diff --git a/docs/3.10/helm-charts/configure-custom-values-envoy.md b/docs/3.10/helm-charts/configure-custom-values-envoy.md index 451b2b63..9c8ba997 100644 --- a/docs/3.10/helm-charts/configure-custom-values-envoy.md +++ b/docs/3.10/helm-charts/configure-custom-values-envoy.md @@ -144,6 +144,77 @@ envoy: repository: ``` +If you're using AWS or Azure, please refer to the following documents for more details: + +* [How to install Scalar products through AWS Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AwsMarketplaceGuide.md) +* [How to install Scalar products through Azure Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AzureMarketplaceGuide.md) + +### TLS configurations (optional based on your environment) + +You can enable TLS in: + +- Downstream connections between the client and Scalar Envoy. +- Upstream connections between Scalar Envoy and Scalar products. + +#### Enable TLS in downstream connections + +You can enable TLS in downstream connections by using the following configurations: + +```yaml +envoy: + tls: + downstream: + enabled: true + certChainSecret: "envoy-tls-cert" + privateKeySecret: "envoy-tls-key" +``` + +In this case, you have to create secret resources that include private key and certificate files for Scalar Envoy as follows: + +```console +kubectl create secret generic envoy-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n +kubectl create secret generic envoy-tls-key --from-file=private-key=/path/to/your/private/key/file -n +``` + +For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md). + +#### Enable TLS in upstream connections + +You can enable TLS in upstream connections by using the following configurations: + +```yaml +envoy: + tls: + upstream: + enabled: true + overrideAuthority: "cluster.scalardb.example.com" + caRootCertSecret: "scalardb-cluster-tls-ca" +``` + +In this case, you have to create secret resources that include CA certificate files as follows. You must set the root CA certificate file based on the upstream that you use (ScalarDB Cluster, ScalarDL Ledger, or ScalarDL Auditor). + +* ScalarDB Cluster + + ```console + kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardb-cluster -n + ``` + +* ScalarDL Ledger + + ```console + kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-ledger -n + ``` + +* ScalarDL Auditor + + ```console + kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-auditor -n + ``` + +For more details on how to prepare private key and certificate files, see [How to create key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md). + +Also, you can set the custom authority for TLS communication by using `envoy.tls.upstream.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`, depending on which product you're using. Envoy uses this value for verifying the certificate of the TLS connection with ScalarDB Cluster or ScalarDL. + ### Replica configurations (Optional based on your environment) You can specify the number of replicas (pods) of Scalar Envoy using `envoy.replicaCount`. diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md b/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md index 85aeaeb8..dd023045 100644 --- a/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md +++ b/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md @@ -137,6 +137,39 @@ scalardbCluster: allowPrivilegeEscalation: false ``` +### TLS configurations (optional based on your environment) + +You can enable TLS in all ScalarDB Cluster connections by using the following configurations: + +```yaml +scalardbCluster: + scalardbClusterNodeProperties: | + ...(omit)... + scalar.db.cluster.tls.enabled=true + scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem + scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem + scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com + tls: + enabled: true + overrideAuthority: "cluster.scalardb.example.com" + caRootCertSecret: "scalardb-cluster-tls-ca" + certChainSecret: "scalardb-cluster-tls-cert" + privateKeySecret: "scalardb-cluster-tls-key" +``` + +In this case, you have to create secret resources that include private key and certificate files for ScalarDB Cluster as follows: + +```console +kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n +kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n +kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=/path/to/your/private/key/file -n +``` + +For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md). + +Also, you can set the custom authority for TLS communication by using `scalardbCluster.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`. + ### Replica configurations (optional based on your environment) You can specify the number of ScalarDB Cluster replicas (pods) by using `scalardbCluster.replicaCount`. diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md b/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md index b1c72ca6..ee178285 100644 --- a/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md +++ b/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md @@ -153,6 +153,41 @@ auditor: allowPrivilegeEscalation: false ``` +### TLS configurations (optional based on your environment) + +You can enable TLS in all ScalarDL Auditor connections by using the following configurations: + +```yaml +auditor: + auditorProperties: | + scalar.dl.auditor.server.tls.enabled=true + scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem + scalar.dl.auditor.tls.enabled=true + scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem + scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com + tls: + enabled: true + overrideAuthority: "auditor.scalardl.example.com" + caRootCertSecret: "scalardl-auditor-tls-ca" + certChainSecret: "scalardl-auditor-tls-cert" + privateKeySecret: "scalardl-auditor-tls-key" + caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger" +``` + +In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger and ScalarDL Auditor as follows: + +```console +kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file/for/auditor -n +kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=/path/to/your/auditor/certificate/file -n +kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=/path/to/your/auditor/private/key/file -n +kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=/path/to/your/ca/certificate/file/for/ledger -n +``` + +For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md). + +Also, you can set the custom authority for TLS communication by using `auditor.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`. + ### Replica configurations (Optional based on your environment) You can specify the number of replicas (pods) of ScalarDL Auditor using `auditor.replicaCount`. diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md b/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md index 91a19fde..3c848959 100644 --- a/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md +++ b/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md @@ -153,7 +153,37 @@ ledger: allowPrivilegeEscalation: false ``` -### Replica configurations (Optional based on your environment) +### TLS configurations (optional based on your environment) + +You can enable TLS in all ScalarDL Ledger connections by using the following configurations: + +```yaml +ledger: + ledgerProperties: | + scalar.dl.ledger.server.tls.enabled=true + scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem + tls: + enabled: true + overrideAuthority: "ledger.scalardl.example.com" + caRootCertSecret: "scalardl-ledger-tls-ca" + certChainSecret: "scalardl-ledger-tls-cert" + privateKeySecret: "scalardl-ledger-tls-key" +``` + +In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger as follows: + +```console +kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n +kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n +kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=/path/to/your/private/key/file -n +``` + +For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md). + +Also, you can set the custom authority for TLS communication by using `ledger.