# Setup

Before installing the CatalyX Blockchain Manager Canton Service, you must configure the Helm chart values file. This page documents every available configuration option and explains how to prepare your `values.yaml` file for deployment.

{% hint style="info" %}
You will need values from the previous steps, including your domain name, identity provider credentials, JFrog credentials, and license key, before filling in this file.
{% endhint %}

### Required Configuration

At a minimum, the following fields must be set before installation:

| Field                       | Description                                                                                                               |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| `domainName`                | The domain where CAT-BM will be hosted (wildcard DNS must be configured).                                                 |
| `auth.keycloakUrl`          | The base URL of your Keycloak instance. **Only required when using integrated Keycloak** (`auth.keycloak.enabled: true`). |
| `auth.keycloakRealm`        | The name of the Keycloak realm created in the prerequisites step. **Only required when using integrated Keycloak.**       |
| `api.licenseKey.key`        | Your CAT-BM license key (or configure via Kubernetes secret — see below).                                                 |
| `api.imagePullSecrets`      | The name of the `ImagePullSecret` created in the prerequisites step.                                                      |
| `operator.imagePullSecrets` | Same `ImagePullSecret` for the operator component.                                                                        |

{% hint style="info" %}
If you are using an external Identity Provider (Okta, Microsoft Entra ID, Auth0, or other OIDC-compatible provider) instead of integrated Keycloak, set `auth.keycloak.enabled: false` and configure `auth.url`, `auth.client.idApiOperator`, `auth.client.idUI`, and `auth.client.secret` instead. See the [External Identity Provider Configuration](/catalyx-blockchain-manager/canton-network/version-1.11/installation-instructions-canton/external-identity-provider-configuration-optional.md) page for full setup instructions.
{% endhint %}

### Configure Helm chart values

The complete `values.yaml` with every option and its default is reproduced below; copy it and fill in the required fields listed above.

```yaml
# -- address where application will be hosted.
domainName: ""

auth:
  enabled: true
  ## -- Keycloak is enabled by default. Additional configuration of keycloakUrl and keycloakRealm values is needed
  keycloak:
    enabled: true
  keycloakUrl: ""
  keycloakRealm: ""
  ## -- Configure values below only if keycloak.enabled=false
  ## -- OpenID provider endpoint for obtaining an access token
  url: ""
  ## -- OpenID client IDs and secret
  client:
    idApiOperator: "" # client_id for api and operator components
    idUI: "" # client_id for ui component
    secret: ""
    externalSecret:
      enabled: false # If enabled, will be used instead of 'secret' field
      remoteSecretRef: "" # Name of the remote secret
      secretStoreRef:
        name: "" # SecretStore Name
        kind: "SecretStore" # Type of SecretStore ("SecretStore" or "ClusterSecretStore")

rbac:
  # -- Whether to create RBAC Resources (Role, SA, RoleBinding)
  enabled: true
  # -- Service Account Name to use for api, ui, operator
  serviceAccountName: canton-console
  # -- Automount API credentials for a Service Account.
  automountServiceAccountToken: false
# operator component values
operator:
  # -- number of operator pods to run
  replicaCount: 1
  # -- operator image settings
  image:
    repository: intellecteu-catbp-docker.jfrog.io/catbp/canton/canton-operator
    pullPolicy: IfNotPresent
    # defaults to appVersion
    tag: ""
  # -- operator image pull secrets
  imagePullSecrets: []
  #   - name: ""

  # -- extra env variables for operator pods
  extraEnv: {}
  # -- labels for operator pods
  labels: {}
  # -- annotations for operator pods
  podAnnotations: {}
  # -- Automount API credentials for a Service Account.
  automountServiceAccountToken: true
  # -- security context on a pod level (empty map, consistent with securityContext below, so the template does not render null)
  podSecurityContext: {}
    # runAsNonRoot: true
    # runAsUser: 4444
    # runAsGroup: 5555
    # fsGroup: 4444
  # -- security context on a container level
  securityContext: {}
  # Define update strategy for Operator pods
  updateStrategy: {}
  # -- CPU and Memory requests and limits
  resources: {}
    # requests:
    #   cpu: "200m"
    #   memory: "500Mi"
    # limits:
    #   cpu: "500m"
    #   memory: "700Mi"
  # -- Specify Node Labels to place operator pods on
  nodeSelector: {}
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}
  # -- keycloak client secret is used to get token from keycloak
  # -- Can be fetched from ExternalSecret or provided directly in the 'secret' field
  keycloakClient:
    secret: "" # Keycloak client secret
    externalSecret:
      enabled: false # If enabled, will be used instead of 'secret' field
      remoteSecretRef: "" # Name of the remote secret
      secretStoreRef:
        name: "" # SecretStore Name
        kind: "SecretStore" # Type of SecretStore ("SecretStore" or "ClusterSecretStore")
  ## Readiness and Liveness probes for Operator component
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  probes:
    # -- Enable Kubernetes Liveness and Readiness probes
    enabled: true
    # --  Liveness probe for Operator container
    livenessProbe:
      # -- Number of seconds after the container has started before probe is initiated
      initialDelaySeconds: 60
      # -- How often (in seconds) to perform the probe
      periodSeconds: 10
      # -- Number of seconds after which the probe times out
      timeoutSeconds: 1
      # -- Minimum consecutive successes for the probe to be considered successful after having failed
      successThreshold: 1
      # -- Minimum consecutive failures for the probe to be considered failed after having succeeded
      failureThreshold: 3
    # --  Readiness probe for Operator container
    readinessProbe:
      # -- Number of seconds after the container has started before probe is initiated
      initialDelaySeconds: 40
      # -- How often (in seconds) to perform the probe
      periodSeconds: 10
      # -- Number of seconds after which the probe times out
      timeoutSeconds: 1
      # -- Minimum consecutive successes for the probe to be considered successful after having failed
      successThreshold: 1
      # -- Minimum consecutive failures for the probe to be considered failed after having succeeded
      failureThreshold: 5

# API component values
api:
  # -- the persistence volume claim for DARs
  darsPvc:
    enabled: true
    size: 5Gi
    mountPath: /dars-storage
    # If defined, storageClassName: <storageClass>
    # If undefined, no storageClassName spec is set, choosing the default provisioner.  (gp2 on AWS, standard on GKE, AWS & OpenStack)
    storageClass: ""
    # Annotations for darsPvc
    # Example:
    # annotations:
    #   example.io/disk-volume-type: SSD
    annotations: {}
  # -- environment for api pods
  environment: "dev"
  # -- gateway configuration for channel subscription gateway
  gateway:
    events:
      heartbeat:
        enabled: false
        interval: 60 # interval in seconds
  # -- number of api pods to run
  replicaCount: 1
  # -- api image settings
  image:
    repository: intellecteu-catbp-docker.jfrog.io/catbp/canton/canton-console
    pullPolicy: IfNotPresent
    # defaults to appVersion
    tag: ""
  # -- api image pull secrets
  imagePullSecrets: []
  #   - name: ""

  # -- extra env variables for api pods
  extraEnv: {}
  # -- labels for api pods
  labels: {}
  # -- api service port and name
  service:
    port: 8080
    portName: http
  # -- annotations for api pods
  podAnnotations: {}
  # -- Automount API credentials for a Service Account.
  automountServiceAccountToken: true
  # -- security context on a pod level (empty map, consistent with securityContext below, so the template does not render null)
  podSecurityContext: {}
    # runAsNonRoot: true
    # runAsUser: 4444
    # runAsGroup: 5555
    # fsGroup: 4444
  # -- security context on a container level
  securityContext: {}
  # Define update strategy for API pods
  updateStrategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxUnavailable: 0
    #   maxSurge: 1
  # -- CPU and Memory requests and limits
  resources: {}
    # requests:
    #   cpu: "200m"
    #   memory: "900Mi"
    # limits:
    #   cpu: "500m"
    #   memory: "1000Mi"
  # -- Specify Node Labels to place api pods on
  nodeSelector: {}
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}
  # -- keycloak client secret is used to get token from keycloak
  # -- Can be fetched from ExternalSecret or provided directly in the 'secret' field
  keycloakClient:
    secret: "" # Keycloak client secret
    externalSecret:
      enabled: false # If enabled, will be used instead of 'secret' field
      remoteSecretRef: "" # Name of the external secret
      secretStoreRef:
        name: "" # SecretStore Name
        kind: "SecretStore" # Type of SecretStore ("SecretStore" or "ClusterSecretStore")
  ## Readiness and Liveness probes for API component
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  probes:
    # -- Enable Kubernetes Liveness and Readiness probes
    enabled: true
    # --  Liveness probe for API container
    livenessProbe:
      # -- Number of seconds after the container has started before probe is initiated
      initialDelaySeconds: 90
      # -- How often (in seconds) to perform the probe
      periodSeconds: 10
      # -- Number of seconds after which the probe times out
      timeoutSeconds: 3
      # -- Minimum consecutive successes for the probe to be considered successful after having failed
      successThreshold: 1
      # -- Minimum consecutive failures for the probe to be considered failed after having succeeded
      failureThreshold: 3
    # --  Readiness probe for API container
    readinessProbe:
      # -- Number of seconds after the container has started before probe is initiated
      initialDelaySeconds: 60
      # -- How often (in seconds) to perform the probe
      periodSeconds: 10
      # -- Number of seconds after which the probe times out
      timeoutSeconds: 10
      # -- Minimum consecutive successes for the probe to be considered successful after having failed
      successThreshold: 1
      # -- Minimum consecutive failures for the probe to be considered failed after having succeeded
      failureThreshold: 5
  # -- License Key for canton console
  licenseKey:
    key: ""  # Set licenseKey if NOT using a Kubernetes secret
    secret:
      enabled: false  # Set to 'true' to use a Kubernetes Secret
      name: ""        # Name of the Kubernetes secret
      key: ""         # Key inside the secret that contains licenseKey
  # -- Auth providers configuration for ledger
  ledgerAuth:
    auth0:
      enabled: false
      domain: ""
      apiIdentifier: ""
      clientId: ""
      clientSecret: ""
# UI component values
ui:
  # -- gateway configuration for channel subscription gateway
  gateway:
    events:
      heartbeat:
        enabled: false
        interval: 60 # interval in seconds
  # -- ui autoscaling settings
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  # -- number of ui pods to run
  replicaCount: 1
  # -- ui image settings
  image:
    repository: intellecteu-catbp-docker.jfrog.io/catbp/canton/canton-console-ui
    pullPolicy: IfNotPresent
    # defaults to appVersion
    tag: ""
  # -- ui image pull secrets
  imagePullSecrets: []
  #   - name: ""

  # -- extra env variables for ui pods
  extraEnv: {}
  # -- labels for ui pods
  labels: {}
  # -- ui service port and name
  service:
    port: 80
    portName: http
  # -- annotations for ui pods
  podAnnotations: {}
  # -- Automount API credentials for a Service Account.
  automountServiceAccountToken: true
  # -- security context on a pod level (empty map, consistent with securityContext below, so the template does not render null)
  podSecurityContext: {}
  #   runAsNonRoot: true
  #   runAsUser: 4444
  #   runAsGroup: 5555
  #   fsGroup: 4444
  # -- security context on a container level
  securityContext: {}
  # Define update strategy for UI pods
  updateStrategy: {}
  # -- CPU and Memory requests and limits
  resources: {}
  #   requests:
  #     cpu: "100m"
  #     memory: "50Mi"
  #   limits:
  #     cpu: "200m"
  #     memory: "200Mi"
  # -- Specify Node Labels to place ui pods on
  nodeSelector: {}
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # -- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}
  # -- keycloak client ID used by the ui component (set in env-specific values)
  keycloakClient:
    id: ""

# -- Ingress for any ingress controller.
ingressConfig:
  provider:
    # -- Currently supported: [traefik, traefikCRD]
    name: traefikCRD
    traefik:
      ingressClass: ""
    traefikCRD:
      tlsStore:
        enabled: false
        name: default
  # -- specify whether to create Ingress resources for API and UI
  enabled: false
  tls:
    enabled: false
    # -- Certificate and Issuer will be created with Cert-Manager. Names will be autogenerated.
    # -- If `certManager.enabled` is true, `ingressConfig.tls.secretName` is ignored
    certManager:
      enabled: false
      email: ""
      server: "https://acme-staging-v02.api.letsencrypt.org/directory"
    # -- secret name with own tls certificate to use with ingress
    secretName: ""
  # Strip Application prefix middleware configuration
  stripApplicationPrefix:
    enabled: true
    regex:
      - "/.*(/api)?/"

# -- Whether to parse and send logs to centralised storage
# FluentD Output Configuration. Fluentd aggregates and parses logs
# FluentD is a part of Logging Operator. CRs `Output` and `Flow`s will be created
logOutput:
  # Configuration specific to ElasticSearch logging
  elasticSearch:
    enabled: false
    # -- The hostname of your Elasticsearch node
    host: ""
    # -- The port number of your Elasticsearch node
    port: 443
    # -- The index name to write events
    index_name: ""
    # -- Data stream configuration
    data_stream:
      enabled: false
      name: ""
      data_stream_template_name: ""
    # -- The login username to connect to the Elasticsearch node
    user: ""
    # -- Specify secure password with Kubernetes secret
    secret:
      create: false
      password: ""
      annotations: {}
    # Buffer configuration for handling logs
    buffer:
      chunk_limit_size: 4M
      total_limit_size: 512MB
      flush_mode: interval
      flush_interval: 10s
      flush_thread_count: 2
      overflow_action: block
  # Configuration specific to Loki logging
  loki:
    enabled: false
    # URL of the Loki instance to send logs to
    url: ""
    # Labels to attach to log streams sent to Loki
    # Format: label_name: log_field_name
    labels: {}
    # Format to use when flattening the record to a log line: key_value, json
    line_format: ""
    # Buffer configuration for handling logs
    buffer:
      chunk_limit_size: 4m
      timekey: 1m
      timekey_wait: 30s
      timekey_use_utc: true
  # Configuration specific to Logz.io logging
  logzIo:
    enabled: false
    # Logz.io endpoint configuration
    endpoint:
      url: ""
      port: 8071
    # Logz.io secret configuration
    secret:
      create: false
      token: ""
      annotations: {}
    # Include tags in the log output
    output_include_tags: true
    # Include timestamp in the log output
    output_include_time: true
    # Buffer configuration for handling logs
    buffer:
      type: file
      flush_mode: interval
      flush_thread_count: 4
      flush_interval: 5s
      chunk_limit_size: 16m
      queue_limit_length: 4096

monitoring:
  # -- Enable integration with a prometheus-operator. The module fetches metrics from the canton nodes in the system.
  # Prometheus operator and grafana need to be installed beforehand
  enabled: false
  url:
  # -- Configuration for ServiceMonitor resource
  serviceMonitor:
    # -- How often to pull metrics from resources
    interval: 30s
  # -- Configuration for prometheusRules resource
  prometheusRules:
    enabled: false
    # Additional prometheusRules labels
    labels: {}
  grafana:
    enabled: false
    # -- grafana URL
    url: ""
    # -- grafana default admin username and email. Grafana is authenticated through the default API authentication automatically.
    user: admin
    email: admin@domain.com
    # -- grafana default path to dashboard
    clusterDashboard: ""
    # -- grafana service and port for ingress
    service:
      name: grafana
      namespace: monitoring
      port: 80
```
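As an added pre-installation check (my own script, not part of the chart or of this documentation), the validator below encodes the rules from the Required Configuration table and the values above: domain name, the Keycloak-versus-external-IdP fields, the license key (inline or from a Kubernetes Secret) and the image pull secrets. Function names and the sample values are mine; reading a real file needs PyYAML.

```python
def _get(values, path, default=None):
    """Walk a dotted path such as 'auth.client.idUI' through nested mappings."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def _is_set(values, path):
    return _get(values, path) not in (None, "", [], {})

def validate_values(values):
    """Return the problems found; an empty list means the file is ready to install."""
    problems = []
    if not _is_set(values, "domainName"):
        problems.append("domainName is empty (wildcard DNS must point at it)")
    if _get(values, "auth.enabled") is False:
        problems.append("auth.enabled is false: UI and API would run unauthenticated")
    if _get(values, "auth.keycloak.enabled", True):  # integrated Keycloak (default)
        required = ["auth.keycloakUrl", "auth.keycloakRealm"]
    else:  # external OIDC provider; the client secret may come from an ExternalSecret
        required = ["auth.url", "auth.client.idApiOperator", "auth.client.idUI"]
        ext = "auth.client.externalSecret"
        if not (_is_set(values, "auth.client.secret") or
                (_get(values, f"{ext}.enabled") is True and _is_set(values, f"{ext}.remoteSecretRef")
                 and _is_set(values, f"{ext}.secretStoreRef.name"))):
            problems.append("auth.client.secret or a complete auth.client.externalSecret is required")
    problems += [f"{k} is required for the selected auth mode" for k in required if not _is_set(values, k)]
    # License key: inline value, or a Kubernetes Secret with both name and key given.
    from_secret = (_get(values, "api.licenseKey.secret.enabled") is True
                   and _is_set(values, "api.licenseKey.secret.name") and _is_set(values, "api.licenseKey.secret.key"))
    if not (_is_set(values, "api.licenseKey.key") or from_secret):
        problems.append("api.licenseKey.key or a complete api.licenseKey.secret is required")
    for comp in ("api", "operator"):
        if not _is_set(values, f"{comp}.imagePullSecrets"):
            problems.append(f"{comp}.imagePullSecrets must name the registry ImagePullSecret")
    return problems

# Constructed sample: integrated Keycloak, license key read from a Kubernetes Secret.
SAMPLE_VALUES = {
    "domainName": "catbm.example.internal",
    "auth": {"enabled": True, "keycloak": {"enabled": True},
             "keycloakUrl": "https://keycloak.example.internal", "keycloakRealm": "catbm"},
    "api": {"licenseKey": {"key": "", "secret": {"enabled": True, "name": "catbm-license", "key": "licenseKey"}},
            "imagePullSecrets": [{"name": "jfrog-pull"}]},
    "operator": {"imagePullSecrets": [{"name": "jfrog-pull"}]},
}

if __name__ == "__main__":  # usage: python check_values.py values.yaml (needs PyYAML)
    import sys, yaml
    issues = validate_values(yaml.safe_load(open(sys.argv[1])) or {})
    print("\n".join(issues) or "values.yaml looks complete")
    sys.exit(1 if issues else 0)
```

Run it against your edited `values.yaml` before `helm install`; a non-zero exit means at least one required field from the table above is still missing.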
