cloudflare · mendess · Dec 3, 2025 · Nov 28, 2025 · Nov 28, 2025 · Dec 2, 2025
diff --git a/crates/ct_worker/README.md b/crates/ct_worker/README.md
@@ -104,36 +104,48 @@ Follow these instructions to deploy a CT log with the `dev` configuration to Clo
 
 Run the following for each of the `dev2025h1a` and `dev2025h2a` log shards to configure resources (or use `scripts/create-log.sh`):
 
-1.  Set log shard name and deployment environment.
+1.  Set log shard name and deployment environment. The [location hint][location-hint] is optional.
 
-        export LOG_NAME=dev2025h1a
-        export ENV=dev
+```bash
+export LOG_NAME=dev2025h1a
+export CLOUDFLARE_ACCOUNT_ID=some-account-id-here
+export ENV=dev
+export LOCATION=wnam # optional
+```
 
-1.  Create R2 bucket for public assets, optionally with a [location hint](https://developers.cloudflare.com/r2/reference/data-location/).
+1.  Setup the roots kv namespace
 
-        npx wrangler r2 bucket create static-ct-public-${LOG_NAME} [--location <location>]
+```bash
+npx wrangler -e="${ENV}" kv namespace create static-ct-ccadb-roots --binding ccadb_roots
+```
 
-1.  Create KV namespace for per-log deduplication cache.
+**Alternatively run the script [create-root-kv.sh](./scripts/create-root-kv.sh)**
 
-    ```text
-    # After running, add generated namespace ID to `wrangler.jsonc`
-    npx wrangler kv namespace create static-ct-cache-${LOG_NAME}
-    ```
+1.  Create the the R2 bucket for public assets, the kv namespace for per-log
+    deduplication cache and generate the [secrets][secrets-docs] for signing and witness keys.
 
-1.  Generate [secrets](https://developers.cloudflare.com/workers/configuration/secrets) for the signing and witness keys. NOTE: this will overwrite any existing secrets of the same name.
+```bash
+npx wrangler r2 bucket create static-ct-public-${LOG_NAME} [--location <location>]
+npx wrangler kv namespace create static-ct-cache-${LOG_NAME}
+openssl genpkey -algorithm ed25519 | npx wrangler -e=${ENV} secret put WITNESS_KEY_${LOG_NAME}
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | npx wrangler -e=${ENV} secret put SIGNING_KEY_${LOG_NAME}
+```
 
-        openssl genpkey -algorithm ed25519 | npx wrangler -e=${ENV} secret put WITNESS_KEY_${LOG_NAME}
-        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | npx wrangler -e=${ENV} secret put SIGNING_KEY_${LOG_NAME}
+**Alternatively, simply run the script [create-log.sh](./scripts/create-log.sh)**
 
-    (Note: For mtc_worker we use ed25519 for the signing key. There is no witness.)
+(Note: For mtc_worker we use ed25519 for the signing key. There is no witness.)
 
 1.  Deploy the worker. The worker will be available at `https://static-ct-${ENV}.<your-team>.workers.dev/logs/${LOG_NAME}`.
 
-        npx wrangler -e=${ENV} deploy
+```bash
+npx wrangler -e=${ENV} deploy
+```
 
 1.  Tail the worker:
 
-        npx wrangler -e=${ENV} tail
+```bash
+npx wrangler -e=${ENV} tail
+```
 
 1.  Send some requests. See [local development](#local-deployment) for examples.
 
@@ -197,3 +209,7 @@ This project ports code from [sunlight](https://github.com/FiloSottile/sunlight)
 ## License
 
 The project is licensed under the [BSD-3-Clause License](./LICENSE).
+
+
+location-hint: https://developers.cloudflare.com/r2/reference/data-location/
+secrets-docs: https://developers.cloudflare.com/workers/configuration/secrets
diff --git a/crates/ct_worker/scripts/create-log.sh b/crates/ct_worker/scripts/create-log.sh
@@ -1,49 +1,74 @@
 #!/usr/bin/env bash
 
 set -e -o pipefail
+cd "$(dirname "$0")/.." || exit # this script assumes it's runnnig inside the ct_worker dir
 
 # Helper script to create resources for a log shard.
 
-if [ -z $ENV ] || [ -z $LOG_NAME ] || [ -z $LOCATION ] || [ -z $CLOUDFLARE_ACCOUNT_ID ]; then
-	echo "ENV, LOG_NAME, LOCATION, and CLOUDFLARE_ACCOUNT_ID must all be set"
+if [ -z "${ENV}" ] || [ -z "${LOG_NAME}" ] || [ -z "${CLOUDFLARE_ACCOUNT_ID}" ]; then
+	echo "ENV, LOG_NAME, and CLOUDFLARE_ACCOUNT_ID must all be set"
 	exit 1
 fi
 
 WRANGLER_CONF=${WRANGLER_CONF:-wrangler.jsonc}
 
 while true; do
-    read -p "Do you want to proceed with ENV=${ENV}, LOG_NAME=${LOG_NAME}, LOCATION=${LOCATION}, CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}? (y/N) " yn
+    if [ "${LOCATION}" ]; then
+        L=", LOCATION=${LOCATION}"
+    fi
+    read -rp "Do you want to proceed with ENV=${ENV}, LOG_NAME=${LOG_NAME}${L}, CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}? (y/N) " yn
     case $yn in
         [yY] ) echo "Proceeding..."; break;;
         [nN] ) echo "Exiting..."; exit;;
         * ) echo "Invalid input. Please enter 'y' or 'N'.";;
     esac
 done
 