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`. + +### Replica configurations (optional based on your environment) You can specify the number of replicas (pods) of ScalarDL Ledger using `ledger.replicaCount`. diff --git a/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md b/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md index 3270b3f3..f523c711 100644 --- a/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md +++ b/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md @@ -15,15 +15,27 @@ We will use the following tools for testing. First, you need to install the following tools used in this guide. -1. Install the minikube according to the [minikube document](https://minikube.sigs.k8s.io/docs/start/) +1. Install the `minikube` command according to the [minikube documentation](https://minikube.sigs.k8s.io/docs/start/) -1. Install the kubectl according to the [Kubernetes document](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/) +1. Install the `kubectl` command according to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/) -1. Install the helm command according to the [Helm document](https://helm.sh/docs/intro/install/) +1. Install the `helm` command according to the [Helm documentation](https://helm.sh/docs/intro/install/) -1. Install the cfssl and cfssljson according to the [CFSSL document](https://github.com/cloudflare/cfssl) - * Note: - * You need the cfssl and cfssljson when you try ScalarDL. If you try Scalar Helm Charts other than ScalarDL (e.g., ScalarDB, Monitoring, Logging, etc...), the cfssl and cfssljson are not necessary. +1. Install the `cfssl` and `cfssljson` according to the [CFSSL documentation](https://github.com/cloudflare/cfssl) + +{% capture notice--info %} +**Note** + +You need to install the `cfssl` and `cfssljson` command when following these getting started guides: + +* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md) +* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md) +* [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md) +* [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md) + +{% endcapture %} + +
{{ notice--info | markdownify }}
## Step 2. Start minikube with docker driver (Optional / If you use minikube) @@ -53,7 +65,9 @@ First, you need to install the following tools used in this guide. After the Kubernetes cluster starts, you can try each Scalar Helm Charts on it. Please refer to the following documents for more details. +* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md) * [ScalarDB Analytics with PostgreSQL](getting-started-scalardb-analytics-postgresql.md) +* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md) * [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md) * [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md) * [Monitoring using Prometheus Operator](getting-started-monitoring.md) diff --git a/docs/3.10/helm-charts/getting-started-scalardb-cluster-tls.md b/docs/3.10/helm-charts/getting-started-scalardb-cluster-tls.md new file mode 100644 index 00000000..f9d6a188 --- /dev/null +++ b/docs/3.10/helm-charts/getting-started-scalardb-cluster-tls.md @@ -0,0 +1,623 @@ +# Getting Started with Helm Charts (ScalarDB Cluster with TLS) + +This tutorial explains how to get started with ScalarDB Cluster with TLS configurations by using Helm Charts on a Kubernetes cluster in a test environment. Before starting, you should already have a Mac or Linux environment for testing. In addition, although this tutorial mentions using **minikube**, the steps described should work in any Kubernetes cluster. + +## Requirements + +* You need to have a license key (trial license or commercial license) for ScalarDB Cluster. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). +* You need to use ScalarDB Cluster 3.12 or later, which supports TLS. + +## What you'll create + +In this tutorial, you'll deploy the following components on a Kubernetes cluster in the following way: + +``` ++----------------------------------------------------------------------------------------------------------------------------------------------------+ +| [Kubernetes Cluster] | +| [Pod] [Pod] [Pod] | +| | +| +-------+ +------------------------+ | +| +---> | Envoy | ---+ +---> | ScalarDB Cluster node | ---+ | +| [Pod] | +-------+ | | +------------------------+ | | +| | | | | | +| +-----------+ +---------+ | +-------+ | +--------------------+ | +------------------------+ | +---------------+ | +| | Client | ---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | ScalarDB Cluster node | ---+---> | PostgreSQL | | +| | (SQL CLI) | | (Envoy) | | +-------+ | | (ScalarDB Cluster) | | +------------------------+ | | (For Ledger) | | +| +-----------+ +---------+ | | +--------------------+ | | +---------------+ | +| | +-------+ | | +------------------------+ | | +| +---> | Envoy | ---+ +---> | ScalarDB Cluster node | ---+ | +| +-------+ +------------------------+ | +| | ++----------------------------------------------------------------------------------------------------------------------------------------------------+ +``` + +You'll also create the following private key and certificate files for TLS connections. + +``` + +-------------------------------+ + +---> | For Scalar Envoy | + | +-------------------------------+ + | | envoy-key.pem | + | | envoy.pem | ++----------------------+ | +-------------------------------+ +| Self-managed CA | ---(Sign certificates)---+ ++----------------------+ | +-------------------------------+ +| ca-key.pem | +---> | For ScalarDB Cluster | +| ca.pem | +-------------------------------+ ++----------------------+ | scalardb-cluster-key.pem | + | scalardb-cluster.pem | + +-------------------------------+ +``` + +You'll set each private key and certificate file as follows to enable TLS in each connection. + +``` ++--------------------------------+ +-----------------------------------------+ +-----------------------------------------+ +| Client | ---(CRUD/SQL requests)---> | Envoy for ScalarDB Cluster | ---> | ScalarDB Cluster nodes | ++--------------------------------+ +-----------------------------------------+ +-----------------------------------------+ +| ca.pem (to verify envoy.pem) | | envoy-key.pem | | scalardb-cluster-key.pem | ++--------------------------------+ | envoy.pem | | scalardb-cluster.pem | + | ca.pem (to verify scalardb-cluster.pem) | | ca.pem (used for health check) | + +-----------------------------------------+ +-----------------------------------------+ +``` + +The following connections exist amongst the ScalarDB Cluster–related components: + +* **`Client - Envoy for ScalarDB Cluster`:** When you execute a CRUD API or SQL API function, the client accesses Envoy for ScalarDB Cluster. +* **`Envoy for ScalarDB Cluster - ScalarDB Cluster`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDB Cluster. +* **`ScalarDB Cluster node - ScalarDB Cluster node`:** A ScalarDB Cluster node accesses other ScalarDB Cluster nodes. In other words, the cluster's internal communications exist amongst all ScalarDB Cluster nodes. + +## Step 1. Start a Kubernetes cluster and install tools + +You need to prepare a Kubernetes cluster and install some tools (`kubectl`, `helm`, `cfssl`, and `cfssljson`). For more details on how to install them, see [Getting Started with Scalar Helm Charts](getting-started-scalar-helm-charts.md). + +## Step 2. Start the PostgreSQL containers + +ScalarDB Cluster must use some type of database system as a backend database. In this tutorial, you'll use PostgreSQL. + +You can deploy PostgreSQL on the Kubernetes cluster as follows: + +1. Add the Bitnami helm repository. + + ```console + helm repo add bitnami https://charts.bitnami.com/bitnami + ``` + +1. Deploy PostgreSQL for ScalarDB Cluster. + + ```console + helm install postgresql-scalardb-cluster bitnami/postgresql \ + --set auth.postgresPassword=postgres \ + --set primary.persistence.enabled=false \ + -n default + ``` + +1. Check if the PostgreSQL containers are running. + + ```console + kubectl get pod -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + postgresql-scalardb-cluster-0 1/1 Running 0 34s + ``` + +## Step 3. Create a working directory + +You'll create some configuration files and private key and certificate files locally. Be sure to create a working directory for those files. + +1. Create a working directory. + + ```console + mkdir -p ${HOME}/scalardb-cluster-test/certs/ + ``` + +## Step 4. Create private key and certificate files + +{% capture notice--warning %} +**Attention** + +In this tutorial, a self-managed CA is used for testing. However, it is strongly recommended that these certificates **not** be used in production. Please prepare your certificate files based on the security requirements of your system. +{% endcapture %} + +
{{ notice--warning | markdownify }}
