Contains Helm Charts for operating the most secure Cardano nodes in Kubernetes:
This Chart solves common pain points of Cardano node operations:
- Long bootstrap time for new nodes: the chart can restore testnet or mainnet chain data for a given epoch from a compressed archive instead of syncing from genesis
- Security measures: combine the chart with the Terraform modules to enforce security best practices in several areas (key vault, ACLs, policies, etc.)
- Upgrades: manage upgrades with infrastructure-as-code best practices
Thank you to all our backers! 🙏 [Become a backer]
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
Cardano hodlers can send donations to this wallet address: addr1q973kf48y9vxqareqvxr7flacx3pl3rz0m9lmwt4nej0zr99dw6mre74f2g48nntw5ar6mz58fm09sk70e0k4vgmkess27g47n
Refer to the Cardano forum guide for keys and secrets management.
This Cloud Native Helm Chart leverages advanced security features provided by Kubernetes and by cloud vendor extensions. 🚨 Ensure that you understand these concepts before using this Chart:
- Calico plugin: see how this Kubernetes network plugin enforces ingress and egress traffic rules between pods and external IPs using Network Policies. Note that NetworkPolicy objects are only enforced when the cluster's CNI implements them; with a CNI that does not, the API server accepts them and nothing applies them. Watch this KubeCon talk or check out the recipes on Network Policies. Credits: Ahmet Balkan, Google
- Key Vault: all secret keys required to run a Cardano node are stored in a key vault and mounted only into the container that needs them, following the principle of least privilege. The Azure Key Vault integration used in this Chart requires a User Assigned Managed Identity to be configured
- Run As NonRoot and read-only root filesystem: containers run as a non-root user with a read-only root filesystem, following Docker and Kubernetes security best practices
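To make the network-policy and non-root points above concrete, here is an added example; it is not code from the cardano-charts project. It prints default-deny NetworkPolicies for the relay and block-producer pods (the producer is reachable only from the relays, which is the usual Cardano topology) and audits the security context of the running pods. Everything about the deployment is assumed and must be adjusted to your release: pods labelled `app.kubernetes.io/component=relay` and `=producer`, cardano-node listening on TCP 3001, Calico or another enforcing CNI installed. The chart also runs Redis for internal communication; if Redis is a separate pod, add an egress rule to it before applying a default-deny policy, or the node will lose that connection.

```shell
#!/bin/sh
# Added example, not part of the cardano-charts project: default-deny
# NetworkPolicies for the relay and block-producer pods, and an audit of the
# security context of the running pods. Assumptions (adjust to your release):
# Calico or another enforcing CNI is installed, pods carry the label
# app.kubernetes.io/component=relay|producer, cardano-node listens on TCP 3001.
set -eu

NAMESPACE="${NAMESPACE:-mainnet}"
NODE_PORT="${NODE_PORT:-3001}"            # assumed cardano-node listen port
LABEL_KEY="app.kubernetes.io/component"   # assumed pod label key

# Relay: inbound TCP only on the node port; outbound DNS plus TCP to any peer
# (peers listen on operator-chosen ports, so egress is not port-restricted).
# Producer: inbound only from relay pods, outbound only to relay pods and DNS,
# so nothing outside the cluster can reach the block producer directly.
# The kubernetes.io/metadata.name namespace label exists on Kubernetes >= 1.21.
# Without an enforcing CNI the API server stores these objects but nothing
# applies them.
network_policies() {
  ns="$1"; port="$2"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: cardano-relay, namespace: ${ns} }
spec:
  podSelector: { matchLabels: { ${LABEL_KEY}: relay } }
  policyTypes: [Ingress, Egress]
  ingress:
    - ports: [ { protocol: TCP, port: ${port} } ]
  egress:
    - to: [ { namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: kube-system } } } ]
      ports: [ { protocol: UDP, port: 53 }, { protocol: TCP, port: 53 } ]
    - ports: [ { protocol: TCP } ]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: cardano-producer, namespace: ${ns} }
spec:
  podSelector: { matchLabels: { ${LABEL_KEY}: producer } }
  policyTypes: [Ingress, Egress]
  ingress:
    - from: [ { podSelector: { matchLabels: { ${LABEL_KEY}: relay } } } ]
      ports: [ { protocol: TCP, port: ${port} } ]
  egress:
    - to: [ { namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: kube-system } } } ]
      ports: [ { protocol: UDP, port: 53 }, { protocol: TCP, port: 53 } ]
    - to: [ { podSelector: { matchLabels: { ${LABEL_KEY}: relay } } } ]
      ports: [ { protocol: TCP, port: ${port} } ]
EOF
}

# One line per pod: "<pod> pod=<runAsNonRoot> <ctr>=<runAsNonRoot>/<readOnlyRootFilesystem> ...".
# Missing keys print as empty strings (kubectl's --allow-missing-template-keys
# defaults to true).
SC_JSONPATH='{range .items[*]}{.metadata.name}{" pod="}{.spec.securityContext.runAsNonRoot}{range .spec.containers[*]}{" "}{.name}{"="}{.securityContext.runAsNonRoot}{"/"}{.securityContext.readOnlyRootFilesystem}{end}{"\n"}{end}'

# Reads those lines on stdin and exits 1 if any container may run as root
# (a container-level runAsNonRoot overrides the pod-level value) or has a
# writable root filesystem.
audit_security_context() {
  awk '
    {
      split($2, p, "="); pod_nonroot = p[2]
      for (i = 3; i <= NF; i++) {
        split($i, c, "="); split(c[2], f, "/")
        nonroot = (f[1] != "") ? f[1] : pod_nonroot
        if (nonroot != "true" || f[2] != "true") {
          printf "FAIL %s/%s runAsNonRoot=%s readOnlyRootFilesystem=%s\n", $1, c[1], nonroot, f[2]
          bad = 1
        } else {
          printf "ok   %s/%s\n", $1, c[1]
        }
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Usage against a live cluster:
#   sh relay-hardening.sh apply    # install both policies
#   sh relay-hardening.sh audit    # verify non-root / read-only root fs
case "${1:-}" in
  apply) network_policies "$NAMESPACE" "$NODE_PORT" | kubectl apply -f - ;;
  audit) kubectl get pods -n "$NAMESPACE" -o jsonpath="$SC_JSONPATH" | audit_security_context ;;
esac
```

The audit only proves that the pod specs ask for these settings; to stop a later values change from silently reintroducing root containers, also label the namespace for Pod Security Admission at the `restricted` level so the API server rejects such pods.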
Azure Key Vault
To use an Azure HSM for key storage and transaction signing, two things must happen first:
- Azure Key Vault must support the Ed25519 signature scheme used by Cardano. At the time of writing, the current generation of Managed HSM hardware does not appear to support it
- cardano-cli or another tool must be able to sign raw transactions through the Azure Key Vault REST API, so that the signing key never leaves the HSM
The Tigera web site is a good place to start reading about Calico. Also check their Definitive guide to container networking, security, and troubleshooting.
See CONTRIBUTING.
If you would like to report a vulnerability (for example, as a security researcher), first contact me privately via the Telegram link below rather than opening a public issue.
Other issues can be reported on Github.
Chat 💬 with me on Telegram
You know the saying, anything is possible. Just know that I am in Geneva, CH, and therefore I have high expectations. 🍀
The README documentation is generated by helm-docs
You may find useful resources below:
- terraform-azure-cardano: This repo contains a set of modules in the modules folder for deploying a Cardano node on Azure using Terraform.
Install the Secrets Store CSI driver together with its Azure Key Vault provider (the provider chart pulls in the driver as a dependency; syncSecret.enabled mirrors mounted vault content into Kubernetes Secret objects, which then live in etcd, so enable encryption at rest for Secrets if you rely on that option):
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name --set secrets-store-csi-driver.syncSecret.enabled=true --namespace kube-system
Create a Kubernetes secret to secure internal Redis communication (the password below is only a sample; generate a random one, for example with openssl rand -base64 24):
kubectl create secret generic redis-secret --from-literal=redis-username='cardano' --from-literal=redis-password='S!B\*d$zDsb'
Customize the chart options as needed in the values file passed with --values below, and install this Chart:
helm repo add cardano https://regel.github.io/cardano-charts
helm upgrade --install pool \
--values cardano/values.yaml \
--set redis.auth.existingSecret=redis-secret \
--set vault.csi.enabled=false \
--set producer.enabled=false \
cardano/cardano
Adjust the namespace, the pod name and the cardano-cli network flag to match your chart namespace, release name and network (the examples below assume a release named after the network), then run:
kubectl exec -ti -n mainnet mainnet-cardano-relay-0 -c node -- cardano-cli query tip --mainnet
On testnet, run:
kubectl exec -ti -n testnet testnet-cardano-relay-0 -c node -- cardano-cli query tip --testnet-magic 1097911063
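The commands above only print the tip. As an added example that is not part of the cardano-charts project, the following script runs the same query from outside the pod and fails unless the node reports a fully synced chain, which makes it usable as a gate before pointing a producer or an alerting rule at a freshly restored relay. Namespace, pod name and network flag are assumptions taken from the commands above; the sample JSON at the bottom is constructed for offline use and mirrors the fields `cardano-cli query tip` prints. Older cardano-cli versions omit the `syncProgress` field, and the script reports that instead of guessing.

```shell
#!/bin/sh
# Added example, not part of the cardano-charts project: run `cardano-cli query
# tip` in the relay pod and exit non-zero unless the chain is synced.
# Assumed defaults follow the README commands; override them via environment.
set -eu

NAMESPACE="${NAMESPACE:-mainnet}"
POD="${POD:-mainnet-cardano-relay-0}"
NETWORK="${NETWORK:---mainnet}"        # e.g. "--testnet-magic 1097911063"
MIN_SYNC="${MIN_SYNC:-99.99}"          # percent required to count as synced

# Extract one top-level field from the JSON that `cardano-cli query tip`
# prints on stdin (e.g. "syncProgress": "100.00" or "slot": 75000000).
# sed only, so it works inside minimal images without jq.
tip_field() {
  field="$1"
  sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# Return 0 when syncProgress >= MIN_SYNC, 1 otherwise (or when the field is
# missing, which older cardano-cli releases do not print).
check_synced() {
  tip_json="$1"
  progress=$(printf '%s\n' "$tip_json" | tip_field syncProgress)
  slot=$(printf '%s\n' "$tip_json" | tip_field slot)
  epoch=$(printf '%s\n' "$tip_json" | tip_field epoch)
  if [ -z "$progress" ]; then
    echo "no syncProgress field in tip output; upgrade cardano-cli or compare slot against wall-clock time" >&2
    return 1
  fi
  echo "epoch=${epoch} slot=${slot} syncProgress=${progress}%"
  # sh arithmetic is integer-only, so awk does the floating point comparison
  awk -v p="$progress" -v m="$MIN_SYNC" 'BEGIN { exit ((p + 0 >= m + 0) ? 0 : 1) }'
}

# Live query; no -ti because this is meant to run non-interactively.
query_tip() {
  # NETWORK is intentionally unquoted so "--testnet-magic 1097911063" splits.
  kubectl exec -n "$NAMESPACE" "$POD" -c node -- cardano-cli query tip $NETWORK
}

# Constructed sample output (numbers and hash are placeholders, not real data).
SAMPLE_TIP='{
    "block": 7650000,
    "epoch": 370,
    "era": "Babbage",
    "hash": "0000000000000000000000000000000000000000000000000000000000000000",
    "slot": 75000000,
    "syncProgress": "100.00"
}'

# Usage:  sh tip-check.sh live      (against the cluster)
#         sh tip-check.sh sample    (offline, uses SAMPLE_TIP)
case "${1:-}" in
  live)   check_synced "$(query_tip)" ;;
  sample) check_synced "$SAMPLE_TIP" ;;
esac
```

Run it with `live` from a cron job or a CI step after a restore from archive; an exit status of 1 means the relay is still catching up and should not yet be advertised to peers or used as the producer's only upstream.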
