
# Prerequisites

{% stepper %}
{% step %}
**Setup Kubernetes or OpenShift cluster**

{% hint style="info" %}
Supported version of **Kubernetes**: 1.21 and later.\
\
We recommend AWS (EKS) or Google Cloud (GKE), but you can install it on a standalone cluster as well.
{% endhint %}

**Define your cluster size considering the following minimum requirements and your business needs:**

1. Minimum requirements for one instance of the Catalyst Blockchain Manager Canton service:

* 2 core CPU
* 4GB RAM
* 10GB disk space

2. Each node (domain, participant, or application) that will be deployed consumes additional resources. Minimum requirements for one node:

| Node        | CPU  | Memory, Gi | Storage, Gi |
| ----------- | ---- | ---------- | ----------- |
| Domain      | 1    | 1          | 1           |
| Participant | 1    | 1          | 1           |
| Application | 1    | 1          | 1           |

{% hint style="info" %}
When deciding on the size of the cluster, consider the expected load on the nodes and increase these values accordingly.
{% endhint %}
{% endstep %}

{% step %}
**Install Helm to your workstation**

Helm can be installed either from source, or from pre-built binary releases.

**Follow the installation manual below:**

{% embed url="<https://helm.sh/docs/intro/install/>" %}

{% hint style="info" %}
Supported version of **Helm**: 3.X.\
\
No customisation is needed.
{% endhint %}
{% endstep %}

{% step %}
**Install Traefik ingress**

The ingress-controller is needed for traffic routing to expose nodes (domains & applications).\
\
The Catalyst Blockchain Manager Canton service creates a CRD resource (an IngressRoute when Traefik is used) that is automatically started and deleted along with each application (and on demand for domains).

**Follow the installation manual below:**

{% embed url="<https://github.com/traefik/traefik-helm-chart>" %}

{% hint style="info" %}
Supported version of **Traefik**: 2.3.

No customisation is needed; the default port (:443) for HTTPS traffic will be used.

We recommend installing Traefik to a separate namespace from the application (creation of a namespace for the CatalyX Blockchain Manager Canton service is described in step 6).
{% endhint %}
{% endstep %}

{% step %}
**Install cert-manager to create TLS certificate**

A TLS certificate is needed for secure communication between a user and the CatalyX Blockchain Manager Canton service components.

**Follow the installation manual below:**

{% embed url="<https://cert-manager.io/docs/installation/helm/>" %}

We recommend using the latest release of the official Helm chart.

{% hint style="info" %}
You can skip this step and instead specify your TLS certificate and key later as a Kubernetes secret in the Helm chart values (Helm chart values are described in the Setup section).\
You can find the manual on how to create a Kubernetes secret here:

[kubernetes.io/docs/concepts/configuration/secret/#tls-secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
{% endhint %}
{% endstep %}

{% step %}
**Create an A-record in a zone in your domain’s DNS management panel and assign it to the load balancer created upon Traefik or OpenShift installation**

CatalyX Blockchain Manager Canton service needs a wildcard record *`*.<domain>`* to expose nodes. All created nodes (domains, participants, applications) will have a *`<NodeName>.<domainName>`* address.

**For example, in case you are using AWS, follow these steps:**

1. Go to the Route53 service.
2. Create a new domain or choose the existing domain.
3. Create an A record.
4. Switch “alias” to ON.
5. In the “Route traffic to” field select “Alias to application and classic load balancer.”
6. Select your region (where the cluster is installed).
7. Select an ELB balancer from the drop-down list.\*

{% hint style="warning" %}
Choose the ELB balancer that was automatically configured upon the Traefik chart installation as described in step 3 (or upon OpenShift installation in case of using OpenShift).\
You can check the ELB with the following command:

```bash
# List the services in the ingress namespace; the load balancer address is in EXTERNAL-IP
kubectl get svc -n "${ingress_namespace}"
```

* where:
  * *`${ingress_namespace}`* is the name of the namespace where the ingress was installed.
  * The ELB is displayed in the *`EXTERNAL-IP`* field.
{% endhint %}
{% endstep %}

{% step %}
**Create a namespace for the CatalyX Blockchain Manager Canton service application**

```bash
kubectl create ns ${ns_name}
```

where *`${ns_name}`* is the name of the namespace (can be any).
{% endstep %}

{% step %}
**Get the credentials to the Helm repository in the JFrog artifactory provided by the IntellectEU admin team**

Add the repo to Helm with the username and password provided:

```bash
# Register the catbp chart repository with the credentials you were given
helm repo add catbp https://intellecteu.jfrog.io/artifactory/catbp-helm --username "${ARTIFACTORY_USERNAME}" --password "${ARTIFACTORY_PASSWORD}"
```

As a result: *`"catbp" has been added to your repositories`*
{% endstep %}

{% step %}
**Create an ImagePullSecret to access the Catalyst Blockchain Manager Canton service deployable images**

For example, create this Secret, naming it *`intellecteu-jfrog-access`*:

```bash
# Create a docker-registry Secret that pods in the namespace can reference as an imagePullSecret
kubectl create secret docker-registry intellecteu-jfrog-access --docker-server=intellecteu-catbp-docker.jfrog.io --docker-username="${your_name}" --docker-password="${your_password}" --docker-email="${your_email}" -n "${ns_name}"
```

where:

* `${your_name}` is your Docker username.
* `${your_password}` is your Docker password.
* `${your_email}` is your Docker email.
* `${ns_name}` is the namespace created for the Catalyst Blockchain Manager Canton service in step 6.
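
The commands in steps 7 and 8 pass the password as a command-line argument, where it ends up in shell history and the process list. The following is an added example, not part of the original page or the vendor's tooling: it builds the same pull secret as a manifest and uses Helm's `--password-stdin` instead. The function names and the `REG_USER`, `REG_PASS` and `REG_EMAIL` variables are assumptions.

```shell
# Added example. Credentials are read from environment variables (assumed
# names REG_USER, REG_PASS, REG_EMAIL) and never passed as process arguments.

# Escape backslashes and double quotes so a value fits in a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Base64-encode stdin onto a single line (GNU base64 wraps at 76 columns).
b64() { base64 | tr -d '\n'; }

# render_pull_secret <namespace> [secret-name] [registry]
# Prints a kubernetes.io/dockerconfigjson Secret manifest on stdout.
render_pull_secret() {
  local ns="$1" name="${2:-intellecteu-jfrog-access}"
  local server="${3:-intellecteu-catbp-docker.jfrog.io}"
  : "${REG_USER:?set REG_USER}" "${REG_PASS:?set REG_PASS}"
  local auth cfg
  # The "auth" field is base64("username:password"), as docker login writes it.
  auth=$(printf '%s:%s' "$REG_USER" "$REG_PASS" | b64)
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$(json_escape "$server")" "$(json_escape "$REG_USER")" \
    "$(json_escape "$REG_PASS")" "$(json_escape "${REG_EMAIL:-}")" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# add_catbp_repo: step 7 with the password piped to Helm on stdin.
add_catbp_repo() {
  : "${ARTIFACTORY_USERNAME:?unset}" "${ARTIFACTORY_PASSWORD:?unset}"
  printf '%s' "$ARTIFACTORY_PASSWORD" | helm repo add catbp \
    https://intellecteu.jfrog.io/artifactory/catbp-helm \
    --username "$ARTIFACTORY_USERNAME" --password-stdin
}

# Usage (needs cluster access):
#   render_pull_secret "$ns_name" | kubectl apply -f -
```
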

{% hint style="warning" %}
If you want to use a readiness check with an image from a private repository, create a “secret” file with your credentials in Kubernetes so that you can specify it in the Helm chart when installing the Catalyst Blockchain Manager.\
\
Please refer to the official Kubernetes documentation: [kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)\
\
You will find the Helm chart configuration instructions [here](#helmChartVals).
{% endhint %}
{% endstep %}

{% step %}
**Setup Keycloak realm or Auth0 tenant**

**For Keycloak**

Download [the realm.json](https://docs.catalyx.solutions/canton/_attachments/realm-v1.8.json) file and import it to create the necessary clients, scopes & users in your Keycloak realm.

{% hint style="info" %}
User roles `canton_viewer` & `canton_writer` will be evaluated by the Catalyst Blockchain Manager Canton service.
{% endhint %}

{% hint style="info" %}
After creating the realm, set the URL and realm name in [helm values](#helmChartVals).
{% endhint %}

**For Auth0**

If you want to enable Auth0 as an option for ledger authentication, set up a tenant.

{% hint style="info" %}
After creating the tenant, make sure to set 'enabled', domain, api id, client id and client secret in [helm values](#helmChartVals).
{% endhint %}
{% endstep %}

{% step %}
**(Optional) Setup Monitoring & Dashboard**

The installation of the CatalyX Blockchain Manager Canton service includes templates to assist monitoring. If you use Grafana, install the [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) on your cluster to observe the metrics of all nodes.

Once installed, configure Keycloak OAuth2 authentication on Grafana following the detailed steps provided in the [Grafana documentation](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/).

[This file](https://docs.catalyx.solutions/canton/_attachments/dashboard-v1.5.json) is a default dashboard that can be [imported in Grafana](https://grafana.com/docs/grafana/latest/dashboards/build-dashboards/import-dashboards/).

{% hint style="info" %}
After configuring Grafana, make sure to set 'url' & 'clusterDashboard' in the Grafana section in [helm values](#helmChartVals).
{% endhint %}
{% endstep %}

{% step %}
**Enter License Key**

Request a license key and set it in [helm values.](#helmChartVals)
{% endstep %}
{% endstepper %}