+ +1. Change the working directory to `${HOME}/scalardb-cluster-test/certs/`. + + ```console + cd ${HOME}/scalardb-cluster-test/certs/ + ``` + +1. Create a JSON file that includes CA information. + + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/certs/ca.json + { + "CN": "scalar-test-ca", + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "Scalar Test CA" + } + ] + } + EOF + ``` + +1. Create the CA private key and certificate files. + + ```console + cfssl gencert -initca ca.json | cfssljson -bare ca + ``` + +1. Create a JSON file that includes CA configurations. + + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/certs/ca-config.json + { + "signing": { + "default": { + "expiry": "87600h" + }, + "profiles": { + "scalar-test-ca": { + "expiry": "87600h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + } + } + } + } + EOF + ``` + +1. Create a JSON file that includes Envoy information. + + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/certs/envoy.json + { + "CN": "scalar-envoy", + "hosts": [ + "envoy.scalar.example.com", + "localhost" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "Scalar Envoy Test" + } + ] + } + EOF + ``` + +1. Create a JSON file that includes ScalarDB Cluster information. + + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/certs/scalardb-cluster.json + { + "CN": "scalardb-cluster", + "hosts": [ + "cluster.scalardb.example.com", + "localhost" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "ScalarDB Cluster Test" + } + ] + } + EOF + ``` + +1. Create private key and certificate files for Envoy. + + ```console + cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-test-ca envoy.json | cfssljson -bare envoy + ``` + +1. Create private key and certificate files for ScalarDB Cluster. + + ```console + cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-test-ca scalardb-cluster.json | cfssljson -bare scalardb-cluster + ``` + +1. Confirm that the private key and certificate files were created. + + ```console + ls -1 + ``` + + [Command execution result] + + ```console + ca-config.json + ca-key.pem + ca.csr + ca.json + ca.pem + envoy-key.pem + envoy.csr + envoy.json + envoy.pem + scalardb-cluster-key.pem + scalardb-cluster.csr + scalardb-cluster.json + scalardb-cluster.pem + ``` + +## Step 5. Deploy ScalarDB Cluster on the Kubernetes cluster by using Helm Charts + +1. Add the Scalar Helm Charts repository. + + ```console + helm repo add scalar-labs https://scalar-labs.github.io/helm-charts + ``` + +1. Create a custom values file for ScalarDB Cluster (`scalardb-cluster-custom-values.yaml`). + + {% raw %} + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/scalardb-cluster-custom-values.yaml + envoy: + + enabled: true + + tls: + downstream: + enabled: true + certChainSecret: "envoy-tls-cert" + privateKeySecret: "envoy-tls-key" + upstream: + enabled: true + overrideAuthority: "cluster.scalardb.example.com" + caRootCertSecret: "scalardb-cluster-tls-ca" + + scalardbCluster: + + image: + repository: "ghcr.io/scalar-labs/scalardb-cluster-node-byol-premium" + + scalardbClusterNodeProperties: | + ### Necessary configurations for deployment on Kuberetes + scalar.db.cluster.membership.type=KUBERNETES + scalar.db.cluster.membership.kubernetes.endpoint.namespace_name=${env:SCALAR_DB_CLUSTER_MEMBERSHIP_KUBERNETES_ENDPOINT_NAMESPACE_NAME} + scalar.db.cluster.membership.kubernetes.endpoint.name=${env:SCALAR_DB_CLUSTER_MEMBERSHIP_KUBERNETES_ENDPOINT_NAME} + + ### Storage configurations + scalar.db.contact_points=jdbc:postgresql://postgresql-scalardb-cluster.default.svc.cluster.local:5432/postgres + scalar.db.username=${env:SCALAR_DB_CLUSTER_POSTGRES_USERNAME} + scalar.db.password=${env:SCALAR_DB_CLUSTER_POSTGRES_PASSWORD} + scalar.db.storage=jdbc + + ### SQL configurations + scalar.db.sql.enabled=true + + ### Auth configurations + scalar.db.cluster.auth.enabled=true + scalar.db.cross_partition_scan.enabled=true + + ### TLS configurations + scalar.db.cluster.tls.enabled=true + scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem + scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem + scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com + + ### License key configurations + scalar.dl.licensing.license_key=${env:SCALAR_DB_CLUSTER_LICENSE_KEY} + scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} + + tls: + enabled: true + overrideAuthority: "cluster.scalardb.example.com" + caRootCertSecret: "scalardb-cluster-tls-ca" + certChainSecret: "scalardb-cluster-tls-cert" + privateKeySecret: "scalardb-cluster-tls-key" + + secretName: "scalardb-credentials-secret" + EOF + ``` + {% endraw %} + +1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). + + ```console + SCALAR_DB_CLUSTER_LICENSE_KEY= + SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM= + ``` + +1. Create a secret resource named `scalardb-credentials-secret` that includes credentials and license keys. + + ```console + kubectl create secret generic scalardb-credentials-secret \ + --from-literal=SCALAR_DB_CLUSTER_POSTGRES_USERNAME=postgres \ + --from-literal=SCALAR_DB_CLUSTER_POSTGRES_PASSWORD=postgres \ + --from-literal=SCALAR_DB_CLUSTER_LICENSE_KEY=${SCALAR_DB_CLUSTER_LICENSE_KEY} \ + --from-literal=SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM=${SCALAR_DB_CLUSTER_LICENSE_CHECK_CERT_PEM} \ + -n default + ``` + +1. Create secret resources that include the private key and certificate files for Envoy. + + ```console + kubectl create secret generic envoy-tls-cert --from-file=cert-chain=${HOME}/scalardb-cluster-test/certs/envoy.pem -n default + kubectl create secret generic envoy-tls-key --from-file=private-key=${HOME}/scalardb-cluster-test/certs/envoy-key.pem -n default + ``` + +1. Create secret resources that include the key, certificate, and CA certificate files for ScalarDB Cluster. + + ```console + kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=${HOME}/scalardb-cluster-test/certs/ca.pem -n default + kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=${HOME}/scalardb-cluster-test/certs/scalardb-cluster.pem -n default + kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=${HOME}/scalardb-cluster-test/certs/scalardb-cluster-key.pem -n default + ``` + +1. Set the chart version of ScalarDB Cluster. + + ```console + SCALAR_DB_CLUSTER_VERSION=3.12.1 + SCALAR_DB_CLUSTER_CHART_VERSION=$(helm search repo scalar-labs/scalardb-cluster -l | grep -F "${SCALAR_DB_CLUSTER_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1) + ``` + +1. Deploy ScalarDB Cluster. + + ```console + helm install scalardb-cluster scalar-labs/scalardb-cluster -f ${HOME}/scalardb-cluster-test/scalardb-cluster-custom-values.yaml --version ${SCALAR_DB_CLUSTER_CHART_VERSION} -n default + ``` + +1. Check if the ScalarDB Cluster pods are deployed. + + ```console + kubectl get pod -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + postgresql-scalardb-cluster-0 1/1 Running 0 4m30s + scalardb-cluster-envoy-7cc948dfb-4rb8l 1/1 Running 0 18s + scalardb-cluster-envoy-7cc948dfb-hwt96 1/1 Running 0 18s + scalardb-cluster-envoy-7cc948dfb-rzbrx 1/1 Running 0 18s + scalardb-cluster-node-7c6959c79d-445kj 1/1 Running 0 18s + scalardb-cluster-node-7c6959c79d-4z54q 1/1 Running 0 18s + scalardb-cluster-node-7c6959c79d-vcv96 1/1 Running 0 18s + ``` + If the ScalarDB Cluster pods are deployed properly, the `STATUS` column for those pods will be displayed as `Running`. + +1. Check if the ScalarDB Cluster services are deployed. + + ```console + kubectl get svc -n default + ``` + + [Command execution result] + + ```console + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + kubernetes ClusterIP 10.96.0.1 443/TCP 7h34m + postgresql-scalardb-cluster ClusterIP 10.96.92.27 5432/TCP 4m52s + postgresql-scalardb-cluster-hl ClusterIP None 5432/TCP 4m52s + scalardb-cluster-envoy ClusterIP 10.96.250.175 60053/TCP 40s + scalardb-cluster-envoy-metrics ClusterIP 10.96.40.197 9001/TCP 40s + scalardb-cluster-headless ClusterIP None 60053/TCP 40s + scalardb-cluster-metrics ClusterIP 10.96.199.135 9080/TCP 40s + ``` + + If the ScalarDB Cluster services are deployed properly, you can see private IP addresses in the `CLUSTER-IP` column. + +{% capture notice--info %} +**Note** + +The `CLUSTER-IP` values for `postgresql-scalardb-cluster-hl` and `scalardb-cluster-headless` are `None` since they have no IP addresses. +{% endcapture %} + +
{{ notice--info | markdownify }}
+ +## Step 6. Start a client container + +You'll use the CA certificate file in a client container. Therefore, you'll need to create a secret resource and mount it to the client container. + +1. Create a secret resource named `client-ca-cert`. + + ```console + kubectl create secret generic client-ca-cert --from-file=certificate=${HOME}/scalardb-cluster-test/certs/ca.pem -n default + ``` + +1. Create a manifest file for a client pod (`scalardb-cluster-client-pod.yaml`). + + ```console + cat << 'EOF' > ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml + apiVersion: v1 + kind: Pod + metadata: + name: "scalardb-cluster-client" + spec: + containers: + - name: scalardb-cluster-client + image: eclipse-temurin:8 + command: ['sleep'] + args: ['inf'] + env: + - name: SCALAR_DB_CLUSTER_VERSION + value: SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION + volumeMounts: + - name: "client-ca-cert" + mountPath: "/certs/ca/ca.pem" + subPath: certificate + readOnly: true + volumes: + - name: "client-ca-cert" + secret: + secretName: "client-ca-cert" + restartPolicy: Never + EOF + ``` + +1. Set the ScalarDB Cluster version in the manifest file. + + ```console + sed -i s/SCALAR_DB_CLUSTER_CLIENT_POD_SCALAR_DB_CLUSTER_VERSION/${SCALAR_DB_CLUSTER_VERSION}/ ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml + ``` + +1. Deploy the client pod. + + ```console + kubectl apply -f ${HOME}/scalardb-cluster-test/scalardb-cluster-client-pod.yaml -n default + ``` + +1. Check if the client container is running. + + ```console + kubectl get pod scalardb-cluster-client -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + scalardb-cluster-client 1/1 Running 0 26s + ``` + +## Step 7. Download and copy the ScalarDB Cluster SQL CLI to the client container + +1. Download the ScalarDB Cluster SQL CLI from [Releases](https://github.com/scalar-labs/scalardb/releases) into the directory `${HOME}/scalardb-cluster-test/`. + +1. Copy the ScalarDB Cluster SQL CLI to the client container. + + ```console + kubectl cp ${HOME}/scalardb-cluster-test/scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar scalardb-cluster-client:/ + ``` + +## Step 8. Run the ScalarDB Cluster SQL CLI in the client container + +1. Run bash in the client container. + + ```console + kubectl exec -it scalardb-cluster-client -n default -- bash + ``` + The commands in the following steps must be run in the client container. + +1. Create a `database.properties` file and add configurations. + + ```console + cat << 'EOF' > /database.properties + # ScalarDB Cluster configurations + scalar.db.sql.connection_mode=cluster + scalar.db.sql.cluster_mode.contact_points=indirect:scalardb-cluster-envoy.default.svc.cluster.local + + # Auth configurations + scalar.db.cluster.auth.enabled=true + scalar.db.sql.cluster_mode.username=admin + scalar.db.sql.cluster_mode.password=admin + + # TLS configurations + scalar.db.cluster.tls.enabled=true + scalar.db.cluster.tls.ca_root_cert_path=/certs/ca/ca.pem + scalar.db.cluster.tls.override_authority=envoy.scalar.example.com + EOF + ``` + +1. Run the ScalarDB Cluster SQL CLI. + + ```console + java -jar /scalardb-cluster-sql-cli-${SCALAR_DB_CLUSTER_VERSION}-all.jar --config /database.properties + ``` + +1. Create a sample namespace named `ns`. + + ```sql + CREATE NAMESPACE ns; + ``` + +1. Create a sample table named `tbl` under the namespace `ns`. + + ```sql + CREATE TABLE ns.tbl (a INT, b INT, c INT, PRIMARY KEY(a, b)); + ``` + +1. Insert sample records. + + ```sql + INSERT INTO ns.tbl VALUES (1,2,3), (4,5,6), (7,8,9); + ``` + +1. Select the sample records that you inserted. + + ```sql + SELECT * FROM ns.tbl; + ``` + + [Command execution result] + + ```sql + 0: scalardb> SELECT * FROM ns.tbl; + +---+---+---+ + | a | b | c | + +---+---+---+ + | 7 | 8 | 9 | + | 1 | 2 | 3 | + | 4 | 5 | 6 | + +---+---+---+ + 3 rows selected (0.059 seconds) + ``` + +## Step 9. Delete all resources + +After completing the ScalarDB Cluster tests on the Kubernetes cluster, remove all resources. + +1. Uninstall ScalarDB Cluster and PostgreSQL. + + ```console + helm uninstall -n default scalardb-cluster postgresql-scalardb-cluster + ``` + +1. Remove the client container. + + ``` + kubectl delete pod scalardb-cluster-client --grace-period 0 -n default + ``` + +1. Remove the working directory and sample files (configuration file, private key, and certificate). + + ```console + cd ${HOME} + ``` + + ```console + rm -rf ${HOME}/scalardb-cluster-test/ + ``` + +## Further reading + +You can see how to get started with monitoring or logging for Scalar products in the following tutorials: + +* [Getting Started with Helm Charts (Monitoring using Prometheus Operator)](getting-started-monitoring.md) +* [Getting Started with Helm Charts (Logging using Loki Stack)](getting-started-logging.md) +* [Getting Started with Helm Charts (Scalar Manager)](getting-started-scalar-manager.md) diff --git a/docs/3.10/helm-charts/getting-started-scalardl-auditor-tls.md b/docs/3.10/helm-charts/getting-started-scalardl-auditor-tls.md new file mode 100644 index 00000000..c2275a48 --- /dev/null +++ b/docs/3.10/helm-charts/getting-started-scalardl-auditor-tls.md @@ -0,0 +1,1031 @@ +# Getting Started with Helm Charts (ScalarDL Ledger and Auditor with TLS / Auditor Mode) + +This tutorial explains how to get started with ScalarDL Ledger and ScalarDL Auditor with TLS configurations by using Helm Charts on a Kubernetes cluster as a test environment. Before starting, you should already have a Mac or Linux environment for testing. In addition, although this tutorial mentions using **minikube**, the steps described should work in any Kubernetes cluster. + +## Requirements + +* You need to have a license key (trial license or commercial license) for ScalarDL. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). +* You need to use ScalarDL 3.9 or later, which supports TLS. + +{% capture notice--info %} +**Note** + +To make Byzantine fault detection with auditing work properly, ScalarDL Ledger and ScalarDL Auditor should be deployed and managed in different administrative domains. However, in this tutorial, we will deploy ScalarDL Ledger and ScalarDL Auditor in the same Kubernetes cluster to make the test easier. +{% endcapture %} + +
{{ notice--info | markdownify }}
