Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/regel/cardano-charts
Helm Charts to deploy a secure Cardano node in Kubernetes
https://github.com/regel/cardano-charts
azure blockchain cardano cardano-node helm kubernetes opensource vault
Last synced: 11 days ago
JSON representation
Helm Charts to deploy a secure Cardano node in Kubernetes
- Host: GitHub
- URL: https://github.com/regel/cardano-charts
- Owner: regel
- License: apache-2.0
- Created: 2021-08-15T15:52:58.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2023-01-08T21:10:04.000Z (almost 2 years ago)
- Last Synced: 2024-04-14T04:08:50.234Z (7 months ago)
- Topics: azure, blockchain, cardano, cardano-node, helm, kubernetes, opensource, vault
- Language: Smarty
- Homepage:
- Size: 1.5 MB
- Stars: 28
- Watchers: 3
- Forks: 5
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
# Cardano Charts
[](https://github.com/regel/cardano-charts/actions/workflows/checkov.yml) [](https://opensource.org/licenses/Apache-2.0)
Contains Helm Charts for operating **the most secure** Cardano nodes in Kubernetes:
- [charts/cardano](./charts/cardano/README.md)
This Chart solves common pain points of Cardano node operations:
- Long bootstrap time for new nodes: this chart can restore testnet or mainnet data at the given epoch using a compressed file archive
- Security measures: combine this chart with Terraform [modules](https://github.com/regel/terraform-azure-cardano) to enforce best security practices in multiple areas (vault, acls, policies, etc)
- Upgrades: facilitate upgrades using infrastructure-as-code best practices
## Backers :dart: :heart_eyes:
Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/gh-regel#backer)]
## Sponsors :whale:
Support this project by becoming a sponsor. Your logo will show up here with a
link to your website. [[Become a
sponsor](https://opencollective.com/gh-regel#sponsor)]
## Donations in ADA :gem:
Cardano hodlers can send donations to this wallet address: `addr1q973kf48y9vxqareqvxr7flacx3pl3rz0m9lmwt4nej0zr99dw6mre74f2g48nntw5ar6mz58fm09sk70e0k4vgmkess27g47n`
## Demo
## Security Measures Every Stake Pool Operator Should Implement
Refer to the Cardano forum [guide](https://forum.cardano.org/t/back-to-basics-security-measures-every-cardano-stake-pool-operators-should-know-and-implement/38166) for keys and secrets management.
### How This Cardano Helm Chart Implements Security Guidelines
This Cloud Native Helm Chart leverages advanced security features provided in Kubernetes and Cloud vendors extensions. :rotating_light: Ensure that you understand these concepts before using this Chart:
- [Calico](https://docs.microsoft.com/en-us/azure/aks/use-network-policies) plugin: see how this network plugin in Kubernetes enforces `ingress` and `egress` traffic between pods and external IPs using [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
- Watch this [KubeCon](https://www.youtube.com/watch?v=3gGpMmYeEO8) talk or check out the recipes on [Network Policies](https://github.com/ahmetb/kubernetes-network-policy-recipes). Credits: Ahmet Balkan, Google
- Key Vault: all secret keys required to run a Cardano node are stored inside a Vault and only mounted where the least access privilege applies. The Azure Vault used in this Chart requires the configuration of a [User Assigned Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
- Run As NonRoot and set root filesystems Read-Only: Containers run using non-root users according to best Docker practices
## Frequently Asked Questions :question:
### How can Cardano Charts be so Awesome?
Help me grow this project by becoming a backer and making a [[donation](https://opencollective.com/gh-regel#backer)]
### Where Can I Find Documentation on Azure Key Vault?
Here: [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts)
### Storing Cold Keys in Luna HSM when Using Azure Key Vault?
[Microsoft](https://azure.microsoft.com/): [[Become a sponsor](https://opencollective.com/gh-regel#sponsor)]
To use Azure HSM for key storage and signature, two things must happen first:
- Azure Key Vault must add support for the [ed25519](https://fr.wikipedia.org/wiki/Curve25519) crypto algorithm used in Cardano. At this time, the current generation of managed HSM hardware does not seem to support it yet
- `cardano-cli` or another tool must be able to sign Tx raw transactions using the Azure Key Vault [REST API](https://docs.microsoft.com/en-us/rest/api/keyvault/)
### Where Can I Find Documentation on Network Policies?
[Tigera](https://tigera.io): [[Become a sponsor](https://opencollective.com/gh-regel#sponsor)]
Tigera web site is a good place to start reading about [Calico](https://docs.projectcalico.org/reference/public-cloud/azure). Also, check their [Definitive guide to container networking, security, and troubleshooting](https://www.tigera.io/lp/calico-open-source-white-paper/)
### Can You Add Support For Other Vaults And Other Cloud Vendors?
See [CONTRIBUTING](./CONTRIBUTING.md).
### Where To File Issues?
If you are a vulnerability reporter (for example, a security researcher) who would like to report a vulnerability, first contact me privately via the Telegram link below.
Other issues can be reported on Github.
### How to Contact?
Chat :speech_balloon: with me on [Telegram](https://t.me/ghregel)
### Want to Offer A Dream Job? :necktie:
You know the saying, anything is possible. Just know that I am in Geneva, CH, and therefore I have high expectations. :four_leaf_clover:
## Documentation
The README documentation is generated by [helm-docs](https://github.com/norwoodj/helm-docs)
### Deploy Using Terraform
You may find useful resources below:
- [terraform-azure-cardano](https://github.com/regel/terraform-azure-cardano): This repo contains a set of modules in the [modules folder](https://github.com/regel/terraform-azure-cardano/tree/main/modules) for deploying a Cardano node on [Azure](https://portal.azure.com/) using [Terraform](https://www.terraform.io/).
#### Running this Helm Chart :rocket: the hard way
Install the Azure Key Vault provider:
```
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name --set secrets-store-csi-driver.syncSecret.enabled=true --namespace kube-system
```
Customize the options as needed, and install this Chart:
```
helm repo add cardano https://regel.github.io/cardano-charts
helm upgrade --install pool \
--values cardano/values.yaml \
--set vault.csi.enabled=false \
--set producer.enabled=false \
--set environment.name=testnet \
--set persistence.sourceFile.enabled=true \
--set persistence.sourceFile.url=$(curl -s https://downloads.csnapshots.io/snapshots/testnet/testnet-db-snapshot.json| jq -r .[].file_name) \
cardano/cardano
```
#### Query the Blockchain Tip :rocket:
Change the pod namespace and `cardano-cli` options according to the chain id, chart namespace and release name, and run:
```
kubectl exec -ti -n mainnet mainnet-cardano-relay-0 -c node -- cardano-cli query tip --mainnet
```
## FAQ
### Solving Init:Error when producer starts for the first time
Synchronizing the Cardano blockchain from scratch takes a long time. To prevent long waiting times, the Init container
attempts to download a snapshot of the blockchain during their first installation. However, egress traffic
is blocked for producer nodes and the 'restore' init container cannot download the snapshot:
```
$ kubectl get po -w
NAME READY STATUS RESTARTS AGE
pool-cardano-producer-0 0/1 Init:3/4 0 46s
pool-cardano-relay-0 2/2 Running 0 52m
pool-cardano-producer-0 0/1 Init:Error 0 2m35s
```
The workaround is to disable network policies manually during Init:
```
$ kubectl delete networkpolicy -l app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer
```
Enable policies again with `helm upgrade` when the producer node is running.