Release Canton/Daml Helm charts 0.1.0 (#37)

Co-authored-by: DA Machine <da-machine@digitalasset.com>

POSTGRES.md

@@ -14,7 +14,7 @@ Example SaaS solutions:
 - [Minimum server size](#minimum-server-size)
 - [Availability](#availability)
 - [Concurrent connections](#concurrent-connections)
-- [TLS](#tls)
+- [SSL/TLS](#tls)
 - [Debugging](#debugging)
 
 ---
@@ -57,6 +57,10 @@ An HA deployment of all the Helm charts in this repository with the default valu
 We strongly recommend to enable and enforce TLS for connections to your PostgreSQL server (Helm charts default).
 Please refer to the relevant [PostgreSQL server and client documentation](https://www.postgresql.org/docs/).
 
+On most cloud providers' SaaS solution, server SSL/TLS is enabled by default and certificates are signed by a public CA.
+In your `storage` values, `sslRootCert`, `sslCert` and `sslKey` can be left with an empty string value `""`.
+The default JVM trust store with common public CA certificates will be used.
+
 ## Scaling
 
 In case your PostgreSQL server load gets high you can either or both:

README.md

@@ -38,7 +38,10 @@ helm install myrelease digitalasset/<chart>
 
 - Kubernetes `1.24+`
 - Helm `3.9+`
-- [PostgreSQL server](https://github.com/digital-asset/daml-helm-charts/tree/main/POSTGRES.md)
+- PostgreSQL server
+- [Cert-manager](https://cert-manager.io/docs/) + CSI driver (only if TLS is enabled, optional but strongly recommended)
+
+### [PostgreSQL guidelines](./POSTGRES.md)
 
 ### The purpose of Helm
 

charts/canton-domain/templates/_certManager.tpl

@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate Cert-manager CSI driver block.
+
+Key encoding is enforced, only PKCS8 is supported.
+
+Params (List):
+  - Context - Dict - Required. Current context for the template evaluation.
+  - Component name - String - Required. "server", "console", etc. (can be an empty string).
+  - Name - String - Required. Kubernetes CSI name.
+  - Volume attributes - Dict - Required. Cert-manager CSI volume attributes.
+  - DNS names - String - Required. Certificate DNS names (can be an empty string).
+*/}}
+{{ define "certManager.csi" }}
+{{- $top              := index . 0 }}
+{{- $component        := index . 1 }}
+{{- $name             := index . 2 }}
+{{- $volumeAttributes := index . 3 }}
+{{- $volumeAttributes := set $volumeAttributes "dnsNames"    (index . 4) }}
+{{- $volumeAttributes := set $volumeAttributes "duration"    $top.Values.certManager.duration }}
+{{- $volumeAttributes := set $volumeAttributes "renewBefore" $top.Values.certManager.renewBefore }}
+{{- $volumeAttributes := set $volumeAttributes "commonName"  (join "-" (compact (list (include "common.fullname" $top) $component $name))) }}
+- name: {{ $name }}
+  csi:
+    driver: csi.cert-manager.io
+    readOnly: true
+    volumeAttributes:
+      csi.cert-manager.io/issuer-group: {{ $volumeAttributes.issuerGroup | default "cert-manager.io" | quote }}
+      csi.cert-manager.io/issuer-kind: {{ $volumeAttributes.issuerKind | default "Issuer" | quote }}
+      csi.cert-manager.io/issuer-name: {{ $volumeAttributes.issuerName | quote }}
+      csi.cert-manager.io/key-encoding: "PKCS8"
+      csi.cert-manager.io/common-name: {{ $volumeAttributes.commonName | quote }}
+      {{- with $volumeAttributes.dnsNames }}
+      csi.cert-manager.io/dns-names: {{ . | quote }}
+      {{- end }}
+      {{- with $volumeAttributes.ipSans }}
+      csi.cert-manager.io/ip-sans: {{ . | quote }}
+      {{- end }}
+      {{- with $volumeAttributes.fsGroup }}
+      csi.cert-manager.io/fs-group: {{ . | quote }}
+      {{- end }}
+      {{- with $volumeAttributes.duration }}
+      csi.cert-manager.io/duration: {{ $volumeAttributes.duration | quote }}
+      {{- end }}
+      {{- with $volumeAttributes.renewBefore }}
+      csi.cert-manager.io/renew-before: {{ . | quote }}
+      {{- end }}
+{{- end }}

charts/canton-domain/templates/_helpers.tpl

@@ -69,3 +69,20 @@ Return image for containers.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+
+Params (List):
+  - Context - Dict - Required. Current context for the template evaluation.
+  - Component name - String - Required. Components with a sub key "serviceAccount" in values: "bootstrap", "console", "manager", "mediator" or "sequencer".
+*/}}
+{{- define "common.serviceAccountName" -}}
+{{- $top           := index . 0 -}}
+{{- $componentName := index . 1 -}}
+{{- $component     := index $top.Values $componentName -}}
+{{- if $top.Values.serviceAccount.create -}}
+    {{ default (printf "%s-%s" (include "common.fullname" $top) $componentName) $component.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" $component.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/canton-domain/templates/_monitoring.tpl

