From 1dc0e32803555783b966590ee1a5879a4e249afc Mon Sep 17 00:00:00 2001 From: Marwen Abid Date: Wed, 3 Dec 2025 16:48:11 -0800 Subject: [PATCH] SDP release 6.0.0 --- .../stellar-disbursement-platform/Chart.yaml | 4 +- .../stellar-disbursement-platform/README.md | 249 +++++++----------- .../minimal-values.yaml | 13 - .../templates/01.1-configmap-sdp.yaml | 2 - .../templates/01.2-configmap-ap.yaml | 101 ------- .../templates/02.2-deployment-ap.yaml | 130 --------- .../templates/03.2-service-ap.yaml | 21 -- .../templates/04.2-ingress-ap.yaml | 36 --- .../templates/05.1-secrets-sdp.yaml | 7 - .../templates/05.2-secrets-ap.yaml | 61 ----- .../templates/NOTES.txt | 21 +- .../templates/_helpers.tpl | 58 ---- .../stellar-disbursement-platform/values.yaml | 166 +++--------- 13 files changed, 133 insertions(+), 736 deletions(-) delete mode 100644 charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml delete mode 100644 charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml delete mode 100644 charts/stellar-disbursement-platform/templates/03.2-service-ap.yaml delete mode 100644 charts/stellar-disbursement-platform/templates/04.2-ingress-ap.yaml delete mode 100644 charts/stellar-disbursement-platform/templates/05.2-secrets-ap.yaml diff --git a/charts/stellar-disbursement-platform/Chart.yaml b/charts/stellar-disbursement-platform/Chart.yaml index ddc9c13..d551b09 100644 --- a/charts/stellar-disbursement-platform/Chart.yaml +++ b/charts/stellar-disbursement-platform/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: stellar-disbursement-platform description: A Helm chart for the Stellar Disbursement Platform Backend (A.K.A. `sdp`) -version: "5.0.0" -appVersion: "5.0.0" +version: "6.0.0" +appVersion: "6.0.0" type: application maintainers: - name: Stellar Development Foundation diff --git a/charts/stellar-disbursement-platform/README.md b/charts/stellar-disbursement-platform/README.md index 0a7ed4a..28bb8e6 100644 
--- a/charts/stellar-disbursement-platform/README.md +++ b/charts/stellar-disbursement-platform/README.md @@ -14,7 +14,6 @@ - [Parameters](#parameters) - [Global parameters](#global-parameters) - [Stellar Disbursement Platform (SDP) parameters](#stellar-disbursement-platform-sdp-parameters) - - [Anchor Platform](#anchor-platform) - [Transaction Submission Service](#transaction-submission-service) - [Dashboard](#dashboard) @@ -22,11 +21,14 @@ This chart bootstraps a Stellar Disbursement Platform (SDP) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. The SDP is a set of services that enable organizations to disburse funds to recipients using the Stellar network. The SDP consists of the following services: -- Stellar Disbursement Platform (SDP) Core Service: the core backend service that performs several functions. -- Anchor Platform: the API server that the wallet uses to authenticate and initiate the recipient’s registration process through the SEP-24 deposit flow. +- Stellar Disbursement Platform (SDP) Core Service: the core backend service that performs several functions, including native SEP10/SEP24 implementations. - Transaction Submission Service (TSS): the service that submits all payment transactions to the Stellar network. - Dashboard: the user interface administrators use to initiate and track the progress of disbursements. +### SEP10/SEP24 Implementation + +The SDP now includes native implementations of SEP10 and SEP24 protocols, providing wallet authentication and interactive deposit flows without requiring external Anchor Platform integration. + ## Installing the Chart The chart can be installed either from a packaged chart or directly from the git repository. 
@@ -132,7 +134,6 @@ With the tunnel running, you can access the services using the following URLs: - Dashboard: [https://dashboard.local](https://dashboard.local) - SDP Backend: [https://sdp.local](https://sdp.local) - SDP Admin API: [https://sdp.local:8003](https://sdp.local:8003) -- Anchor Platform: [https://ap.local](https://ap.local) ## Parameters @@ -167,7 +168,7 @@ These parameters are shared by all charts. | `global.singleTenantMode` | Determines if the SDP service is running in single-tenant mode. | `false` | | `global.distributionPublicKey` | The public key of the HOST's Stellar distribution account, used to create channel accounts. | `nil` | | `global.distributionPrivateKey` | The private key of the root Stellar distribution account | `nil` | -| `global.sep10PublicKey` | Anchor platform SEP10 signing public key. | `nil` | +| `global.sep10PublicKey` | SEP10 signing public key. | `nil` | | `global.sep10PrivateKey` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. | `nil` | | `global.recaptchaSiteKey` | Site key for ReCaptcha V2 to verify user's non-robotic behavior. Default value is for testing. | `6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI` | | `global.recaptchaSiteSecretKey` | Secret key for ReCaptcha V2 to verify user's non-robotic behavior. Default value is for testing. | `6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe` | 
@@ -182,150 +183,94 @@ Configuration parameters for the SDP Core Service which is the core backend serv - Messaging Service: a recurring process that sends text messages to users prompting them to download the wallet selected for a particular disbursement and verify their phone with an OTP - Wallet Registration UI: a web application that collects and verifies the recipient's OTP code and verification information via Stellar's SEP-24: Hosted Deposit and Withdrawal protocol -| Name | Description | Value | -| ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | -| `sdp.route` | Configuration related to the routing of the SDP service. | | -| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `nil` | -| `sdp.route.mtnDomain` | Public domain/address of the multi-tenant SDP service. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com". | `nil` | -| `sdp.route.adminDomain` | Public domain/address of the SDP admin service. Disabled by default. When provided, the admin service will be available at this domain. | `nil` | -| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | -| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | -| `sdp.route.adminPort` | Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants. | `8003` | -| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | -| `sdp.image.repository` | Docker image repository for the SDP backend service. 
| `stellar/stellar-disbursement-platform-backend` | -| `sdp.image.pullPolicy` | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | -| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. | `5.0.0` | -| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | -| `sdp.deployment.annotations` | Annotations to be added to the deployment. | `nil` | -| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `sdp.deployment.resources` | Resource limits and requests for the SDP service pods. If not specified, falls back to global.resources. | `{}` | -| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | -| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | -| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | -| `sdp.deployment.priorityClassName` | Name of the priority class to be used by the SDP deployment. If not specified, no priority class will be used. | `""` | -| `sdp.deployment.topologySpreadConstraints` | Pod topology spread constraints for the SDP service, overrides global setting if defined. | `[]` | -| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | -| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. 
| `nil` | -| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | -| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. Required if global.distributionPublicKey not set. | | -| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | Anchor platform SEP10 signing public key. Required if global.sep10PublicKey not set. | | -| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | | -| `sdp.configMap.data.INSTANCE_NAME` | The name of the SDP instance. Example: "SDP Testnet". | `SDP Testnet` | -| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | -| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). | `dev` | -| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | -| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | -| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL", "TWILIO_EMAIL". | `DRY_RUN` | -| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS", "TWILIO_WHATSAPP", "AWS_SMS". | `DRY_RUN` | -| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | -| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). 
| `false` | -| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | -| `sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS` | The interval in seconds for the payment job that syncs payments between the SDP and the TSS. | `10` | -| `sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` | The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job. | `10` | -| `sdp.configMap.data.MAX_INVITATION_RESEND_ATTEMPTS` | The maximum number of times an invitation can be resent. 0 or negative values disable the job. | `3` | -| `sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT` | The amount of XLM to be sent to a newly created tenant distribution account. | `5` | -| `sdp.configMap.data.CIRCLE_API_TYPE` | The type of Circle API to be used. Options: "TRANSFERS", "PAYOUTS". Default: "TRANSFERS". | `TRANSFERS` | -| `sdp.configMap.data.ENABLE_BRIDGE_INTEGRATION` | Determines if the bridge integration is enabled. If set to true, the bridge integration will be enabled. | | -| `sdp.configMap.data.BRIDGE_BASE_URL` | The base URL of the bridge API. Required if ENABLE_BRIDGE_INTEGRATION is set to true. | | -| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | -| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | -| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | -| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | -| `sdp.kubeSecrets.data` | The sensitive data to be stored in the secret. | `{}` | -| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. 
| | -| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | | -| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | | -| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. | | -| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | | -| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | | -| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. | | -| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | | -| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. | | -| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_FROM_NUMBER` | The WhatsApp Business number used to send messages (with whatsapp: prefix). | | -| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_RECEIVER_INVITATION_TEMPLATE_SID` | The Twilio Content SID for WhatsApp receiver invitation template (starts with HX). | | -| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_RECEIVER_OTP_TEMPLATE_SID` | The Twilio Content SID for WhatsApp receiver OTP template (starts with HX). | | -| `sdp.kubeSecrets.data.TWILIO_SENDGRID_API_KEY` | API key for the Twilio SendGrid (email) service. | | -| `sdp.kubeSecrets.data.TWILIO_SENDGRID_SENDER_ADDRESS` | Email address used to send emails via Twilio SendGrid. | | -| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | | -| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). 
| | -| `sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` | The JWT secret used to create a JWT token used to send requests to the anchor platform. | | -| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. | | -| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | | -| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. Required if global.sep10PrivateKey not set. | | -| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container. | | -| `sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | A Stellar-compliant ed25519 private key used to encrypt and decrypt the private keys of tenants' distribution accounts. | | -| `sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | | -| `sdp.kubeSecrets.data.ADMIN_ACCOUNT` | The ID of the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | | -| `sdp.kubeSecrets.data.ADMIN_API_KEY` | The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | | -| `sdp.kubeSecrets.data.BRIDGE_API_KEY` | The API key for the bridge integration. Required if ENABLE_BRIDGE_INTEGRATION is set to true. | | -| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | -| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. 
| `true` | -| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | -| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | -| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `backend-tls-cert-name` | - -### Anchor Platform - -Configuration parameters for the Anchor Platform which is the API server that the wallet uses to authenticate and initiate -the recipient's registration process through the SEP-24 deposit flow. - -| Name | Description | Value | -| ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------- | -| `anchorPlatform.route` | Configuration related to the routing of the Anchor Platform service. | | -| `anchorPlatform.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | -| `anchorPlatform.route.domain` | Public domain/address of the Anchor Platform service. If using localhost, consider including the port as part of the domain. | `nil` | -| `anchorPlatform.route.sepPort` | The port of the sep server of the anchor platform. This is the public API that is meant to be reached by a client application, such as the stellar.toml file." | `8080` | -| `anchorPlatform.route.platformPort` | The port of the platform server of the anchor platform. This is the private API that is meant to be reached only by the SDP server, such as the PATCH /sep24/transactions endpoint.", | `8085` | -| `anchorPlatform.image` | Configuration related to the Docker image used by the Anchor Platform service. 
| | -| `anchorPlatform.image.repository` | Docker image repository for the Anchor Platform service. | `stellar/anchor-platform` | -| `anchorPlatform.image.pullPolicy` | Image pull policy for the Anchor Platform service. | `IfNotPresent` | -| `anchorPlatform.image.tag` | Docker image tag for the Anchor Platform service. | `2.6.2` | -| `anchorPlatform.deployment` | Configuration related to the deployment of the Anchor Platform. | | -| `anchorPlatform.deployment.annotations` | Annotations to be added to the deployment. | `{}` | -| `anchorPlatform.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | -| `anchorPlatform.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | -| `anchorPlatform.deployment.podSecurityContext` | Security settings for the pods. | `{}` | -| `anchorPlatform.deployment.securityContext` | Security settings for the container within the pod. | `{}` | -| `anchorPlatform.deployment.resources` | Resource limits and requests for the Anchor Platform service pods. If not specified, falls back to global.resources. | `{}` | -| `anchorPlatform.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | -| `anchorPlatform.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. | `[]` | -| `anchorPlatform.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | -| `anchorPlatform.deployment.priorityClassName` | Name of the priority class to be used by the Anchor Platform deployment. If not specified, no priority class will be used. | `""` | -| `anchorPlatform.deployment.topologySpreadConstraints` | Pod topology spread constraints for the Anchor Platform service, overrides global setting if defined. | `[]` | -| `anchorPlatform.configMap` | Configuration for the ConfigMap used by the anchorPlatform service. 
| | -| `anchorPlatform.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | -| `anchorPlatform.configMap.data` | Used to inject non-sensitive environment variables into the Anchor Platform deployment; for the latest variables, consult Anchor Platform's public documentation. | | -| `anchorPlatform.configMap.data.APP_LOGGING_LEVEL` | Specifies the logging level for the application (e.g. "INFO", "DEBUG", "ERROR"). | `INFO` | -| `anchorPlatform.configMap.data.DATA_DATABASE` | Specifies the database connection details for the platform. Will be auto-populated in the development helm chart when `ephemeralDatabase` is enabled. | | -| `anchorPlatform.configMap.data.DATA_SERVER` | Specifies the server connection details for the platform. Will be auto-populated in the development helm chart when `ephemeralDatabase` is enabled. | | -| `anchorPlatform.configMap.data.DATA_FLYWAY_ENABLED` | Determines if Flyway, the database migration tool, is enabled. | | -| `anchorPlatform.configMap.data.ASSETS_VALUE` | Specifies the details and configuration of assets supported by the anchor platform. This includes SEP-24 enabled assets, schema type, code, issuer details, distribution account, precision details, and deposit and withdrawal configurations. Currently, it needs to be *manually* kept up to date with the SDP state. | | -| `anchorPlatform.configMap.data.DATA_DDL_AUTO` | Specifies the strategy Hibernate should use for the database schema initialization. The standard Hibernate property values are `none`, `validate`, `update`, `create-drop`. | `update` | -| `anchorPlatform.configMap.data.METRICS_ENABLED` | Determines if metrics collection is enabled for the platform. If enabled, metrics would be available at port 8082. | `false` | -| `anchorPlatform.configMap.data.METRICS_EXTRAS_ENABLED` | Determines if additional metrics (beyond the standard set) are enabled for collection. 
| `false` | -| `anchorPlatform.configMap.data.SEP10_CLIENT_ATTRIBUTION_REQUIRED` | When set to `true`, only SEP-10 requests from known clients listed in `SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST` will be accepted. | `false` | -| `anchorPlatform.configMap.data.SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST` | The comma-separated list of client domains allowed to make SEP-10 requests. | `""` | -| `anchorPlatform.kubeSecrets` | secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | -| `anchorPlatform.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `anchor-platform-secret-name` | -| `anchorPlatform.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | -| `anchorPlatform.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | -| `anchorPlatform.kubeSecrets.data` | The sensitive data to be stored in the secret. | `{}` | -| `anchorPlatform.kubeSecrets.data.SECRET_DATA_PASSWORD` | Database password for the anchor platform. | | -| `anchorPlatform.kubeSecrets.data.SECRET_DATA_USERNAME` | Database username for the anchor platform. | | -| `anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET` | The secret used for authenticating API requests between the SDP and the Anchor Platform. | | -| `anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET` | The JWT secret used by the Anchor Platform to sign SEP-10 JWT tokens. These tokens are used for various authentication and transaction-related purposes. | | -| `anchorPlatform.kubeSecrets.data.SECRET_SEP10_SIGNING_SEED` | The seed for the SEP-10 signing process. It's essential for ensuring the security and authenticity of SEP-10 transactions. Required if global.sep10PrivateKey not set. 
| | -| `anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET` | The JWT secret used by the Anchor Platform to sign SEP-24 interactive URLs. These URLs typically initiate user-interactive processes like deposits and withdrawals. Must be the same as SDP's SEP24_JWT_SECRET. | | -| `anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET` | The JWT secret used by the Anchor Platform to sign SEP-24 'More Info' URLs. These URLs provide users with additional details or steps related to their transactions. | | -| `anchorPlatform.ingress` | Configuration for the ingress controller for the Anchor Platform. | | -| `anchorPlatform.ingress.enabled` | If true, an ingress controller will be created for the Anchor Platform. | `true` | -| `anchorPlatform.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | -| `anchorPlatform.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.ap.domain\" . }}"]` | -| `anchorPlatform.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. For more instructions, please refer to helmchart/docs/README.md | `backend-tls-cert-name` | +| Name | Description | Value | +| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | +| `sdp.route` | Configuration related to the routing of the SDP service. | | +| `sdp.route.schema` | Protocol scheme used for the service. Can be "http" or "https". | `https` | +| `sdp.route.domain` | Public domain/address of the SDP service. If using localhost, consider including the port as part of the domain. | `nil` | +| `sdp.route.mtnDomain` | Public domain/address of the multi-tenant SDP service. 
This is a wild-card domain used for multi-tenant setups e.g. "*.sdp.localhost.com". | `nil` | +| `sdp.route.adminDomain` | Public domain/address of the SDP admin service. Disabled by default. When provided, the admin service will be available at this domain. | `nil` | +| `sdp.route.port` | Primary port on which the SDP service listens. | `8000` | +| `sdp.route.metricsPort` | Port dedicated to metrics collection for the SDP service. | `8002` | +| `sdp.route.adminPort` | Port dedicated to serve the SDP admin endpoints, used to manage new or existing tenants. | `8003` | +| `sdp.image` | Configuration related to the Docker image used by the SDP service. | | +| `sdp.image.repository` | Docker image repository for the SDP backend service. | `stellar/stellar-disbursement-platform-backend` | +| `sdp.image.pullPolicy` | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | +| `sdp.image.tag` | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`. | `6.0.0` | +| `sdp.deployment` | Configuration related to the deployment of the SDP service. | | +| `sdp.deployment.annotations` | Annotations to be added to the deployment. | `nil` | +| `sdp.deployment.podAnnotations` | Annotations specific to the pods. | `{}` | +| `sdp.deployment.podSecurityContext` | Security settings for the pods. | `{}` | +| `sdp.deployment.securityContext` | Security settings for the container within the pod. | `{}` | +| `sdp.deployment.strategy` | Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. | `{}` | +| `sdp.deployment.resources` | Resource limits and requests for the SDP service pods. If not specified, falls back to global.resources. | `{}` | +| `sdp.deployment.nodeSelector` | Node selector to determine which nodes should run the pods. | `{}` | +| `sdp.deployment.tolerations` | Tolerations to ensure pods aren't scheduled on unsuitable nodes. 
| `[]` | +| `sdp.deployment.affinity` | Affinity rules to determine where pods get scheduled based on node conditions. | `{}` | +| `sdp.deployment.priorityClassName` | Name of the priority class to be used by the SDP deployment. If not specified, no priority class will be used. | `""` | +| `sdp.deployment.topologySpreadConstraints` | Pod topology spread constraints for the SDP service, overrides global setting if defined. | `[]` | +| `sdp.configMap` | Configuration for the ConfigMap used by the SDP service. | | +| `sdp.configMap.annotations` | Annotations to be added to the ConfigMap. | `nil` | +| `sdp.configMap.data` | Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. | | +| `sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY` | The public key of the HOST's Stellar distribution account, used to create channel accounts. Required if global.distributionPublicKey not set. | | +| `sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY` | SEP10 signing public key. Required if global.sep10PublicKey not set. | | +| `sdp.configMap.data.RECAPTCHA_SITE_KEY` | Site key for ReCaptcha. Required if using ReCaptcha. | | +| `sdp.configMap.data.INSTANCE_NAME` | The name of the SDP instance. Example: "SDP Testnet". | `SDP Testnet` | +| `sdp.configMap.data.CRASH_TRACKER_TYPE` | Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". | `DRY_RUN` | +| `sdp.configMap.data.ENVIRONMENT` | Specifies the environment SDP is running in (e.g. "localhost"). | `dev` | +| `sdp.configMap.data.LOG_LEVEL` | Determines the verbosity level of logs. Options: "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" | `INFO` | +| `sdp.configMap.data.METRICS_TYPE` | Defines the type of metrics system in use. Options: "PROMETHEUS". | `PROMETHEUS` | +| `sdp.configMap.data.EMAIL_SENDER_TYPE` | The messenger type used to send invitations to new dashboard users. Options: "DRY_RUN", "AWS_EMAIL", "TWILIO_EMAIL". 
| `DRY_RUN` | +| `sdp.configMap.data.SMS_SENDER_TYPE` | The messenger type used to send text messages to recipients. Options: "DRY_RUN", "TWILIO_SMS", "TWILIO_WHATSAPP", "AWS_SMS". | `DRY_RUN` | +| `sdp.configMap.data.CORS_ALLOWED_ORIGINS` | Specifies the domains allowed to make cross-origin requests. "*" means all domains are allowed. | `*` | +| `sdp.configMap.data.DISABLE_RECAPTCHA` | Determines if ReCaptcha should be disabled for login ("true" or "false"). | `false` | +| `sdp.configMap.data.DISABLE_MFA` | Determines if email-based MFA should be disabled during login ("true" or "false"). | `false` | +| `sdp.configMap.data.SCHEDULER_PAYMENT_JOB_SECONDS` | The interval in seconds for the payment job that syncs payments between the SDP and the TSS. | `10` | +| `sdp.configMap.data.SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` | The interval in seconds for the receiver invitation job that sends invitations to new receivers. 0 or negative values disable the job. | `10` | +| `sdp.configMap.data.MAX_INVITATION_RESEND_ATTEMPTS` | The maximum number of times an invitation can be resent. 0 or negative values disable the job. | `3` | +| `sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT` | The amount of XLM to be sent to a newly created tenant distribution account. | `5` | +| `sdp.configMap.data.CIRCLE_API_TYPE` | The type of Circle API to be used. Options: "TRANSFERS", "PAYOUTS". Default: "TRANSFERS". | `TRANSFERS` | +| `sdp.configMap.data.DB_MAX_OPEN_CONNS` | Maximum open connections per pool to the database. | `20` | +| `sdp.configMap.data.DB_MAX_IDLE_CONNS` | Maximum idle connections retained in the pool. | `2` | +| `sdp.configMap.data.DB_CONN_MAX_IDLE_TIME_SECONDS` | Close idle connections after N seconds. | `10` | +| `sdp.configMap.data.DB_CONN_MAX_LIFETIME_SECONDS` | Recycle connections after N seconds. | `300` | +| `sdp.configMap.data.ENABLE_BRIDGE_INTEGRATION` | Determines if the bridge integration is enabled. If set to true, the bridge integration will be enabled. 
| | +| `sdp.configMap.data.BRIDGE_BASE_URL` | The base URL of the bridge API. Required if ENABLE_BRIDGE_INTEGRATION is set to true. | | +| `sdp.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | +| `sdp.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `sdp-backend-secret-name` | +| `sdp.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | +| `sdp.kubeSecrets.annotations` | Annotations to be added to the secret. | `nil` | +| `sdp.kubeSecrets.data` | The sensitive data to be stored in the secret. | `{}` | +| `sdp.kubeSecrets.data.DATABASE_URL` | URL of the database used by the SDP. | | +| `sdp.kubeSecrets.data.AWS_ACCESS_KEY_ID` | AWS IAM user's access key ID for authenticating to AWS services. | | +| `sdp.kubeSecrets.data.AWS_REGION` | AWS region where services (like SES for email sending) are provisioned. | | +| `sdp.kubeSecrets.data.AWS_SECRET_ACCESS_KEY` | AWS IAM user's secret access key for authenticating to AWS services. | | +| `sdp.kubeSecrets.data.AWS_SES_SENDER_ID` | Identifier for the AWS SES service used for sending emails. | | +| `sdp.kubeSecrets.data.AWS_SNS_SENDER_ID` | Identifier for the AWS SNS service used for sending text messages. | | +| `sdp.kubeSecrets.data.TWILIO_ACCOUNT_SID` | Account SID for authenticating to the Twilio service, used for sending text messages. | | +| `sdp.kubeSecrets.data.TWILIO_AUTH_TOKEN` | Authentication token for the Twilio service. | | +| `sdp.kubeSecrets.data.TWILIO_SERVICE_SID` | Service SID for the specific Twilio service being utilized. | | +| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_FROM_NUMBER` | The WhatsApp Business number used to send messages (with whatsapp: prefix). 
| | +| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_RECEIVER_INVITATION_TEMPLATE_SID` | The Twilio Content SID for WhatsApp receiver invitation template (starts with HX). | | +| `sdp.kubeSecrets.data.TWILIO_WHATSAPP_RECEIVER_OTP_TEMPLATE_SID` | The Twilio Content SID for WhatsApp receiver OTP template (starts with HX). | | +| `sdp.kubeSecrets.data.TWILIO_SENDGRID_API_KEY` | API key for the Twilio SendGrid (email) service. | | +| `sdp.kubeSecrets.data.TWILIO_SENDGRID_SENDER_ADDRESS` | Email address used to send emails via Twilio SendGrid. | | +| `sdp.kubeSecrets.data.SENTRY_DSN` | The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". | | +| `sdp.kubeSecrets.data.EC256_PRIVATE_KEY` | The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). | | +| `sdp.kubeSecrets.data.SEP24_JWT_SECRET` | The JWT secret used to sign SEP-24 JWT tokens for wallet registration and interactive deposit authentication. | | +| `sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY` | Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. | | +| `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` | The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. Required if global.sep10PrivateKey not set. | | +| `sdp.kubeSecrets.data.DISTRIBUTION_SEED` | The HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container. | | +| `sdp.kubeSecrets.data.DISTRIBUTION_ACCOUNT_ENCRYPTION_PASSPHRASE` | A Stellar-compliant ed25519 private key used to encrypt and decrypt the private keys of tenants' distribution accounts. | | +| `sdp.kubeSecrets.data.CHANNEL_ACCOUNT_ENCRYPTION_PASSPHRASE` | The private key used to encrypt the channel accounts secrets in the database. | | +| `sdp.kubeSecrets.data.ADMIN_ACCOUNT` | The ID of the admin account. 
To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | | +| `sdp.kubeSecrets.data.ADMIN_API_KEY` | The API key for the admin account. To use, add to the request header as 'Authorization', formatted as Base64-encoded 'ADMIN_ACCOUNT:ADMIN_API_KEY'.", | | +| `sdp.kubeSecrets.data.BRIDGE_API_KEY` | The API key for the bridge integration. Required if ENABLE_BRIDGE_INTEGRATION is set to true. | | +| `sdp.ingress` | Configuration for the ingress controller for the SDP service. | | +| `sdp.ingress.enabled` | If true, an ingress controller will be created for the SDP service. | `true` | +| `sdp.ingress.className` | Name of the IngressClass to be used for the ingress controller. | `nginx` | +| `sdp.ingress.tls[0].hosts` | List of hosts covered by the TLS certificate. | `["{{ include \"sdp.domain\" . }}"]` | +| `sdp.ingress.tls[0].secretName` | The name of the Kubernetes TLS secret. You need to create this secret manually. | `backend-tls-cert-name` | ### Transaction Submission Service 
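Review bot: two documentation defects in the regenerated SDP parameters table. The descriptions of `sdp.kubeSecrets.data.ADMIN_ACCOUNT` and `sdp.kubeSecrets.data.ADMIN_API_KEY` end with a stray `",` (`... 'ADMIN_ACCOUNT:ADMIN_API_KEY'.",`) that will render literally; drop it. More important, `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` is described as "The public key of the Stellar account that signs the SEP-10 transactions" even though it lives under `kubeSecrets` and is the signing secret; suggest "The private key (seed) of the Stellar account that signs the SEP-10 challenge transactions" so operators do not treat it as a value that is safe to publish. Since the table is being rewritten anyway, the `*` default for `CORS_ALLOWED_ORIGINS` would also benefit from a "restrict to the dashboard origin in production" remark in its description.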
@@ -362,6 +307,10 @@ This service is designed to maximize payment throughput, handle queuing, and gra | `tss.configMap.data.NUM_CHANNEL_ACCOUNTS` | The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. | `1` | | `tss.configMap.data.MAX_BASE_FEE` | Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. | `100000` | | `tss.configMap.data.QUEUE_POLLING_INTERVAL` | Specifies the interval (in seconds) at which the TSS should poll the queue. | `6` | +| `tss.configMap.data.DB_MAX_OPEN_CONNS` | Maximum open connections per pool to the database. | `20` | +| `tss.configMap.data.DB_MAX_IDLE_CONNS` | Maximum idle connections retained in the pool. | `2` | +| `tss.configMap.data.DB_CONN_MAX_IDLE_TIME_SECONDS` | Close idle connections after N seconds. | `10` | +| `tss.configMap.data.DB_CONN_MAX_LIFETIME_SECONDS` | Recycle connections after N seconds. | `300` | | `tss.kubeSecrets` | Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. | | | `tss.kubeSecrets.secretName` | The name of the Kubernetes secret object. Only use this if create is false. | `tss-secret-name` | | `tss.kubeSecrets.create` | If true, the secret will be created. If false, it is assumed the secret already exists. | `false` | 
@@ -386,7 +335,7 @@ Configuration parameters for the Dashboard. This is the user interface administr | `dashboard.route.mtnDomain` | Public domain/address of the multi-tenant Dashboard. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp-dashboard.localhost.com". | `nil` | | `dashboard.route.port` | Primary port on which the Dashboard listens. | `80` | | `dashboard.image` | Configuration related to the Docker image used by the Dashboard. | | -| `dashboard.image.fullName` | Full name of the Docker image. | `stellar/stellar-disbursement-platform-frontend:5.0.0` | +| `dashboard.image.fullName` | Full name of the Docker image. | `stellar/stellar-disbursement-platform-frontend:6.0.0` | | `dashboard.image.pullPolicy` | Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent". | `Always` | | `dashboard.deployment` | Configuration related to the deployment of the Dashboard. | | | `dashboard.deployment.annotations` | Annotations to be added to the deployment. | `{}` | diff --git a/charts/stellar-disbursement-platform/minimal-values.yaml b/charts/stellar-disbursement-platform/minimal-values.yaml index 19d90d5..16b171b 100644 --- a/charts/stellar-disbursement-platform/minimal-values.yaml +++ b/charts/stellar-disbursement-platform/minimal-values.yaml @@ -27,19 +27,6 @@ sdp: image: tag: "edge" -# =========================== START Anchor ======================== -anchorPlatform: - route: - schema: "http" - domain: "ap.local" - ## Disable the TLS for the Anchor Platform ingress - ingress: - tls: [] - ## Generate secrets for the Anchor Platform - kubeSecrets: - secretName: sdp-ap - create: true - # =========================== START TSS =========================== tss: ## Generate secrets for the TSS diff --git a/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml b/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml index 46d72e9..f2203b6 100644 
--- a/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml +++ b/charts/stellar-disbursement-platform/templates/01.1-configmap-sdp.yaml @@ -24,8 +24,6 @@ data: PORT: {{ include "sdp.port" . | quote }} METRICS_PORT: {{ include "sdp.metricsPort" . | quote }} ADMIN_PORT: {{ include "sdp.adminPort" . | quote }} - ANCHOR_PLATFORM_BASE_SEP_URL: {{ include "sdp.ap.baseURL" . | quote }} - ANCHOR_PLATFORM_BASE_PLATFORM_URL: {{ include "sdp.ap.platformServiceAddress" . | quote }} {{- /* Values from the `global` section */}} diff --git a/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml b/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml deleted file mode 100644 index a7bf954..0000000 --- a/charts/stellar-disbursement-platform/templates/01.2-configmap-ap.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "sdp.fullname" . }}-ap - namespace: {{ .Release.Namespace }} - labels: - {{- include "sdp.labelsWithSuffix" (list . "-ap") | nindent 4 }} - - {{- if .Values.anchorPlatform.configMap.annotations }} - annotations: - {{- toYaml .Values.anchorPlatform.configMap.annotations | nindent 4 }} - {{- end }} - -data: - {{- if eq (include "isPubnet" .) "true" }} - STELLAR_NETWORK_NETWORK: "PUBLIC" - STELLAR_NETWORK_NETWORK_PASSPHRASE: "Public Global Stellar Network ; September 2015" - STELLAR_NETWORK_HORIZON_URL: "https://horizon.stellar.org" - {{- else }} - STELLAR_NETWORK_NETWORK: "TESTNET" - STELLAR_NETWORK_NETWORK_PASSPHRASE: "Test SDF Network ; September 2015" - STELLAR_NETWORK_HORIZON_URL: "https://horizon-testnet.stellar.org" - {{- end }} - HOST_URL: {{ include "sdp.ap.baseURL" . | quote }} - SEP_SERVER_PORT: {{ include "sdp.ap.sepPort" . | quote }} - CALLBACK_API_BASE_URL: 'http://{{ include "sdp.fullname" . }}.{{ .Release.Namespace }}:{{ include "sdp.port" . }}' - DATA_TYPE: postgres - SEP1_ENABLED: "true" - SEP1_TOML_TYPE: url - SEP1_TOML_VALUE: 'http://{{ include "sdp.fullname" . }}.{{ .Release.Namespace }}:{{ include "sdp.port" . }}/.well-known/stellar.toml' - SEP10_ENABLED: "true" - SEP10_WEB_AUTH_DOMAIN: {{ include "sdp.ap.domain" . | quote }} - SEP10_HOME_DOMAIN: "" - SEP10_HOME_DOMAINS: "{{ include "sdp.domain" . }},{{ include "sdp.mtnDomain" . }}" - SEP24_ENABLED: "true" - SEP24_INTERACTIVE_URL_JWT_EXPIRATION: "1800" # 1800 seconds is 30 minutes - ASSETS_TYPE: json - SEP24_INTERACTIVE_URL_BASE_URL: {{ include "sdp.schema" . }}://{{ include "sdp.domain" . }}/wallet-registration/start - SEP24_MORE_INFO_URL_BASE_URL: {{ include "sdp.schema" . }}://{{ include "sdp.domain" . 
}}/wallet-registration/start - CALLBACK_API_AUTH_TYPE: none # TODO: update to jwt later - PLATFORM_SERVER_AUTH_TYPE: JWT - {{- if and .Values.global.distributionPublicKey (not .Values.anchorPlatform.configMap.data.ASSETS_VALUE) }} - ASSETS_VALUE: | # TODO: keep this up to date with the latest assets supported by the SDP - { - "assets": [ - { - "sep24_enabled": true, - "schema": "stellar", - "code": "native", - "issuer": "", - "distribution_account": {{ .Values.global.distributionPublicKey | quote }}, - "significant_decimals": 7, - "deposit": { - "enabled": true, - "fee_minimum": 0, - "fee_percent": 0, - "min_amount": 1, - "max_amount": 10000 - }, - "withdraw": {"enabled": false} - }, - { - "sep24_enabled": true, - "schema": "stellar", - "code": "USDC", - "issuer": {{- include "sdp.usdcIssuer" . | quote }}, - "distribution_account": {{ .Values.global.distributionPublicKey | quote }}, - "significant_decimals": 7, - "deposit": { - "enabled": true, - "fee_minimum": 0, - "fee_percent": 0, - "min_amount": 1, - "max_amount": 10000 - }, - "withdraw": {"enabled": false} - }, - { - "sep24_enabled": true, - "schema": "stellar", - "code": "EURC", - "issuer": {{- include "sdp.eurcIssuer" . | quote }}, - "distribution_account": {{ .Values.global.distributionPublicKey | quote }}, - "significant_decimals": 7, - "deposit": { - "enabled": true, - "fee_minimum": 0, - "fee_percent": 0, - "min_amount": 1, - "max_amount": 10000 - }, - "withdraw": {"enabled": false} - } - ] - } - {{- end }} - {{- /* -Values from the ap configmap section - These will override the global values - */}} - {{- tpl (toYaml .Values.anchorPlatform.configMap.data | nindent 2) . }} \ No newline at end of file diff --git a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml b/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml deleted file mode 100644 index 4eaff1b..0000000 --- a/charts/stellar-disbursement-platform/templates/02.2-deployment-ap.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "sdp.fullname" . }}-ap - namespace: {{ .Release.Namespace }} - labels: - {{- include "sdp.labelsWithSuffix" (list . "-ap") | nindent 4 }} - {{- if .Values.anchorPlatform.deployment.annotations }} - annotations: - {{- tpl (toYaml .Values.anchorPlatform.deployment.annotations) . | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.global.autoscaling.enabled }} - replicas: {{ .Values.global.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "sdp.selectorLabelsWithSuffix" (list . "-ap") | nindent 6 }} - - {{- if .Values.anchorPlatform.deployment.strategy }} - strategy: - {{- toYaml .Values.anchorPlatform.deployment.strategy | nindent 4 }} - {{- end }} - - template: - metadata: - {{- if .Values.anchorPlatform.deployment.podAnnotations }} - annotations: - {{- tpl (toYaml .Values.anchorPlatform.deployment.podAnnotations) . | nindent 8 }} - {{- end }} - labels: - {{- include "sdp.selectorLabelsWithSuffix" (list . "-ap") | nindent 8 }} - spec: - {{- if .Values.global.serviceAccount.name }} - serviceAccountName: {{ tpl .Values.global.serviceAccount.name $ }} - {{- end }} - {{- if or .Values.anchorPlatform.deployment.priorityClassName .Values.global.deployment.priorityClassName }} - priorityClassName: {{ .Values.anchorPlatform.deployment.priorityClassName | default .Values.global.deployment.priorityClassName | quote }} - {{- end }} - securityContext: - {{- tpl (toYaml .Values.anchorPlatform.deployment.podSecurityContext) . | nindent 8 }} - - {{- with default .Values.global.deployment.topologySpreadConstraints .Values.anchorPlatform.deployment.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - - containers: - # ============================= Anchor Platform: ============================= - - name: {{ .Chart.Name }}-ap - securityContext: - {{- tpl (toYaml .Values.anchorPlatform.deployment.securityContext) . 
| nindent 12 }} - image: "{{ .Values.anchorPlatform.image.repository }}:{{ .Values.anchorPlatform.image.tag }}" - imagePullPolicy: {{ .Values.anchorPlatform.image.pullPolicy }} - {{- if .Values.global.ephemeralDatabase }} - env: - - name: DATA_TYPE - value: 'postgres' - - name: DATA_SERVER - value: '{{ include "sdp.fullname" . }}-psql.{{ .Release.Namespace }}.svc.cluster.local:5433' - - name: DATA_DATABASE - value: 'postgres-ap' - - name: SECRET_DATA_USERNAME - value: 'postgres' - - name: SECRET_DATA_PASSWORD - value: 'postgres' - - name: SDP_IMAGE_TAG # This env is used to force the AP to be redeployed every time the SDP is deployed. This is used to force the SDP to re-fetch the toml file and assets to ensure the latest ones are used. - value: {{ .Values.sdp.image.tag }} - {{- end }} - args: - - "--sep-server" - - "--platform-server" - ports: - - name: ap-sep - containerPort: {{ include "sdp.ap.sepPort" . }} - protocol: TCP - - name: ap-platform - containerPort: {{ include "sdp.ap.platformPort" . }} - protocol: TCP - - name: ap-metrics - containerPort: {{ include "sdp.ap.metricsPort" . }} - protocol: TCP - livenessProbe: - httpGet: - path: /health?checks=config - port: ap-sep - initialDelaySeconds: 60 - periodSeconds: 15 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /health?checks=config - port: ap-sep - initialDelaySeconds: 60 - periodSeconds: 15 - failureThreshold: 10 - startupProbe: - httpGet: - path: /health?checks=config - port: ap-sep - initialDelaySeconds: 60 - periodSeconds: 15 - failureThreshold: 10 - - {{- if or .Values.anchorPlatform.deployment.resources .Values.global.resources }} - resources: - {{- tpl (toYaml (.Values.anchorPlatform.deployment.resources | default .Values.global.resources)) . | nindent 12 }} - {{- end }} - - envFrom: - - configMapRef: - name: {{ include "sdp.fullname" . 
}}-ap - - {{- if .Values.anchorPlatform.kubeSecrets.secretName }} - - secretRef: - name: {{ .Values.anchorPlatform.kubeSecrets.secretName }} - {{ end }} - - {{- with .Values.anchorPlatform.deployment.nodeSelector | default .Values.global.deployment.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.anchorPlatform.deployment.affinity | default .Values.global.deployment.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.anchorPlatform.deployment.tolerations | default .Values.global.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/stellar-disbursement-platform/templates/03.2-service-ap.yaml b/charts/stellar-disbursement-platform/templates/03.2-service-ap.yaml deleted file mode 100644 index 7e7719a..0000000 --- a/charts/stellar-disbursement-platform/templates/03.2-service-ap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "sdp.fullname" . }}-ap - namespace: {{ .Release.Namespace }} - labels: - {{- include "sdp.labelsWithSuffix" (list . "-ap") | nindent 4 }} -spec: - type: {{ .Values.global.service.type }} - ports: - - port: {{ include "sdp.ap.sepPort" . }} - targetPort: ap-sep - protocol: TCP - name: ap-sep - - port: {{ include "sdp.ap.platformPort" . }} - targetPort: ap-platform - protocol: TCP - name: ap-platform - - selector: - {{- include "sdp.selectorLabelsWithSuffix" (list . "-ap") | nindent 4 }} diff --git a/charts/stellar-disbursement-platform/templates/04.2-ingress-ap.yaml b/charts/stellar-disbursement-platform/templates/04.2-ingress-ap.yaml deleted file mode 100644 index 77084b1..0000000 --- a/charts/stellar-disbursement-platform/templates/04.2-ingress-ap.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{- if .Values.anchorPlatform.ingress.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "sdp.fullname" . }}-ap - namespace: {{ .Release.Namespace }} - labels: - {{- include "sdp.labels" . | nindent 4 }} - annotations: - {{- toYaml .Values.anchorPlatform.ingress.annotations | nindent 4 }} -spec: - {{- if .Values.anchorPlatform.ingress.className }} - ingressClassName: {{ .Values.anchorPlatform.ingress.className }} - {{- end }} - {{- if .Values.anchorPlatform.ingress.tls }} - tls: - {{- tpl (toYaml .Values.anchorPlatform.ingress.tls) . | nindent 4 }} - {{- end }} - rules: - - host: {{ include "sdp.ap.domain" . | quote }} - http: - paths: - # Only enable the AP endpints that are needed for this application: - {{- $service_name := printf "%s-ap" (include "sdp.fullname" .) }} - {{- $service_sep_port := include "sdp.ap.sepPort" . }} - {{- $paths := list "/health" "/.well-known" "/auth" "/sep24" -}} - {{- range $path := $paths }} - - path: {{ $path }} - pathType: Prefix - backend: - service: - name: {{ $service_name }} - port: - number: {{ $service_sep_port }} - {{- end }} -{{- end }} diff --git a/charts/stellar-disbursement-platform/templates/05.1-secrets-sdp.yaml b/charts/stellar-disbursement-platform/templates/05.1-secrets-sdp.yaml index f7a5912..d73fd8e 100644 --- a/charts/stellar-disbursement-platform/templates/05.1-secrets-sdp.yaml +++ b/charts/stellar-disbursement-platform/templates/05.1-secrets-sdp.yaml 
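Review bot: the deleted Anchor Platform ingress deliberately exposed only `/health`, `/.well-known`, `/auth` and `/sep24` (see the comment "Only enable the AP endpints that are needed for this application" and the `$paths` list). With SEP-10/SEP-24 now served natively by the SDP core service, those wallet-facing routes sit behind the SDP ingress, whose documented parameters in the README hunk (`sdp.ingress.enabled`, `className`, `tls`) carry no path allow-list. Please state in the README which SDP paths are intended to be public after this change, or add an equivalent path-scoped rule, so that the attack-surface reduction the old template encoded is not silently lost.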
@@ -43,13 +43,6 @@ data: {{- required "sdp.kubeSecrets.data.SEP24_JWT_SECRET is required" .Values.sdp.kubeSecrets.data.SEP24_JWT_SECRET }} {{- end }} - {{- /* ANCHOR_PLATFORM_OUTGOING_JWT_SECRET */ -}} - {{- if or .Values.global.autoGenerateSecrets .Values.sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET }} - ANCHOR_PLATFORM_OUTGOING_JWT_SECRET: {{ default (include "sdp.platformAuthSecret" . | b64enc) .Values.sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET | quote }} - {{- else }} - {{- required "sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET is required" .Values.sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET }} - {{- end }} - {{- /* Values from the global section */}} diff --git a/charts/stellar-disbursement-platform/templates/05.2-secrets-ap.yaml b/charts/stellar-disbursement-platform/templates/05.2-secrets-ap.yaml deleted file mode 100644 index 4ba3196..0000000 --- a/charts/stellar-disbursement-platform/templates/05.2-secrets-ap.yaml +++ /dev/null 
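Review bot: dropping `ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` from the Secret template is a breaking change for operators running with `sdp.kubeSecrets.create: false`, whose externally managed Secret will now carry a dead key, and nothing in this hunk documents it. Suggest an upgrade note for 6.0.0 saying that `ANCHOR_PLATFORM_OUTGOING_JWT_SECRET` can be removed (and, since it was shared with the Anchor Platform, rotated out of any other store), and that `SEP24_JWT_SECRET` is now mandatory, matching the `required "sdp.kubeSecrets.data.SEP24_JWT_SECRET is required"` guard kept as context above the removed block.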
@@ -1,61 +0,0 @@ -{{- if .Values.anchorPlatform.kubeSecrets.create -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "sdp.fullname" . }}-ap - namespace: {{ .Release.Namespace }} - labels: - {{- include "sdp.labels" . | nindent 4 }} - - {{- if .Values.anchorPlatform.kubeSecrets.annotations }} - annotations: - {{- toYaml .Values.anchorPlatform.kubeSecrets.annotations | nindent 4 }} - {{- end }} - -data: - {{- /* SECRET_PLATFORM_API_AUTH_SECRET */ -}} - {{- if or .Values.global.autoGenerateSecrets .Values.anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET }} - SECRET_PLATFORM_API_AUTH_SECRET: {{ default (include "sdp.platformAuthSecret" . | b64enc) .Values.anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET | quote }} - {{- else }} - {{- required "anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET is required" .Values.anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET }} - {{- end }} - - {{- $jwtSecret := include "sdp.jwtSecret" . 
-}} - {{- /* SECRET_SEP10_JWT_SECRET */ -}} - {{- if or .Values.global.autoGenerateSecrets .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET }} - SECRET_SEP10_JWT_SECRET: {{ default ($jwtSecret | b64enc) .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET | quote }} - {{- else }} - {{- required "anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET is required" .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET }} - {{- end }} - - {{- /* SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET */ -}} - {{- if or .Values.global.autoGenerateSecrets .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET }} - SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET: {{ default ($jwtSecret | b64enc) .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET | quote }} - {{- else }} - {{- required "anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET is required" .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET }} - {{- end }} - - {{- /* SECRET_SEP24_MORE_INFO_URL_JWT_SECRET */ -}} - {{- if or .Values.global.autoGenerateSecrets .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET }} - SECRET_SEP24_MORE_INFO_URL_JWT_SECRET: {{ default ($jwtSecret | b64enc) .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET | quote }} - {{- else }} - {{- required "anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET is required" .Values.anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET }} - {{- end }} - -{{- /* -Values from the global section - */}} - {{- if .Values.global.sep10PrivateKey }} - SECRET_SEP10_SIGNING_SEED: {{ .Values.global.sep10PrivateKey | b64enc | quote }} - {{- end }} - - {{- /* -Values from the ap secrets section - These will override the template values - */}} - {{- range $key, $value := .Values.tss.kubeSecrets.data }} - {{- if $value }} - {{ $key }}: {{ $value | b64enc | quote }} 
- {{- end }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/stellar-disbursement-platform/templates/NOTES.txt b/charts/stellar-disbursement-platform/templates/NOTES.txt index b378e6e..3b02de2 100644 --- a/charts/stellar-disbursement-platform/templates/NOTES.txt +++ b/charts/stellar-disbursement-platform/templates/NOTES.txt @@ -72,26 +72,7 @@ Your release is named {{ .Release.Name }} and deployed to namespace {{ .Release. Visit http://127.0.0.1:8081 to use the Dashboard {{- end }} -{{- if .Values.anchorPlatform.ingress.enabled }} -3. Access the Anchor Platform: - {{- if .Values.anchorPlatform.ingress.tls }} - https://{{ include "sdp.ap.domain" . }} - {{- else }} - http://{{ include "sdp.ap.domain" . }} - {{- end }} -{{- else }} -3. Access the AP Service: - AP SEP Port: {{ include "sdp.ap.sepPort" . }} - AP Platform Port: {{ include "sdp.ap.platformPort" . }} - {{- if contains "ClusterIP" .Values.global.service.type }} - - Run these commands to port-forward to the AP service: - export AP_POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sdp.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=ap" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ .Release.Namespace }} port-forward $AP_POD_NAME {{ include "sdp.ap.sepPort" . }}:ap-sep {{ include "sdp.ap.platformPort" . }}:ap-platform - {{- end }} -{{- end }} - -4. View logs: +3. View logs: # SDP logs kubectl logs --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sdp.name" . }}" -f diff --git a/charts/stellar-disbursement-platform/templates/_helpers.tpl b/charts/stellar-disbursement-platform/templates/_helpers.tpl index 482e00b..dfcd18f 100644 --- a/charts/stellar-disbursement-platform/templates/_helpers.tpl +++ b/charts/stellar-disbursement-platform/templates/_helpers.tpl 
@@ -138,57 +138,6 @@ TSS Metrics port {{- .Values.tss.route.metricsPort | default "9002" }} {{- end }} - -{{/* -Anchor Platform domain -*/}} -{{- define "sdp.ap.domain" -}} -{{- .Values.anchorPlatform.route.domain | default (printf "localhost:%s" (include "sdp.ap.sepPort" .)) }} -{{- end }} - -{{/* -Anchor Platform schema -*/}} -{{- define "sdp.ap.schema" -}} -{{- .Values.anchorPlatform.route.schema | default "https" }} -{{- end }} - -{{/* -Anchor Platform SEP/public port -*/}} -{{- define "sdp.ap.sepPort" -}} -{{- .Values.anchorPlatform.route.sepPort | default "8080" }} -{{- end }} - -{{/* -Anchor Platform internal communication port -*/}} -{{- define "sdp.ap.platformPort" -}} -{{- .Values.anchorPlatform.route.platformPort | default "8085" }} -{{- end }} - -{{/* -Anchor Platform metrics port -*/}} -{{- define "sdp.ap.metricsPort" -}} -{{- 8082 }} -{{- end }} - -{{/* -AP SEP full service address -*/}} -{{- define "sdp.ap.sepServiceAddress" -}} -http://{{ include "sdp.fullname" . }}-ap.{{ .Release.Namespace }}.svc.cluster.local:{{ include "sdp.ap.sepPort" . }} -{{- end -}} - -{{/* -AP Platform full service address -*/}} -{{- define "sdp.ap.platformServiceAddress" -}} -http://{{ include "sdp.fullname" . }}-ap.{{ .Release.Namespace }}.svc.cluster.local:{{ include "sdp.ap.platformPort" . }} -{{- end -}} - - {{/* Dashboard domain */}} @@ -305,13 +254,6 @@ SDP base URL with schema and domain {{- printf "%s://%s" (include "sdp.schema" .) (include "sdp.domain" .) -}} {{- end -}} -{{/* -AP SEP base URL with schema and domain -*/}} -{{- define "sdp.ap.baseURL" -}} -{{- printf "%s://%s" (include "sdp.ap.schema" .) (include "sdp.ap.domain" .) -}} -{{- end -}} - {{/* Dashboard base URL with schema and domain */}} diff --git a/charts/stellar-disbursement-platform/values.yaml b/charts/stellar-disbursement-platform/values.yaml index e91a294..a761db2 100644 --- a/charts/stellar-disbursement-platform/values.yaml +++ b/charts/stellar-disbursement-platform/values.yaml 
@@ -83,7 +83,7 @@ global: distributionPublicKey: #required distributionPrivateKey: #required - ## @param global.sep10PublicKey Anchor platform SEP10 signing public key. + ## @param global.sep10PublicKey SEP10 signing public key. ## @param global.sep10PrivateKey The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. sep10PublicKey: #required sep10PrivateKey: #required @@ -135,7 +135,7 @@ sdp: image: repository: stellar/stellar-disbursement-platform-backend pullPolicy: Always - tag: "5.0.0" + tag: "6.0.0" ## @extra sdp.deployment Configuration related to the deployment of the SDP service. ## @param sdp.deployment.annotations Annotations to be added to the deployment. @@ -166,7 +166,7 @@ sdp: ## @param sdp.configMap.annotations Annotations to be added to the ConfigMap. ## @extra sdp.configMap.data Used to inject non-sensitive environment variables into the SDP deployment; for the latest variables, consult the application's CLI `-h` command. ## @extra sdp.configMap.data.DISTRIBUTION_PUBLIC_KEY The public key of the HOST's Stellar distribution account, used to create channel accounts. Required if global.distributionPublicKey not set. - ## @extra sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY Anchor platform SEP10 signing public key. Required if global.sep10PublicKey not set. + ## @extra sdp.configMap.data.SEP10_SIGNING_PUBLIC_KEY SEP10 signing public key. Required if global.sep10PublicKey not set. ## @extra sdp.configMap.data.RECAPTCHA_SITE_KEY Site key for ReCaptcha. Required if using ReCaptcha. ## @param sdp.configMap.data.INSTANCE_NAME The name of the SDP instance. Example: "SDP Testnet". ## @param sdp.configMap.data.CRASH_TRACKER_TYPE Determines the type of crash tracker in use. Options: "DRY_RUN", "SENTRY". 
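Review bot: the `@@ -83,7 +83,7 @@` hunk rewrites the `global.sep10PublicKey` comment but leaves the adjacent `global.sep10PrivateKey` comment reading "The public key of the Stellar account that signs the SEP-10 transactions", which is wrong for a private key and is the line operators read when deciding what must go into a Secret. Suggest "The private key (seed) of the Stellar account that signs the SEP-10 challenge transactions. It's also used to sign URLs." The same wording is repeated on the `sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY` `@extra` comment kept as context in the `@@ -242,8 +252,7 @@` hunk and should be corrected there too.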
@@ -183,6 +183,10 @@ sdp: ## @param sdp.configMap.data.MAX_INVITATION_RESEND_ATTEMPTS The maximum number of times an invitation can be resent. 0 or negative values disable the job. ## @param sdp.configMap.data.TENANT_XLM_BOOTSTRAP_AMOUNT The amount of XLM to be sent to a newly created tenant distribution account. ## @param sdp.configMap.data.CIRCLE_API_TYPE The type of Circle API to be used. Options: "TRANSFERS", "PAYOUTS". Default: "TRANSFERS". + ## @param sdp.configMap.data.DB_MAX_OPEN_CONNS Maximum open connections per pool to the database. + ## @param sdp.configMap.data.DB_MAX_IDLE_CONNS Maximum idle connections retained in the pool. + ## @param sdp.configMap.data.DB_CONN_MAX_IDLE_TIME_SECONDS Close idle connections after N seconds. + ## @param sdp.configMap.data.DB_CONN_MAX_LIFETIME_SECONDS Recycle connections after N seconds. ## @extra sdp.configMap.data.ENABLE_BRIDGE_INTEGRATION Determines if the bridge integration is enabled. If set to true, the bridge integration will be enabled. ## @extra sdp.configMap.data.BRIDGE_BASE_URL The base URL of the bridge API. Required if ENABLE_BRIDGE_INTEGRATION is set to true. configMap: @@ -221,6 +225,12 @@ sdp: TENANT_XLM_BOOTSTRAP_AMOUNT: "5" CIRCLE_API_TYPE: "TRANSFERS" + ## Database connection pool tuning (SDP/Core) + DB_MAX_OPEN_CONNS: "20" + DB_MAX_IDLE_CONNS: "2" + DB_CONN_MAX_IDLE_TIME_SECONDS: "10" + DB_CONN_MAX_LIFETIME_SECONDS: "300" + ## @extra sdp.kubeSecrets Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. ## @param sdp.kubeSecrets.secretName The name of the Kubernetes secret object. Only use this if create is false. ## @param sdp.kubeSecrets.create If true, the secret will be created. If false, it is assumed the secret already exists. 
@@ -242,8 +252,7 @@ sdp: ## @extra sdp.kubeSecrets.data.TWILIO_SENDGRID_SENDER_ADDRESS Email address used to send emails via Twilio SendGrid. ## @extra sdp.kubeSecrets.data.SENTRY_DSN The DSN for the Sentry service. it must be set if CRASH_TRACKER_TYPE is set to "SENTRY". ## @extra sdp.kubeSecrets.data.EC256_PRIVATE_KEY [string] The EC256 Private Key. This key is used to sign the authentication token. This EC key needs to be at least as strong as prime256v1 (P-256). - ## @extra sdp.kubeSecrets.data.ANCHOR_PLATFORM_OUTGOING_JWT_SECRET The JWT secret used to create a JWT token used to send requests to the anchor platform. - ## @extra sdp.kubeSecrets.data.SEP24_JWT_SECRET The JWT secret that's used by the Anchor Platform to sign the SEP-24 JWT token. Must be the same as Anchor Platform's SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET. + ## @extra sdp.kubeSecrets.data.SEP24_JWT_SECRET The JWT secret used to sign SEP-24 JWT tokens for wallet registration and interactive deposit authentication. ## @extra sdp.kubeSecrets.data.RECAPTCHA_SITE_SECRET_KEY Secret key for Google reCAPTCHA service to verify user's non-robotic behavior. ## @extra sdp.kubeSecrets.data.SEP10_SIGNING_PRIVATE_KEY The public key of the Stellar account that signs the SEP-10 transactions. It's also used to sign URLs. Required if global.sep10PrivateKey not set. ## @extra sdp.kubeSecrets.data.DISTRIBUTION_SEED The HOST's Stellar distribution account, used to create channel accounts. This is needed for the init container. @@ -288,7 +297,6 @@ sdp: ## Security configuration # EC256_PRIVATE_KEY: #required -# ANCHOR_PLATFORM_OUTGOING_JWT_SECRET: #required for mySdpToAnchorPlatformSecret # SEP24_JWT_SECRET: #required # RECAPTCHA_SITE_SECRET_KEY: #required when using ReCaptcha 
@@ -324,134 +332,12 @@ sdp: secretName: backend-tls-cert-name # You need to create this secret manually. For more instructions, please refer to helmchart/docs/README.md # NOTE: the hosts to be used here will be the same ones as in the sdp.route section. - # =========================== START anchorPlatform =========================== - ## @section Anchor Platform - ## @descriptionStart - ## Configuration parameters for the Anchor Platform which is the API server that the wallet uses to authenticate and initiate - ## the recipient's registration process through the SEP-24 deposit flow. - ## @descriptionEnd -anchorPlatform: - - ## @extra anchorPlatform.route Configuration related to the routing of the Anchor Platform service. - ## @param anchorPlatform.route.schema Protocol scheme used for the service. Can be "http" or "https". - ## @param anchorPlatform.route.domain Public domain/address of the Anchor Platform service. If using localhost, consider including the port as part of the domain. - ## @param anchorPlatform.route.sepPort The port of the sep server of the anchor platform. This is the public API that is meant to be reached by a client application, such as the stellar.toml file." - ## @param anchorPlatform.route.platformPort The port of the platform server of the anchor platform. This is the private API that is meant to be reached only by the SDP server, such as the PATCH /sep24/transactions endpoint.", - route: - schema: "https" - domain: #required - sepPort: "8080" - platformPort: "8085" - - ## @extra anchorPlatform.image Configuration related to the Docker image used by the Anchor Platform service. - ## @param anchorPlatform.image.repository Docker image repository for the Anchor Platform service. - ## @param anchorPlatform.image.pullPolicy Image pull policy for the Anchor Platform service. - ## @param anchorPlatform.image.tag Docker image tag for the Anchor Platform service. 
- image: - repository: stellar/anchor-platform - pullPolicy: IfNotPresent - tag: "2.6.2" - - ## @extra anchorPlatform.deployment Configuration related to the deployment of the Anchor Platform. - ## @param anchorPlatform.deployment.annotations Annotations to be added to the deployment. - ## @param anchorPlatform.deployment.podAnnotations Annotations specific to the pods. - ## @param anchorPlatform.deployment.strategy Configuration related to the deployment strategy, ensuring smooth updates and minimal downtime. - ## @param anchorPlatform.deployment.podSecurityContext Security settings for the pods. - ## @param anchorPlatform.deployment.securityContext Security settings for the container within the pod. - ## @param anchorPlatform.deployment.resources Resource limits and requests for the Anchor Platform service pods. If not specified, falls back to global.resources. - ## @param anchorPlatform.deployment.nodeSelector Node selector to determine which nodes should run the pods. - ## @param anchorPlatform.deployment.tolerations Tolerations to ensure pods aren't scheduled on unsuitable nodes. - ## @param anchorPlatform.deployment.affinity Affinity rules to determine where pods get scheduled based on node conditions. - ## @param anchorPlatform.deployment.priorityClassName Name of the priority class to be used by the Anchor Platform deployment. If not specified, no priority class will be used. - ## @param anchorPlatform.deployment.topologySpreadConstraints Pod topology spread constraints for the Anchor Platform service, overrides global setting if defined. - deployment: - annotations: {} - podAnnotations: {} - strategy: {} - podSecurityContext: {} - securityContext: {} - resources: {} - nodeSelector: {} - tolerations: [] - affinity: {} - priorityClassName: "" - topologySpreadConstraints: [] - - ## @extra anchorPlatform.configMap Configuration for the ConfigMap used by the anchorPlatform service. 
- ## @param anchorPlatform.configMap.annotations Annotations to be added to the ConfigMap. - ## @extra anchorPlatform.configMap.data Used to inject non-sensitive environment variables into the Anchor Platform deployment; for the latest variables, consult Anchor Platform's public documentation. - ## @param anchorPlatform.configMap.data.APP_LOGGING_LEVEL Specifies the logging level for the application (e.g. "INFO", "DEBUG", "ERROR"). - ## @extra anchorPlatform.configMap.data.DATA_DATABASE Specifies the database connection details for the platform. Will be auto-populated in the development helm chart when `ephemeralDatabase` is enabled. - ## @extra anchorPlatform.configMap.data.DATA_SERVER Specifies the server connection details for the platform. Will be auto-populated in the development helm chart when `ephemeralDatabase` is enabled. - ## @extra anchorPlatform.configMap.data.DATA_FLYWAY_ENABLED Determines if Flyway, the database migration tool, is enabled. - ## @extra anchorPlatform.configMap.data.ASSETS_VALUE [string] Specifies the details and configuration of assets supported by the anchor platform. This includes SEP-24 enabled assets, schema type, code, issuer details, distribution account, precision details, and deposit and withdrawal configurations. Currently, it needs to be *manually* kept up to date with the SDP state. - ## @param anchorPlatform.configMap.data.DATA_DDL_AUTO Specifies the strategy Hibernate should use for the database schema initialization. The standard Hibernate property values are `none`, `validate`, `update`, `create-drop`. - ## @param anchorPlatform.configMap.data.METRICS_ENABLED Determines if metrics collection is enabled for the platform. If enabled, metrics would be available at port 8082. - ## @param anchorPlatform.configMap.data.METRICS_EXTRAS_ENABLED Determines if additional metrics (beyond the standard set) are enabled for collection. 
- ## @param anchorPlatform.configMap.data.SEP10_CLIENT_ATTRIBUTION_REQUIRED When set to `true`, only SEP-10 requests from known clients listed in `SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST` will be accepted. - ## @param anchorPlatform.configMap.data.SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST The comma-separated list of client domains allowed to make SEP-10 requests. - configMap: - annotations: - data: - APP_LOGGING_LEVEL: INFO - DATA_DDL_AUTO: update - METRICS_ENABLED: "false" # Metrics would be available at port 8082 - METRICS_EXTRAS_ENABLED: "false" - SEP10_CLIENT_ATTRIBUTION_REQUIRED: "false" # RECOMMENDED value is `true` - SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST: "" # RECOMMENDED value is a comma-separated list of client domains allowed to make SEP-10 requests. - - ## @extra anchorPlatform.kubeSecrets secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. - ## @param anchorPlatform.kubeSecrets.secretName The name of the Kubernetes secret object. Only use this if create is false. - ## @param anchorPlatform.kubeSecrets.create If true, the secret will be created. If false, it is assumed the secret already exists. - ## @param anchorPlatform.kubeSecrets.annotations Annotations to be added to the secret. - ## @param anchorPlatform.kubeSecrets.data The sensitive data to be stored in the secret. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_DATA_PASSWORD Database password for the anchor platform. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_DATA_USERNAME Database username for the anchor platform. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_PLATFORM_API_AUTH_SECRET The secret used for authenticating API requests between the SDP and the Anchor Platform. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_SEP10_JWT_SECRET The JWT secret used by the Anchor Platform to sign SEP-10 JWT tokens. These tokens are used for various authentication and transaction-related purposes. 
- ## @extra anchorPlatform.kubeSecrets.data.SECRET_SEP10_SIGNING_SEED The seed for the SEP-10 signing process. It's essential for ensuring the security and authenticity of SEP-10 transactions. Required if global.sep10PrivateKey not set. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET The JWT secret used by the Anchor Platform to sign SEP-24 interactive URLs. These URLs typically initiate user-interactive processes like deposits and withdrawals. Must be the same as SDP's SEP24_JWT_SECRET. - ## @extra anchorPlatform.kubeSecrets.data.SECRET_SEP24_MORE_INFO_URL_JWT_SECRET The JWT secret used by the Anchor Platform to sign SEP-24 'More Info' URLs. These URLs provide users with additional details or steps related to their transactions. - kubeSecrets: - secretName: "anchor-platform-secret-name" - create: false - annotations: - data: {} -# SECRET_DATA_PASSWORD: #required -# SECRET_DATA_USERNAME: #required -# SECRET_PLATFORM_API_AUTH_SECRET: #required for mySdpToAnchorPlatformSecret -# SECRET_SEP10_JWT_SECRET: #required -# SECRET_SEP10_SIGNING_SEED: #required -# SECRET_SEP24_INTERACTIVE_URL_JWT_SECRET: #required -# SECRET_SEP24_MORE_INFO_URL_JWT_SECRET: #required - - - ## @extra anchorPlatform.ingress Configuration for the ingress controller for the Anchor Platform. - ## @param anchorPlatform.ingress.enabled If true, an ingress controller will be created for the Anchor Platform. - ## @param anchorPlatform.ingress.className Name of the IngressClass to be used for the ingress controller. - ## @skip anchorPlatform.ingress.annotations - ## @param anchorPlatform.ingress.tls[0].hosts List of hosts covered by the TLS certificate. - ## @param anchorPlatform.ingress.tls[0].secretName The name of the Kubernetes TLS secret. You need to create this secret manually. 
For more instructions, please refer to helmchart/docs/README.md - ingress: - enabled: true - className: "nginx" - annotations: - nginx.ingress.kubernetes.io/custom-response-headers: "X-Frame-Options: DENY || X-Content-Type-Options: nosniff || Strict-Transport-Security: max-age=31536000; includeSubDomains" - nginx.ingress.kubernetes.io/limit-rpm: "120" - nginx.ingress.kubernetes.io/limit-burst-multiplier: "5" - tls: - - hosts: - - '{{ include "sdp.ap.domain" . }}' - secretName: backend-tls-cert-name - # NOTE: the hosts to be used here will be the same ones as in the anchorPlatform.route section. - - - # =========================== START tss =========================== - ## @section Transaction Submission Service - ## @descriptionStart - ## Configuration parameters for the Transaction Submission Service. This is the service that submits all payment transactions to the Stellar network. - ## This service is designed to maximize payment throughput, handle queuing, and graceful resubmission/error handling - ## @descriptionEnd +# =========================== START tss =========================== +## @section Transaction Submission Service +## @descriptionStart +## Configuration parameters for the Transaction Submission Service. This is the service that submits all payment transactions to the Stellar network. +## This service is designed to maximize payment throughput, handle queuing, and graceful resubmission/error handling +## @descriptionEnd tss: ## @param tss.enabled If true, the tss will be deployed. 
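Review bot: the `@@ -324,134 +332,12 @@` hunk deletes the Anchor Platform's `SEP10_CLIENT_ATTRIBUTION_REQUIRED` / `SEP10_CLIENT_ATTRIBUTION_ALLOW_LIST` parameters (whose comments called `true` and a populated allow list the RECOMMENDED production setting) together with the AP ingress rate-limit and security-header annotations (`limit-rpm: "120"`, `limit-burst-multiplier: "5"`, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, HSTS), but adds no equivalents under `sdp.configMap.data` or the SDP's own ingress for the SEP-10/SEP-24 endpoints the SDP now serves itself. Either add the native implementation's client-attribution parameters and confirm the SDP ingress carries the same annotations for those paths, or call out in NOTES.txt/README that these controls no longer exist, so operators upgrading from 5.x do not assume the allow list and rate limit survived the move.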
@@ -502,6 +388,10 @@ tss: ## @param tss.configMap.data.NUM_CHANNEL_ACCOUNTS The number of channel accounts the TSS will create/use. Channel accounts provide a method for submitting transactions to the network at a high rate. ## @param tss.configMap.data.MAX_BASE_FEE Specifies the maximum base fee (in stroops) the TSS is willing to pay per transaction. This helps to control costs and ensures transactions are economically feasible. ## @param tss.configMap.data.QUEUE_POLLING_INTERVAL Specifies the interval (in seconds) at which the TSS should poll the queue. + ## @param tss.configMap.data.DB_MAX_OPEN_CONNS Maximum open connections per pool to the database. + ## @param tss.configMap.data.DB_MAX_IDLE_CONNS Maximum idle connections retained in the pool. + ## @param tss.configMap.data.DB_CONN_MAX_IDLE_TIME_SECONDS Close idle connections after N seconds. + ## @param tss.configMap.data.DB_CONN_MAX_LIFETIME_SECONDS Recycle connections after N seconds. configMap: annotations: data: @@ -523,6 +413,12 @@ tss: ## Background tasks configuration QUEUE_POLLING_INTERVAL: "6" + ## Database connection pool tuning (tss) + DB_MAX_OPEN_CONNS: "20" + DB_MAX_IDLE_CONNS: "2" + DB_CONN_MAX_IDLE_TIME_SECONDS: "10" + DB_CONN_MAX_LIFETIME_SECONDS: "300" + ## @extra tss.kubeSecrets Kubernetes secrets are used to manage sensitive information, such as API keys and private keys. It's crucial that these details are kept private. ## @param tss.kubeSecrets.secretName The name of the Kubernetes secret object. Only use this if create is false. ## @param tss.kubeSecrets.create If true, the secret will be created. If false, it is assumed the secret already exists. 
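Review bot: the `@@ -502,6 +388,10 @@` hunk copies the four `DB_*` @param descriptions verbatim from the sdp section and the `@@ -523,6 +413,12 @@` hunk reuses the same defaults (`"20"` / `"2"` / `"10"` / `"300"`); if tss and sdp point at the same Postgres instance the documentation should say that both pools count against one `max_connections` budget (40 open connections with the defaults, per replica), and the tss description should state whether this pool is sized per process or shared with the channel-account workers driven by `NUM_CHANNEL_ACCOUNTS`, since raising the channel-account count is the obvious reason an operator would raise `DB_MAX_OPEN_CONNS` here.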
@@ -574,7 +470,7 @@ dashboard: ## @param dashboard.image.fullName Full name of the Docker image. ## @param dashboard.image.pullPolicy Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent". image: - fullName: stellar/stellar-disbursement-platform-frontend:5.0.0 + fullName: stellar/stellar-disbursement-platform-frontend:6.0.0 pullPolicy: Always ## @extra dashboard.deployment Configuration related to the deployment of the Dashboard.
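Review bot: the `@@ -574,7 +470,7 @@` hunk bumps `dashboard.image.fullName` to the mutable tag `stellar/stellar-disbursement-platform-frontend:6.0.0` while `pullPolicy: Always` stays, so every pod restart re-resolves the tag from the registry and a retagged or compromised image would be pulled silently; pin by digest, or at least document that production values should override `fullName` with an `@sha256:` reference. Separately, nothing in the chart tells an operator that 6.0.0 is a breaking upgrade: existing `anchorPlatform.*` overrides are now silently ignored and the `sdp.ap.domain` helper used by the deleted ingress no longer exists, so `helm upgrade` with an old values file removes the Anchor Platform deployment, service and ingress; add that to NOTES.txt/README alongside the SEP-10/SEP-24 migration steps.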