Beacon Relay Installation¶
The beacon relay is a stateless TCP relay that enables outbound-only connectivity between your EU-hosted secret store and your Kubernetes cluster. Both sides connect outbound to the beacon on TCP 443; the beacon matches them cryptographically and forwards encrypted mTLS bytes between them. It stores no secrets, no keys, and no configuration state.
No inbound ports required
Neither the secret store nor the cluster needs to expose an inbound port. Both sides initiate outbound TCP 443 connections to the beacon. This eliminates the need for VPN, IPsec, or SSH tunnels.
When you need a beacon¶
Beacon relay is the default connectivity mode. You need a beacon when:
- Your secret store and cluster have no direct network path
- Both sides are behind NAT or firewalls
- You only allow outbound TCP 443 traffic
- You want zero-config connectivity without VPN or tunnel infrastructure
For other connectivity modes, see Beacon Relay Architecture.
Deployment options¶
Option A: SaaS beacon (pilots only)¶
A public demo relay at beacon.cloudtaser.io:443 exists for the live demo and quick-look pilots. It is not for production use:
- No production support SLA
- Can be taken offline for maintenance at any time
- Places connection metadata on infrastructure you do not operate
For production deployments, regulated workloads, or any deployment under a DPIA, deploy your own beacon (Option B).
Option B: Self-hosted (production)¶
Deploy the beacon on infrastructure you control -- a small VM, a bare-metal host, or a Kubernetes cluster. The beacon needs a public IP or DNS name reachable from both the secret-store side and the cluster side on TCP 443. It requires no access to either your secret store or your cluster.
Installation¶
The CLI provides cloudtaser beacon install with three deployment targets.
Systemd (VM or bare metal)¶
Install the beacon as a systemd service on a Linux host. Requires root.
sudo cloudtaser-cli beacon install \
--type systemd \
--advertise-addr beacon.example.com:443 \
--public-cert-file /etc/letsencrypt/live/beacon.example.com/fullchain.pem \
--public-key-file /etc/letsencrypt/live/beacon.example.com/privkey.pem
This downloads the beacon binary, creates a systemd unit, and starts the service.
Audit before applying
Pass --dry-run to print the install script, systemd unit, and environment file to stdout without modifying the host:
Docker Compose¶
Generate a docker-compose.yaml for single-host deployments:
cloudtaser-cli beacon install \
--type docker \
--advertise-addr beacon.example.com:443 \
--public-cert-file ./cert.pem \
--public-key-file ./key.pem
Kubernetes (Helm)¶
Deploy via the cloudtaser-beacon Helm chart:
helm repo add cloudtaser https://charts.cloudtaser.io
helm repo update
helm install cloudtaser-beacon cloudtaser/cloudtaser-beacon \
--namespace cloudtaser-beacon \
--create-namespace \
--set service.type=LoadBalancer \
--set tls.existingSecret=beacon-tls
For HA deployments with 3 or more replicas:
cloudtaser-cli beacon install \
--type kubernetes \
--replicas 3 \
--namespace cloudtaser-beacon \
--bootstrap-from beacon.example.com \
--existing-gossip-secret beacon-gossip \
--existing-ca-secret beacon-internal-ca \
--existing-tls-secret beacon-public-tls
Two-node clusters are refused
A 2-node beacon cluster has no tiebreaker and strictly adds a failure mode over a single instance. Use --replicas=1 or --replicas=3 (or higher odd numbers).
TLS certificates¶
The beacon requires a TLS certificate for its public listener on port 443. Use a certificate from your PKI or a provider such as Let's Encrypt.
| Flag | Purpose |
|---|---|
--public-cert-file |
Path to the TLS certificate (PEM) for the public listener |
--public-key-file |
Path to the corresponding private key (PEM) |
For Kubernetes deployments, provide the certificate via a TLS Secret referenced with --set tls.existingSecret=<name>.
Auth key¶
The beacon uses an HMAC auth key to authenticate port and broker registrations. The key is auto-generated during cloudtaser-cli beacon install and stored in your secret store if --vault-addr and --vault-token are provided. The port reads it from the secret store at startup.
Secure key loading
Use --auth-key-file (not --auth-key) to avoid exposing the key in process listings. The Helm chart handles this automatically when deploying on Kubernetes.
After deployment¶
- Save the ctb1 token printed by
beacon install, for example by copying thectb1...value into./beacon.token. You will use it withsource install porton the secret-store side andtarget installon the cluster side.source registeris only for optional advanced pre-registration. -
Verify the beacon is running:
-
Proceed to Secret Store & Port Installation to deploy the port that connects your secret store to the beacon.
Network requirements¶
| Side | Direction | Destination | Port | Protocol |
|---|---|---|---|---|
| Secret store (port) | Outbound | Beacon | 443 | TCP/TLS |
| Cluster (broker) | Outbound | Beacon | 443 | TCP/TLS |
| Beacon | Inbound | From port and broker | 443 | TCP/TLS |
High availability¶
For production deployments, run 3 or more beacon instances. HA requires:
- A gossip encryption key (
--gossip-key-file) - Internal mTLS certificates for inter-beacon communication (
--internal-ca-cert-file,--internal-cert-file, etc.) - Either
--bootstrap-from(DNS-based discovery) or--peers(explicit seed list)
HA is supported only on Kubernetes (--type=kubernetes). Systemd and Docker modes are single-instance.
See Beacon Relay Architecture for the full HA design including consistent-hash ring and inner-hop mTLS forwarding.
Related¶
- Secret Store & Port Installation -- next step: deploy the port alongside your secret store
- Beacon Relay Architecture -- trust model, security properties, and connectivity comparison
- Beacon Trust Model -- threat model for the relay
- Self-Bootstrap Protocol -- zero-config cluster onboarding via fingerprint