OpenShift installation
OpenShift deployment guidance for self-hosted DALP environments that use restricted SCCs, Routes, and OpenShift Data Foundation or another CSI-backed storage class.
Overview
DALP runs on Red Hat OpenShift Container Platform (OCP) and OKD when the cluster provides the Kubernetes APIs, Route API, storage classes, and security policy required by the charts. The OpenShift path keeps DALP workloads non-root, exposes selected services through Routes, and leaves registry approval, storage selection, secret handling, and disaster recovery evidence with the operator.
DALP workloads are designed for OpenShift's restricted Security Context Constraints (SCC) profile. Keep that profile in force unless SettleMint support has reviewed a narrower exception for your environment.
The chart renders Kubernetes and OpenShift resources. Your platform team controls the cluster policy that admits images, injects secrets, assigns storage, exposes hostnames, and restores state after an incident.
Platform requirements
| Requirement | Minimum | Recommended | Notes |
|---|---|---|---|
| OpenShift version | 4.14 | 4.16+ | OCP or OKD supported |
| Worker nodes | 3 | 6+ | Spread across failure domains |
| vCPU per worker | 8 | 16 | More for indexing workloads |
| Memory per worker | 32 GB | 64 GB | More for blockchain nodes |
| Storage | ODF or CSI | ODF | Must support RWX for some services |
Security context constraints
DALP images run as non-root and do not require privilege escalation. The charts avoid fixed user IDs so OpenShift can assign a UID from the target project's range.
Required security settings
Review rendered manifests for these settings before production promotion:
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefaultUser ID handling
OpenShift assigns arbitrary UIDs from each project's UID range. DALP charts set runAsUser: null to allow OpenShift's admission controller to inject the appropriate UID. Do not specify explicit UIDs in your values overrides.
Image security and evidence handoff
DALP can run as containerized workloads on enterprise OpenShift using non-root images, restricted SCC-compatible runtime settings, image evidence, and runtime secret injection. SettleMint provides the DALP images and Helm values. Your OpenShift team decides which registry, scanner, admission policy, and vault controls approve those images for production.
| Area | DALP deployment behavior | Operator control |
|---|---|---|
| Image registry | DALP images are pulled from harbor.settlemint.com, or from a customer registry if the images are mirrored before installation. | Allow the approved registry only, pin image versions in the release values, and apply the bank's image admission policy. |
| Runtime image posture | DALP compiled services run from non-root distroless images. Web runtimes and migration tooling use pinned Alpine Bun images with a non-root application user. | Scan SettleMint-provided and third-party support images before promotion into the production registry. |
| OpenShift runtime controls | OpenShift values set non-root execution, disabled privilege escalation, dropped Linux capabilities, RuntimeDefault seccomp where configured, and OpenShift-assigned UIDs. | Keep the restricted SCC profile in force and reject overrides that add fixed root users, extra capabilities, or privileged containers. |
| SBOM and vulnerability evidence | The deployment evidence pack can include the release-specific dependency manifest, software bill of materials, container provenance where available, and vulnerability-scan disposition for the delivered images. | Archive the scan results used for registry promotion and tie them to the deployed image digests and chart version. |
| Credentials | Runtime credentials are injected at startup through the environment's approved secret path. The chart supports enterprise secret-store mapping through Conjur and summon, and DALP services also consume runtime values supplied by the deployment. | Store secret values in the bank vault or approved Kubernetes secret process, rotate them there, and restart or roll workloads according to the bank's rotation runbook. Do not put production secret values into application images. |
For the audit evidence model behind SBOMs, source review, and deployed image provenance, see Source verification and auditability.
Networking with Routes
OpenShift uses Routes for external access. DALP charts render Route resources only when the cluster exposes the OpenShift Route API and the relevant openShiftRoute.enabled value is true.
Route configuration
Enable only the public surfaces that the OpenShift Router should expose. The dApp, Blockscout, and Grafana use separate chart surfaces and separate Route values:
# DALP dApp Route
dapp:
openShiftRoute:
enabled: true
host: dalp.apps.example.com
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
# Blockscout UI and API Routes
blockscout:
blockscout:
openShiftRoute:
enabled: true
host: explorer-api.apps.example.com
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
frontend:
openShiftRoute:
enabled: true
host: explorer.apps.example.com
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
# Grafana Route in observability chart values
grafana:
openShiftRoute:
enabled: true
host: grafana.apps.example.com
tls:
termination: edge
insecureEdgeTerminationPolicy: RedirectThe settlemint/dalp application chart consumes the dApp and Blockscout Route values. Configure the Grafana Route in the observability chart values when you install observability. If an umbrella chart nests observability under an observability key, put the same Grafana values under that chart key. Leave the Grafana Route disabled when operators should reach Grafana through a private network path or another ingress pattern. See Observability for the monitoring components behind that route.
