Installation

This section provides comprehensive instructions for deploying the Organization Wallet on-premise using the provided Helm charts.

Overview

The installation process consists of three main steps:

Setting up the required PostgreSQL database
Creating necessary Kubernetes secrets
Deploying the application using Helm charts

Prerequisites

Before proceeding with the installation, ensure you have:

Access to a Kubernetes cluster
PostgreSQL database server
Kubectl command-line tool configured to communicate with your cluster
Helm 3.8.0 or later installed or ArgoCD v2.3 or later

Database Setup

The Organization Wallet requires a PostgreSQL database for operation.

Create a new PostgreSQL database. In this documentation, we use the name organization_wallet. Note that the database naming in this documentation serves as examples only - you may use your own naming convention.
Create a database user organization_wallet_flyway_user for maintaining the database schema. This user requires DDL (Data Definition Language) authorizations to create and update schemas:
```
CREATE USER organization_wallet_flyway_user WITH ENCRYPTED PASSWORD 'your_flyway_password';
GRANT ALL ON DATABASE organization_wallet TO organization_wallet_flyway_user;
```

Create a database user organization_wallet_user for normal operation. This user requires DML (Data Manipulation Language) authorizations:

CREATE USER organization_wallet_user WITH ENCRYPTED PASSWORD 'your_password';

GRANT CONNECT ON DATABASE organization_wallet TO organization_wallet_user;
GRANT USAGE ON SCHEMA public TO organization_wallet_user;
GRANT ALL on ALL TABLES IN SCHEMA public TO organization_wallet_user;
GRANT ALL on ALL SEQUENCES IN SCHEMA public TO organization_wallet_user;

Kubernetes Secrets Configuration

You need to create three Kubernetes secrets for the application components:

A secret for the backend containing the database credentials. The name organization-webwallet-backend is fixed:

kubectl create secret generic organization-webwallet-backend \
--namespace=your-namespace \
--from-literal=SPRING_FLYWAY_USER=organization_wallet_flyway_user \
--from-literal=SPRING_FLYWAY_PASSWORD='your-flyway-password' \
--from-literal=SPRING_DATASOURCE_USERNAME=organization_wallet_user \
--from-literal=SPRING_DATASOURCE_PASSWORD='your-password'

An empty secret for the frontend. The name organization-webwallet-frontend is fixed:

kubectl create secret generic organization-webwallet-frontend \
--namespace=your-namespace 

An empty secret for the documentation. The name organization-webwallet-documentation is fixed:

kubectl create secret generic organization-webwallet-documentation \
--namespace=your-namespace 

Create a secret for pulling the container images. Contact Credenco for the Helm and container registry access credentials.

kubectl create secret docker-registry global-pull-secret \
--docker-server=registry.onstackit.cloud 
--docker-username=robot\$organization-wallet+customername \
--docker-password=your-password \
--namespace=your-namespace 

Important: escape $ in docker-username

Helm Chart Deployment

After setting up the database and creating the required Kubernetes secrets, you can deploy the Organization Wallet using the provided Helm charts:

Create your own git repo containing a Chart.yaml and values.yaml containing the complete deployment configuration of the Credenco Organization Wallet.

Create a 'Chart.yaml' file containing the organization-wallet as a dependency:

apiVersion: v2
name: your-organization-wallet
description: Your Helm chart for deploying the Credenco Organization Wallet in Kubernetes
type: application

version: 1.0.0
appVersion: 1.0.0

dependencies:
- name: organization-webwallet
  version: 1.0.10
  repository: oci://registry.onstackit.cloud/organization-wallet/organization-webwallet/helm

With this example you deploy version 1.0.10 of the Credenco Organization Wallet in your Kubernetes cluster.

Create a values.yaml file containing all your installation specific configuration. See all value options below.

Perform a Helm Login to be able to access the Helm Charts and containers. Contact Credenco for the Helm and container registry access credentials:

CREDENCO_HELM_REGISTRY_USERNAME=your_username
CREDENCO_HELM_REGISTRY_PASSWORD=your_password
echo "$CREDENCO_HELM_REGISTRY_PASSWORD" | helm registry login -u "$CREDENCO_HELM_REGISTRY_USERNAME" --password-stdin registry.onstackit.cloud

Install the Organization Wallet using the Helm chart:

cd your_installation_dir_containing_the_values.yaml
helm install -f values.yaml organization-wallet .