+
+# https://github.com/cloudflare/azul/pull/169#discussion_r2582145507
+location=()
+if [ "${LOCATION}" ]; then
+    location=(--location "${LOCATION}")
+fi
+
 # Create R2 bucket if it does not already exist
-npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" r2 bucket create static-ct-public-${LOG_NAME} --location ${LOCATION}
+npx wrangler \
+    -e="${ENV}" \
+    -c "${WRANGLER_CONF}" \
+    r2 bucket create \
+    "static-ct-public-${LOG_NAME}" \
+    --update-config \
+    --binding "public_${LOG_NAME}" "${location[@]}"
 
 # Create KV namespace if it does not already exist
-npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" kv namespace create static-ct-cache-${LOG_NAME}
+npx wrangler \
+    -e="${ENV}" \
+    -c "${WRANGLER_CONF}" \
+    kv namespace create \
+    "static-ct-cache-${LOG_NAME}" \
+    --update-config \
+    --binding "cache_${LOG_NAME}"
 
 # Create witness and log signing keys if they do not already exist
-if npx wrangler -e=${ENV} secret list | grep -q WITNESS_KEY_${LOG_NAME}; then
+if npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" secret list | grep -q "WITNESS_KEY_${LOG_NAME}"; then
 	echo "WITNESS_KEY_${LOG_NAME} already exists"
 else
-	openssl genpkey -algorithm ed25519 | npx wrangler -c "$WRANGLER_CONF" -e=${ENV} secret put WITNESS_KEY_${LOG_NAME}
+	openssl genpkey -algorithm ed25519 |
+        npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" secret put "WITNESS_KEY_${LOG_NAME}"
 fi
-if npx wrangler -e=${ENV} secret list | grep -q SIGNING_KEY_${LOG_NAME}; then
+if npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" secret list | grep -q "SIGNING_KEY_${LOG_NAME}"; then
 	echo "SIGNING_KEY_${LOG_NAME} already exists"
 else
-	openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | npx wrangler -c "$WRANGLER_CONF" -e=${ENV} secret put SIGNING_KEY_${LOG_NAME}
+	openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 |
+        npx wrangler -e="${ENV}" -c "${WRANGLER_CONF}" secret put "SIGNING_KEY_${LOG_NAME}"
 fi
 
 echo "DONE"
 echo "NOTE: If you intend to run wrangler dev with this log, you must add the appropriate signing keys to .dev.vars"
 echo "~~~~~~"
-echo "echo -n \"SIGNING_KEY_${LOG_NAME}=\\\\\"\" >> .dev.vars"
-echo "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | sed 's/$/\\\\\\\\\\\\\\\\n/g' | tr -d \\\\n >> .dev.vars"
-echo "echo '\"' >> .dev.vars"
-echo "echo -n \"WITNESS_KEY_${LOG_NAME}=\\\\\"\" >> .dev.vars"
-echo "openssl genpkey -algorithm ed25519 | sed 's/$/\\\\\\\\\\\\\\\\n/g' | tr -d \\\\n >> .dev.vars"
-echo "echo '\"' >> .dev.vars"
+printf 'echo -n "SIGNING_KEY_%s=\\"" >> .dev.vars\n' "${LOG_NAME}"
+printf 'openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | sed '\''s/$/\\\\n/g'\'' | tr -d '\''\\n'\'' >> .dev.vars\n'
+printf 'echo \\" >> .dev.vars\n'
+printf 'echo -n "WITNESS_KEY_%s=\\"" >> .dev.vars\n' "${LOG_NAME}"
+printf 'openssl genpkey -algorithm ed25519 | sed '\''s/$/\\\\n/g'\'' | tr -d '\''\\n'\'' >> .dev.vars\n'
+printf 'echo \\" >> .dev.vars\n'
diff --git a/crates/ct_worker/scripts/create-root-kv.sh b/crates/ct_worker/scripts/create-root-kv.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+cd "$(dirname "$0")/.." || exit # this script assumes it's runnnig inside the ct_worker dir
+
+# Helper script to create resources for a log shard.
+
+if [ -z "${ENV}" ] || [ -z "${CLOUDFLARE_ACCOUNT_ID}" ]; then
+	echo "ENV and CLOUDFLARE_ACCOUNT_ID must all be set"
+	exit 1
+fi
+
+WRANGLER_CONF=${WRANGLER_CONF:-wrangler.jsonc}
+
+while true; do
+    read -rp "Do you want to proceed with ENV=${ENV}, CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}? (y/N) " yn
+    case $yn in
+        [yY] ) echo "Proceeding..."; break;;
+        [nN] ) echo "Exiting..."; exit;;
+        * ) echo "Invalid input. Please enter 'y' or 'N'.";;
+    esac
+done
+
+# Create KV namespace if it does not already exist
+npx wrangler \
+    -e="${ENV}" \
+    -c "${WRANGLER_CONF}" \
+    kv namespace create \
+    static-ct-ccadb-roots \
+    --update-config \
+    --binding ccadb_roots