrypt the bundles. Defaults to the value of the CERBOS_HUB_WORKSPACE_SECRET environment variable.
     local: # Local holds configuration for local bundle source.
       bundlePath: /path/to/bundle.crbp # Required. BundlePath is the full path to the local bundle file.
       tempDir: ${TEMP} # TempDir is the directory to use for temporary files.

docs/supplemental-ui/partials/header-content.hbs

@@ -28,9 +28,9 @@
             <a class="navbar-item" href="https://github.com/cerbos/cerbos">Code</a>
             <a class="navbar-item" href="https://github.com/cerbos/cerbos/issues">Issue Tracker</a>
             <a class="navbar-item" href="https://github.com/cerbos/cerbos/discussions">Discussion Forum</a>
-            <div class="navbar-item"><strong>Cerbos Cloud</strong></div>
-            <a class="navbar-item" href="https://cerbos.cloud">Sign up</a>
-            <a class="navbar-item" href="https://docs.cerbos.dev/cerbos-cloud/latest/index.html">Documentation</a>
+            <div class="navbar-item"><strong>Cerbos Hub</strong></div>
+            <a class="navbar-item" href="https://hub.cerbos.cloud">Sign up</a>
+            <a class="navbar-item" href="https://docs.cerbos.dev/cerbos-hub/">Documentation</a>
           </div>
         </div>
 
@@ -44,7 +44,7 @@
         </div>
 
         <a class="navbar-item" href="https://cerbos.dev">Cerbos website</a>
-        <a class="navbar-item" href="https://cerbos.cloud">Cerbos Cloud</a>
+        <a class="navbar-item" href="https://hub.cerbos.cloud">Cerbos Hub</a>
 
       </div>
     </div>

hack/dev/conf.secure.bundle.yaml

@@ -43,7 +43,7 @@ storage:
     local:
       bundlePath: internal/test/testdata/bundle/bundle.crbp
     credentials:
-      secretKey: CERBOS-1PVCDJFES5KDVJPL2Y8U6NEW7W6NHL5Z8HG7KSUGJRTCWSN4RJW4Q8HVPZE
+      workspaceSecret: CERBOS-1PVCDJFES5KDVJPL2Y8U6NEW7W6NHL5Z8HG7KSUGJRTCWSN4RJW4Q8HVPZE
 
 schema:
   enforcement: reject

internal/observability/metrics/metrics.go

@@ -140,14 +140,14 @@ var (
 		Aggregation: view.LastValue(),
 	}
 
-	CloudConnectedCount = stats.Int64(
-		"cerbos.dev/cloud/connected",
-		"Is the instance connected to Cerbos Cloud",
+	HubConnectedCount = stats.Int64(
+		"cerbos.dev/hub/connected",
+		"Is the instance connected to Cerbos Hub",
 		stats.UnitDimensionless,
 	)
 
-	CloudConnectedCountView = &view.View{
-		Measure:     CloudConnectedCount,
+	HubConnectedCountView = &view.View{
+		Measure:     HubConnectedCount,
 		Aggregation: view.LastValue(),
 	}
 
@@ -255,11 +255,11 @@ var DefaultCerbosViews = []*view.View{
 	BundleStoreUpdatesCountView,
 	CacheAccessCountView,
 	CacheMaxSizeView,
-	CloudConnectedCountView,
 	CompileDurationView,
 	EngineCheckLatencyView,
 	EngineCheckBatchSizeView,
 	EnginePlanLatencyView,
+	HubConnectedCountView,
 	IndexCRUDCountView,
 	IndexEntryCountView,
 	StorePollCountView,

internal/server/server_test.go

@@ -86,7 +86,7 @@ func TestServer(t *testing.T) {
 
 			conf := &bundle.Conf{
 				CacheSize:   1024,
-				Credentials: bundle.CredentialsConf{SecretKey: string(bytes.TrimSpace(keyBytes))},
+				Credentials: bundle.CredentialsConf{WorkspaceSecret: string(bytes.TrimSpace(keyBytes))},
 				Local: &bundle.LocalSourceConf{
 					BundlePath: filepath.Join(dir, "bundle.crbp"),
 					TempDir:    t.TempDir(),

internal/storage/bundle/conf.go

@@ -20,13 +20,6 @@ import (
 const (
 	confKey = storage.ConfKey + "." + DriverName
 
