
Cluster Mode

Lucas Teske edited this page Apr 4, 2019 · 5 revisions

Remote Signer Cluster Mode

Remote Signer supports a cluster mode when running inside Kubernetes. It enables secure password sharing between all nodes, so that once a private key is unlocked on one node it becomes available on the other trusted nodes as well.

The trust anchor between nodes is a common GPG key shared by all of them. The GPG key is specified by the following environment variables:

  • MASTER_GPG_KEY_PATH => Path of the GPG Key File (the file should be the same for all nodes)
  • MASTER_GPG_KEY_PASSWORD_PATH => Path of the GPG Key Password File
  • MASTER_GPG_KEY_BASE64_ENCODED => Whether the GPG Key file is base64 encoded

This GPG key should be stored, together with its password, in a strictly access-controlled Secret inside the Kubernetes cluster. Remote Signer uses the Kubernetes API to discover other remote-signer nodes in the same namespace. To allow that discovery, an RBAC rule should be created that lets the nodes read the namespace:

kubectl create rolebinding pod-reader --clusterrole=view --serviceaccount=PODNAME:default --namespace=POD_NAMESPACE

So, for example, if the remote-signer pod is named server and runs in the remote-signer namespace, you should run:

kubectl create rolebinding pod-reader --clusterrole=view --serviceaccount=server:default --namespace=remote-signer
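As an added example that is not part of the Remote Signer project, the following single manifest wires together the pieces described above: the Secret holding the shared master GPG key and its password, the environment variables pointing at them, and the same pod-reader grant expressed as a RoleBinding object (where the subject names the service account and its namespace explicitly). The image name, secret name, mount path, and the "true" value for MASTER_GPG_KEY_BASE64_ENCODED are assumptions.

```yaml
apiVersion: v1
kind: Secret
metadata: {name: remote-signer-master-gpg, namespace: remote-signer}
type: Opaque
stringData:
  # Constructed placeholders: the armored private key (base64-encoded) and its
  # passphrase. Every node must receive exactly the same key material.
  master.key.b64: "<BASE64_OF_ARMORED_GPG_PRIVATE_KEY>"
  master.password: "<GPG_KEY_PASSPHRASE>"
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: server, namespace: remote-signer}
spec:
  replicas: 3
  selector:
    matchLabels: {app: remote-signer}
  template:
    metadata:
      labels: {app: remote-signer}
    spec:
      serviceAccountName: default
      volumes:
        - name: master-gpg
          secret:
            secretName: remote-signer-master-gpg
            defaultMode: 0400   # key and passphrase readable by the owner only
      containers:
        - name: remote-signer
          image: REMOTE_SIGNER_IMAGE   # placeholder, not a real image reference
          env:
            # The three variables this page documents, pointing at the mounted Secret.
            - {name: MASTER_GPG_KEY_PATH, value: /secrets/master.key.b64}
            - {name: MASTER_GPG_KEY_PASSWORD_PATH, value: /secrets/master.password}
            - {name: MASTER_GPG_KEY_BASE64_ENCODED, value: "true"}
          volumeMounts:
            - {name: master-gpg, mountPath: /secrets, readOnly: true}
---
# Same grant as the kubectl rolebinding command above, in manifest form:
# ClusterRole "view" bound to the pods' service account, scoped to the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pod-reader, namespace: remote-signer}
subjects:
  - kind: ServiceAccount
    name: default
    namespace: remote-signer
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The view ClusterRole grants read access to far more than pods (services, configmaps, and other namespaced resources); if discovery only needs to list pods, a namespace-scoped Role allowing get and list on pods is the least-privilege alternative.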

Then the nodes should be able to discover themselves and each other:

...
INFO| RemoteSigner   | Remote Signer is now listening at 0.0.0.0:5100
INFO| Kubernetes     | Starting Kubernetes Routine
INFO| Kubernetes     | Kubernetes Namespace: remote-signer
INFO| Kubernetes     | Pod Hostname: server-5bb7f59794-jcphc
INFO| Kubernetes     | Pod ID: 4bea628e-571c-11e9-a7ec-468ba104692f
INFO| Kubernetes     | To avoid concurrency on cluster starting we're waiting 1 second plus some random time
INFO| Kubernetes     | The exact time is 4000 ms
INFO| Kubernetes     | Checking for other remote-signer nodes...
INFO| Kubernetes     | There are 3 pods (including me). Fetching encrypted passwords...
INFO| Kubernetes     | Received 6 passwords from 10.42.15.178
INFO| GPG Endpoint   | [200] ( 0.20 ms) { 2 bytes} POST /remoteSigner/__internal/__postEncryptedPasswords from ::1
INFO| Kubernetes     | Received 6 passwords from 10.42.18.73
INFO| GPG Endpoint   | [200] ( 0.15 ms) { 2 bytes} POST /remoteSigner/__internal/__postEncryptedPasswords from ::1
INFO| Kubernetes     | Received 12 passwords from 3 pods. Triggering Local Unlock
INFO| SecretsManager | Unlocking key 6EFF0C82BE03FFD9
...