Signers

You may define remote signers with tezos-k8s. Bakers automatically use signers in their namespace that are configured to sign for the accounts they are baking for. By default no signer is configured.

https://tezos.gitlab.io/user/key-management.html#signer

octezSigners: {}

These signers use the octez-signer binary.

Example:

octezSigners:
  tezos-signer-0:
    accounts:
      - baker0
    authorized_keys:
      # Names of accounts used to authenticate the baker to the signer.
      # The signer will only sign a request from a baker authenticated
      # by an allowed key.
      # If set, any baker targeting this signer will automatically have
      # the associated private key accessible locally.
      - authorized-key-0

Deploys a signer using AWS KMS to sign operations. The AWS_REGION env var must be set. https://github.com/tacoinfra/tacoinfra-remote-signer

tacoinfraSigners: {}

These signers deploy the Tacoinfra remote signer, a program that passes signing requests to supported HSM or KMS devices.

Example:

tacoinfraSigners:
  tacoinfra-signer:
    accounts:
      - tacoinfraSigner
    env:
      AWS_REGION: us-east-2
    serviceAccount:
      create: true
      ## EKS example for setting the role-arn
      annotations:
        eks.amazonaws.com/role-arn: <SIGNER_ROLE_ARN>
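
A pre-deployment check for the two signer blocks above, as an added example that is not part of tezos-k8s: it flags a signer with no accounts, an octezSigners entry without authorized_keys, a tacoinfraSigners entry without AWS_REGION, and a role-arn still set to a placeholder such as <SIGNER_ROLE_ARN>. The names lint_signers and SAMPLE_VALUES are hypothetical, and the values are assumed to be already parsed from YAML into a Python mapping.

```python
# Added example (not tezos-k8s code): lint parsed Helm values for the signer blocks.
PLACEHOLDER_PREFIX = "<"  # an unreplaced template value such as <SIGNER_ROLE_ARN>

def lint_signers(values):
    """Return sorted (signer_name, finding) tuples for both signer kinds."""
    findings = []
    for name, cfg in (values.get("octezSigners") or {}).items():
        cfg = cfg or {}
        if not cfg.get("accounts"):
            findings.append((name, "accounts is empty: no baker will match this signer"))
        if not cfg.get("authorized_keys"):
            findings.append((name, "authorized_keys is empty: baker authentication not configured"))
    for name, cfg in (values.get("tacoinfraSigners") or {}).items():
        cfg = cfg or {}
        if not cfg.get("accounts"):
            findings.append((name, "accounts is empty: no baker will match this signer"))
        # The page states that AWS_REGION must be set for the KMS-backed signer.
        if not (cfg.get("env") or {}).get("AWS_REGION"):
            findings.append((name, "env.AWS_REGION is not set"))
        annotations = (cfg.get("serviceAccount") or {}).get("annotations") or {}
        arn = str(annotations.get("eks.amazonaws.com/role-arn") or "")
        if arn.startswith(PLACEHOLDER_PREFIX):
            findings.append((name, "role-arn still holds a placeholder"))
    return sorted(findings)

# Constructed sample: one signer configured as on the page, two with gaps.
SAMPLE_VALUES = {
    "octezSigners": {
        "tezos-signer-0": {"accounts": ["baker0"],
                           "authorized_keys": ["authorized-key-0"]},
        "tezos-signer-1": {"accounts": ["baker1"]},
    },
    "tacoinfraSigners": {
        "tacoinfra-signer": {
            "accounts": ["tacoinfraSigner"],
            "env": {},
            "serviceAccount": {
                "create": True,
                "annotations": {"eks.amazonaws.com/role-arn": "<SIGNER_ROLE_ARN>"},
            },
        },
    },
}

if __name__ == "__main__":
    for signer, finding in lint_signers(SAMPLE_VALUES):
        print(f"{signer}: {finding}")
```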