CENM Signer Helm chart

This Helm chart configures, deploys and runs the CENM Signing Service.

As its initial step, this chart automatically runs the PKI Tool, which creates and stores the certificates required for correct Corda Network operation. By default the certificates have sample X.500 subject names (e.g. the Identity Manager certificate has the subject name “CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US”). The subject names can be set with the configuration options that start with the pki.certificates. prefix.

For more information about PKI Tool and Certificate Hierarchy refer to:

Example usage

Using default values:

helm install signer signer

Overriding the default values to set the password for the SSH console:

helm install signer signer --set shell.password="superDifficultPassword"

Parameters starting with the prefix “pki.certificates.” allow you to override the default subject/issuer X.500 names of the Corda certificates. The following example command bootstraps the Signer with the X.500 name “CN=Company A TLS Signer Certificate […]” for both the subject and the issuer of the certificate used for signing the CRL:

helm install signer signer --set idmanPublicIP=13.71.57.219 --set pki.certificates.tlscrlsigner.subject="CN=Company A TLS Signer Certificate\, OU=HQ\, O=HoldCo LLC\, L=London\, C=UK" --set pki.certificates.tlscrlsigner.crl.issuer="CN=Company A TLS Signer Certificate\, OU=Corda\, O=R3 HoldCo LLC\, L=New York\, C=US"

The name needs to be a valid X.500 name, and commas inside it need to be escaped with a backslash (\) so that Helm does not treat them as value separators.
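As an added example (not part of the chart), the helper below takes the chart keys and X.500 names you intend to pass, checks that each name parses into well-formed RDNs, renders the backslash-escaped `--set` arguments, and warns when a certificate still carries one of the chart's sample "Test ..." names or when shell.password is left at the chart default. The accepted attribute types (CN, OU, O, L, ST, C, with O, L and C mandatory) are an assumption taken from Corda's identity naming rules, not something the chart documents.

```python
import re

# Attribute types accepted in Corda X.500 names (assumption for this example); O, L and C are mandatory.
ALLOWED_ATTRS = {"CN", "OU", "O", "L", "ST", "C"}
REQUIRED_ATTRS = {"O", "L", "C"}
# Split on commas that are not escaped with a backslash; escaped commas belong to the value.
_RDN_SPLIT = re.compile(r"(?<!\\),")
CHART_DEFAULT_SSH_PASSWORD = "signerP"  # shell.password default from the chart's parameter table


def parse_x500(name):
    """Parse a distinguished name into ordered (attr, value) pairs; raise ValueError if malformed."""
    rdns = []
    for part in _RDN_SPLIT.split(name):
        attr, sep, value = part.strip().partition("=")
        attr, value = attr.strip().upper(), value.strip().replace("\\,", ",")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"unsupported attribute type: {attr}")
        rdns.append((attr, value))
    missing = REQUIRED_ATTRS - {a for a, _ in rdns}
    if missing:
        raise ValueError(f"missing required attributes: {sorted(missing)}")
    return rdns


def helm_set_arg(key, rdns):
    """Render key=value for `helm --set`, escaping every comma so Helm keeps it inside the value."""
    value = ", ".join(f"{a}={v}" for a, v in rdns)
    escaped = value.replace(",", "\\,")
    return f"{key}={escaped}"


def preflight(overrides):
    """Turn chart key/value overrides into --set arguments plus warnings about leftover defaults."""
    args, warnings = [], []
    for key, value in overrides.items():
        if key.startswith("pki.certificates."):
            rdns = parse_x500(value)
            if any(a == "CN" and v.startswith("Test ") for a, v in rdns):
                warnings.append(f"{key} still uses a chart sample name")
            args.append(helm_set_arg(key, rdns))
        else:
            args.append(f"{key}={value}")
    if overrides.get("shell.password", CHART_DEFAULT_SSH_PASSWORD) == CHART_DEFAULT_SSH_PASSWORD:
        warnings.append("shell.password left at the chart default")
    return args, warnings


if __name__ == "__main__":
    # Constructed input mirroring the bootstrap command above.
    args, warnings = preflight({
        "pki.certificates.tlscrlsigner.subject": "CN=Company A TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=London, C=UK",
        "pki.certificates.tlscrlsigner.crl.issuer": "CN=Company A TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US",
    })
    print("helm install signer signer " + " ".join(f'--set "{a}"' for a in args))
    for w in warnings:
        print("WARNING:", w)
```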

Configuration variables

| Parameter | Description | Default value |
| --- | --- | --- |
| bashDebug | Display additional information while running bash scripts (useful while investigating issues) | false |
| dockerImage.name | URL to Signer Docker image | corda/enterprise-signer |
| dockerImage.tag | Docker image tag | 1.2-zulu-openjdk8u242 |
| dockerImage.pullPolicy | Image pull policy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#updating-images | Always |
| service.type | Kubernetes service type, https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | LoadBalancer |
| service.port | Kubernetes service port/targetPort for external communication | 10000 |
| serviceInternal.type | Kubernetes service type for internal communication between CENM components | LoadBalancer |
| serviceInternal.port | Kubernetes service port/targetPort | 5052 |
| serviceRevocation.port | Kubernetes service port to access Identity Manager’s revocation endpoint (targetPort) | 5053 |
| serviceSsh.type | Kubernetes service type to access Signer ssh console | LoadBalancer |
| shell.sshdPort | Signer ssh port | 2222 |
| shell.user | Signer ssh user | signer |
| shell.password | Signer ssh password | signerP |
| cordaJarMx | Initial value for memory allocation (GB) | 1 |
| jarPath | Path to a folder which contains Signer jar files | bin |
| configPath | Path to a folder which contains Signer configuration file | etc |
| pki.certificates.tlscrlsigner.subject | Subject of the certificate for signing the CRL for the Corda Node’s TLS-level certificate (alias: tlscrlsigner) | CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.tlscrlsigner.crl.issuer | Issuer of the certificate for signing the CRL for the Corda Node’s TLS-level certificate (alias: tlscrlsigner) | CN=Corda TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US |
| pki.certificates.cordarootca.subject | Subject of Corda Root certificate (alias: cordarootca) | CN=Test Root CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.subordinateca.subject | Subject of Corda Subordinate certificate (alias: subordinateca) | CN=Test Subordinate CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.identitymanagerca.subject | Subject of Corda Identity Manager certificate (alias: identitymanagerca) | CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.networkmap.subject | Subject of Corda Network Map certificate (alias: networkmap) | CN=Test Network Map Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |