I have multiple API instances installed on on-premise servers that are sometimes offline. I'd like to set up one master admin node that would allow me to connect to all of them when they are online. A further concern is that it would be nice to connect tenants only to the admin node and not to each other, so that only the admin node knows about all tenants.
To achieve this goal I've set up an admin project with Elixir 1.9, with a Dockerfile that exposes the following ports:
```dockerfile
ENV APP_PORT=4000 BEAM_PORT=9000 ERL_EPMD_PORT=4369
EXPOSE $APP_PORT $BEAM_PORT $ERL_EPMD_PORT
```
and configured the release with a limited range of ephemeral ports for the BEAM node:
```sh
case $RELEASE_COMMAND in
  start*|daemon*)
    ELIXIR_ERL_OPTIONS="-kernel inet_dist_listen_min $BEAM_PORT inet_dist_listen_max $BEAM_PORT"
    export ELIXIR_ERL_OPTIONS
    ;;
  *)
    ;;
esac

export RELEASE_DISTRIBUTION=name
export RELEASE_NODE=<%= @release.name %>@my_brodcast_domain.com
```
The Docker image is deployed in a Kubernetes cluster, and this setup is valid as long as I'm using these ports only inside the k8s cluster. As I've mentioned, most of my tenant applications are outside the k8s cluster on on-premise servers, so I've set up the my_brodcast_domain.com domain, which resolves to a Kubernetes LoadBalancer Service that exposes the 4369, 9000 and 4000 ports publicly:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: admin-api
  namespace: admin-api
  labels:
    app.kubernetes.io/name: admin-api
    app.kubernetes.io/part-of: admin-api
spec:
  selector:
    app.kubernetes.io/name: admin-api
    app.kubernetes.io/part-of: admin-api
  type: LoadBalancer
  ports:
    - port: 4369
      targetPort: 4369
      name: epmd
    - port: 9000
      targetPort: 9000
      name: erlang
    - port: 80
      targetPort: 4000
      protocol: TCP
      name: app
```
I'm able to connect to the admin node from the tenant server instances:
```sh
iex --name "myapp2@my_brodcast_domain.com" --cookie "super_super_secret"
```
I'm also able to log in to the admin node via the remote console ("remsh"), and I've got access to all connected nodes. Hurray, I was happy for a while:
```
iex(admin_api@my_brodcast_domain.com)2> Node.list
[:"myapp2@my_brodcast_domain.com", :"myapp1@my_brodcast_domain.com",
 :"myapp3@my_brodcast_domain.com", :"myapp4@my_brodcast_domain.com"]
```
But now my concern is about security: I've read that I should never expose the BEAM port and the epmd port on a public network.

Since the Erlang/OTP 20.2 release there is an ssl_dist_optfile option with the following description:

> A new command line option -ssl_dist_optfile has been added to facilitate specifying the many options needed when using SSL as the distribution protocol.
I couldn't find any resource that would answer my question: is it possible to use it to secure the cluster I described? If yes, how do I configure it with an Elixir 1.9 release?
I need to rule out SSH port tunnels, because clients install these apps with docker-compose and just a run command, and they don't have the technical skills to configure SSH to pass communication over a bastion host etc.
Are there any other options to achieve my goal?
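As an added illustration that is not part of the original post, this is the shape of the Erlang term file that `-ssl_dist_optfile` points at, configured for mutual TLS between the admin node and the tenants; the certificate paths and the private CA are assumptions, and the file would be referenced by appending `-proto_dist inet_tls -ssl_dist_optfile /etc/admin_api/tls/ssl_dist.conf` to ELIXIR_ERL_OPTIONS in rel/env.sh.eex.

```erlang
%% ssl_dist.conf -- constructed example of an -ssl_dist_optfile file.
%% Both sides present a certificate and verify the peer against a private
%% CA, so a node that knows the cookie but has no CA-signed certificate
%% cannot complete the distribution handshake. All paths are assumed.
[{server,
  [{certfile,   "/etc/admin_api/tls/node.pem"},   % this node's certificate
   {keyfile,    "/etc/admin_api/tls/node.key"},   % its private key
   {cacertfile, "/etc/admin_api/tls/ca.pem"},     % private CA that signs node certs
   {verify, verify_peer},                          % demand and check the peer cert
   {fail_if_no_peer_cert, true},                   % reject peers that send none
   {depth, 0},                                     % peer cert must be signed by the CA directly
   {secure_renegotiate, true}]},
 {client,
  [{certfile,   "/etc/admin_api/tls/node.pem"},   % same identity when dialing out
   {keyfile,    "/etc/admin_api/tls/node.key"},
   {cacertfile, "/etc/admin_api/tls/ca.pem"},
   {verify, verify_peer},                          % tenants also verify the admin node
   {depth, 0},
   {secure_renegotiate, true}]}].
```

This encrypts and authenticates the distribution channel on port 9000 only; epmd on 4369 is unaffected by it, and the ssl application must be available before distribution starts (the OTP guide "Using TLS for Erlang Distribution" covers that boot requirement).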