Skip to main content

SettleMint Platform Sandbox Installation Guide with all prerequisites from managed service providers, using KOTS

This sandbox installation guide provides the steps for setting up and installing the SettleMint Blockchain Transformation Platform on a managed Kubernetes cluster. The guide assumes a prior understanding of Kubernetes, CIVO Cloud, and other relevant technologies.

NOTE: Sandbox installations are not designed or suitable for production use and cannot be upgraded to a production-ready state. Use this sandbox setup at your own risk.

Requirements

Before proceeding with the installation, ensure the following requirements are met:

  • Access to a CIVO account
  • Knowledge of Kubernetes and CIVO

Managed Kubernetes Cluster Setup

Establish a Cluster

In this guide, we are using a CIVO cluster as an example.

  • Large standard size (3 nodes)
  • A firewall with port 80 and 443 open
  • From the marketplace
    • Civo cluster autoscaler
    • Nginx ingress controller

Configure the Kubeconfig

To set up access to the cluster, get the kubeconfig for the cluster by downloading it from the CIVO dashboard and merge it into your kubeconfig file

cp ~/.kube/config ~/.kube/config_bk
KUBECONFIG=~/.kube/config:~/Downloads/civo.yaml kubectl config view --flatten > ~/.kube/config_tmp
mv ~/.kube/config_tmp ~/.kube/config

Ensure the cluster is set as the active context in the kubeconfig. Use kubectl config current-context to verify.

Prerequisites Installation

This section covers the installation prerequisites, including setting up an ingress controller, installing Redis, Postgresql, Minio, and more.

An Ingress Controller

From the marketplace install Nginx, if you have not during the cluster install

Then, you need to link a domain name to the external load balancer IP. Create an A record in your DNS provider that points to this IP and ensure that it resolves:

dig sandbox-demo.blockchaintransformationplatform.com

You will also need to create a wildcard CNAME *.sandbox-demo.blockchaintransformationplatform.com that points to sandbox-demo.blockchaintransformationplatform.com and confirm that it resolves:

dig random.sandbox-demo.blockchaintransformationplatform.com

TLS Configuration

The platform can run without TLS, but it is highly insecure and not recommended. There are many options to add a TLS certificate to this URL. In this guide we will leverage Cloudflare to provide TLS termination.

For your domain, purchase ACM and enable Total TLS. This will provide TLS certificates for each of the domainnames configured.

Redis Setup

Create an account at RedisCloud and create a new subscription. A fixed plan of 1GB should suffice for now. Then create a new database, all the defaults are correct.

Note the commections details as we will need them later, it will look something like

Public endpoint: redis-17220.c250.eu-central-1-1.ec2.cloud.redislabs.com:17220
Default user password: redacted

Postgresql Setup

For the Postgresql database we will be using the Serverless Postgres offering from Neon.

Create a new database and note the connections details (with pooling enabled) as we will need them later, it will look something like

postgresql://sandbox-demo_owner:************@ep-morning-moon-a20p0s24-pooler.eu-central-1.aws.neon.tech/sandbox-demo?sslmode=require

S3 Storage Setup

We are using an AWS s3 bucket in this guide. Create a new bucket in your AWS account and again, all the defaults are correct. Note the region and name of your bucket.

To be able to access it use AWS IAM to generate a user with an access key, make sure to note the access key and the secret access key.

Generate a state encryption key using openssl rand -base64 32 and note it down.

Hashicorp Vault Setup

Hashicorp Vault is a tool for managing secrets and protecting sensitive data. It is open-source but only under a BSL-license that prevents anyone from offering it as a service. So we will leverage their cloud offering for this.

Create a new Vault cluster on the Hashicorp Cloud. For this demo the Development tier and extra small size is sufficient. As a template choose Start from Scratch.

When it is running, generate a new admin token from the UI and launch the web UI.

Then, create three secret engines for the private keys of the platform:

  • Generic KV
  • Path:
    • ethereum
    • ipfs
    • fabric

Next go to Authentication Methods and add a new AppRole method. Then go to Policies and create a new role named btp with the following policy:

path "ethereum/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "fabric/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "ipfs/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}

Next, open up the terminal create your app role:

vault write auth/approle/role/platform-role \
token_ttl=1h \
token_max_ttl=4h \
secret_id_ttl=6h \
policies="btp"

To retrieve the Role ID and Secret ID for the platform-role, run:

vault read auth/approle/role/platform-role/role-id
vault write -force auth/approle/role/platform-role/secret-id

Record the role id and secret id as they will be needed later.

Kubernetes Target clusters

Next we will need to configure where the platform will deploy the services. We will set it up with a single namespace on the same cluster.

We need to create the namespace we are going to deploy in:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
name: deployments
labels:
reloader: 'enabled'
kots.io/app-slug: 'settlemint-platform'
spec: {}
status: {}
EOF

Now check wich storage classes are available

kubectl get storageclasses

and make/use one with WaitForFirstConsumer and with volume expansion set to true.

OAuth2 Provider Setup

In this example we will use Google login. Browse to https://console.developers.google.com/apis/credentials and on the top use + CREATE CREDENTIALS, choose OAuth client ID and then as type Web application.

In Authorised JavaScript origins add the domain name you created in the Ingress controller section, in this example https://sandbox-demo.blockchaintransformationplatform.com. In Authorised redirect URIs use https://sandbox-demo.blockchaintransformationplatform.com/api/auth/callback/google.

You will get a Client ID and Client secret at the end of this process, note them down for later.

We will also need a secret to encrypt the JWT token. Generate a random key with openssl rand -base64 32 and record this for later.

SettleMint Platform Installation

Installing the platform, and its full lifecycle is handled by KOTS. Install the plugin and then launch the platform installer

curl https://kots.io/install | bash
kubectl kots install settlemint-platform

Answer the questions and wait for it to install the KOTS admin panel.

Enter the namespace to deploy to: settlemint
• Deploying Admin Console
• Creating namespace ✓
• Waiting for datastore to be ready ✓
Enter a new password for the admin console (6+ characters): ••••••••••
• Waiting for Admin Console to be ready ✓
• Press Ctrl+C to exit
• Go to http://localhost:8800 to access the Admin Console

Browse to http://localhost:8800 and log in with the password you chose.

From your CS contact you will have received a license file, upload it in the next screen.

Then we will need to configure the platform using the values we collected above and then press continue.

You should now be able to access the platform at https://sandbox-demo.blockchaintransformationplatform.com.

IMPORTANT: Please refer to the actual SettleMint documentation for the most up-to-date, detailed, and accurate instructions. This is an illustrative guide and may be outdated or incorrect, and there may be additional configuration steps required for a fully functional deployment.

Additional Steps

Should an error occur during installation, debug the installation with the following command:

helm upgrade --install --debug --dry-run ...

To delete the installation and try again, use:

helm delete settlemint --namespace settlemint

And if you are stuck after this, there is a built in way to collect all the information SettleMint's Customer Success team needs to help you out.

Install the support bundle plugin

curl https://krew.sh/support-bundle | bash

Run the support bundle checks

kubectl support-bundle --load-cluster-specs

You can then send the generated file to support@settlemint.com

Enjoy exploring the SettleMint Platform!

NOTE: This sandbox installation of the SettleMint platform might not include the full functionalities of the platform. To explore a full-scale, premium tier of the SettleMint Platform, consider reaching out to the SettleMint team for a premium sandbox or subscription.