diff --git a/charts/canton-domain/Chart.yaml b/charts/canton-domain/Chart.yaml
index 717c15b..be195bd 100644
--- a/charts/canton-domain/Chart.yaml
+++ b/charts/canton-domain/Chart.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: "canton-domain"
-version: 0.3.0
-appVersion: 2.7.0
+version: 0.4.0
+appVersion: 2.7.1
 kubeVersion: ">= 1.22.0-0"
 description: "A Helm chart for Canton Domains"
 home: https://github.com/digital-asset/daml-helm-charts/tree/main/charts/canton-domain
diff --git a/charts/canton-domain/README.md b/charts/canton-domain/README.md
index ada9656..7a873d2 100644
--- a/charts/canton-domain/README.md
+++ b/charts/canton-domain/README.md
@@ -196,12 +196,12 @@ sequencer: | ---------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------ | | `nameOverride` | String to partially override `common.name` template (will maintain the release name) | `""` | | `fullnameOverride` | String to fully override `common.fullname` template | `""` | -| `image.registry` | Canton Docker image registry | `digitalasset-docker.jfrog.io` | -| `image.repository` | Canton Docker image repository | `canton-enterprise` | -| `image.tag` | Canton Docker image tag (immutable tags are recommended) | `""` | -| `image.digest` | Canton Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | -| `image.pullPolicy` | Canton Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` | -| `image.pullSecrets` | Specify Docker registry existing secret names as an array | `[]` | +| `image.registry` | Canton container image registry | `digitalasset-docker.jfrog.io` | +| `image.repository` | Canton container image repository | `canton-enterprise` | +| `image.tag` | Canton container image tag (immutable tags are recommended) | `""` | +| `image.digest` | Canton container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | +| `image.pullPolicy` | Canton container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` | +| `image.pullSecrets` | Specify container registry existing secret names as an array | `[]` | | `commonLabels` | Add labels to all the deployed resources | `{}` | | `certManager` | Cert-manager CSI driver defaults | | | `certManager.duration` | Requested certificates validity period. If empty `""` defaults to `720h` | `87660h` | 
@@ -288,10 +288,10 @@ sequencer: | `console` | Single console pod for administration/debug of all the other components | | | `console.enabled` | Enable Deployment | `false` | | `console.terminationGracePeriodSeconds` | Stop the pod immediately by default, tailing `/dev/null` to stay up | `0` | -| `console.image` | Specific Docker image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` | | -| `console.image.repository` | Canton console Docker image repository | `canton-enterprise` | -| `console.image.tag` | Canton console Docker image tag (immutable tags are recommended) | `""` | -| `console.image.digest` | Canton console Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | +| `console.image` | Specific container image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` | | +| `console.image.repository` | Canton console container image repository | `canton-enterprise` | +| `console.image.tag` | Canton console container image tag (immutable tags are recommended) | `""` | +| `console.image.digest` | Canton console container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | | `console.environment` | Environment variables (not merged with `common.environment`) | | | `console.environmentSecrets` | Secret environment variables (not merged with `common.environmentSecrets`) | `{}` | | `console.environment.JDK_JAVA_OPTIONS` | Java launcher environment variable | `-XX:InitialRAMPercentage=70 -XX:MaxRAMPercentage=70` | 
@@ -406,6 +406,7 @@ sequencer: | `manager.storage.existingSecret.name` | Name of existing secret with user credentials | `""` | | `manager.storage.existingSecret.key` | Name of key in existing secret with user password | `""` | | `manager.storage.maxConnections` | Database connection pool maximum connections | `10` | +| `manager.configOverride` | Raw Canton configuration file `canton { ... }` | `""` | | `manager.ports.admin` | Admin API container port (gRPC) | `4801` | | `manager.ports.health` | Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) | `4803` | | `manager.ports.metrics` | Promotheus exporter container port (HTTP) | `8081` | @@ -455,6 +456,7 @@ sequencer: | `mediator.storage.existingSecret.name` | Name of existing secret with user credentials | `""` | | `mediator.storage.existingSecret.key` | Name of key in existing secret with user password | `""` | | `mediator.storage.maxConnections` | Database connection pool maximum connections | `10` | +| `mediator.configOverride` | Raw Canton configuration file `canton { ... }` | `""` | | `mediator.ports.admin` | Admin API container port (gRPC) | `4602` | | `mediator.ports.health` | Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) | `4603` | | `mediator.ports.metrics` | Promotheus exporter container port (HTTP) | `8081` | 
@@ -504,6 +506,7 @@ sequencer: | `sequencer.storage.existingSecret.key` | Name of key in existing secret with user password | `""` | | `sequencer.storage.maxConnections` | Database connection pool maximum connections | `10` | | `sequencer.config` | Sequencer extra configuration, to use along a custom `sequencer.type` (optional) | `""` | +| `sequencer.configOverride` | Raw Canton configuration file `canton { ... }` | `""` | | `sequencer.ports.public` | Ledger API container port (gRPC) | `4401` | | `sequencer.ports.admin` | Admin API container port (gRPC) | `4402` | | `sequencer.ports.health` | Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) | `4403` | diff --git a/charts/canton-domain/templates/_remotes.tpl b/charts/canton-domain/templates/_remotes.tpl index ab869cc..04e03a0 100644 --- a/charts/canton-domain/templates/_remotes.tpl +++ b/charts/canton-domain/templates/_remotes.tpl @@ -21,7 +21,11 @@ remote-participants { address = {{ $remoteParticipant.host }} port = {{ ($remoteParticipant.ports).admin | default 4002 }} {{- if (($remoteParticipant.tls).admin).enabled }} + {{- if (($remoteParticipant.mtls).admin).enabled }} {{- include "canton.tls.remote" (list $remoteParticipant.tls.admin $remoteParticipant.mtls.admin) | indent 6 }} + {{- else }} + {{- include "canton.tls.remote" (list $remoteParticipant.tls.admin nil) | indent 6 }} + {{- end }} {{- end }} } } diff --git a/charts/canton-domain/templates/manager/configmap.yaml b/charts/canton-domain/templates/manager/configmap.yaml index d60c359..13aefac 100644 --- a/charts/canton-domain/templates/manager/configmap.yaml +++ b/charts/canton-domain/templates/manager/configmap.yaml @@ -36,3 +36,7 @@ data: {{- include "canton.monitoring" (list . "manager") | nindent 6 }} } + {{- with .Values.manager.configOverride }} + manager-override.conf: | + {{- . | nindent 4 }} + {{- end }} 
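Review bot: `manager-override.conf` is rendered from `.Values.manager.configOverride` straight into a ConfigMap, so any database password, private key or token a user places in that raw `canton { ... }` block is stored unencrypted in etcd and readable by anyone with `get configmaps` in the namespace, whereas the chart's other credentials go through `existingSecret` and `environmentSecrets` references. The same applies to the mediator/configmap.yaml, sequencer/configmap.yaml and participant configmap.yaml hunks that add `mediator-override.conf`, `sequencer-override.conf` and `participant-override.conf`. Consider stating this at the `@param *.configOverride` comment in values.yaml, e.g. `## @param manager.configOverride Raw Canton configuration file `canton { ... }`, rendered into a ConfigMap and applied after the generated config: do not place credentials here, use existingSecret/environmentSecrets`. The manager, mediator, sequencer and participant deployment.yaml hunks pass the file as a second `--config` after the generated one; if Canton gives later files precedence, as the `-override` name suggests, the block can silently replace the TLS, auth-services and storage settings the chart generated, which is worth saying explicitly since the override is not validated. The `data:` map this hunk appends to begins outside the hunk.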
diff --git a/charts/canton-domain/templates/manager/deployment.yaml b/charts/canton-domain/templates/manager/deployment.yaml index bd91987..c23a6ee 100644 --- a/charts/canton-domain/templates/manager/deployment.yaml +++ b/charts/canton-domain/templates/manager/deployment.yaml @@ -63,6 +63,9 @@ spec: - "--log-level-canton={{ .Values.common.logLevel.canton }}" - "--log-level-stdout={{ .Values.common.logLevel.stdout }}" - "--config=/canton/manager.conf" + {{- if .Values.manager.configOverride }} + - "--config=/canton/manager-override.conf" + {{- end }} envFrom: {{- if or .Values.common.environment .Values.manager.environment }} - configMapRef: @@ -121,6 +124,12 @@ spec: mountPath: /canton/manager.conf subPath: manager.conf readOnly: true + {{- if .Values.manager.configOverride }} + - name: config + mountPath: /canton/manager-override.conf + subPath: manager-override.conf + readOnly: true + {{- end }} {{- if .Values.common.tls.admin.enabled }} - name: tls-admin mountPath: "/tls-admin" diff --git a/charts/canton-domain/templates/mediator/configmap.yaml b/charts/canton-domain/templates/mediator/configmap.yaml index 77c0f85..c3cfd29 100644 --- a/charts/canton-domain/templates/mediator/configmap.yaml +++ b/charts/canton-domain/templates/mediator/configmap.yaml @@ -32,3 +32,7 @@ data: {{- include "canton.monitoring" (list . "mediator") | nindent 6 }} } + {{- with .Values.mediator.configOverride }} + mediator-override.conf: | + {{- . | nindent 4 }} + {{- end }} diff --git a/charts/canton-domain/templates/mediator/deployment.yaml b/charts/canton-domain/templates/mediator/deployment.yaml index f676be0..36889ca 100644 --- a/charts/canton-domain/templates/mediator/deployment.yaml +++ b/charts/canton-domain/templates/mediator/deployment.yaml 
@@ -63,6 +63,9 @@ spec: - "--log-level-canton={{ .Values.common.logLevel.canton }}" - "--log-level-stdout={{ .Values.common.logLevel.stdout }}" - "--config=/canton/mediator.conf" + {{- if .Values.mediator.configOverride }} + - "--config=/canton/mediator-override.conf" + {{- end }} envFrom: {{- if or .Values.common.environment .Values.mediator.environment }} - configMapRef: @@ -121,6 +124,12 @@ spec: mountPath: /canton/mediator.conf subPath: mediator.conf readOnly: true + {{- if .Values.mediator.configOverride }} + - name: config + mountPath: /canton/mediator-override.conf + subPath: mediator-override.conf + readOnly: true + {{- end }} {{- if .Values.common.tls.admin.enabled }} - name: tls-admin mountPath: "/tls-admin" diff --git a/charts/canton-domain/templates/sequencer/configmap.yaml b/charts/canton-domain/templates/sequencer/configmap.yaml index a2dd4b7..c43dcf3 100644 --- a/charts/canton-domain/templates/sequencer/configmap.yaml +++ b/charts/canton-domain/templates/sequencer/configmap.yaml @@ -53,3 +53,7 @@ data: {{- include "canton.monitoring" (list . "sequencer") | nindent 6 }} } + {{- with .Values.sequencer.configOverride }} + sequencer-override.conf: | + {{- . | nindent 4 }} + {{- end }} diff --git a/charts/canton-domain/templates/sequencer/deployment.yaml b/charts/canton-domain/templates/sequencer/deployment.yaml index e2e1a94..fc9a5e3 100644 --- a/charts/canton-domain/templates/sequencer/deployment.yaml +++ b/charts/canton-domain/templates/sequencer/deployment.yaml @@ -64,6 +64,9 @@ spec: - "--log-level-canton={{ .Values.common.logLevel.canton }}" - "--log-level-stdout={{ .Values.common.logLevel.stdout }}" - "--config=/canton/sequencer.conf" + {{- if .Values.sequencer.configOverride }} + - "--config=/canton/sequencer-override.conf" + {{- end }} envFrom: {{- if or .Values.common.environment .Values.sequencer.environment }} - configMapRef: 
@@ -124,6 +127,12 @@ spec: mountPath: /canton/sequencer.conf subPath: sequencer.conf readOnly: true + {{- if .Values.sequencer.configOverride }} + - name: config + mountPath: /canton/sequencer-override.conf + subPath: sequencer-override.conf + readOnly: true + {{- end }} {{- if .Values.common.tls.public.enabled }} - name: tls-public mountPath: "/tls-public" diff --git a/charts/canton-domain/values.yaml b/charts/canton-domain/values.yaml index 3859827..3625c51 100644 --- a/charts/canton-domain/values.yaml +++ b/charts/canton-domain/values.yaml @@ -8,15 +8,15 @@ nameOverride: "" ## fullnameOverride: "" -## @param image.registry Canton Docker image registry -## @param image.repository Canton Docker image repository -## @param image.tag Canton Docker image tag (immutable tags are recommended) -## @param image.digest Canton Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` -## @param image.pullPolicy Canton Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` -## @param image.pullSecrets Specify Docker registry existing secret names as an array +## @param image.registry Canton container image registry +## @param image.repository Canton container image repository +## @param image.tag Canton container image tag (immutable tags are recommended) +## @param image.digest Canton container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` +## @param image.pullPolicy Canton container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` +## @param image.pullSecrets Specify container registry existing secret names as an array ## image: - ## Private Docker image + ## Private container image registry: digitalasset-docker.jfrog.io repository: canton-enterprise tag: "" 
@@ -223,13 +223,13 @@ console: ## @param console.terminationGracePeriodSeconds Stop the pod immediately by default, tailing `/dev/null` to stay up ## terminationGracePeriodSeconds: 0 - ## @extra console.image Specific Docker image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` - ## @param console.image.repository Canton console Docker image repository - ## @param console.image.tag Canton console Docker image tag (immutable tags are recommended) - ## @param console.image.digest Canton console Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` + ## @extra console.image Specific container image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` + ## @param console.image.repository Canton console container image repository + ## @param console.image.tag Canton console container image tag (immutable tags are recommended) + ## @param console.image.digest Canton console container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` ## image: - ## Private Docker image + ## Private container image repository: canton-enterprise tag: "" digest: "" @@ -493,6 +493,9 @@ manager: ## @param manager.storage.maxConnections Database connection pool maximum connections ## maxConnections: 10 + ## @param manager.configOverride Raw Canton configuration file `canton { ... }` + ## + configOverride: "" ## @param manager.ports.admin Admin API container port (gRPC) ## @param manager.ports.health Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) ## @param manager.ports.metrics Promotheus exporter container port (HTTP) 
@@ -627,6 +630,9 @@ mediator: ## @param mediator.storage.maxConnections Database connection pool maximum connections ## maxConnections: 10 + ## @param mediator.configOverride Raw Canton configuration file `canton { ... }` + ## + configOverride: "" ## @param mediator.ports.admin Admin API container port (gRPC) ## @param mediator.ports.health Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) ## @param mediator.ports.metrics Promotheus exporter container port (HTTP) @@ -760,6 +766,9 @@ sequencer: ## @param sequencer.config Sequencer extra configuration, to use along a custom `sequencer.type` (optional) ## config: "" + ## @param sequencer.configOverride Raw Canton configuration file `canton { ... }` + ## + configOverride: "" ## @param sequencer.ports.public Ledger API container port (gRPC) ## @param sequencer.ports.admin Admin API container port (gRPC) ## @param sequencer.ports.health Health check port for gRPC liveness and readiness probes, not exposed (TLS always disabled) diff --git a/charts/canton-participant/Chart.yaml b/charts/canton-participant/Chart.yaml index 7bfcc92..e9023f3 100644 --- a/charts/canton-participant/Chart.yaml +++ b/charts/canton-participant/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v2 name: "canton-participant" -version: 0.3.0 -appVersion: 2.7.0 +version: 0.4.0 +appVersion: 2.7.1 kubeVersion: ">= 1.22.0-0" description: "A Helm chart for Canton Participants" home: https://github.com/digital-asset/daml-helm-charts/tree/main/charts/canton-participant diff --git a/charts/canton-participant/README.md b/charts/canton-participant/README.md index df2f921..4c2f559 100644 --- a/charts/canton-participant/README.md +++ b/charts/canton-participant/README.md 
@@ -148,12 +148,12 @@ ingressRouteTCP: | `nameOverride` | String to partially override `common.name` template (will maintain the release name) | `""` | | `fullnameOverride` | String to fully override `common.fullname` template | `""` | | `replicaCount` | Number of Participant pods to deploy. Allowed values: `1` (active/passive HA, scaling up does not work) | `1` | -| `image.registry` | Canton Docker image registry | `digitalasset-docker.jfrog.io` | -| `image.repository` | Canton Docker image repository | `canton-enterprise` | -| `image.tag` | Canton Docker image tag (immutable tags are recommended) | `""` | -| `image.digest` | Canton Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | -| `image.pullPolicy` | Canton Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` | -| `image.pullSecrets` | Specify Docker registry existing secret names as an array | `[]` | +| `image.registry` | Canton container image registry | `digitalasset-docker.jfrog.io` | +| `image.repository` | Canton container image repository | `canton-enterprise` | +| `image.tag` | Canton container image tag (immutable tags are recommended) | `""` | +| `image.digest` | Canton container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | +| `image.pullPolicy` | Canton container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` | +| `image.pullSecrets` | Specify container registry existing secret names as an array | `[]` | | `commonLabels` | Add labels to all the deployed resources | `{}` | | `certManager` | Cert-manager CSI driver defaults | | | `certManager.duration` | Requested certificates validity period. If empty `""` defaults to `720h` | `87660h` | 
@@ -168,6 +168,7 @@ ingressRouteTCP: | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | | `participantName` | Mandatory Canton Participant name | `participant1` | | `uniqueContractKeys` | When enabled, Participant can only connect to a Domain with unique contract keys enabled as well | `false` | +| `configOverride` | Raw Canton configuration file `canton { ... }` | `""` | | `storage` | PostgreSQL configuration | | | `storage.host` | Server hostname | `postgres` | | `storage.port` | Server port | `5432` | @@ -193,8 +194,9 @@ ingressRouteTCP: | `bootstrap.activeDeadlineSeconds` | Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it | `600` | | `bootstrap.commandsTimeout` | Script commands timeout. Example values: `10s`, `10m' or `10h` | `1m` | | `bootstrap.remoteSequencer` | Remote sequencer connection configuration | | -| `bootstrap.remoteSequencer.domainAlias` | Domain alias | `mydomain` | -| `bootstrap.remoteSequencer.domainId` | Mandatory Domain ID | `""` | +| `bootstrap.remoteSequencer.domain.alias` | Domain alias | `mydomain` | +| `bootstrap.remoteSequencer.domain.id` | Domain ID (mandatory if `verifyId` is `true`) | `""` | +| `bootstrap.remoteSequencer.domain.verifyId` | Verify the ID of the domain this participant will connect to, strongly advised | `true` | | `bootstrap.remoteSequencer.host` | Sequencer host | `mysequencer.domain.com` | | `bootstrap.remoteSequencer.port` | Sequencer port, if empty `""` HTTP/HTTPS default is used (`80`/`443`) | `""` | | `bootstrap.remoteSequencer.tls.enabled` | Enable TLS to Sequencer | `false` | 
@@ -250,10 +252,10 @@ ingressRouteTCP: | `console` | Single console pod for administration/debug of all the other components | | | `console.enabled` | Enable Deployment | `false` | | `console.terminationGracePeriodSeconds` | Stop the pod immediately by default, tailing `/dev/null` to stay up | `0` | -| `console.image` | Specific Docker image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` | | -| `console.image.repository` | Canton console Docker image repository | `canton-enterprise` | -| `console.image.tag` | Canton console Docker image tag (immutable tags are recommended) | `""` | -| `console.image.digest` | Canton console Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | +| `console.image` | Specific container image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` | | +| `console.image.repository` | Canton console container image repository | `canton-enterprise` | +| `console.image.tag` | Canton console container image tag (immutable tags are recommended) | `""` | +| `console.image.digest` | Canton console container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` | | `console.environment` | Environment variables | | | `console.environmentSecrets` | Secret environment variables | `{}` | | `console.environment.JDK_JAVA_OPTIONS` | Java launcher environment variable | `-XX:InitialRAMPercentage=70 -XX:MaxRAMPercentage=70` | diff --git a/charts/canton-participant/templates/_fails.tpl b/charts/canton-participant/templates/_fails.tpl new file mode 100644 index 0000000..134801f --- /dev/null +++ b/charts/canton-participant/templates/_fails.tpl 
@@ -0,0 +1,27 @@
+{{/* vim: set filetype=mustache: */}}
+{{/* Safeguards to avoid contradicting configuration values */}}
+
+{{/*
+Ensure type is correct if want to enable JWT authentication
+*/}}
+{{- define "participant.authServicesType" -}}
+type = {{ .Values.authServices.type | quote }}
+{{- if eq .Values.authServices.type "jwt-rs-256-jwks" }}
+url = {{ .Values.authServices.url | quote }}
+{{- else if has .Values.authServices.type (list "jwt-rs-256-crt" "jwt-es-256-crt" "jwt-es-512-crt") }}
+certificate = {{ .Values.authServices.certificate | quote }}
+{{- else }}
+{{- fail (printf "invalid value '%s' for key 'authServices.type' (JWT authentication authorization type)" .Values.authServices.type) }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Ensure domain ID is defined if want to use it in the bootstrap
+*/}}
+{{- define "participant.bootstrapDomainId" -}}
+{{- if .Values.bootstrap.remoteSequencer.domain.id }}
+val domainId = Some(DomainId.tryFromString({{ .Values.bootstrap.remoteSequencer.domain.id | quote }}))
+{{- else }}
+{{- fail "empty value for key 'bootstrap.remoteSequencer.domain.id' (Canton Domain ID)" }}
+{{- end }}
+{{- end -}}
diff --git a/charts/canton-participant/templates/_tls.tpl b/charts/canton-participant/templates/_tls.tpl
index d1c96a9..17a7d07 100644
--- a/charts/canton-participant/templates/_tls.tpl
+++ b/charts/canton-participant/templates/_tls.tpl
@@ -93,5 +93,5 @@ Params:
 - Context - Dict - Required. Current context for the template evaluation.
 */}}
 {{- define "sequencer.tls.name" -}}
-{{- print "tls-" .Values.bootstrap.remoteSequencer.domainAlias -}}
+{{- print "tls-" .Values.bootstrap.remoteSequencer.domain.alias -}}
 {{- end -}}
diff --git a/charts/canton-participant/templates/bootstrap/configmap.yaml b/charts/canton-participant/templates/bootstrap/configmap.yaml
index df887d1..e5d7224 100644
--- a/charts/canton-participant/templates/bootstrap/configmap.yaml
+++ b/charts/canton-participant/templates/bootstrap/configmap.yaml
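Review bot: `participant.authServicesType` validates `authServices.type` but still renders `url = ""` or `certificate = ""` when the matching value is unset, so a JWT verifier with no JWKS endpoint or no certificate is only detected when the participant starts, not at `helm template` time, which is the stated purpose of this file. Since the helper already uses `fail`, the two value lines could use Helm's `required`: `url = {{ required "authServices.url is required for type jwt-rs-256-jwks" .Values.authServices.url | quote }}` and `certificate = {{ required "authServices.certificate is required for the jwt-*-crt types" .Values.authServices.certificate | quote }}`. For `participant.bootstrapDomainId`, a non-empty but malformed id also passes the template and only fails later in the bootstrap job at `DomainId.tryFromString`; the header comment should say the check is presence-only, e.g. `Ensure domain ID is non-empty before the bootstrap uses it (format is checked by Canton at runtime)`.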
@@ -34,19 +34,24 @@ data: logger.warn("TLS to sequencer is disabled ⚠️") {{- end }} - val domainAlias = {{ .Values.bootstrap.remoteSequencer.domainAlias | quote }} + val domainAlias = {{ .Values.bootstrap.remoteSequencer.domain.alias | quote }} {{- if .Values.testing.bootstrap.automaticDomainRegistration }} val domainManager = domainManagers.remote.head - val domainId = domainManager.id + val domainId = Some(domainManager.id) if (domainManager.participants.list.exists(_.item.participant == participant.id)) { logger.info(s"Participant ${participant.name} already registered to domain ${domainManager.name}") } else { logger.info(s"Registering participant ${participant.name} to domain ${domainManager.name}") domainManager.participants.set_state(participant.id, ParticipantPermission.Submission, TrustLevel.Ordinary) } - {{- else -}} - val domainId = DomainId.tryFromString({{ .Values.bootstrap.remoteSequencer.domainId | quote }}) + {{- else }} + {{- if .Values.bootstrap.remoteSequencer.domain.verifyId }} + {{- include "participant.bootstrapDomainId" . | nindent 4 }} + {{- else }} + logger.warn("You are not checking the target domain ID, you could join any domain ⚠️") + val domainId = None + {{- end }} {{- end }} val sequencerURL = {{ include "sequencer.url" . | quote }} @@ -65,10 +70,10 @@ data: domainAlias, connection, false, - Some(domainId), + domainId, 100, - Some(NonNegativeFiniteDuration.ofSeconds(Duration({{ .Values.bootstrap.remoteSequencer.initialRetryDelay | quote }}).toSeconds)), - Some(NonNegativeFiniteDuration.ofSeconds(Duration({{ .Values.bootstrap.remoteSequencer.maxRetryDelay | quote }}).toSeconds)) + Some(NonNegativeFiniteDuration.tryOfSeconds(Duration({{ .Values.bootstrap.remoteSequencer.initialRetryDelay | quote }}).toSeconds)), + Some(NonNegativeFiniteDuration.tryOfSeconds(Duration({{ .Values.bootstrap.remoteSequencer.maxRetryDelay | quote }}).toSeconds)) ) if (participant.domains.is_registered(domainAlias)) { 
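Review bot: With `verifyId` set to false the bootstrap passes `domainId = None`, so the only remaining authentication of the remote domain is the sequencer TLS connection, yet `bootstrap.remoteSequencer.tls.enabled` defaults to `false` in this chart and the first context line of the hunk shows the bootstrap already tolerates TLS being off; with both disabled the participant joins whatever answers at `sequencerURL` with no identity check at all. Consider refusing that combination outside the testing path, e.g. `{{- if and (not .Values.bootstrap.remoteSequencer.domain.verifyId) (not .Values.bootstrap.remoteSequencer.tls.enabled) }}{{- fail "bootstrap.remoteSequencer.domain.verifyId=false requires bootstrap.remoteSequencer.tls.enabled=true" }}{{- end }}`, or at least naming the combination in the new `logger.warn` so it is visible in the job log. The `Some(domainManager.id)` in the testing branch takes the id from the remote manager itself and is therefore not an independent check, which is acceptable for `testing.*` but could be stated in a short comment. The Scala bootstrap script this hunk belongs to begins and ends outside the hunk.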
diff --git a/charts/canton-participant/templates/configmap-remote.yaml b/charts/canton-participant/templates/configmap-remote.yaml index b799028..cdbdd54 100644 --- a/charts/canton-participant/templates/configmap-remote.yaml +++ b/charts/canton-participant/templates/configmap-remote.yaml @@ -57,7 +57,7 @@ data: } {{- if .Values.testing.bootstrap.automaticDomainRegistration }} remote-domain-managers { - {{ .Values.bootstrap.remoteSequencer.domainAlias }} { + {{ .Values.bootstrap.remoteSequencer.domain.alias }} { {{- with .Values.testing.bootstrap.remoteDomainManager }} admin-api { address = {{ .host | quote }} diff --git a/charts/canton-participant/templates/configmap.yaml b/charts/canton-participant/templates/configmap.yaml index 509a9b0..ae60e55 100644 --- a/charts/canton-participant/templates/configmap.yaml +++ b/charts/canton-participant/templates/configmap.yaml @@ -41,14 +41,7 @@ data: {{- if .Values.authServices.enabled }} auth-services = [{ - type = {{ .Values.authServices.type | quote }} - {{- if eq .Values.authServices.type "jwt-rs-256-jwks" }} - url = {{ .Values.authServices.url | quote }} - {{- else if has .Values.authServices.type (list "jwt-rs-256-crt" "jwt-es-256-crt" "jwt-es-512-crt") }} - certificate = {{ .Values.authServices.certificate | quote }} - {{- else }} - {{- fail (printf "invalid value '%s' for JWT authentication type" .Values.authServices.type) }} - {{- end }} + {{- include "participant.authServicesType" . | nindent 14 }} {{- with .Values.authServices.targetAudience }} target-audience = {{ . | quote }} {{- end }} @@ -108,3 +101,7 @@ data: } {{- end }} } + {{- with .Values.configOverride }} + participant-override.conf: | + {{- . | nindent 4 }} + {{- end }} diff --git a/charts/canton-participant/templates/deployment.yaml b/charts/canton-participant/templates/deployment.yaml index bb77e41..8e04721 100644 --- a/charts/canton-participant/templates/deployment.yaml +++ b/charts/canton-participant/templates/deployment.yaml 
@@ -63,6 +63,9 @@ spec: - "--log-level-canton={{ .Values.logLevel.canton }}" - "--log-level-stdout={{ .Values.logLevel.stdout }}" - "--config=/canton/participant.conf" + {{- if .Values.configOverride }} + - "--config=/canton/participant-override.conf" + {{- end }} envFrom: {{- if .Values.environment }} - configMapRef: @@ -123,6 +126,12 @@ spec: mountPath: /canton/participant.conf subPath: participant.conf readOnly: true + {{- if .Values.configOverride }} + - name: config + mountPath: /canton/participant-override.conf + subPath: participant-override.conf + readOnly: true + {{- end }} {{- if .Values.tls.public.enabled }} - name: tls-public mountPath: "/tls-public" diff --git a/charts/canton-participant/values.yaml b/charts/canton-participant/values.yaml index e254944..da7e0c8 100644 --- a/charts/canton-participant/values.yaml +++ b/charts/canton-participant/values.yaml 
@@ -12,15 +12,15 @@ fullnameOverride: "" ## Participant is using active/passive HA which is incompatible with Kubernetes => run only one pod at a time replicaCount: 1 -## @param image.registry Canton Docker image registry -## @param image.repository Canton Docker image repository -## @param image.tag Canton Docker image tag (immutable tags are recommended) -## @param image.digest Canton Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` -## @param image.pullPolicy Canton Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` -## @param image.pullSecrets Specify Docker registry existing secret names as an array +## @param image.registry Canton container image registry +## @param image.repository Canton container image repository +## @param image.tag Canton container image tag (immutable tags are recommended) +## @param image.digest Canton container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` +## @param image.pullPolicy Canton container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` +## @param image.pullSecrets Specify container registry existing secret names as an array ## image: - ## Private Docker image + ## Private container image registry: digitalasset-docker.jfrog.io repository: canton-enterprise tag: "" @@ -50,9 +50,11 @@ certManager: ## @param participantName Mandatory Canton Participant name ## @param uniqueContractKeys When enabled, Participant can only connect to a Domain with unique contract keys enabled as well +## @param configOverride Raw Canton configuration file `canton { ... }` ## participantName: "participant1" uniqueContractKeys: false +configOverride: "" ## @extra storage PostgreSQL configuration 
@@ -107,13 +109,16 @@ bootstrap: commandsTimeout: "1m" ## @extra bootstrap.remoteSequencer Remote sequencer connection configuration remoteSequencer: - ## @param bootstrap.remoteSequencer.domainAlias Domain alias - ## @param bootstrap.remoteSequencer.domainId Mandatory Domain ID + ## @param bootstrap.remoteSequencer.domain.alias Domain alias + ## @param bootstrap.remoteSequencer.domain.id Domain ID (mandatory if `verifyId` is `true`) + ## @param bootstrap.remoteSequencer.domain.verifyId Verify the ID of the domain this participant will connect to, strongly advised ## @param bootstrap.remoteSequencer.host Sequencer host ## @param bootstrap.remoteSequencer.port Sequencer port, if empty `""` HTTP/HTTPS default is used (`80`/`443`) ## - domainAlias: "mydomain" - domainId: "" + domain: + alias: "mydomain" + id: "" + verifyId: true host: "mysequencer.domain.com" port: "" tls: 
@@ -244,13 +249,13 @@ console: ## @param console.terminationGracePeriodSeconds Stop the pod immediately by default, tailing `/dev/null` to stay up ## terminationGracePeriodSeconds: 0 - ## @extra console.image Specific Docker image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` - ## @param console.image.repository Canton console Docker image repository - ## @param console.image.tag Canton console Docker image tag (immutable tags are recommended) - ## @param console.image.digest Canton console Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` + ## @extra console.image Specific container image to be able to start a Canton console. Reusing `image.registry`, `image.pullPolicy` and `image.pullSecrets` + ## @param console.image.repository Canton console container image repository + ## @param console.image.tag Canton console container image tag (immutable tags are recommended) + ## @param console.image.digest Canton console container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` ## image: - ## Private Docker image + ## Private container image repository: canton-enterprise tag: "" digest: "" diff --git a/charts/daml-http-json/Chart.yaml b/charts/daml-http-json/Chart.yaml index 77056b2..432f7d6 100644 --- a/charts/daml-http-json/Chart.yaml +++ b/charts/daml-http-json/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v2 name: "daml-http-json" -version: 0.3.0 -appVersion: 2.7.0 +version: 0.4.0 +appVersion: 2.7.1 kubeVersion: ">= 1.22.0-0" description: "A Helm chart for Daml HTTP JSON API service" home: https://github.com/digital-asset/daml-helm-charts/tree/main/charts/daml-http-json diff --git a/charts/daml-http-json/README.md b/charts/daml-http-json/README.md index 71f92e1..b4ce585 100644 --- a/charts/daml-http-json/README.md +++ b/charts/daml-http-json/README.md 
@@ -121,12 +121,12 @@ it will be mounted as files into folder `/tls`.
 | `nameOverride` | String to partially override `common.name` template (will maintain the release name) | `""` |
 | `fullnameOverride` | String to fully override `common.fullname` template | `""` |
 | `replicaCount` | Number of Participant pods to deploy | `1` |
-| `image.registry` | Docker image registry | `digitalasset-docker.jfrog.io` |
-| `image.repository` | Docker image repository | `http-json` |
-| `image.tag` | Docker image tag (immutable tags are recommended) | `""` |
-| `image.digest` | Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` |
-| `image.pullPolicy` | Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` |
-| `image.pullSecrets` | Specify Docker registry existing secret names as an array | `[]` |
+| `image.registry` | Container image registry | `digitalasset-docker.jfrog.io` |
+| `image.repository` | Container image repository | `http-json` |
+| `image.tag` | Container image tag (immutable tags are recommended) | `""` |
+| `image.digest` | Container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` |
+| `image.pullPolicy` | Container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` |
+| `image.pullSecrets` | Specify container registry existing secret names as an array | `[]` |
 | `commonLabels` | Add labels to all the deployed resources | `{}` |
 | `certManager` | Cert-manager CSI driver defaults | |
 | `certManager.duration` | Requested certificates validity period. If empty `""` defaults to `720h` | `87660h` |
diff --git a/charts/daml-http-json/values.yaml b/charts/daml-http-json/values.yaml
index e21a5e1..8bde2b6 100644
--- a/charts/daml-http-json/values.yaml
+++ b/charts/daml-http-json/values.yaml
@@ -11,15 +11,15 @@ fullnameOverride: ""
 ## @param replicaCount Number of Participant pods to deploy
 replicaCount: 1
-## @param image.registry Docker image registry
-## @param image.repository Docker image repository
-## @param image.tag Docker image tag (immutable tags are recommended)
-## @param image.digest Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag`
-## @param image.pullPolicy Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent`
-## @param image.pullSecrets Specify Docker registry existing secret names as an array
+## @param image.registry Container image registry
+## @param image.repository Container image repository
+## @param image.tag Container image tag (immutable tags are recommended)
+## @param image.digest Container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag`
+## @param image.pullPolicy Container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent`
+## @param image.pullSecrets Specify container registry existing secret names as an array
 ##
 image:
- ## Private Docker image
+ ## Private container image
 registry: digitalasset-docker.jfrog.io
 repository: http-json
 tag: ""
diff --git a/charts/daml-trigger/Chart.yaml b/charts/daml-trigger/Chart.yaml
index 5d532de..ff755cc 100644
--- a/charts/daml-trigger/Chart.yaml
+++ b/charts/daml-trigger/Chart.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: "daml-trigger"
-version: 0.3.0
-appVersion: 2.7.0
+version: 0.4.0
+appVersion: 2.7.1
 kubeVersion: ">= 1.22.0-0"
 description: "A Helm chart for Daml Trigger service"
 home: https://github.com/digital-asset/daml-helm-charts/tree/main/charts/daml-trigger
diff --git a/charts/daml-trigger/README.md b/charts/daml-trigger/README.md
index 970aef2..4bb033d 100644
--- a/charts/daml-trigger/README.md
+++ b/charts/daml-trigger/README.md
@@ -121,12 +121,12 @@ it will be mounted as files into folder `/tls`.
 | `nameOverride` | String to partially override `common.name` template (will maintain the release name) | `""` |
 | `fullnameOverride` | String to fully override `common.fullname` template | `""` |
 | `replicaCount` | Number of Participant pods to deploy | `1` |
-| `image.registry` | Docker image registry | `digitalasset-docker.jfrog.io` |
-| `image.repository` | Docker image repository | `trigger-service` |
-| `image.tag` | Docker image tag (immutable tags are recommended) | `""` |
-| `image.digest` | Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` |
-| `image.pullPolicy` | Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` |
-| `image.pullSecrets` | Specify Docker registry existing secret names as an array | `[]` |
+| `image.registry` | Container image registry | `digitalasset-docker.jfrog.io` |
+| `image.repository` | Container image repository | `trigger-service` |
+| `image.tag` | Container image tag (immutable tags are recommended) | `""` |
+| `image.digest` | Container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag` | `""` |
+| `image.pullPolicy` | Container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent` | `IfNotPresent` |
+| `image.pullSecrets` | Specify container registry existing secret names as an array | `[]` |
 | `commonLabels` | Add labels to all the deployed resources | `{}` |
 | `certManager` | Cert-manager CSI driver defaults | |
 | `certManager.duration` | Requested certificates validity period. If empty `""` defaults to `720h` | `87660h` |
diff --git a/charts/daml-trigger/values.yaml b/charts/daml-trigger/values.yaml
index fefdc88..8a01b9e 100644
--- a/charts/daml-trigger/values.yaml
+++ b/charts/daml-trigger/values.yaml
@@ -11,15 +11,15 @@ fullnameOverride: ""
 ## @param replicaCount Number of Participant pods to deploy
 replicaCount: 1
-## @param image.registry Docker image registry
-## @param image.repository Docker image repository
-## @param image.tag Docker image tag (immutable tags are recommended)
-## @param image.digest Docker image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag`
-## @param image.pullPolicy Docker image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent`
-## @param image.pullSecrets Specify Docker registry existing secret names as an array
+## @param image.registry Container image registry
+## @param image.repository Container image repository
+## @param image.tag Container image tag (immutable tags are recommended)
+## @param image.digest Container image digest in the way `sha256:aa...`. If this parameter is set, overrides `image.tag`
+## @param image.pullPolicy Container image pull policy. Allowed values: `Always`, `Never`, `IfNotPresent`
+## @param image.pullSecrets Specify container registry existing secret names as an array
 ##
 image:
- ## Private Docker image
+ ## Private container image
 registry: digitalasset-docker.jfrog.io
 repository: trigger-service
 tag: ""