Values

global

Key	Type	Default	Description
global.deployEnvironment	string	`"prod"`	the environment in which the software is deployed. Allowed values: test, acc, prod
global.networkPolicy.database	object	`{"enabled":true,"ipBased":{"allowedCidrs":["10.0.0.0/32"]},"namespaceBased":{"allowedNamespace":"postgres","podSelectorLabels":{"app.kubernetes.io/name":"postgres"}}}`	Access to the database is controlled based on IP ranges or namespace and pod labels
global.networkPolicy.database.enabled	bool	`true`	Enable this NetworkPolicie. When disabled, no NetworkPolicy will be created.
global.networkPolicy.database.ipBased	object	`{"allowedCidrs":["10.0.0.0/32"]}`	Configuration for database access based on IP/CIDR ranges
global.networkPolicy.database.ipBased.allowedCidrs	list	`["10.0.0.0/32"]`	A list of CIDR ranges that are allowed to be accessed (e.g., managed database IPs)
global.networkPolicy.database.namespaceBased	object	`{"allowedNamespace":"postgres","podSelectorLabels":{"app.kubernetes.io/name":"postgres"}}`	Configuration for database access based on namespace and pod labels
global.networkPolicy.database.namespaceBased.allowedNamespace	string	`"postgres"`	The namespace where the database is running
global.networkPolicy.database.namespaceBased.podSelectorLabels	object	`{"app.kubernetes.io/name":"postgres"}`	The labels used to select the database pods
global.networkPolicy.denyAll.enabled	bool	`true`	Enable this NetworkPolicie. When disabled, no NetworkPolicy will be created.
global.networkPolicy.enabled	bool	`false`	Enable NetworkPolicies for the namespace. When disabled, no NetworkPolicies will be created.
global.networkPolicy.ingressController.enabled	bool	`true`	Enable this NetworkPolicie. When disabled, no NetworkPolicy will be created.
global.networkPolicy.ingressController.namespace	string	`"ingress-nginx"`	The namespace where the ingress controller is running
global.networkPolicy.ingressController.podSelectorLabels	object	`{"app.kubernetes.io/name":"ingress-nginx"}`	The labels used to select the ingress controller pods
global.networkPolicy.internal.enabled	bool	`true`	Enable this NetworkPolicie. When disabled, no NetworkPolicy will be created.
global.networkPolicy.monitoring.enabled	bool	`true`	Enable this NetworkPolicie. When disabled, no NetworkPolicy will be created.
global.networkPolicy.monitoring.namespace	string	`"monitoring"`	The namespace where the monitoring system (e.g., Prometheus) is running
global.networkPolicy.monitoring.podSelectorLabels	object	`{"app.kubernetes.io/name":"prometheus"}`	The labels used to select the monitoring pods

