diff --git a/versioned_docs/version-3.8/helm-charts/configure-custom-values-envoy.mdx b/versioned_docs/version-3.8/helm-charts/configure-custom-values-envoy.mdx
index 884d8043..41594e7c 100644
--- a/versioned_docs/version-3.8/helm-charts/configure-custom-values-envoy.mdx
+++ b/versioned_docs/version-3.8/helm-charts/configure-custom-values-envoy.mdx
@@ -1,3 +1,6 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
# Configure a custom values file for Scalar Envoy
This document explains how to create your custom values file for the Scalar Envoy chart. If you want to know the details of the parameters, please refer to the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/envoy/README.md) of the Scalar Envoy chart.
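Review bot: the `Tabs` and `TabItem` imports added above the title only earn their place if `<Tabs>`/`<TabItem>` elements are actually used in this file; in the upstream-TLS section further down, the three indented `kubectl create secret` blocks sit where tab panels would go, but no `<Tabs>` or `<TabItem label="...">` markup is visible in this view of the diff, so please confirm the components are present (with a `label` naming the product on each `TabItem`), and otherwise drop the imports.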
@@ -146,8 +149,8 @@ envoy:
If you're using AWS or Azure, please refer to the following documents for more details:
-* [How to install Scalar products through AWS Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AwsMarketplaceGuide.md)
-* [How to install Scalar products through Azure Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AzureMarketplaceGuide.md)
+* [How to install Scalar products through AWS Marketplace](../scalar-kubernetes/AwsMarketplaceGuide.mdx)
+* [How to install Scalar products through Azure Marketplace](../scalar-kubernetes/AzureMarketplaceGuide.mdx)
### TLS configurations (optional based on your environment)
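Review bot: switching these two links from absolute GitHub URLs to `../scalar-kubernetes/AwsMarketplaceGuide.mdx` and `../scalar-kubernetes/AzureMarketplaceGuide.mdx` assumes both files exist under `versioned_docs/version-3.8/scalar-kubernetes/`; please verify they are present in this version directory and not only in the current docs, since a missing target only surfaces at build time when `onBrokenMarkdownLinks` is set to `throw`.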
@@ -156,10 +159,66 @@ You can enable TLS in:
- Downstream connections between the client and Scalar Envoy.
- Upstream connections between Scalar Envoy and Scalar products.
+In addition, you have several options from the following two perspectives:
+
+1. Management of private key and certificate files
+ 1. Manage your private key and certificate files automatically by using [cert-manager](https://cert-manager.io/docs/).
+ - You can reduce maintenance or operation costs. For example, cert-manager automatically renews certificates before they expire and Scalar Helm Chart automatically mounts private key and certificate files on the Scalar product pods.
+ - You cannot use a CA that cert-manager does not support. You can see the supported issuer in the [cert-manager documentation](https://cert-manager.io/docs/configuration/issuers/).
+ 1. Manage your private key and certificate files manually.
+ - You can issue and manage your private key and certificate files by using your preferred method on your own.
+ - You can use any certificate even if cert-manager does not support it.
+ - You must update secret resources when certificates expire.
+1. Kinds of certificates
+ 1. Use a trusted CA (signed certificate by third party).
+ - You can use trusted certificates from a third-party certificate issuer.
+ - You can encrypt packets.
+ - You must pay costs to issue trusted certificates.
+ 1. Use self-signed certificates.
+ - You can reduce costs to issue certificates.
+ - Reliability of certificates is lower than a trusted CA, but you can encrypt packets.
+
+In other words, you have the following four options:
+
+1. Use a self-signed CA with automatic management.
+1. Use a trusted CA with automatic management.
+1. Use a self-signed CA with manual management.
+1. Use a trusted CA with manual management.
+
+You should consider which method you use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree:
+
+```mermaid
+flowchart TD
+ A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?]
+ A -->|Yes, I want to manage my
certificates automatically.| B
+ A -->|No, I want to manage my
certificates manually by myself.| C
+ B[Do you want to use a
self-signed CA or a trusted CA?]
+ C[Do you want to use a
self-signed CA or a trusted CA?]
+ B -->|I want to use a
self-signed CA.| D
+ B -->|I want to use a
trusted CA.| E
+ C -->|I want to use a
self-signed CA.| F
+ C -->|I want to use a
trusted CA.| G
+ D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files section.]
+ E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files section.]
+ F[See the Use your private
key and certificate files
section, and use the self-signed
certificate you generated.]
+ G[See the Use your private key
and certificate files section,
and use the trusted certificate
generated by the third party.]
+```
+
#### Enable TLS in downstream connections
You can enable TLS in downstream connections by using the following configurations:
+```yaml
+envoy:
+ tls:
+ downstream:
+ enabled: true
+```
+
+##### Use your private key and certificate files
+
+You can set your private key and certificate files by using the following configurations:
+
```yaml
envoy:
tls:
@@ -169,15 +228,67 @@ envoy:
privateKeySecret: "envoy-tls-key"
```
-In this case, you have to create secret resources that include private key and certificate files for Scalar Envoy as follows:
+In this case, you have to create secret resources that include private key and certificate files for Scalar Envoy as follows, replacing the contents in the angle brackets as described:
```console
-kubectl create secret generic envoy-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n
-kubectl create secret generic envoy-tls-key --from-file=private-key=/path/to/your/private/key/file -n
+kubectl create secret generic envoy-tls-cert --from-file=tls.crt=/ -n
+kubectl create secret generic envoy-tls-key --from-file=tls.key=/ -n
```
For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
+##### Use a trusted CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and certificate files with cert-manager by using the following configurations, replacing the content in the angle brackets as described:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager and prepare the `Issuers` resource. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/) and [Issuer Configuration](https://cert-manager.io/docs/configuration/).
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+envoy:
+ tls:
+ downstream:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name:
+ dnsNames:
+ - envoy.scalar.example.com
+```
+
+In this case, cert-manager issues your private key and certificate files by using your trusted issuer. By using cert-manager, you don't need to mount your private key and certificate files manually.
+
+##### Use a self-signed CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and self-signed certificate files with cert-manager by using the following configurations:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/).
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+envoy:
+ tls:
+ downstream:
+ enabled: true
+ certManager:
+ enabled: true
+ selfSigned:
+ enabled: true
+ dnsNames:
+ - envoy.scalar.example.com
+```
+
+In this case, Scalar Helm Charts and cert-manager issue your private key and self-signed certificate files. You don't need to mount your private key and certificate files manually.
+
#### Enable TLS in upstream connections
You can enable TLS in upstream connections by using the following configurations:
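Review bot: the secret-creation commands `kubectl create secret generic envoy-tls-cert --from-file=tls.crt=/ -n` and `kubectl create secret generic envoy-tls-key --from-file=tls.key=/ -n`, and the `name:` value under `issuerRef` in the trusted-CA YAML, have nothing after the `=` and after `-n`, even though the sentence above them promises angle-bracket placeholders; make sure the `<...>` placeholders are really in the committed source, since fenced blocks render them verbatim and nothing is showing here. Two smaller points on the decision tree: the node labels for A, D, E, F and G appear to contain raw line breaks, and Mermaid's flowchart grammar expects `<br/>` (or a quoted label) for that, so check the diagram in the Docusaurus preview; and node E says "manage private key and certificate files" while the heading it points to is "Use a trusted CA with cert-manager to manage your private key and certificate files", so align the wording so readers can search for the exact title. Finally, "Reliability of certificates is lower than a trusted CA" would be clearer stated as the concrete trade-off: every client must be provisioned with the self-signed root in order to verify the server and no third party vouches for the identity, while the encryption itself is not weaker.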
@@ -187,33 +298,67 @@ envoy:
tls:
upstream:
enabled: true
- overrideAuthority: "cluster.scalardb.example.com"
- caRootCertSecret: "scalardb-cluster-tls-ca"
```
-In this case, you have to create secret resources that include CA certificate files as follows. You must set the root CA certificate file based on the upstream that you use (ScalarDB Cluster, ScalarDL Ledger, or ScalarDL Auditor).
+Also, you must set root CA certificate file of upstream Scalar products. To determine which approach you should take, refer to the following decision tree:
+
+```mermaid
+flowchart TD
+ A[Are you using cert-manager?]
+ A -->|Yes| B
+ A -->|No| D
+ B[Are you using a self-signed CA with cert-manager?]
+ B -->|No| C[Are you using the same trusted CA for Envoy and
upstream Scalar products with cert-manager?]
+ C -->|No| D[You must set upstream Scalar products'
root CA certificate manually.]
+ C ---->|Yes| E[Scalar Helm Chart automatically sets the root CA certificate. You
don't need to set `envoy.tls.upstream.caRootCertSecret` explicitly.]
+ B ---->|Yes| E
+```
-* ScalarDB Cluster
+##### Set your root CA certificate file of upstream Scalar products
- ```console
- kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardb-cluster -n
- ```
+You can set your root CA certificate file by using the following configurations:
-* ScalarDL Ledger
+```yaml
+envoy:
+ tls:
+ upstream:
+ enabled: true
+ caRootCertSecret: "envoy-upstream-scalardb-cluster-root-ca"
+```
- ```console
- kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-ledger -n
- ```
+In this case, you have to create secret resources that include CA certificate files as follows. You must set the root CA certificate file based on the upstream that you use (ScalarDB Cluster, ScalarDL Ledger, or ScalarDL Auditor). Be sure to replace the contents in the angle brackets as described.
+
+
+
+ ```console
+ kubectl create secret generic envoy-upstream-scalardb-cluster-root-ca --from-file=ca.crt=/ -n
+ ```
+
+
+ ```console
+ kubectl create secret generic envoy-upstream-scalardl-ledger-root-ca --from-file=ca.crt=/ -n
+ ```
+
+
+ ```console
+ kubectl create secret generic envoy-upstream-scalardl-auditor-root-ca --from-file=ca.crt=/ -n
+ ```
+
+
-* ScalarDL Auditor
+For more details on how to prepare private key and certificate files, see [How to create key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
- ```console
- kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-auditor -n
- ```
+##### Set custom authority for TLS communications
-For more details on how to prepare private key and certificate files, see [How to create key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
+You can set the custom authority for TLS communications by using `envoy.tls.upstream.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`, depending on which product you're using. Envoy uses this value for verifying the certificate of the TLS connection with ScalarDB Cluster or ScalarDL.
-Also, you can set the custom authority for TLS communication by using `envoy.tls.upstream.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`, depending on which product you're using. Envoy uses this value for verifying the certificate of the TLS connection with ScalarDB Cluster or ScalarDL.
+```yaml
+envoy:
+ tls:
+ upstream:
+ enabled: true
+ overrideAuthority: "cluster.scalardb.example.com"
+```
### Replica configurations (Optional based on your environment)
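Review bot: the flowchart labels for node D (which contains the apostrophe in "products'") and node E (which embeds `envoy.tls.upstream.caRootCertSecret` in backticks) put punctuation inside unquoted `[...]` node text that Mermaid's flowchart parser is known to mishandle; wrap those labels in double quotes and confirm they render. The sentence "Also, you must set root CA certificate file of upstream Scalar products." should read "the root CA certificate file of the upstream Scalar products", and it would help to say plainly that the name given in `caRootCertSecret` must match the name used in the `kubectl create secret` command (the visible example uses `envoy-upstream-scalardb-cluster-root-ca` in both places, but the ledger and auditor variants only appear in the tabs). The three tabbed commands again end in `ca.crt=/ -n` with no visible placeholders, and the two links to the same file use different text ("How to create private key and certificate files ..." above, "How to create key and certificate files ..." below); pick one. In the `overrideAuthority` paragraph, it is worth adding that the value has to match a SAN in the upstream product's certificate chain, because Envoy verifies the upstream certificate against it; it is not a way to relax verification.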
diff --git a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardb-cluster.mdx b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardb-cluster.mdx
index a26ad7ba..3bb632e6 100644
--- a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardb-cluster.mdx
+++ b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardb-cluster.mdx
@@ -16,7 +16,7 @@ scalardbCluster:
### Database configurations
-You must set `scalardbCluster.scalardbClusterNodeProperties`. Please set `scalardb-cluster-node.properties` to this parameter. For more details on the configurations of ScalarDB Cluster, see [ScalarDB Cluster Configurations](https://github.com/scalar-labs/scalardb-cluster/blob/main/docs/scalardb-cluster-configurations.md).
+You must set `scalardbCluster.scalardbClusterNodeProperties`. Please set `scalardb-cluster-node.properties` to this parameter. For more details on the configurations of ScalarDB Cluster, see [ScalarDB Cluster Configurations](https://scalardb.scalar-labs.com/docs/latest/scalardb-cluster/scalardb-cluster-configurations/).
```yaml
scalardbCluster:
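Review bot: the new link target `https://scalardb.scalar-labs.com/docs/latest/scalardb-cluster/scalardb-cluster-configurations/` points a version-3.8 page at `latest`, so the referenced configuration keys can silently drift from what 3.8 supports; pin the URL to the 3.8 docs path, or use a relative doc link as the other links in this PR do.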
@@ -139,6 +139,34 @@ scalardbCluster:
### TLS configurations (optional based on your environment)
+You can enable TLS in:
+
+- The communications between the ScalarDB Cluster node and clients.
+- The communications between all ScalarDB Cluster nodes (the cluster's internal communications).
+
+In addition, you have several options for certificate management. For more details, see [TLS configurations for Envoy](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment).
+
+You should consider which method you use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree:
+
+```mermaid
+flowchart TD
+ A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?]
+ A -->|Yes, I want to manage my
certificates automatically.| B
+ A -->|No, I want to manage my
certificates manually by myself.| C
+ B[Do you want to use a
self-signed CA or a trusted CA?]
+ C[Do you want to use a
self-signed CA or a trusted CA?]
+ B -->|I want to use a
self-signed CA.| D
+ B -->|I want to use a
trusted CA.| E
+ C -->|I want to use a
self-signed CA.| F
+ C -->|I want to use a
trusted CA.| G
+ D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files section.]
+ E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files section.]
+ F[See the Use your private
key and certificate files
section, and use the self-signed
certificate you generated.]
+ G[See the Use your private key
and certificate files section,
and use the trusted certificate
generated by the third party.]
+```
+
+#### Enable TLS
+
You can enable TLS in all ScalarDB Cluster connections by using the following configurations:
```yaml
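Review bot: the decision tree and its two intro paragraphs are copied verbatim from `configure-custom-values-envoy.mdx` (and again into the ledger and auditor files in this PR), and the copies are already diverging (the ledger file's intro uses different wording); consider moving the Mermaid block into an underscore-prefixed partial such as `_tls-decision-tree.mdx` and importing it into the four pages so they cannot drift. The caveat about raw line breaks inside Mermaid node labels applies to this copy as well.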
@@ -146,29 +174,97 @@ scalardbCluster:
scalardbClusterNodeProperties: |
...(omit)...
scalar.db.cluster.tls.enabled=true
- scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem
- scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem
- scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com
+ scalar.db.cluster.tls.ca_root_cert_path=/tls/scalardb-cluster/certs/ca.crt
+ scalar.db.cluster.node.tls.cert_chain_path=/tls/scalardb-cluster/certs/tls.crt
+ scalar.db.cluster.node.tls.private_key_path=/tls/scalardb-cluster/certs/tls.key
+ scalar.db.cluster.tls.override_authority=
+ tls:
+ enabled: true
+```
+
+##### Use your private key and certificate files
+
+You can set your private key and certificate files by using the following configurations:
+
+```yaml
+scalardbCluster:
tls:
enabled: true
- overrideAuthority: "cluster.scalardb.example.com"
caRootCertSecret: "scalardb-cluster-tls-ca"
certChainSecret: "scalardb-cluster-tls-cert"
privateKeySecret: "scalardb-cluster-tls-key"
```
-In this case, you have to create secret resources that include private key and certificate files for ScalarDB Cluster as follows:
+In this case, you have to create secret resources that include private key and certificate files for ScalarDB Cluster as follows, replacing the contents in the angle brackets as described:
```console
-kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n
-kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n
-kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=/path/to/your/private/key/file -n
+kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca.crt=/ -n
+kubectl create secret generic scalardb-cluster-tls-cert --from-file=tls.crt=/ -n
+kubectl create secret generic scalardb-cluster-tls-key --from-file=tls.key=/ -n
```
For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
-Also, you can set the custom authority for TLS communication by using `scalardbCluster.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+##### Use a trusted CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and certificate files with cert-manager by using the following configurations, replacing the content in the angle brackets as described:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager and prepare the `Issuers` resource. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/) and [Issuer Configuration](https://cert-manager.io/docs/configuration/).
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+scalardbCluster:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name:
+ dnsNames:
+ - cluster.scalardb.example.com
+```
+
+In this case, cert-manager issues your private key and certificate files by using your trusted issuer. You don't need to mount your private key and certificate files manually.
+
+##### Use a self-signed CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and self-signed certificate files with cert-manager by using the following configurations:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager. For more details on how to deploy cert-manager, see the [Installation](https://cert-manager.io/docs/installation/) in the cert-manager official document.
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. We recommend the default certificate configuration, but if you custom certificate configuration, you must satisfy the certificate requirements of Scalar products. See [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+scalardbCluster:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ selfSigned:
+ enabled: true
+ dnsNames:
+ - cluster.scalardb.example.com
+```
+
+In this case, Scalar Helm Charts and cert-manager issue your private key and self-signed certificate files. You don't need to mount your private key and certificate files manually.
+
+##### Set custom authority for TLS communications
+
+You can set the custom authority for TLS communications by using `scalardbCluster.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+
+```yaml
+scalardbCluster:
+ tls:
+ enabled: true
+ overrideAuthority: "cluster.scalardb.example.com"
+```
### Replica configurations (optional based on your environment)
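Review bot: `scalar.db.cluster.tls.override_authority=` in the properties block is left with an empty value, and the three `kubectl create secret` commands end in `=/ -n` with no visible path or namespace placeholders, even though the text says to replace the angle-bracket contents; confirm the placeholders survived in the committed MDX. In the self-signed note, "but if you custom certificate configuration" is missing "use", and "see the [Installation](...) in the cert-manager official document" differs from the wording in the trusted-CA note just above and in the other three files in this PR ("For details, see the cert-manager documentation, [Installation](...)"); reuse that wording. Also, `scalar.db.cluster.tls.override_authority` in the properties is consumed by ScalarDB Cluster itself while `scalardbCluster.tls.overrideAuthority` is used by the chart's `startupProbe` and `livenessProbe`, as the last paragraph says; one sentence stating that both should carry the same hostname that appears in the certificate's SANs would save readers a mismatch.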
diff --git a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-auditor.mdx b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-auditor.mdx
index 47dd4d86..e91d2776 100644
--- a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-auditor.mdx
+++ b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-auditor.mdx
@@ -155,38 +155,157 @@ auditor:
### TLS configurations (optional based on your environment)
+You can enable TLS in:
+
+- The communications between the ScalarDL Auditor and clients.
+- The communications between the ScalarDL Ledger and ScalarDL Auditor.
+
+In addition, you have several options for certificate management. For more details, see [TLS configurations for Envoy](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment).
+
+You should consider which method you use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree:
+
+```mermaid
+flowchart TD
+ A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?]
+ A -->|Yes, I want to manage my
certificates automatically.| B
+ A -->|No, I want to manage my
certificates manually by myself.| C
+ B[Do you want to use a
self-signed CA or a trusted CA?]
+ C[Do you want to use a
self-signed CA or a trusted CA?]
+ B -->|I want to use a
self-signed CA.| D
+ B -->|I want to use a
trusted CA.| E
+ C -->|I want to use a
self-signed CA.| F
+ C -->|I want to use a
trusted CA.| G
+ D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files section.]
+ E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files section.]
+ F[See the Use your private
key and certificate files
section, and use the self-signed
certificate you generated.]
+ G[See the Use your private key
and certificate files section,
and use the trusted certificate
generated by the third party.]
+```
+
+#### Enable TLS
+
You can enable TLS in all ScalarDL Auditor connections by using the following configurations:
```yaml
auditor:
auditorProperties: |
+ ...(omit)...
scalar.dl.auditor.server.tls.enabled=true
- scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem
+ scalar.dl.auditor.server.tls.cert_chain_path=/tls/scalardl-auditor/certs/tls.crt
+ scalar.dl.auditor.server.tls.private_key_path=/tls/scalardl-auditor/certs/tls.key
scalar.dl.auditor.tls.enabled=true
- scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem
+ scalar.dl.auditor.tls.ca_root_cert_path=/tls/scalardl-ledger/certs/ca.crt
scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com
tls:
enabled: true
- overrideAuthority: "auditor.scalardl.example.com"
+```
+
+##### Use your private key and certificate files
+
+You can set your private key and certificate files by using the following configurations:
+
+```yaml
+auditor:
+ tls:
+ enabled: true
caRootCertSecret: "scalardl-auditor-tls-ca"
certChainSecret: "scalardl-auditor-tls-cert"
privateKeySecret: "scalardl-auditor-tls-key"
- caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger"
```
-In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger and ScalarDL Auditor as follows:
+In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger and ScalarDL Auditor as follows, replacing the contents in the angle brackets as described:
```console
-kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file/for/auditor -n
-kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=/path/to/your/auditor/certificate/file -n
-kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=/path/to/your/auditor/private/key/file -n
-kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=/path/to/your/ca/certificate/file/for/ledger -n
+kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca.crt=/ -n
+kubectl create secret generic scalardl-auditor-tls-cert --from-file=tls.crt=/ -n
+kubectl create secret generic scalardl-auditor-tls-key --from-file=tls.key=/ -n
+kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca.crt=/ -n
```
For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
-Also, you can set the custom authority for TLS communication by using `auditor.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+##### Use a trusted CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and certificate files with cert-manager by using the following configurations, replacing the content in the angle brackets as described:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager and prepare the `Issuers` resource. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/) and [Issuer Configuration](https://cert-manager.io/docs/configuration/).
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+auditor:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name:
+ dnsNames:
+ - auditor.scalardl.example.com
+```
+
+In this case, cert-manager issues your private key and certificate files by using your trusted issuer. You don't need to mount private key and certificate files manually.
+
+##### Use a self-signed CA with cert-manager to manage your private key and certificate files
+
+You can manage your private key and self-signed certificate files with cert-manager by using the following configurations:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/).
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFilesx#certificate-requirements).
+
+:::
+
+```yaml
+auditor:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ selfSigned:
+ enabled: true
+ dnsNames:
+ - auditor.scalardl.example.com
+```
+
+In this case, Scalar Helm Charts and cert-manager issue your private key and self-signed certificate files. You don't need to mount private key and certificate files manually.
+
+#### Set a root CA certificate for ScalarDL Ledger
+
+If you enable TLS on the ScalarDL Ledger side, you must set a root CA certificate file for Envoy in front of ScalarDL Ledger to access it from ScalarDL Auditor. To determine which approach you should take, refer to the following decision tree:
+
+```mermaid
+flowchart TD
+ A[Are you using cert-manager?]
+ A -->|Yes| B
+ A -->|No| D
+ B[Are you using a self-signed CA with cert-manager?]
+ B -->|No| C[Are you using the same trusted CA for ScalarDL
Ledger and ScalarDL Auditor with cert-manager?]
+ C -->|No| D[You must set the root
CA certificate of Envoy for ScalarDL Ledger manually.]
+ C ---->|Yes| E[Scalar Helm Chart automatically sets the root CA certificate. You
don't need to set `auditor.tls.upstream.caRootCertSecret` explicitly.]
+```
+
+If you need to set the root CA certificate file of Envoy manually, you can set it by using the following configurations:
+
+```yaml
+auditor:
+ tls:
+ enabled: true
+ caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger"
+```
+
+In this case, you have to create secret resources that include root CA certificate files as follows, replacing the contents in the angle brackets as described:
+
+```console
+kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca.crt=//scalardl-ledger -n
+```
+
+##### Set custom authority for TLS communications
+
+You can set the custom authority for TLS communications by using `auditor.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
### Replica configurations (Optional based on your environment)
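Review bot: the self-signed note links to `../scalar-kubernetes/HowToCreateKeyAndCertificateFilesx#certificate-requirements`, where `Filesx` should be `Files.mdx`; as written the link breaks. Next, decision-tree node E says you don't need to set `auditor.tls.upstream.caRootCertSecret`, but the key this page documents for that purpose is `auditor.tls.caRootCertForLedgerSecret` (see the YAML right below the diagram); use the real key name. The command `kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca.crt=//scalardl-ledger -n` has a double slash and a dangling path fragment where the other commands have a placeholder; make it match them. The "Set custom authority for TLS communications" section ends after one paragraph, whereas the Envoy and ScalarDB Cluster pages in this PR follow it with a YAML snippet; add the `auditor.tls.overrideAuthority: "auditor.scalardl.example.com"` example (that line was removed from the Enable TLS snippet above). Finally, `#### Set a root CA certificate for ScalarDL Ledger` is an H4, which makes the H5 custom-authority section its child rather than a sibling of the key/certificate sections as in the other files; check the heading levels.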
diff --git a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-ledger.mdx b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-ledger.mdx
index 858a8a15..c15268d3 100644
--- a/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-ledger.mdx
+++ b/versioned_docs/version-3.8/helm-charts/configure-custom-values-scalardl-ledger.mdx
@@ -155,33 +155,130 @@ ledger:
### TLS configurations (optional based on your environment)
+You can enable TLS in:
+
+- The communications between the ScalarDL Ledger and clients.
+- The communications between the ScalarDL Ledger and ScalarDL Auditor.
+
+Also, you have several options from the certificate management. See [TLS configurations on the Envoy document side](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment) for more details.
+
+Please consider which you use based on your security requirements. According to your decision, you can see the related document as follows:
+
+```mermaid
+flowchart TD
+ A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?]
+ A -->|Yes, I want to manage my
certificates automatically.| B
+ A -->|No, I want to manage my
certificates manually by myself.| C
+ B[Do you want to use a
self-signed CA or a trusted CA?]
+ C[Do you want to use a
self-signed CA or a trusted CA?]
+ B -->|I want to use a
self-signed CA.| D
+ B -->|I want to use a
trusted CA.| E
+ C -->|I want to use a
self-signed CA.| F
+ C -->|I want to use a
trusted CA.| G
+ D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files section.]
+ E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files section.]
+ F[See the Use your private
key and certificate files
section, and use the self-signed
certificate you generated.]
+ G[See the Use your private key
and certificate files section,
and use the trusted certificate
generated by the third party.]
+```
+
+#### Enable TLS
+
You can enable TLS in all ScalarDL Ledger connections by using the following configurations:
```yaml
ledger:
ledgerProperties: |
+ ...(omit)...
scalar.dl.ledger.server.tls.enabled=true
- scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem
+ scalar.dl.ledger.server.tls.cert_chain_path=/tls/scalardl-ledger/certs/tls.crt
+ scalar.dl.ledger.server.tls.private_key_path=/tls/scalardl-ledger/certs/tls.key
+ tls:
+ enabled: true
+```
+
+##### Use your private key and certificate files
+
+You can set your private key and certificate files by using the following configurations:
+
+```yaml
+ledger:
tls:
enabled: true
- overrideAuthority: "ledger.scalardl.example.com"
caRootCertSecret: "scalardl-ledger-tls-ca"
certChainSecret: "scalardl-ledger-tls-cert"
privateKeySecret: "scalardl-ledger-tls-key"
```
-In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger as follows:
+In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger as follows, replacing the contents in the angle brackets as described:
```console
-kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n
-kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n
-kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=/path/to/your/private/key/file -n
+kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca.crt=/ -n
+kubectl create secret generic scalardl-ledger-tls-cert --from-file=tls.crt=/ -n
+kubectl create secret generic scalardl-ledger-tls-key --from-file=tls.key=/ -n
```
For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx).
-Also, you can set the custom authority for TLS communication by using `ledger.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+##### Use a trusted CA with cert-manager to manage your private key and certificate files
+
+You can manage private key and certificate with cert-manager by using the following configurations:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager and prepare the `Issuers` resource. For more details on cert-manager, see the [Installation](https://cert-manager.io/docs/installation/) and [Issuer Configuration](https://cert-manager.io/docs/configuration/) in the cert-manager official document.
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. We recommend the default certificate configuration, but if you custom certificate configuration, you must satisfy the certificate requirements of Scalar products. See [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+ledger:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name: your-trusted-ca
+ dnsNames:
+ - ledger.scalardl.example.com
+```
+
+In this case, cert-manager issues private key and certificate by using your trusted issuer. You don't need to mount private key and certificate files manually.
+
+##### Use a self-signed CA with cert-manager to manage your private key and certificate files
+
+You can manage private key and self-signed certificate with cert-manager by using the following configurations:
+
+:::note
+
+* If you want to use cert-manager, you must deploy cert-manager. For more details on how to deploy cert-manager, see the [Installation](https://cert-manager.io/docs/installation/) in the cert-manager official document.
+* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. We recommend the default certificate configuration, but if you custom certificate configuration, you must satisfy the certificate requirements of Scalar products. See [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements).
+
+:::
+
+```yaml
+ledger:
+ tls:
+ enabled: true
+ certManager:
+ enabled: true
+ selfSigned:
+ enabled: true
+ dnsNames:
+ - ledger.scalardl.example.com
+```
+
+In this case, Scalar Helm Charts and cert-manager issue private key and self-signed certificate. You don't need to mount private key and certificate files manually.
+
+##### Set custom authority for TLS communications
+
+You can set the custom authority for TLS communications by using `ledger.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+
+```yaml
+ledger:
+ tls:
+ enabled: true
+ overrideAuthority: "ledger.scalardl.example.com"
+```
### Replica configurations (optional based on your environment)
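Review bot: the three `kubectl create secret` commands lost their placeholders: `--from-file=ca.crt=/ -n`, `--from-file=tls.crt=/ -n` and `--from-file=tls.key=/ -n` contain neither a file path nor a namespace, although the sentence above says to replace the contents in angle brackets, and the removed lines still show a readable path; restore `<path-to-...>` and `-n <namespace>` and check whether MDX is stripping the brackets. Both `:::note` blocks read "if you custom certificate configuration", which should be "if you use a custom certificate configuration". In the trusted-CA and self-signed cert-manager examples, say explicitly that the `dnsNames` entry (`ledger.scalardl.example.com`) is the authority clients and Auditor must present, which is why the `overrideAuthority` example at the end uses the same name; a mismatch there fails hostname verification. The manual example keeps `caRootCertSecret`, but the cert-manager examples never say where the CA certificate used for health checks and by Auditor comes from; one sentence stating that the chart mounts `ca.crt` from the cert-manager-issued secret, if that is what the chart does, would close that gap.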
diff --git a/versioned_docs/version-3.8/helm-charts/getting-started-scalar-helm-charts.mdx b/versioned_docs/version-3.8/helm-charts/getting-started-scalar-helm-charts.mdx
index 630cfb78..cd89310b 100644
--- a/versioned_docs/version-3.8/helm-charts/getting-started-scalar-helm-charts.mdx
+++ b/versioned_docs/version-3.8/helm-charts/getting-started-scalar-helm-charts.mdx
@@ -63,8 +63,10 @@ You need to install the `cfssl` and `cfssljson` command when following these get
After the Kubernetes cluster starts, you can try each Scalar Helm Charts on it. Please refer to the following documents for more details.
* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.mdx)
+* [ScalarDB Cluster with TLS by Using cert-manager](getting-started-scalardb-cluster-tls-cert-manager.mdx)
* [ScalarDB Analytics with PostgreSQL](getting-started-scalardb-analytics-postgresql.mdx)
* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.mdx)
+* [ScalarDL Ledger and Auditor with TLS by Using cert-manager (Auditor mode)](getting-started-scalardl-auditor-tls-cert-manager.mdx)
* [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.mdx)
* [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.mdx)
* [Monitoring using Prometheus Operator](getting-started-monitoring.mdx)
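Review bot: the two cert-manager tutorials added here do not use `cfssl` or `cfssljson` at all, since cert-manager issues every key and certificate, but the sentence in this hunk's context still says those commands are required when following these guides; scope that requirement to the non-cert-manager tutorials or add a note that the cert-manager variants need only `kubectl` and `helm`.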
diff --git a/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls-cert-manager.mdx b/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls-cert-manager.mdx
new file mode 100644
index 00000000..150dadaa
--- /dev/null
+++ b/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls-cert-manager.mdx
@@ -0,0 +1,572 @@
+# Getting Started with Helm Charts (ScalarDB Cluster with TLS by Using cert-manager)
+
+This tutorial explains how to get started with ScalarDB Cluster with TLS configurations by using Helm Charts and cert-manager on a Kubernetes cluster in a test environment. Before starting, you should already have a Mac or Linux environment for testing. In addition, although this tutorial mentions using **minikube**, the steps described should work in any Kubernetes cluster.
+
+## Requirements
+
+* You need to have a license key (trial license or commercial license) for ScalarDB Cluster. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact).
+* You need to use ScalarDB Cluster 3.12 or later, which supports TLS.
+
+## What you'll create
+
+In this tutorial, you'll deploy the following components on a Kubernetes cluster in the following way:
+
+```
++----------------------------------------------------------------------------------------------------------------------------------------------------+
+| [Kubernetes Cluster] |
+| [Pod] [Pod] [Pod] |
+| |
+| +-------+ +------------------------+ |
+| +---> | Envoy | ---+ +---> | ScalarDB Cluster node | ---+ |
+| [Pod] | +-------+ | | +------------------------+ | |
+| | | | | |
+| +-----------+ +---------+ | +-------+ | +--------------------+ | +------------------------+ | +---------------+ |
+| | Client | ---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | ScalarDB Cluster node | ---+---> | PostgreSQL | |
+| | (SQL CLI) | | (Envoy) | | +-------+ | | (ScalarDB Cluster) | | +------------------------+ | | (For Ledger) | |
+| +-----------+ +---------+ | | +--------------------+ | | +---------------+ |
+| | +-------+ | | +------------------------+ | |
+| +---> | Envoy | ---+ +---> | ScalarDB Cluster node | ---+ |
+| +-------+ +------------------------+ |
+| |
+| +----------------------------------------------------------------------------------+ +---------------------+ |
+| | cert-manager (create private key and certificate for Envoy and ScalarDB Cluster) | | Issuer (Private CA) | |
+| +----------------------------------------------------------------------------------+ +---------------------+ |
+| |
++----------------------------------------------------------------------------------------------------------------------------------------------------+
+```
+
+cert-manager automatically creates the following private key and certificate files for TLS connections.
+
+```
+ +----------------------+
+ +---> | For Scalar Envoy |
+ | +----------------------+
+ | | tls.key |
+ | | tls.crt |
++-------------------------+ | +----------------------+
+| Issuer (Self-signed CA) | ---(Sign certificates)---+
++-------------------------+ | +----------------------+
+| tls.key | +---> | For ScalarDB Cluster |
+| tls.crt | +----------------------+
+| ca.crt | | tls.key |
++-------------------------+ | tls.crt |
+ +----------------------+
+```
+
+Scalar Helm Charts automatically mount each private key and certificate file for Envoy and ScalarDB Cluster as follows to enable TLS in each connection. You'll manually mount a root CA certificate file on the client.
+
+```
++-------------------------------------+ +------------------------------------------------+ +--------------------------------+
+| Client | ---(CRUD/SQL requests)---> | Envoy for ScalarDB Cluster | ---> | ScalarDB Cluster nodes |
++-------------------------------------+ +------------------------------------------------+ +--------------------------------+
+| ca.crt (to verify tls.crt of Envoy) | | tls.key | | tls.key |
++-------------------------------------+ | tls.crt | | tls.crt |
+ | ca.crt (to verify tls.crt of ScalarDB Cluster) | | ca.crt (to check health) |
+ +------------------------------------------------+ +--------------------------------+
+```
+
+The following connections exist amongst the ScalarDB Cluster–related components:
+
+* **`Client - Envoy for ScalarDB Cluster`:** When you execute a CRUD API or SQL API function, the client accesses Envoy for ScalarDB Cluster.
+* **`Envoy for ScalarDB Cluster - ScalarDB Cluster`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDB Cluster.
+* **`ScalarDB Cluster node - ScalarDB Cluster node`:** A ScalarDB Cluster node accesses other ScalarDB Cluster nodes. In other words, the cluster's internal communications exist amongst all ScalarDB Cluster nodes.
+
+## Step 1. Start a Kubernetes cluster and install tools
+
+You need to prepare a Kubernetes cluster and install some tools (`kubectl`, `helm`, `cfssl`, and `cfssljson`). For more details on how to install them, see [Getting Started with Scalar Helm Charts](getting-started-scalar-helm-charts.mdx).
+
+## Step 2. Start the PostgreSQL containers
+
+ScalarDB Cluster must use some type of database system as a backend database. In this tutorial, you'll use PostgreSQL.
+
+You can deploy PostgreSQL on the Kubernetes cluster as follows:
+
+1. Add the Bitnami helm repository.
+
+ ```console
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ ```
+
+1. Deploy PostgreSQL for ScalarDB Cluster.
+
+ ```console
+ helm install postgresql-scalardb-cluster bitnami/postgresql \
+ --set auth.postgresPassword=postgres \
+ --set primary.persistence.enabled=false \
+ -n default
+ ```
+
+1. Check if the PostgreSQL containers are running.
+
+ ```console
+ kubectl get pod -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ postgresql-scalardb-cluster-0 1/1 Running 0 34s
+ ```
+
+## Step 3. Create a working directory
+
+You'll create some configuration files locally. Be sure to create a working directory for those files.
+
+1. Create a working directory.
+
+ ```console
+ mkdir -p ${HOME}/scalardb-cluster-test/
+ ```
+
+
+## Step 4. Deploy cert-manager and issuer resource
+
+This tutorial uses cert-manager to issue and manage your private keys and certificates. You can deploy cert-manager on the Kubernetes cluster as follows:
+
+1. Add the Jetstack helm repository.
+
+ ```console
+ helm repo add jetstack https://charts.jetstack.io
+ ```
+
+1. Deploy cert-manager.
+
+ ```console
+ helm install cert-manager jetstack/cert-manager \
+ --create-namespace \
+ --set installCRDs=true \
+ -n cert-manager
+ ```
+
+1. Check if the cert-manager containers are running.
+
+ ```console
+ kubectl get pod -n cert-manager
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ cert-manager-6dc66985d4-6lvtt 1/1 Running 0 26s
+ cert-manager-cainjector-c7d4dbdd9-xlrpn 1/1 Running 0 26s
+ cert-manager-webhook-847d7676c9-ckcz2 1/1 Running 0 26s
+ ```
+
+1. Change the working directory to `${HOME}/scalardb-cluster-test/`.
+
+ ```console
+ cd ${HOME}/scalardb-cluster-test/
+ ```
+
+1. Create a custom values file for the private CA (`private-ca-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardb-cluster-test/private-ca-custom-values.yaml
+ apiVersion: cert-manager.io/v1
+ kind: Issuer
+ metadata:
+ name: self-signed-issuer
+ spec:
+ selfSigned: {}
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: self-signed-ca-cert
+ spec:
+ isCA: true
+ commonName: self-signed-ca
+ secretName: self-signed-ca-cert-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: self-signed-issuer
+ kind: Issuer
+ group: cert-manager.io
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Issuer
+ metadata:
+ name: self-signed-ca
+ spec:
+ ca:
+ secretName: self-signed-ca-cert-secret
+ EOF
+ ```
+
+1. Deploy a self-signed CA.
+
+ ```console
+ kubectl apply -f ./private-ca-custom-values.yaml
+ ```
+
+1. Check if the issuer resources are `True`.
+
+ ```console
+ kubectl get issuer
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY AGE
+ self-signed-ca True 6s
+ self-signed-issuer True 6s
+ ```
+
+## Step 5. Deploy ScalarDB Cluster on the Kubernetes cluster by using Helm Charts
+
+1. Add the Scalar Helm Charts repository.
+
+ ```console
+ helm repo add scalar-labs https://scalar-labs.github.io/helm-charts
+ ```
+
+1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). For details about the value of ``, see [How to Configure a Product License Key](https://scalardb.scalar-labs.com/docs/latest/scalar-licensing/).
+
+ ```console
+ SCALAR_DB_CLUSTER_LICENSE_KEY=''
+ SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=''
+ ```
+
+1. Create a custom values file for ScalarDB Cluster (`scalardb-cluster-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardb-cluster-test/scalardb-cluster-custom-values.yaml
+ envoy:
+
+ enabled: true
+
+ tls:
+ downstream:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - envoy.scalar.example.com
+ upstream:
+ enabled: true
+ overrideAuthority: "cluster.scalardb.example.com"
+
+ scalardbCluster:
+
+ image:
+ repository: "ghcr.io/scalar-labs/scalardb-cluster-node-byol-premium"
+
+ scalardbClusterNodeProperties: |
+ ### Necessary configurations for deployment on Kuberetes
+ scalar.db.cluster.membership.type=KUBERNETES
+ scalar.db.cluster.membership.kubernetes.endpoint.namespace_name=${env:SCALAR_DB_CLUSTER_MEMBERSHIP_KUBERNETES_ENDPOINT_NAMESPACE_NAME}
+ scalar.db.cluster.membership.kubernetes.endpoint.name=${env:SCALAR_DB_CLUSTER_MEMBERSHIP_KUBERNETES_ENDPOINT_NAME}
+
+ ### Storage configurations
+ scalar.db.contact_points=jdbc:postgresql://postgresql-scalardb-cluster.default.svc.cluster.local:5432/postgres
+ scalar.db.username=${env:SCALAR_DB_CLUSTER_POSTGRES_USERNAME}
+ scalar.db.password=${env:SCALAR_DB_CLUSTER_POSTGRES_PASSWORD}
+ scalar.db.storage=jdbc
+
+ ### SQL configurations
+ scalar.db.sql.enabled=true
+
+ ### Auth configurations
+ scalar.db.cluster.auth.enabled=true
+ scalar.db.cross_partition_scan.enabled=true
+
+ ### TLS configurations
+ scalar.db.cluster.tls.enabled=true
+ scalar.db.cluster.tls.ca_root_cert_path=/tls/scalardb-cluster/certs/ca.crt
+ scalar.db.cluster.node.tls.cert_chain_path=/tls/scalardb-cluster/certs/tls.crt
+ scalar.db.cluster.node.tls.private_key_path=/tls/scalardb-cluster/certs/tls.key
+ scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com
+
+ ### License key configurations
+ scalar.db.cluster.node.licensing.license_key=${env:SCALAR_DB_CLUSTER_LICENSE_KEY}
+ scalar.db.cluster.node.licensing.license_check_cert_pem=${env:SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}
+
+ tls:
+ enabled: true
+ overrideAuthority: "cluster.scalardb.example.com"
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - cluster.scalardb.example.com
+
+ secretName: "scalardb-credentials-secret"
+ EOF
+ ```
+
+1. Create a secret resource named `scalardb-credentials-secret` that includes credentials and license keys.
+
+ ```console
+ kubectl create secret generic scalardb-credentials-secret \
+ --from-literal=SCALAR_DB_CLUSTER_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DB_CLUSTER_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DB_CLUSTER_LICENSE_KEY="${SCALAR_DB_CLUSTER_LICENSE_KEY}" \
+ --from-file=SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
+ ```
+
+1. Set the chart version of ScalarDB Cluster.
+
+ ```console
+ SCALAR_DB_CLUSTER_VERSION=3.12.2
+ SCALAR_DB_CLUSTER_CHART_VERSION=$(helm search repo scalar-labs/scalardb-cluster -l | grep -F "${SCALAR_DB_CLUSTER_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1)
+ ```
+
+1. Deploy ScalarDB Cluster.
+
+ ```console
+ helm install scalardb-cluster scalar-labs/scalardb-cluster -f ${HOME}/scalardb-cluster-test/scalardb-cluster-custom-values.yaml --version ${SCALAR_DB_CLUSTER_CHART_VERSION} -n default
+ ```
+
+1. Check if the ScalarDB Cluster pods are deployed.
+
+ ```console
+ kubectl get pod -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ postgresql-scalardb-cluster-0 1/1 Running 0 4m30s
+ scalardb-cluster-envoy-7cc948dfb-4rb8l 1/1 Running 0 18s
+ scalardb-cluster-envoy-7cc948dfb-hwt96 1/1 Running 0 18s
+ scalardb-cluster-envoy-7cc948dfb-rzbrx 1/1 Running 0 18s
+ scalardb-cluster-node-7c6959c79d-445kj 1/1 Running 0 18s
+ scalardb-cluster-node-7c6959c79d-4z54q 1/1 Running 0 18s
+ scalardb-cluster-node-7c6959c79d-vcv96 1/1 Running 0 18s
+ ```
+
+ If the ScalarDB Cluster pods are deployed properly, the `STATUS` column for those pods will be displayed as `Running`.
+
+1. Check if the ScalarDB Cluster services are deployed.
+
+ ```console
+ kubectl get svc -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+ kubernetes ClusterIP 10.96.0.1 443/TCP 7h34m
+ postgresql-scalardb-cluster ClusterIP 10.96.92.27 5432/TCP 4m52s
+ postgresql-scalardb-cluster-hl ClusterIP None 5432/TCP 4m52s
+ scalardb-cluster-envoy ClusterIP 10.96.250.175 60053/TCP 40s
+ scalardb-cluster-envoy-metrics ClusterIP 10.96.40.197 9001/TCP 40s
+ scalardb-cluster-headless ClusterIP None 60053/TCP 40s
+ scalardb-cluster-metrics ClusterIP 10.96.199.135 9080/TCP 40s
+ ```
+
+ If the ScalarDB Cluster services are deployed properly, you can see private IP addresses in the `CLUSTER-IP` column.
+
+:::note
+
+The `CLUSTER-IP` values for `postgresql-scalardb-cluster-hl` and `scalardb-cluster-headless` are `None` since they have no IP addresses.
+
+:::
+
+## Step 6. Start a client container
+
+You'll use the CA certificate file in a client container. Therefore, you'll need to create a secret resource and mount it to the client container.
+
+1. Create a secret resource named `client-ca-cert`.
+
+ ```console
+ kubectl create secret generic client-ca-cert --from-file=ca.crt=<(kubectl get secret self-signed-ca-cert-secret -o "jsonpath={.data['ca\.crt']}" | base64 -d) -n default
+ ```
+
+1. Create a manifest file for a client pod (`scalardb-cluster-client-pod.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: "scalardb-cluster-client"
+ spec:
+ containers:
+ - name: scalardb-cluster-client
+ image: eclipse-temurin:8
+ command: ['sleep']
+ args: ['inf']
+ env:
+ - name: SCALAR_DB_CLUSTER_VERSION
+ value: SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION
+ volumeMounts:
+ - name: "client-ca-cert"
+ mountPath: "/certs/"
+ readOnly: true
+ volumes:
+ - name: "client-ca-cert"
+ secret:
+ secretName: "client-ca-cert"
+ restartPolicy: Never
+ EOF
+ ```
+
+1. Set the ScalarDB Cluster version in the manifest file.
+
+ ```console
+ sed -i s/SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION/${SCALAR_DB_CLUSTER_VERSION}/ ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml
+ ```
+
+1. Deploy the client pod.
+
+ ```console
+ kubectl apply -f ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml -n default
+ ```
+
+1. Check if the client container is running.
+
+ ```console
+ kubectl get pod scalardb-cluster-client -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ scalardb-cluster-client 1/1 Running 0 26s
+ ```
+
+## Step 7. Run the ScalarDB Cluster SQL CLI in the client container
+
+1. Run bash in the client container.
+
+ ```console
+ kubectl exec -it scalardb-cluster-client -n default -- bash
+ ```
+
+ The commands in the following steps must be run in the client container.
+
+1. Download the ScalarDB Cluster SQL CLI from [Releases](https://github.com/scalar-labs/scalardb/releases).
+
+ ```console
+ curl -OL https://github.com/scalar-labs/scalardb/releases/download/v${SCALAR_DB_CLUSTER_VERSION}/scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar
+ ```
+
+1. Create a `database.properties` file and add configurations.
+
+ ```console
+ cat << 'EOF' > /database.properties
+ # ScalarDB Cluster configurations
+ scalar.db.sql.connection_mode=cluster
+ scalar.db.sql.cluster_mode.contact_points=indirect:scalardb-cluster-envoy.default.svc.cluster.local
+
+ # Auth configurations
+ scalar.db.cluster.auth.enabled=true
+ scalar.db.sql.cluster_mode.username=admin
+ scalar.db.sql.cluster_mode.password=admin
+
+ # TLS configurations
+ scalar.db.cluster.tls.enabled=true
+ scalar.db.cluster.tls.ca_root_cert_path=/certs/ca.crt
+ scalar.db.cluster.tls.override_authority=envoy.scalar.example.com
+ EOF
+ ```
+
+1. Run the ScalarDB Cluster SQL CLI.
+
+ ```console
+ java -jar /scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar --config /database.properties
+ ```
+
+1. Create a sample namespace named `ns`.
+
+ ```sql
+ CREATE NAMESPACE ns;
+ ```
+
+1. Create a sample table named `tbl` under the namespace `ns`.
+
+ ```sql
+ CREATE TABLE ns.tbl (a INT, b INT, c INT, PRIMARY KEY(a, b));
+ ```
+
+1. Insert sample records.
+
+ ```sql
+ INSERT INTO ns.tbl VALUES (1,2,3), (4,5,6), (7,8,9);
+ ```
+
+1. Select the sample records that you inserted.
+
+ ```sql
+ SELECT * FROM ns.tbl;
+ ```
+
+ [Command execution result]
+
+ ```sql
+ 0: scalardb> SELECT * FROM ns.tbl;
+ +---+---+---+
+ | a | b | c |
+ +---+---+---+
+ | 7 | 8 | 9 |
+ | 1 | 2 | 3 |
+ | 4 | 5 | 6 |
+ +---+---+---+
+ 3 rows selected (0.059 seconds)
+ ```
+
+1. Press `Ctrl + D` to exit from ScalarDB Cluster SQL CLI.
+
+ ```console
+ ^D
+ ```
+
+1. Exit from the client container.
+
+ ```console
+ exit
+ ```
+
+## Step 8. Delete all resources
+
+After completing the ScalarDB Cluster tests on the Kubernetes cluster, remove all resources.
+
+1. Uninstall ScalarDB Cluster and PostgreSQL.
+
+ ```console
+ helm uninstall -n default scalardb-cluster postgresql-scalardb-cluster
+ ```
+
+1. Uninstall cert-manager.
+
+ ```console
+ helm uninstall -n cert-manager cert-manager
+ ```
+
+1. Remove the client container.
+
+ ```
+ kubectl delete pod scalardb-cluster-client --grace-period 0 -n default
+ ```
+
+1. Remove the working directory and the sample configuration files.
+
+ ```console
+ cd ${HOME}
+ ```
+
+ ```console
+ rm -rf ${HOME}/scalardb-cluster-test/
+ ```
+
+## Further reading
+
+You can see how to get started with monitoring or logging for Scalar products in the following tutorials:
+
+* [Getting Started with Helm Charts (Monitoring using Prometheus Operator)](getting-started-monitoring.mdx)
+* [Getting Started with Helm Charts (Logging using Loki Stack)](getting-started-logging.mdx)
+* [Getting Started with Helm Charts (Scalar Manager)](getting-started-scalar-manager.mdx)
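Review bot: the `sed -i s/SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION/.../` command in Step 6 fails on macOS, which the introduction says is supported, because BSD `sed -i` takes a mandatory backup-suffix argument (`sed -i '' ...`); give both forms, or drop in-place editing and write `${SCALAR_DB_CLUSTER_VERSION}` into the manifest with an unquoted heredoc. Other points in page order: the "What you'll create" diagram labels the database "PostgreSQL (For Ledger)", copied from the ScalarDL tutorial, and should say "(For ScalarDB Cluster)"; Step 1 tells the reader to install `cfssl` and `cfssljson`, but nothing in this tutorial uses them; the license placeholders are missing (`SCALAR_DB_CLUSTER_LICENSE_KEY=''` and "For details about the value of ``" with an empty code span), so the reader is not told what to paste; the values-file comment says "Kuberetes"; the `kubectl delete pod` block in Step 8 is the only fence without a `console` tag. On the security side, the tutorial turns on `scalar.db.cluster.auth.enabled=true` and then uses `admin`/`admin` in `database.properties`, and the CA is self-signed, which is fine for a test setup, but unlike the sibling TLS tutorial this page never says these artefacts are test-only; a short note in Requirements or Step 4 would prevent the CA secret and credentials from being reused elsewhere.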
diff --git a/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls.mdx b/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls.mdx
index c1af1be9..3a8d915d 100644
--- a/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls.mdx
+++ b/versioned_docs/version-3.8/helm-charts/getting-started-scalardb-cluster-tls.mdx
@@ -40,7 +40,7 @@ You'll also create the following private key and certificate files for TLS conne
| | envoy-key.pem |
| | envoy.pem |
+----------------------+ | +-------------------------------+
-| Self-managed CA | ---(Sign certificates)---+
+| Self-signed CA | ---(Sign certificates)---+
+----------------------+ | +-------------------------------+
| ca-key.pem | +---> | For ScalarDB Cluster |
| ca.pem | +-------------------------------+
@@ -117,11 +117,7 @@ You'll create some configuration files and private key and certificate files loc
## Step 4. Create private key and certificate files
-:::warning
-
-In this tutorial, a self-managed CA is used for testing. However, it is strongly recommended that these certificates **not** be used in production. Please prepare your certificate files based on the security requirements of your system.
-
-:::
+You'll create private key and a certificate files.
1. Change the working directory to `${HOME}/scalardb-cluster-test/certs/`.
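Review bot: this hunk deletes the only warning that the self-signed CA and the keys created in Step 4 are for testing and must not be used in production, and replaces it with a sentence that carries no caveat; keep the warning (or an equivalent `:::note`), especially now that the diagram calls it a "Self-signed CA", which makes reuse of these files more tempting rather than less. The replacement sentence also has a grammar slip: "You'll create private key and a certificate files" should read "You'll create private key and certificate files".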
@@ -277,6 +273,13 @@ In this tutorial, a self-managed CA is used for testing. However, it is strongly
helm repo add scalar-labs https://scalar-labs.github.io/helm-charts
```
+1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). For details about the value of ``, see [How to Configure a Product License Key](https://scalardb.scalar-labs.com/docs/latest/scalar-licensing/).
+
+ ```console
+ SCALAR_DB_CLUSTER_LICENSE_KEY=''
+ SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=''
+ ```
+
1. Create a custom values file for ScalarDB Cluster (`scalardb-cluster-custom-values.yaml`).
```console
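Review bot: the license placeholders in the moved step are empty (`SCALAR_DB_CLUSTER_LICENSE_KEY=''`, and "For details about the value of ``" has an empty code span), so the reader is pointed at a document about a value that is never named; restore the `<...>` placeholders and check whether MDX is consuming the angle brackets. Moving this step ahead of the values file is the right order, since the secret created later reads these variables.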
@@ -321,14 +324,14 @@ In this tutorial, a self-managed CA is used for testing. However, it is strongly
### TLS configurations
scalar.db.cluster.tls.enabled=true
- scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem
- scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem
+ scalar.db.cluster.tls.ca_root_cert_path=/tls/scalardb-cluster/certs/ca.crt
+ scalar.db.cluster.node.tls.cert_chain_path=/tls/scalardb-cluster/certs/tls.crt
+ scalar.db.cluster.node.tls.private_key_path=/tls/scalardb-cluster/certs/tls.key
scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com
### License key configurations
- scalar.dl.licensing.license_key=${env:SCALAR_DB_CLUSTER_LICENSE_KEY}
- scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}
+ scalar.db.cluster.node.licensing.license_key=${env:SCALAR_DB_CLUSTER_LICENSE_KEY}
+ scalar.db.cluster.node.licensing.license_check_cert_pem=${env:SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}
tls:
enabled: true
@@ -341,37 +344,31 @@ In this tutorial, a self-managed CA is used for testing. However, it is strongly
EOF
```
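Review bot: the rename from `scalar.dl.licensing.*` to `scalar.db.cluster.node.licensing.*` corrects a ScalarDL-prefixed key in a ScalarDB Cluster file and is worth calling out in the changelog, as a values file carrying the old keys would silently not pass the license. The new TLS paths (`/tls/scalardb-cluster/certs/ca.crt`, `tls.crt`, `tls.key`) match the secret keys created later in this diff, but they are a breaking change for anyone with an existing values file under `/tls/certs/`; state which chart version introduced the new mount path so readers on older charts do not copy these lines.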
-1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact).
-
- ```console
- SCALAR_DB_CLUSTER_LICENSE_KEY=
- SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=
- ```
-
1. Create a secret resource named `scalardb-credentials-secret` that includes credentials and license keys.
```console
kubectl create secret generic scalardb-credentials-secret \
- --from-literal=SCALAR_DB_CLUSTER_POSTGRES_USERNAME=postgres \
- --from-literal=SCALAR_DB_CLUSTER_POSTGRES_PASSWORD=postgres \
- --from-literal=SCALAR_DB_CLUSTER_LICENSE_KEY=${SCALAR_DB_CLUSTER_LICENSE_KEY} \
- --from-literal=SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} \
- -n default
+ --from-literal=SCALAR_DB_CLUSTER_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DB_CLUSTER_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DB_CLUSTER_LICENSE_KEY="${SCALAR_DB_CLUSTER_LICENSE_KEY}" \
+ --from-file=SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
```
1. Create secret resources that include the private key and certificate files for Envoy.
```console
- kubectl create secret generic envoy-tls-cert --from-file=cert-chain=${HOME}/scalardb-cluster-test/certs/envoy.pem -n default
- kubectl create secret generic envoy-tls-key --from-file=private-key=${HOME}/scalardb-cluster-test/certs/envoy-key.pem -n default
+ kubectl create secret generic envoy-tls-cert --from-file=tls.crt=${HOME}/scalardb-cluster-test/certs/envoy.pem -n default
+ kubectl create secret generic envoy-tls-key --from-file=tls.key=${HOME}/scalardb-cluster-test/certs/envoy-key.pem -n default
```
1. Create secret resources that include the key, certificate, and CA certificate files for ScalarDB Cluster.
```console
- kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=${HOME}/scalardb-cluster-test/certs/ca.pem -n default
- kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=${HOME}/scalardb-cluster-test/certs/scalardb-cluster.pem -n default
- kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=${HOME}/scalardb-cluster-test/certs/scalardb-cluster-key.pem -n default
+ kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca.crt=${HOME}/scalardb-cluster-test/certs/ca.pem -n default
+ kubectl create secret generic scalardb-cluster-tls-cert --from-file=tls.crt=${HOME}/scalardb-cluster-test/certs/scalardb-cluster.pem -n default
+ kubectl create secret generic scalardb-cluster-tls-key --from-file=tls.key=${HOME}/scalardb-cluster-test/certs/scalardb-cluster-key.pem -n default
```
1. Set the chart version of ScalarDB Cluster.
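Review bot: the removed "Set your license key and certificate as environment variables" step leaves the `kubectl create secret generic scalardb-credentials-secret` command in this hunk expanding `${SCALAR_DB_CLUSTER_LICENSE_KEY}` and `${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}` with nothing in the hunk defining them; if that step was moved ahead of the values-file step (as the new ScalarDL tutorial in this same change does), fine, otherwise readers silently get an empty license key and an empty certificate file. On the new `--from-file=SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} | sed ...)` line, the variable is unquoted inside `echo`, so word splitting and glob expansion act on the PEM text before `sed` sees it; write `echo "${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}"`. The `sed` replacement that spans two lines via a backslash-newline is easy to break when copied from a rendered page; `printf '%b\n' "${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM}"` expands the literal `\n` sequences without that trick. Process substitution `<(...)` also requires bash or zsh, so the step should state the shell assumption. The renamed secret keys `tls.crt`, `tls.key` and `ca.crt` match the mount paths used later in the document, which is good.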
@@ -441,7 +438,7 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
1. Create a secret resource named `client-ca-cert`.
```console
- kubectl create secret generic client-ca-cert --from-file=certificate=${HOME}/scalardb-cluster-test/certs/ca.pem -n default
+ kubectl create secret generic client-ca-cert --from-file=ca.crt=${HOME}/scalardb-cluster-test/certs/ca.pem -n default
```
1. Create a manifest file for a client pod (`scalardb-cluster-client-pod.yaml`).
@@ -463,8 +460,7 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
value: SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION
volumeMounts:
- name: "client-ca-cert"
- mountPath: "/certs/ca/ca.pem"
- subPath: certificate
+ mountPath: "/certs/"
readOnly: true
volumes:
- name: "client-ca-cert"
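Review bot: dropping `subPath: certificate` and mounting the whole secret at `mountPath: "/certs/"` has two consequences the text should state: the file is now at `/certs/ca.crt` (matching the key rename in the `client-ca-cert` secret and the `ca_root_cert_path` change in the `database.properties` hunk), and because no `subPath` is used the mounted file is refreshed when the secret is updated, which a `subPath` mount never is. The trailing slash in `"/certs/"` is harmless but unusual; `/certs` is the conventional form. `readOnly: true` is correctly kept.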
@@ -499,24 +495,20 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
scalardb-cluster-client 1/1 Running 0 26s
```
-## Step 7. Download and copy the ScalarDB Cluster SQL CLI to the client container
-
-1. Download the ScalarDB Cluster SQL CLI from [Releases](https://github.com/scalar-labs/scalardb/releases) into the directory `${HOME}/scalardb-cluster-test/`.
+## Step 7. Run the ScalarDB Cluster SQL CLI in the client container
-1. Copy the ScalarDB Cluster SQL CLI to the client container.
+1. Run bash in the client container.
```console
- kubectl cp ${HOME}/scalardb-cluster-test/scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar scalardb-cluster-client:/
+ kubectl exec -it scalardb-cluster-client -n default -- bash
```
+ The commands in the following steps must be run in the client container.
-## Step 8. Run the ScalarDB Cluster SQL CLI in the client container
-
-1. Run bash in the client container.
+1. Download the ScalarDB Cluster SQL CLI from [Releases](https://github.com/scalar-labs/scalardb/releases).
```console
- kubectl exec -it scalardb-cluster-client -n default -- bash
+ curl -OL https://github.com/scalar-labs/scalardb/releases/download/v${SCALAR_DB_CLUSTER_VERSION}/scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar
```
- The commands in the following steps must be run in the client container.
1. Create a `database.properties` file and add configurations.
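Review bot: moving the download into the client container (the new `curl -OL https://github.com/scalar-labs/scalardb/releases/download/v${SCALAR_DB_CLUSTER_VERSION}/...` step) introduces two requirements the old `kubectl cp` flow did not have and that the steps should call out: `curl` must exist in the client image, and the pod needs outbound access to github.com, which a cluster with egress restrictions will not allow. `${SCALAR_DB_CLUSTER_VERSION}` now expands inside the container rather than on the workstation; that works only because the pod manifest sets the variable through the `SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION` substitution, and a sentence saying so would prevent confusion when a reader has not run that `sed` step. Since the jar is fetched and executed unverified, consider adding a step that checks the downloaded artifact against the checksum published with the release, if one is published.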
@@ -533,7 +525,7 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
# TLS configurations
scalar.db.cluster.tls.enabled=true
- scalar.db.cluster.tls.ca_root_cert_path=/certs/ca/ca.pem
+ scalar.db.cluster.tls.ca_root_cert_path=/certs/ca.crt
scalar.db.cluster.tls.override_authority=envoy.scalar.example.com
EOF
```
@@ -582,7 +574,19 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
3 rows selected (0.059 seconds)
```
-## Step 9. Delete all resources
+1. Press `Ctrl + D` to exit from ScalarDB Cluster SQL CLI.
+
+ ```console
+ ^D
+ ```
+
+1. Exit from the client container.
+
+ ```console
+ exit
+ ```
+
+## Step 8. Delete all resources
After completing the ScalarDB Cluster tests on the Kubernetes cluster, remove all resources.
diff --git a/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls-cert-manager.mdx b/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls-cert-manager.mdx
new file mode 100644
index 00000000..f9d4d2a1
--- /dev/null
+++ b/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls-cert-manager.mdx
@@ -0,0 +1,927 @@
+# Getting Started with Helm Charts (ScalarDL Ledger and Auditor with TLS by Using cert-manager / Auditor Mode)
+
+This tutorial explains how to get started with ScalarDL Ledger and ScalarDL Auditor with TLS configurations by using Helm Charts and cert-manager on a Kubernetes cluster as a test environment. Before starting, you should already have a Mac or Linux environment for testing. In addition, although this tutorial mentions using **minikube**, the steps described should work in any Kubernetes cluster.
+
+## Requirements
+
+* You need to have a license key (trial license or commercial license) for ScalarDL. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact).
+* You need to use ScalarDL 3.9 or later, which supports TLS.
+
+:::note
+
+To make Byzantine-fault detection with auditing work properly, ScalarDL Ledger and ScalarDL Auditor should be deployed and managed in different administrative domains. However, in this tutorial, we will deploy ScalarDL Ledger and ScalarDL Auditor in the same Kubernetes cluster to make the test easier.
+
+:::
+
+## What you'll create
+
+In this tutorial, you'll deploy the following components on a Kubernetes cluster in the following way:
+
+```
++-----------------------------------------------------------------------------------------------------------------------------+
+| [Kubernetes Cluster] |
+| [Pod] [Pod] [Pod] |
+| |
+| +-------+ +---------+ |
+| +---> | Envoy | ---+ +---> | Ledger | ---+ |
+| | +-------+ | | +---------+ | |
+| | | | | |
+| +---------+ | +-------+ | +-----------+ | +---------+ | +---------------+ |
+| +---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | Ledger | ---+---> | PostgreSQL | |
+| | | (Envoy) | | +-------+ | | (Ledger) | | +---------+ | | (For Ledger) | |
+| | +---------+ | | +-----------+ | | +---------------+ |
+| [Pod] | | +-------+ | | +---------+ | |
+| | +---> | Envoy | ---+ +---> | Ledger | ---+ |
+| +--------+ | +-------+ +---------+ |
+| | Client | ---+ |
+| +--------+ | +-------+ +---------+ |
+| | +---> | Envoy | ---+ +---> | Auditor | ---+ |
+| | | +-------+ | | +---------+ | |
+| | | | | | |
+| | +---------+ | +-------+ | +-----------+ | +---------+ | +---------------+ |
+| +---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | Auditor | ---+---> | PostgreSQL | |
+| | (Envoy) | | +-------+ | | (Auditor) | | +---------+ | | (For Auditor) | |
+| +---------+ | | +-----------+ | | +---------------+ |
+| | +-------+ | | +---------+ | |
+| +---> | Envoy | ---+ +---> | Auditor | ---+ |
+| +-------+ +---------+ |
+| |
+| +--------------------------------------------------------------------------+ +---------------------+ |
+| | cert-manager (create private key and certificate for Envoy and ScalarDL) | | Issuer (Private CA) | |
+| +--------------------------------------------------------------------------+ +---------------------+ |
+| |
++-----------------------------------------------------------------------------------------------------------------------------+
+```
+
+cert-manager automatically creates the following private key and certificate files for TLS connections.
+
+```
+ +----------------------+
+ +---> | For Scalar Envoy |
+ | +----------------------+
+ | | tls.key |
+ | | tls.crt |
+ | +----------------------+
+ |
++-------------------------+ | +----------------------+
+| Issuer (Self-signed CA) | ---(Sign certificates)---+---> | For ScalarDL Ledger |
++-------------------------+ | +----------------------+
+| tls.key | | | tls.key |
+| tls.crt | | | tls.crt |
+| ca.crt | | +----------------------+
++-------------------------+ |
+ | +----------------------+
+ +---> | For ScalarDL Auditor |
+ +----------------------+
+ | tls.key |
+ | tls.crt |
+ +----------------------+
+```
+
+Scalar Helm Charts automatically mount each private key and certificate file for Envoy and ScalarDL as follows to enable TLS in each connection. You'll manually mount a root CA certificate file on the client.
+
+```
+ +------------------------------------------------+ +--------------------------------------+
+ +-------(Normal request)-----> | Envoy for ScalarDL Ledger | ---> | ScalarDL Ledger |
+ | +------------------------------------------------+ +--------------------------------------+
+ | +---(Recovery request)---> | tls.key | ---> | tls.key |
+ | | | tls.crt | | tls.crt |
+ | | | ca.crt (to verify tls.crt of ScalarDL Ledger) | | ca.crt (to check health) |
+ | | +------------------------------------------------+ +--------------------------------------+
++---------------------------------------+ | |
+| Client | ---+ |
++---------------------------------------+ | +------------------------------------------------------------------------------------------------------------------------------+
+| ca.crt (to verify tls.crt of Envoy) | | |
++---------------------------------------+ | |
+ | +------------------------------------------------+ +--------------------------------------+ |
+ +-------(Normal request)-----> | Envoy for ScalarDL Auditor | ---> | ScalarDL Auditor | ---+
+ +------------------------------------------------+ +--------------------------------------+
+ | tls.key | | tls.key |
+ | tls.crt | | tls.crt |
+ | ca.crt (to verify tls.crt of ScalarDL Auditor) | | ca.crt (to check health) |
+ +------------------------------------------------+ | ca.crt (to verify tls.crt of Envoy) |
+ +--------------------------------------+
+```
+
+The following connections exist amongst the ScalarDL-related components:
+
+* **`Client - Envoy for ScalarDL Ledger`:** When you execute a ScalarDL API function, the client accesses Envoy for ScalarDL Ledger.
+* **`Client - Envoy for ScalarDL Auditor`:** When you execute a ScalarDL API function, the client accesses Envoy for ScalarDL Auditor.
+* **`Envoy for ScalarDL Ledger - ScalarDL Ledger`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDL Ledger.
+* **`Envoy for ScalarDL Auditor - ScalarDL Auditor`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDL Auditor.
+* **`ScalarDL Auditor - Envoy for ScalarDL Ledger (ScalarDL Ledger)`:** When ScalarDL needs to run the recovery process to keep data consistent, ScalarDL Auditor runs the request against ScalarDL Ledger via Envoy.
+
+## Step 1. Start a Kubernetes cluster and install tools
+
+You need to prepare a Kubernetes cluster and install some tools (`kubectl`, `helm`, `cfssl`, and `cfssljson`). For more details on how to install them, see [Getting Started with Scalar Helm Charts](getting-started-scalar-helm-charts.mdx).
+
+## Step 2. Start the PostgreSQL containers
+
+ScalarDL Ledger and ScalarDL Auditor must use some type of database system as a backend database. In this tutorial, you'll use PostgreSQL.
+
+You can deploy PostgreSQL on the Kubernetes cluster as follows:
+
+1. Add the Bitnami helm repository.
+
+ ```console
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ ```
+
+1. Deploy PostgreSQL for Ledger.
+
+ ```console
+ helm install postgresql-ledger bitnami/postgresql \
+ --set auth.postgresPassword=postgres \
+ --set primary.persistence.enabled=false \
+ -n default
+ ```
+
+1. Deploy PostgreSQL for Auditor.
+
+ ```console
+ helm install postgresql-auditor bitnami/postgresql \
+ --set auth.postgresPassword=postgres \
+ --set primary.persistence.enabled=false \
+ -n default
+ ```
+
+1. Check if the PostgreSQL containers are running.
+
+ ```console
+ kubectl get pod -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ postgresql-auditor-0 1/1 Running 0 11s
+ postgresql-ledger-0 1/1 Running 0 16s
+ ```
+
+## Step 3. Create a working directory
+
+You'll create some configuration files and private key and certificate files locally. Be sure to create a working directory for those files.
+
+1. Create a working directory.
+
+ ```console
+ mkdir -p ${HOME}/scalardl-test/
+ ```
+
+## Step 4. Deploy cert-manager and issuer resource
+
+This tutorial uses cert-manager to issue and manage private keys and certificates. You can deploy cert-manager on the Kubernetes cluster as follows:
+
+1. Add the Jetstack helm repository.
+
+ ```console
+ helm repo add jetstack https://charts.jetstack.io
+ ```
+
+1. Deploy cert-manager.
+
+ ```console
+ helm install cert-manager jetstack/cert-manager \
+ --create-namespace \
+ --set installCRDs=true \
+ -n cert-manager
+ ```
+
+1. Check if the cert-manager containers are running.
+
+ ```console
+ kubectl get pod -n cert-manager
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ cert-manager-6dc66985d4-6lvtt 1/1 Running 0 26s
+ cert-manager-cainjector-c7d4dbdd9-xlrpn 1/1 Running 0 26s
+ cert-manager-webhook-847d7676c9-ckcz2 1/1 Running 0 26s
+ ```
+
+1. Change the working directory to `${HOME}/scalardl-test/`.
+
+ ```console
+ cd ${HOME}/scalardl-test/
+ ```
+
+1. Create a custom values file for private CA (`private-ca-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/private-ca-custom-values.yaml
+ apiVersion: cert-manager.io/v1
+ kind: Issuer
+ metadata:
+ name: self-signed-issuer
+ spec:
+ selfSigned: {}
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: self-signed-ca-cert
+ spec:
+ isCA: true
+ commonName: self-signed-ca
+ secretName: self-signed-ca-cert-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: self-signed-issuer
+ kind: Issuer
+ group: cert-manager.io
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Issuer
+ metadata:
+ name: self-signed-ca
+ spec:
+ ca:
+ secretName: self-signed-ca-cert-secret
+ EOF
+ ```
+
+1. Deploy self-signed CA.
+
+ ```console
+ kubectl apply -f ./private-ca-custom-values.yaml
+ ```
+
+1. Check if the issuer resources are `True`.
+
+ ```console
+ kubectl get issuer
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY AGE
+ self-signed-ca True 6s
+ self-signed-issuer True 6s
+ ```
+
+## Step 5. Create database schemas for ScalarDL Ledger and ScalarDL Auditor by using Helm Charts
+
+You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using Helm Charts. The ScalarDL Schema Loader will create the database schemas for ScalarDL Ledger and Auditor in PostgreSQL.
+
+1. Add the Scalar Helm Charts repository.
+
+ ```console
+ helm repo add scalar-labs https://scalar-labs.github.io/helm-charts
+ ```
+
+1. Create a custom values file for ScalarDL Schema Loader for Ledger (`schema-loader-ledger-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/schema-loader-ledger-custom-values.yaml
+ schemaLoading:
+ schemaType: "ledger"
+ databaseProperties: |
+ scalar.db.contact_points=jdbc:postgresql://postgresql-ledger.default.svc.cluster.local:5432/postgres
+ scalar.db.username=${env:SCALAR_DL_LEDGER_POSTGRES_USERNAME}
+ scalar.db.password=${env:SCALAR_DL_LEDGER_POSTGRES_PASSWORD}
+ scalar.db.storage=jdbc
+ secretName: "schema-ledger-credentials-secret"
+ EOF
+ ```
+
+1. Create a custom values file for ScalarDL Schema Loader for Auditor (`schema-loader-auditor-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/schema-loader-auditor-custom-values.yaml
+ schemaLoading:
+ schemaType: "auditor"
+ databaseProperties: |
+ scalar.db.contact_points=jdbc:postgresql://postgresql-auditor.default.svc.cluster.local:5432/postgres
+ scalar.db.username=${env:SCALAR_DL_AUDITOR_POSTGRES_USERNAME}
+ scalar.db.password=${env:SCALAR_DL_AUDITOR_POSTGRES_PASSWORD}
+ scalar.db.storage=jdbc
+ secretName: "schema-auditor-credentials-secret"
+ EOF
+ ```
+
+1. Create a secret resource named `schema-ledger-credentials-secret` that includes a username and password for PostgreSQL for ScalarDL Ledger.
+
+ ```console
+ kubectl create secret generic schema-ledger-credentials-secret \
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \
+ -n default
+ ```
+
+1. Create a secret resource named `schema-auditor-credentials-secret` that includes a username and password for PostgreSQL for ScalarDL Auditor.
+
+ ```console
+ kubectl create secret generic schema-auditor-credentials-secret \
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \
+ -n default
+ ```
+
+1. Set the chart version of ScalarDL Schema Loader.
+
+ ```console
+ SCALAR_DL_VERSION=3.9.0
+ SCALAR_DL_SCHEMA_LOADER_CHART_VERSION=$(helm search repo scalar-labs/schema-loading -l | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1)
+ ```
+
+1. Deploy ScalarDL Schema Loader for ScalarDL Ledger.
+
+ ```console
+ helm install schema-loader-ledger scalar-labs/schema-loading -f ${HOME}/scalardl-test/schema-loader-ledger-custom-values.yaml --version ${SCALAR_DL_SCHEMA_LOADER_CHART_VERSION} -n default
+ ```
+
+1. Deploy ScalarDL Schema Loader for ScalarDL Auditor.
+
+ ```console
+ helm install schema-loader-auditor scalar-labs/schema-loading -f ${HOME}/scalardl-test/schema-loader-auditor-custom-values.yaml --version ${SCALAR_DL_SCHEMA_LOADER_CHART_VERSION} -n default
+ ```
+
+1. Check if the ScalarDL Schema Loader pods are deployed with the status `Completed`.
+
+ ```console
+ kubectl get pod -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ postgresql-auditor-0 1/1 Running 0 2m56s
+ postgresql-ledger-0 1/1 Running 0 3m1s
+ schema-loader-auditor-schema-loading-dvc5r 0/1 Completed 0 6s
+ schema-loader-ledger-schema-loading-mtllb 0/1 Completed 0 10s
+ ```
+
+ If the status of the ScalarDL Schema Loader pods are **ContainerCreating** or **Running**, wait for the `STATUS` column for those pods to show as `Completed`.
+
+## Step 6. Deploy ScalarDL Ledger and ScalarDL Auditor on the Kubernetes cluster by using Helm Charts
+
+1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). For details about the value of `` and ``, see [How to Configure a Product License Key](https://scalardl.scalar-labs.com/docs/latest/scalar-licensing/).
+
+ ```console
+ SCALAR_DL_LEDGER_LICENSE_KEY=''
+ SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=''
+ SCALAR_DL_AUDITOR_LICENSE_KEY=''
+ SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM=''
+ ```
+
+1. Create a custom values file for ScalarDL Ledger (`scalardl-ledger-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/scalardl-ledger-custom-values.yaml
+ envoy:
+
+ tls:
+ downstream:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - envoy.scalar.example.com
+ upstream:
+ enabled: true
+ overrideAuthority: "ledger.scalardl.example.com"
+
+ ledger:
+
+ image:
+ repository: "ghcr.io/scalar-labs/scalardl-ledger-byol"
+
+ ledgerProperties: |
+ ### Storage configurations
+ scalar.db.storage=jdbc
+ scalar.db.contact_points=jdbc:postgresql://postgresql-ledger.default.svc.cluster.local:5432/postgres
+ scalar.db.username=${env:SCALAR_DL_LEDGER_POSTGRES_USERNAME}
+ scalar.db.password=${env:SCALAR_DL_LEDGER_POSTGRES_PASSWORD}
+
+ ### Ledger configurations
+ scalar.dl.ledger.proof.enabled=true
+ scalar.dl.ledger.auditor.enabled=true
+ scalar.dl.ledger.authentication.method=hmac
+ scalar.dl.ledger.authentication.hmac.cipher_key=${env:SCALAR_DL_LEDGER_HMAC_CIPHER_KEY}
+ scalar.dl.ledger.servers.authentication.hmac.secret_key=${env:SCALAR_DL_LEDGER_HMAC_SECRET_KEY}
+
+ ### TLS configurations
+ scalar.dl.ledger.server.tls.enabled=true
+ scalar.dl.ledger.server.tls.cert_chain_path=/tls/scalardl-ledger/certs/tls.crt
+ scalar.dl.ledger.server.tls.private_key_path=/tls/scalardl-ledger/certs/tls.key
+
+ ### License key configurations
+ scalar.dl.licensing.license_key=${env:SCALAR_DL_LEDGER_LICENSE_KEY}
+ scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM}
+
+ tls:
+ enabled: true
+ overrideAuthority: "ledger.scalardl.example.com"
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - ledger.scalardl.example.com
+
+ secretName: "ledger-credentials-secret"
+ EOF
+ ```
+
+1. Create a custom values file for ScalarDL Auditor (`scalardl-auditor-custom-values.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/scalardl-auditor-custom-values.yaml
+ envoy:
+
+ tls:
+ downstream:
+ enabled: true
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - envoy.scalar.example.com
+ upstream:
+ enabled: true
+ overrideAuthority: "auditor.scalardl.example.com"
+
+
+ auditor:
+
+ image:
+ repository: "ghcr.io/scalar-labs/scalardl-auditor-byol"
+
+ auditorProperties: |
+ ### Storage configurations
+ scalar.db.storage=jdbc
+ scalar.db.contact_points=jdbc:postgresql://postgresql-auditor.default.svc.cluster.local:5432/postgres
+ scalar.db.username=${env:SCALAR_DL_AUDITOR_POSTGRES_USERNAME}
+ scalar.db.password=${env:SCALAR_DL_AUDITOR_POSTGRES_PASSWORD}
+
+ ### Auditor configurations
+ scalar.dl.auditor.ledger.host=scalardl-ledger-envoy.default.svc.cluster.local
+ scalar.dl.auditor.authentication.method=hmac
+ scalar.dl.auditor.authentication.hmac.cipher_key=${env:SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY}
+ scalar.dl.auditor.servers.authentication.hmac.secret_key=${env:SCALAR_DL_AUDITOR_HMAC_SECRET_KEY}
+
+ ### TLS configurations
+ scalar.dl.auditor.server.tls.enabled=true
+ scalar.dl.auditor.server.tls.cert_chain_path=/tls/scalardl-auditor/certs/tls.crt
+ scalar.dl.auditor.server.tls.private_key_path=/tls/scalardl-auditor/certs/tls.key
+ scalar.dl.auditor.tls.enabled=true
+ scalar.dl.auditor.tls.ca_root_cert_path=/tls/scalardl-ledger/certs/ca.crt
+ scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com
+
+ ### License key configurations
+ scalar.dl.licensing.license_key=${env:SCALAR_DL_AUDITOR_LICENSE_KEY}
+ scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM}
+
+ tls:
+ enabled: true
+ overrideAuthority: "auditor.scalardl.example.com"
+ certManager:
+ enabled: true
+ issuerRef:
+ name: self-signed-ca
+ dnsNames:
+ - auditor.scalardl.example.com
+
+ secretName: "auditor-credentials-secret"
+ EOF
+ ```
+
+1. Create a secret resource named `ledger-credentials-secret` that includes credentials and a license key.
+
+ ```console
+ kubectl create secret generic ledger-credentials-secret \
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DL_LEDGER_HMAC_CIPHER_KEY=ledger-hmac-cipher-key \
+ --from-literal=SCALAR_DL_LEDGER_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
+ --from-literal=SCALAR_DL_LEDGER_LICENSE_KEY="${SCALAR_DL_LEDGER_LICENSE_KEY}" \
+ --from-file=SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
+ ```
+
+1. Create a secret resource named `auditor-credentials-secret` that includes credentials and a license key.
+
+ ```console
+ kubectl create secret generic auditor-credentials-secret \
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY=auditor-hmac-cipher-key \
+ --from-literal=SCALAR_DL_AUDITOR_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
+ --from-literal=SCALAR_DL_AUDITOR_LICENSE_KEY="${SCALAR_DL_AUDITOR_LICENSE_KEY}" \
+ --from-file=SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
+ ```
+
+1. Create a secret resource named `auditor-keys` to disable the `digital-signature` authentication method. In this tutorial, you'll use the `hmac` authentication method instead of `digital-signature`.
+
+ ```console
+ kubectl create secret generic auditor-keys \
+ --from-literal=tls.key=dummy-data-to-disable-digital-signature-method \
+ --from-literal=certificate=dummy-data-to-disable-digital-signature-method \
+ -n default
+ ```
+
+ Note: If you use `hmac` as an authentication method, you have to create a dummy secret `auditor-key` to disable `digital-signature` on the Helm Chart side.
+
+1. Set the chart version of ScalarDL Ledger and ScalarDL Auditor.
+
+ ```console
+ SCALAR_DL_LEDGER_CHART_VERSION=$(helm search repo scalar-labs/scalardl -l | grep -v -e "scalar-labs/scalardl-audit" | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1)
+ SCALAR_DL_AUDITOR_CHART_VERSION=$(helm search repo scalar-labs/scalardl-audit -l | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1)
+ ```
+
+1. Deploy ScalarDL Ledger.
+
+ ```console
+ helm install scalardl-ledger scalar-labs/scalardl -f ${HOME}/scalardl-test/scalardl-ledger-custom-values.yaml --version ${SCALAR_DL_LEDGER_CHART_VERSION} -n default
+ ```
+
+1. Deploy ScalarDL Auditor.
+
+ ```console
+ helm install scalardl-auditor scalar-labs/scalardl-audit -f ${HOME}/scalardl-test/scalardl-auditor-custom-values.yaml --version ${SCALAR_DL_AUDITOR_CHART_VERSION} -n default
+ ```
+
+1. Check if the ScalarDL Ledger and ScalarDL Auditor pods are deployed.
+
+ ```console
+ kubectl get pod -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ postgresql-auditor-0 1/1 Running 0 14m
+ postgresql-ledger-0 1/1 Running 0 14m
+ scalardl-auditor-auditor-5b885ff4c8-fwkpf 1/1 Running 0 18s
+ scalardl-auditor-auditor-5b885ff4c8-g69cb 1/1 Running 0 18s
+ scalardl-auditor-auditor-5b885ff4c8-nsmnq 1/1 Running 0 18s
+ scalardl-auditor-envoy-689bcbdf65-5mn6v 1/1 Running 0 18s
+ scalardl-auditor-envoy-689bcbdf65-fpq8j 1/1 Running 0 18s
+ scalardl-auditor-envoy-689bcbdf65-lsz2t 1/1 Running 0 18s
+ scalardl-ledger-envoy-547bbf7546-n7p5x 1/1 Running 0 26s
+ scalardl-ledger-envoy-547bbf7546-p8nwp 1/1 Running 0 26s
+ scalardl-ledger-envoy-547bbf7546-pskpb 1/1 Running 0 26s
+ scalardl-ledger-ledger-6db5dc8774-5zsbj 1/1 Running 0 26s
+ scalardl-ledger-ledger-6db5dc8774-vnmrw 1/1 Running 0 26s
+ scalardl-ledger-ledger-6db5dc8774-wpjvs 1/1 Running 0 26s
+ schema-loader-auditor-schema-loading-dvc5r 0/1 Completed 0 11m
+ schema-loader-ledger-schema-loading-mtllb 0/1 Completed 0 11m
+ ```
+
+ If the ScalarDL Ledger and ScalarDL Auditor pods are deployed properly, the `STATUS` column for those pods will be displayed as `Running`.
+
+1. Check if the ScalarDL Ledger and ScalarDL Auditor services are deployed.
+
+ ```console
+ kubectl get svc -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+ kubernetes ClusterIP 10.96.0.1 443/TCP 47d
+ postgresql-auditor ClusterIP 10.107.9.78 5432/TCP 15m
+ postgresql-auditor-hl ClusterIP None 5432/TCP 15m
+ postgresql-ledger ClusterIP 10.108.241.181 5432/TCP 15m
+ postgresql-ledger-hl ClusterIP None 5432/TCP 15m
+ scalardl-auditor-envoy ClusterIP 10.100.61.202 40051/TCP,40052/TCP 55s
+ scalardl-auditor-envoy-metrics ClusterIP 10.99.6.227 9001/TCP 55s
+ scalardl-auditor-headless ClusterIP None 40051/TCP,40053/TCP,40052/TCP 55s
+ scalardl-auditor-metrics ClusterIP 10.108.1.147 8080/TCP 55s
+ scalardl-ledger-envoy ClusterIP 10.101.191.116 50051/TCP,50052/TCP 61s
+ scalardl-ledger-envoy-metrics ClusterIP 10.106.52.103 9001/TCP 61s
+ scalardl-ledger-headless ClusterIP None 50051/TCP,50053/TCP,50052/TCP 61s
+ scalardl-ledger-metrics ClusterIP 10.99.122.106 8080/TCP 61s
+ ```
+
+ If the ScalarDL Ledger and ScalarDL Auditor services are deployed properly, you can see private IP addresses in the `CLUSTER-IP` column.
+
+:::note
+
+The `CLUSTER-IP` values for `scalardl-ledger-headless`, `scalardl-auditor-headless`, `postgresql-ledger-hl`, and `postgresql-auditor-hl` are `None` since they have no IP addresses.
+
+:::
+
+## Step 7. Start a client container
+
+You'll use the CA certificate file in a client container. Therefore, you'll need to create a secret resource and mount it to the client container.
+
+1. Create a secret resource named `client-ca-cert`.
+
+ ```console
+ kubectl create secret generic client-ca-cert --from-file=ca.crt=<(kubectl get secret self-signed-ca-cert-secret -o "jsonpath={.data['ca\.crt']}" | base64 -d) -n default
+ ```
+
+1. Create a manifest file for a client pod (`scalardl-client-pod.yaml`).
+
+ ```console
+ cat << 'EOF' > ${HOME}/scalardl-test/scalardl-client-pod.yaml
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: "scalardl-client"
+ spec:
+ containers:
+ - name: scalardl-client
+ image: eclipse-temurin:8
+ command: ['sleep']
+ args: ['inf']
+ env:
+ - name: SCALAR_DL_VERSION
+ value: SCALAR_DL_CLIENT_POD_SCALAR_DL_VERSION
+ volumeMounts:
+ - name: "client-ca-cert"
+ mountPath: "/certs/"
+ readOnly: true
+ volumes:
+ - name: "client-ca-cert"
+ secret:
+ secretName: "client-ca-cert"
+ restartPolicy: Never
+ EOF
+ ```
+
+1. Set the ScalarDL version in the manifest file.
+
+ ```console
+ sed -i s/SCALAR_DL_CLIENT_POD_SCALAR_DL_VERSION/${SCALAR_DL_VERSION}/ ${HOME}/scalardl-test/scalardl-client-pod.yaml
+ ```
+
+1. Deploy the client pod.
+
+ ```console
+ kubectl apply -f ${HOME}/scalardl-test/scalardl-client-pod.yaml -n default
+ ```
+
+1. Check if the client container is running.
+
+ ```console
+ kubectl get pod scalardl-client -n default
+ ```
+
+ [Command execution result]
+
+ ```console
+ NAME READY STATUS RESTARTS AGE
+ scalardl-client 1/1 Running 0 4s
+ ```
+
+## Step 8. Run ScalarDL sample contracts in the client container
+
+The following explains the minimum steps needed to run sample contracts. For more details about ScalarDL Ledger and ScalarDL Auditor, see the following:
+
+* [Getting Started with ScalarDL](https://scalardl.scalar-labs.com/docs/latest/getting-started/)
+* [Getting Started with ScalarDL Auditor](https://scalardl.scalar-labs.com/docs/latest/getting-started-auditor/)
+
+1. Run bash in the client container.
+
+ ```console
+ kubectl exec -it scalardl-client -n default -- bash
+ ```
+
+ The commands in the following steps must be run in the client container.
+
+1. Install the git, curl, and unzip commands in the client container.
+
+ ```console
+ apt update && apt install -y git curl unzip
+ ```
+
+1. Clone the ScalarDL Java Client SDK git repository.
+
+ ```console
+ git clone https://github.com/scalar-labs/scalardl-java-client-sdk.git
+ ```
+
+1. Change the working directory to `scalardl-java-client-sdk/`.
+
+ ```console
+ cd scalardl-java-client-sdk/
+ ```
+
+ ```console
+ pwd
+ ```
+
+ [Command execution result]
+
+ ```console
+ /scalardl-java-client-sdk
+ ```
+
+1. Change the branch to the version you're using.
+
+ ```console
+ git checkout -b v${SCALAR_DL_VERSION} refs/tags/v${SCALAR_DL_VERSION}
+ ```
+
+1. Build the sample contracts.
+
+ ```console
+ ./gradlew assemble
+ ```
+
+1. Download the CLI tools for ScalarDL from [ScalarDL Java Client SDK Releases](https://github.com/scalar-labs/scalardl-java-client-sdk/releases).
+
+ ```console
+ curl -OL https://github.com/scalar-labs/scalardl-java-client-sdk/releases/download/v${SCALAR_DL_VERSION}/scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip
+ ```
+
+1. Unzip the `scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip` file.
+
+ ```console
+ unzip ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip
+ ```
+
+1. Create a configuration file named `client.properties` to access ScalarDL Ledger and ScalarDL Auditor on the Kubernetes cluster.
+
+ ```console
+ cat << 'EOF' > client.properties
+ # Ledger configuration
+ scalar.dl.client.server.host=scalardl-ledger-envoy.default.svc.cluster.local
+ scalar.dl.client.tls.enabled=true
+ scalar.dl.client.tls.ca_root_cert_path=/certs/ca.crt
+ scalar.dl.client.tls.override_authority=envoy.scalar.example.com
+
+ # Auditor configuration
+ scalar.dl.client.auditor.enabled=true
+ scalar.dl.client.auditor.host=scalardl-auditor-envoy.default.svc.cluster.local
+ scalar.dl.client.auditor.tls.enabled=true
+ scalar.dl.client.auditor.tls.ca_root_cert_path=/certs/ca.crt
+ scalar.dl.client.auditor.tls.override_authority=envoy.scalar.example.com
+
+ # Client configuration
+ scalar.dl.client.authentication_method=hmac
+ scalar.dl.client.entity.id=client
+ scalar.dl.client.entity.identity.hmac.secret_key=scalardl-hmac-client-secert-key
+ EOF
+ ```
+
+1. Register the client secret.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-secret --config ./client.properties
+ ```
+
+1. Register the sample contract `StateUpdater`.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id StateUpdater --contract-binary-name com.org1.contract.StateUpdater --contract-class-file ./build/classes/java/main/com/org1/contract/StateUpdater.class
+ ```
+
+1. Register the sample contract `StateReader`.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id StateReader --contract-binary-name com.org1.contract.StateReader --contract-class-file ./build/classes/java/main/com/org1/contract/StateReader.class
+ ```
+
+1. Register the contract `ValidateLedger` to execute a validate request.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id validate-ledger --contract-binary-name com.scalar.dl.client.contract.ValidateLedger --contract-class-file ./build/classes/java/main/com/scalar/dl/client/contract/ValidateLedger.class
+ ```
+
+1. Execute the contract `StateUpdater`.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl execute-contract --config ./client.properties --contract-id StateUpdater --contract-argument '{"asset_id": "test_asset", "state": 3}'
+ ```
+
+ This sample contract updates the `state` (value) of the asset named `test_asset` to `3`.
+
+1. Execute the contract `StateReader`.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl execute-contract --config ./client.properties --contract-id StateReader --contract-argument '{"asset_id": "test_asset"}'
+ ```
+
+ [Command execution result]
+
+ ```console
+ Contract result:
+ {
+ "id" : "test_asset",
+ "age" : 0,
+ "output" : {
+ "state" : 3
+ }
+ }
+ ```
+
+ ### Reference
+
+ * If the asset data is not tampered with, running the `execute-contract` command to request contract execution will return `OK` as a result.
+ * If the asset data is tampered with (for example, if the `state` value in the database is tampered with), running the `execute-contract` command to request contract execution will return a value other than `OK` (for example, `INCONSISTENT_STATES`) as a result. See the following as an example for how ScalarDL detects data tampering.
+
+ [Command execution result (if the asset data is tampered with)]
+
+ ```console
+ {
+ "status_code" : "INCONSISTENT_STATES",
+ "error_message" : "The results from Ledger and Auditor don't match"
+ }
+ ```
+
+1. Execute a validation request for the asset.
+
+ ```console
+ ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl validate-ledger --config ./client.properties --asset-id "test_asset"
+ ```
+
+ [Command execution result]
+
+ ```console
+ {
+ "status_code" : "OK",
+ "Ledger" : {
+ "id" : "test_asset",
+ "age" : 0,
+ "nonce" : "3533427d-03cf-41d1-bf95-4d31eb0cb24d",
+ "hash" : "FiquvtPMKLlxKf4VGoccSAGsi9ptn4ozYVVTwdSzEQ0=",
+ "signature" : "MEYCIQDiiXqzw6K+Ml4uvn8rK43o5wHWESU3hoXnZPi6/OeKVwIhAM+tFBcapl6zg47Uq0Uc8nVNGWNHZLBDBGve3F0xkzTR"
+ },
+ "Auditor" : {
+ "id" : "test_asset",
+ "age" : 0,
+ "nonce" : "3533427d-03cf-41d1-bf95-4d31eb0cb24d",
+ "hash" : "FiquvtPMKLlxKf4VGoccSAGsi9ptn4ozYVVTwdSzEQ0=",
+ "signature" : "MEUCIQDLsfUR2PmxSvfpL3YvHJUkz00RDpjCdctkroZKXE8d5QIgH73FQH2e11jfnynD00Pp9DrIG1vYizxDsvxUsMPo9IU="
+ }
+ }
+ ```
+
+ ### Reference
+
+ * If the asset data is not tampered with, running the `validate-ledger` command to request validation will return `OK` as the result.
+ * If the asset data is tampered with (for example, if the `state` value in the database is tampered with), running the `validate-ledger` command to request validation will return a value other than `OK` (for example, `INVALID_OUTPUT`) as a result. See the following as an example for how ScalarDL detects data tampering.
+
+ [Command execution result (if the asset data is tampered with)]
+
+ ```console
+ {
+ "status_code" : "INCONSISTENT_STATES",
+ "error_message" : "The results from Ledger and Auditor don't match"
+ }
+ ```
+
+1. Exit from the client container.
+
+ ```console
+ exit
+ ```
+
+## Step 9. Delete all resources
+
+After completing the ScalarDL Ledger and ScalarDL Auditor tests on the Kubernetes cluster, remove all resources.
+
+1. Uninstall ScalarDL Ledger, ScalarDL Auditor, ScalarDL Schema Loader, and PostgreSQL.
+
+ ```console
+ helm uninstall -n default scalardl-ledger schema-loader-ledger postgresql-ledger scalardl-auditor schema-loader-auditor postgresql-auditor
+ ```
+
+1. Uninstall cert-manager.
+
+ ```console
+ helm uninstall -n cert-manager cert-manager
+ ```
+
+1. Remove the client container.
+
+ ```
+ kubectl delete pod scalardl-client --grace-period 0 -n default
+ ```
+
+1. Remove the working directory and sample files (configuration files).
+
+ ```console
+ cd ${HOME}
+ ```
+
+ ```console
+ rm -rf ${HOME}/scalardl-test/
+ ```
+
+## Further reading
+
+You can see how to get started with monitoring or logging for Scalar products in the following tutorials:
+
+* [Getting Started with Helm Charts (Monitoring using Prometheus Operator)](getting-started-monitoring.mdx)
+* [Getting Started with Helm Charts (Logging using Loki Stack)](getting-started-logging.mdx)
+* [Getting Started with Helm Charts (Scalar Manager)](getting-started-scalar-manager.mdx)
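Review bot: the second "Reference" block (the one under the `validate-ledger` step) says a tampered asset returns a value such as `INVALID_OUTPUT`, but the sample output directly below it shows `"status_code" : "INCONSISTENT_STATES"` with the "results from Ledger and Auditor don't match" message, i.e. the same output already used for the `execute-contract` example; either show an `INVALID_OUTPUT` sample there or change the text to name `INCONSISTENT_STATES`. Two smaller points in the same hunk: the `kubectl delete pod scalardl-client --grace-period 0 -n default` fence is the only one in the file without the `console` language tag, and the HMAC value `scalardl-hmac-client-secert-key` in `client.properties` looks like a typo of "secret" (harmless, since `register-secret` stores whatever string is given, but confusing next to `scalardl-hmac-secret-key` used for Ledger and Auditor).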
diff --git a/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls.mdx b/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls.mdx
index ffff8a66..44edd182 100644
--- a/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls.mdx
+++ b/versioned_docs/version-3.8/helm-charts/getting-started-scalardl-auditor-tls.mdx
@@ -60,7 +60,7 @@ You'll also create the following private key and certificate files for TLS conne
| +----------------------+
|
+----------------------+ | +----------------------+
-| Self-managed CA | ---(Sign certificates)---+---> | For ScalarDL Ledger |
+| Self-signed CA | ---(Sign certificates)---+---> | For ScalarDL Ledger |
+----------------------+ | +----------------------+
| ca-key.pem | | | ledger-key.pem |
| ca.pem | | | ledger.pem |
@@ -167,11 +167,7 @@ You'll create some configuration files and private key and certificate files loc
## Step 4. Create private key and certificate files
-:::warning
-
-In this tutorial, a self-managed CA is used for testing. However, it is strongly recommended that these certificates **not** be used in production. Please prepare your certificate files based on the security requirements of your system.
-
-:::
+You'll create private key and a certificate files.
1. Change the working directory to `${HOME}/scalardl-test/certs/`.
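Review bot: removing the `:::warning` admonition drops the only statement that the CA used here is for testing and must not be used in production, while the diagram in this same PR still labels it "Self-signed CA"; keep the admonition (reworded from "self-managed" to "self-signed" to match the diagram) rather than replacing it with the one-line sentence. The replacement sentence also has a grammar slip: "You'll create private key and a certificate files." should read "You'll create private key and certificate files.", matching the Step 4 heading.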
@@ -458,6 +454,15 @@ You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using
## Step 6. Deploy ScalarDL Ledger and ScalarDL Auditor on the Kubernetes cluster by using Helm Charts
+1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). Also, you can see the value of `` and `` in [our document](https://scalardb.scalar-labs.com/docs/latest/scalar-licensing/README/).
+
+ ```console
+ SCALAR_DL_LEDGER_LICENSE_KEY=''
+ SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=''
+ SCALAR_DL_AUDITOR_LICENSE_KEY=''
+ SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM=''
+ ```
+
1. Create a custom values file for ScalarDL Ledger (`scalardl-ledger-custom-values.yaml`).
```console
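Review bot: the added sentence "you can see the value of `` and `` in [our document]" contains two empty inline-code spans, so the reader is told to look up two unnamed values; fill in the names (presumably the license key and license check certificate) or drop the clause. Since the `SCALAR_DL_*_LICENSE_CHECK_CERT_PEM` values are later passed through `sed 's/\\n/.../g'` when creating the secrets, this step should also say in what form the PEM is expected (a single line with literal `\n` sequences, as the later command assumes), otherwise a user who pastes a multi-line PEM into `''` gets a broken assignment.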
@@ -495,12 +500,12 @@ You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using
### TLS configurations
scalar.dl.ledger.server.tls.enabled=true
- scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem
+ scalar.dl.ledger.server.tls.cert_chain_path=/tls/scalardl-ledger/certs/tls.crt
+ scalar.dl.ledger.server.tls.private_key_path=/tls/scalardl-ledger/certs/tls.key
### License key configurations
- scalar.dl.licensing.license_key=${env:SCALAR_DL_LICENSE_KEY}
- scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LICENSE_CHECK_CERT_PEM}
+ scalar.dl.licensing.license_key=${env:SCALAR_DL_LEDGER_LICENSE_KEY}
+ scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM}
tls:
enabled: true
@@ -548,15 +553,15 @@ You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using
### TLS configurations
scalar.dl.auditor.server.tls.enabled=true
- scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
- scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem
+ scalar.dl.auditor.server.tls.cert_chain_path=/tls/scalardl-auditor/certs/tls.crt
+ scalar.dl.auditor.server.tls.private_key_path=/tls/scalardl-auditor/certs/tls.key
scalar.dl.auditor.tls.enabled=true
- scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem
+ scalar.dl.auditor.tls.ca_root_cert_path=/tls/scalardl-ledger/certs/ca.crt
scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com
### License key configurations
- scalar.dl.licensing.license_key=${env:SCALAR_DL_LICENSE_KEY}
- scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LICENSE_CHECK_CERT_PEM}
+ scalar.dl.licensing.license_key=${env:SCALAR_DL_AUDITOR_LICENSE_KEY}
+ scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM}
tls:
enabled: true
@@ -570,68 +575,63 @@ You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using
EOF
```
-1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact).
-
- ```console
- SCALAR_DL_LICENSE_KEY=
- SCALAR_DL_LICENSE_CHECK_CERT_PEM=
- ```
-
1. Create a secret resource named `ledger-credentials-secret` that includes credentials and a license key.
```console
kubectl create secret generic ledger-credentials-secret \
- --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \
- --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \
- --from-literal=SCALAR_DL_LEDGER_HMAC_CIPHER_KEY=ledger-hmac-cipher-key \
- --from-literal=SCALAR_DL_LEDGER_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
- --from-literal=SCALAR_DL_LICENSE_KEY=${SCALAR_DL_LICENSE_KEY} \
- --from-literal=SCALAR_DL_LICENSE_CHECK_CERT_PEM=${SCALAR_DL_LICENSE_CHECK_CERT_PEM} \
- -n default
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DL_LEDGER_HMAC_CIPHER_KEY=ledger-hmac-cipher-key \
+ --from-literal=SCALAR_DL_LEDGER_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
+ --from-literal=SCALAR_DL_LEDGER_LICENSE_KEY="${SCALAR_DL_LEDGER_LICENSE_KEY}" \
+ --from-file=SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
```
1. Create a secret resource named `auditor-credentials-secret` that includes credentials and a license key.
```console
kubectl create secret generic auditor-credentials-secret \
- --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \
- --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \
- --from-literal=SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY=auditor-hmac-cipher-key \
- --from-literal=SCALAR_DL_AUDITOR_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
- --from-literal=SCALAR_DL_LICENSE_KEY=${SCALAR_DL_LICENSE_KEY} \
- --from-literal=SCALAR_DL_LICENSE_CHECK_CERT_PEM=${SCALAR_DL_LICENSE_CHECK_CERT_PEM} \
- -n default
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \
+ --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \
+ --from-literal=SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY=auditor-hmac-cipher-key \
+ --from-literal=SCALAR_DL_AUDITOR_HMAC_SECRET_KEY=scalardl-hmac-secret-key \
+ --from-literal=SCALAR_DL_AUDITOR_LICENSE_KEY="${SCALAR_DL_AUDITOR_LICENSE_KEY}" \
+ --from-file=SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DL_AUDITOR_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\
+ /g') \
+ -n default
```
1. Create secret resources that include the private key and certificate files for Envoy.
```console
- kubectl create secret generic envoy-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/envoy.pem -n default
- kubectl create secret generic envoy-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/envoy-key.pem -n default
+ kubectl create secret generic envoy-tls-cert --from-file=tls.crt=${HOME}/scalardl-test/certs/envoy.pem -n default
+ kubectl create secret generic envoy-tls-key --from-file=tls.key=${HOME}/scalardl-test/certs/envoy-key.pem -n default
```
1. Create secret resources that include the private key, certificate, and CA certificate files for ScalarDL Ledger.
```console
- kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=${HOME}/scalardl-test/certs/ca.pem -n default
- kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/ledger.pem -n default
- kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/ledger-key.pem -n default
+ kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca.crt=${HOME}/scalardl-test/certs/ca.pem -n default
+ kubectl create secret generic scalardl-ledger-tls-cert --from-file=tls.crt=${HOME}/scalardl-test/certs/ledger.pem -n default
+ kubectl create secret generic scalardl-ledger-tls-key --from-file=tls.key=${HOME}/scalardl-test/certs/ledger-key.pem -n default
```
1. Create secret resources that include the private key, certificate, and CA certificate files for ScalarDL Auditor.
```console
- kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=${HOME}/scalardl-test/certs/ca.pem -n default
- kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/auditor.pem -n default
- kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/auditor-key.pem -n default
- kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=${HOME}/scalardl-test/certs/ca.pem -n default
+ kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca.crt=${HOME}/scalardl-test/certs/ca.pem -n default
+ kubectl create secret generic scalardl-auditor-tls-cert --from-file=tls.crt=${HOME}/scalardl-test/certs/auditor.pem -n default
+ kubectl create secret generic scalardl-auditor-tls-key --from-file=tls.key=${HOME}/scalardl-test/certs/auditor-key.pem -n default
+ kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca.crt=${HOME}/scalardl-test/certs/ca.pem -n default
```
1. Create a secret resource named `auditor-keys` to disable the `digital-signature` authentication method. In this tutorial, you'll use the `hmac` authentication method instead of `digital-signature`.
```console
kubectl create secret generic auditor-keys \
- --from-literal=private-key=dummy-data-to-disable-digital-signature-method \
+ --from-literal=tls.key=dummy-data-to-disable-digital-signature-method \
--from-literal=certificate=dummy-data-to-disable-digital-signature-method \
-n default
```
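Review bot: the new `--from-file=SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=<(echo ${SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM} | sed 's/\\n/\` + newline + `/g')` construction (and its Auditor twin) relies on bash process substitution, leaves the variable unquoted in `echo`, and splits the `sed` expression across two lines with an embedded newline inside a copy-paste `console` block, which is easy to break when copied or when the user's shell is not bash. Suggest a single-line, quoted form such as `--from-file=SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM=<(printf '%b' "${SCALAR_DL_LEDGER_LICENSE_CHECK_CERT_PEM}")` (`%b` expands the `\n` escapes), and a sentence noting that the step requires bash.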
@@ -723,11 +723,10 @@ The `CLUSTER-IP` values for `scalardl-ledger-headless`, `scalardl-auditor-headle
You'll use the CA certificate file in a client container. Therefore, you'll need to create a secret resource and mount it to the client container.
-
1. Create a secret resource named `client-ca-cert`.
```console
- kubectl create secret generic client-ca-cert --from-file=certificate=${HOME}/scalardl-test/certs/ca.pem -n default
+ kubectl create secret generic client-ca-cert --from-file=ca.crt=${HOME}/scalardl-test/certs/ca.pem -n default
```
1. Create a manifest file for a client pod (`scalardl-client-pod.yaml`).
@@ -749,8 +748,7 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
value: SCALAR_DL_CLIENT_POD_SCALAR_DL_VERSION
volumeMounts:
- name: "client-ca-cert"
- mountPath: "/certs/ca/ca.pem"
- subPath: certificate
+ mountPath: "/certs/"
readOnly: true
volumes:
- name: "client-ca-cert"
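Review bot: with `subPath` removed, the whole `client-ca-cert` secret is now mounted as a directory, so the CA file appears as `/certs/ca.crt` (consistent with the `client.properties` change later in this PR), but a directory mount hides anything the image ships under `/certs`; that is fine for this scratch client pod, yet worth a short sentence in the step. Also, `mountPath: "/certs/"` with a trailing slash is unusual in Kubernetes manifests; `"/certs"` is the conventional form.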
@@ -789,8 +787,8 @@ You'll use the CA certificate file in a client container. Therefore, you'll need
The following explains the minimum steps needed to run sample contracts. For more details about ScalarDL Ledger and ScalarDL Auditor, see the following:
-* [Getting Started with ScalarDL](https://github.com/scalar-labs/scalardl/blob/master/docs/getting-started.md)
-* [Getting Started with ScalarDL Auditor](https://github.com/scalar-labs/scalardl/blob/master/docs/getting-started-auditor.md)
+* [Getting Started with ScalarDL](https://scalardl.scalar-labs.com/docs/latest/getting-started/)
+* [Getting Started with ScalarDL Auditor](https://scalardl.scalar-labs.com/docs/latest/getting-started-auditor/)
1. Run bash in the client container.
@@ -859,14 +857,14 @@ The following explains the minimum steps needed to run sample contracts. For mor
# Ledger configuration
scalar.dl.client.server.host=scalardl-ledger-envoy.default.svc.cluster.local
scalar.dl.client.tls.enabled=true
- scalar.dl.client.tls.ca_root_cert_path=/certs/ca/ca.pem
+ scalar.dl.client.tls.ca_root_cert_path=/certs/ca.crt
scalar.dl.client.tls.override_authority=envoy.scalar.example.com
# Auditor configuration
scalar.dl.client.auditor.enabled=true
scalar.dl.client.auditor.host=scalardl-auditor-envoy.default.svc.cluster.local
scalar.dl.client.auditor.tls.enabled=true
- scalar.dl.client.auditor.tls.ca_root_cert_path=/certs/ca/ca.pem
+ scalar.dl.client.auditor.tls.ca_root_cert_path=/certs/ca.crt
scalar.dl.client.auditor.tls.override_authority=envoy.scalar.example.com
# Client configuration
@@ -982,6 +980,12 @@ The following explains the minimum steps needed to run sample contracts. For mor
}
```
+1. Exit from the client container.
+
+ ```console
+ exit
+ ```
+
## Step 9. Delete all resources
After completing the ScalarDL Ledger and ScalarDL Auditor tests on the Kubernetes cluster, remove all resources.
diff --git a/versioned_docs/version-3.8/helm-charts/mount-files-or-volumes-on-scalar-pods.mdx b/versioned_docs/version-3.8/helm-charts/mount-files-or-volumes-on-scalar-pods.mdx
index c81106aa..6921196e 100644
--- a/versioned_docs/version-3.8/helm-charts/mount-files-or-volumes-on-scalar-pods.mdx
+++ b/versioned_docs/version-3.8/helm-charts/mount-files-or-volumes-on-scalar-pods.mdx
@@ -62,12 +62,12 @@ In this example, you need to mount a **private-key** and a **certificate** file
* ScalarDL Ledger
```console
kubectl create secret generic ledger-keys \
- --from-file=private-key=./ledger-key.pem
+ --from-file=tls.key=./ledger-key.pem
```
* ScalarDL Auditor
```console
kubectl create secret generic auditor-keys \
- --from-file=private-key=./auditor-key.pem \
+ --from-file=tls.key=./auditor-key.pem \
--from-file=certificate=./auditor-cert.pem
```
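Review bot: the secret key for the private key is renamed from `private-key` to `tls.key`, but the certificate keeps the key name `certificate` (the `auditor-keys` secret in the getting-started doc of this PR has the same mixed naming); if the intent is the `kubernetes.io/tls` convention used for the Envoy, Ledger and Auditor TLS secrets elsewhere in this PR, the certificate key would be `tls.crt`. Confirm which key names the chart's volume mounts actually expect and state them explicitly, and update the hunk's context sentence ("mount a **private-key** and a **certificate** file") if the bold names were meant to be the secret key names.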