Substra charts assume at least kubernetes 1.19.
In a production setting, Organizations should do mutual TLS when communicating with the Orchestrator. To that end, a certificate authority is required. We recommend cert-manager.
Both the orchestrator and the backend are deployed as Helm charts. The charts are available in the Substra repository:
helm repo add substra https://substra.github.io/charts
For each component section below, configuration options relates to the component’s chart unless specified otherwise.
The Orchestrator being a standalone component, it should be deployed first.
For detailed information, please refer to the chart documentation.
There are two main attention point when configuring the orchestrator:
the TLS settings
Channel configuration list every Channel the orchestrator should manage and allowed Organizations per channel.
Organization name should match the one defined in backend deployment under the
Regarding TLS configuration, the orchestrator should have its CA certificate passed under
The easiest way to pass the orchestrator a valid certificate is to enable the
The keypair will be available as a secret named
Mutual TLS should be enabled and each organization having access to the orchestrator should have its cacert listed under
<org_name> should match the organization’s name (
orchestrator.mspID option on backend side).
In order to communicate with the orchestrator over mutual TLS, the backend should be configured according to the orchestrator settings.
Note that this is unrelated to the backend ingress configuration, which can also have a TLS layer.
The orchestrator CA certificate secret name should be passed under
The client certificate secret name should be passed under
User access are created by a dedicated pod (
account-operator), credentials are listed under
There are also shared credentials to allow direct backend to backend communication.
They are listed under
Now you understand some of the concepts, you can read how to deploy Substra.