@@ -11,12 +11,16 @@ Params (List):
 */}}
 {{- define "canton.monitoring" -}}
 {{- $top       := index . 0 -}}
-{{- $component := index $top.Values (index . 1) -}}
+{{- $componentName := index . 1 -}}
+{{- $component := index $top.Values $componentName -}}
 {{- if $top.Values.metrics.enabled }}
-monitoring.metrics.reporters = [{
-  type = prometheus
-  address = "0.0.0.0"
-  port = {{ $component.ports.metrics }}
-}]
+monitoring.metrics {
+    report-jvm-metrics = yes
+    reporters = [{
+        type = prometheus
+        address = "0.0.0.0"
+        port = {{ $component.ports.metrics }}
+    }]
+}
 {{- end }}
 {{- end -}}

charts/canton-domain/templates/_remotes.tpl

@@ -2,26 +2,26 @@
 {{/*
 Generate remote-participants configuration block.
 Ports and TLS configuration might be missing.
+The bootstrap and console are not using the remote participant(s) public API (aka Ledger API),
+hence the empty string address and default port number.
 
 Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
-{{ define "canton.remoteParticipants" }}
-{{ range $participant := .Values.common.remoteParticipants }}
+{{ define "remoteParticipants" }}
+{{ range $remoteParticipant := .Values.common.remoteParticipants }}
 remote-participants {
-  {{ $participant.name }} {
+  {{ $remoteParticipant.name }} {
     ledger-api {
-      address = {{ $participant.host }}
-      port = {{ ($participant.ports).public | default 4001 }}
-      {{- if or (($participant.tls).public).enabled (($participant.tls).admin).enabled }}
-      {{- include "canton.tls.remote" (list $participant.tls.public) | indent 6 }}
-      {{- end }}
+      address = ""
+      port = 4001
     }
+
     admin-api {
-      address = {{ $participant.host }}
-      port = {{ ($participant.ports).admin | default 4002 }}
-      {{- if or (($participant.tls).public).enabled (($participant.tls).admin).enabled }}
-      {{- include "canton.tls.remote" (list $participant.tls.admin) | indent 6 }}
+      address = {{ $remoteParticipant.host }}
+      port = {{ ($remoteParticipant.ports).admin | default 4002 }}
+      {{- if (($remoteParticipant.tls).admin).enabled }}
+      {{- include "canton.tls.remote" (list $remoteParticipant.tls.admin $remoteParticipant.mtls.admin) | indent 6 }}
       {{- end }}
     }
   }
@@ -30,57 +30,70 @@ remote-participants {
 {{ end }}
 
 {{/*
-Find if any of the participant requires TLS for either the admin or public API.
-TLS configuration might be missing.
+Generate bootstrap and console TLS and mTLS certificate volumeMounts for remote participant(s) using the Cert-manager CSI driver.
 
 Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
-{{- define "canton.participant.isTLS" -}}
-{{- range $participant := .Values.common.remoteParticipants -}}
-{{- if or (($participant.tls).public).enabled (($participant.tls).admin).enabled -}}
-true
-{{- end -}}
-{{- end -}}
+{{- define "remoteParticipants.volumeMounts" }}
+{{- range $remoteParticipant := .Values.common.remoteParticipants }}
+{{- if (($remoteParticipant.tls).admin).enabled }}
+- name: tls-{{ $remoteParticipant.name }}
+  mountPath: "/tls-{{ $remoteParticipant.name }}"
+  readOnly: true
+{{- if (($remoteParticipant.mtls).admin).enabled }}
+- name: mtls-{{ $remoteParticipant.name }}
+  mountPath: "/mtls-{{ $remoteParticipant.name }}"
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate remote participant TLS name.
+
+Params:
+  - Context - Dict - Required. Current context for the template evaluation.
+*/}}
+{{- define "remoteParticipant.tls.name" -}}
+{{- print "tls-" . -}}
 {{- end -}}
 
 {{/*
-Generate remote-sequencers configuration block.
+Generate remote participant mTLS name.
 
 Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
-{{ define "canton.remoteSequencers" }}
-remote-sequencers {
-  {{ .Values.common.sequencerName }} {
-    public-api {
-      address = "{{ template "common.fullname" . }}-sequencer.{{ .Release.Namespace }}.svc.cluster.local"
-      port = {{ .Values.sequencer.service.ports.public }}
-      {{- include "canton.remoteSequencer.tls.public" (list .Values.common.tls.public) | indent 6 }}
-    }
-    admin-api {
-      address = "{{ template "common.fullname" . }}-sequencer.{{ .Release.Namespace }}.svc.cluster.local"
-      port = {{ .Values.sequencer.service.ports.admin }}
-      {{- include "canton.tls.remote" (list .Values.common.tls.admin) | indent 6 }}
-    }
-  }
-}
-{{ end }}
+{{- define "remoteParticipant.mtls.name" -}}
+{{- print "mtls-" . -}}
+{{- end -}}
 
 {{/*
-Generate remote-mediators configuration block.
+Generate bootstrap and console TLS and mTLS certificate volumes for remote participant(s) using the Cert-manager CSI driver.
+
+Optional sub keys:
+- "remoteParticipant.tls.admin.certManager.issuerGroup"
+- "remoteParticipant.tls.admin.certManager.issuerKind"
+- "remoteParticipant.tls.admin.certManager.fsGroup"
+- "remoteParticipant.mtls.admin.certManager.issuerGroup"
+- "remoteParticipant.mtls.admin.certManager.issuerKind"
+- "remoteParticipant.mtls.admin.certManager.fsGroup"
 
 Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
-{{ define "canton.remoteMediators" }}
-remote-mediators {
-  {{ .Values.common.mediatorName }} {
-    admin-api {
-      address = "{{ template "common.fullname" . }}-mediator.{{ .Release.Namespace }}.svc.cluster.local"
-      port = {{ .Values.mediator.service.ports.admin }}
-      {{- include "canton.tls.remote" (list .Values.common.tls.admin) | indent 6 }}
-    }
-  }
-}
-{{ end }}
+{{- define "remoteParticipants.volumes" }}
+{{- $top              := index . 0 }}
+{{- $component        := index . 1 }}
+{{- range $remoteParticipant := $top.Values.common.remoteParticipants }}
+{{- if and (($remoteParticipant.tls).admin).enabled ((($remoteParticipant.tls).admin).certManager).issuerName }}
+# Dummy certificate only used to mount the root CA certificate
+{{- include "certManager.csi" (list $top $component (include "remoteParticipant.tls.name" $remoteParticipant.name) $remoteParticipant.tls.admin.certManager "") }}
+{{- if and (($remoteParticipant.mtls).admin).enabled ((($remoteParticipant.mtls).admin).certManager).issuerName }}
+{{- include "certManager.csi" (list $top $component (include "remoteParticipant.mtls.name" $remoteParticipant.name) $remoteParticipant.mtls.admin.certManager "") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/canton-domain/templates/_storage.tpl

@@ -10,8 +10,9 @@ Params (List):
   - Component name - String - Required. Components with a sub key "storage" in values: "manager", "mediator" or "sequencer".
 */}}
 {{ define "canton.storage" }}
-{{- $top       := index . 0 -}}
-{{- $component := index $top.Values (index . 1) }}
+{{- $top       := index . 0 }}
+{{- $componentName := index . 1 }}
+{{- $component := index $top.Values $componentName }}
 storage {
   type = postgres
   config {
@@ -25,40 +26,19 @@ storage {
       ssl = {{ $top.Values.storage.ssl }}
       {{- if $top.Values.storage.ssl }}
       sslmode = {{ $top.Values.storage.sslMode | quote }}
-      {{- if $top.Values.storage.certCAFilename }}
-      sslrootcert = {{- include "postgresql.certPath" (list $top "certCAFilename") | quote -}}
+      {{- if $top.Values.storage.sslRootCert }}
+      sslrootcert = {{ $top.Values.storage.sslRootCert | quote }}
       {{- end }}
-      {{- if $top.Values.storage.certFilename }}
-      sslcert = {{- include "postgresql.certPath" (list $top "certFilename") | quote -}}
+      {{- if $top.Values.storage.sslCert }}
+      sslcert = {{ $top.Values.storage.sslCert | quote }}
       {{- end }}
-      {{- if $top.Values.storage.certKeyFilename }}
-      sslkey = {{- include "postgresql.certPath" (list $top "certKeyFilename") | quote -}}
+      {{- if $top.Values.storage.sslKey }}
+      sslkey = {{ $top.Values.storage.sslKey | quote }}
       {{- end }}
       {{- end }}
+
     }
   }
   max-connections = {{ $component.storage.maxConnections }}
 }
 {{- end -}}
-
-{{/*
-Return the path to the provided PostgreSQL certificate.
-
-Usage:
-{{ include "postgresql.certPath" (list . "key") }}
-
-Params (List):
-  - Context - Dict - Required. Current context for the template evaluation.
-  - Filename - String - Required. Cert file sub key of "storage" in values: "certCAFilename", "certFilename" or "certKeyFilename".
-    If an existing certificatesSecret is used, everything is mounted into /pgtls,
-    provide a secret key name like "tls.crt". Otherwise provide the full path like "/path/to/file".
-*/}}
-{{- define "postgresql.certPath" -}}
-{{- $top  := index . 0 -}}
-{{- $file := index $top.Values.storage (index . 1) -}}
-{{- if $top.Values.storage.certificatesSecret -}}
-{{- printf "/pgtls/%s" $file -}}
-{{- else -}}
-{{- $file -}}
-{{- end -}}
-{{- end -}}