+ +## What you'll create + +In this tutorial, you'll deploy the following components on a Kubernetes cluster in the following way: + +``` ++-----------------------------------------------------------------------------------------------------------------------------+ +| [Kubernetes Cluster] | +| [Pod] [Pod] [Pod] | +| | +| +-------+ +---------+ | +| +---> | Envoy | ---+ +---> | Ledger | ---+ | +| | +-------+ | | +---------+ | | +| | | | | | +| +---------+ | +-------+ | +-----------+ | +---------+ | +---------------+ | +| +---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | Ledger | ---+---> | PostgreSQL | | +| | | (Envoy) | | +-------+ | | (Ledger) | | +---------+ | | (For Ledger) | | +| | +---------+ | | +-----------+ | | +---------------+ | +| [Pod] | | +-------+ | | +---------+ | | +| | +---> | Envoy | ---+ +---> | Ledger | ---+ | +| +--------+ | +-------+ +---------+ | +| | Client | ---+ | +| +--------+ | +-------+ +---------+ | +| | +---> | Envoy | ---+ +---> | Auditor | ---+ | +| | | +-------+ | | +---------+ | | +| | | | | | | +| | +---------+ | +-------+ | +-----------+ | +---------+ | +---------------+ | +| +---> | Service | ---+---> | Envoy | ---+---> | Service | ---+---> | Auditor | ---+---> | PostgreSQL | | +| | (Envoy) | | +-------+ | | (Auditor) | | +---------+ | | (For Auditor) | | +| +---------+ | | +-----------+ | | +---------------+ | +| | +-------+ | | +---------+ | | +| +---> | Envoy | ---+ +---> | Auditor | ---+ | +| +-------+ +---------+ | +| | ++-----------------------------------------------------------------------------------------------------------------------------+ +``` + +You'll also create the following private key and certificate files for TLS connections. + +``` + +----------------------+ + +---> | For Scalar Envoy | + | +----------------------+ + | | envoy-key.pem | + | | envoy.pem | + | +----------------------+ + | ++----------------------+ | +----------------------+ +| Self-managed CA | ---(Sign certificates)---+---> | For ScalarDL Ledger | ++----------------------+ | +----------------------+ +| ca-key.pem | | | ledger-key.pem | +| ca.pem | | | ledger.pem | ++----------------------+ | +----------------------+ + | + | +----------------------+ + +---> | For ScalarDL Auditor | + +----------------------+ + | auditor-key.pem | + | auditor.pem | + +----------------------+ +``` + +You'll set each private key and certificate file as follows to enable TLS in each connection. + +``` + +--------------------------------+ +--------------------------------+ + +-------(Normal request)-----> | Envoy for ScalarDL Ledger | ---> | ScalarDL Ledger | + | +--------------------------------+ +--------------------------------+ + | +---(Recovery request)---> | envoy-key.pem | ---> | ledger-key.pem | + | | | envoy.pem | | ledger.pem | + | | | ca.pem (to verify ledger.pem) | | ca.pem (used for health check) | + | | +--------------------------------+ +--------------------------------+ ++--------------------------------+ | | +| Client | ---+ | ++--------------------------------+ | +--------------------------------------------------------------------------------------------------------+ +| ca.pem (to verify envoy.pem) | | | ++--------------------------------+ | | + | +--------------------------------+ +--------------------------------+ | + +-------(Normal request)-----> | Envoy for ScalarDL Auditor | ---> | ScalarDL Auditor | ---+ + +--------------------------------+ +--------------------------------+ + | envoy-key.pem | | auditor-key.pem | + | envoy.pem | | auditor.pem | + | ca.pem (to verify auditor.pem) | | ca.pem (used for health check) | + +--------------------------------+ | ca.pem (to verify ledger.pem) | + +--------------------------------+ +``` + +The following connections exist amongst the ScalarDL-related components: + +* **`Client - Envoy for ScalarDL Ledger`:** When you execute a ScalarDL API function, the client accesses Envoy for ScalarDL Ledger. +* **`Client - Envoy for ScalarDL Auditor`:** When you execute a ScalarDL API function, the client accesses Envoy for ScalarDL Auditor. +* **`Envoy for ScalarDL Ledger - ScalarDL Ledger`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDL Ledger. +* **`Envoy for ScalarDL Auditor - ScalarDL Auditor`:** Envoy works as an L7 (gRPC) load balancer in front of ScalarDL Auditor. +* **`ScalarDL Auditor - Envoy for ScalarDL Ledger (ScalarDL Ledger)`:** When ScalarDL needs to run the recovery process to keep data consistent, ScalarDL Auditor runs the request against ScalarDL Ledger via Envoy. + +## Step 1. Start a Kubernetes cluster and install tools + +You need to prepare a Kubernetes cluster and install some tools (`kubectl`, `helm`, `cfssl`, and `cfssljson`). For more details on how to install them, see [Getting Started with Scalar Helm Charts](getting-started-scalar-helm-charts.md). + +## Step 2. Start the PostgreSQL containers + +ScalarDL Ledger and ScalarDL Auditor must use some type of database system as a backend database. In this tutorial, you'll use PostgreSQL. + +You can deploy PostgreSQL on the Kubernetes cluster as follows: + +1. Add the Bitnami helm repository. + + ```console + helm repo add bitnami https://charts.bitnami.com/bitnami + ``` + +1. Deploy PostgreSQL for Ledger. + + ```console + helm install postgresql-ledger bitnami/postgresql \ + --set auth.postgresPassword=postgres \ + --set primary.persistence.enabled=false \ + -n default + ``` + +1. Deploy PostgreSQL for Auditor. + + ```console + helm install postgresql-auditor bitnami/postgresql \ + --set auth.postgresPassword=postgres \ + --set primary.persistence.enabled=false \ + -n default + ``` + +1. Check if the PostgreSQL containers are running. + + ```console + kubectl get pod -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + postgresql-auditor-0 1/1 Running 0 11s + postgresql-ledger-0 1/1 Running 0 16s + ``` + +## Step 3. Create a working directory + +You'll create some configuration files and private key and certificate files locally. Be sure to create a working directory for those files. + +1. Create a working directory. + + ```console + mkdir -p ${HOME}/scalardl-test/certs/ + ``` + +## Step 4. Create private key and certificate files + +{% capture notice--warning %} +**Attention** + +In this tutorial, a self-managed CA is used for testing. However, it is strongly recommended that these certificates **not** be used in production. Please prepare your certificate files based on the security requirements of your system. +{% endcapture %} + +
{{ notice--warning | markdownify }}
+ +1. Change the working directory to `${HOME}/scalardl-test/certs/`. + + ```console + cd ${HOME}/scalardl-test/certs/ + ``` + +1. Create a JSON file that includes CA information. + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/certs/ca.json + { + "CN": "scalar-test-ca", + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "Scalar Test CA" + } + ] + } + EOF + ``` + +1. Create the CA private key and certificate files. + + ```console + cfssl gencert -initca ca.json | cfssljson -bare ca + ``` + +1. Create a JSON file that includes CA configurations. + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/certs/ca-config.json + { + "signing": { + "default": { + "expiry": "87600h" + }, + "profiles": { + "scalar-test-ca": { + "expiry": "87600h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + } + } + } + } + EOF + ``` + +1. Create a JSON file that includes Envoy information. + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/certs/envoy.json + { + "CN": "scalar-envoy", + "hosts": [ + "envoy.scalar.example.com", + "localhost" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "Scalar Envoy Test" + } + ] + } + EOF + ``` + +1. Create a JSON file that includes ScalarDL Ledger information. + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/certs/ledger.json + { + "CN": "scalardl-ledger", + "hosts": [ + "ledger.scalardl.example.com", + "localhost" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "ScalarDL Ledger Test" + } + ] + } + EOF + ``` + +1. Create a JSON file that includes ScalarDL Auditor information. + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/certs/auditor.json + { + "CN": "scalardl-auditor", + "hosts": [ + "auditor.scalardl.example.com", + "localhost" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "JP", + "ST": "Tokyo", + "L": "Shinjuku", + "O": "ScalarDL Auditor Test" + } + ] + } + EOF + ``` + +1. Create private key and certificate files for Envoy. + + ```console + cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-test-ca envoy.json | cfssljson -bare envoy + ``` + +1. Create private key and certificate files for ScalarDL Ledger. + + ```console + cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-test-ca ledger.json | cfssljson -bare ledger + ``` + +1. Create private key and certificate files for ScalarDL Auditor. + + ```console + cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-test-ca auditor.json | cfssljson -bare auditor + ``` + +1. Confirm that the private key and certificate files were created. + + ```console + ls -1 + ``` + + [Command execution result] + + ```console + auditor-key.pem + auditor.csr + auditor.json + auditor.pem + ca-config.json + ca-key.pem + ca.csr + ca.json + ca.pem + envoy-key.pem + envoy.csr + envoy.json + envoy.pem + ledger-key.pem + ledger.csr + ledger.json + ledger.pem + ``` + +## Step 5. Create database schemas for ScalarDL Ledger and ScalarDL Auditor by using Helm Charts + +You'll deploy two ScalarDL Schema Loader pods on the Kubernetes cluster by using Helm Charts. The ScalarDL Schema Loader will create the database schemas for ScalarDL Ledger and Auditor in PostgreSQL. + +1. Change the working directory to `${HOME}/scalardl-test/`. + + ```console + cd ${HOME}/scalardl-test/ + ``` + +1. Add the Scalar Helm Charts repository. + + ```console + helm repo add scalar-labs https://scalar-labs.github.io/helm-charts + ``` + +1. Create a custom values file for ScalarDL Schema Loader for Ledger (`schema-loader-ledger-custom-values.yaml`). + + {% raw %} + ```console + cat << 'EOF' > ${HOME}/scalardl-test/schema-loader-ledger-custom-values.yaml + schemaLoading: + schemaType: "ledger" + databaseProperties: | + scalar.db.contact_points=jdbc:postgresql://postgresql-ledger.default.svc.cluster.local:5432/postgres + scalar.db.username=${env:SCALAR_DL_LEDGER_POSTGRES_USERNAME} + scalar.db.password=${env:SCALAR_DL_LEDGER_POSTGRES_PASSWORD} + scalar.db.storage=jdbc + secretName: "schema-ledger-credentials-secret" + EOF + ``` + {% endraw %} + +1. Create a custom values file for ScalarDL Schema Loader for Auditor (`schema-loader-auditor-custom-values.yaml`). + + {% raw %} + ```console + cat << 'EOF' > ${HOME}/scalardl-test/schema-loader-auditor-custom-values.yaml + schemaLoading: + schemaType: "auditor" + databaseProperties: | + scalar.db.contact_points=jdbc:postgresql://postgresql-auditor.default.svc.cluster.local:5432/postgres + scalar.db.username=${env:SCALAR_DL_AUDITOR_POSTGRES_USERNAME} + scalar.db.password=${env:SCALAR_DL_AUDITOR_POSTGRES_PASSWORD} + scalar.db.storage=jdbc + secretName: "schema-auditor-credentials-secret" + EOF + ``` + {% endraw %} + +1. Create a secret resource named `schema-ledger-credentials-secret` that includes a username and password for PostgreSQL for ScalarDL Ledger. + + ```console + kubectl create secret generic schema-ledger-credentials-secret \ + --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \ + --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \ + -n default + ``` + +1. Create a secret resource named `schema-auditor-credentials-secret` that includes a username and password for PostgreSQL for ScalarDL Auditor. + + ```console + kubectl create secret generic schema-auditor-credentials-secret \ + --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \ + --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \ + -n default + ``` + +1. Set the chart version of ScalarDL Schema Loader. + + ```console + SCALAR_DL_VERSION=3.9.0 + SCALAR_DL_SCHEMA_LOADER_CHART_VERSION=$(helm search repo scalar-labs/schema-loading -l | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1) + ``` + +1. Deploy ScalarDL Schema Loader for ScalarDL Ledger. + + ```console + helm install schema-loader-ledger scalar-labs/schema-loading -f ${HOME}/scalardl-test/schema-loader-ledger-custom-values.yaml --version ${SCALAR_DL_SCHEMA_LOADER_CHART_VERSION} -n default + ``` + +1. Deploy ScalarDL Schema Loader for ScalarDL Auditor. + + ```console + helm install schema-loader-auditor scalar-labs/schema-loading -f ${HOME}/scalardl-test/schema-loader-auditor-custom-values.yaml --version ${SCALAR_DL_SCHEMA_LOADER_CHART_VERSION} -n default + ``` + +1. Check if the ScalarDL Schema Loader pods are deployed with the status `Completed`. + + ```console + kubectl get pod -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + postgresql-auditor-0 1/1 Running 0 2m56s + postgresql-ledger-0 1/1 Running 0 3m1s + schema-loader-auditor-schema-loading-dvc5r 0/1 Completed 0 6s + schema-loader-ledger-schema-loading-mtllb 0/1 Completed 0 10s + ``` + + If the status of the ScalarDL Schema Loader pods are **ContainerCreating** or **Running**, wait for the `STATUS` column for those pods to show as `Completed`. + +## Step 6. Deploy ScalarDL Ledger and ScalarDL Auditor on the Kubernetes cluster by using Helm Charts + +1. Create a custom values file for ScalarDL Ledger (`scalardl-ledger-custom-values.yaml`). + + {% raw %} + ```console + cat << 'EOF' > ${HOME}/scalardl-test/scalardl-ledger-custom-values.yaml + envoy: + + tls: + downstream: + enabled: true + certChainSecret: "envoy-tls-cert" + privateKeySecret: "envoy-tls-key" + upstream: + enabled: true + overrideAuthority: "ledger.scalardl.example.com" + caRootCertSecret: "scalardl-ledger-tls-ca" + + ledger: + + image: + repository: "ghcr.io/scalar-labs/scalardl-ledger-byol" + + ledgerProperties: | + ### Storage configurations + scalar.db.storage=jdbc + scalar.db.contact_points=jdbc:postgresql://postgresql-ledger.default.svc.cluster.local:5432/postgres + scalar.db.username=${env:SCALAR_DL_LEDGER_POSTGRES_USERNAME} + scalar.db.password=${env:SCALAR_DL_LEDGER_POSTGRES_PASSWORD} + + ### Ledger configurations + scalar.dl.ledger.proof.enabled=true + scalar.dl.ledger.auditor.enabled=true + scalar.dl.ledger.authentication.method=hmac + scalar.dl.ledger.authentication.hmac.cipher_key=${env:SCALAR_DL_LEDGER_HMAC_CIPHER_KEY} + scalar.dl.ledger.servers.authentication.hmac.secret_key=${env:SCALAR_DL_LEDGER_HMAC_SECRET_KEY} + + ### TLS configurations + scalar.dl.ledger.server.tls.enabled=true + scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem + + ### License key configurations + scalar.dl.licensing.license_key=${env:SCALAR_DL_LICENSE_KEY} + scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LICENSE_CHECK_CERT_PEM} + + tls: + enabled: true + overrideAuthority: "ledger.scalardl.example.com" + caRootCertSecret: "scalardl-ledger-tls-ca" + certChainSecret: "scalardl-ledger-tls-cert" + privateKeySecret: "scalardl-ledger-tls-key" + + secretName: "ledger-credentials-secret" + EOF + ``` + {% endraw %} + +1. Create a custom values file for ScalarDL Auditor (`scalardl-auditor-custom-values.yaml`). + + {% raw %} + ```console + cat << 'EOF' > ${HOME}/scalardl-test/scalardl-auditor-custom-values.yaml + envoy: + + tls: + downstream: + enabled: true + certChainSecret: "envoy-tls-cert" + privateKeySecret: "envoy-tls-key" + upstream: + enabled: true + overrideAuthority: "auditor.scalardl.example.com" + caRootCertSecret: "scalardl-auditor-tls-ca" + + auditor: + image: + repository: "ghcr.io/scalar-labs/scalardl-auditor-byol" + + auditorProperties: | + ### Storage configurations + scalar.db.storage=jdbc + scalar.db.contact_points=jdbc:postgresql://postgresql-auditor.default.svc.cluster.local:5432/postgres + scalar.db.username=${env:SCALAR_DL_AUDITOR_POSTGRES_USERNAME} + scalar.db.password=${env:SCALAR_DL_AUDITOR_POSTGRES_PASSWORD} + + ### Auditor configurations + scalar.dl.auditor.ledger.host=scalardl-ledger-envoy.default.svc.cluster.local + scalar.dl.auditor.authentication.method=hmac + scalar.dl.auditor.authentication.hmac.cipher_key=${env:SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY} + scalar.dl.auditor.servers.authentication.hmac.secret_key=${env:SCALAR_DL_AUDITOR_HMAC_SECRET_KEY} + + ### TLS configurations + scalar.dl.auditor.server.tls.enabled=true + scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem + scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem + scalar.dl.auditor.tls.enabled=true + scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem + scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com + + ### License key configurations + scalar.dl.licensing.license_key=${env:SCALAR_DL_LICENSE_KEY} + scalar.dl.licensing.license_check_cert_pem=${env:SCALAR_DL_LICENSE_CHECK_CERT_PEM} + + tls: + enabled: true + overrideAuthority: "auditor.scalardl.example.com" + caRootCertSecret: "scalardl-auditor-tls-ca" + certChainSecret: "scalardl-auditor-tls-cert" + privateKeySecret: "scalardl-auditor-tls-key" + caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger" + + secretName: "auditor-credentials-secret" + EOF + ``` + {% endraw %} + +1. Set your license key and certificate as environment variables. If you don't have a license key, please [contact us](https://www.scalar-labs.com/contact). + + ```console + SCALAR_DL_LICENSE_KEY= + SCALAR_DL_LICENSE_CHECK_CERT_PEM= + ``` + +1. Create a secret resource named `ledger-credentials-secret` that includes credentials