Prerequisites

Please note these prerequisites are designed for our On-prem installation, not our SaaS solution.

1. Setup Kubernetes cluster

Supported version of Kubernetes:

  • 1.19 and later with Amazon EKS

  • 1.22 and later with AKS

You can use an existing cluster or create a new one with a managed service (Amazon EKS or AKS), or provision one manually with kops on virtual machines.

  • Make the underlying provider of your default storage class resizable, so that all PVCs created for Corda nodes by Catalyst Blockchain Manager can be resized when needed. To enable this, set "allowVolumeExpansion: true" on the default storage class, or create your own custom storage class. You can edit an existing storage class with the kubectl edit sc command.

  • Assign the label “nodepooltype=corda” to constrain Corda Pods so that they can only run on a particular set of nodes.

Define your cluster size considering the following minimum requirements and your business needs:

1. Minimal requirements for the Catalyst Blockchain Manager Corda service for one organization — one instance with:

  • 2 core CPU

  • 4GB RAM

  • 10GB disk space

2. Each node (CA, orderer or peer) that will be deployed consumes additional resources. Minimal requirements for one node:

  Node                 CPU     Memory, Gi    Storage, Gi
  Corda Open Source    0.25    1             2
  Corda Enterprise     0.25    1             2

When deciding on the size of the cluster, consider the expected load of the nodes and increase these values accordingly.

The Catalyst Blockchain Manager helm chart creates a “corda-console-account” service account with a role binding to the “cluster-admin” cluster role (that is, full administrative rights over the whole cluster).

2. Install Helm to your workstation

Installation manual: helm.sh/docs/intro/install/

No customization is needed.

Supported version of Helm: 3.*.

3. Configure ingress and DNS

Ingress Controller

The Traefik ingress controller must be used.

Supported version of Traefik: 2.6.3 and later

The ingress controller is needed to route traffic and expose the API and UI of the Catalyst Blockchain Manager Corda service. All components are exposed on port 443.

  • Ingress resources for Corda nodes are provisioned automatically by the Catalyst Blockchain Manager Corda service operator when a node is created or deleted. These nodes require TLS passthrough to be enabled because they use mutual TLS.

  • Ingress resources for the API and UI are created as part of the helm package during the installation process and can be configured in the helm values.

While Corda nodes use self-signed TLS certificates managed by the Catalyst Blockchain Manager Corda service operator, the API and UI require a trusted TLS certificate.

Install cert-manager v1.8.0 or later: cert-manager.io/docs/installation/helm/

The Traefik helm chart installs a load balancer of NLB type with TLS passthrough by default. The TLS certificate for the API and UI is provisioned by cert-manager, and Traefik is responsible for TLS termination for them.

Create DNS record

DNS record to create: A *.example.com → NLB address

The API, UI and nodes are all reached through this single record:

  UI     example.com:443
  API    example.com:443/api

4. Create a Kubernetes namespace

Create a k8s namespace for the Catalyst Blockchain Manager Corda service application:

kubectl create ns ${ns_name}

4.1. Get the credentials to the Helm repository in the JFrog artifactory provided by the IntellectEU admin team.

4.2. Add the repo to Helm with the username and password provided:

helm repo add catbp https://intellecteu.jfrog.io/artifactory/catbp-helm --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}

The expected output is: "catbp" has been added to your repositories

5. Create an ImagePullSecret

Create an ImagePullSecret to access the Catalyst Blockchain Manager Corda service deployable images. For example, create this Secret, naming it intellecteu-jfrog-access:

kubectl create secret docker-registry intellecteu-jfrog-access --docker-server=intellecteu-catbp-docker.jfrog.io --docker-username=${your_name} --docker-password=${your_password} --docker-email=${your_email} -n ${ns_name}

where:

  • ${your_name} - Docker username provided by IntellectEU.

  • ${your_password} - Docker password provided by IntellectEU.

  • ${your_email} - your email.

  • ${ns_name} - the namespace created for the Catalyst Blockchain Manager Corda service in the previous step.
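The following script is an added example, not tooling from the Catalyst Blockchain Manager project: it carries out steps 1, 4 and 5 above with plain kubectl. It renders a default StorageClass with allowVolumeExpansion enabled, labels the nodes reserved for Corda Pods with nodepooltype=corda, creates the namespace, and builds the image pull secret from a manifest piped on stdin so the registry password is not passed as a command-line argument. The CSI provisioner (ebs.csi.aws.com for EKS, disk.csi.azure.com for AKS), the storage class name corda-resizable, the reclaimPolicy: Retain choice, the node names and the NS/REGISTRY_* environment variables are assumptions of the example. DRY_RUN=1 prints the manifests and commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the Catalyst Blockchain Manager project's own tooling):
# prepare an EKS/AKS cluster for the Corda service per steps 1, 4 and 5.
# Assumed placeholders: CSI provisioner, node names, namespace, credentials.
# DRY_RUN=1 prints manifests and kubectl commands instead of applying them.
set -eu

: "${DRY_RUN:=0}"
: "${KUBECTL:=kubectl}"

# run: execute one kubectl command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$KUBECTL" "$@"; fi
}

# apply_manifest: apply the YAML read from stdin, or print it when DRY_RUN=1
apply_manifest() {
  if [ "$DRY_RUN" = "1" ]; then cat; else "$KUBECTL" apply -f -; fi
}

# render_storageclass: a default StorageClass whose PVCs can be expanded, so
# Corda node volumes can grow later. $1 = class name, $2 = CSI provisioner.
# Clear the is-default-class annotation on the previous default class first.
render_storageclass() {
  cat <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: $1
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: $2
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain   # assumed choice: keep ledger data if a PVC is deleted
EOF
}

# check_storageclass: succeed only if the named class permits volume expansion
check_storageclass() {
  [ "$("$KUBECTL" get sc "$1" -o jsonpath='{.allowVolumeExpansion}')" = "true" ]
}

# label_corda_nodes: pin Corda Pods to a dedicated node pool ($@ = node names)
label_corda_nodes() {
  for node in "$@"; do
    run label node "$node" nodepooltype=corda --overwrite
  done
}

# render_pull_secret: pull secret for the IntellectEU registry as a manifest,
# so the password is piped on stdin instead of appearing in argv or history.
# $1 namespace, $2 secret name, $3 username, $4 password, $5 email
# (a password containing '"' or '\' would need JSON escaping first)
render_pull_secret() {
  auth=$(printf '%s:%s' "$3" "$4" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {"auths":{"intellecteu-catbp-docker.jfrog.io":{"username":"$3","password":"$4","email":"$5","auth":"$auth"}}}
EOF
}

# Usage: NS=catbp REGISTRY_USER=... REGISTRY_PASSWORD=... REGISTRY_EMAIL=... \
#        sh prepare-cluster.sh node-1 node-2
if [ $# -gt 0 ]; then
  render_storageclass corda-resizable "${PROVISIONER:-ebs.csi.aws.com}" | apply_manifest
  [ "$DRY_RUN" = "1" ] || check_storageclass corda-resizable
  label_corda_nodes "$@"
  run create namespace "$NS"
  render_pull_secret "$NS" intellecteu-jfrog-access \
    "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY_EMAIL" | apply_manifest
fi
```

Run it once with DRY_RUN=1 to review the manifests it would apply; the check_storageclass call afterwards confirms the API server actually stored allowVolumeExpansion as true, which is the property the operator relies on when it resizes a node's PVC.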

6. Install & configure Keycloak server

Download and install Keycloak from www.keycloak.org/

6.1 Create realm

  1. In the Keycloak Admin Console, in the top left corner (below the banner), click Add realm and enter a name. For example, CAT-BP-Corda-Realm. Do not use spaces or special characters in the realm name; the hyphen character (-) may be used as a separator.

  2. Endpoints must be set to "OpenID Endpoint Configuration"

  3. On the Login tab, set Require SSL to "all requests"

  4. Click Save

The newly-created realm has the standard parameters set. You can customize them according to your installation requirements.

6.2 Create client

A client represents an instance of an application and is attached to a specific realm. Proceed as follows to create a client that represents your Corda Console UI application:

  1. At the top left corner, select the "CAT-BP-Corda" realm.

  2. In the left panel, under Configure, click Clients, and then click Create.

  3. Enter "cat-bp-corda-console-ui-client" as Client ID.

  4. In Client Protocol, select "openid-connect".

  5. Set Root URL to hostname:port (the URL you use to log in to the Corda Console UI).

  6. Click Save.

  7. On the Settings tab, check that:

    • Enabled is ON

    • Client Protocol is set to openid-connect

    • Standard Flow Enabled is ON

    • Direct Access Grants Enabled is ON

    • Valid Redirect URIs is set to hostname:port/* (the URL you use to log in to the Corda Console UI)

  8. Click Save

6.3 Define Roles

Roles are permissions assigned to users. Create roles in the Keycloak server as follows:

  1. At the top left corner, select the realm for EBICS Client. For example, CAT-BP-Corda-Realm.

  2. In the left panel, under Configure, click Clients, and then open the "cat-bp-corda-console-ui-client" client.

  3. In the Roles tab, click Add Role.

  4. In Role Name, enter the role name.

  5. Click Save.

Create the following roles:

  Role                 Description
  corda_node_delete    Delete corda nodes
  corda_node_create    Create and restart corda nodes
  corda_cordapp        Manage CordApps
  corda_node_read      Read node info, access monitoring
  corda_client         Use corda node client and call flows

6.4 Create Groups

(Optional) In the Keycloak server, a group represents a collection of roles (permissions or rights). A group can be assigned any number of roles. In the assignment of roles, groups are used for collecting and structuring authorizations.

6.5 Create Users

All users belong to a specific realm, so before creating a user make sure you have selected the correct realm. Create a user that can connect to the Corda Console UI application, for example cat-bp-corda-console-ui-client-user.

  1. In the top left corner, select the realm to hold the users. For example, CAT-BP-Corda-Realm.

  2. In the left panel, under Manage, click Users.

  3. Click Add user in the top right corner, and enter the desired user settings. Important: The user name can contain dashes (-) and underscore ( _ ) but must not contain any other special characters.

  4. Click Save.

  5. Go to the Credentials tab to set the user’s password:

    • Enter the new password

    • Confirm the new password

    • Set Temporary to "OFF"

    • Click Reset Password

  6. Go to the Role Mappings tab.

  7. Under Client Roles, select the client. For example, cat-bp-corda-console-ui-client.

  8. Select one or more roles from the Available Roles column. Click Add selected to move your selection to the Assigned Roles column.
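The admin-console steps in sections 6.1 to 6.5 can also be scripted with kcadm.sh, the command-line client shipped in the bin directory of the Keycloak distribution. The script below is an added example, not part of this page or of the Catalyst Blockchain Manager product: it creates the realm with Require SSL set to all requests, the openid-connect client with the standard flow, direct access grants and the hostname:port/* redirect URI, the five client roles from the table above, and a user with a permanent password and a role mapping. Realm, client, role and user names are the page's examples; the Keycloak URL, admin user, console URL and the CONSOLE_USER_PASSWORD variable are placeholders. valid_username enforces the rule from step 6.5.3 (dashes and underscores only). DRY_RUN=1 prints each kcadm.sh invocation instead of running it.

```shell
#!/bin/sh
# Added example (not part of the Catalyst Blockchain Manager docs): script the
# Keycloak setup of section 6 with Keycloak's kcadm.sh CLI. Realm, client and
# role names are the page's examples; URLs and credentials are placeholders.
# DRY_RUN=1 prints each kcadm.sh invocation instead of executing it.
set -eu

: "${DRY_RUN:=0}"
: "${KCADM:=kcadm.sh}"

# kc: run one kcadm.sh command, or print it when DRY_RUN=1
kc() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$KCADM" "$@"; fi
}

# valid_username: letters, digits, dashes and underscores only (step 6.5.3)
valid_username() {
  case "$1" in
    "" | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# login: authenticate against the master realm; the admin password is
# prompted for, so it does not land in the shell history or process list
login() {
  kc config credentials --server "$1" --realm master --user "$2"
}

# 6.1: realm with "Require SSL" = all requests
create_realm() {
  kc create realms -s "realm=$1" -s enabled=true -s sslRequired=all
}

# 6.2: OpenID Connect client for the Corda Console UI.
# $1 realm, $2 console URL (the hostname:port used to log in)
create_console_client() {
  kc create clients -r "$1" \
    -s clientId=cat-bp-corda-console-ui-client \
    -s protocol=openid-connect \
    -s enabled=true \
    -s standardFlowEnabled=true \
    -s directAccessGrantsEnabled=true \
    -s "rootUrl=$2" \
    -s "redirectUris=[\"$2/*\"]"
}

# client_uuid: the internal id Keycloak assigns to a client (used in role URLs)
client_uuid() {
  if [ "$DRY_RUN" = "1" ]; then
    echo CLIENT_UUID_PLACEHOLDER
  else
    "$KCADM" get clients -r "$1" -q "clientId=$2" --fields id --format csv --noquotes
  fi
}

# 6.3: the five client roles from the table on the page
create_console_roles() {
  cid=$(client_uuid "$1" cat-bp-corda-console-ui-client)
  printf '%s\n' \
    'corda_node_delete|Delete corda nodes' \
    'corda_node_create|Create and restart corda nodes' \
    'corda_cordapp|Manage CordApps' \
    'corda_node_read|Read node info, access monitoring' \
    'corda_client|Use corda node client and call flows' |
  while IFS='|' read -r role desc; do
    kc create "clients/$cid/roles" -r "$1" -s "name=$role" -s "description=$desc"
  done
}

# 6.5: user with a permanent (non-temporary) password and client role mappings.
# $1 realm, $2 username, $3 password (pass it from an env var, not a literal),
# $4... roles to assign
create_console_user() {
  realm=$1; user=$2; pass=$3; shift 3
  valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
  kc create users -r "$realm" -s "username=$user" -s enabled=true
  kc set-password -r "$realm" --username "$user" --new-password "$pass"
  for role in "$@"; do
    kc add-roles -r "$realm" --uusername "$user" \
      --cclientid cat-bp-corda-console-ui-client --rolename "$role"
  done
}

# Usage: CONSOLE_USER_PASSWORD=... sh keycloak-setup.sh \
#          https://keycloak.example.com admin https://console.example.com
if [ $# -eq 3 ]; then
  login "$1" "$2"
  create_realm CAT-BP-Corda-Realm
  create_console_client CAT-BP-Corda-Realm "$3"
  create_console_roles CAT-BP-Corda-Realm
  create_console_user CAT-BP-Corda-Realm cat-bp-corda-console-ui-client-user \
    "${CONSOLE_USER_PASSWORD:?set CONSOLE_USER_PASSWORD}" corda_node_read
fi
```

The example grants the user only corda_node_read; add the other roles from the table per user as needed rather than assigning all five by default, since corda_node_delete and corda_node_create act on the nodes themselves.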