-	bundleLabelEnvVar  = "CERBOS_CLOUD_BUNDLE"
-	clientIDEnvVar     = "CERBOS_CLOUD_CLIENT_ID"
-	clientSecretEnvVar = "CERBOS_CLOUD_CLIENT_SECRET" //nolint:gosec
-	instanceIDEnvVar   = "CERBOS_PDP_ID"
-	offlineEnvVar      = "CERBOS_CLOUD_OFFLINE"
-	secretKeyEnvVar    = "CERBOS_CLOUD_SECRET_KEY" //nolint:gosec
-
 	defaultAPIEndpoint       = "https://api.cerbos.cloud"
 	defaultBootstrapHost     = "https://cdn.cerbos.cloud"
 	defaultCacheSize         = 1024
@@ -39,6 +32,42 @@ const (
 
 var ErrNoSource = errors.New("at least one of local or remote sources must be defined")
 
+type envVarKey int
+
+const (
+	bundleLabelKey envVarKey = iota
+	clientIDKey
+	clientSecretKey
+	offlineKey
+	pdpIDKey
+	workspaceSecretKey
+)
+
+var envVars = map[envVarKey][]string{
+	bundleLabelKey:     {"CERBOS_HUB_BUNDLE", "CERBOS_CLOUD_BUNDLE"},
+	clientIDKey:        {"CERBOS_HUB_CLIENT_ID", "CERBOS_CLOUD_CLIENT_ID"},
+	clientSecretKey:    {"CERBOS_HUB_CLIENT_SECRET", "CERBOS_CLOUD_CLIENT_SECRET"},
+	offlineKey:         {"CERBOS_HUB_OFFLINE", "CERBOS_CLOUD_OFFLINE"},
+	pdpIDKey:           {"CERBOS_HUB_PDP_ID", "CERBOS_PDP_ID"},
+	workspaceSecretKey: {"CERBOS_HUB_WORKSPACE_SECRET", "CERBOS_CLOUD_SECRET_KEY"},
+}
+
+func getEnv(key envVarKey) string {
+	varNames, ok := envVars[key]
+	if !ok {
+		return ""
+	}
+
+	for _, v := range varNames {
+		val, ok := os.LookupEnv(v)
+		if ok {
+			return val
+		}
+	}
+
+	return ""
+}
+
 // Conf is required (if driver is set to 'bundle') configuration for bundle storage driver.
 // +desc=This section is required only if storage.driver is bundle.
 type Conf struct {
@@ -54,18 +83,22 @@ type Conf struct {
 
 // CredentialsConf holds credentials for accessing the bundle service.
 type CredentialsConf struct {
-	// InstanceID is the unique identifier for this Cerbos instance. Defaults to the value of the CERBOS_PDP_ID environment variable.
-	InstanceID string `yaml:"instanceID" conf:",example=crb-004"`
-	// ClientID of the Cerbos Cloud API key. Defaults to the value of the CERBOS_CLOUD_CLIENT_ID environment variable.
+	// PDPID is the unique identifier for this Cerbos instance. Defaults to the value of the CERBOS_HUB_PDP_ID environment variable.
+	PDPID string `yaml:"pdpID" conf:",example=crb-004"`
+	// ClientID of the Cerbos Hub credential. Defaults to the value of the CERBOS_HUB_CLIENT_ID environment variable.
 	ClientID string `yaml:"clientID" conf:",example=92B0K05B6HOF"`
-	// ClientSecret of the Cerbos Cloud API key. Defaults to the value of the CERBOS_CLOUD_CLIENT_SECRET environment variable.
-	ClientSecret string `yaml:"clientSecret" conf:",example=${CERBOS_CLOUD_CLIENT_SECRET}"`
-	// SecretKey to decrypt the bundles. Defaults to the value of the CERBOS_CLOUD_SECRET_KEY environment variable.
-	SecretKey string `yaml:"secretKey" conf:",example=${CERBOS_CLOUD_SECRET_KEY}"`
+	// ClientSecret of the Cerbos Hub credential. Defaults to the value of the CERBOS_HUB_CLIENT_SECRET environment variable.
+	ClientSecret string `yaml:"clientSecret" conf:",example=${CERBOS_HUB_CLIENT_SECRET}"`
+	// WorkspaceSecret used to decrypt the bundles. Defaults to the value of the CERBOS_HUB_WORKSPACE_SECRET environment variable.
+	WorkspaceSecret string `yaml:"workspaceSecret" conf:",example=${CERBOS_HUB_WORKSPACE_SECRET}"`
+	// Deprecated: Use PDPID
+	InstanceID string `yaml:"instanceID" conf:",ignore"`
+	// Deprecated: Use WorkspaceSecret
+	SecretKey string `yaml:"secretKey" conf:",ignore"`
 }
 