and a license key. + + ```console + kubectl create secret generic ledger-credentials-secret \ + --from-literal=SCALAR_DL_LEDGER_POSTGRES_USERNAME=postgres \ + --from-literal=SCALAR_DL_LEDGER_POSTGRES_PASSWORD=postgres \ + --from-literal=SCALAR_DL_LEDGER_HMAC_CIPHER_KEY=ledger-hmac-cipher-key \ + --from-literal=SCALAR_DL_LEDGER_HMAC_SECRET_KEY=scalardl-hmac-secret-key \ + --from-literal=SCALAR_DL_LICENSE_KEY=${SCALAR_DL_LICENSE_KEY} \ + --from-literal=SCALAR_DL_LICENSE_CHECK_CERT_PEM=${SCALAR_DL_LICENSE_CHECK_CERT_PEM} \ + -n default + ``` + +1. Create a secret resource named `auditor-credentials-secret` that includes credentials and a license key. + + ```console + kubectl create secret generic auditor-credentials-secret \ + --from-literal=SCALAR_DL_AUDITOR_POSTGRES_USERNAME=postgres \ + --from-literal=SCALAR_DL_AUDITOR_POSTGRES_PASSWORD=postgres \ + --from-literal=SCALAR_DL_AUDITOR_HMAC_CIPHER_KEY=auditor-hmac-cipher-key \ + --from-literal=SCALAR_DL_AUDITOR_HMAC_SECRET_KEY=scalardl-hmac-secret-key \ + --from-literal=SCALAR_DL_LICENSE_KEY=${SCALAR_DL_LICENSE_KEY} \ + --from-literal=SCALAR_DL_LICENSE_CHECK_CERT_PEM=${SCALAR_DL_LICENSE_CHECK_CERT_PEM} \ + -n default + ``` + +1. Create secret resources that include the private key and certificate files for Envoy. + + ```console + kubectl create secret generic envoy-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/envoy.pem -n default + kubectl create secret generic envoy-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/envoy-key.pem -n default + ``` + +1. Create secret resources that include the private key, certificate, and CA certificate files for ScalarDL Ledger. + + ```console + kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=${HOME}/scalardl-test/certs/ca.pem -n default + kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/ledger.pem -n default + kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/ledger-key.pem -n default + ``` + +1. Create secret resources that include the private key, certificate, and CA certificate files for ScalarDL Auditor. + + ```console + kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=${HOME}/scalardl-test/certs/ca.pem -n default + kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=${HOME}/scalardl-test/certs/auditor.pem -n default + kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=${HOME}/scalardl-test/certs/auditor-key.pem -n default + kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=${HOME}/scalardl-test/certs/ca.pem -n default + ``` + +1. Create a secret resource named `auditor-keys` to disable the `digital-signature` authentication method. In this tutorial, you'll use the `hmac` authentication method instead of `digital-signature`. + + ```console + kubectl create secret generic auditor-keys \ + --from-literal=private-key=dummy-data-to-disable-digital-signature-method \ + --from-literal=certificate=dummy-data-to-disable-digital-signature-method \ + -n default + ``` + Note: If you use `hmac` as an authentication method, you have to create a dummy secret `auditor-key` to disable `digital-signature` on the helm chart side. + +1. Set the chart version of ScalarDL Ledger and ScalarDL Auditor. + + ```console + SCALAR_DL_LEDGER_CHART_VERSION=$(helm search repo scalar-labs/scalardl -l | grep -v -e "scalar-labs/scalardl-audit" | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1) + SCALAR_DL_AUDITOR_CHART_VERSION=$(helm search repo scalar-labs/scalardl-audit -l | grep -F "${SCALAR_DL_VERSION}" | awk '{print $2}' | sort --version-sort -r | head -n 1) + ``` + +1. Deploy ScalarDL Ledger. + + ```console + helm install scalardl-ledger scalar-labs/scalardl -f ${HOME}/scalardl-test/scalardl-ledger-custom-values.yaml --version ${SCALAR_DL_LEDGER_CHART_VERSION} -n default + ``` + +1. Deploy ScalarDL Auditor. + + ```console + helm install scalardl-auditor scalar-labs/scalardl-audit -f ${HOME}/scalardl-test/scalardl-auditor-custom-values.yaml --version ${SCALAR_DL_AUDITOR_CHART_VERSION} -n default + ``` + +1. Check if the ScalarDL Ledger and ScalarDL Auditor pods are deployed. + + ```console + kubectl get pod -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + postgresql-auditor-0 1/1 Running 0 14m + postgresql-ledger-0 1/1 Running 0 14m + scalardl-auditor-auditor-5b885ff4c8-fwkpf 1/1 Running 0 18s + scalardl-auditor-auditor-5b885ff4c8-g69cb 1/1 Running 0 18s + scalardl-auditor-auditor-5b885ff4c8-nsmnq 1/1 Running 0 18s + scalardl-auditor-envoy-689bcbdf65-5mn6v 1/1 Running 0 18s + scalardl-auditor-envoy-689bcbdf65-fpq8j 1/1 Running 0 18s + scalardl-auditor-envoy-689bcbdf65-lsz2t 1/1 Running 0 18s + scalardl-ledger-envoy-547bbf7546-n7p5x 1/1 Running 0 26s + scalardl-ledger-envoy-547bbf7546-p8nwp 1/1 Running 0 26s + scalardl-ledger-envoy-547bbf7546-pskpb 1/1 Running 0 26s + scalardl-ledger-ledger-6db5dc8774-5zsbj 1/1 Running 0 26s + scalardl-ledger-ledger-6db5dc8774-vnmrw 1/1 Running 0 26s + scalardl-ledger-ledger-6db5dc8774-wpjvs 1/1 Running 0 26s + schema-loader-auditor-schema-loading-dvc5r 0/1 Completed 0 11m + schema-loader-ledger-schema-loading-mtllb 0/1 Completed 0 11m + ``` + + If the ScalarDL Ledger and ScalarDL Auditor pods are deployed properly, the `STATUS` column for those pods will be displayed as `Running`. + +1. Check if the ScalarDL Ledger and ScalarDL Auditor services are deployed. + + ```console + kubectl get svc -n default + ``` + + [Command execution result] + + ```console + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + kubernetes ClusterIP 10.96.0.1 443/TCP 47d + postgresql-auditor ClusterIP 10.107.9.78 5432/TCP 15m + postgresql-auditor-hl ClusterIP None 5432/TCP 15m + postgresql-ledger ClusterIP 10.108.241.181 5432/TCP 15m + postgresql-ledger-hl ClusterIP None 5432/TCP 15m + scalardl-auditor-envoy ClusterIP 10.100.61.202 40051/TCP,40052/TCP 55s + scalardl-auditor-envoy-metrics ClusterIP 10.99.6.227 9001/TCP 55s + scalardl-auditor-headless ClusterIP None 40051/TCP,40053/TCP,40052/TCP 55s + scalardl-auditor-metrics ClusterIP 10.108.1.147 8080/TCP 55s + scalardl-ledger-envoy ClusterIP 10.101.191.116 50051/TCP,50052/TCP 61s + scalardl-ledger-envoy-metrics ClusterIP 10.106.52.103 9001/TCP 61s + scalardl-ledger-headless ClusterIP None 50051/TCP,50053/TCP,50052/TCP 61s + scalardl-ledger-metrics ClusterIP 10.99.122.106 8080/TCP 61s + ``` + + If the ScalarDL Ledger and ScalarDL Auditor services are deployed properly, you can see private IP addresses in the `CLUSTER-IP` column. + +{% capture notice--info %} +**Note** + +The `CLUSTER-IP` values for `scalardl-ledger-headless`, `scalardl-auditor-headless`, `postgresql-ledger-hl`, and `postgresql-auditor-hl` are `None` since they have no IP addresses. +{% endcapture %} + +
{{ notice--info | markdownify }}
+ +## Step 7. Start a client container + +You'll use the CA certificate file in a client container. Therefore, you'll need to create a secret resource and mount it to the client container. + + +1. Create a secret resource named `client-ca-cert`. + + ```console + kubectl create secret generic client-ca-cert --from-file=certificate=${HOME}/scalardl-test/certs/ca.pem -n default + ``` + +1. Create a manifest file for a client pod (`scalardl-client-pod.yaml`). + + ```console + cat << 'EOF' > ${HOME}/scalardl-test/scalardl-client-pod.yaml + apiVersion: v1 + kind: Pod + metadata: + name: "scalardl-client" + spec: + containers: + - name: scalardl-client + image: eclipse-temurin:8 + command: ['sleep'] + args: ['inf'] + env: + - name: SCALAR_DL_VERSION + value: SCALAR_DL_CLIENT_POD_SCALAR_DL_VERSION + volumeMounts: + - name: "client-ca-cert" + mountPath: "/certs/ca/ca.pem" + subPath: certificate + readOnly: true + volumes: + - name: "client-ca-cert" + secret: + secretName: "client-ca-cert" + restartPolicy: Never + EOF + ``` + +1. Set the ScalarDL version in the manifest file. + + ```console + sed -i s/SCALAR_DL_CLIENT_POD_SCALAR_DL_VERSION/${SCALAR_DL_VERSION}/ ${HOME}/scalardl-test/scalardl-client-pod.yaml + ``` + +1. Deploy the client pod. + + ```console + kubectl apply -f ${HOME}/scalardl-test/scalardl-client-pod.yaml -n default + ``` + +1. Check if the client container is running. + + ```console + kubectl get pod scalardl-client -n default + ``` + + [Command