Mainnet Post-Installation Upgrades

This guide assumes that you've already deployed an OpenDAX v4 VM instance or Helm release and have administrative access to the K8s cluster it's deployed on.
You may see the platform installation pending at 85% on Cloud-based installations, this is completely fine and expected until you finalize all the operations described below.
The video tutorial: V4 GCP Mainnet Installation.
Vault deployment
For an exchange to work properly in mainnet, you'd need a functional Vault deployment. Here is a detailed guide on how to install and configure it.
We recommend deploying Vault with postgresql set as the storage provider and KMS enabled for auto-unseal.
Thus, you should create KMS keys to use for the Vault deployment. We suggest using either AWS KMS or GCP Cloud KMS. You should also create a service account/IAM user that has access to KMS, and then provide its key via Helm values.
If you have chosen AWS KMS, you should set values of vault.seal.awskms.access_key and vault.seal.awskms.secret_key to the IAM account's access key and secret key respectively.
If you have chosen GCP Cloud KMS, you should create a Secret with the service account's key using the following command:
  kubectl create secret generic vault-credentials \
    -n core \
    --from-file=credentials.json=*local_path_to_sa_credentials.json*
Then you should configure vault.extraMounts and vault.extraVolumeMounts similar to this snippet:
vault:
  extraVolumes:
    - name: vault-sa-secret  # Declare the Service Account JSON secret key
      secret:
        secretName: vault-credentials
  extraVolumeMounts:
    - name: vault-sa-secret  # Mount the SA key Secret
      mountPath: /safe
      readOnly: true
Once you have configured the values, install the Helm Chart and proceed with Post Deployment steps.
After the Vault deployment is complete, you'd need to generate the Vault token for Signer component via kited(the tool used to manage configs in OpenDAX v4).
To do that, you should:
1.Update the kited Helm release with Vault root token(saved after the initial Vault deployment)
  helm upgrade kited-v4p ~deploy/kited-*version*.tgz \
    -n core \
    --reuse-values \
    --set secrets.KITE_VAULT_TOKEN="*vault_token*"
1.Wait for the new Pod to be created - kubectl get po -n core -l app=app.kubernetes.io/name=kited
2.Generate the Vault token for Signer component - kubectl exec -it -n core *pod_name* -- kite secrets generate
Signer configuration
The Signer deployment requires a separate AWS/GCP KMS key pair(you shouldn't use the Vault one).
AWS
To create an AWS KMS key with aws CLI, run:
aws kms create-key \
  --description "The AWS KMS key used for transaction signing" \
  --key-usage "SIGN_VERIFY" \
  --customer-master-key-spec "ECC_SECG_P256K1" \
  --query 'KeyMetadata.[Arn]' \
  --output 'text'
You should get an Arn in the output, save it for now into env var:
export AWS_KMS_KEY_ARN=*key_arn*
Also, make sure to create an AWS IAM role that has access to the previously created KMS key, and export its access and secret keys as env vars:
export AWS_ACCESS_KEY_ID=*access_key*
export AWS_SECRET_ACCESS_KEY=*secret_key*
Upgrade the opendax Helm release with new Signer values:
helm upgrade -n odax opendax *path_to_helm_chart* \
  --reuse-values \
  --set signer.secrets.SIGNER_VAULT_ADDR=http://vault.core:8200 \
  --set signer.secrets.SIGNER_KMS_PROVIDER=aws \
  --set signer.secrets.SIGNER_KMS_AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
  --set signer.secrets.SIGNER_KMS_AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
  --set signer.secrets.SIGNER_KMS_AWS_KEY_ARN=${AWS_KMS_KEY_ARN}
GCP
To create a GCP KMS key with gcloud CLI, run:
gcloud kms keyrings create signer-kms-key-ring \
  --location *region*
​
gcloud kms keys create signer-kms-crypto-key \
  --location=*region* \
  --keyring=signer-kms-key-ring \
  --purpose=asymmetric-signing \
  --rotation-period="100000s" \
  --default-algorithm=ec-sign-secp256k1-sha256 \
  --protection-level=hsm
Set the KMS key path as an env var formated like projects/*project_id*/locations/*region*/keyRings/*key_ring*/cryptoKeys/*crypto_key*/cryptoKeyVersions/*crypto_key_version* (*crypto_key_versions* usually is 1, if you haven't added a different one):
export GCP_KMS_KEY_PATH=*key_path*
Also, make sure to create a GCP Service Account, that has access to the previously created KMS key, and export its credentials from file into env var:
export GCP_SA_CREDENTIALS_PATH=*local_path_to_credentials*
Upgrade the opendax Helm release with new signer values:
helm upgrade -n odax opendax *path_to_helm_chart* \
  --reuse-values \
  --set signer.secrets.SIGNER_VAULT_ADDR=http://vault.core:8200 \
  --set signer.secrets.SIGNER_KMS_PROVIDER=gcp \
  --set-file signer.secrets.SIGNER_KMS_GCP_CREDENTIALS=${GCP_SA_CREDENTIALS_PATH} \
  --set signer.secrets.SIGNER_KMS_GCP_KEY_PATH=${GCP_KMS_KEY_PATH}
Restart Signer
Finally, for Signer to receive new env vars from the previously created Secret, delete the Signer Pod:
kubectl delete po -n odax -l app=signer
Last modified 5mo ago