Skip to content

Consensys/quorum-key-manager-helm

Repository files navigation

Quorum Key-manager-helm

Quorum Key Manager

Quorum Key Manager(QKM) is a key management service developed under the BSL 1.1 license and written in Go.

Quorum Key Manager exposes a HTTP API service to manage your secrets, keys and ethereum accounts. QKM supports the integration with Amazon Key Management Service, Azure Key Vault and Hashicorp Vault.

In addition, using QKM, you can connect to your ethereum nodes to sign your transaction using the ethereum account stored in your secure key vault.

Installing the Chart

To install the chart with the release name qkm:

$ helm repo add helm-consensys https://artifacts.consensys.net/public/helm/helm/charts/
$ helm install qkm helm-consensys/quorumkeymanager

These commands deploy Quorum Key Manager on the Kubernetes cluster with the default configuration. The Parameters section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the qkm deployment:

$ helm delete qkm

The command removes all the Kubernetes components associated with the chart and deletes the release.

Parameters

The following tables lists the configurable parameters of the Quoum Key Manager chart and their default values.

Parameter Description Default
replicaCount Number of Quorum Key Manager replicas 1
nameOverride String to partially override quorumkeymanager.fullname template with a string (will prepend the release name) nil
fullnameOverride String to fully override quorumkeymanager.fullname template with a string nil
image.repository Path to Orchestrate image docker.consensys.net/pub/quorum-key-manager
image.tag Orchestrate image tag latest
image.pullPolicy Orchestrate image pull policy IfNotPresent
imageCredentials.create If true, create a secret containing the image credentials false
imageCredentials.name Name of the secret existing-secret
imageCredentials.registry Docker registry where Quorum Key Manager images are stored docker.consensys.net
imageCredentials.username Username of the registry someone
imageCredentials.password Password of the registry sillyness
serviceAccount.create If true, create a service account false
serviceAccount.annotations Annotations for service account {}
serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template ``
podAnnotations Annotations to add to the Quorum Key Manager's pods {}
podSecurityContext Pod security context {}
securityContext Container security context {}
service.type Kubernetes Service type ClusterIP
service.http.port Quorum Key Manager port 8080
service.metrics.port Quorum Key Manager metrics port 8081
ingress.enabled Enable ingress controller resource false
ingress.annotations Ingress annotations {}
ingress.hosts[0].host Hostname to your Quorum Key Manager qkm.local
ingress.hosts[0].http.paths[0].path Path within the url structure /
ingress.hosts[0].http.paths[0].backend.servicePort Service port to serve http-svc
ingress.tls[0].secretName TLS Secret Name nil
ingress.tls[0].hosts Array of TLS hosts for ingress record []
resources.limits The resources limits for Quorum Key Manager containers {}
resources.requests The requested resources for Quorum Key Manager containers {}
nodeSelector Node labels for pod assignment {}
tolerations Tolerations for pod assignment []
affinity Affinity for pod assignment {}
environment Environment variables passed to Quorum Key Manager containers {}
environmentSecrets Environment variables (as Kubernetes secrets) passed to Quorum Key Manager containers {}
existingSecret Already existing Secret name used to inject Environment variables nil
manifests List of manifests to be loaded by the Quorumm Key Manager ``
auth.apikey.enabled Is authentication based on passing an API-KEY enabled true
auth.apikey.file file path to the api keys file /apikey/api-keys.csv
auth.apikey.contents contents of your api-keys file formatted according to the provided sample.csv ""
auth.oidc.enabled Is authentication based on OIDC / OAuth2 remote service enabled true
auth.oidc.issuer The .well-known configuration url to your jwks file ""
auth.oidc.pubKey The public key that verifies your jwt tokens ""
auth.tls.enabled Is authentication based on client certificates enabled true
auth.tls.secretName k8s secret name that holds the auth server certificate + key qkm-tls
auth.tls.cacert the CA certificates file contents ""
vault.tls.enabled At least one agent requires tls activated true
vault.agents Vault agents descriptors array {}
vault.agents[0].name name of one vault agent in the array ""
vault.agents[0].ca base64 ca crt of one vault agent in the array ""
vault.agents[0].crt base64 tls certificate of one vault agent in the array ""
vault.agents[0].key base64 tls key of one vault agent in the array ""
vault.agents[0].mountPath mount path of tls files of one vault agent in the array ""
storage.nfs.enabled Aws Elastik File System is enabled true
storage.nfs.fsID Your nfs filesystem IDentifier as found in your aws account []
storage.nfs.mountPath mount path of the shared storage common to qkm and agents /vault/token
storage.nfs.driver Your nfs filesystem driver efs.csi.aws.com
storage.nfs.provisioner Your nfs file system provisioner efs.csi.aws.com
migrate.environment Environment variables passed to the DB migration Job {}
migrate.environmentSecrets Environment variables (as Kubernetes secrets) passed to the DB migration Job {}
migrate.existingSecret Already existing Secret name used to inject Environment variables passed to the DB migration Job nil
migrate.ttlSecondsAfterFinished Time to live before a TTL controller can actually remove the job and its dependencies 120
sync.enabled Accounts synchronisation is enabled and will run the appropriate sync Job fo you true
sync.storeName Name of the store you want to sync with ""
sync.environment Environment variables passed to the sync Job {}