Platform Install
Step-by-step enterprise deployment guide for SettleMint Platform using Helm with production-ready configurations, security hardening, and multi-cluster support
Overview
This guide walks you through installing the SettleMint Platform with Helm in an enterprise production environment. Helm gives you a command-line installation with full control over the deployment itself, its security hardening and its compliance configuration.
What deployment approaches work best for enterprise environments?
Single Production Cluster
- Simplified management
- Lower operational overhead
- Suitable for smaller enterprises
- Cost-effective for moderate workloads
Multi-Cluster Enterprise
- Development, staging, production isolation
- Geographic distribution
- Enhanced disaster recovery
- Compliance boundary separation
Hybrid Multi-Cloud
- Cloud provider redundancy
- Regulatory compliance across regions
- Maximum availability and resilience
- Enterprise-grade disaster recovery
Prerequisites checklist for enterprise deployment
Before starting the installation, ensure you have completed enterprise-grade prerequisite setup:
Infrastructure & Access
- ✅ Completed all prerequisite services setup
- ✅ Validated infrastructure meets enterprise requirements
- ✅ Helm 3.x installed and configured
- ✅ kubectl access with cluster-admin permissions
- ✅ SettleMint license issued (includes registry credentials)
- ✅ Container registry access credentials
- ✅ SMTP server configured if using passwordless email login
Security & Compliance
- ✅ SSL/TLS certificates configured and validated
- ✅ HashiCorp Vault or equivalent secret management setup
- ✅ OAuth provider integration configured
- ✅ Network security policies reviewed and approved
- ✅ Backup and disaster recovery procedures established
Enterprise Security Validation
Before proceeding with production deployment, ensure your security team has reviewed and approved:
- Network firewall rules and ingress configuration
- SSL/TLS certificate chain and rotation procedures
- Secret management and encryption key handling
- Access control policies and RBAC configuration
- Audit logging and monitoring setup
Enterprise deployment workflow
Production installation steps
1. Sign in to the SettleMint helm registry
```bash
helm registry login harbor.settlemint.com --username <username> --password <password>
```
Replace <username> and <password> with your provided enterprise credentials. Passing the password as a command-line argument records it in your shell history and exposes it to anyone who can list processes on the host; on a shared or audited workstation use the `--password-stdin` flag instead and pipe the password in from a file or a secret-store lookup.
Enterprise Registry Access
Enterprise customers receive dedicated registry credentials with access to enterprise-specific images and configurations. Contact your account manager if you need registry access.
2. Review enterprise configuration options
View all available configuration options for enterprise deployment:
```bash
helm show values oci://harbor.settlemint.com/settlemint/settlemint --version v7.31.11
```
Pin `--version` to the chart version you intend to install, so the options you review are the ones you deploy.
Security Review
Before configuring production values, have your security team review all available configuration options, especially those related to network policies, RBAC, and data encryption.
3. Prepare enterprise production configuration
Create a values file (values.yaml) with your configuration:
```yaml
imagePullCredentials:
  registries:
    harbor:
      enabled: true
      registry: "harbor.settlemint.com"
      username: '<registry-username>'
      password: '<registry-password>'
      email: '<registry-email>'
license:
  accountName: <registry-username>
  accountToken: <registry-password>
  email: <registry-email>
  expirationDate: <expirationDate>
  blockchainNetworks:
    limit: 3
  blockchainNodes:
    limit: 4
  loadBalancers:
    limit: 5
  privateKeys:
    limit: 5
  smartContractSets:
    limit: 5
  storages:
    limit: 5
  middlewares:
    limit: 5
  integrations:
    limit: 5
  insights:
    limit: 5
  customDeployments:
    limit: 5
  signature: <signature>
ingress:
  enabled: true
  className: "<your-ingressClass>" # client ingress classname
  host: '<your-domain>'
  annotations: {}
  tls: []
  # - secretName: 'platform-tls'
  #   hosts:
  #     - '<your-domain>'
  #     - '*.<your-domain>'
redis:
  host: '<redis-host>'
  port: '<redis-port>'
  password: '<redis-password>'
postgresql:
  host: '<postgresql-host>'
  port: '<postgresql-port>'
  user: '<postgresql-user>'
  password: '<postgresql-password>'
  database: '<database-name>'
vault:
  enabled: true
  address: '<vault-address>'
  roleId: '<vault-role-id>'
  secretId: '<vault-secret-id>'
  namespace: 'vault'
googleSecretManager:
  enabled: false
  projectId: "<project-id>"
  credentials: "<json-creds>"
awsSecretManager:
  enabled: false
  region: "<region>"
  accessKeyId: "<access-key>"
  secretAccessKey: "<secret-access-key>"
azureKeyVault:
  enabled: false
  vaultUrl: "<vault-url>"
  tenantId: "<tenant-id>"
  clientId: "<client-id>"
  clientSecret: "<client-secret>"
  useManagedIdentity: false
  managedIdentityClientId: ""
auth:
  jwtSigningKey: '<your-jwt-signing-key>'
  providers:
    passwordless:
      enabled: true
      from: "<from-email>"
      server:
        host: "<smtp-host>"
        port: "<smtp-port>"
        user: "<smtp-user>"
        password: "<smtp-password>"
    google:
      enabled: true
      clientID: '<google-client-id>'
      clientSecret: '<google-client-secret>'
    microsoftEntraId:
      enabled: true
      clientID: '<microsoft-client-id>'
      clientSecret: '<microsoft-client-secret>'
      tenantId: '<microsoft-tenant-id>'
app:
  metrics:
    enabled: true
  replicaCount: '<replicas>'
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
api:
  metrics:
    enabled: true
  replicaCount: '<replicas>'
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
job:
  metrics:
    enabled: true
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
deployWorker:
  metrics:
    enabled: true
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
  replicaCount: 5
docs:
  replicaCount: '<replicas>'
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
singleton:
  metrics:
    enabled: true
  resources:
    requests:
      cpu: '<cpu-request>'
      memory: '<memory-request>'
support:
  ipfs-cluster:
    enabled: false
    sharedSecret: "<shared-secret>"
    cluster:
      replicaCount: <replicas>
      apiAuth: "<username>:<password>"
      storage:
        storageClassName: "local-path"
    ipfs:
      replicaCount: <replicas>
      storage:
        storageClassName: "local-path"
    ingress:
      hosts:
        - host: "<your-ipfs-domain>"
observability:
  enabled: true
  metrics-server:
    enabled: true
    service:
      labels:
        kubernetes.io/cluster-service: "true"
        kubernetes.io/name: "Metrics-server"
  kube-state-metrics:
    enabled: true
  victoria-metrics-single:
    enabled: true
  alloy:
    enabled: true
    clustername: "dev"
    endpoints:
      external:
        prometheus:
          enabled: false
          url: ""
        loki:
          enabled: false
          url: ""
        otel:
          enabled: false
          url: ""
  grafana:
    enabled: true
    auth:
      username: <grafana-username>
      password: <grafana-password>
    ingress:
      enabled: true
      hosts:
        - <your-grafana-domain>
    grafana.ini:
      server:
        root_url: https://<your-grafana-domain>
  tempo:
    enabled: true
    tempoQuery:
      service:
        port: 4318
  loki:
    enabled: true
    gateway:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution: null
  prometheus-node-exporter:
    enabled: true
features:
  billing:
    enabled: false
  autoDelete:
    enabled: true
  deploymentEngine:
    platform:
      domain:
        tls: true
        hostname: '<your-domain>'
    state:
      connectionUrl: 's3://<bucket-name>?region=<region>'
      secretsProvider: 'passphrase'
      credentials:
        encryptionKey: '<your-encryption-key>'
        aws:
          accessKeyId: '<aws-access-key>'
          secretAccessKey: '<aws-secret-key>'
          region: '<aws-region>'
    targets:
      - id: '<cluster-id>'
        name: '<cluster-name>'
        icon: '<cluster-icon>'
        clusters:
          - id: '<cluster-instance-id>'
            name: '<cluster-instance-name>'
            icon: '<cluster-instance-icon>'
            location:
              lat: '<latitude>'
              lon: '<longitude>'
            connection:
              sameCluster:
                enabled: true
            namespace:
              single:
                enabled: true
                name: '<namespace>'
                runAsUser: 2024
                fsGroup: 2024
              multiple:
                enabled: false
                prefix: "sm"
            domains:
              service:
                tls: true
                hostname: '<your-domain>'
            storage:
              storageClass: '<storage-class>'
            ingress:
              ingressClass: '<ingress-class>'
            capabilities:
              mixedLoadBalancers: true
              nodePorts:
                enabled: true
                range:
                  min: 30000
                  max: 32767
    advancedDeploymentConfig:
      enabled: false
    customDomains:
      enabled: false
```
Replace all placeholder values with your actual configuration:
- The license section must be filled in from the license file SettleMint issued to you, including the signature.
- Verify that image tags resolve to the latest stable versions.
- Remove any unused features to keep the configuration clean.
This file holds registry credentials, the PostgreSQL and Redis passwords, the JWT signing key, the Vault AppRole credentials and the passphrase that encrypts deployment-engine state. Treat it as a secret: keep it out of version control (or keep the credentials in a separate values file passed with an additional `--values` flag), restrict its file permissions to the operator running Helm, and generate the JWT signing key and encryption key from a cryptographic random source (for example `openssl rand -base64 32`). Note that Helm stores the values you pass in a Secret in the release namespace, so anyone who can read Secrets there can recover them; scope RBAC on that namespace accordingly.
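Before handing the file to Helm it is worth checking it mechanically for the classic mistakes: placeholders left in, example passwords copied from documentation, a Vault address on plain HTTP, an empty ingress TLS list, a state bucket reached with disableSSL=true, or a JWT signing key that is not 32 random bytes. The script below is an added example written for this guide, not part of the SettleMint chart or tooling. It uses only the Python standard library and expects the values as JSON, for example the output of `helm get values settlemint -n settlemint -o json` after an install, or your values.yaml converted with any YAML-to-JSON tool; `SAMPLE_VALUES` is a constructed, deliberately flawed development configuration, and the key names it checks (`password`, `secretId`, `jwtSigningKey`, `encryptionKey`, and so on) are the ones used in the values file above.

```python
"""Lint SettleMint Helm values for security mistakes before (or after) installing.

Added example for this guide, not SettleMint tooling. Reads a JSON document such as
`helm get values settlemint -n settlemint -o json` and reports leftover placeholders,
documentation example secrets, short secrets, plaintext endpoints, a missing ingress
TLS block and a weak JWT signing key. SAMPLE_VALUES is a constructed, flawed dev config.
"""
import base64
import json
import re
import sys

PLACEHOLDER = re.compile(r"^<[^<>]+>$")  # e.g. '<registry-password>' never replaced
# Keys whose values are credentials and must be strong and unique per environment.
SECRET_KEYS = {
    "password", "accountToken", "secretId", "jwtSigningKey", "encryptionKey",
    "clientSecret", "secretAccessKey", "sharedSecret", "apiAuth",
}
# Example secrets that appear in documentation; they must never reach production.
KNOWN_EXAMPLE_SECRETS = {"passw0rd", "passw0rd123", "admin:passw0rd", "dev-secret-id"}
ENDPOINT_KEYS = {"address", "url", "root_url"}


def walk(node, path=()):
    """Yield (dotted_path, scalar) for every leaf in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield ".".join(path), node


def lint_values(values):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for path, leaf in walk(values):
        if not isinstance(leaf, str):
            continue
        key = path.rsplit(".", 1)[-1]
        if PLACEHOLDER.match(leaf):
            findings.append(f"{path}: placeholder {leaf!r} was never replaced")
        if key in SECRET_KEYS and leaf:
            if leaf in KNOWN_EXAMPLE_SECRETS:
                findings.append(f"{path}: documentation example secret in use")
            elif len(leaf) < 16:
                findings.append(f"{path}: secret shorter than 16 characters")
        if key in ENDPOINT_KEYS and leaf.startswith("http://"):
            findings.append(f"{path}: plaintext http endpoint {leaf!r}")

    # The guide generates this key with `openssl rand -base64 32`: 32 random bytes, base64 encoded.
    jwt_key = values.get("auth", {}).get("jwtSigningKey", "")
    try:
        decoded = base64.b64decode(jwt_key, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        decoded = b""
    if len(decoded) < 32:
        findings.append("auth.jwtSigningKey: expected at least 32 random bytes, base64 encoded")

    ingress = values.get("ingress", {})
    if ingress.get("enabled") and not ingress.get("tls"):
        findings.append("ingress.tls: empty; the platform is served over plaintext unless TLS "
                        "is terminated in front of the ingress")

    state_url = (values.get("features", {}).get("deploymentEngine", {})
                 .get("state", {}).get("connectionUrl", ""))
    if "disableSSL=true" in state_url:
        findings.append("features.deploymentEngine.state.connectionUrl: disableSSL=true sends "
                        "deployment state (and its encrypted secrets) over plaintext")
    return findings


# Constructed sample: a dev-style configuration with the mistakes this linter is meant to catch.
SAMPLE_VALUES = {
    "imagePullCredentials": {"registries": {"harbor": {
        "enabled": True, "registry": "harbor.settlemint.com",
        "username": "sm_rat_example", "password": "passw0rd", "email": "<registry-email>"}}},
    "ingress": {"enabled": True, "host": "settlemint.example.com", "tls": []},
    "vault": {"enabled": True, "address": "http://vault.development.svc.cluster.local:8200",
              "roleId": "dev-role-id", "secretId": "dev-secret-id"},
    "auth": {"jwtSigningKey": "c2hvcnQ="},  # base64 of "short": far too little entropy
    "features": {"deploymentEngine": {"state": {
        "connectionUrl": "s3://pulumi?region=eu-central-1&disableSSL=true",
        "secretsProvider": "passphrase",
        "credentials": {"encryptionKey": "passw0rd123"}}}},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            document = json.load(handle)
    else:
        document = SAMPLE_VALUES
    results = lint_values(document)
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

Run it as `python3 lint_values.py rendered.json` in a pre-install gate or CI job; a non-zero exit blocks the install. The linter is intentionally conservative (it flags, it does not rewrite), and the TLS finding is advisory because some deployments terminate TLS at a cloud load balancer in front of the ingress controller.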
Complete example values file
The example below is a development configuration, kept here to show the shape of a filled-in file: it uses throwaway passwords such as passw0rd, talks to Vault over plain HTTP, reaches the deployment-engine state bucket with disableSSL=true, and sets no ingress TLS. None of those choices are acceptable in production; substitute your own values for every credential and endpoint.
```yaml
imagePullCredentials:
  registries:
    harbor:
      enabled: true
      registry: "harbor.settlemint.com"
      username: "sm_rat_example"
      password: "passw0rd"
      email: "<registry-email>"
license:
  accountName: sm_rat_example
  accountToken: passw0rd
  email: <registry-email>
  expirationDate: 2030-11-11
  blockchainNetworks:
    limit: 4
  blockchainNodes:
    limit: 6
  loadBalancers:
    limit: 6
  privateKeys:
    limit: 6
  smartContractSets:
    limit: 6
  storages:
    limit: 6
  middlewares:
    limit: 6
  integrations:
    limit: 6
  insights:
    limit: 6
  customDeployments:
    limit: 6
  signature: "0xkldjfg90898dkjfghsf0994jdf7bghbdkj4fgjg9430ebae0dc9e77887aad2a33066e984ebbe6e3282fd6ab5d23bdcd82320jdfkbornb835hs84nglb63htblbnnb"
ingress:
  enabled: true
  host: settlemint.example.com
redis:
  host: "development-redis.development.svc.cluster.local"
  port: 6379
  password: passw0rd
postgresql:
  enabled: true
  host: development-postgresql.development.svc.cluster.local
  port: 5432
  user: settlemint
  password: passw0rd
  database: settlemint
auth:
  # -- generate a secure random string to secure the cookie and JWT token: openssl rand -base64 32
  jwtSigningKey: "K8/Jkdfn78BdhffKfngkasnsdhg+OaHZ63sSI="
  providers:
    passwordless:
      enabled: true
      from: "<from-email>"
      server:
        host: "smtp.gmail.com"
        port: "465"
        user: "admin"
        password: "passw0rd"
    google:
      enabled: false
      clientID: ""
      clientSecret: ""
vault:
  enabled: true
  address: http://vault.development.svc.cluster.local:8200
  namespace: admin
  roleId: "dev-role-id"
  secretId: "dev-secret-id"
googleSecretManager:
  enabled: false
  projectId: ""
  credentials: ""
awsSecretManager:
  enabled: false
  region: "eu-central-1"
  accessKeyId: ""
  secretAccessKey: ""
azureKeyVault:
  enabled: false
  vaultUrl: ""
  tenantId: ""
  clientId: ""
  clientSecret: ""
  useManagedIdentity: false
  managedIdentityClientId: ""
api:
  metrics:
    enabled: true
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
app:
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
deployWorker:
  metrics:
    enabled: true
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
  replicaCount: 5
job:
  metrics:
    enabled: true
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
singleton:
  metrics:
    enabled: true
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
support:
  ipfs-cluster:
    enabled: false
    sharedSecret: ""
    cluster:
      replicaCount: 2
      apiAuth: "admin:passw0rd"
      storage:
        storageClassName: "local-path"
    ipfs:
      replicaCount: 2
      storage:
        storageClassName: "local-path"
    ingress:
      hosts:
        - host: "ipfs.settlemint.example.com"
observability:
  enabled: true
  metrics-server:
    enabled: true
    service:
      labels:
        kubernetes.io/cluster-service: "true"
        kubernetes.io/name: "Metrics-server"
  kube-state-metrics:
    enabled: true
  victoria-metrics-single:
    enabled: true
    server:
      ingress:
        enabled: true
        hosts:
          - name: "metrics.settlemint.example.com"
            path: /
            port: http
  alloy:
    enabled: true
    clustername: "dev"
    endpoints:
      external:
        prometheus:
          enabled: false
          url: ""
        loki:
          enabled: false
          url: ""
        otel:
          enabled: false
          url: ""
  grafana:
    enabled: true
    auth:
      username: admin
      password: passw0rd
    ingress:
      enabled: true
      hosts:
        - grafana.settlemint.example.com
    grafana.ini:
      server:
        root_url: https://grafana.settlemint.example.com
  tempo:
    enabled: true
    tempoQuery:
      service:
        port: 4318
      ingress:
        enabled: true
        ingressClassName: settlemint-nginx
        hosts:
          - "traces.settlemint.example.com"
  loki:
    enabled: true
    gateway:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution: null
      ingress:
        enabled: true
        hosts:
          - host: "logs.settlemint.example.com"
            paths:
              - path: /
                pathType: Prefix
  prometheus-node-exporter:
    enabled: true
features:
  billing:
    enabled: false
  autoDelete:
    enabled: true
  deploymentEngine:
    platform:
      domain:
        tls: true
        hostname: settlemint.example.com
    state:
      connectionUrl: "s3://pulumi?region=eu-central-1&endpoint=minio.development.svc.cluster.local:9000&disableSSL=true&s3ForcePathStyle=true"
      secretsProvider: "passphrase"
      credentials:
        encryptionKey: "passw0rd123"
        aws:
          accessKeyId: "DHfkkj8sdfjKhasdfk*"
          secretAccessKey: "NkhjkHKjhdfjn7383hHBmdfkjshsdff38"
          region: eu-central-1
    targets:
      - id: "local"
        name: "Local"
        icon: "kubernetes"
        clusters:
          - id: k8s
            name: k8s
            icon: "global"
            location:
              lat: 50.8505
              lon: 4.3488
            namespace:
              single:
                enabled: true
                name: deployments
                runAsUser: 2024
                fsGroup: 2024
              multiple:
                enabled: false
                prefix: "sm"
            connection:
              sameCluster:
                enabled: true
              kubeconfig:
                enabled: false
                kubeconfig: ""
            domains:
              service:
                tls: true
                hostname: settlemint.example.com
            storage:
              storageClass: "local-path"
            ingress:
              ingressClass: "settlemint-nginx"
            capabilities:
              mixedLoadBalancers: true
              nodePorts:
                enabled: true
                range:
                  min: 30000
                  max: 32767
    advancedDeploymentConfig:
      enabled: true
    customDomains:
      enabled: false
```
Install the platform:
```bash
helm upgrade --install settlemint oci://harbor.settlemint.com/settlemint/settlemint \
  --namespace settlemint \
  --version v7.33.0 \
  --create-namespace \
  --values values.yaml
```
Release and namespace names must be lowercase DNS labels: Kubernetes rejects a namespace such as `SettleMint`, and Helm 3 applies the same rule to release names, so use the lowercase `settlemint` form throughout, matching the verification and uninstall commands in this guide. Pin `--version` to the chart version your security team reviewed.
4. Verify installation
Check the deployment status:
```bash
kubectl get pods -n settlemint
```
Verify that all pods are Running and show all of their containers Ready before continuing. A pod stuck in ImagePullBackOff almost always means the imagePullCredentials in values.yaml do not match the registry credentials issued with your license.
5. Access the platform
Once all pods are running, access the platform at https://<your-domain>.
6. Target clusters configuration
The platform supports deploying blockchain nodes and applications to multiple target clusters across different cloud providers and regions. This section explains how to configure target clusters in your values file.
Target structure
The targets configuration uses a simple 2-level hierarchy:
- Target (top level grouping)
- Clusters (individual Kubernetes clusters)
Basic configuration example
```yaml
features:
  deploymentEngine:
    targets:
      - id: GROUP1
        name: First Group
        icon: cloud
        clusters:
          - id: CLUSTER1
            name: Primary Cluster
            icon: kubernetes
            location:
              lat: 50.8505
              lon: 4.3488
            namespace:
              multiple:
                enabled: true
                prefix: "sm"
            connection:
              kubeconfig:
                enabled: true
            domains:
              service:
                tls: true
                hostname: "cluster1.example.com"
            storage:
              storageClass: "standard"
            ingress:
              ingressClass: "nginx"
            capabilities:
              mixedLoadBalancers: false
              nodePorts:
                enabled: true
                range:
                  min: 30000
                  max: 32767
      - id: GROUP2
        name: Second Group
        icon: cloud
        clusters:
          - id: CLUSTER2
            name: Secondary Cluster
            icon: kubernetes
            location:
              lat: 1.3521
              lon: 103.8198
            namespace:
              multiple:
                enabled: true
                prefix: "prod"
            connection:
              kubeconfig:
                enabled: true
            domains:
              service:
                tls: true
                hostname: "cluster2.example.com"
            storage:
              storageClass: "standard"
            ingress:
              ingressClass: "nginx"
            capabilities:
              mixedLoadBalancers: true
              nodePorts:
                enabled: true
                range:
                  min: 30000
                  max: 32767
```
Configuration options
Target level
- id: Unique identifier for the target group
- name: Display name
- icon: Icon identifier for the UI
Cluster level
- id: Unique identifier for the cluster
- name: Display name for the region/location
- icon: Icon identifier for the UI
- disabled: (Optional) Set to true to disable this cluster
- location: Geographic coordinates for visualization
  - lat: Latitude
  - lon: Longitude
Namespace configuration
```yaml
namespace:
  single:
    enabled: false # Use for single namespace deployments
    name: deployments
    runAsUser: 2024
    fsGroup: 2024
  multiple:
    enabled: true # Use for multiple namespace deployments
    prefix: "sm" # Prefix for created namespaces
```
Enable exactly one of the two modes. runAsUser and fsGroup set the UID and GID for the workloads the platform deploys into the namespace; keep them non-root, as in the example.
Connection settings
```yaml
connection:
  sameCluster:
    enabled: false
  kubeconfig:
    enabled: true
```
Use sameCluster when the target is the cluster the platform itself runs in, and kubeconfig for a remote cluster, supplying its kubeconfig in the kubeconfig field. That kubeconfig is the credential the deployment engine uses to create workloads on the remote cluster, so issue it for a dedicated ServiceAccount scoped to the namespaces the platform manages rather than reusing a cluster-admin credential.
Domain configuration
```yaml
domains:
  service:
    tls: true # Enable TLS for the domain
    hostname: "cluster.example.com" # Domain for accessing services
```
The domain configuration determines how services in the cluster will be accessed. Each cluster needs a unique domain that resolves to its ingress controller.
Storage configuration
```yaml
storage:
  storageClass: "standard" # Default storage class for the cluster
```
Storage class recommendations per cloud provider:
- GKE: Use "standard" for general purpose or "premium-rwo" for better performance
- EKS: Use "gp3" for general purpose or "io1" for high-performance workloads
- AKS: Use "managed-premium" for production or "default" for development
Ingress configuration
```yaml
ingress:
  ingressClass: "nginx" # Ingress controller class name of client ingress
```
The ingress class should match your installed ingress controller. Common options:
- "nginx" for NGINX Ingress Controller
- "azure/application-gateway" for Azure Application Gateway
- "alb" for AWS Application Load Balancer
Capabilities configuration
```yaml
capabilities:
  mixedLoadBalancers: false # Support for mixed LoadBalancer services
  nodePorts:
    enabled: true # Enable NodePort service type
    range: # Port range for NodePort services
      min: 30000
      max: 32767
```
Capabilities determine what features are available in the cluster:
- mixedLoadBalancers: Enable if your cluster supports both internal and external load balancers
- nodePorts: Configure if you need to expose services using the NodePort type
  - The port range should be within the Kubernetes default (30000-32767)
  - Ensure the range doesn't conflict with other services
  - NodePort services are reachable on every node's address, so make sure the node firewall or security group only admits the source ranges that need them
Important considerations
1. Domain Names
   - Each cluster must have a unique domain name
   - Domains should be properly configured in your DNS provider
   - TLS certificates will be automatically managed if cert-manager is configured
2. Storage Classes
   - Verify the storage class exists in your cluster before using it
   - Consider performance requirements when selecting storage classes
   - Some features may require specific storage capabilities (e.g., RWX support)
3. Network Capabilities
   - mixedLoadBalancers should match your cloud provider's capabilities
   - NodePort ranges should not conflict with other services
   - Ensure network policies allow required communication
When setting up a new cluster, start with the basic configuration and gradually enable additional capabilities as needed. This approach helps in identifying potential issues early in the deployment process.
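The considerations above can be turned into a pre-flight check on the features.deploymentEngine.targets list. The script below is an added example written for this guide, not part of the SettleMint chart: it verifies unique target and cluster ids, exactly one namespace mode and one connection mode per cluster, a non-empty kubeconfig whenever connection.kubeconfig is enabled, a unique and syntactically valid hostname with TLS on, numeric coordinates, and a NodePort range inside the Kubernetes default. It reads the values as JSON (for example `helm get values settlemint -n settlemint -o json`) and falls back to `SAMPLE_TARGETS`, a constructed pair of groups in which the second cluster breaks several rules at once.

```python
"""Pre-flight check for features.deploymentEngine.targets in a SettleMint values file.

Added example for this guide, not part of the SettleMint chart. Pass the values as JSON
(e.g. `helm get values settlemint -n settlemint -o json`) or run without arguments to
check the constructed SAMPLE_TARGETS below.
"""
import json
import re
import sys

# RFC 1123 hostname with at least one dot: each cluster needs a real DNS name.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?\.)+[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767  # Kubernetes default service-node-port-range


def _enabled_count(section, names):
    return sum(1 for name in names if section.get(name, {}).get("enabled", False))


def validate_cluster(label, cluster, seen_hosts):
    """Check one cluster entry; seen_hosts maps hostname -> label to catch reuse."""
    problems = []
    ns = cluster.get("namespace", {})
    if _enabled_count(ns, ("single", "multiple")) != 1:
        problems.append(f"{label}: enable exactly one of namespace.single / namespace.multiple")
    if ns.get("single", {}).get("enabled") and not ns["single"].get("name"):
        problems.append(f"{label}: namespace.single.name is required")
    conn = cluster.get("connection", {})
    if _enabled_count(conn, ("sameCluster", "kubeconfig")) != 1:
        problems.append(f"{label}: enable exactly one of connection.sameCluster / connection.kubeconfig")
    if conn.get("kubeconfig", {}).get("enabled") and not conn["kubeconfig"].get("kubeconfig"):
        problems.append(f"{label}: connection.kubeconfig.kubeconfig is empty; remote cluster unreachable")
    service = cluster.get("domains", {}).get("service", {})
    host = service.get("hostname", "")
    if not isinstance(host, str) or not HOSTNAME.match(host):
        problems.append(f"{label}: domains.service.hostname {host!r} is not a valid DNS name")
    elif host in seen_hosts:
        problems.append(f"{label}: domains.service.hostname {host!r} already used by {seen_hosts[host]}")
    else:
        seen_hosts[host] = label
    if service.get("tls") is not True:
        problems.append(f"{label}: domains.service.tls must be true for production")
    node_ports = cluster.get("capabilities", {}).get("nodePorts", {})
    if node_ports.get("enabled"):
        lo, hi = node_ports.get("range", {}).get("min"), node_ports.get("range", {}).get("max")
        if not (isinstance(lo, int) and isinstance(hi, int) and NODEPORT_MIN <= lo <= hi <= NODEPORT_MAX):
            problems.append(f"{label}: nodePorts.range {lo}-{hi} must lie within {NODEPORT_MIN}-{NODEPORT_MAX}")
    location = cluster.get("location", {})
    lat, lon = location.get("lat"), location.get("lon")
    if not (isinstance(lat, (int, float)) and isinstance(lon, (int, float))
            and -90 <= lat <= 90 and -180 <= lon <= 180):
        problems.append(f"{label}: location.lat/lon must be numeric coordinates")
    return problems


def validate_targets(targets):
    """Return all problems across the targets list; empty means the block is consistent."""
    problems, target_ids, cluster_ids, seen_hosts = [], set(), set(), {}
    for target in targets:
        tid = target.get("id")
        if not tid or tid in target_ids:
            problems.append(f"target {tid!r}: id missing or duplicated")
        target_ids.add(tid)
        for cluster in target.get("clusters", []):
            cid = cluster.get("id")
            label = f"{tid}/{cid}"
            if not cid or cid in cluster_ids:
                problems.append(f"{label}: cluster id missing or duplicated")
            cluster_ids.add(cid)
            if cluster.get("disabled") is True:
                continue  # a disabled cluster is never scheduled to, so its wiring is not checked
            problems.extend(validate_cluster(label, cluster, seen_hosts))
    return problems


# Constructed sample: GROUP1 is consistent, GROUP2/CLUSTER2 breaks several rules at once.
SAMPLE_TARGETS = [
    {"id": "GROUP1", "name": "First Group", "icon": "cloud", "clusters": [
        {"id": "CLUSTER1", "name": "Primary Cluster", "icon": "kubernetes",
         "location": {"lat": 50.8505, "lon": 4.3488},
         "namespace": {"multiple": {"enabled": True, "prefix": "sm"}},
         "connection": {"kubeconfig": {"enabled": True, "kubeconfig": "apiVersion: v1\nkind: Config\n"}},
         "domains": {"service": {"tls": True, "hostname": "cluster1.example.com"}},
         "storage": {"storageClass": "standard"}, "ingress": {"ingressClass": "nginx"},
         "capabilities": {"mixedLoadBalancers": False,
                          "nodePorts": {"enabled": True, "range": {"min": 30000, "max": 32767}}}}]},
    {"id": "GROUP2", "name": "Second Group", "icon": "cloud", "clusters": [
        {"id": "CLUSTER2", "name": "Secondary Cluster", "icon": "kubernetes",
         "location": {"lat": 1.3521, "lon": 103.8198},
         # both namespace modes on, empty kubeconfig, reused hostname, TLS off, range too wide
         "namespace": {"single": {"enabled": True, "name": "deployments"},
                       "multiple": {"enabled": True, "prefix": "prod"}},
         "connection": {"kubeconfig": {"enabled": True, "kubeconfig": ""}},
         "domains": {"service": {"tls": False, "hostname": "cluster1.example.com"}},
         "capabilities": {"nodePorts": {"enabled": True, "range": {"min": 30000, "max": 40000}}}}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            targets = json.load(handle)["features"]["deploymentEngine"]["targets"]
    else:
        targets = SAMPLE_TARGETS
    found = validate_targets(targets)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it before every `helm upgrade` that touches the targets block; it catches the two configuration errors that are hardest to spot in a long values file, a hostname reused between clusters and a kubeconfig flag enabled without the credential behind it, before the deployment engine tries to use them.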
Troubleshooting
If you encounter issues during installation:
- Debug the installation:
```bash
helm upgrade --install --debug --dry-run settlemint oci://harbor.settlemint.com/settlemint/settlemint \
  --namespace settlemint \
  --values values.yaml
```
The rendered manifests printed by `--debug --dry-run` include Secret objects in plaintext, so do not paste that output into a ticket unredacted.
- Check pod logs:
```bash
kubectl logs -n settlemint <pod-name>
```
- Generate a support bundle:
```bash
# Install support bundle plugin
curl https://krew.sh/support-bundle | bash
# Generate bundle
kubectl support-bundle --load-cluster-specs
```
Piping a download straight into bash executes unreviewed code with your kubectl privileges; download the script first and inspect it, or, if you already use krew, install the plugin with `kubectl krew install support-bundle`. The bundle contains pod logs, events and cluster state, so review it for credentials and connection strings before sending it to SettleMint support for assistance.
Uninstalling
To remove the platform:
```bash
helm delete settlemint --namespace settlemint
```
Note: This will not delete persistent volumes or other resources outside of Helm's control, including the workloads and namespaces the deployment engine created in target clusters. You may need to clean these up manually.
Related pages
- Infrastructure Reqs: complete enterprise infrastructure requirements for self-hosted SettleMint deployment including compute, storage, network, and compliance considerations
- Prerequisites: complete enterprise architecture guide for setting up prerequisite services including databases, security, monitoring, and compliance infrastructure for SettleMint Platform