regel / cardano-charts

Helm Charts to deploy a secure Cardano node in Kubernetes
Apache License 2.0

Cardano Charts


Contains Helm Charts for operating the most secure Cardano nodes in Kubernetes:

This Chart solves common pain points of Cardano node operations:

Backers :dart: :heart_eyes:

Thank you to all our backers! 🙏 [Become a backer]

Sponsors :whale:

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

Donations in ADA :gem:

Cardano hodlers can send donations to this wallet address: addr1q973kf48y9vxqareqvxr7flacx3pl3rz0m9lmwt4nej0zr99dw6mre74f2g48nntw5ar6mz58fm09sk70e0k4vgmkess27g47n

Demo

helm install

Security Measures Every Stake Pool Operator Should Implement

Refer to the Cardano forum guide for keys and secrets management.

How This Cardano Helm Chart Implements Security Guidelines

This Cloud Native Helm Chart leverages advanced security features provided by Kubernetes and by cloud vendor extensions. :rotating_light: Ensure that you understand these concepts before using this Chart:

Frequently Asked Questions :question:

How can Cardano Charts be so Awesome?

Help me grow this project by becoming a backer and making a [donation].

Where Can I Find Documentation on Azure Key Vault?

Here: Azure Key Vault

Storing Cold Keys in Luna HSM when Using Azure Key Vault?

Microsoft: [Become a sponsor]

To use Azure HSM for key storage and signature, two things must happen first:

Where Can I Find Documentation on Network Policies?

Tigera: [Become a sponsor]

Tigera's web site is a good place to start reading about Calico. Also check their Definitive guide to container networking, security, and troubleshooting.

Can You Add Support For Other Vaults And Other Cloud Vendors?

See CONTRIBUTING.

Where To File Issues?

If you are a vulnerability reporter (for example, a security researcher) who would like to report a vulnerability, first contact me privately via the Telegram link below.

Other issues can be reported on GitHub.

How to Contact?

Chat :speech_balloon: with me on Telegram

Want to Offer A Dream Job? :necktie:

You know the saying, anything is possible. Just know that I am in Geneva, CH, and therefore I have high expectations. :four_leaf_clover:

Documentation

The README documentation is generated by helm-docs.

Deploy Using Terraform

You may find useful resources below:

Running this Helm Chart :rocket: the hard way

Install the Azure Key Vault provider:

helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name --set secrets-store-csi-driver.syncSecret.enabled=true --namespace kube-system

Customize the options as needed, and install this Chart:

helm repo add cardano https://regel.github.io/cardano-charts
helm upgrade --install pool \
  --values cardano/values.yaml \
  --set vault.csi.enabled=false \
  --set producer.enabled=false \
  --set environment.name=testnet \
  --set persistence.sourceFile.enabled=true \
  --set persistence.sourceFile.url=$(curl -s https://downloads.csnapshots.io/snapshots/testnet/testnet-db-snapshot.json| jq -r .[].file_name) \
    cardano/cardano

Query the Blockchain Tip :rocket:

Change the pod namespace and cardano-cli options according to the chain id, chart namespace and release name, and run:

kubectl exec -ti -n mainnet mainnet-cardano-relay-0 -c node -- cardano-cli query tip --mainnet

FAQ

Solving Init:Error when producer starts for the first time

Synchronizing the Cardano blockchain from scratch takes a long time. To avoid long waiting times, the Init container attempts to download a snapshot of the blockchain during the first installation. However, egress traffic is blocked for producer nodes by the network policies, so the 'restore' init container cannot download the snapshot and the pod ends in Init:Error:

$ kubectl get po -w
NAME                     READY   STATUS     RESTARTS   AGE
pool-cardano-producer-0  0/1     Init:3/4   0          46s
pool-cardano-relay-0     2/2     Running    0          52m
pool-cardano-producer-0  0/1     Init:Error   0          2m35s

The workaround is to disable network policies manually during Init:

$ kubectl delete networkpolicy -l app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer

Enable policies again with helm upgrade when the producer node is running.
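The workaround above, scripted as an added example (not part of cardano-charts): a helper that reads `kubectl get po` output and flags producer pods stuck in Init:Error, plus a function that drops the producer NetworkPolicy, waits for the pod to become Ready, and runs `helm upgrade` so the policy is recreated. It assumes the pod is named `<release>-cardano-producer-0` as in the README, that the chart was installed from the `cardano/cardano` repo, and that `kubectl wait` is available.

```bash
#!/usr/bin/env bash
# Added example, not the chart's own code. Usage:
#   kubectl -n NAMESPACE get po | bash fix-producer-init.sh NAMESPACE RELEASE
set -euo pipefail

# Reads `kubectl get po` output on stdin (with or without -A) and prints the
# name of every *-cardano-producer-* pod whose STATUS is Init:Error.
# Exit status 0 if at least one such pod was found, 1 otherwise.
producer_init_errors() {
  awk 'NR == 1 { off = ($1 == "NAMESPACE"); next }
       $(1+off) ~ /-cardano-producer-/ && $(3+off) == "Init:Error" {
         print $(1+off); found = 1
       }
       END { exit !found }'
}

# Applies the README workaround for one release. While the policy is gone the
# producer pod has unrestricted egress, so keep the window as short as possible
# and restore the policy as soon as the pod is Ready.
fix_producer_init() {
  local ns="$1" release="$2"
  # Assumption: pod name follows the README pattern <release>-cardano-producer-0.
  local pod="${release}-cardano-producer-0"
  kubectl -n "$ns" delete networkpolicy \
    -l app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer
  # The failed init container is retried automatically once egress is allowed.
  kubectl -n "$ns" wait pod "$pod" --for=condition=Ready --timeout=60m
  # Re-applying the chart with the same values recreates the NetworkPolicy.
  helm -n "$ns" upgrade "$release" cardano/cardano --reuse-values
}

# Only act when namespace and release are given; otherwise just define helpers.
if [ $# -eq 2 ]; then
  if producer_init_errors; then
    fix_producer_init "$1" "$2"
  else
    echo "no producer pod in Init:Error; nothing to do"
  fi
fi
```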