organization-webwallet-backend

Key	Type	Default	Description
organization-webwallet-backend.microservice.configMap.environmentVars.config_wallet_url	string	`"https://wallet.yoursite.com"`	The hostname used to access the Organization Wallet
organization-webwallet-backend.microservice.configMap.environmentVars.environment_checkers_internet_enabled	string	`"true"`	Enables the internet connectivity checker that verifies internet access on application startup. The checker retries with exponential backoff if the internet is not available.
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_AITRANSLATIONS	string	`"true"`	The feature flag AI_TRANSLATIONS enables the option to translate texts in the frontend vai the AI translation service. This service is connected to Mistral AI. A Mistal API key is required.
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_APPLICATIONSINVOICE	string	`"true"`	The feature flag APPLICATIONS_INVOICE enables the invoice application
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_AUTOREFRESHEXTERNALISSUERCONFIGURATION	string	`"true"`	The feature flag AUTO_REFRESH_EXTERNAL_ISSUER_CONFIGURATION enables the auto refresh of external issuer configurations
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_FIDESBLUEPAGES	string	`"true"`	The feature flag FIDES_BLUE_PAGES enables the Fides Blue Pages.
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_FIDESCREDENTIALCATALOG	string	`"true"`	The feature flag FIDES_CREDENTIAL_CATALOG enables the Fides Credential Catalog.
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_IAMAPIMANAGEMENT	string	`"true"`	The feature flag IAM_API_MANAGEMENT enables the option to manage keycloak OAuth2 clients and api-keys in the frontend. The OAuth2 clients and api-keys can be used to access the backend API.
organization-webwallet-backend.microservice.configMap.environmentVars.features_flags_IAMUSERMANAGEMENT	string	`"true"`	The feature flag IAM_USER_MANAGEMENT enables the option to manage keycloak users in the frontend
organization-webwallet-backend.microservice.configMap.environmentVars.oauth2_baseUrl	string	`"https://iam.yoursite.com"`	The url of the oAuth2 Identity Provider
organization-webwallet-backend.microservice.configMap.environmentVars.oauth2_frontend_clientid	string	`"organization-wallet-frontend"`	The Client ID used by the frontend during authentication
organization-webwallet-backend.microservice.configMap.environmentVars.oauth2_realm	string	`"organization-wallet"`	The Realm to authenticate against
organization-webwallet-backend.microservice.configMap.environmentVars.spring_datasource_url	string	`"jdbc:postgresql://yourpostgesql-host:2506/organization_wallet"`	The PostresQL jdbc connection url to your postgresql database
organization-webwallet-backend.microservice.configMap.environmentVars.spring_flyway_url	string	`"jdbc:postgresql://yourpostgesql-host:2506/organization_wallet"`	The PostresQL jdbc connection url to your postgresql database
organization-webwallet-backend.microservice.configMap.extraLabels	object	`{}`	Extra labels to add to the ConfigMap resource
organization-webwallet-backend.microservice.deployment.extraLabels	object	`{}`	Extra labels to add to the Deployment resource
organization-webwallet-backend.microservice.deployment.image.pullPolicy	string	`"IfNotPresent"`	The pull policy for the container image
organization-webwallet-backend.microservice.deployment.image.registry	string	`"oci-registry.yoursite.com"`	The OCI registry you want to use to download the container images from
organization-webwallet-backend.microservice.deployment.imagePullSecretName	string	`"global-pull-secret"`	The name of the secret containing the credentials to pull containers from the OCI container registry
organization-webwallet-backend.microservice.deployment.replicaCount	int	`2`	The number of pods to be started
organization-webwallet-backend.microservice.ingress.default.extraLabels	object	`{}`	Extra labels to add to the default Ingress resource
organization-webwallet-backend.microservice.ingress.default.hosts[0].configName	string	`"organization-webwallet"`	Keep this name to organization-webwallet for the primary hostname
organization-webwallet-backend.microservice.ingress.default.hosts[0].hostname	string	`"wallet.yoursite.com"`	The hostname used to access the Organization Wallet
organization-webwallet-backend.microservice.ingress.default.hosts[0].maxUploadFilesize	string	`"100m"`	A limit to the maximum file upload size
organization-webwallet-backend.microservice.ingress.default.name	string	`"default"`	An arbitrary unique name to name the ingresses in k8s
organization-webwallet-backend.microservice.ingress.default.paths[0].path	string	`"/"`	The path to access the Organization Wallet. Keep on /
organization-webwallet-backend.microservice.ingress.extraIngresses[0].extraLabels	object	`{}`	Extra labels to add to this extra Ingress resource
organization-webwallet-backend.microservice.ingress.extraIngresses[0].hosts[0].hostname	string	`"did.wallet.yoursite.com"`	The hostname used to access the Organization Wallet
organization-webwallet-backend.microservice.ingress.extraIngresses[0].hosts[0].maxUploadFilesize	string	`"100m"`	A limit to the maximum file upload size
organization-webwallet-backend.microservice.ingress.extraIngresses[0].name	string	`"did"`	An arbitrary unique name to name the ingresses in k8s
organization-webwallet-backend.microservice.ingress.extraIngresses[0].paths[0].path	string	`"/did"`	The path to access the Organization Wallet.
organization-webwallet-backend.microservice.service.extraLabels	object	`{}`	Extra labels to add to the Service resource

