Helm chart for deploying the Affinidi DIDComm Mediator on Kubernetes.
License: Apache-2.0
- Prerequisites
- Step 1 — Configure DNS Records
- Step 2 — Clone affinidi-tdk-rs
- Step 3 — Generate Config and Secrets
- Step 4 — Create Kubernetes Secrets
- Step 5 — Prepare Your Values File
- Step 6 — Deploy
- Makefile Reference
## Prerequisites

If you set up your cluster with ic3software/hetzner-k8s, all prerequisites below are already satisfied.

- Kubernetes cluster with:
  - NGINX Ingress Controller
  - cert-manager with a `letsencrypt-prod` ClusterIssuer (for TLS)
  - Longhorn storage class — or override `persistence.storageClass` with your own
- `kubectl` pointed at the target cluster
- Helm 3.x
- Rust toolchain — install via rustup.rs
  - `cargo` (included with Rust)
## Step 1 — Configure DNS Records

You will need the node IP from your cluster. If you used ic3software/hetzner-k8s, this is the public IP of the node printed at the end of setup.

Replace `mydomain.com` with your actual domain and create the following A record:

| Type | Name | Content (IPv4) | Notes |
|---|---|---|---|
| A | mediator.mydomain.com | `<NODE_IP>` | DNS only |

If you are using Cloudflare, set this record to DNS only (grey cloud, proxy disabled). We use Let's Encrypt for TLS, which requires direct DNS resolution.
## Step 2 — Clone affinidi-tdk-rs

```bash
git clone https://github.com/affinidi/affinidi-tdk-rs
# keep it as a sibling of this repo (default path assumed by setup-secrets.sh)
```

## Step 3 — Generate Config and Secrets

```bash
make setup-secrets HOST=mediator.mydomain.com
```

This runs `cargo run --bin generate_mediator_config`, copies the generated files into `secrets/`, builds `secrets/environments.json`, and prints the ready-to-run `make create-auth-secret` command.

If affinidi-tdk-rs is not at `./affinidi-tdk-rs`, pass its path:

```bash
make setup-secrets HOST=mediator.mydomain.com TDK_RS_DIR=/path/to/affinidi-tdk-rs
```

## Step 4 — Create Kubernetes Secrets

Step 3 prints a ready-to-run `make create-auth-secret` command at the end of its output — copy and run it now.
```bash
# Auth credentials — paste the command from step 3 output here, e.g.:
# make create-auth-secret \
#   JWT_AUTHORIZATION_SECRET="string://..." \
#   MEDIATOR_DID="did://did:webvh:..." \
#   ADMIN_DID="did://did:peer:2...."

# DID config files
make create-config-secret
```

## Step 5 — Prepare Your Values File

```bash
cp values.example.yaml my-values.yaml
```

Adjust as needed — most defaults are fine. The main thing to review is the Mediator operating mode, which defaults to open network.
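A preflight check for steps 3 and 4, added here as an example and not part of the chart's Makefile. It verifies that the three credentials pasted into `make create-auth-secret` carry the scheme prefixes step 3 prints (`string://` and `did://did:`), that `secrets/environments.json` was produced by `setup-secrets`, and that `secrets/` (which holds the generated DID key material) is excluded by `.gitignore` so it cannot be committed by accident. The function names and the `.gitignore` convention are assumptions.

```shell
#!/usr/bin/env sh
# Added preflight check (not part of the chart). Run from the chart repo root
# with the same environment variables you would pass to make create-auth-secret.

# Each credential from the step 3 output must carry its scheme prefix:
# JWT_AUTHORIZATION_SECRET is "string://...", both DIDs are "did://did:...".
check_scheme() {
  name=$1; value=$2; prefix=$3
  case "$value" in
    "$prefix"*) return 0 ;;
    "") echo "$name is empty" >&2; return 1 ;;
    *) echo "$name must start with $prefix (got ${value%%:*}:...)" >&2; return 1 ;;
  esac
}

# 0 when .gitignore excludes the secrets/ directory (generated DID keys and
# environments.json must never reach git history). Assumes a plain "secrets/" entry.
secrets_ignored() {
  repo=$1
  [ -f "$repo/.gitignore" ] || return 1
  grep -Eq '^/?secrets/?$' "$repo/.gitignore"
}

# 0 when make setup-secrets has produced what create-config-secret needs.
secrets_populated() {
  repo=$1
  [ -d "$repo/secrets" ] && [ -s "$repo/secrets/environments.json" ]
}

# Runs every check, reports all failures, returns non-zero if any failed.
preflight() {
  repo=${1:-.}
  ok=0
  check_scheme JWT_AUTHORIZATION_SECRET "$JWT_AUTHORIZATION_SECRET" "string://" || ok=1
  check_scheme MEDIATOR_DID "$MEDIATOR_DID" "did://did:" || ok=1
  check_scheme ADMIN_DID "$ADMIN_DID" "did://did:" || ok=1
  secrets_populated "$repo" || { echo "secrets/environments.json missing; run make setup-secrets" >&2; ok=1; }
  secrets_ignored "$repo" || { echo "secrets/ is not listed in .gitignore" >&2; ok=1; }
  return $ok
}
```

Run `preflight` before `make create-auth-secret`; only proceed to the kubectl secrets when it exits 0.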
## Step 6 — Deploy

```bash
make deploy VALUES_FILE=my-values.yaml URL=mediator.mydomain.com
```

`MEDIATOR_VERSION` controls which binary is baked into the Docker image and which image tag is deployed. Each build also tags the image with the current git SHA for traceability, pushing three tags total: `<version>`, `<git-sha>`, and `latest`.

Build and push a specific version:

```bash
make push MEDIATOR_VERSION=0.14.0
```

Deploy a specific version:

```bash
make deploy MEDIATOR_VERSION=0.14.0 VALUES_FILE=my-values.yaml URL=mediator.mydomain.com
```

Roll back to a previous version (no rebuild required — uses the image already in the registry):

```bash
make deploy MEDIATOR_VERSION=0.13.0 VALUES_FILE=my-values.yaml URL=mediator.mydomain.com
```

## Makefile Reference

| Target | Description |
|---|---|
| `setup-secrets HOST=<host>` | Generate mediator config and populate `secrets/` |
| `create-config-secret` | Create Secret from `secrets/` DID files |
| `create-auth-secret` | Create Secret for JWT and DID credentials |
| `build` | Build Docker image (tagged with version, git SHA, and `latest`) |
| `push` | Build and push image to registry |
| `deploy` | Install or upgrade the Helm release |
Variables (all overridable):

```makefile
NAME             = didcomm-mediator
IMAGE            = ghcr.io/ic3software/didcomm-mediator
MEDIATOR_VERSION = 0.13.0
TAG              = <git short sha>
DEPLOY_ENV       = production
VALUES_FILE      = # path to your values override file
URL              = # required for deploy
HOST             = # required for setup-secrets
```