From ac6437b9fa5d508b088355cc242fa40b905c624d Mon Sep 17 00:00:00 2001 From: Marwen Abid Date: Thu, 4 Apr 2024 19:01:31 -0700 Subject: [PATCH 1/3] SDP-1060 Publish multi-tenant helm charts for SDP 2.0.0-rc --- .../stellar-disbursement-platform/Chart.yaml | 4 +- .../stellar-disbursement-platform/README.md | 282 ++++++++++-------- .../minimal-values.yaml | 40 ++- .../templates/01.1-configmap-sdp.yaml | 7 + .../templates/01.2-configmap-ap.yaml | 4 +- .../templates/01.3-configmap-tss.yaml | 10 +- .../templates/02.1-deployment-sdp.yaml | 14 +- .../templates/02.2-deployment-ap.yaml | 2 +- .../templates/02.3-deployment-tss.yaml | 9 +- .../templates/03.1-service-sdp.yaml | 4 + .../templates/04.1-ingress-sdp.yaml | 13 + .../templates/04.3-ingress-dashboard.yaml | 12 + .../templates/05.3-secrets-tss.yaml | 2 +- .../templates/_helpers.tpl | 21 ++ .../stellar-disbursement-platform/values.yaml | 88 +++++- 15 files changed, 364 insertions(+), 148 deletions(-) diff --git a/charts/stellar-disbursement-platform/Chart.yaml b/charts/stellar-disbursement-platform/Chart.yaml index 6fb91c4..b5b4f33 100644 --- a/charts/stellar-disbursement-platform/Chart.yaml +++ b/charts/stellar-disbursement-platform/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: stellar-disbursement-platform description: A Helm chart for the Stellar Disbursement Platform Backend (A.K.A. `sdp`) -version: 0.9.4 -appVersion: "1.1.0" +version: 2.0.0-rc.1 +appVersion: "2.0.0-rc1" type: application maintainers: - name: Stellar Development Foundation diff --git a/charts/stellar-disbursement-platform/README.md b/charts/stellar-disbursement-platform/README.md index 5280081..6fcc7e6 100644 --- a/charts/stellar-disbursement-platform/README.md +++ b/charts/stellar-disbursement-platform/README.md 
@@ -3,7 +3,7 @@ ## Introduction This chart bootstraps a Stellar Disbursement Platform (SDP) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -The SDP is a set of services that enable organizations to disburse funds to recipients using the Stellar network. The SDP is comprised of the following services: +The SDP is a set of services that enable organizations to disburse funds to recipients using the Stellar network. The SDP consists of the following services: - Stellar Disbursement Platform (SDP) Core Service: the core backend service that performs several functions. - Anchor Platform: the API server that the wallet uses to authenticate and initiate the recipient’s registration process through the SEP-24 deposit flow. - Transaction Submission Service (TSS): the service that submits all payment transactions to the Stellar network. @@ -13,6 +13,7 @@ The SDP is a set of services that enable organizations to disburse funds to reci - Kubernetes 1.19+ - Helm 3.2.0+ - Postgres 14.0+ database deployed in the same Kubernetes cluster +- Kafka (optional) needed for inter-service communication when `eventBroker.type` is set to "KAFKA" ## Installing the Chart 
@@ -78,6 +79,12 @@ These parameters are shared by all charts. | `global.serviceAccount.annotations` | Annotations to be added to the service account. | `nil` | | `global.serviceAccount.name` | Name of the service account to be used. If not set and create is set to true, a name will be generated using the fullname template. | `""` | | `global.ephemeralDatabase` | Enables or disables the creation of an ephemeral database for testing purposes. | `true` | +| `global.eventBroker` | Configuration related to the event broker used by the application. | | +| `global.eventBroker.type` | The type of event broker to be used. Options: "NONE", "KAFKA". Default: "KAFKA". | `KAFKA` | +| `global.eventBroker.urls` | A comma-separated list of broker URLs for the event broker. | `nil` | +| `global.eventBroker.consumerGroupId` | The consumer group ID for the event broker. | `nil` | +| `global.eventBroker.kafka` | Configuration related to the Kafka event broker. | | +| `global.eventBroker.kafka.securityProtocol` | The security protocol to be used for the Kafka broker. Options: "PLAINTEXT", "SASL_SSL", "SASL_PLAINTEXT", "SSL". | `nil` | ### Stellar Disbursement Platform (SDP) parameters 
@@ -86,69 +93,86 @@ Configuration parameters for the SDP Core Service which is the core backend serv - Messaging Service: a recurring process that sends text messages to users prompting them to download the wallet selected for a particular disbursement and verify their phone with an OTP - Wallet Registration UI: a web application that collects and verifies the recipient’s OTP code and verification information via Stellar’s SEP-24: Hosted Deposit and Withdrawal protocol -| Name | Description | Value | -| ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | -| `sdp.route` | Configuration related to the routing of the SDP service. | | -| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `sdp.localhost.com` | -| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | -| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | -| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | -| `sdp.image.repository` | Docker image repository for the SDP backend service. | `stellar/stellar-disbursement-platform-backend` | -| `sdp.image.pullPolicy` | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | -| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. | `latest` | -| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | -| `sdp.deployment.annotations` | Annotations to be added to the deployment. 
| `nil` | -| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | -| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | -| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | -| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | -| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | -| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | -| `sdp.configMap.data.BASE_URL` | The base URL of the SDP backend. | `http://localhost:8000` | -| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | -| `sdp.configMap.data.EC256_PUBLIC_KEY` | The EC256 public key used for authentication purposes. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | -| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). | `localhost` | -| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | -| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | Anchor platform SEP10 signing public key. | `nil` | -| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the Stellar distribution account that sends the Stellar payments. 
| `nil` | -| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | -| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL". | `DRY_RUN` | -| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS". | `DRY_RUN` | -| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | `nil` | -| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | -| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). | `false` | -| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | -| `sdp.configMap.data.SDP_UI_BASE_URL` | The base URL of the SDP UI/dashboard. | `nil` | -| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | -| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | -| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | -| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | -| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | `MY_AWS_ACCESS_KEY_ID` | -| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | `MY_AWS_REGION` | -| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. 
| `MY_AWS_SECRET_ACCESS_KEY` | -| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | `MY_AWS_SES_SENDER_ID` | -| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | `MY_AWS_SNS_SENDER_ID` | -| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. | `MY_TWILIO_ACCOUNT_SID` | -| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | `MY_TWILIO_AUTH_TOKEN` | -| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. | `MY_TWILIO_SERVICE_SID` | -| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | -| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. | `nil` | -| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. | `nil` | -| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | `nil` | -| `sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` | The JWT secret used to create a JWT token used to send requests to the anchor platform. | `nil` | -| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. | `nil` | -| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. This is needed for the init container | `nil` | -| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". 
| `nil` | -| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | -| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. | `true` | -| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | -| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | -| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `backend-tls-cert-name` | +| Name | Description | Value | +| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | +| `sdp.route` | Configuration related to the routing of the SDP service. | | +| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | +| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `nil` | +| `sdp.route.mtnDomain` | Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com". | `nil` | +| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | +| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | +| `sdp.route.adminPort` | Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants. | `8003` | +| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | +| `sdp.image.repository` | Docker image repository for the SDP backend service. | `stellar/stellar-disbursement-platform-backend` | +| `sdp.image.pullPolicy` | Image pull policy for the SDP service. 
For locally built images, consider using "Never" or "IfNotPresent". | `Always` | +| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. | `latest` | +| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | +| `sdp.deployment.annotations` | Annotations to be added to the deployment. | `nil` | +| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | +| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | +| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | +| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | +| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | +| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | +| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | +| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | +| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | +| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | +| `sdp.configMap.data.BASE_URL` | The base URL of the SDP backend. | `http://localhost:8000` | +| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | +| `sdp.configMap.data.EC256_PUBLIC_KEY` | The EC256 public key used for authentication purposes. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | +| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). 
| `dev` | +| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | +| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | Anchor platform SEP10 signing public key. | `nil` | +| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` | +| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | +| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL". | `DRY_RUN` | +| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS". | `DRY_RUN` | +| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | `nil` | +| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | +| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). | `false` | +| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | +| `sdp.configMap.data.SDP_UI_BASE_URL` | The base URL of the SDP UI/dashboard. | `nil` | +| `sdp.configMap.data.INSTANCE_NAME` | The name of the SDP instance. Example: "SDP Testnet". | `nil` | +| `sdp.configMap.data.ENABLE_SCHEDULER` | Whether the scheduled jobs are enabled in this instance ("true" or "false"). Default "false". | `false` | +| `sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS` | The interval in seconds for the payment job that syncs payments between the SDP and the TSS. 
| `3600` | +| `sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` | The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job. | `3600` | +| `sdp.configMap.data.MAX_INVITATION_SMS_RESEND_ATTEMPTS` | The maximum number of times an invitation SMS can be resent. 0 or negative values disable the job. | `3` | +| `sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT` | The amount of XLM to be sent to a newly created tenant distribution account. | `5` | +| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | +| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | +| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | +| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | +| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | `MY_AWS_ACCESS_KEY_ID` | +| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | `MY_AWS_REGION` | +| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. | `MY_AWS_SECRET_ACCESS_KEY` | +| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | `MY_AWS_SES_SENDER_ID` | +| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | `MY_AWS_SNS_SENDER_ID` | +| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. 
| `MY_TWILIO_ACCOUNT_SID` | +| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | `MY_TWILIO_AUTH_TOKEN` | +| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. | `MY_TWILIO_SERVICE_SID` | +| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | +| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. | `nil` | +| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. | `nil` | +| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | `nil` | +| `sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` | The JWT secret used to create a JWT token used to send requests to the anchor platform. | `nil` | +| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. | `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. This is needed for the init container. | `nil` | +| `sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of the signature client used for distribution accounts. | `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` | +| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. 
it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | +| `sdp.kubeSecrets.data.ADMIN_ACCOUNT` | The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | +| `sdp.kubeSecrets.data.ADMIN_API_KEY` | The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | +| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | +| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. | `true` | +| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | +| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | +| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `backend-tls-cert-name` | ### Anchor Platform 
@@ -207,68 +231,78 @@ the recipient’s registration process through the SEP-24 deposit flow. Configuration parameters for the Transaction Submission Service. This is the service that submits all payment transactions to the Stellar network. This service is designed to maximize payment throughput, handle queuing, and graceful resubmission/error handling -| Name | Description | Value | -| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | -| `tss.route` | Configuration related to the routing of the TSS. | | -| `tss.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `tss.route.port` | Primary port on which the TSS listens. | `9000` | -| `tss.route.metricsPort` | Port dedicated to metrics collection for the TSS. | `9002` | -| `tss.deployment` | Configuration related to the deployment of the TSS. | | -| `tss.deployment.annotations` | Annotations to be added to the deployment. | `nil` | -| `tss.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `tss.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `tss.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `tss.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `tss.deployment.resources` | Resource limits and requests for the application pods. | `{}` | -| `tss.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | -| `tss.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | -| `tss.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. 
| `{}` | -| `tss.configMap` | Configuration settings for the Transaction Submission Service (TSS) ConfigMap. | | -| `tss.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | -| `tss.configMap.data` | Used to inject non-sensitive environment variables into the TSS deployment; for the latest variables, consult the application's CLI `-h` command. | | -| `tss.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | -| `tss.configMap.data.NUM_CHANNEL_ACCOUNTS` | The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. | `1` | -| `tss.configMap.data.MAX_BASE_FEE` | Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. | `100000` | -| `tss.configMap.data.TSS_METRICS_TYPE` | Defines the type of metrics system that the TSS should use. Options: "TSS_PROMETHEUS". | `TSS_PROMETHEUS` | -| `tss.configMap.data.QUEUE_POLLING_INTERVAL` | Specifies the interval (in seconds) at which the TSS should poll the queue. | `6` | -| `tss.configMap.data.ENVIRONMENT` | Specifies the environment TSS is running in (e.g. "localhost"). | `development` | -| `tss.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | -| `tss.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | -| `tss.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `tss-secret-name` | -| `tss.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | -| `tss.kubeSecrets.annotations` | Annotations to be added to the secret. 
| `nil` | -| `tss.kubeSecrets.data.DATABASE_URL` | URL of the database used by the TSS. | `nil` | -| `tss.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. | `nil` | -| `tss.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` | +| Name | Description | Value | +| ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `tss.enabled` | If true, the tss will be deployed. | `true` | +| `tss.route` | Configuration related to the routing of the TSS. | | +| `tss.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | +| `tss.route.port` | Primary port on which the TSS listens. | `9000` | +| `tss.route.metricsPort` | Port dedicated to metrics collection for the TSS. | `9002` | +| `tss.deployment` | Configuration related to the deployment of the TSS. | | +| `tss.deployment.annotations` | Annotations to be added to the deployment. | `nil` | +| `tss.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | +| `tss.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | +| `tss.deployment.podSecurityContext` | Security settings for the pods. | `{}` | +| `tss.deployment.securityContext` | Security settings for the container within the pod. | `{}` | +| `tss.deployment.resources` | Resource limits and requests for the application pods. | `{}` | +| `tss.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | +| `tss.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. 
| `[]` | +| `tss.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | +| `tss.configMap` | Configuration settings for the Transaction Submission Service (TSS) ConfigMap. | | +| `tss.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | +| `tss.configMap.data` | Used to inject non-sensitive environment variables into the TSS deployment; for the latest variables, consult the application's CLI `-h` command. | | +| `tss.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | +| `tss.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` | +| `tss.configMap.data.NUM_CHANNEL_ACCOUNTS` | The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. | `1` | +| `tss.configMap.data.MAX_BASE_FEE` | Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. | `100000` | +| `tss.configMap.data.TSS_METRICS_TYPE` | Defines the type of metrics system that the TSS should use. Options: "TSS_PROMETHEUS". | `TSS_PROMETHEUS` | +| `tss.configMap.data.QUEUE_POLLING_INTERVAL` | Specifies the interval (in seconds) at which the TSS should poll the queue. | `6` | +| `tss.configMap.data.ENVIRONMENT` | Specifies the environment TSS is running in (e.g. "localhost"). | `development` | +| `tss.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | +| `tss.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. 
| | +| `tss.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `tss-secret-name` | +| `tss.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | +| `tss.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | +| `tss.kubeSecrets.data.DATABASE_URL` | URL of the database used by the TSS. | `nil` | +| `tss.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. | `nil` | +| `tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` | +| `tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of the signature client used for distribution accounts. | `nil` | +| `tss.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` | +| `tss.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` | +| `tss.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `tss.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | +| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | ### Dashboard Configuration parameters for the Dashboard. 
This is the user interface administrators use to initiate and track the progress of disbursements. -| Name | Description | Value | -| --------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| `dashboard.enabled` | If true, the dashboard will be deployed. | `false` | -| `dashboard.route` | Configuration related to the routing of the Dashboard. | | -| `dashboard.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `dashboard.route.domain` | Public domain/address of the Dashboard. | `sdp-dashboard.localhost.com` | -| `dashboard.route.port` | Primary port on which the Dashboard listens. | `80` | -| `dashboard.image` | Configuration related to the Docker image used by the Dashboard. | | -| `dashboard.image.fullName` | Full name of the Docker image. | `stellar/stellar-disbursement-platform-frontend:latest` | -| `dashboard.image.pullPolicy` | Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | -| `dashboard.deployment` | Configuration related to the deployment of the Dashboard. | | -| `dashboard.deployment.annotations` | Annotations to be added to the deployment. | `{}` | -| `dashboard.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `dashboard.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `dashboard.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `dashboard.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `dashboard.deployment.resources` | Resource limits and requests for the application pods. | `{}` | -| `dashboard.configMap` | Configuration settings for the Dashboard ConfigMap. 
| | -| `dashboard.configMap.annotations` | Annotations to be added to the ConfigMap. | `{}` | -| `dashboard.configMap.data` | Used to inject non-sensitive environment variables into the Dashboard deployment. | | -| `dashboard.configMap.data.API_URL` | The URL for the API the dashboard should interact with. | `{{ include "sdp.schema" . }}://{{ include "sdp.domain" . }}` | -| `dashboard.configMap.data.RECAPTCHA_SITE_KEY` | The site key for Google reCAPTCHA service. | `reCaptchaSiteKey` | -| `dashboard.ingress` | Configuration for the ingress controller for the dashboard. | | -| `dashboard.ingress.enabled` | If true, an ingress controller will be created for the dashboard. | `false` | -| `dashboard.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | -| `dashboard.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"dashboard.domain\" . }}"]` | -| `dashboard.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `dashboard-tls-cert-name` | +| Name | Description | Value | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +| `dashboard.enabled` | If true, the dashboard will be deployed. | `false` | +| `dashboard.route` | Configuration related to the routing of the Dashboard. | | +| `dashboard.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | +| `dashboard.route.domain` | Public domain/address of the Dashboard. | `nil` | +| `dashboard.route.mtnDomain` | Public domain/address of the multi-tenant Dashboard. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp-dashboard.localhost.com". | `nil` | +| `dashboard.route.port` | Primary port on which the Dashboard listens. 
| `80` | +| `dashboard.image` | Configuration related to the Docker image used by the Dashboard. | | +| `dashboard.image.fullName` | Full name of the Docker image. | `stellar/stellar-disbursement-platform-frontend:latest` | +| `dashboard.image.pullPolicy` | Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | +| `dashboard.deployment` | Configuration related to the deployment of the Dashboard. | | +| `dashboard.deployment.annotations` | Annotations to be added to the deployment. | `{}` | +| `dashboard.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | +| `dashboard.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | +| `dashboard.deployment.podSecurityContext` | Security settings for the pods. | `{}` | +| `dashboard.deployment.securityContext` | Security settings for the container within the pod. | `{}` | +| `dashboard.deployment.resources` | Resource limits and requests for the application pods. | `{}` | +| `dashboard.configMap` | Configuration settings for the Dashboard ConfigMap. | | +| `dashboard.configMap.annotations` | Annotations to be added to the ConfigMap. | `{}` | +| `dashboard.configMap.data` | Used to inject non-sensitive environment variables into the Dashboard deployment. | | +| `dashboard.configMap.data.API_URL` | The URL for the API the dashboard should interact with. | `{{ include "sdp.schema" . }}://{{ include "sdp.domain" . }}` | +| `dashboard.configMap.data.RECAPTCHA_SITE_KEY` | The site key for Google reCAPTCHA service. | `reCaptchaSiteKey` | +| `dashboard.ingress` | Configuration for the ingress controller for the dashboard. | | +| `dashboard.ingress.enabled` | If true, an ingress controller will be created for the dashboard. | `false` | +| `dashboard.ingress.className` | Name of the IngressClass to be used for the ingress controller. 
| `nginx` |
+| `dashboard.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"dashboard.domain\" . }}"]` |
+| `dashboard.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `dashboard-tls-cert-name` |
diff --git a/charts/stellar-disbursement-platform/minimal-values.yaml b/charts/stellar-disbursement-platform/minimal-values.yaml
index 81e3704..e28bb39 100644
--- a/charts/stellar-disbursement-platform/minimal-values.yaml
+++ b/charts/stellar-disbursement-platform/minimal-values.yaml
@@ -4,16 +4,34 @@
 ## These are the minimal values required to deploy the SDP helm chart.
 ## @descriptionEnd
+global:
+ ## @extra global.eventBroker Configuration related to the event broker used by the application.
+ ## @param global.eventBroker.type The type of event broker to be used. Options: "NONE", "KAFKA". Default: "KAFKA".
+ ## @param global.eventBroker.urls A comma-separated list of broker URLs for the event broker.
+ ## @param global.eventBroker.consumerGroupId The consumer group ID for the event broker.
+ eventBroker:
+ type: "KAFKA"
+ urls: #required
+ consumerGroupId: #required
+
+ ## @extra global.eventBroker.kafka Configuration related to the Kafka event broker.
+ ## @param global.eventBroker.kafka.securityProtocol The security protocol to be used for the Kafka broker. Options: "PLAINTEXT", "SASL_SSL", "SASL_PLAINTEXT", "SSL".
+ kafka:
+ securityProtocol: #required
+
 sdp:
 ## @param sdp.route.domain Public domain/address of the SDP service.
+ ## @param sdp.route.mtnDomain Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com".
 route:
 domain: #required
+ mtnDomain: #required
 ## @param sdp.configMap.data.EC256_PUBLIC_KEY [string] The EC256 public key used for authentication purposes.
 ## @param sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY Anchor platform SEP10 signing public key.
 ## @param sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the Stellar distribution account that sends the Stellar payments.
 ## @param sdp.configMap.data.RECAPTCHA_SITE_KEY Site key for ReCaptcha. Required if using ReCaptcha.
+ ## @param sdp.configMap.data.INSTANCE_NAME The name of the SDP instance. Example: "SDP Testnet".
 configMap:
 annotations:
 data:
@@ -21,6 +39,7 @@ sdp:
 SEP10_SIGNING_PUBLIC_KEY: #required
 DISTRIBUTION_PUBLIC_KEY: #required
 RECAPTCHA_SITE_KEY: #required
+ INSTANCE_NAME: #required
 ## @param sdp.kubeSecrets.data.EC256_PRIVATE_KEY [string] The EC256 Private Key. This key is used to sign the authentication token.
 ## @param sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs.
@@ -29,6 +48,9 @@ sdp:
 ## @param sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET The JWT secret used to create a JWT token used to send requests to the anchor platform.
 ## @param sdp.kubeSecrets.data.DATABASE_URL URL of the database used by the SDP.
 ## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds. This is needed for the init container
+ ## @param sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel account secrets in the database.
+ ## @param sdp.kubeSecrets.data.ADMIN_ACCOUNT The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.",
+ ## @param sdp.kubeSecrets.data.ADMIN_API_KEY The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.",
 kubeSecrets:
 create: true
 data:
@@ -39,6 +61,9 @@ sdp:
 ANCHOR_PLATFORM_OUTGOING_JWT_SECRET: #required for mySdpToAnchorPlatformSecret
 DATABASE_URL: #required
 DISTRIBUTION_SEED: #required
+ CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE: #required
+ ADMIN_ACCOUNT: #required
+ ADMIN_API_KEY: #required
 ## @extra sdp.ingress Configuration for the ingress controller for the SDP service.
 ingress: #required
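Review bot: The two added `## @param sdp.kubeSecrets.data.ADMIN_ACCOUNT` and `## @param sdp.kubeSecrets.data.ADMIN_API_KEY` lines in the `@@ -29,6 +48,9 @@` hunk end with a stray `.",` that looks copied out of a quoted string, and the README generator will carry it verbatim into the parameter table. Trim both so they end `... formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.` The same two lines are added to values.yaml in hunk `@@ -166,8 +196,17 @@`.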
@@ -78,22 +103,33 @@ anchorPlatform:
 tss:
+ ## @extra tss.configMap Configuration settings for the Transaction Submission Service (TSS) ConfigMap.
+ ## @param tss.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the HOST's Stellar distribution account, used to create channel accounts.
+ configMap:
+ data:
+ DISTRIBUTION_PUBLIC_KEY: #required
+
 ## @param tss.kubeSecrets.data.DATABASE_URL URL of the database used by the TSS.
 ## @param tss.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds.
+ ## @param tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel account secrets in the database.
 kubeSecrets:
 create: true
 data:
 DATABASE_URL: #required
 DISTRIBUTION_SEED: #required
+ CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE: #required
 dashboard:
 ## @param dashboard.enabled If true, the dashboard will be deployed.
 enabled: true
+ ## @extra dashboard.route Configuration related to the routing of the Dashboard.
 ## @param dashboard.route.domain Public domain/address of the Dashboard.
+ ## @param dashboard.route.mtnDomain Public domain/address of the multi-tenant Dashboard. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp-dashboard.localhost.com".
 route:
 domain: #required
+ mtnDomain: #required
 ## @param dashboard.configMap.data.RECAPTCHA_SITE_KEY The site key for Google reCAPTCHA service.
 configMap:
@@ -101,6 +137,4 @@ dashboard:
 RECAPTCHA_SITE_KEY: #required
 ## @extra dashboard.ingress Configuration for the ingress controller for the dashboard.
- ingress: #required
-
-
+ ingress: #required
\ No newline at end of file
diff --git a/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml b/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml
index 6371406..3e9498f 100644
--- a/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml
+++ b/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml
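Review bot: The `@@ -101,6 +137,4 @@` hunk rewrites the final `ingress: #required` line without a trailing newline, as the `\ No newline at end of file` marker shows, so the next one-line change to this file will show up as a noisy two-line diff. Keep the newline on that last line; the two removed blank lines can still go. The same marker appears on 01.3-configmap-tss.yaml and 02.3-deployment-tss.yaml in this patch.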
@@ -24,7 +24,14 @@ data:
 BASE_URL: {{ include "sdp.schema" . }}://{{ include "sdp.domain" . }}
 PORT: {{ include "sdp.port" . | quote }}
 METRICS_PORT: {{ include "sdp.metricsPort" . | quote }}
+ ADMIN_PORT: {{ include "sdp.adminPort" . | quote }}
 ANCHOR_PLATFORM_BASE_SEP_URL: {{ include "sdp.ap.schema" . }}://{{ include "sdp.ap.domain" . }}
 ANCHOR_PLATFORM_BASE_PLATFORM_URL: {{ include "sdp.ap.platformServiceAddress" . }}
+ EVENT_BROKER_TYPE: {{ .Values.global.eventBroker.type | quote }}
+ BROKER_URLS: {{ .Values.global.eventBroker.urls | quote }}
+ CONSUMER_GROUP_ID: {{ .Values.global.eventBroker.consumerGroupId | quote }}
+ {{- if eq .Values.global.eventBroker.type "KAFKA" }}
+ KAFKA_SECURITY_PROTOCOL: {{ .Values.global.eventBroker.kafka.securityProtocol | quote }}
+ {{- end }}
 {{- tpl (toYaml .Values.sdp.configMap.data | nindent 2) . }}
 {{- end }}
diff --git a/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml b/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml
index ee19d8f..0284b12 100644
--- a/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml
+++ b/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml
@@ -32,7 +32,9 @@ data:
 SEP1_TOML_TYPE: url
 SEP1_TOML_VALUE: 'http://{{ include "sdp.fullname" . }}.{{ .Release.Namespace }}:{{ include "sdp.port" . }}/.well-known/stellar.toml'
 SEP10_ENABLED: "true"
- SEP10_HOME_DOMAIN: {{ include "sdp.ap.domain" . }}
+ SEP10_WEB_AUTH_DOMAIN: {{ include "sdp.ap.domain" . | quote }}
+ SEP10_HOME_DOMAIN: ""
+ SEP10_HOME_DOMAINS: {{ include "sdp.mtnDomain" . | quote }}
 SEP24_ENABLED: "true"
 SEP24_INTERACTIVE_URL_JWT_EXPIRATION: "1800" # 1800 seconds is 30 minutes
 ASSETS_TYPE: json
diff --git a/charts/stellar-disbursement-platform/templates/01.3-configmap-tss.yaml b/charts/stellar-disbursement-platform/templates/01.3-configmap-tss.yaml
index a39480f..4de607e 100644
--- a/charts/stellar-disbursement-platform/templates/01.3-configmap-tss.yaml
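Review bot: `BROKER_URLS` and `CONSUMER_GROUP_ID` are rendered with `quote` from values that values.yaml deliberately leaves empty (`urls: #required`, `consumerGroupId: #required`), and sprig's `quote` skips a nil argument, so a forgotten broker URL renders as an empty ConfigMap value instead of failing the install. Use Helm's `required` so the omission is caught at render time, e.g. `BROKER_URLS: {{ required "global.eventBroker.urls must be set" .Values.global.eventBroker.urls | quote }}`, and consider moving both keys inside the existing `{{- if eq .Values.global.eventBroker.type "KAFKA" }}` block so an `eventBroker.type` of `NONE` does not have to supply them. The same three lines are repeated in 01.3-configmap-tss.yaml (hunk `@@ -21,4 +22,11 @@`).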
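Review bot: `SEP10_HOME_DOMAINS` is fed from the new `sdp.mtnDomain` helper, which falls back to `"localhost"` when `sdp.route.mtnDomain` is unset (see the `_helpers.tpl` hunk `@@ -74,6 +74,13 @@`), so a release that forgets the wildcard domain silently issues SEP-10 challenges bound to `localhost` rather than failing to render. Because the home domain is what the wallet's challenge transaction is tied to, this is worth failing fast on: `SEP10_HOME_DOMAINS: {{ required "sdp.route.mtnDomain must be set" .Values.sdp.route.mtnDomain | quote }}`. I have not verified that the anchor-platform 2.6.2 image accepts a wildcard entry such as `*.sdp.localhost.com` in this list; if it expects concrete domains, that constraint should be documented next to the `mtnDomain` parameter.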
+++ b/charts/stellar-disbursement-platform/templates/01.3-configmap-tss.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.tss.enabled -}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -5,7 +6,7 @@ metadata:
 name: {{ include "sdp.fullname" . }}-tss
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "sdp.labels" . | nindent 4 }}
+ {{- include "sdp.labelsWithSuffix" (list . "-tss") | nindent 4 }}
 {{- if .Values.tss.configMap.annotations }}
 annotations:
@@ -21,4 +22,11 @@ data:
 HORIZON_URL: "https://horizon-testnet.stellar.org"
 {{- end }}
 TSS_METRICS_PORT: {{ include "tss.metricsPort" . | quote }}
+ EVENT_BROKER_TYPE: {{ .Values.global.eventBroker.type | quote }}
+ BROKER_URLS: {{ .Values.global.eventBroker.urls | quote }}
+ CONSUMER_GROUP_ID: {{ .Values.global.eventBroker.consumerGroupId | quote }}
+ {{- if eq .Values.global.eventBroker.type "KAFKA" }}
+ KAFKA_SECURITY_PROTOCOL: {{ .Values.global.eventBroker.kafka.securityProtocol | quote }}
+ {{- end }}
 {{- tpl (toYaml .Values.tss.configMap.data | nindent 2) . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/stellar-disbursement-platform/templates/02.1-deployment-sdp.yaml b/charts/stellar-disbursement-platform/templates/02.1-deployment-sdp.yaml
index 4920c41..d0a7828 100644
--- a/charts/stellar-disbursement-platform/templates/02.1-deployment-sdp.yaml
+++ b/charts/stellar-disbursement-platform/templates/02.1-deployment-sdp.yaml
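Review bot: `sdp.labelsWithSuffix` (hunk `@@ -5,7 +6,7 @@`) and `sdp.selectorLabelsWithSuffix` (02.3-deployment-tss.yaml) are not defined in the `_helpers.tpl` hunks of this patch, whose three additions (`sdp.mtnDomain`, `sdp.adminPort`, `dashboard.mtnDomain`) account for all 21 lines the diffstat attributes to that file. If these helpers do not already exist in the chart, every TSS template fails to render; if they do, a pointer in the commit message to where they are defined would save the next reader the search.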
@@ -59,11 +59,12 @@ spec:
 - sh
 - -c
 - |
- ./stellar-disbursement-platform db migrate up &&
- ./stellar-disbursement-platform db auth migrate up &&
- ./stellar-disbursement-platform db setup-for-network &&
- ./stellar-disbursement-platform channel-accounts verify --delete-invalid-accounts
- ./stellar-disbursement-platform channel-accounts ensure --num-channel-accounts-ensure {{ .Values.tss.configMap.data.NUM_CHANNEL_ACCOUNTS | default 1 }}
+ ./stellar-disbursement-platform db admin migrate up
+ ./stellar-disbursement-platform db tss migrate up
+ ./stellar-disbursement-platform db auth migrate up --all
+ ./stellar-disbursement-platform db sdp migrate up --all
+ ./stellar-disbursement-platform db setup-for-network --all
+ ./stellar-disbursement-platform channel-accounts ensure {{ .Values.tss.configMap.data.NUM_CHANNEL_ACCOUNTS | default 1 }}
 containers:
 # ============================= Stellar Disbursement Platform: =============================
@@ -86,6 +87,9 @@ spec:
 - name: metrics
 containerPort: {{ include "sdp.metricsPort" . }}
 protocol: TCP
+ - name: admin containerPort: {{ include "sdp.adminPort" . }}
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /health
diff --git a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml b/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml
index 3a61c9e..1d0ae15 100644
--- a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml
+++ b/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml
@@ -42,7 +42,7 @@ spec:
 - name: {{ .Chart.Name }}-ap
 securityContext:
 {{- tpl (toYaml .Values.anchorPlatform.deployment.securityContext) . | nindent 12 }}
- image: "stellar/anchor-platform:2.1.3"
+ image: "stellar/anchor-platform:2.6.2"
 imagePullPolicy: "IfNotPresent"
 {{- if .Values.global.ephemeralDatabase }}
 env:
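Review bot: The init-container script in the first hunk drops the `&&` chaining the old version had, and a `sh -c` block keeps running after a failing line, so a failed `db admin migrate up` or `db sdp migrate up --all` is masked whenever the final `channel-accounts ensure` succeeds, and the main container then starts against a partially migrated schema. Add `set -e` as the first line of the block (or restore the `&&` chain) so the init container exits on the first error. The `- sh` / `- -c` / `- |` lines introducing the script are visible as context; the rest of the initContainer spec lies outside the hunk.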
diff --git a/charts/stellar-disbursement-platform/templates/02.3-deployment-tss.yaml b/charts/stellar-disbursement-platform/templates/02.3-deployment-tss.yaml
index 99a4646..9c73fb9 100644
--- a/charts/stellar-disbursement-platform/templates/02.3-deployment-tss.yaml
+++ b/charts/stellar-disbursement-platform/templates/02.3-deployment-tss.yaml
@@ -1,10 +1,12 @@
+{{- if .Values.tss.enabled -}}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "sdp.fullname" . }}-tss
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "sdp.labels" . | nindent 4 }}
+ {{- include "sdp.labelsWithSuffix" (list . "-tss") | nindent 4 }}
 {{- if .Values.tss.deployment.annotations }}
 annotations:
 {{- tpl (toYaml .Values.tss.deployment.annotations) . | nindent 4 }}
@@ -15,7 +17,7 @@ spec:
 {{- end }}
 selector:
 matchLabels:
- {{- include "sdp.selectorLabels" . | nindent 6 }}
+ {{- include "sdp.selectorLabelsWithSuffix" (list . "-tss") | nindent 6 }}
 {{- if .Values.tss.deployment.strategy }}
 strategy:
@@ -29,7 +31,7 @@ spec:
 {{- tpl (toYaml .Values.tss.deployment.podAnnotations) . | nindent 8 }}
 {{- end }}
 labels:
- {{- include "sdp.selectorLabels" . | nindent 8 }}
+ {{- include "sdp.selectorLabelsWithSuffix" (list . "-tss") | nindent 8 }}
 spec:
 {{- if .Values.global.serviceAccount.name }}
 serviceAccountName: {{ tpl .Values.global.serviceAccount.name $ }}
@@ -84,3 +86,4 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/stellar-disbursement-platform/templates/03.1-service-sdp.yaml b/charts/stellar-disbursement-platform/templates/03.1-service-sdp.yaml
index d9416ee..9073dea 100644
--- a/charts/stellar-disbursement-platform/templates/03.1-service-sdp.yaml
+++ b/charts/stellar-disbursement-platform/templates/03.1-service-sdp.yaml
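Review bot: Switching the TSS Deployment's `spec.selector.matchLabels` from `sdp.selectorLabels` to `sdp.selectorLabelsWithSuffix` (hunk `@@ -15,7 +17,7 @@`) changes an immutable field on an apps/v1 Deployment, so a `helm upgr ade` from a 0.9.x release will be rejected by the API server for the existing `-tss` Deployment until that object is deleted and recreated. That is acceptable for a major version, but it belongs in the README's upgrade notes for `2.0.0-rc.1`, since the error surfaces only at upgrade time and after the init container has already run migrations.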
@@ -12,6 +12,10 @@ spec:
 targetPort: http
 protocol: TCP
 name: http
+ - port: {{ include "sdp.adminPort" . }}
+ targetPort: admin
+ protocol: TCP
+ name: admin
 selector:
 {{- include "sdp.selectorLabels" . | nindent 4 }}
diff --git a/charts/stellar-disbursement-platform/templates/04.1-ingress-sdp.yaml b/charts/stellar-disbursement-platform/templates/04.1-ingress-sdp.yaml
index 03fd807..b326c11 100644
--- a/charts/stellar-disbursement-platform/templates/04.1-ingress-sdp.yaml
+++ b/charts/stellar-disbursement-platform/templates/04.1-ingress-sdp.yaml
@@ -32,4 +32,17 @@ spec:
 name: {{ include "sdp.fullname" . }}
 port:
 number: {{ include "sdp.port" . }}
+{{- if .Values.sdp.route.mtnDomain }}
+ - host: {{ include "sdp.mtnDomain" . | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "sdp.fullname" . }}
+ port:
+ number: {{ include "sdp.port" . }}
+{{- end }}
+
 {{- end }}
diff --git a/charts/stellar-disbursement-platform/templates/04.3-ingress-dashboard.yaml b/charts/stellar-disbursement-platform/templates/04.3-ingress-dashboard.yaml
index 2a9610a..405e988 100644
--- a/charts/stellar-disbursement-platform/templates/04.3-ingress-dashboard.yaml
+++ b/charts/stellar-disbursement-platform/templates/04.3-ingress-dashboard.yaml
@@ -27,5 +27,17 @@ spec:
 name: {{ include "sdp.fullname" . }}-dashboard
 port:
 number: {{ include "dashboard.port" . }}
+ {{- if .Values.sdp.route.mtnDomain }}
+ - host: {{ include "dashboard.mtnDomain" . | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "sdp.fullname" . }}-dashboard
+ port:
+ number: {{ include "dashboard.port" . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/stellar-disbursement-platform/templates/05.3-secrets-tss.yaml b/charts/stellar-disbursement-platform/templates/05.3-secrets-tss.yaml
index 2f6b846..4a8d143 100644
--- a/charts/stellar-disbursement-platform/templates/05.3-secrets-tss.yaml
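Review bot: The new `admin` Service port makes the tenant-management API reachable from any workload in the cluster that can resolve the Service, while the ingress templates in this patch route only the public `sdp.port`; in-cluster access is therefore the sole path and is protected only by the `ADMIN_ACCOUNT`/`ADMIN_API_KEY` basic-auth pair described in values.yaml. That is probably intended, but it should be stated: a comment such as `# admin: tenant-management API, deliberately not exposed through the ingress; restrict with a NetworkPolicy when other namespaces share the cluster` above the port entry, plus a line in the README, would document the boundary. The Service spec starts outside the hunk.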
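Review bot: The added wildcard host rule (`{{ include "sdp.mtnDomain" . }}`) has no matching entry in the ingress TLS block: values.yaml's `sdp.ingress.tls[0].hosts` (context in hunk `@@ -202,6 +250,8 @@`) still lists only `sdp.domain`, so once `sdp.route.mtnDomain` is set the per-tenant hosts are served under the ingress controller's default certificate unless the operator also adds the wildcard host and a wildcard certificate. Either extend the default `tls[0].hosts` in values.yaml with `- '{{ include "sdp.mtnDomain" . }}'` or document, next to the `mtnDomain` parameter, that the TLS secret must cover the wildcard host. The ingress `rules` list begins outside the hunk.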
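Review bot: The guard for the dashboard's wildcard host reads `{{- if .Values.sdp.route.mtnDomain }}` while the host itself comes from `dashboard.mtnDomain`, i.e. from `dashboard.route.mtnDomain`; with the SDP wildcard set and the dashboard one unset, the helper's fallback emits an ingress rule for host `localhost`. Gate on the value actually being rendered: `{{- if .Values.dashboard.route.mtnDomain }}`. As with the SDP ingress, the README table in this patch shows `dashboard.ingress.tls[0].hosts` covering only `dashboard.domain`, so the wildcard host will need its own TLS entry as well.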
+++ b/charts/stellar-disbursement-platform/templates/05.3-secrets-tss.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.tss.kubeSecrets.create -}}
+{{- if and .Values.tss.enabled .Values.tss.kubeSecrets.create -}}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/charts/stellar-disbursement-platform/templates/_helpers.tpl b/charts/stellar-disbursement-platform/templates/_helpers.tpl
index d60e522..bd2a44e 100644
--- a/charts/stellar-disbursement-platform/templates/_helpers.tpl
+++ b/charts/stellar-disbursement-platform/templates/_helpers.tpl
@@ -74,6 +74,13 @@ SDP domain
 {{- .Values.sdp.route.domain | default "localhost" }}
 {{- end }}
+{{/*
+SDP MTN domain
+*/}}
+{{- define "sdp.mtnDomain" -}}
+{{- .Values.sdp.route.mtnDomain | default "localhost" }}
+{{- end }}
+
 {{/*
 SDP domain schema
 */}}
@@ -95,6 +102,13 @@ SDP Metrics port
 {{- .Values.sdp.route.metricsPort | default "8002" }}
 {{- end }}
+{{/*
+SDP Admin port
+*/}}
+{{- define "sdp.adminPort" -}}
+{{- .Values.sdp.route.adminPort | default "8003" }}
+{{- end }}
+
 {{/*
 Define the full address to the SDP service.
 */}}
@@ -175,6 +189,13 @@ Dashboard domain
 {{- .Values.dashboard.route.domain | default "localhost" }}
 {{- end }}
+{{/*
+Dashboard MTN domain
+*/}}
+{{- define "dashboard.mtnDomain" -}}
+{{- .Values.dashboard.route.mtnDomain | default "localhost" }}
+{{- end }}
+
 {{/*
 Dashboard domain schema
 */}}
diff --git a/charts/stellar-disbursement-platform/values.yaml b/charts/stellar-disbursement-platform/values.yaml
index 8cf9efd..59721a1 100644
--- a/charts/stellar-disbursement-platform/values.yaml
+++ b/charts/stellar-disbursement-platform/values.yaml
@@ -63,6 +63,20 @@ global:
 ## - postgres://postgres:postgres@{{ include "sdp.fullname" . }}-psql:5433/postgres-ap?sslmode=disable
 ephemeralDatabase: true
+ ## @extra global.eventBroker Configuration related to the event broker used by the application.
+ ## @param global.eventBroker.type The type of event broker to be used. Options: "NONE", "KAFKA". Default: "KAFKA".
+ ## @param global.eventBroker.urls A comma-separated list of broker URLs for the event broker.
+ ## @param global.eventBroker.consumerGroupId The consumer group ID for the event broker.
+ eventBroker:
+ type: "KAFKA"
+ urls: #required
+ consumerGroupId: #required
+
+ ## @extra global.eventBroker.kafka Configuration related to the Kafka event broker.
+ ## @param global.eventBroker.kafka.securityProtocol The security protocol to be used for the Kafka broker. Options: "PLAINTEXT", "SASL_SSL", "SASL_PLAINTEXT", "SSL".
+ kafka:
+ securityProtocol: #required
+
 # =========================== START sdp ===========================
 ## @section Stellar Disbursement Platform (SDP) parameters
 ## @descriptionStart
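Review bot: The `@param global.eventBroker.kafka.securityProtocol` comment lists `PLAINTEXT` and `SASL_PLAINTEXT` next to the TLS options without saying how they differ: both carry event traffic in the clear, and `SASL_PLAINTEXT` performs the SASL exchange for `KAFKA_SASL_USERNAME`/`KAFKA_SASL_PASSWORD` over that same unencrypted connection. One sentence on the line would help operators choose, e.g. `Use "SSL" or "SASL_SSL" outside local development; the *_PLAINTEXT options send traffic and the SASL exchange unencrypted.` The same comment is duplicated in minimal-values.yaml.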
@@ -75,13 +89,17 @@ sdp:
 ## @extra sdp.route Configuration related to the routing of the SDP service.
 ## @param sdp.route.schema Protocol scheme used for the service. Can be "http" or "https".
 ## @param sdp.route.domain Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain.
+ ## @param sdp.route.mtnDomain Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com".
 ## @param sdp.route.port Primary port on which the SDP service listens.
 ## @param sdp.route.metricsPort Port dedicated to metrics collection for the SDP service.
+ ## @param sdp.route.adminPort Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants.
 route:
 schema: "https"
- domain: sdp.localhost.com
+ domain: #required
+ mtnDomain: #required
 port: "8000"
 metricsPort: "8002"
+ adminPort: "8003"
 ## @extra sdp.image Configuration related to the Docker image used by the SDP service.
 ## @param sdp.image.repository Docker image repository for the SDP backend service.
@@ -120,7 +138,7 @@ sdp:
 ## @param sdp.configMap.data.ENVIRONMENT Specifies the environment SDP is running in (e.g. "localhost").
 ## @param sdp.configMap.data.LOG_LEVEL Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
 ## @param sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY Anchor platform SEP10 signing public key.
- ## @param sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the Stellar distribution account that sends the Stellar payments.
+ ## @param sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the HOST's Stellar distribution account, used to create channel accounts.
 ## @param sdp.configMap.data.METRICS_TYPE Defines the type of metrics system in use. Options: "PROMETHEUS".
 ## @param sdp.configMap.data.EMAIL_SENDER_TYPE The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL".
 ## @param sdp.configMap.data.SMS_SENDER_TYPE The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS".
@@ -129,13 +147,19 @@ sdp:
 ## @param sdp.configMap.data.DISABLE_RECAPTCHA Determines if ReCaptcha should be disabled for login ("true" or "false").
 ## @param sdp.configMap.data.DISABLE_MFA Determines if email-based MFA should be disabled during login ("true" or "false").
 ## @param sdp.configMap.data.SDP_UI_BASE_URL The base URL of the SDP UI/dashboard.
+ ## @param sdp.configMap.data.INSTANCE_NAME The name of the SDP instance. Example: "SDP Testnet".
+ ## @param sdp.configMap.data.ENABLE_SCHEDULER Whether the scheduled jobs are enabled in this instance ("true" or "false"). Default "false".
+ ## @param sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS The interval in seconds for the payment job that syncs payments between the SDP and the TSS.
+ ## @param sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job.
+ ## @param sdp.configMap.data.MAX_INVITATION_SMS_RESEND_ATTEMPTS The maximum number of times an invitation SMS can be resent. 0 or negative values disable the job.
+ ## @param sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT The amount of XLM to be sent to a newly created tenant distribution account.
 configMap:
 annotations:
 data:
 BASE_URL: "http://localhost:8000"
 CRASH_TRACKER_TYPE: "DRY_RUN"
 EC256_PUBLIC_KEY: #required
- ENVIRONMENT: "localhost"
+ ENVIRONMENT: "dev"
 LOG_LEVEL: "INFO"
 SEP10_SIGNING_PUBLIC_KEY: #required
 DISTRIBUTION_PUBLIC_KEY: #required
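Review bot: The new `@param sdp.configMap.data.MAX_INVITATION_SMS_RESEND_ATTEMPTS` line ends with `0 or negative values disable the job.`, copied from the `SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` line above it; this value is a retry count rather than a job interval, so the sentence misdescribes it. Suggest `0 or negative values disable resending.` (or drop the clause if that is not the actual behaviour). Separately, `ENVIRONMENT` now defaults to `"dev"` while its unchanged `@param` in hunk `@@ -120,7 +138,7 @@` still offers `"localhost"` as the example value.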
@@ -144,9 +168,15 @@ sdp:
 SMS_SENDER_TYPE: DRY_RUN
 RECAPTCHA_SITE_KEY: #required
 CORS_ALLOWED_ORIGINS: "*"
+ SDP_UI_BASE_URL: #required
 DISABLE_RECAPTCHA: "false"
 DISABLE_MFA: "false"
- SDP_UI_BASE_URL: #required
+ INSTANCE_NAME: #required
+ ENABLE_SCHEDULER: "false"
+ SCHEDULER_PAYMENT_JOB_SECONDS: "3600"
+ SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS: "3600"
+ MAX_INVITATION_SMS_RESEND_ATTEMPTS: "3"
+ TENANT_XLM_BOOTSTRAP_AMOUNT: "5"
 ## @extra sdp.kubeSecrets Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private.
 ## @param sdp.kubeSecrets.secretName The name of the Kubernetes secret object. Only use this if create is false.
@@ -166,8 +196,17 @@ sdp:
 ## @param sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY Secret key for Google reCAPTCHA service to verify user's non-robotic behavior.
 ## @param sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET The JWT secret used to create a JWT token used to send requests to the anchor platform.
 ## @param sdp.kubeSecrets.data.DATABASE_URL URL of the database used by the SDP.
- ## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds. This is needed for the init container
+ ## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds. This is needed for the init container.
+ ## @param sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel accounts secrets in the database.
+ ## @param sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of the signature client used for distribution accounts.
+ ## @param sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB.
 ## @param sdp.kubeSecrets.data.SENTRY_DSN The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY".
+ ## @param sdp.kubeSecrets.data.KAFKA_SASL_USERNAME The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT".
+ ## @param sdp.kubeSecrets.data.KAFKA_SASL_PASSWORD The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT".
+ ## @param sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL".
+ ## @param sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL".
+ ## @param sdp.kubeSecrets.data.ADMIN_ACCOUNT The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.",
+ ## @param sdp.kubeSecrets.data.ADMIN_API_KEY The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.",
 kubeSecrets:
 secretName: "sdp-backend-secret-name"
 create: false
@@ -189,6 +228,15 @@ sdp:
 ANCHOR_PLATFORM_OUTGOING_JWT_SECRET: #required for mySdpToAnchorPlatformSecret
 DATABASE_URL: #required
 DISTRIBUTION_SEED: #required
+ DISTRIBUTION_SIGNER_TYPE: #optional
+ DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE: #required when DISTRIBUTION_SIGNER_TYPE=DISTRIBUTION_ACCOUNT_DB
+ CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE: #required
+ KAFKA_SASL_USERNAME: #optional, depends on value of KAFKA_SECURITY_PROTOCOL
+ KAFKA_SASL_PASSWORD: #optional, depends on value of KAFKA_SECURITY_PROTOCOL
+ KAFKA_SSL_ACCESS_KEY: #optional, depends on value of KAFKA_SECURITY_PROTOCOL
+ KAFKA_SSL_ACCESS_CERTIFICATE: #optional, depends on value of KAFKA_SECURITY_PROTOCOL
+ ADMIN_ACCOUNT: #required
+ ADMIN_API_KEY: #required
 ## @extra sdp.ingress Configuration for the ingress controller for the SDP service.
@@ -202,6 +250,8 @@ sdp:
 className: "nginx"
 annotations:
 nginx.ingress.kubernetes.io/custom-response-headers: "X-XSS-Protection: 1; mode=block || X-Frame-Options: DENY || X-Content-Type-Options: nosniff || Strict-Transport-Security: max-age=31536000; includeSubDomains"
+ nginx.ingress.kubernetes.io/limit-rpm: "120"
+ nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
 tls:
 - hosts:
 - '{{ include "sdp.domain" . }}'
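Review bot: `nginx.ingress.kubernetes.io/limit-rpm` in the `@@ -202,6 +250,8 @@` hunk is enforced per client IP by ingress-nginx, so it only behaves as a per-user limit when the controller sees the real source address; behind a cloud load balancer without `externalTrafficPolicy: Local` or proxy-protocol/forwarded-header handling, every request lands in one bucket and the 120 rpm cap throttles all users together. A one-line note above the annotation would spare the next operator a puzzling outage, e.g. `# per-client-IP limit; the controller must see real client IPs (use-forwarded-headers / use-proxy-protocol)`, and the figure should be checked against the login and SEP-24 flows so legitimate bursts are not rejected. The same two annotations are added to the anchorPlatform ingress in hunk `@@ -345,6 +395,8 @@`.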
@@ -345,6 +395,8 @@ anchorPlatform:
 className: "nginx"
 annotations:
 nginx.ingress.kubernetes.io/custom-response-headers: "X-XSS-Protection: 1; mode=block || X-Frame-Options: DENY || X-Content-Type-Options: nosniff || Strict-Transport-Security: max-age=31536000; includeSubDomains"
+ nginx.ingress.kubernetes.io/limit-rpm: "120"
+ nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
 tls:
 - hosts:
 - '{{ include "sdp.ap.domain" . }}'
@@ -359,6 +411,10 @@ anchorPlatform:
 ## This service is designed to maximize payment throughput, handle queuing, and graceful resubmission/error handling
 ## @descriptionEnd
 tss:
+
+ ## @param tss.enabled If true, the tss will be deployed.
+ enabled: true
+
 ## @extra tss.route Configuration related to the routing of the TSS.
 ## @param tss.route.schema Protocol scheme used for the service. Can be "http" or "https".
 ## @param tss.route.port Primary port on which the TSS listens.
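Review bot: `tss.enabled` (hunk `@@ -359,6 +411,10 @@`) gates the TSS ConfigMap, Deployment and Secret templates, but the SDP init container in 02.1-deployment-sdp.yaml still runs `channel-accounts ensure` with `tss.configMap.data.NUM_CHANNEL_ACCOUNTS`, so what a `tss.enabled: false` install is expected to do is not obvious from the values file. A sentence on the `@param tss.enabled` line, e.g. `If false, the TSS templates are skipped; the SDP init container still provisions channel accounts`, would set expectations, and the README table should list the new key. The hunk also opens the `tss:` section with a blank line where the other sections start directly with their comment block.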
@@ -394,6 +450,7 @@ tss: ## @param tss.configMap.annotations Annotations to be added to the ConfigMap. ## @extra tss.configMap.data Used to inject non-sensitive environment variables into the TSS deployment; for the latest variables, consult the application's CLI `-h` command. ## @param tss.configMap.data.CRASH_TRACKER_TYPE Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". + ## @param tss.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the HOST's Stellar distribution account, used to create channel accounts. ## @param tss.configMap.data.NUM_CHANNEL_ACCOUNTS The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. ## @param tss.configMap.data.MAX_BASE_FEE Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. ## @param tss.configMap.data.TSS_METRICS_TYPE Defines the type of metrics system that the TSS should use. Options: "TSS_PROMETHEUS". @@ -404,6 +461,7 @@ tss: annotations: data: CRASH_TRACKER_TYPE: "DRY_RUN" + DISTRIBUTION_PUBLIC_KEY: #required NUM_CHANNEL_ACCOUNTS: "1" MAX_BASE_FEE: "100000" TSS_METRICS_TYPE: "TSS_PROMETHEUS" 
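Review bot: The new `@param tss.configMap.data.DISTRIBUTION_PUBLIC_KEY` comment does not say how it relates to `tss.kubeSecrets.data.DISTRIBUTION_SEED`, although both are described in this patch as the HOST's distribution account, and a mismatch between the two would only surface at runtime when channel accounts are created. Suggest extending the comment: `The public key of the HOST's Stellar distribution account, used to create channel accounts. Must be the public key of the account whose seed is set in tss.kubeSecrets.data.DISTRIBUTION_SEED.` The README in patch 3 lists the same key as required in `sdp.configMap.data`, so the two ConfigMaps must also carry the same value; saying so here avoids the operator discovering it from a failed transaction.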
@@ -417,7 +475,14 @@ tss: ## @param tss.kubeSecrets.annotations Annotations to be added to the secret. ## @param tss.kubeSecrets.data.DATABASE_URL URL of the database used by the TSS. ## @param tss.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds. + ## @param tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel accounts secrets in the database. + ## @param tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of the signature client used for distribution accounts. + ## @param tss.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. ## @param tss.kubeSecrets.data.SENTRY_DSN The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". + ## @param tss.kubeSecrets.data.KAFKA_SASL_USERNAME The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". + ## @param tss.kubeSecrets.data.KAFKA_SASL_PASSWORD The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". + ## @param tss.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". + ## @param tss.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". kubeSecrets: secretName: "tss-secret-name" create: false 
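Review bot: `@param tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` does not list the accepted values, even though the neighbouring `DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` comment already refers to one of them and patch 3 of this series documents both for the SDP side. Suggest `## @param tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of signer used for distribution accounts. Options: "DISTRIBUTION_ACCOUNT_ENV", "DISTRIBUTION_ACCOUNT_DB".`, matching the `Options:` style used by `CRASH_TRACKER_TYPE`. The two passphrase comments call the value a "private key"; it is an encryption passphrase, and saying `The passphrase used to encrypt ...` keeps it distinct from the Stellar private keys (`DISTRIBUTION_SEED`) configured in the same block.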
@@ -425,7 +490,15 @@ tss: data: DATABASE_URL: #required DISTRIBUTION_SEED: #required + CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE: #required + DISTRIBUTION_SIGNER_TYPE: #optional + DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE: #required when DISTRIBUTION_SIGNER_TYPE=DISTRIBUTION_ACCOUNT_DB SENTRY_DSN: #optional + KAFKA_SASL_USERNAME: #optional, depends on value of KAFKA_SECURITY_PROTOCOL + KAFKA_SASL_PASSWORD: #optional, depends on value of KAFKA_SECURITY_PROTOCOL + KAFKA_SSL_ACCESS_KEY: #optional, depends on value of KAFKA_SECURITY_PROTOCOL + KAFKA_SSL_ACCESS_CERTIFICATE: #optional, depends on value of KAFKA_SECURITY_PROTOCOL + @@ -442,10 +515,12 @@ dashboard: ## @extra dashboard.route Configuration related to the routing of the Dashboard. ## @param dashboard.route.schema Protocol scheme used for the service. Can be "http" or "https". ## @param dashboard.route.domain Public domain/address of the Dashboard. + ## @param dashboard.route.mtnDomain Public domain/address of the multi-tenant Dashboard. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp-dashboard.localhost.com". ## @param dashboard.route.port Primary port on which the Dashboard listens. route: schema: "https" - domain: "sdp-dashboard.localhost.com" + domain: #required + mtnDomain: #required port: "80" ## @extra dashboard.image Configuration related to the Docker image used by the Dashboard. @@ -497,4 +572,3 @@ dashboard: secretName: dashboard-tls-cert-name # You need to create this secret manually. For more instructions, please refer to helmchart/docs/README.md - From a1f517df7347ea36969c8a94180419c615201df5 Mon Sep 17 00:00:00 2001 From: Marwen Abid Date: Tue, 23 Apr 2024 16:38:51 -0700 Subject: [PATCH 2/3] PR comments - extract AnchorPlatform image property --- charts/stellar-disbursement-platform/README.md | 4 ++++ .../templates/02.2-deployment-ap.yaml | 4 ++-- charts/stellar-disbursement-platform/values.yaml | 8 ++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) 
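Review bot: `CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE`, `DISTRIBUTION_SIGNER_TYPE`, `DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` and `DISTRIBUTION_SEED` now appear in both `tss.kubeSecrets.data` and `sdp.kubeSecrets.data` (`@@ -189,6 +228,15 @@`) with no hint that they must hold identical values; the `@param` text describes both passphrases as encrypting the same account secrets in the database, so presumably a difference between the two Secrets leaves one service unable to decrypt what the other wrote. Suggest `CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE: #required, must equal sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` and the same cross-reference on the distribution passphrase and signer type. The empty `+` line closing the hunk appears to add only a further blank line before the next section.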
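Review bot: In `@@ -442,10 +515,12 @@`, `dashboard.route.domain` and `dashboard.route.mtnDomain` become `#required` but carry a null value, and values.yaml cannot enforce the comment; if the dashboard ingress template (not in this view) interpolates them into `host:` unchecked, a missed value renders as an empty host, and an Ingress rule without a host matches every hostname the controller serves. Suggest guarding the lookups in the template with Helm's `required`, e.g. `{{ required "dashboard.route.domain must be set" .Values.dashboard.route.domain }}`, so the render fails instead. `mtnDomain` is documented as a wild-card domain (`*.sdp-dashboard.localhost.com`), so the manually created dashboard TLS secret has to cover the wildcard as well; one sentence saying so in the `@param` saves an operator a failed handshake on the first tenant hostname.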
diff --git a/charts/stellar-disbursement-platform/README.md b/charts/stellar-disbursement-platform/README.md index 6fcc7e6..39f504e 100644 --- a/charts/stellar-disbursement-platform/README.md +++ b/charts/stellar-disbursement-platform/README.md @@ -186,6 +186,10 @@ the recipient’s registration process through the SEP-24 deposit flow. | `anchorPlatform.route.domain` | Public domain/address of the Anchor Platform service. If using localhost, consider including the port as part of the domain. | `ap.localhost.com` | | `anchorPlatform.route.sepPort` | The port of the sep server of the anchor platform. This is the public API that is meant to be reached by a client application, such as the stellar.toml file." | `8080` | | `anchorPlatform.route.platformPort` | The port of the platform server of the anchor platform. This is the private API that is meant to be reached only by the SDP server, such as the PATCH /sep24/transactions endpoint.", | `8085` | +| `anchorPlatform.image` | Configuration related to the Docker image used by the Anchor Platform service. | | +| `anchorPlatform.image.repository` | Docker image repository for the Anchor Platform service. | `stellar/anchor-platform` | +| `anchorPlatform.image.pullPolicy` | Image pull policy for the Anchor Platform service. | `IfNotPresent` | +| `anchorPlatform.image.tag` | Docker image tag for the Anchor Platform service. | `2.6.2` | | `anchorPlatform.deployment` | Configuration related to the deployment of the Anchor Platform. | | | `anchorPlatform.deployment.annotations` | Annotations to be added to the deployment. | `{}` | | `anchorPlatform.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | diff --git a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml b/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml index 1d0ae15..4d70dfe 100644 --- a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml 
+++ b/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml @@ -42,8 +42,8 @@ spec: - name: {{ .Chart.Name }}-ap securityContext: {{- tpl (toYaml .Values.anchorPlatform.deployment.securityContext) . | nindent 12 }} - image: "stellar/anchor-platform:2.6.2" - imagePullPolicy: "IfNotPresent" + image: "{{ .Values.anchorPlatform.image.repository }}:{{ .Values.anchorPlatform.image.tag }}" + imagePullPolicy: {{ .Values.anchorPlatform.image.pullPolicy }} {{- if .Values.global.ephemeralDatabase }} env: - name: DATA_TYPE diff --git a/charts/stellar-disbursement-platform/values.yaml b/charts/stellar-disbursement-platform/values.yaml index 59721a1..7edda12 100644 --- a/charts/stellar-disbursement-platform/values.yaml +++ b/charts/stellar-disbursement-platform/values.yaml @@ -277,6 +277,14 @@ anchorPlatform: sepPort: "8080" platformPort: "8085" + ## @extra anchorPlatform.image Configuration related to the Docker image used by the Anchor Platform service. + ## @param anchorPlatform.image.repository Docker image repository for the Anchor Platform service. + ## @param anchorPlatform.image.pullPolicy Image pull policy for the Anchor Platform service. + ## @param anchorPlatform.image.tag Docker image tag for the Anchor Platform service. + image: + repository: stellar/anchor-platform + pullPolicy: IfNotPresent + tag: "2.6.2" ## @extra anchorPlatform.deployment Configuration related to the deployment of the Anchor Platform. ## @param anchorPlatform.deployment.annotations Annotations to be added to the deployment. From dd2400672c423487b9c41cd15c3d71bdbbcfd9ee Mon Sep 17 00:00:00 2001 From: Marwen Abid Date: Thu, 6 Jun 2024 22:16:48 +0100 Subject: [PATCH 3/3] Address PR comments --- .../stellar-disbursement-platform/Chart.yaml | 4 +- .../stellar-disbursement-platform/README.md | 244 +++++++++--------- .../stellar-disbursement-platform/values.yaml | 8 +- 3 files changed, 128 insertions(+), 128 deletions(-) 
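Review bot: In `@@ -42,8 +42,8 @@ spec:`, `imagePullPolicy: {{ .Values.anchorPlatform.image.pullPolicy }}` is emitted as a bare scalar while `image:` on the line above is quoted; `imagePullPolicy: {{ .Values.anchorPlatform.image.pullPolicy | quote }}` keeps the two consistent and protects against a value YAML would retype. An empty or unset `image.tag` renders `stellar/anchor-platform:` with a trailing colon, which is only rejected when the pod is created; `{{ required "anchorPlatform.image.tag is required" .Values.anchorPlatform.image.tag }}` fails at render time instead. The enclosing container spec starts and ends outside the hunk.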
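Review bot: In the values.yaml hunk `@@ -277,6 +277,14 @@ anchorPlatform:`, `tag: "2.6.2"` pins the Anchor Platform version, which is the right default, but a tag on a public registry is mutable so it fixes the version name rather than the image contents. If the chart wants to offer an immutable pin, an optional digest value rendered as `repository@sha256:<digest>` when set would let operators pin the image the way deployments with supply-chain requirements usually do; a one-line `## @param` comment noting that the tag is mutable would at least make the trade-off visible. The `pullPolicy: IfNotPresent` default differs from the `Always` documented for `sdp.image.pullPolicy` in the README; that is reasonable for a pinned tag, but a comment saying so would stop it looking accidental.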
diff --git a/charts/stellar-disbursement-platform/Chart.yaml b/charts/stellar-disbursement-platform/Chart.yaml index b5b4f33..9554057 100644 --- a/charts/stellar-disbursement-platform/Chart.yaml +++ b/charts/stellar-disbursement-platform/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: stellar-disbursement-platform description: A Helm chart for the Stellar Disbursement Platform Backend (A.K.A. `sdp`) -version: 2.0.0-rc.1 -appVersion: "2.0.0-rc1" +version: 2.0.0 +appVersion: "2.0.0" type: application maintainers: - name: Stellar Development Foundation diff --git a/charts/stellar-disbursement-platform/README.md b/charts/stellar-disbursement-platform/README.md index 39f504e..56715e9 100644 --- a/charts/stellar-disbursement-platform/README.md +++ b/charts/stellar-disbursement-platform/README.md 
@@ -93,86 +93,86 @@ Configuration parameters for the SDP Core Service which is the core backend serv - Messaging Service: a recurring process that sends text messages to users prompting them to download the wallet selected for a particular disbursement and verify their phone with an OTP - Wallet Registration UI: a web application that collects and verifies the recipient’s OTP code and verification information via Stellar’s SEP-24: Hosted Deposit and Withdrawal protocol -| Name | Description | Value | -| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | -| `sdp.route` | Configuration related to the routing of the SDP service. | | -| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `nil` | -| `sdp.route.mtnDomain` | Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com". | `nil` | -| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | -| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | -| `sdp.route.adminPort` | Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants. | `8003` | -| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | -| `sdp.image.repository` | Docker image repository for the SDP backend service. | `stellar/stellar-disbursement-platform-backend` | -| `sdp.image.pullPolicy` | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent". 
| `Always` | -| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. | `latest` | -| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | -| `sdp.deployment.annotations` | Annotations to be added to the deployment. | `nil` | -| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | -| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | -| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | -| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | -| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | -| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | -| `sdp.configMap.data.BASE_URL` | The base URL of the SDP backend. | `http://localhost:8000` | -| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | -| `sdp.configMap.data.EC256_PUBLIC_KEY` | The EC256 public key used for authentication purposes. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | -| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). | `dev` | -| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. 
Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | -| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | Anchor platform SEP10 signing public key. | `nil` | -| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` | -| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | -| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL". | `DRY_RUN` | -| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS". | `DRY_RUN` | -| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | `nil` | -| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | -| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). | `false` | -| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | -| `sdp.configMap.data.SDP_UI_BASE_URL` | The base URL of the SDP UI/dashboard. | `nil` | -| `sdp.configMap.data.INSTANCE_NAME` | The name of the SDP instance. Example: "SDP Testnet". | `nil` | -| `sdp.configMap.data.ENABLE_SCHEDULER` | Whether the scheduled jobs are enabled in this instance ("true" or "false"). Default "false". | `false` | -| `sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS` | The interval in seconds for the payment job that syncs payments between the SDP and the TSS. | `3600` | -| `sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` | The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job. 
| `3600` | -| `sdp.configMap.data.MAX_INVITATION_SMS_RESEND_ATTEMPTS` | The maximum number of times an invitation SMS can be resent. 0 or negative values disable the job. | `3` | -| `sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT` | The amount of XLM to be sent to a newly created tenant distribution account. | `5` | -| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | -| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | -| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | -| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | -| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | `MY_AWS_ACCESS_KEY_ID` | -| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | `MY_AWS_REGION` | -| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. | `MY_AWS_SECRET_ACCESS_KEY` | -| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | `MY_AWS_SES_SENDER_ID` | -| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | `MY_AWS_SNS_SENDER_ID` | -| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. | `MY_TWILIO_ACCOUNT_SID` | -| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | `MY_TWILIO_AUTH_TOKEN` | -| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. 
| `MY_TWILIO_SERVICE_SID` | -| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | -| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. | `nil` | -| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. | `nil` | -| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | `nil` | -| `sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` | The JWT secret used to create a JWT token used to send requests to the anchor platform. | `nil` | -| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. | `nil` | -| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. This is needed for the init container. | `nil` | -| `sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` | -| `sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of the signature client used for distribution accounts. | `nil` | -| `sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` | -| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` | -| `sdp.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". 
| `nil` | -| `sdp.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | -| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | -| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | -| `sdp.kubeSecrets.data.ADMIN_ACCOUNT` | The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | -| `sdp.kubeSecrets.data.ADMIN_API_KEY` | The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | -| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | -| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. | `true` | -| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | -| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | -| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. 
| `backend-tls-cert-name` | +| Name | Description | Value | +| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | +| `sdp.route` | Configuration related to the routing of the SDP service. | | +| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | +| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `nil` | +| `sdp.route.mtnDomain` | Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com". | `nil` | +| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | +| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | +| `sdp.route.adminPort` | Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants. | `8003` | +| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | +| `sdp.image.repository` | Docker image repository for the SDP backend service. | `stellar/stellar-disbursement-platform-backend` | +| `sdp.image.pullPolicy` | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | +| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. 
| `latest` | +| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | +| `sdp.deployment.annotations` | Annotations to be added to the deployment. | `nil` | +| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | +| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | +| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | +| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | +| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | +| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | +| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | +| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | +| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | +| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | +| `sdp.configMap.data.BASE_URL` | The base URL of the SDP backend. | `http://localhost:8000` | +| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | +| `sdp.configMap.data.EC256_PUBLIC_KEY` | The EC256 public key used for authentication purposes. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | +| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). | `dev` | +| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. 
Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | +| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | Anchor platform SEP10 signing public key. | `nil` | +| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` | +| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | +| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL". | `DRY_RUN` | +| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS". | `DRY_RUN` | +| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | `nil` | +| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | +| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). | `false` | +| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | +| `sdp.configMap.data.SDP_UI_BASE_URL` | The base URL of the SDP UI/dashboard. | `nil` | +| `sdp.configMap.data.INSTANCE_NAME` | The name of the SDP instance. Example: "SDP Testnet". | `nil` | +| `sdp.configMap.data.ENABLE_SCHEDULER` | Whether the scheduled jobs are enabled in this instance ("true" or "false"). Default "false". | `false` | +| `sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS` | The interval in seconds for the payment job that syncs payments between the SDP and the TSS. | `3600` | +| `sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` | The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job. 
| `3600` | +| `sdp.configMap.data.MAX_INVITATION_SMS_RESEND_ATTEMPTS` | The maximum number of times an invitation SMS can be resent. 0 or negative values disable the job. | `3` | +| `sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT` | The amount of XLM to be sent to a newly created tenant distribution account. | `5` | +| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | +| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | +| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | +| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | +| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | `MY_AWS_ACCESS_KEY_ID` | +| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | `MY_AWS_REGION` | +| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. | `MY_AWS_SECRET_ACCESS_KEY` | +| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | `MY_AWS_SES_SENDER_ID` | +| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | `MY_AWS_SNS_SENDER_ID` | +| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. | `MY_TWILIO_ACCOUNT_SID` | +| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | `MY_TWILIO_AUTH_TOKEN` | +| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. 
| `MY_TWILIO_SERVICE_SID` | +| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). | `""` | +| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. | `nil` | +| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. | `nil` | +| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | `nil` | +| `sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` | The JWT secret used to create a JWT token used to send requests to the anchor platform. | `nil` | +| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. | `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container. | `nil` | +| `sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of signer used to sign Stellar transactions for the tenants' distribution accounts. Options: DISTRIBUTION_ACCOUNT_ENV: uses the same distribution account for all tenants, as well as for the HOST, through the secret configured in DISTRIBUTION_SEED. DISTRIBUTION_ACCOUNT_DB: uses the one different distribution account private key per tenant, and stores them in the database, encrypted with the DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE. 
| `nil` | +| `sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` | +| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | +| `sdp.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` | +| `sdp.kubeSecrets.data.ADMIN_ACCOUNT` | The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | +| `sdp.kubeSecrets.data.ADMIN_API_KEY` | The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | `nil` | +| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | +| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. | `true` | +| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | +| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | +| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. 
You need to create this secret manually. | `backend-tls-cert-name` | ### Anchor Platform 
@@ -235,48 +235,48 @@ the recipient’s registration process through the SEP-24 deposit flow.
 Configuration parameters for the Transaction Submission Service. This is the service that submits all payment transactions to the Stellar network. This service is designed to maximize payment throughput, handle queuing, and graceful resubmission/error handling
-| Name | Description | Value |
-| ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
-| `tss.enabled` | If true, the tss will be deployed. | `true` |
-| `tss.route` | Configuration related to the routing of the TSS. | |
-| `tss.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` |
-| `tss.route.port` | Primary port on which the TSS listens. | `9000` |
-| `tss.route.metricsPort` | Port dedicated to metrics collection for the TSS. | `9002` |
-| `tss.deployment` | Configuration related to the deployment of the TSS. | |
-| `tss.deployment.annotations` | Annotations to be added to the deployment. | `nil` |
-| `tss.deployment.podAnnotations` | Annotations specific to the pods. | `{}` |
-| `tss.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` |
-| `tss.deployment.podSecurityContext` | Security settings for the pods. | `{}` |
-| `tss.deployment.securityContext` | Security settings for the container within the pod. | `{}` |
-| `tss.deployment.resources` | Resource limits and requests for the application pods. | `{}` |
-| `tss.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` |
-| `tss.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` |
-| `tss.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` |
-| `tss.configMap` | Configuration settings for the Transaction Submission Service (TSS) ConfigMap. | |
-| `tss.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` |
-| `tss.configMap.data` | Used to inject non-sensitive environment variables into the TSS deployment; for the latest variables, consult the application's CLI `-h` command. | |
-| `tss.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` |
-| `tss.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` |
-| `tss.configMap.data.NUM_CHANNEL_ACCOUNTS` | The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. | `1` |
-| `tss.configMap.data.MAX_BASE_FEE` | Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. | `100000` |
-| `tss.configMap.data.TSS_METRICS_TYPE` | Defines the type of metrics system that the TSS should use. Options: "TSS_PROMETHEUS". | `TSS_PROMETHEUS` |
-| `tss.configMap.data.QUEUE_POLLING_INTERVAL` | Specifies the interval (in seconds) at which the TSS should poll the queue. | `6` |
-| `tss.configMap.data.ENVIRONMENT` | Specifies the environment TSS is running in (e.g. "localhost"). | `development` |
-| `tss.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` |
-| `tss.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | |
-| `tss.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `tss-secret-name` |
-| `tss.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` |
-| `tss.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` |
-| `tss.kubeSecrets.data.DATABASE_URL` | URL of the database used by the TSS. | `nil` |
-| `tss.kubeSecrets.data.DISTRIBUTION_SEED` | The private key of the Stellar account used to disburse funds. | `nil` |
-| `tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` |
-| `tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of the signature client used for distribution accounts. | `nil` |
-| `tss.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` |
-| `tss.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` |
-| `tss.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` |
-| `tss.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` |
-| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` |
-| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` |
+| Name | Description | Value |
+| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
+| `tss.enabled` | If true, the tss will be deployed. | `true` |
+| `tss.route` | Configuration related to the routing of the TSS. | |
+| `tss.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` |
+| `tss.route.port` | Primary port on which the TSS listens. | `9000` |
+| `tss.route.metricsPort` | Port dedicated to metrics collection for the TSS. | `9002` |
+| `tss.deployment` | Configuration related to the deployment of the TSS. | |
+| `tss.deployment.annotations` | Annotations to be added to the deployment. | `nil` |
+| `tss.deployment.podAnnotations` | Annotations specific to the pods. | `{}` |
+| `tss.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` |
+| `tss.deployment.podSecurityContext` | Security settings for the pods. | `{}` |
+| `tss.deployment.securityContext` | Security settings for the container within the pod. | `{}` |
+| `tss.deployment.resources` | Resource limits and requests for the application pods. | `{}` |
+| `tss.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` |
+| `tss.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` |
+| `tss.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` |
+| `tss.configMap` | Configuration settings for the Transaction Submission Service (TSS) ConfigMap. | |
+| `tss.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` |
+| `tss.configMap.data` | Used to inject non-sensitive environment variables into the TSS deployment; for the latest variables, consult the application's CLI `-h` command. | |
+| `tss.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` |
+| `tss.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` |
+| `tss.configMap.data.NUM_CHANNEL_ACCOUNTS` | The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. | `1` |
+| `tss.configMap.data.MAX_BASE_FEE` | Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. | `100000` |
+| `tss.configMap.data.TSS_METRICS_TYPE` | Defines the type of metrics system that the TSS should use. Options: "TSS_PROMETHEUS". | `TSS_PROMETHEUS` |
+| `tss.configMap.data.QUEUE_POLLING_INTERVAL` | Specifies the interval (in seconds) at which the TSS should poll the queue. | `6` |
+| `tss.configMap.data.ENVIRONMENT` | Specifies the environment TSS is running in (e.g. "localhost"). | `development` |
+| `tss.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` |
+| `tss.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | |
+| `tss.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `tss-secret-name` |
+| `tss.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` |
+| `tss.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` |
+| `tss.kubeSecrets.data.DATABASE_URL` | URL of the database used by the TSS. | `nil` |
+| `tss.kubeSecrets.data.DISTRIBUTION_SEED` | The HOST's Stellar distribution account, used to create channel accounts. | `nil` |
+| `tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | `nil` |
+| `tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` | The type of signer used to sign Stellar transactions for the tenants' distribution accounts. Options: DISTRIBUTION_ACCOUNT_ENV: uses the the same distribution account for all tenants, as well as for the HOST, through the secret configured in DISTRIBUTION_SEED. DISTRIBUTION_ACCOUNT_DB: uses the one different distribution account private key per tenant, and stores them in the database, encrypted with the DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE. | `nil` |
+| `tss.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB. | `nil` |
+| `tss.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | `nil` |
+| `tss.kubeSecrets.data.KAFKA_SASL_USERNAME` | The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` |
+| `tss.kubeSecrets.data.KAFKA_SASL_PASSWORD` | The password for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT". | `nil` |
+| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_KEY` | Access key (keystore) in PEM format. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` |
+| `tss.kubeSecrets.data.KAFKA_SSL_ACCESS_CERTIFICATE` | Certificate in PEM format that matches with the Kafka Access Key. Required if KAFKA_SECURITY_PROTOCOL is set to "SSL". | `nil` |
 ### Dashboard
diff --git a/charts/stellar-disbursement-platform/values.yaml b/charts/stellar-disbursement-platform/values.yaml
index 7edda12..dc99a45 100644
--- a/charts/stellar-disbursement-platform/values.yaml
+++ b/charts/stellar-disbursement-platform/values.yaml
@@ -196,9 +196,9 @@ sdp:
 ## @param sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY Secret key for Google reCAPTCHA service to verify user's non-robotic behavior.
 ## @param sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET The JWT secret used to create a JWT token used to send requests to the anchor platform.
 ## @param sdp.kubeSecrets.data.DATABASE_URL URL of the database used by the SDP.
- ## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds. This is needed for the init container.
+ ## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container.
 ## @param sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel accounts secrets in the database.
- ## @param sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of the signature client used for distribution accounts.
+ ## @param sdp.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of signer used to sign Stellar transactions for the tenants' distribution accounts. Options: DISTRIBUTION_ACCOUNT_ENV: uses the same distribution account for all tenants, as well as for the HOST, through the secret configured in DISTRIBUTION_SEED. DISTRIBUTION_ACCOUNT_DB: uses the one different distribution account private key per tenant, and stores them in the database, encrypted with the DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE.
 ## @param sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB.
 ## @param sdp.kubeSecrets.data.SENTRY_DSN The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY".
 ## @param sdp.kubeSecrets.data.KAFKA_SASL_USERNAME The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT".
@@ -482,9 +482,9 @@ tss:
 ## @param tss.kubeSecrets.create If true, the secret will be created. If false, it is assumed the secret already exists.
 ## @param tss.kubeSecrets.annotations Annotations to be added to the secret.
 ## @param tss.kubeSecrets.data.DATABASE_URL URL of the database used by the TSS.
- ## @param tss.kubeSecrets.data.DISTRIBUTION_SEED The private key of the Stellar account used to disburse funds.
+ ## @param tss.kubeSecrets.data.DISTRIBUTION_SEED The HOST's Stellar distribution account, used to create channel accounts.
 ## @param tss.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the channel accounts secrets in the database.
- ## @param tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of the signature client used for distribution accounts.
+ ## @param tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE The type of signer used to sign Stellar transactions for the tenants' distribution accounts. Options: DISTRIBUTION_ACCOUNT_ENV: uses the the same distribution account for all tenants, as well as for the HOST, through the secret configured in DISTRIBUTION_SEED. DISTRIBUTION_ACCOUNT_DB: uses the one different distribution account private key per tenant, and stores them in the database, encrypted with the DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE.
 ## @param tss.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE The private key used to encrypt the distribution accounts secrets in the database, mandatory when DISTRIBUTION_SIGNER_TYPE is set to DISTRIBUTION_ACCOUNT_DB.
 ## @param tss.kubeSecrets.data.SENTRY_DSN The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY".
 ## @param tss.kubeSecrets.data.KAFKA_SASL_USERNAME The username for SASL authentication to the Kafka broker. Required if KAFKA_SECURITY_PROTOCOL is set to "SASL_SSL" or "SASL_PLAINTEXT".
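Review bot: The rewritten `sdp.kubeSecrets.data.DISTRIBUTION_SEED` description no longer says the value is a secret seed (private key), so a reader can confuse it with the public account ID that `DISTRIBUTION_PUBLIC_KEY` in the configMap already carries — and this is the key that can move funds. Suggest `## @param sdp.kubeSecrets.data.DISTRIBUTION_SEED The secret seed (private key) of the HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container.`. The new DISTRIBUTION_SIGNER_TYPE text should also spell out the isolation consequence the options imply: with DISTRIBUTION_ACCOUNT_ENV all tenants and the HOST share one signing key and one funding account, so any tenant-level compromise or bug affects every tenant, whereas DISTRIBUTION_ACCOUNT_DB gives each tenant its own key encrypted at rest with DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE. DISTRIBUTION_SIGNER_TYPE itself is a selector rather than a credential; it is presumably documented under kubeSecrets.data only because that is where the template reads it — worth confirming, since operators may otherwise assume it must be kept secret.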
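Review bot: The new `tss.kubeSecrets.data.DISTRIBUTION_SIGNER_TYPE` line has two typos, `uses the the same` and `uses the one different distribution account`, and it diverges from the sdp counterpart in the hunk above, which already reads `uses the same`; suggest `DISTRIBUTION_ACCOUNT_ENV: uses the same distribution account for all tenants, as well as for the HOST, ...` and `DISTRIBUTION_ACCOUNT_DB: uses a different distribution account private key per tenant, ...`. As with the sdp hunk, the new `tss.kubeSecrets.data.DISTRIBUTION_SEED` wording dropped the words "private key"; keep `The secret seed (private key) of the HOST's Stellar distribution account, used to create channel accounts.` so it is not mistaken for `DISTRIBUTION_PUBLIC_KEY`. Since the new text states that per-tenant keys are stored in the database encrypted with DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE, it would help operators to add that this passphrase is the only thing protecting every tenant's signing key at rest and must be high-entropy and unique per environment.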