Azure
The Relay Server is the plumbing that all MPC communication goes through. It is built in a way that it is completely untrusted and so the MPC SDKs and MPC Vertex will encrypt all data before sending it through the Relay. To deploy the Relay server on your cloud environment please read the guide below.
Architecture
The self-hosted solution comes in two forms: a dedicated Terraform module per cloud provider, and a general use Helm chart. Both should be run on your organization's computing infrastructure. We recommend you first look at our example Terraform module and modify it according to your organization's needs.
Requirements
Before starting the installation process, make sure you have the following installed:
- The
terraformCLI. - The relevant cloud provider CLI (e.g.
azfor Azure).- Make sure you are logged in (i.e
az login). - Make sure your account has permissions to create resources (such as clusters, load balancers, etc...).
- Make sure you are logged in (i.e
In addition, this guide assumes you're running the provided example Terraform module as the root module (although most steps are applicable when running it as a submodule as well).
Installation Process
The installation process consists of the following steps:
- Collecting installation parameters
- Obtaining a TLS certificate
- Setting a preconfigured API key
- Obtaining the Terraform Module
- Applying the Terraform module
- Setting the DNS record to
URL_ENDPOINT - Modify existing code
1. Collecting Parameters
At this step you should collect the following pieces of information, listed down below. At the end of each bullet we put in parentheses a capitalized name which will be used to refer to the value being set throughout the rest of this guide.
- The endpoint URL that you wish to host your relay server at (
URL_ENDPOINT). - The Sodot Artifactory user and token which provide access to the Terraform modules, Helm charts, and Docker images (
ARTIFACTORY_USERandARTIFACTORY_TOKEN). You can obtain these by following the Obtaining Credentials guide.
2. Obtaining a TLS Certificate
You should obtain a TLS certificate for the URL_ENDPOINT domain. It should be generated for the exact URL_ENDPOINT.
The certificate should be configured inside an instance of Azure Key Vault (KEY_VAULT_NAME). To use this certificate for the relay server, please pass the following variables when performing the terraform apply operation (more on that specifically below):
resource_group_location=<LOCATION>- the location at which the cluster will be provisioned. Not to be confused withkey_vault_resource_group.key_vault_name=<KEY_VAULT_NAME>- configure the name of the key vault holding the certificate.key_vault_resource_group=<KEY_VAULT_RESOURCE_GROUP>- configure which Resource Group the key vault is associated with.- NOTE: This is not the Resource Group that the Relay cluster will be created under.
certificate_id=<CERTIFICATE_ID>- the ID (URI) of the certificate that will be used for TLS termination.
3. Setting a Preconfigured API Key
When setting up your relay server, you should configure an API key.
This is done by passing the relay_api_key variable to the terraform apply invocation (more on that below).
The relay_api_key value is encoded as KEY,NAME where KEY is the base64url encoding (not plain base64) of a 16-byte value and NAME is the name of the API key.
To set a 16-byte API key with the following hexadecimal representation: 00112233445566778899aabbccddeeff with the name AdminKey pass relay_api_key=ABEiM0RVZneImaq7zN3u_w==,AdminKey when invoking terraform apply.
A hexadecimal string can be base64url-encoded in bash-like shells using the following command.
$ echo -n '00112233445566778899aabbccddeeff' | xxd -r -p | base64 | tr '+/' '-_'
ABEiM0RVZneImaq7zN3u_w==
4. Obtaining the Terraform Module
You can consume the Relay Server Terraform module from the Sodot private registry in one of two ways:
A. Use the module directly from the registry
First, you'll need to log in to the Sodot Docker registry using the credentials you obtained in the previous step.
terraform login repo.sodot.dev
Then, you can use the module directly from the registry by adding it to your Terraform configuration.
Add the following block to your main.tf (or similar) and run terraform init. Terraform will pull the module from your JFrog Artifactory registry at runtime.
module "relay" {
source = "repo.sodot.dev/sodot-terraform-modules__sodot/relay/azure"
...
}
B. Download the raw Terraform module to customize it
-
Fetch the desired release (replace
<VERSION>with a tag such asv1.3.12):curl -u "<ARTIFACTORY_USER>:<ARTIFACTORY_TOKEN>" \
-O "https://repo.sodot.dev/artifactory/sodot-terraform-modules/sodot/relay/azure/<VERSION>.zip"Alternatively, you can use the Artifactory GUI instead.
-
Unzip and make it your root module:
unzip <VERSION>.zip -d relay
cd relay
5. Applying the Terraform Module to Your Cloud Environment
Setting up the Relay infrastructure is done with terraform apply (after terraform init).
Where you run those commands depends on the option you chose in Obtaining the Terraform Module.
Configuring Terraform
The module’s inputs are declared in variables.tf and have sensible defaults where appropriate.
You must supply the following variables when invoking both terraform apply and terraform destroy:
artifactory_user=<ARTIFACTORY_USER>- allows Terraform to install the relevant Helm chart and access the Relay image.artifactory_token=<ARTIFACTORY_TOKEN>- allows Terraform to install the relevant Helm chart and access the Relay image.relay_helm_version=<RELAY_HELM_VERSION>- the Helm chart version for the Relay deployment (for example:4.0.0).relay_api_key=<RELAY_API_KEY>- described above.relay_dns_address=<URL_ENDPOINT>- described above.resource_group_location=<LOCATION>- described above.key_vault_name=<KEY_VAULT_NAME>- described above.key_vault_resource_group=<KEY_VAULT_RESOURCE_GROUP>- described above.certificate_id=<CERTIFICATE_ID>- described above.
If you chose to download the zip, run this terraform command from the root module directory:
terraform init
terraform apply \
-var "resource_group_location=westus" \
-var "certificate_id=https://keyvault-xx.vault.azure.net/secrets/cert-xx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-var "key_vault_name=keyvault-xx" \
-var "key_vault_resource_group=DefaultResourceGroup-XXX" \
-var "artifactory_user=a_user" \
-var "artifactory_token=XXXXXXXXXXX" \
-var "relay_helm_version=4.0.0" \
-var "relay_dns_address=my-relay.XXX.com" \
-var "relay_api_key=ABEiM0RVZneImaq7zN3u8g==,AdminKey"
If not and you chose to use the module directly from the registry, run the same command from the root module directory which references module "relay".
6. Setting the DNS Record for URL_ENDPOINT to Point to the Relay Server
After running terraform apply successfully, the resulting raw IP address will be output under the name load_balancer_ip.
After getting the IP address of your Relay Server, you will need to create an A record for URL_ENDPOINT that points to that IP.
Then, at https://URL_ENDPOINT you will be able to communicate with your Relay server.
To verify, you can run:
curl -H "Authorization: Bearer <RELAY_API_KEY>" https://URL_ENDPOINT/create_room/2
Which should yield a new room ID string if a Relay Server is configured behind the address correctly.
7. Modify Existing Code
By default, the Ecdsa,Ed25519,StatefulEcdsa and StatefulEd25519 classes are routed to a Sodot owned Relay Server. This can be changed by supplying an additional parameter specifying the URL of the on-prem Relay Server.
For instance, consider the const ecdsa = new Ecdsa() constructor call.
Calling it should now be made with the extra parameter of URL_ENDPOINT like so:
const ecdsa = new Ecdsa(URL_ENDPOINT);
The same holds for the calling to any of the following constructors as well:
const ed25519 = new Ed25519(URL_ENDPOINT);
const ecdsa = new StatefulEcdsa(URL_ENDPOINT);
const ed25519 = new StatefulEd25519(URL_ENDPOINT);
More information can be reviewed in the API references for each of the different classes.