organization-webwallet-documentation

Key	Type	Default	Description
organization-webwallet-documentation.frontend.configMap.extraLabels	object	`{}`	Extra labels to add to the ConfigMap resource
organization-webwallet-documentation.frontend.deployment.extraLabels	object	`{}`	Extra labels to add to the Deployment resource
organization-webwallet-documentation.frontend.deployment.image.pullPolicy	string	`"IfNotPresent"`	The pull policy for the container image
organization-webwallet-documentation.frontend.deployment.image.registry	string	`"oci-registry.yoursite.com"`	The OCI registry you want to use to download the container images from
organization-webwallet-documentation.frontend.deployment.imagePullSecretName	string	`"global-pull-secret"`	The name of the secret containing the credentials to pull containers from the OCI container registry
organization-webwallet-documentation.frontend.deployment.replicaCount	int	`1`	The number of pods to be started
organization-webwallet-documentation.frontend.ingress.default.extraLabels	object	`{}`	Extra labels to add to the default Ingress resource
organization-webwallet-documentation.frontend.ingress.default.hosts[0].configName	string	`"organization-webwallet-documentation"`	Keep this name to organization-webwallet-documentation for the primary hostname
organization-webwallet-documentation.frontend.ingress.default.hosts[0].hostname	string	`"docs.yoursite.com"`	The hostname used to access the Organization Wallet
organization-webwallet-documentation.frontend.ingress.default.name	string	`"web"`	An arbitrary unique name to name the ingresses in k8s
organization-webwallet-documentation.frontend.ingress.default.paths[0].path	string	`"/"`	The path to access the Organization Wallet. Keep on /
organization-webwallet-documentation.frontend.service.extraLabels	object	`{}`	Extra labels to add to the Service resource

organization-webwallet-frontend

Key	Type	Default	Description
organization-webwallet-frontend.frontend.configMap.extraLabels	object	`{}`	Extra labels to add to the ConfigMap resource
organization-webwallet-frontend.frontend.deployment.extraLabels	object	`{}`	Extra labels to add to the Deployment resource
organization-webwallet-frontend.frontend.deployment.image.pullPolicy	string	`"IfNotPresent"`	The pull policy for the container image
organization-webwallet-frontend.frontend.deployment.image.registry	string	`"oci-registry.yoursite.com"`	The OCI registry you want to use to download the container images from
organization-webwallet-frontend.frontend.deployment.imagePullSecretName	string	`"global-pull-secret"`	The name of the secret containing the credentials to pull containers from the OCI container registry
organization-webwallet-frontend.frontend.deployment.replicaCount	int	`2`	The number of pods to be started
organization-webwallet-frontend.frontend.ingress.default.extraLabels	object	`{}`	Extra labels to add to the default Ingress resource
organization-webwallet-frontend.frontend.ingress.default.hosts[0].hostname	string	`"wallet.yoursite.com"`	The hostname used to access the Organization Wallet
organization-webwallet-frontend.frontend.ingress.default.name	string	`"web"`	An arbitrary unique name to name the ingresses in k8s
organization-webwallet-frontend.frontend.ingress.default.paths[0].path	string	`"/"`	The path to access the Organization Wallet. Keep on /
organization-webwallet-frontend.frontend.ingress.extraIngresses[0].extraLabels	object	`{}`	Extra labels to add to this extra Ingress resource
organization-webwallet-frontend.frontend.ingress.extraIngresses[0].hosts[0].hostname	string	`"wallet.yoursite2.com"`	The hostname used to access the Organization Wallet
organization-webwallet-frontend.frontend.ingress.extraIngresses[0].name	string	`"extra"`	An arbitrary unique name to name the ingresses in k8s
organization-webwallet-frontend.frontend.ingress.extraIngresses[0].paths[0].path	string	`"/"`	The path to access the Organization Wallet. Keep on /
organization-webwallet-frontend.frontend.service.extraLabels	object	`{}`	Extra labels to add to the Service resource

