CENM Signing Service Helm Chart

This Helm chart configures, deploys, and runs the CENM Signing Service on Kubernetes.

As an initial step, this chart automatically runs the PKI Tool, which creates and stores the certificates needed for correct Corda Network operation. By default, the certificates have sample X.500 subject names (for example, the Identity Manager Service certificate has the subject name “CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US”). The subject names can be set with configuration options starting with the pki.certificates. prefix.

The passwords for the certificate private keys and keystores generated by this chart are not configurable.

For more information about the PKI Tool and the certificate hierarchy, refer to:

Example usage

In the example below, the default values are used:

helm install cenm-signer signer --set prefix=cenm --set acceptLicense=Y

In the example below, some default values are overridden:

helm install cenm-signer signer --set idmanPublicIP=X.X.X.X --set prefix=cenm --set acceptLicense=Y --set volumeSizeSignerLogs=5Gi

Parameters starting with the pki.certificates. prefix override the default X.500 subject and issuer names of the Corda certificates. The following example command bootstraps the Signing Service with X.500 names beginning “CN=Company A TLS Signer Certificate […]” for both the subject of the CRL-signing certificate (tlscrlsigner) and the issuer name used for its CRL:

helm install signer signer --set idmanPublicIP=13.71.57.219 --set pki.certificates.tlscrlsigner.subject="CN=Company A TLS Signer Certificate\, OU=HQ\, O=HoldCo LLC\, L=London\, C=UK" --set pki.certificates.tlscrlsigner.crl.issuer="CN=Company A TLS Signer Certificate\, OU=Corda\, O=R3 HoldCo LLC\, L=New York\, C=US"

Each name must be a valid X.500 name. When a name is passed with --set, every comma inside it must be escaped with a backslash (“\,”), otherwise Helm splits the value at the comma into separate settings.
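The two ways of passing these names are shown below as an added example; it is not part of the CENM documentation or chart. It assumes only the standard Helm behaviour of --set (commas separate settings unless escaped) and of values files (plain YAML, no escaping). The release name, chart directory and parameter paths (prefix, acceptLicense, pki.certificates.tlscrlsigner.subject, pki.certificates.tlscrlsigner.crl.issuer) are those used on this page; the X.500 names are constructed sample values. The command is printed rather than executed so the script runs without a cluster.

```shell
#!/bin/sh
# Added example (not from the CENM docs): passing X.500 names to the
# Signing Service chart via --set (escaped) or via a values file (unescaped).
set -eu

# Escape every comma so Helm's --set parser keeps the whole DN as one value.
escape_x500_for_set() {
  printf '%s' "$1" | sed 's/,/\\,/g'
}

# Print (do not run) the helm install command with escaped DN overrides.
# $1 release name, $2 chart path, $3 tlscrlsigner subject, $4 CRL issuer.
build_set_command() {
  printf 'helm install %s %s --set prefix=cenm --set acceptLicense=Y' "$1" "$2"
  printf ' --set pki.certificates.tlscrlsigner.subject="%s"' "$(escape_x500_for_set "$3")"
  printf ' --set pki.certificates.tlscrlsigner.crl.issuer="%s"\n' "$(escape_x500_for_set "$4")"
}

# Alternative: write a values file. YAML needs no comma escaping, and sensitive
# settings such as signingKeys.credentials.keyStorePassword stay out of shell
# history and the process list (use: helm install cenm-signer signer -f "$out").
# $1 output path, $2 tlscrlsigner subject, $3 CRL issuer.
write_values_file() {
  cat > "$1" <<EOF
prefix: cenm
acceptLicense: "Y"   # quoted: a bare Y is parsed as a YAML boolean
pki:
  certificates:
    tlscrlsigner:
      subject: "$2"
      crl:
        issuer: "$3"
EOF
  chmod 600 "$1"   # the file may later hold credentials; restrict it
}

# Constructed sample DNs (not real organisations).
SUBJECT='CN=Company A TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=London, C=GB'
ISSUER='CN=Company A TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US'

build_set_command cenm-signer signer "$SUBJECT" "$ISSUER"
```

Running the script prints the --set form of the install command; calling write_values_file with a path and the same two names produces the equivalent values file, which is the form to use once signingKeys.credentials.keyStorePassword or other secrets have to be supplied.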

Configuration variables

| Parameter | Description | Default value |
|---|---|---|
| bashDebug | Display additional information while running bash scripts (useful when investigating issues) | false |
| signerImage.repository | URL of the Signing Service Docker image repository | acrcenm.azurecr.io/signer/signer |
| signerImage.tag | Docker image tag | 1.4 |
| signerImage.pullPolicy | Image pull policy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#updating-images | Always |
| dockerImageCli.repository | URL of the CLI image repository | acrcenm.azurecr.io/cli/cli |
| dockerImageCli.tag | Docker image tag | 1.4 |
| dockerImageCli.pullPolicy | Image pull policy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#updating-images | Always |
| volumeSizeSignerEtc | Volume size for the etc/ directory | 1Mi |
| volumeSizeSignerLogs | Volume size for the logs/ directory | 10Gi |
| signerJar.xmx | Value for the java -Xmx memory setting | 1G |
| signerJar.path | The directory where the Signing Service .jar file is stored | bin |
| signerJar.configPath | The directory where the Signing Service configuration is stored | etc |
| signerJar.configFile | The file name of the Signing Service configuration file | signer.conf |
| signers.CSR.schedule.interval | The schedule interval for the CSR signing process | 1m |
| signers.CRL.schedule.interval | The schedule interval for the CRL signing process | 1d |
| signers.NetworkMap.schedule.interval | The schedule interval for the Network Map signing process | 1m |
| signers.NetworkParameters.schedule.interval | The schedule interval for the Network Parameters signing process | 1m |
| signingKeys.keyStore.keyVaultUrl | The Azure Key Vault URL; only applicable when using Azure Key Vault instead of a local key store | https://vault.vault.azure.net |
| signingKeys.credentials.keyStorePassword | The key store password; only applicable when using Azure Key Vault instead of a local key store | "" |
| signingKeys.credentials.keyStoreAlias | The key store alias; only applicable when using Azure Key Vault instead of a local key store | 1 |
| signingKeys.credentials.clientId | The application client ID used to access the Azure Key Vault; only applicable when using Azure Key Vault instead of a local key store | abcdefgh-1234-5678-9012-123456789012 |
| pki.certificates.tlscrlsigner.subject | Subject of the certificate that signs the CRL for the Corda node’s TLS-level certificate (alias: tlscrlsigner) | CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.tlscrlsigner.crl.issuer | Issuer name used for the CRL of the Corda node’s TLS-level certificate (alias: tlscrlsigner) | CN=Corda TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US |
| pki.certificates.cordarootca.subject | Subject of the Corda Root CA certificate (alias: cordarootca) | CN=Test Root CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.subordinateca.subject | Subject of the Corda Subordinate CA certificate (alias: subordinateca) | CN=Test Subordinate CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.identitymanagerca.subject | Subject of the Corda Identity Manager certificate (alias: identitymanagerca) | CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| pki.certificates.networkmap.subject | Subject of the Corda Network Map certificate (alias: networkmap) | CN=Test Network Map Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US |
| sleepTimeAfterError | Sleep time (in seconds) after an error occurs | 120 |
| logsContainersEnabled | Enable a container displaying live logs | true |

Note that any value passed with --set is visible in shell history and in the process list while the command runs, so supply signingKeys.credentials.keyStorePassword and the other Azure Key Vault credentials from a values file with restricted permissions rather than on the command line.