Helm Charts to deploy a secure Cardano node in Kubernetes

regel/cardano-charts

Cardano Charts

Contains Helm Charts for operating the most secure Cardano nodes in Kubernetes.

This Chart solves common pain points of Cardano node operations:

  • Long bootstrap time for new nodes: this chart can restore testnet or mainnet data at the given epoch using a compressed file archive
  • Security measures: combine this chart with Terraform modules to enforce best security practices in multiple areas (vault, acls, policies, etc)
  • Upgrades: facilitate upgrades using infrastructure-as-code best practices

Backers 🎯 😍

Thank you to all our backers! 🙏 [Become a backer]

Sponsors 🐳

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

Donations in ADA 💎

Cardano hodlers can send donations to this wallet address: addr1q973kf48y9vxqareqvxr7flacx3pl3rz0m9lmwt4nej0zr99dw6mre74f2g48nntw5ar6mz58fm09sk70e0k4vgmkess27g47n

Demo

helm install

Security Measures Every Stake Pool Operator Should Implement

Refer to the Cardano forum guide for keys and secrets management.

How This Cardano Helm Chart Implements Security Guidelines

This Cloud Native Helm Chart leverages advanced security features provided by Kubernetes and by cloud vendor extensions. 🚨 Ensure that you understand these concepts before using this Chart:

  • Calico plugin: see how this Kubernetes network plugin enforces ingress and egress traffic between pods and external IPs using Network Policies
  • Watch this KubeCon talk or check out the recipes on Network Policies. Credits: Ahmet Balkan, Google
  • Key Vault: all secret keys required to run a Cardano node are stored inside a Vault and only mounted where least-privilege access applies. The Azure Vault used in this Chart requires the configuration of a User Assigned Managed Identity
  • Run as non-root and set the root filesystem read-only: containers run as non-root users according to Docker best practices
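The Key Vault and non-root points above, shown as an added example that is not a template shipped with this chart: an Azure Key Vault SecretProviderClass for the Secrets Store CSI driver, authenticated through a User Assigned Managed Identity, mounted read-only into a container that runs as a non-root user with a read-only root filesystem. Vault, tenant, identity, image and secret names are placeholders.

```yaml
# Added example, not a template shipped with the chart. Vault, tenant,
# identity, image and secret names are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: cardano-producer-keys
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"                 # no client secret kept in-cluster
    userAssignedIdentityID: "<UAMI_CLIENT_ID>"   # placeholder
    keyvaultName: "<KEY_VAULT_NAME>"             # placeholder
    tenantId: "<TENANT_ID>"                      # placeholder
    objects: |
      array:
        - |
          objectName: kes-skey                   # placeholder secret name
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: producer-example
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start a root process
    runAsUser: 1000
    fsGroup: 1000
  containers:
    - name: node
      image: "<CARDANO_NODE_IMAGE>"              # placeholder
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true             # nothing can be written onto the image layer
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: keys
          mountPath: /secrets   # keys exist only on this in-memory CSI mount
          readOnly: true
  volumes:
    - name: keys
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: cardano-producer-keys
```

The node's database directory still needs its own writable volume, which this fragment omits; the managed identity must be granted "get" on the vault's secrets for the mount to succeed.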

Frequently Asked Questions ❓

How can Cardano Charts be so Awesome?

Help me grow this project by becoming a backer and making a [donation]

Where Can I Find Documentation on Azure Key Vault?

Here: Azure Key Vault

Storing Cold Keys in Luna HSM when Using Azure Key Vault?

Microsoft: [Become a sponsor]

To use Azure HSM for key storage and signature, two things must happen first:

  • Azure Key Vault must add support for the Ed25519 signature algorithm used in Cardano. At this time, the current generation of managed HSM hardware does not seem to support it yet
  • cardano-cli or another tool must be able to sign raw transactions using the Azure Key Vault REST API

Where Can I Find Documentation on Network Policies?

Tigera: [Become a sponsor]

The Tigera web site is a good place to start reading about Calico. Also check their Definitive guide to container networking, security, and troubleshooting.

Can You Add Support For Other Vaults And Other Cloud Vendors?

See CONTRIBUTING.

Where To File Issues?

To report a security vulnerability (for example, as a security researcher), first contact me privately via the Telegram link below.

Other issues can be reported on GitHub.

How to Contact?

Chat 💬 with me on Telegram

Want to Offer A Dream Job? 👔

You know the saying, anything is possible. Just know that I am in Geneva, CH, and therefore I have high expectations. 🍀

Documentation

The README documentation is generated by helm-docs

Deploy Using Terraform

You may find useful resources below:

Running this Helm Chart 🚀 the hard way

Install the Azure Key Vault provider:

```shell
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name --set secrets-store-csi-driver.syncSecret.enabled=true --namespace kube-system
```

Customize the options as needed, and install this Chart:

```shell
helm repo add cardano https://regel.github.io/cardano-charts
helm upgrade --install pool \
  --values cardano/values.yaml \
  --set vault.csi.enabled=false \
  --set producer.enabled=false \
  --set environment.name=testnet \
  --set persistence.sourceFile.enabled=true \
  --set persistence.sourceFile.url=$(curl -s https://downloads.csnapshots.io/snapshots/testnet/testnet-db-snapshot.json | jq -r .[].file_name) \
  cardano/cardano
```

Query the Blockchain Tip 🚀

Change the pod namespace and cardano-cli options according to the chain id, chart namespace and release name, and run:

```shell
kubectl exec -ti -n mainnet mainnet-cardano-relay-0 -c node -- cardano-cli query tip --mainnet
```

FAQ

Solving Init:Error when producer starts for the first time

Synchronizing the Cardano blockchain from scratch takes a long time. To avoid long waiting times, the init container attempts to download a snapshot of the blockchain during its first installation. However, egress traffic is blocked for producer nodes, so the 'restore' init container cannot download the snapshot:

```console
$ kubectl get po -w
NAME                     READY   STATUS       RESTARTS   AGE
pool-cardano-producer-0  0/1     Init:3/4     0          46s
pool-cardano-relay-0     2/2     Running      0          52m
pool-cardano-producer-0  0/1     Init:Error   0          2m35s
```

The workaround is to disable network policies manually during Init:

```console
$ kubectl delete networkpolicy -l app.kubernetes.io/name=cardano,app.kubernetes.io/component=producer
```

Enable the policies again with helm upgrade once the producer node is running.
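The producer lockdown that the Network Policies bullet describes and that causes the Init:Error above, as an added example that is not a policy shipped with this chart: the producer may only exchange traffic with this release's relays and cluster DNS, so every other egress, including the snapshot download, is denied. The producer labels are the ones used by the kubectl delete command above; the relay component label, the node port 3001 and the CoreDNS labels are assumptions.

```yaml
# Added example, not a policy shipped with the chart. The producer labels are
# the ones used by the kubectl delete command above; the relay component label,
# the node port 3001 and the CoreDNS labels are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cardano-producer-relays-only
  namespace: mainnet                    # chart namespace, adjust to the release
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: cardano
      app.kubernetes.io/component: producer
  policyTypes: [Ingress, Egress]        # any traffic not listed below is denied
  ingress:
    - from:
        - podSelector:                  # only this release's relays may connect
            matchLabels:
              app.kubernetes.io/name: cardano
              app.kubernetes.io/component: relay
      ports:
        - protocol: TCP
          port: 3001
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: cardano
              app.kubernetes.io/component: relay
      ports:
        - protocol: TCP
          port: 3001
    - to:                               # cluster DNS only, no public internet
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
# With this policy in place the 'restore' init container cannot reach the
# snapshot host, which is exactly the Init:Error above; relax or delete the
# policy only for the duration of the restore, then reapply it with helm upgrade.
```

Check the effect with `kubectl describe networkpolicy cardano-producer-relays-only -n mainnet` before relying on it, and confirm the restore has finished (`Init:4/4` then `Running`) before re-enabling the policy.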