execution result] + + ```console + NAME READY STATUS RESTARTS AGE + scalardl-client 1/1 Running 0 4s + ``` + +## Step 8. Run ScalarDL sample contracts in the client container + +The following explains the minimum steps needed to run sample contracts. For more details about ScalarDL Ledger and ScalarDL Auditor, see the following: + +* [Getting Started with ScalarDL](https://github.com/scalar-labs/scalardl/blob/master/docs/getting-started.md) +* [Getting Started with ScalarDL Auditor](https://github.com/scalar-labs/scalardl/blob/master/docs/getting-started-auditor.md) + +1. Run bash in the client container. + + ```console + kubectl exec -it scalardl-client -n default -- bash + ``` + The commands in the following steps must be run in the client container. + +1. Install the git, curl, and unzip commands in the client container. + + ```console + apt update && apt install -y git curl unzip + ``` + +1. Clone the ScalarDL Java Client SDK git repository. + + ```console + git clone https://github.com/scalar-labs/scalardl-java-client-sdk.git + ``` + +1. Change the working directory to `scalardl-java-client-sdk/`. + + ```console + cd scalardl-java-client-sdk/ + ``` + + ```console + pwd + ``` + + [Command execution result] + + ```console + /scalardl-java-client-sdk + ``` + +1. Change the branch to the version you're using. + + ```console + git checkout -b v${SCALAR_DL_VERSION} refs/tags/v${SCALAR_DL_VERSION} + ``` + +1. Build the sample contracts. + + ```console + ./gradlew assemble + ``` + +1. Download the CLI tools for ScalarDL from [ScalarDL Java Client SDK Releases](https://github.com/scalar-labs/scalardl-java-client-sdk/releases). + + ```console + curl -OL https://github.com/scalar-labs/scalardl-java-client-sdk/releases/download/v${SCALAR_DL_VERSION}/scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip + ``` + You need to use the same version of CLI tools and ScalarDL Ledger. + +1. Unzip the `scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip` file. + + ```console + unzip ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}.zip + ``` + +1. Create a configuration file named `client.properties` to access ScalarDL Ledger and ScalarDL Auditor on the Kubernetes cluster. + + ```console + cat << 'EOF' > client.properties + # Ledger configuration + scalar.dl.client.server.host=scalardl-ledger-envoy.default.svc.cluster.local + scalar.dl.client.tls.enabled=true + scalar.dl.client.tls.ca_root_cert_path=/certs/ca/ca.pem + scalar.dl.client.tls.override_authority=envoy.scalar.example.com + + # Auditor configuration + scalar.dl.client.auditor.enabled=true + scalar.dl.client.auditor.host=scalardl-auditor-envoy.default.svc.cluster.local + scalar.dl.client.auditor.tls.enabled=true + scalar.dl.client.auditor.tls.ca_root_cert_path=/certs/ca/ca.pem + scalar.dl.client.auditor.tls.override_authority=envoy.scalar.example.com + + # Client configuration + scalar.dl.client.authentication_method=hmac + scalar.dl.client.entity.id=client + scalar.dl.client.entity.identity.hmac.secret_key=scalardl-hmac-client-secert-key + EOF + ``` + +1. Register the client secret. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-secret --config ./client.properties + ``` + +1. Register the sample contract `StateUpdater`. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id StateUpdater --contract-binary-name com.org1.contract.StateUpdater --contract-class-file ./build/classes/java/main/com/org1/contract/StateUpdater.class + ``` + +1. Register the sample contract `StateReader`. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id StateReader --contract-binary-name com.org1.contract.StateReader --contract-class-file ./build/classes/java/main/com/org1/contract/StateReader.class + ``` + +1. Register the contract `ValidateLedger` to execute a validate request. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl register-contract --config ./client.properties --contract-id validate-ledger --contract-binary-name com.scalar.dl.client.contract.ValidateLedger --contract-class-file ./build/classes/java/main/com/scalar/dl/client/contract/ValidateLedger.class + ``` + +1. Execute the contract `StateUpdater`. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl execute-contract --config ./client.properties --contract-id StateUpdater --contract-argument '{"asset_id": "test_asset", "state": 3}' + ``` + This sample contract updates the `state` (value) of the asset named `test_asset` to `3`. + +1. Execute the contract `StateReader`. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl execute-contract --config ./client.properties --contract-id StateReader --contract-argument '{"asset_id": "test_asset"}' + ``` + + [Command execution result] + + ```console + Contract result: + { + "id" : "test_asset", + "age" : 0, + "output" : { + "state" : 3 + } + } + ``` + + ### Reference + + * If the asset data is not tampered with, running the `execute-contract` command to request contract execution will return `OK` as a result. + * If the asset data is tampered with (for example, if the `state` value in the database is tampered with), running the `execute-contract` command to request contract execution will return a value other than `OK` (for example, `INCONSISTENT_STATES`) as a result. See the following as an example for how ScalarDL detects data tampering. + + [Command execution result (if the asset data is tampered with)] + + ```console + { + "status_code" : "INCONSISTENT_STATES", + "error_message" : "The results from Ledger and Auditor don't match" + } + ``` + +1. Execute a validation request for the asset. + + ```console + ./scalardl-java-client-sdk-${SCALAR_DL_VERSION}/bin/scalardl validate-ledger --config ./client.properties --asset-id "test_asset" + ``` + + [Command execution result] + + ```console + { + "status_code" : "OK", + "Ledger" : { + "id" : "test_asset", + "age" : 0, + "nonce" : "3533427d-03cf-41d1-bf95-4d31eb0cb24d", + "hash" : "FiquvtPMKLlxKf4VGoccSAGsi9ptn4ozYVVTwdSzEQ0=", + "signature" : "MEYCIQDiiXqzw6K+Ml4uvn8rK43o5wHWESU3hoXnZPi6/OeKVwIhAM+tFBcapl6zg47Uq0Uc8nVNGWNHZLBDBGve3F0xkzTR" + }, + "Auditor" : { + "id" : "test_asset", + "age" : 0, + "nonce" : "3533427d-03cf-41d1-bf95-4d31eb0cb24d", + "hash" : "FiquvtPMKLlxKf4VGoccSAGsi9ptn4ozYVVTwdSzEQ0=", + "signature" : "MEUCIQDLsfUR2PmxSvfpL3YvHJUkz00RDpjCdctkroZKXE8d5QIgH73FQH2e11jfnynD00Pp9DrIG1vYizxDsvxUsMPo9IU=" + } + } + ``` + + ### Reference + + * If the asset data is not tampered with, running the `validate-ledger` command to request validation will return `OK` as the result. + * If the asset data is tampered with (for example, if the `state` value in the database is tampered with), running the `validate-ledger` command to request validation will return a value other than `OK` (for example, `INVALID_OUTPUT`) as a result. See the following as an example for how ScalarDL detects data tampering. + + [Command execution result (if the asset data is tampered with)] + + ```console + { + "status_code" : "INCONSISTENT_STATES", + "error_message" : "The results from Ledger and Auditor don't match" + } + ``` + +## Step 9. Delete all resources + +After completing the ScalarDL Ledger and ScalarDL Auditor tests on the Kubernetes cluster, remove all resources. + +1. Uninstall ScalarDL Ledger, ScalarDL Auditor, ScalarDL Schema Loader, and PostgreSQL. + + ```console + helm uninstall -n default scalardl-ledger schema-loader-ledger postgresql-ledger scalardl-auditor schema-loader-auditor postgresql-auditor + ``` + +1. Remove the client container. + + ``` + kubectl delete pod scalardl-client --grace-period 0 -n default + ``` + +1. Remove the working directory and sample files (configuration file, private key, and certificate). + + ```console + cd ${HOME} + ``` + + ```console + rm -rf ${HOME}/scalardl-test/ + ``` + +## Further reading + +You can see how to get started with monitoring or logging for Scalar products in the following tutorials: + +* [Getting Started with Helm Charts (Monitoring using Prometheus Operator)](getting-started-monitoring.md) +* [Getting Started with Helm Charts (Logging using Loki Stack)](getting-started-logging.md) +* [Getting Started with Helm Charts (Scalar Manager)](getting-started-scalar-manager.md)