Contains Helm Charts for operating the most secure Cardano nodes in Kubernetes:
This Chart solves common pain points of Cardano node operations:
Thank you to all our backers! 🙏 [Become a backer]
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
Cardano hodlers can send donations to this wallet address: addr1q973kf48y9vxqareqvxr7flacx3pl3rz0m9lmwt4nej0zr99dw6mre74f2g48nntw5ar6mz58fm09sk70e0k4vgmkess27g47n
Refer to the Cardano forum guide for keys and secrets management.
This Cloud Native Helm Chart leverages advanced security features provided by Kubernetes and cloud vendor extensions. :rotating_light: Ensure that you understand these concepts before using this Chart:
Ingress and egress traffic between pods and external IPs using Network Policies

Help me grow this project by becoming a backer and making a [donation].
Here: Azure Key Vault
To use Azure HSM for key storage and signature, two things must happen first:
cardano-cli or another tool must be able to sign raw transactions using the Azure Key Vault REST API.

The Tigera web site is a good place to start reading about Calico. Also check their Definitive guide to container networking, security, and troubleshooting.
See CONTRIBUTING.
If you are a vulnerability reporter (for example, a security researcher) who would like to report a vulnerability, first contact me privately via the Telegram link below.
Other issues can be reported on Github.
Chat :speech_balloon: with me on Telegram
You know the saying, anything is possible. Just know that I am in Geneva, CH, and therefore I have high expectations. :four_leaf_clover:
The README documentation is generated by helm-docs
You may find useful resources below:
Install the Azure Key Vault provider:
```shell
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name \
  --set secrets-store-csi-driver.syncSecret.enabled=true --namespace kube-system
```
Customize the options as needed, and install this Chart:
```shell
helm repo add cardano https://regel.github.io/cardano-charts
helm upgrade --install pool \
  --values cardano/values.yaml \
  --set vault.csi.enabled=false \
  --set producer.enabled=false \
  --set environment.name=testnet \
  --set persistence.sourceFile.enabled=true \
  --set persistence.sourceFile.url=$(curl -s https://downloads.csnapshots.io/snapshots/testnet/testnet-db-snapshot.json | jq -r .[].file_name) \
  cardano/cardano
```
Change the pod namespace and cardano-cli options according to the chain id, chart namespace and release name, and run:

```shell
kubectl exec -ti -n mainnet mainnet-cardano-relay-0 -c node -- cardano-cli query tip --mainnet
```
Synchronizing the Cardano blockchain from scratch takes a long time. To avoid the wait, the 'restore' init container attempts to download a snapshot of the blockchain during the first installation. However, the Network Policies block egress traffic for producer nodes, so the init container cannot download the snapshot:
```console
$ kubectl get po -w
NAME                      READY   STATUS       RESTARTS   AGE
pool-cardano-producer-0   0/1     Init:3/4     0          46s
pool-cardano-relay-0      2/2     Running      0          52m
pool-cardano-producer-0   0/1     Init:Error   0          2m35s
```
The workaround is to delete the producer's network policies manually while the pod is in Init:

```shell
kubectl delete networkpolicy -l app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer
```

Re-enable the policies with helm upgrade once the producer node is running.
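The manual workaround leaves the producer without egress restrictions until someone remembers to run helm upgrade. The script below, added here as an example and not part of the chart, automates the sequence: delete the producer policies, wait for the producer pod to become Ready, then re-apply the release with helm upgrade --reuse-values so the policies are recreated, also if the script is interrupted. It assumes the release name pool, the default namespace, the pod name pool-cardano-producer-0 (following the naming shown above) and the label selector from the manual workaround.

```shell
#!/usr/bin/env sh
# Added example, not part of the cardano-charts project.
# Temporarily removes the producer's NetworkPolicies so the 'restore' init
# container can fetch the snapshot, then re-applies the Helm release so the
# policies are recreated. A trap restores them on interruption as well, so
# the producer is not left unprotected if the operator walks away.

# Assumed values; override via the environment for your cluster.
RELEASE="${RELEASE:-pool}"
NAMESPACE="${NAMESPACE:-default}"
WAIT_TIMEOUT="${WAIT_TIMEOUT:-30m}"
# Label selector of the producer policies, as used in the manual workaround.
POLICY_SELECTOR="app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer"

# Re-apply the release with its current values; Helm recreates any resource
# from the chart that is missing in the cluster, including the policies.
restore_policies() {
  helm upgrade --install "$RELEASE" cardano/cardano \
    --namespace "$NAMESPACE" --reuse-values
}

# Returns 0 when the producer became Ready, 1 when the delete failed or the
# wait timed out. The policies are restored in every case.
bootstrap_producer() {
  # If the script dies or is interrupted from here on, restore the policies.
  trap 'restore_policies' EXIT INT TERM
  if kubectl delete networkpolicy --namespace "$NAMESPACE" -l "$POLICY_SELECTOR" \
     && kubectl wait --namespace "$NAMESPACE" --for=condition=Ready \
          --timeout="$WAIT_TIMEOUT" "pod/${RELEASE}-cardano-producer-0"; then
    status=0
  else
    status=1
  fi
  restore_policies
  trap - EXIT INT TERM
  return "$status"
}
```

Run it once the producer pod is stuck in Init; the window without policies lasts only until the pod reports Ready or the timeout expires.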