Example values.yaml configuration file:

global:
  deployEnvironment: prod
 
    networkPolicy:
      enabled: false
      ingressController:
        enabled: true
        namespace: ingress-nginx
        podSelectorLabels:
          app.kubernetes.io/name: ingress-nginx
      monitoring:
        enabled: true
        namespace: monitoring
        podSelectorLabels:
          app.kubernetes.io/name: prometheus
      database:
        enabled: true
        ipBased:
          allowedCidrs:
            - 10.0.0.0/32
        namespaceBased:
          allowedNamespace: postgres
          podSelectorLabels:
            app.kubernetes.io/name: postgres
      internal:
        enabled: true
      denyAll:
        enabled: true
 
 
organization-webwallet:
  organization-webwallet-frontend:
    frontend:
      configMap:
        extraLabels: {}
      deployment:
        imagePullSecretName: global-pull-secret
        extraLabels: {}
        replicaCount: 2
        image:
          registry: oci-registry.yoursite.com
          pullPolicy: IfNotPresent
      service:
        extraLabels: {}
      ingress:
        default:
          name: web
          extraLabels: {}
          paths:
            - # -- The path to access the Organization Wallet. Keep on /
              path: /
          hosts:
            - # -- The hostname used to access the Organization Wallet
              hostname: wallet.yoursite.com
        extraIngresses:
          - # -- An arbitrary unique name to name the ingresses in k8s
            name: extra
            extraLabels: {}
            paths:
              - # -- The path to access the Organization Wallet. Keep on /
                path: /
            hosts:
              - # -- The hostname used to access the Organization Wallet
                hostname: wallet.yoursite2.com
 
  organization-webwallet-backend:
    microservice:
      configMap:
        extraLabels: {}
        environmentVars:
          spring_datasource_url: jdbc:postgresql://yourpostgesql-host:2506/organization_wallet
          spring_flyway_url: jdbc:postgresql://yourpostgesql-host:2506/organization_wallet
          oauth2_baseUrl: https://iam.yoursite.com
          oauth2_realm: organization-wallet
          oauth2_frontend_clientid: organization-wallet-frontend
          config_wallet_url: https://wallet.yoursite.com
          features_flags_IAMUSERMANAGEMENT: "true"
          features_flags_IAMAPIMANAGEMENT: "true"
          features_flags_AITRANSLATIONS: "true"
          features_flags_FIDESCREDENTIALCATALOG: "true"
          features_flags_FIDESBLUEPAGES: "true"
          features_flags_AUTOREFRESHEXTERNALISSUERCONFIGURATION: "true"
          features_flags_APPLICATIONSINVOICE: "true"
          environment_checkers_internet_enabled: "true"
 
      deployment:
        imagePullSecretName: global-pull-secret
        extraLabels: {}
        replicaCount: 2
        image:
          registry: oci-registry.yoursite.com
          pullPolicy: IfNotPresent
      service:
        extraLabels: {}
      ingress:
        default:
          name: default
          extraLabels: {}
          paths:
            - # -- The path to access the Organization Wallet. Keep on /
              path: /
          hosts:
            - # -- The hostname used to access the Organization Wallet
              hostname: wallet.yoursite.com
              configName: organization-webwallet
              maxUploadFilesize: 100m
        extraIngresses:
          - # -- An arbitrary unique name to name the ingresses in k8s
            name: did
            extraLabels: {}
            paths:
              - # -- The path to access the Organization Wallet.
                path: /did
            hosts:
              - # -- The hostname used to access the Organization Wallet
                hostname: did.wallet.yoursite.com
                maxUploadFilesize: 100m
 
 
  organization-webwallet-documentation:
    frontend:
      configMap:
        extraLabels: {}
      deployment:
        imagePullSecretName: global-pull-secret
        extraLabels: {}
        replicaCount: 1
        image:
          registry: oci-registry.yoursite.com
          pullPolicy: IfNotPresent
      service:
        extraLabels: {}
      ingress:
        default:
          name: web
          extraLabels: {}
          paths:
            - # -- The path to access the Organization Wallet. Keep on /
              path: /
          hosts:
            - # -- The hostname used to access the Organization Wallet
              hostname: docs.yoursite.com
              configName: organization-webwallet-documentation
 

Overview​

Prerequisites​

Database Setup​

Kubernetes Secrets Configuration​

Helm Chart Deployment​

Values​

global​

organization-webwallet-backend​

organization-webwallet-documentation​

organization-webwallet-frontend​

Example values.yaml configuration file:​