diff --git a/deploy_tee/pulumi/seismic_node/__main__.py b/deploy_tee/pulumi/seismic_node/__main__.py
index b8cd655..a293282 100644
--- a/deploy_tee/pulumi/seismic_node/__main__.py
+++ b/deploy_tee/pulumi/seismic_node/__main__.py
@@ -57,19 +57,20 @@ def _require_str(value: str | None) -> str:
 # local testing. See README for the DCedsv6/local-NVMe caveat.
 data_disk_size_gb = cfg.get_int("data_disk_size_gb") or 32
 
-# Standard ports the TEE node needs open.
-OPEN_PORTS = [
+# Standard TCP ports the TEE node needs open.
+#
+# reth's RPC (8545) and WS (8546) are deliberately NOT here: nginx terminates
+# TLS on 443 and reverse-proxies /rpc + /ws to them over loopback.
+# Same for metrics — summit's prom + reth's metrics are nginx /metrics/*.
+OPEN_TCP_PORTS = [
 # sshd only listening in the devtools image, not in the production image.
 (22, "ssh"),
 (80, "http"),
 (443, "https"),
 # Enclave currently exposes too many things on this port: get_attestation_evidence,
- # get_purpose_keys, boot_share_root_key. We will eventually split it.
+ # get_purpose_keys, getWrappedRootKey. We will eventually split it.
 (7878, "enclave"),
 (8080, "tdx-init-config"), # one-shot listener; close after first deploy
- (9090, "prometheus"),
- (8545, "reth-rpc"),
- (8546, "reth-ws"),
 # Summit consensus P2P (commonware-p2p, TCP). Left open like
 # the other service ports — commonware authenticates peers by pubkey (only
 # the validator set completes the handshake), so admission is app-layer, and
@@ -119,7 +120,7 @@ def _require_str(value: str | None) -> str:
 destination_address_prefix="*",
 destination_port_range=str(port),
 )
- for i, (port, name) in enumerate(OPEN_PORTS)
+ for i, (port, name) in enumerate(OPEN_TCP_PORTS)
 ]
 
 nsg = azure_native.network.NetworkSecurityGroup(
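Review bot: The new header comment above `OPEN_TCP_PORTS` justifies dropping 8545/8546/9090 with "nginx reverse-proxies ... over loopback", but nothing in this file makes reth or the metrics endpoints actually bind to 127.0.0.1, and dropping the NSG rule only closes the Internet path — Azure's default AllowVnetInBound rule still lets any VNet peer reach whatever the process listens on, so the comment overstates the guarantee. I'd add a line after the loopback sentence making the dependency explicit: `# NOTE: this only holds if reth's RPC/WS and the metrics listeners bind 127.0.0.1; a 0.0.0.0 bind stays reachable from the VNet via the default AllowVnetInBound rule.` Relatedly, 8080 is still listed with "one-shot listener; close after first deploy" — since the list now documents its exclusions carefully, it would be worth stating who is responsible for closing 8080 (a follow-up `pulumi up` with it removed, or the listener exiting), so it does not outlive its one use. The `OPEN_TCP_PORTS` list closes outside this hunk, so the remaining entries were not reviewed.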