Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tezos signer forwarder #498

Merged
merged 40 commits into from
Nov 10, 2023
Merged

Tezos signer forwarder #498

merged 40 commits into from
Nov 10, 2023

Conversation

nicolasochem
Copy link
Collaborator

@nicolasochem nicolasochem commented Oct 18, 2022

The last remaining piece of https://github.com/midl-dev/tezos-on-gke/ to move into tezos-k8s, tezos-signer-forwarder is a terminating pod for ssh tunnels exposing a tezos signing endpoint from an on-prem location.

This PR introduces:

  • a new alpine container running sshd with custom configuration: this is the tunnel termination endpoint
  • a sidecar for this container that exposes the metrics of the signer, complemented with a custom URL monitor
  • a chart.

The chart allows to define several "bakers" which correspond to one baking public key. A "baker" can have several "endpoints" corresponding to an individual hardware signer. Every "baker" deploys a service that the tezos chart can target as remote signer; this is indistinguishable from a cloud-hosted signer.

This supports HA deployments with 2 remote signers.

It works well in combination with https://github.com/midl-dev/tezos-remote-signer-os but all that's really needed is to connect to the ssh tunnel endpoint and forward the signer port.

This will be better documented later.

The last remaining piece of https://github.com/midl-dev/tezos-on-gke/ to
move into tezos-k8s, tezos-signer-forwarder is a terminating pod for ssh
tunnels exposing a tezos signing endpoint from an on-prem location.
@nicolasochem nicolasochem marked this pull request as ready for review April 12, 2023 03:43
Copy link
Collaborator

@harryttd harryttd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have to finish reviewing a few things but submitting my current comments. Went through most of the PR but still need to understand better the services and statefulset "endpoints". I don't recall if we spoke about sts vs deployment for this PR or another one, but that is one thing i'm thinking about. As there is no state for the forwarders, and they don't appear to be scalable on the sts pods level, then why not just use a deployment.

Comment on lines +3 to +4
metadata:
name: tezos-signer-forwarder-secret-{{ .Values.name }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe namespace should be used, otherwise resources will not be deployed in the correct ns. There are other resources as well missing the namespace field.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, I think helm always installs stuff in a specific namespace, and so does pulumi.

https://www.reddit.com/r/kubernetes/comments/uglbn3/should_i_define_the_namespace_metadata_info_on_my/

I've actually removed it wherever it was still set on this chart. I know it's different from all our other charts in this repo, so I'm ok to re-add them because of consistency, but by default I wouldn't because these lines don't do anything.

charts/tezos-signer-forwarder/templates/service.yaml Outdated Show resolved Hide resolved
charts/tezos-signer-forwarder/templates/service.yaml Outdated Show resolved Hide resolved
signerForwarder/Dockerfile Outdated Show resolved Hide resolved
charts/tezos-signer-forwarder/templates/config.yaml Outdated Show resolved Hide resolved
app.kubernetes.io/name: tezos-signer-forwarder
midl_baker_name: {{ $name }}
midl_endpoint_name: {{ $endpoint.alias }}
spec:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

podSecurityContext should be set, and more k8s fields in general should be configurable, such as serviceAccountName. See kms signer example

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the point. security context can't be modified since we need to run as root, and the service account is not needed. This is unlike kms where you need a service account to bind to IAM permissions to access the KMS.

secret:
secretName: tezos-signer-forwarder-secret-{{ $.Values.name }}
defaultMode: 0400
containers:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Containers should not be allowed privilege escalation, and all linux capabilities should be dropped unless they happen to be needed. See kms signer example

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried and I got

chroot("/var/empty"): Operation not permitted [preauth] 

charts/tezos-signer-forwarder/scripts/signer_exporter.py Outdated Show resolved Hide resolved
charts/tezos-signer-forwarder/scripts/signer_exporter.py Outdated Show resolved Hide resolved
Comment on lines +54 to +59
- name: config-volume
mountPath: /home/signer/.ssh/authorized_keys
subPath: authorized_keys
- name: secret-volume
mountPath: /etc/ssh/ssh_host_ecdsa_key
subPath: ssh_host_ecdsa_key
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be able to add readOnly: true to these mounts. Although cm and secrets in aws at least are read-only, i don't believe the backing storage is like that across all k8s providers

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

charts/tezos-signer-forwarder/templates/service.yaml Outdated Show resolved Hide resolved
charts/tezos-signer-forwarder/templates/statefulset.yaml Outdated Show resolved Hide resolved
charts/tezos-signer-forwarder/templates/config.yaml Outdated Show resolved Hide resolved
@nicolasochem
Copy link
Collaborator Author

@harryttd long story short, I was struggling with this a lot in the past, I've now rediscovered that sshd must run as root. It's not really meant to be used in containers, but it's possible to do so as long as you don't change the user. There is still an user (signer) but sshd assumes this identity when it starts. see https://superuser.com/a/1548482

I've addressed your other comments, thanks for them. Please re-review.

Copy link
Collaborator

@harryttd harryttd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left a couple more comments. but otherwise approved. thanks

@nicolasochem nicolasochem merged commit 4d858ba into master Nov 10, 2023
22 checks passed
@nicolasochem nicolasochem deleted the tezos_signer_forwarder branch November 10, 2023 23:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants