[WIP] Feature: pgp flux app signer #1212
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This ones a pretty big deal in my opinon. Mostly done - just need a bit more real world testing and some unittests. (and check the networking)
Allows Flux apps to validate each other. So you can be sure that the inbound / outbound sockets are authenticated between apps.
Background:
Flux has an issue whereby you want to inject private data into running apps, like databases, secrets etc. This in the past has been done by FluxVault. When the app starts up, FluxVault connects to it and gives it some config. This is reliant on the public ip address, and more importantly, there is no secure way for a node to reach out to the vault and identify itself.
Now you can!
It means you can seed a FluxApp once - and then nodes can go to other nodes to get their config / secrets!
What this pull does:
Adds a service that is available to flux docker networks on the hostname
http://app.identity.service:80
where applications can request a message signed by the node.The cleartext message and encrypted message are returned to the flux application. The encrypted message contains the appname (based off container source IP by inspecting docker networks) so it is authentication on a per app basis per fluxnode.
There is also an endpoint to decrypt a message - the other end would use this, then send the cleartext message back to prove that they are part of the "app group"
This app signer service has 3 endpoints:
Suggested mesage flow for an app:
I will edit this writeup and expand a bit... just want to get this pull in.
I was going to pre fetch / cache all the pgp keys for any apps that are deployed on a node, but I'm not sure if this will actually benefit as I'm not sure how fast the application started messages are broadcast. I.e. will a new docker app spin up before the message has reached the target node. I'll do some more testing / thinking around this.