 func (cc CredentialsConf) ToCredentials() (*credentials.Credentials, error) {
-	return credentials.New(cc.ClientID, cc.ClientSecret, cc.SecretKey)
+	return credentials.New(cc.ClientID, cc.ClientSecret, cc.WorkspaceSecret)
 }
 
 // LocalSourceConf holds configuration for local bundle store.
@@ -124,10 +157,10 @@ func (conf *Conf) SetDefaults() {
 	conf.CacheSize = defaultCacheSize
 
 	conf.Credentials = CredentialsConf{
-		ClientID:     os.Getenv(clientIDEnvVar),
-		ClientSecret: os.Getenv(clientSecretEnvVar),
-		InstanceID:   os.Getenv(instanceIDEnvVar),
-		SecretKey:    os.Getenv(secretKeyEnvVar),
+		ClientID:        getEnv(clientIDKey),
+		ClientSecret:    getEnv(clientSecretKey),
+		PDPID:           getEnv(pdpIDKey),
+		WorkspaceSecret: getEnv(workspaceSecretKey),
 	}
 }
 
@@ -148,6 +181,16 @@ func (conf *Conf) Validate() (outErr error) {
 		outErr = multierr.Append(outErr, err)
 	}
 
+	// SecretKey was renamed to WorkspaceSecret in Cerbos 0.31.0
+	if conf.Credentials.WorkspaceSecret == "" && conf.Credentials.SecretKey != "" {
+		conf.Credentials.WorkspaceSecret = conf.Credentials.SecretKey
+	}
+
+	// InstanceID was renamed to PDPID in Cerbos 0.31.0
+	if conf.Credentials.PDPID == "" && conf.Credentials.InstanceID != "" {
+		conf.Credentials.PDPID = conf.Credentials.InstanceID
+	}
+
 	return outErr
 }
 
@@ -174,7 +217,7 @@ func (lc *LocalSourceConf) setDefaults() error {
 	}
 
 	if lc.TempDir == "" {
-		dir, err := os.MkdirTemp("", "cerbos-cloud-*")
+		dir, err := os.MkdirTemp("", "cerbos-hub-*")
 		if err != nil {
 			return fmt.Errorf("failed to create temporary directory: %w", err)
 		}
@@ -189,6 +232,10 @@ func (rc *RemoteSourceConf) validate() error {
 		return nil
 	}
 
+	if rc.BundleLabel == "" {
+		rc.BundleLabel = getEnv(bundleLabelKey)
+	}
+
 	if strings.TrimSpace(rc.BundleLabel) == "" {
 		return errors.New("bundleLabel must be specified")
 	}
@@ -202,11 +249,11 @@ func (rc *RemoteSourceConf) setDefaults() error {
 	}
 
 	if rc.BundleLabel == "" {
-		rc.BundleLabel = os.Getenv(bundleLabelEnvVar)
+		rc.BundleLabel = getEnv(bundleLabelKey)
 	}
 
 	if rc.TempDir == "" {
-		dir, err := os.MkdirTemp("", "cerbos-cloud-*")
+		dir, err := os.MkdirTemp("", "cerbos-hub-*")
 		if err != nil {
 			return fmt.Errorf("failed to create temporary directory: %w", err)
 		}
@@ -219,7 +266,7 @@ func (rc *RemoteSourceConf) setDefaults() error {
 			return fmt.Errorf("failed to determine cache directory: %w", err)
 		}
 
-		dir := filepath.Join(cacheDir, "cerbos-cloud")
+		dir := filepath.Join(cacheDir, "cerbos-hub")
 		//nolint:gomnd
 		if err := os.MkdirAll(dir, 0o764); err != nil {
 			return fmt.Errorf("failed to create cache dir %q: %w", dir, err)