| Surface | Route value | Expose when | Keep private when |
|---|---|---|---|
| dApp | dapp.openShiftRoute | Users need browser access through the OpenShift Router. | Access is through a private ingress, VPN, or another approved entry point. |
| Blockscout API | blockscout.blockscout.openShiftRoute | The Blockscout UI must call the explorer API through Route. | API access is supplied through an internal hostname or private ingress. |
| Blockscout UI | blockscout.frontend.openShiftRoute | Operators or approved users need browser explorer access. | Explorer access is limited to an internal network or not deployed. |
| Grafana | grafana.openShiftRoute in observability values | Operators need browser access through the OpenShift Router. | Observability is reached through the bank's monitoring network path. |
TLS termination options
| Option | Use case | Notes |
|---|---|---|
| edge | Standard HTTPS termination | Router terminates TLS, backend uses HTTP |
| passthrough | End-to-end encryption | TLS passes to pod, requires cert in pod |
| reencrypt | Internal encryption with own certs | Router terminates and re-encrypts to pod |
Most deployments should use edge termination with OpenShift's wildcard certificate or a custom certificate.
Storage configuration
OpenShift data foundation (ODF)
For production deployments, OpenShift Data Foundation provides:
- Ceph-based distributed storage
- RWX support for shared volumes
- Built-in replication and recovery
- S3-compatible object storage
Storage class selection
global:
storageClass: ocs-storagecluster-ceph-rbd # ODF block storageFor object storage (RustFS alternative):
rustfs:
enabled: false # Use ODF object storage instead
objectStorage:
endpoint: s3://rook-ceph-rgw-ocs-storagecluster-cephobjectstore.openshift-storage.svc
bucket: dalp-assets
existingSecret: dalp-s3-credentialsOperator integration
OpenShift operators manage supporting infrastructure outside the DALP application chart.
CloudNativePG
The CloudNativePG operator works on OpenShift without modification. Install via OperatorHub or Helm.
Velero
For backup and disaster recovery, Velero integrates with OpenShift through the OADP (OpenShift API for Data Protection) operator available in OperatorHub.
NetworkPolicy considerations
OpenShift Network Policies work identically to Kubernetes, with one addition: the OpenShift Router requires explicit ingress rules.
DALP charts automatically add router access when running on OpenShift:
# Automatically included when route.openshift.io/v1 API is detected
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingressInstallation outline
1. Prepare the project
# Create project (namespace)
oc new-project dalp-production
# Verify SCC assignment
oc get scc restricted-v2 -o yaml2. Add the Helm repository
helm repo add settlemint https://harbor.settlemint.com/chartrepo/dalp
helm repo update3. Configure values
Create an OpenShift-specific values file by merging the base values-openshift.yaml with your environment configuration:
# values-production.yaml
global:
platform: openshift
storageClass: ocs-storagecluster-ceph-rbd
# Enable Routes for user-facing services
dapp:
openShiftRoute:
enabled: true
host: dalp.apps.example.com
blockscout:
blockscout:
openShiftRoute:
enabled: true
host: explorer-api.apps.example.com
frontend:
openShiftRoute:
enabled: true
host: explorer.apps.example.com
# Disable Traefik (OpenShift Router handles ingress)
traefik:
enabled: false4. Install the chart
helm install dalp settlemint/dalp \
-n dalp-production \
-f values-openshift.yaml \
-f values-production.yaml5. Verify the deployment
# Check pod status
oc get pods -n dalp-production
# Verify Routes
oc get routes -n dalp-production
# Check Route TLS
oc get route dalp -n dalp-production -o jsonpath='{.spec.tls.termination}'Troubleshooting
Pod fails with SCC denied
Verify your deployment does not specify explicit UIDs:
oc get deployment <name> -o yaml | grep -A5 securityContextRemove any runAsUser with explicit values. Use null or omit the field entirely.
Route not accessible
Check that the Route hostname resolves correctly:
oc get route <name> -o jsonpath='{.spec.host}'
nslookup <hostname>Verify the router pod is running:
oc get pods -n openshift-ingressStorage provisioning fails
Confirm the storage class exists and is default:
oc get storageclass
oc get pvc -n dalp-productionFor ODF, verify the storage cluster is healthy:
oc get storagecluster -n openshift-storageSee also
- Prerequisites for infrastructure requirements.
- Installation process for the full deployment sequence.
- High availability for backup, recovery, and RTO/RPO planning.
- Source verification and auditability for evidence packs and image provenance.
Installation process
Overview of the SettleMint-managed installation process for self-hosted DALP deployments. Covers pre-installation verification, deployment phases, and post-installation handoff.
High availability
How self-hosted DALP operators choose a high availability and disaster recovery pattern, with recovery metrics, ownership boundaries, and links to the supported deployment scenarios.