From 2c5cba9f7d0f0260a595b4c01304cbe8c3b28d0f Mon Sep 17 00:00:00 2001 From: saurabhkumarkardam Date: Tue, 11 Jun 2024 09:45:14 +0000 Subject: [PATCH] feat(indy): enable platform deployment via ansible-server This commit introduces support for deploying a decentralized ledger technology (DLT) network using Ansible automation. The changes include: 1. Updated the Ansible codebase to support network deployment in respect of the standalone Helm chart. 2. The following Ansible roles have been introduced to appropriately deploy the network: - 1. Generate keys for each node of each organization. - 2. Fetch generated keys in JSON format to deploy genesis with known nodes only. - 3. Utilize keys stored in the JSON file to configure the genesis with known nodes and then install the genesis block. - 4. A secondary genesis setup is also included to support deployment in multiple namespaces for a multi-organization Indy network. - 5. Deploy stewards for all organizations. - 6. Deploy the endorser. 3. Updated the Reset Ansible code to delete each node's key from the vault, along with the organization policy and Authentication engine. 4. Added an individual role to clean all the network-supported local files (JSON files). 5. Updated the sample network configuration file to provide information on which networks can be deployed using this file and how to customize the network by following the network rules specified in the file itself. This PR will allow users to set up an Indy network with support for the following rules: 1. Exactly 1 trustee is required per organization. 2. Up to 1 endorser is allowed per organization. 3. At least 4 stewards are required collectively across the entire Indy network. fixes #2557 
Signed-off-by: saurabhkumarkardam --- platforms/hyperledger-indy/charts/README.md | 13 +- .../configuration/cleanup.yaml | 20 +- .../configuration/deploy-network.yaml | 222 +++++----------- .../check/validation/tasks/check_count.yaml | 47 ++-- .../roles/check/validation/tasks/main.yaml | 47 ++-- .../clean/local_directories/tasks/main.yaml | 33 +++ .../clean/vault/tasks/delete_node_keys.yaml | 19 ++ .../clean/vault/tasks/delete_policy_auth.yaml | 29 +++ .../roles/clean/vault/tasks/main.yaml | 184 ++------------ .../helm_component/peer/tasks/main.yaml | 24 ++ .../peer/templates/generate_genesis.tpl | 53 ++++ .../peer/templates/generate_keys.tpl | 52 ++++ .../peer/templates/stewards.tpl | 50 ++++ .../create/helm_component/peer/vars/main.yaml | 10 + .../roles/create/namespace/tasks/main.yaml | 2 +- .../roles/create/secrets/tasks/main.yaml | 32 +++ .../setup/endorser/tasks/endorser_keys.yaml | 41 +++ .../roles/setup/endorser/tasks/main.yaml | 24 ++ .../roles/setup/endorsers/tasks/main.yaml | 49 ---- .../setup/endorsers/tasks/nested_main.yaml | 131 ---------- .../roles/setup/generate-keys/tasks/main.yaml | 56 +++++ .../setup/genesis-node-keys/tasks/main.yaml | 22 ++ .../genesis-node-keys/tasks/steward_keys.yaml | 68 +++++ .../genesis-node-keys/tasks/trustee_keys.yaml | 41 +++ .../roles/setup/genesis/tasks/main.yaml | 14 ++ .../setup/genesis/tasks/primary_genesis.yaml | 66 +++++ .../genesis/tasks/primary_genesis_peers.yaml | 20 ++ .../genesis/tasks/secondary_genesis.yaml | 60 +++++ .../genesis/tasks/secondary_genesis_orgs.yaml | 35 +++ .../roles/setup/stewards/tasks/main.yaml | 49 +--- .../roles/setup/stewards/tasks/nested.yaml | 38 +++ .../network-indy-newnode-to-baf-network.yaml | 25 -- ...twork-indy-newnode-to-non-baf-network.yaml | 5 - .../samples/network-indyv3-aries.yaml | 14 +- .../configuration/samples/network-indyv3.yaml | 237 ++++++++++++------ .../samples/network-minikube-aries.yaml | 6 +- .../samples/network-minikube.yaml | 18 +- platforms/network-schema.json 
| 6 +- .../shared/configuration/delete-network.yaml | 2 - .../create/job_component/tasks/main.yaml | 6 +- .../job_component/templates/indy_endorser.tpl | 8 + .../job_component/templates/indy_genesis.tpl | 34 +++ .../roles/create/job_component/vars/main.yaml | 4 + .../roles/git_push/tasks/main.yaml | 17 +- .../roles/helm_lint/vars/main.yaml | 3 + .../configuration/setup-k8s-environment.yaml | 2 +- run.sh | 4 +- 47 files changed, 1171 insertions(+), 771 deletions(-) create mode 100644 platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl create mode 100644 platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl create mode 100644 platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl create mode 100644 platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml delete mode 100644 platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml delete mode 100644 platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml create mode 100644 
platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml create mode 100644 platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml create mode 100644 platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl create mode 100644 platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl diff --git a/platforms/hyperledger-indy/charts/README.md b/platforms/hyperledger-indy/charts/README.md index 397176f1b13..d0255bf7122 100644 --- a/platforms/hyperledger-indy/charts/README.md +++ b/platforms/hyperledger-indy/charts/README.md 
@@ -79,7 +79,8 @@ helm install university-steward-3 ./indy-node --namespace university-ns --values cd ./indy-register-identity/files kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json -# Register endorser identity from admin +# Register the endorser identity using the trustee's credentials +# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides cd ../.. helm install university-endorser-id ./indy-register-identity --namespace authority-ns ``` 
@@ -130,24 +131,26 @@ helm install university-steward-4 ./indy-node --namespace university-ns --values cd ./indy-register-identity/files kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json -# Register endorser identity from admin +# Register the endorser identity using the trustee's credentials +# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides cd ../.. helm install university-endorser-id ./indy-register-identity --namespace authority-ns ``` ### Clean-up -To clean up, simply uninstall the Helm releases. It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure. +To clean up, simply uninstall the Helm charts. +> **NOTE**: It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure. ```bash helm uninstall --namespace university-ns university-steward-1 helm uninstall --namespace university-ns university-steward-2 helm uninstall --namespace university-ns university-steward-3 helm uninstall --namespace university-ns university-steward-4 -helm uninstall --namespace university-ns genesis helm uninstall --namespace university-ns university-keys +helm uninstall --namespace university-ns genesis helm uninstall --namespace authority-ns university-endorser-id -helm uninstall --namespace authority-ns genesis helm uninstall --namespace authority-ns authority-keys +helm uninstall --namespace authority-ns genesis ``` diff --git a/platforms/hyperledger-indy/configuration/cleanup.yaml b/platforms/hyperledger-indy/configuration/cleanup.yaml index a0b5da8760c..92b70722c2e 100644 --- a/platforms/hyperledger-indy/configuration/cleanup.yaml 
+++ b/platforms/hyperledger-indy/configuration/cleanup.yaml @@ -13,17 +13,19 @@ no_log: "{{ no_ansible_log | default(false) }}" tasks: # Cleanup all organizations' vault indy crypto - - name: Cleanup Vault indy crypto + - name: "Clean up Vault indy crypto" include_role: name: clean/vault vars: - organization: "{{ organizationItem.name | lower }}" - organization_ns: "{{ organization }}-ns" - services: "{{ organizationItem.services }}" - acount: "{{ organization }}-admin-vault-auth" - vault: "{{ organizationItem.vault }}" - role: "rw" - auth_path: "kubernetes-{{ organization }}" + org_name: "{{ org.name | lower }}" + org_ns: "{{ org_name }}-ns" + services: "{{ org.services }}" + vault: "{{ org.vault }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org + + # Clean up helpers directory + - name: "Clean up helpers directory" + include_role: + name: clean/local_directories diff --git a/platforms/hyperledger-indy/configuration/deploy-network.yaml b/platforms/hyperledger-indy/configuration/deploy-network.yaml index d75e640101d..bb2a555fdb7 100644 --- a/platforms/hyperledger-indy/configuration/deploy-network.yaml +++ b/platforms/hyperledger-indy/configuration/deploy-network.yaml @@ -4,10 +4,11 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -######################### +############################################################################################## # Playbook to create deployment files for namespaces, service account and clusterrolebinding # Playbook arguments: complete network.yaml -######################### +############################################################################################## +--- - hosts: ansible_provisioners gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" 
@@ -24,203 +25,100 @@ name: check/validation # Create namespaces for organizations - - name: 'Create namespace' + - name: "Create namespace" include_role: name: create/namespace vars: - component_name: "{{ organizationItem.name | lower }}-ns" - component_type_name: "{{ organizationItem.type | lower }}" - kubernetes: "{{ organizationItem.k8s }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" + component_name: "{{ org.name | lower }}-ns" + component_type_name: "{{ org.type | lower }}" + kubernetes: "{{ org.k8s }}" + release_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org - # Create service accounts - - name: 'Create service accounts' + # Create necessary Kubernetes secrets for each organization + - name: "Create k8s secrets" include_role: - name: create/serviceaccount/main + name: create/secrets vars: - component_ns: "{{ organizationItem.name | lower }}-ns" - organization: "{{ organizationItem.name | lower }}" - component_type_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - gitops: "{{ organizationItem.gitops }}" - kubernetes: "{{ organizationItem.k8s }}" + component_ns: "{{ org.name | lower }}-ns" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' + loop_var: org - # Create StorageClass - - name: Create Storage Class + # Generate keys for each nodes + - name: "Generate keys" include_role: - name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" + name: setup/generate-keys vars: org_name: "{{ org.name | lower }}" - sc_name: "{{ org_name }}-bevel-storageclass" - region: "{{ org.k8s.region | default('eu-west-1') }}" + stewards: 
"{{ org.services.stewards }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + vault: "{{ org.vault }}" + kubernetes: "{{ org.k8s }}" + component_type: "generate-keys" + component_ns: "{{ org_name }}-ns" + component_name: "{{ org_name }}-keys" + values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org - when: org.org_status is not defined or org.org_status == 'new' - - # Admin K8S auth - - name: Admin K8S auth - include_role: - name: setup/vault_kubernetes - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}-bevel-ac-vault-auth" - component_type: "GetServiceAccount" - vault: "{{ organizationItem.vault }}" - auth_path: "kubernetes-{{ organization }}-admin-auth" - kubernetes: "{{ organizationItem.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Generate auth job - - name: 'Generate auth job' - include_role: - name: setup/auth_job - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Get Vault AC Token via Service Account - - name: Get Vault AC Token via Service Account - include_role: - name: check/k8_component - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ 
organization }}-bevel-ac-vault-auth" - component_type: "GetServiceAccount" - vault: "{{ organizationItem.vault }}" - kubernetes: "{{ organizationItem.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - # Generate indy crypto and insert into Vault - - name: 'Generate indy crypto and insert into Vault' + # Get each node keys for the Genesis setup + - name: "Get keys for the Genesis setup" include_role: - name: setup/crypto + name: setup/genesis-node-keys vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - vault_ac_token: "{{ ac_vault_tokens[organization] }}" + component_ns: "{{ org.name | lower }}-ns" + kubernetes: "{{ org.k8s }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Create and deploy domain genesis - - name: 'Create domain genesis' - include_role: - name: setup/domain_genesis - - # Create and deploy pool genesis - - name: 'Create pool genesis' - include_role: - name: setup/pool_genesis + loop_var: org - # Add new Trustees via existing Trustee - - name: "Add New Trustees via existing Trustee" + # Install Genesis + - name: "Install Genesis" include_role: - name: setup/trustees - vars: - new_org_query: "organizations[?org_status=='new']" - neworg: "{{ network | json_query(new_org_query) | first }}" - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" - loop: "{{ network['organizations'] }}" - 
loop_control: - loop_var: organizationItem - when: - - (add_new_org|bool and add_new_org_network_trustee_present|bool) - - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing') + name: setup/genesis - # Add new Stewards via existing Trustee - - name: "Add New Stewards via existing Trustee" + # Install Steward nodes + - name: Install Steward nodes include_role: name: setup/stewards vars: - new_org_query: "organizations[?org_status=='new']" - neworg: "{{ network | json_query(new_org_query) | first }}" - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" + org_name: "{{ org.name | lower }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + kubernetes: "{{ org.k8s }}" + component_ns: "{{ org_name }}-ns" + component_type: "stewards" + values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: - - (add_new_org|bool and add_new_org_network_trustee_present|bool) - - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing') + loop_var: org - # Deploy all other nodes - - name: 'Deploy nodes' + # Install Endorser node + - name: "Install Endorser node" include_role: - name: setup/node + name: setup/endorser vars: - organization: "{{ organizationItem.name | lower }}" - sc_name: "{{ organization }}-bevel-storageclass" - component_ns: "{{ organizationItem.name | lower }}-ns" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - genesis: "{{ network.genesis }}" + org_name: "{{ org.name | lower }}" + endorser: "{{ 
org.services.endorser.name | lower }}" + trustee: "{{ org.services.trustee.name | lower }}" + kubernetes: "{{ org.k8s }}" + component_name: "{{ endorser }}" + component_ns: "{{ org_name }}-ns" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org when: - - (organizationItem.type == 'peer') - - (organizationItem.org_status is not defined or organizationItem.org_status == 'new') - - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool)) + - (org.services.endorser is defined) and (org.services.endorser.name | length > 0) - # Create and deploy Endorser Identities - - name: 'Create Endorser Identities' - include_role: - name: setup/endorsers - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: - - (organizationItem.type == 'peer') - - (organizationItem.org_status is not defined or organizationItem.org_status == 'new') - - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool)) - # These variables can be overriden from the command line vars: install_os: "linux" # Default to linux OS diff --git a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml index 3f90de962ae..10131d9f5b6 100644 --- a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml +++ b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml 
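Review bot: The new "Generate keys", "Get keys for the Genesis setup" and "Install Steward nodes" tasks carry no `when:` at all, whereas every task they replace was guarded by `when: org.org_status is not defined or org.org_status == 'new'`, so each organization in network.yaml is now processed on every run of the playbook. Unless setup/generate-keys is idempotent (its role is not in this view), a re-run against a live network would re-template key generation for nodes that already have keys; either restore the guard on those three tasks or say in the play's header comment that this playbook is intended for fresh deployments only. Separately, the endorser task points `values_dir` at `{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build` while the key and steward tasks use the release_dir root, which deserves an inline comment if intentional. The play's `vars:` section continues past the end of this hunk.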
@@ -4,40 +4,23 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# Reset counters -- name: Reset counters +# Counting the number of steward nodes +- name: "Count steward nodes" set_fact: - trustee_count=0 - steward_count=0 - endorser_count=0 + total_stewards: "{{ total_stewards | int + 1 }}" + loop: "{{ org.services.stewards }}" + loop_control: + loop_var: stewards + when: (stewards is defined) and (stewards | length > 0) -# Counting Genesis Stewards -- name: "Counting Genesis Stewards" +# Counting the number of trustee nodes +- name: "Count trustee nodes" set_fact: - steward_count={{ steward_count|default(0)|int + 1 }} - total_stewards={{ total_stewards|default(0)|int + 1 }} - loop: "{{ stewards }}" + total_trustee: "{{ total_trustee | int + 1 }}" + when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0) -# Counting trustees per Org -- name: "Counting trustees per Org" +# Counting the number of endorser nodes +- name: "Count endorser nodes" set_fact: - trustee_count={{ trustee_count|default(0)|int + 1 }} - total_trustees={{ total_trustees|default(0)|int + 1 }} - loop: "{{ trustees }}" - -# Print error and end playbook if trustee count limit fails -- name: Print error and end playbook if trustee count limit fails - debug: msg="The trustee count is {{ trustee_count }}. There should be max 1 trustee per organization." - failed_when: trustee_count|int > 1 - -# Counting Endorsers -- name: "Counting Endorsers" - set_fact: - endorser_count={{ endorser_count|default(0)|int + 1 }} - loop: "{{ endorsers }}" - -# Print error abd end playbook if endorser count limit fails -- name: Print error abd end playbook if endorser count limit fails - debug: msg="The endorser count is {{ endorser_count }}. There should be max 1 endorser per organization." 
- failed_when: endorser_count|int > 1 - when: endorser_count is defined + total_endorser: "{{ total_endorser | int + 1 }}" + when: (org.services.endorser is defined) and (org.services.endorser.name | length > 0) diff --git a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml index aa4835adeaa..da3abda8212 100644 --- a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml +++ b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml 
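Review bot: In the "Count steward nodes" task the `loop: "{{ org.services.stewards }}"` is evaluated before the `when`, so an organization whose services have no `stewards` key aborts the play with an undefined-variable error instead of being skipped, and the `when` itself tests the loop item rather than the list (`stewards | length > 0` is the number of keys in one steward mapping). Use `loop: "{{ org.services.stewards | default([]) }}"` and drop the `when`, or guard on `org.services.stewards` directly. Naming the loop variable `steward` rather than `stewards` would also make clear that it is a single entry.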
@@ -6,36 +6,43 @@ ############################################################################################## # This role checks for validation of network.yaml -# Conditions to be checked -# At least 4 genesis stewards -# Max 1 trustee per org -# Max 1 endorser per org -# At least one trustee per network.yaml +# Conditions to be checked: +# - Exactly 1 trustee is required per organization. +# - Up to 1 endorser is allowed per organization. +# - At least 4 stewards are required collectively across the entire Indy network. ############################################################################################## # Set variables - name: Set counters set_fact: total_stewards=0 - total_trustees=0 + total_trustee=0 + total_endorser=0 + organization_count="{{ network['organizations'] | length }}" -# Check Validation -- name: "Check Validation" +# Loop through each organization to count nodes +- name: Count nodes include_tasks: check_count.yaml vars: - trustees: "{{ organizationItem.services.trustees|default([]) }}" - endorsers: "{{ organizationItem.services.endorsers|default([]) }}" - stewards: "{{ organizationItem.services.stewards|default([]) }}" + peers: "{{ item.services.peers }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org -# Print error and end playbook if genesis steward count limit fails -- name: Print error and end playbook if genesis steward count limit fails - debug: msg="The total genesis steward count is {{ total_stewards }}. There should be at least 4 genesis stewards (in case of a fully Hyperledger Bevel-managed cluster)." - failed_when: not add_new_org and total_stewards|int < 4 +# Stop execution if total trustee is not equal to 1 +- name: "Stop execution if total trustee is not equal to 1" + fail: + msg: "Exactly 1 trustee is required per indy network." 
+ when: (total_trustee | int) != (organization_count | int) -# Print error and end playbook if total trustee count limit fails -- name: Print error and end playbook if total trustee count limit fails - debug: msg="The total trustee count is {{ total_trustees }}. There should be at least 1 trustee per network (in case of a fully Hyperledger Bevel-managed cluster)." - failed_when: not add_new_org and total_trustees|int < 1 +# Stop execution if total endorser is not equal to 1 +- name: "Stop execution if total endorser is not equal to 1" + fail: + msg: "Up to 1 endorser is allowed per organization." + when: (total_endorser | int) > (organization_count | int) + +# Stop execution if total stewards are less than 4 +- name: Stop execution if total stewards are less than 4 + fail: + msg: "At least 4 stewards are required collectively across the entire Indy network." + when: (total_stewards | int) < 4 diff --git a/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml new file mode 100644 index 00000000000..113569f1da5 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml 
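Review bot: The trustee failure message contradicts its condition: `when: (total_trustee | int) != (organization_count | int)` enforces one trustee per organization, but the message reads `Exactly 1 trustee is required per indy network.` and the task name says "not equal to 1"; suggest `msg: "Exactly 1 trustee is required per organization."` and a matching task name. The endorser check `when: (total_endorser | int) > (organization_count | int)` can never be true, because check_count.yaml adds at most 1 to `total_endorser` per organization, so the "up to 1 endorser per organization" rule is not actually validated in this role (it may be covered by the schema instead, which I cannot see here). The `peers: "{{ item.services.peers }}"` var references `item` although the loop variable is `org`, and check_count.yaml does not use `peers`, so that line should go.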
@@ -0,0 +1,33 @@
+# Find and delete .json files in platforms/hyperledger-indy/charts/indy-genesis/files directory
+- name: "Find .json files in indy-genesis files directory"
+ find:
+ paths: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ patterns: "*.json"
+ register: genesis_files_to_delete
+
+# Delete .json files in indy-genesis files directory
+- name: "Delete .json files in indy-genesis files directory"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ genesis_files_to_delete.files }}"
+
+# Find and delete .json files in platforms/hyperledger-indy/charts/indy-register-identity/files directory
+- name: "Find .json files in indy-register-identity files directory"
+ find:
+ paths: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+ patterns: "*.json"
+ register: register_files_to_delete
+
+# Delete .json files in indy-register-identity files directory
+- name: "Delete .json files in indy-register-identity files directory"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ register_files_to_delete.files }}"
+
+# Delete the build directory in platforms/hyperledger-indy/configuration
+- name: "Remove build directory from configuration"
+ file:
+ path: "{{ playbook_dir }}/../../hyperledger-indy/configuration/build"
+ state: absent
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml
new file mode 100644
index 00000000000..7d1f0436b98
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml
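Review bot: The header comments say which directories are swept but not what the JSON files are; the commit description says node keys are fetched into JSON files for genesis and identity registration, so if that is what lands in these chart `files` directories the role is removing key material and a reader of the reset flow should know that. Suggest opening the file with `# Remove the node key JSON files fetched from the cluster into the indy-genesis and indy-register-identity chart directories; they hold key material and must not outlive the network`. As a point of style, `{{ playbook_dir }}/../../hyperledger-indy/charts/...` resolves to the same place as `{{ playbook_dir }}/../charts/...`, and the shorter form does not hard-code the platform directory name.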
@@ -0,0 +1,19 @@
+# Delete keys from HashiCorp Vault
+- name: "Delete keys for {{ node_name }} in {{ org_name }} organization from Vault"
+ shell: |
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/private/private_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/private/sig_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/public/public_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/public/verif_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/identity/private
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/identity/public
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/bls_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/private_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/sig_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/bls_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/public_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/verif_keys
+ environment:
+ VAULT_ADDR: "{{ vault.url }}"
+ VAULT_TOKEN: "{{ vault.root_token }}"
+ ignore_errors: true
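Review bot: `vault kv delete` on a KV v2 mount (the default mount name here is `secretsv2`) is a soft delete of the latest version only; the node signing, BLS and identity keys remain stored in Vault and can be brought back with `vault kv undelete` until `vault kv metadata delete` is run on the path, so a reset that relies on this task does not actually destroy the key material. Since the purpose of the task is to remove those keys, the twelve commands should use `vault kv metadata delete`, and the repetition of the mount prefix on every line is better expressed as one command in a `loop` over the twelve sub-paths. `ignore_errors: true` also swallows authentication and connectivity failures, so the cleanup reports success while the keys stay behind; as far as I know neither `kv delete` nor `kv metadata delete` fails on a path that does not exist, so the blanket ignore is not needed for the missing-secret case and can be dropped.

```yaml
- name: "Delete keys for {{ node_name }} in {{ org_name }} organization from Vault"
  shell: |
    vault kv metadata delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/{{ key_path }}
  loop:
    - client/private/private_keys
    - client/private/sig_keys
    - client/public/public_keys
    - client/public/verif_keys
    - identity/private
    - identity/public
    - node/private/bls_keys
    - node/private/private_keys
    - node/private/sig_keys
    - node/public/bls_keys
    - node/public/public_keys
    - node/public/verif_keys
  loop_control:
    loop_var: key_path
  # … unchanged: environment (VAULT_ADDR / VAULT_TOKEN) …
```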
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml
new file mode 100644
index 00000000000..95fb4f0ebc6
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml
@@ -0,0 +1,29 @@
+# Remove Policies of trustees
+- name: Remove Policies of trustees
+ environment:
+ vault_token: "{{ vault.root_token }}"
+ shell: |
+ validateVaultResponse () {
+ if [ ${1} != 204 ]; then
+ echo "ERROR: Unable to retrieve. Http status: ${1}"
+ exit 1
+ fi
+ }
+ response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/bevel-vault-mgmt-{{ org_name }}-keys-{{ org_ns }}-policy)
+ validateVaultResponse ${response_status}
+ ignore_errors: true
+
+# Remove Kubernetes Authentication Methods of organizations
+- name: Remove Kubernetes Authentication Methods of {{ org_name }}
+ environment:
+ vault_token: "{{ vault.root_token }}"
+ shell: |
+ validateVaultResponse () {
+ if [ ${1} != 204 ]; then
+ echo "ERROR: Unable to retrieve. Http status: ${1}"
+ exit 1
+ fi
+ }
+ response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ org_name }})
+ validateVaultResponse ${response_status}
+ ignore_errors: true
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
index 2eae964156e..38f2d696771 100644
--- a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
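Review bot: The second task deletes the auth method at `{{ vault.url }}/v1/sys/auth/{{ org_name }}`, but the cleanup playbook in this same commit stops passing the `auth_path: "kubernetes-{{ organization }}"` variable this role used to receive, so if the Kubernetes auth method is still mounted under a `kubernetes-<org>` style path the request returns 404 and `ignore_errors: true` hides it, leaving the auth backend (and any bound roles) in Vault after a reset. Please confirm the mount path against the create/secrets role that sets it up (not in this view) and, if it differs, change the target to e.g. `--request DELETE {{ vault.url }}/v1/sys/auth/kubernetes-{{ org_name }}` or pass the path in from the playbook. The helper's message `ERROR: Unable to retrieve. Http status: ${1}` is copied from a GET and is misleading here; `echo "ERROR: Unable to delete. Http status: ${1}"` says what actually failed. The first task's name says "trustees" while the policy it removes is the org-wide `bevel-vault-mgmt-{{ org_name }}-keys-{{ org_ns }}-policy`, so `- name: Remove key-management policy of {{ org_name }}` would be more accurate.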
@@ -9,166 +9,34 @@ ############################################################################################## --- -# Remove Indy Crypto -- name: Remove Indy Crypto of {{ organization }} - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 200 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - # Check if vault URL is valid - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" {{ vault.url }}/ui/) - validateVaultResponse ${response_status} - - curl --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/mounts/{{ organization }} - -# Remove Policies of trustees -- name: Remove Policies of trustees - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.trustees }}" - loop_control: - loop_var: serviceItem - when: services.trustees is defined - -# Remove Policies of stewards -- name: Remove Policies of stewards - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.stewards }}" - loop_control: - loop_var: serviceItem - when: services.stewards is defined - -# Remove Policies of endorsers -- name: Remove Policies of endorsers - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.endorsers }}" - loop_control: - loop_var: serviceItem - when: services.endorsers is defined - -# Remove Policies of organization -- name: Remove Policies of {{ organization }} - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-bevel-ac-ro) - validateVaultResponse ${response_status} - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-admin-rw) - validateVaultResponse ${response_status} - -# Remove Kubernetes Authentication Methods of organizations -- name: Remove Kubernetes Authentication Methods of {{ organization }} +# Delete keys associated with trustee nodes +- name: Delete trustee keys + include_tasks: delete_node_keys.yaml vars: - auth_path: "kubernetes-{{ organization }}" - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ auth_path }}-admin-auth) - validateVaultResponse ${response_status} - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ auth_path }}-bevel-ac-auth) - validateVaultResponse ${response_status} - when: vault.root_token is defined + node_name: "{{ org.services.trustee.name | lower }}" + node_type: "trustees" + when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0) -# Remove Kubernetes Authentication Methods of trustees -- name: Remove Kubernetes Authentication Methods of {{ organization }} of trustees - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.trustees }}" - loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.trustees is defined +# Delete keys associated with endorser nodes +- name: Delete endorser keys + include_tasks: delete_node_keys.yaml + vars: + node_name: "{{ org.services.endorser.name | lower }}" + node_type: "endorsers" + when: (org.services.endorser is defined) and (org.services.endorser.name | length > 0) -# Remove Kubernetes Authentication Methods of stewards -- name: Remove Kubernetes Authentication Methods of {{ organization }} of stewards - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.stewards }}" +# Delete keys associated with steward nodes +- name: Delete steward keys + include_tasks: delete_node_keys.yaml + vars: + node_name: "{{ stewards.name | lower }}" + node_type: "stewards" + loop: "{{ org.services.stewards }}" loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.stewards is defined + loop_var: stewards + when: (stewards is defined) and (stewards | length > 0) -# Remove Kubernetes Authentication Methods of endorsers -- name: Remove Kubernetes Authentication Methods of {{ organization }} of endorsers - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.endorsers }}" - loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.endorsers is defined +# Delete Organization policy and auth engine +- name: "Delete Organization {{ org_name }} policy and auth engine" + include_tasks: delete_policy_auth.yaml + when: vault.root_token is defined diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml new file mode 100644 index 00000000000..e48cdedcb61 --- /dev/null 
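Review bot: In the new steward task, `loop: "{{ org.services.stewards }}"` is expanded before the per-item `when`, so an organization without a `stewards` key fails the play instead of being skipped; write `loop: "{{ org.services.stewards | default([]) }}"`, after which the `stewards is defined` clause is redundant. The same loop/guard pattern appears in roles/setup/genesis-node-keys/tasks/main.yaml in this commit. The first three tasks also hand `vault.root_token` to delete_node_keys.yaml, yet only the last task is guarded by `when: vault.root_token is defined`; the guard belongs on all four. The file's licence header sits above the hunk.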
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml
@@ -0,0 +1,24 @@
+# Ensure teh required dir exists
+- name: "Ensure {{ values_dir }}/{{ org_name }} dir exists"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory"
+  vars:
+    path: "{{ values_dir }}/{{ org_name }}"
+
+# Generate Indy vault policy and role for stewards
+- name: Stewards vault policy and role generating
+  template:
+    src: "{{ dlt_templates[component_type] }}"
+    dest: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml"
+
+############################################################################################
+# Test the value file for syntax errors/ missing values
+# This is done by calling the helm_lint role and passing the value file parameter
+# When a new helm_component is added, changes should be made in helm_lint role as well
+- name: Helm lint
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/helm_lint"
+  vars:
+    helmtemplate_type: "{{ component_type }}"
+    chart_path: "{{ charts_dir }}"
+    value_file: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml"
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl
new file mode 100644
index 00000000000..f0886271502
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl
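Review bot: The task name `Stewards vault policy and role generating` and the comment above it describe a Vault policy, but the task renders the HelmRelease values file selected by `dlt_templates[component_type]` (generate-keys, generate-genesis or stewards), which misleads anyone searching for where policies are created. Rename it `- name: "Render {{ component_type }} HelmRelease values for {{ org_name }}"` with the comment `# Render the HelmRelease values file chosen by component_type from dlt_templates`. The first comment also has a typo, `teh`.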
@@ -0,0 +1,53 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: "{{ component_name }}"
+  annotations:
+    fluxcd.io/automated: "false"
+  namespace: "{{ component_ns }}"
+spec:
+  releaseName: "{{ component_name }}"
+  interval: 1m
+  chart:
+    spec:
+      interval: 1m
+      chart: "{{ charts_dir }}/indy-genesis"
+      sourceRef:
+        kind: GitRepository
+        name: flux-{{ network.env.type }}
+        namespace: flux-{{ network.env.type }}
+  values:
+    global:
+      serviceAccountName: vault-auth
+      cluster:
+        provider: "{{ cloud_provider }}"
+        cloudNativeServices: false
+        kubernetesUrl: "{{ kubernetes_server }}"
+      vault:
+        type: hashicorp
+        role: vault-role
+        network: indy
+        address: "{{ vault.url }}"
+        authPath: "{{ org_name }}"
+        secretEngine: secretsv2
+        secretPrefix: "data/{{ org_name }}"
+      proxy:
+        provider: ambassador
+    image:
+      alpineutils: "{{ network.docker.url }}/bevel-alpine-ext:latest"
+    settings:
+      removeKeysOnDelete: true
+      secondaryGenesis: {{ secondaryGenesis }}
+{% if (not secondaryGenesis) and (trustee_name is defined) %}
+      trustees:
+      - name: "{{ trustee_name }}"
+{% if steward_list is defined %}
+      stewards:
+{% for steward in steward_list %}
+      - name: {{ steward.name }}
+        publicIp: {{ steward.publicIp }}
+        nodePort: {{ steward.nodePort }}
+        clientPort: {{ steward.clientPort }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl
new file mode 100644
index 00000000000..7d64eaf4b67
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl
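Review bot: `secretEngine: secretsv2` is hard-coded here while the cleanup task in delete_node_keys.yaml resolves the mount from `vault.secret_path | default('secretsv2')`; if a network file sets `vault.secret_path`, deployment and reset address different mounts and the reset leaves node keys in place. Use `secretEngine: "{{ vault.secret_path | default('secretsv2') }}"` here and in generate_keys.tpl. `secondaryGenesis: {{ secondaryGenesis }}` renders a Jinja boolean as `True`/`False`, which relies on the consumer's YAML 1.1 handling; `secondaryGenesis: {{ secondaryGenesis | bool | lower }}` yields canonical `true`/`false`. `- name: {{ steward.name }}` and the steward `publicIp` values are unquoted too; quote them so an empty or boolean-looking value cannot change type.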
@@ -0,0 +1,52 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: "{{ component_name }}"
+  annotations:
+    fluxcd.io/automated: "false"
+  namespace: "{{ component_ns }}"
+spec:
+  releaseName: "{{ component_name }}"
+  interval: 1m
+  chart:
+    spec:
+      interval: 1m
+      chart: "{{ charts_dir }}/indy-key-mgmt"
+      sourceRef:
+        kind: GitRepository
+        name: flux-{{ network.env.type }}
+        namespace: flux-{{ network.env.type }}
+  values:
+    global:
+      serviceAccountName: vault-auth
+      cluster:
+        provider: "{{ cloud_provider }}"
+        cloudNativeServices: false
+        kubernetesUrl: "{{ kubernetes_server }}"
+      vault:
+        type: hashicorp
+        role: vault-role
+        network: indy
+        address: "{{ vault.url }}"
+        authPath: "{{ org_name }}"
+        secretEngine: secretsv2
+        secretPrefix: "data/{{ org_name }}"
+      proxy:
+        provider: ambassador
+    image:
+      alpineutils: "{{ network.docker.url }}/bevel-indy-key-mgmt:1.12.6"
+    settings:
+      removeKeysOnDelete: true
+      identities:
+{% if trustee_name %}
+        trustee: "{{ trustee_name }}"
+{% endif %}
+{% if endorser_name %}
+        endorser: "{{ endorser_name }}"
+{% endif %}
+{% if steward_list %}
+        stewards:
+{% for steward in steward_list %}
+        - "{{ steward }}"
+{% endfor %}
+{% endif %}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl
new file mode 100644
index 00000000000..e3ac494f6f7
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl
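Review bot: The image that generates the node key material is pinned only by a mutable tag, `bevel-indy-key-mgmt:1.12.6`, and the utility images in generate_genesis.tpl and stewards.tpl use `:latest`, so a re-pushed tag silently changes what runs inside a job that holds a Vault token. Pin by digest, e.g. `alpineutils: "{{ network.docker.url }}/bevel-indy-key-mgmt@sha256:<digest placeholder>"`, or at least expose the tag as a network-file value so an operator can pin it. The values key `alpineutils` now carries the key-management image rather than an alpine utility image; if that is the chart's value name, a comment such as `# the indy-key-mgmt chart reads its job image from image.alpineutils` would save the next reader a trip into the chart.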
@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: "{{ component_name }}"
+  annotations:
+    fluxcd.io/automated: "false"
+  namespace: "{{ component_ns }}"
+spec:
+  releaseName: "{{ component_name }}"
+  interval: 1m
+  chart:
+    spec:
+      interval: 1m
+      chart: "{{ charts_dir }}/indy-node"
+      sourceRef:
+        kind: GitRepository
+        name: flux-{{ network.env.type }}
+        namespace: flux-{{ network.env.type }}
+  values:
+    global:
+      serviceAccountName: vault-auth
+      cluster:
+        provider: "{{ cloud_provider }}"
+        cloudNativeServices: false
+      proxy:
+        provider: ambassador
+    storage:
+      keys: "512Mi"
+      data: "4Gi"
+      reclaimPolicy: "Delete"
+      volumeBindingMode: Immediate
+      allowedTopologies:
+        enabled: false
+    image:
+      initContainer: "{{ network.docker.url }}/bevel-alpine-ext:latest"
+      cli: "{{ network.docker.url }}/bevel-indy-ledger-txn:latest"
+      indyNode:
+        repository: "{{ network.docker.url }}/bevel-indy-node"
+        tag: 1.12.6
+    settings:
+      network: bevel
+      serviceType: ClusterIP
+      node:
+        publicIp: {{ node_public_ip }}
+        port: {{ node_port }}
+        externalPort: {{ node_external_port }}
+      client:
+        publicIp: {{ client_public_ip }}
+        port: {{ client_port }}
+        externalPort: {{ client_external_port }}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml
new file mode 100644
index 00000000000..80c755ef91e
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml
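Review bot: The six node/client values from `publicIp: {{ node_public_ip }}` to `externalPort: {{ client_external_port }}` are unquoted, so an empty variable renders as an empty scalar that YAML reads as `null` and the chart receives no address instead of a visible template error. Quote the IP values, `publicIp: "{{ node_public_ip }}"`, and leave the ports bare only if the playbook guarantees they are integers. `tag: 1.12.6` is not a valid float and is safe as written.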
@@ -0,0 +1,10 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+dlt_templates:
+  generate-keys: generate_keys.tpl
+  generate-genesis: generate_genesis.tpl
+  stewards: stewards.tpl
diff --git a/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
index 001241ccc72..19ecefdf744 100644
--- a/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
+++ b/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
@@ -35,5 +35,5 @@
     name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push"
   vars:
     GIT_DIR: "{{ playbook_dir }}/../../../"
-    gitops: "{{ organizationItem.gitops }}"
+    gitops: "{{ org.gitops }}"
     msg: "[ci skip] Pushing deployment files for namespace"
diff --git a/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml
new file mode 100644
index 00000000000..cc31dd73c32
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml
@@ -0,0 +1,32 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Wait for namespace to be created by flux
+- name: "Wait for the namespace {{ component_ns }} to be created"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component"
+  vars:
+    component_type: "Namespace"
+    component_name: "{{ component_ns }}"
+    type: "retry"
+
+# Create the vault roottoken secret
+- name: "Create vault token secret"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets"
+  vars:
+    namespace: "{{ component_ns }}"
+    check: "token_secret"
+
+# Create the docker pull credentials for image registry
+- name: "Create docker credentials secret"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets"
+  vars:
+    namespace: "{{ component_ns }}"
+    check: "docker_credentials"
+  when:
+    - network.docker.username is defined
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml
new file mode 100644
index 00000000000..f93e9a74075
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml
@@ -0,0 +1,41 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get endorser public identity secret
+- name: "Get endorser public identity secret"
+  k8s_info:
+    kind: Secret
+    name: "{{ endorser }}-identity-public"
+    namespace: "{{ component_ns }}"
+    kubeconfig: "{{ kubernetes.config_file }}"
+  register: endorser_identity_public
+
+# Extract and save the endorser's DID to a JSON file
+- name: "Extract and save endorser DID to a JSON file"
+  copy:
+    content: "{{ endorser_identity_public.resources[0].data.value | b64decode | from_json | json_query('did') }}"
+    dest: "{{ files_dir }}/{{ endorser }}-did.json"
+  vars:
+    files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+  when: endorser_identity_public is defined and endorser_identity_public.resources[0].data.value is defined
+
+# Get endorser node public verification keys secret
+- name: "Get endorser node public verification keys secret"
+  k8s_info:
+    kind: Secret
+    name: "{{ endorser }}-node-public-verif-keys"
+    namespace: "{{ component_ns }}"
+    kubeconfig: "{{ kubernetes.config_file }}"
+  register: endorser_node_public_verif_keys
+
+# Extract and save the endorser's verification key to a JSON file
+- name: "Extract and save the endorser's verification key to a JSON file"
+  copy:
+    content: "{{ endorser_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}"
+    dest: "{{ files_dir }}/{{ endorser }}-verkey.json"
+  vars:
+    files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+  when: endorser_node_public_verif_keys is defined and endorser_node_public_verif_keys.resources[0].data.value is defined
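Review bot: Both `copy` tasks are silently skipped when the secret is not found, so an older `{{ endorser }}-did.json` or `-verkey.json` left in `charts/indy-register-identity/files` from a previous run is consumed with no signal that it is stale; steward_keys.yaml in this commit has the same shape, and there the extracted files feed the genesis block. Fail explicitly when the secret is missing, e.g. `- fail: msg="No identity secret for {{ endorser }} in {{ component_ns }}"` guarded by `when: endorser_identity_public.resources | length == 0`, or clear the files directory before extraction. `json_query` needs the `jmespath` Python package on the controller, which is worth stating in the role's requirements.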
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml
new file mode 100644
index 00000000000..fc0d4e0d4ab
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml
@@ -0,0 +1,24 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get Endorser keys
+- name: "Get Endorser keys"
+  include_tasks: endorser_keys.yaml
+
+# Deploy endorser node
+- name: "Deploy endorser node"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component"
+  vars:
+    type: "indy_endorser"
+
+# Check if endorser job is completed
+- name: "Check if endorser job is completed"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+  vars:
+    component_type: Job
+    namespace: "{{ component_ns }}"
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml
deleted file mode 100644
index ab771d7c78f..00000000000
--- a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml
+++ /dev/null
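Review bot: The job check passes `component_type: Job` and `namespace` but no `component_name`, so which Job is awaited depends on whatever `component_name` the calling play happens to set; a comment above the task, `# component_name is inherited from the caller and must equal the endorser job's release name`, would make that contract visible. It is presumably set by the deploy-network play, but that is outside this hunk.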
@@ -1,49 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -################################################################################################### -# This role creates the deployment files for endorsers and pushes them to repository -################################################################################################### - -# Wait for namespace creation for identities - - name: "Wait for namespace creation for identities" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Create image pull secrets - - name: "Create image pull secret for identities" - include_role: - name: create/imagepullsecret - -# Create Deployment files for new Identities - - name: "Create Deployment files" - include_tasks: nested_main.yaml - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - newIdentity: "{{ organizationItem.services.endorsers }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - org_vault_url: "{{ organizationItem.vault.url}}" - when: organizationItem is defined and organizationItem.services.endorsers is defined - -# Wait until identities are creating - - name: "Wait until identities are creating" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ organizationItem.name }}-{{ endorserItem.name }}-transaction" - loop: "{{ 
organizationItem.services.endorsers }}" - when: organizationItem is defined and organizationItem.services.endorsers is defined - loop_control: - loop_var: endorserItem diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml deleted file mode 100644 index fbc71bacc26..00000000000 --- a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This Selects the Admin Identity for an organization from Network yaml. -# If trustee is present the first trustee will be the admin -# If Steward is present the first steward will be the admin -# If both trustee and steward are not present in a particular organization, -# the first global admin will be the trustee for this organization. ---- -- name: Select Admin Identity for Organisation {{ component_name }} - shell: | - selectedAdmin="" - first_global_admin="" - admin_Org="" - global_Org="" - admin_url="" - global_url="" - global_type="" - admin_type="" - {% if network['organizations'] is defined %} - {% for organization in network['organizations'] %} - first_admin_in_org="" - {% if organization.services.trustees is defined %} - {% for trustee in organization.services.trustees %} - if [ -z "$first_admin_in_org" ] - then - if [ {{ organization.name }} == "{{ component_name }}" ] - then - first_admin_in_org="{{ trustee.name }}" - admin_Org="{{ organization.name }}" - admin_url="{{ organization.vault.url }}" - admin_type="trustees" - fi - fi - if [ -z "$first_global_admin" ] - then - first_global_admin="{{ trustee.name }}" - global_Org="{{ organization.name }}" - global_url="{{ organization.vault.url }}" - global_type="trustees" - fi - {% endfor %} - {% endif %} - {% if organization.services.stewards is defined %} - {% for steward in organization.services.stewards %} - if [ -z "$first_admin_in_org" ] - then - if [ {{ organization.name }} == "{{ component_name }}" ] - then - first_admin_in_org="{{ steward.name }}" - admin_Org="{{ organization.name }}" - admin_url="{{ organization.vault.url }}" - admin_type="stewards" - fi - fi - if [ -z "$first_global_admin" ] - then - 
first_global_admin="{{ steward.name }}" - global_Org="{{ organization.name }}" - global_url="{{ organization.vault.url }}" - global_type="stewards" - fi - {% endfor %} - {% endif %} - {% endfor %} - {% endif %} - - if [ ! -z "$first_admin_in_org" ] - then - selectedAdmin="${first_admin_in_org}" - adminUrl="${admin_url}" - adminOrg="${admin_Org}" - admin_type="${admin_type}" - else - selectedAdmin="${first_global_admin}" - adminUrl="${global_url}" - adminOrg="${global_Org}" - admin_type="${global_type}" - fi - rm -rf admin.yaml - echo "selectedAdmin: ${selectedAdmin}" >> admin.yaml - echo "adminUrl: ${adminUrl}" >> admin.yaml - echo "adminOrg: ${adminOrg}" >> admin.yaml - echo "type: ${admin_type}" >> admin.yaml - register: admin_file - -#---------------------------------------------------------------------------------------------- -- name: "Inserting file into Variable" - include_vars: - file: admin.yaml - name: admin_var - -#---------------------------------------------------------------------------------------------- -# Create Deployment files for new Identities -- name: "Calling Helm Release Development Role..." 
- include_role: - name: create/helm_component/ledger_txn - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - newIdentityName: "{{ newIdentityItem.name }}" - newIdentityRole: "ENDORSER" - adminIdentityName: "{{ admin_var.selectedAdmin }}" - admin_component_name: "{{ admin_var.adminOrg }}" - admin_org_vault_url: "{{ admin_var.adminUrl }}" - new_org_vault_url: "{{ organizationItem.vault.url}}" - new_component_name: "{{ component_name }}" - admin_type: "{{ admin_var.type }}" - identity_type: "endorsers" - loop: "{{ newIdentity }}" - loop_control: - loop_var: newIdentityItem - when: newIdentity is defined - -- name: "Delete file" - shell: | - rm admin.yaml -# --------------------------------------------------------------------- -# push the created deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing deployment files" diff --git a/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml new file mode 100644 index 00000000000..e5c9dc3a183 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml 
@@ -0,0 +1,56 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Initialize variables for trustee, endorser, and stewards
+- name: "Initialize trustee, endorser and stewards variables"
+  set_fact:
+    trustee_name: "{{ org.services.trustee.name | default('') }}"
+    endorser_name: "{{ org.services.endorser.name | default('') }}"
+    steward_list: []
+
+# Add stewards to the steward list
+- name: "Add stewards to the steward list"
+  set_fact:
+    steward_list: "{{ steward_list + [stewards_item.name] }}"
+  loop: "{{ stewards }}"
+  loop_control:
+    loop_var: stewards_item
+  ignore_errors: true
+
+# Gather Kubernetes cluster information
+- name: Gather Kubernetes cluster information
+  community.kubernetes.k8s_cluster_info:
+    kubeconfig: "{{ kubernetes.config_file }}"
+  register: cluster_info
+
+# Set the Kubernetes server URL fact
+- name: Set kubernetes_server_url fact
+  set_fact:
+    kubernetes_server_url: "{{ cluster_info.connection.host }}"
+
+# Generate the HR file for the specified organization
+- name: "Generate HR file for {{ org_name }} organization"
+  include_role:
+    name: create/helm_component/peer
+  vars:
+    kubernetes_server: "{{ kubernetes_server_url }}"
+
+# Push the created deployment files to repository
+- name: "Push the created deployment files to repository"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push"
+  vars:
+    GIT_DIR: "{{ playbook_dir }}/../../../"
+    msg: "[ci skip] Pushing key management job files for {{ component_ns }}"
+    gitops: "{{ org.gitops }}"
+
+# Check if the job is completed
+- name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization"
+  include_role:
+    name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+  vars:
+    component_type: Job
+    namespace: "{{ component_ns }}"
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml
new file mode 100644
index 00000000000..b8030a3f871
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml
@@ -0,0 +1,22 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Retrieve Trustee's keys if Trustee service is defined
+- name: "Retrieve Trustee's keys"
+  include_tasks: trustee_keys.yaml
+  when:
+    - org.services.trustee is defined
+    - org.services.trustee.name | length > 0
+
+# Retrieve Steward's keys for each steward in the list of stewards if stewards are defined
+- name: "Retrieve Steward's keys"
+  include_tasks: steward_keys.yaml
+  loop: "{{ org.services.stewards }}"
+  loop_control:
+    loop_var: steward
+  when:
+    - steward is defined
+    - steward | length > 0
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml
new file mode 100644
index 00000000000..a68683bb5d2
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml
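Review bot: In generate-keys/tasks/main.yaml the steward-list task uses `loop: "{{ stewards }}"` together with `ignore_errors: true`, so when `stewards` is undefined the whole task errors and is waved through, and any other failure in that task is hidden the same way. Write `loop: "{{ stewards | default([]) }}"` and drop `ignore_errors: true`. The cluster lookup uses the `community.kubernetes.k8s_cluster_info` FQCN while the rest of the change calls bare `k8s_info`; that collection was superseded by `kubernetes.core`, so one consistent, current namespace is preferable.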
@@ -0,0 +1,68 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Get steward public identity secret +- name: "Get steward public identity secret" + k8s_info: + kind: Secret + name: "{{ steward.name }}-identity-public" + namespace: "{{ component_ns }}" + kubeconfig: "{{ kubernetes.config_file }}" + register: steward_identity_public + +# Extract and save steward DID to a JSON file +- name: "Extract and save steward DID to a JSON file" + copy: + content: "{{ steward_identity_public.resources[0].data.value | b64decode | from_json | json_query('did') }}" + dest: "{{ files_dir }}/{{ steward.name }}-did.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: steward_identity_public is defined and steward_identity_public.resources[0].data.value is defined + +# Get steward node public verif keys +- name: "Get steward node public verif keys" + k8s_info: + kind: Secret + name: "{{ steward.name }}-node-public-verif-keys" + namespace: "{{ component_ns }}" + kubeconfig: "{{ kubernetes.config_file }}" + register: steward_node_public_verif_keys + +# Extract and save the steward's verification key to a JSON file +- name: "Extract and save the steward's verification key to a JSON file" + copy: + content: "{{ steward_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}" + dest: "{{ files_dir }}/{{ steward.name }}-verkey.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: steward_node_public_verif_keys is defined and steward_node_public_verif_keys.resources[0].data.value is defined + +# Get steward's node public BLS keys +- name: "Get steward's node public BLS keys" + k8s_info: + kind: Secret + 
name: "{{ steward.name }}-node-public-bls-keys" + namespace: "{{ component_ns }}" + kubeconfig: "{{ kubernetes.config_file }}" + register: steward_node_public_bls_keys + +# Extract and save the steward's BLS POP to a JSON file +- name: "Extract and save the steward's BLS POP to a JSON file" + copy: + content: "{{ steward_node_public_bls_keys.resources[0].data.value | b64decode | from_json | json_query('\"bls-key-pop\"') }}" + dest: "{{ files_dir }}/{{ steward.name }}-blspop.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: steward_node_public_bls_keys is defined and steward_node_public_bls_keys.resources[0].data.value is defined + +# Extract and save the steward's BLS public key to a JSON file +- name: "Extract and save the steward's BLS public key to a JSON file" + copy: + content: "{{ steward_node_public_bls_keys.resources[0].data.value | b64decode | from_json | json_query('\"bls-public-key\"') }}" + dest: "{{ files_dir }}/{{ steward.name }}-blspub.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: steward_node_public_bls_keys is defined and steward_node_public_bls_keys.resources[0].data.value is defined diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml new file mode 100644 index 00000000000..dbe0c679490 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml 
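Review bot: Every `copy` task in this file is guarded by `when: ... is defined`, so a steward whose `-identity-public`, `-node-public-verif-keys` or `-node-public-bls-keys` Secret is missing from `{{ component_ns }}` is skipped without a failure and simply never appears in the genesis inputs. Since the genesis is meant to be built from known nodes only, a lookup that returns nothing should stop the play, for example `failed_when: steward_identity_public.resources | length == 0` on each `k8s_info` task, instead of letting the network form with fewer validators than configured. `files_dir` is also repeated in four task-level `vars:` blocks; setting it once at the top of the file keeps the four destinations in step. trustee_keys.yaml has the same silent-skip guards and the same repeated `files_dir`.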
@@ -0,0 +1,41 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Get trustee public identity secret +- name: "Get trustee public identity secret" + k8s_info: + kind: Secret + name: "{{ org.services.trustee.name }}-identity-public" + namespace: "{{ component_ns }}" + kubeconfig: "{{ kubernetes.config_file }}" + register: trustee_identity_public_secret + +# Extract and save trustee DID to a JSON file +- name: "Extract and save trustee DID to a JSON file" + copy: + content: "{{ trustee_identity_public_secret.resources[0].data.value | b64decode | from_json | json_query('did') }}" + dest: "{{ files_dir }}/{{ org.services.trustee.name }}-did.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: trustee_identity_public_secret is defined and trustee_identity_public_secret.resources[0].data.value is defined + +# Get trustee node public verif keys +- name: "Get trustee node public verif keys" + k8s_info: + kind: Secret + name: "{{ org.services.trustee.name }}-node-public-verif-keys" + namespace: "{{ component_ns }}" + kubeconfig: "{{ kubernetes.config_file }}" + register: trustee_node_public_verif_keys + +# Extract and save the trustee's verification key to a JSON file +- name: "Extract and save the trustee's verification key to a JSON file" + copy: + content: "{{ trustee_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}" + dest: "{{ files_dir }}/{{ org.services.trustee.name }}-verkey.json" + vars: + files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files" + when: trustee_node_public_verif_keys is defined and trustee_node_public_verif_keys.resources[0].data.value is defined 
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml new file mode 100644 index 00000000000..f36a00cfc33 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml @@ -0,0 +1,14 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Primary genesis setup +- name: "Primary genesis setup" + include_tasks: primary_genesis.yaml + +# Secondary genesis setup if there are multiple organizations +- name: "Secondary genesis Setup" + include_tasks: secondary_genesis.yaml + when: network['organizations'] | length > 1 diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml new file mode 100644 index 00000000000..e92de1006d5 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml 
@@ -0,0 +1,66 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Initialize variable and list +- name: "Initialize variable and list" + set_fact: + trustee_list: [] + steward_list: [] + +# Store Trustee, Endorser and Stewards info +- name: "Store Trustee, Endorser and Stewards info" + include_tasks: primary_genesis_peers.yaml + vars: + org_name: "{{ org.name | lower }}" + stewards: "{{ org.services.stewards }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + +# Gather Kubernetes cluster information +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ network['organizations'][0].k8s.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server_url: "{{ cluster_info.connection.host }}" + +# Install primary genesis +- name: "Install primary genesis" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" + vars: + type: "indy_genesis" + org: "{{ network['organizations'] | first }}" + org_name: "{{ org.name | lower }}" + stewards: "{{ org.services.stewards }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + vault: "{{ org.vault }}" + kubernetes_server: "{{ kubernetes_server_url }}" + kubernetes: "{{ org.k8s }}" + component_type: "generate-genesis" + component_ns: "{{ org_name }}-ns" + component_name: "{{ org_name }}-genesis" + secondaryGenesis: false + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" + +# Check if primary genesis job is completed +- name: "Check if primary genesis job is completed" + include_role: + name: "{{ 
playbook_dir }}/../../shared/configuration/roles/check/helm_component" + vars: + org: "{{ network['organizations'] | first }}" + org_name: "{{ org.name | lower }}" + component_name: "{{ org_name }}-genesis" + component_type: Job + org: "{{ network['organizations'] | first }}" + component_ns: "{{ org.name | lower }}-ns" + namespace: "{{ component_ns }}" + kubernetes: "{{ org.k8s }}" diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml new file mode 100644 index 00000000000..849461468b3 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml @@ -0,0 +1,20 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Store trustee's name if it is not already set +- name: "Store trustee's name" + set_fact: + trustee_list: "{{ trustee_list + [org.services.trustee.name] }}" + when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0) + +# Add each steward's details (name, public IP, node port, client port) to the steward_list +- name: "Maintain each steward's node info" + set_fact: + steward_list: "{{ steward_list + [{'name': stewards_item.name, 'publicIp': stewards_item.publicIp, 'nodePort': stewards_item.node.ambassador, 'clientPort': stewards_item.client.ambassador}] }}" + loop: "{{ stewards }}" + loop_control: + loop_var: stewards_item + ignore_errors: true diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml new file mode 100644 index 00000000000..e2820cea0a2 --- /dev/null 
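Review bot: The `vars:` block of "Check if primary genesis job is completed" declares the `org` key twice, `org: "{{ network['organizations'] | first }}"` once before `org_name` and again after `component_type`; Ansible reports a duplicate dict key only as a warning by default and keeps the last value, so one of the two lines should go. In the same block `component_ns` is derived from `org.name` while the install task above derives it from `org_name`; `component_ns: "{{ org_name }}-ns"` in both places computes the namespace one way.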
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml 
@@ -0,0 +1,60 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Initialize variables for the first organization +- name: "Initialize variables for the first organization" + set_fact: + first_org_name: "{{ network.organizations[0].name | lower }}" + first_org_kubernetes: "{{ network.organizations[0].k8s }}" + +# Retrieve the ConfigMap for domain transactions genesis for the first organization +- name: "Get domain transactions genesis ConfigMap" + community.kubernetes.k8s_info: + api_version: v1 + kind: ConfigMap + name: dtg + namespace: "{{ first_org_name }}-ns" + kubeconfig: "{{ first_org_kubernetes.config_file }}" + register: dtg_configmap + +# Retrieve the ConfigMap for pool transactions genesis for the first organization +- name: "Get pool transactions genesis ConfigMap" + community.kubernetes.k8s_info: + api_version: v1 + kind: ConfigMap + name: ptg + namespace: "{{ first_org_name }}-ns" + kubeconfig: "{{ first_org_kubernetes.config_file }}" + register: ptg_configmap + +# Save the domain transactions genesis content to a file +- name: "Save domain transactions genesis to file" + copy: + content: "{{ dtg_configmap.resources[0].data.domain_transactions_genesis }}" + dest: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files/domain_transactions_genesis.json" + when: dtg_configmap.resources[0].data.domain_transactions_genesis is defined + +# Save the pool transactions genesis content to a file +- name: "Save pool transactions genesis to file" + copy: + content: "{{ ptg_configmap.resources[0].data.pool_transactions_genesis }}" + dest: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files/pool_transactions_genesis.json" + when: ptg_configmap.resources[0].data.pool_transactions_genesis is defined + +# 
Generate secondary genesis HR files for the remaining organizations +- name: "Generate secondary genesis HR file for the remaining organization" + include_tasks: secondary_genesis_orgs.yaml + vars: + org_name: "{{ org.name | lower }}" + component_name: "{{ org_name }}-genesis" + component_ns: "{{ org_name }}-ns" + component_type: "generate-genesis" + cloud_provider: "{{ org.cloud_provider | lower }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + loop: "{{ network['organizations'][1:] }}" # Skip the first organization + loop_control: + loop_var: org diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml new file mode 100644 index 00000000000..1e3d3a34b66 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml 
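Review bot: Both `copy` tasks skip silently when the `dtg`/`ptg` ConfigMap data is absent (`when: ... is defined`), so if the primary genesis ConfigMaps are missing from `{{ first_org_name }}-ns` the secondary genesis job for the remaining organizations is built from whatever `domain_transactions_genesis.json` and `pool_transactions_genesis.json` already sit in `charts/indy-genesis/files`, possibly left over from an earlier run. Those two files are the trust anchor every other organization bootstraps from, so an empty lookup should fail the play, e.g. `failed_when: dtg_configmap.resources | length == 0` on the two `k8s_info` tasks. This file calls `community.kubernetes.k8s_info` while steward_keys.yaml and trustee_keys.yaml call bare `k8s_info`; one spelling across the role would be clearer.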
@@ -0,0 +1,35 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Gather Kubernetes cluster information +- name: Gather cluster info + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server_url: "{{ cluster_info.connection.host }}" + +# Install the secondary genesis component for the specified organization +- name: "Install secondary genesis for the {{ org_name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" + vars: + type: "indy_genesis" + kubernetes_server: "{{ kubernetes_server_url }}" + secondaryGenesis: true + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" + +# Check if the secondary genesis job for the specified organization is completed +- name: "Check if secondary genesis job {{ org_name }} for is completed" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" + vars: + component_type: Job + namespace: "{{ component_ns }}" diff --git a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml index f7ef830772c..7d966e3a485 100644 --- a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml +++ b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml 
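Review bot: The last task's name reads "Check if secondary genesis job {{ org_name }} for is completed"; the words are transposed and should be `name: "Check if secondary genesis job for {{ org_name }} is completed"`. The two `include_role` tasks also depend on `component_name`, `component_ns`, `kubernetes` and `vault` arriving from the `include_tasks` vars in secondary_genesis.yaml; a short comment at the top of this file listing those expected inputs would help anyone reading it on its own.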
@@ -4,45 +4,10 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -################################################################################################### -# This role creates the deployment files for stewards and pushes them to repository -################################################################################################### - -# Wait for namespace creation for identities - - name: "Wait for namespace creation for identities" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Create image pull secrets - - name: "Create image pull secret for identities" - include_role: - name: create/imagepullsecret - -# Create Deployment files for new Identities - - name: "Create Deployment files" - include_tasks: nested_main.yaml - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - newIdentity: "{{ neworg.services.stewards }}" - org_vault_url: "{{ organizationItem.vault.url }}" - when: organizationItem is defined and organizationItem.services.stewards is defined - -# Wait until identities are creating - - name: "Wait until identities are creating" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ organizationItem.name }}-{{ stewardItem.name }}-transaction" - loop: "{{ neworg.services.stewards }}" - when: neworg is defined and neworg.services.stewards is defined - loop_control: - loop_var: stewardItem +# Deploy Steward nodes +- name: "Deploy Steward nodes" + include_tasks: nested.yaml + loop: "{{ 
org.services.stewards }}" + loop_control: + loop_var: steward + when: steward is defined and steward | length > 0 diff --git a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml new file mode 100644 index 00000000000..b0a778572b4 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml @@ -0,0 +1,38 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Deploy Steward's node +- name: "Deploy {{ steward.name }} node in the {{ org.name }} organization" + include_role: + name: create/helm_component/peer + vars: + node_public_ip: "{{ steward.publicIp }}" + node_port: "{{ steward.node.port | int }}" + node_external_port: "{{ steward.node.ambassador | int }}" + client_public_ip: "{{ steward.publicIp }}" + client_port: "{{ steward.client.port | int }}" + client_external_port: "{{ steward.client.ambassador | int }}" + component_name: "{{ steward.name | lower }}" + +# Push the created deployment files to repository +- name: "Push the created deployment files to repository" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" + vars: + GIT_DIR: "{{ playbook_dir }}/../../../" + msg: "[ci skip] Pushing key management job files for {{ component_ns }}" + gitops: "{{ org.gitops }}" + +# Check if Steward's node is running +- name: "Check if {{ steward.name }} node is running in the {{ org.name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" + vars: + component_type: Pod + component_name: "{{ steward.name | lower }}" + label_selectors: + - app = {{ component_name }} + namespace: "{{ component_ns }}" 
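Review bot: The git push in this file uses `msg: "[ci skip] Pushing key management job files for {{ component_ns }}"`, copied from the key-generation role, although what is pushed here is the steward node HelmRelease; `msg: "[ci skip] Pushing steward node deployment files for {{ component_ns }}"` describes the commit accurately. The `label_selectors` entry `- app = {{ component_name }}` is an unquoted plain scalar carrying a Jinja expression; `- "app = {{ component_name }}"` matches the quoting used for every other templated value in the file.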
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml index acdf23a9647..891e610abfb 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml @@ -97,10 +97,6 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: university-trustee - genesis: true stewards: - steward: name: university-steward-1 @@ -154,18 +150,6 @@ network: port: 9720 targetPort: 9720 ambassador: 9720 # Port for ambassador service - endorsers: - - endorser: - name: university-endorser - full_name: Some Decentralized Identity Mobile Services Partner - avatar: http://university.com/avatar.png - # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} - # Eg. In this sample http://university-endorser.indy.blockchaincloudpoc.com:15033/ - # For minikube: http://>:15033 - server: - httpPort: 15033 - apiPort: 15034 - webhookPort: 15035 - organization: name: bank type: peer @@ -211,10 +195,6 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: bank-trustee - genesis: true stewards: - steward: name: bank-steward-1 @@ -229,8 +209,3 @@ network: port: 9712 targetPort: 9712 ambassador: 9712 # Port for ambassador service - endorsers: - - endorser: - name: bank-endorser - full_name: Some Decentralized Identity Mobile Services Provider - avatar: http://bank.com/avatar.png 
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml index d26e88b9bb4..40e6149037f 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml @@ -110,8 +110,3 @@ network: port: 9712 targetPort: 9712 ambassador: 9712 # Port for ambassador service - endorsers: - - endorser: - name: bank-endorser - full_name: Some Decentralized Identity Mobile Services Provider - avatar: http://bank.com/avatar.png diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml index 6f6b4cebbd4..ea7ada93189 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml @@ -96,8 +96,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: @@ -150,6 +149,12 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 4 stewards and endorser services: + trustee: + name: university-trustee + genesis: true + server: + port: 8000 + ambassador: 15010 stewards: - steward: name: university-steward-1 @@ -203,8 +208,7 @@ network: port: 15742 targetPort: 15742 ambassador: 15742 # Port for ambassador service - endorsers: - - endorser: + endorser: name: university-endorser full_name: Faber university of the Demo. avatar: http://faber.com/avatar.png @@ -214,4 +218,4 @@ network: server: httpPort: 15033 apiPort: 15034 - webhookPort: 15035 + webhookPort: 15035 
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml index ea514813973..cd33f02c6e3 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml 
@@ -5,33 +5,48 @@ ############################################################################################## --- -# yaml-language-server: $schema=../../../../platforms/network-schema.json -# This is a sample configuration file for hyperledger indy which can reused for a sample indy network of 9 nodes. -# It has 3 organizations: -# 1. organization "authority" with 1 trustee -# 2. organization "provider" with 1 trustee, 2 stewards and 1 endorser -# 3. organization "partner" with 1 trustee, 2 stewards and 1 endorser +############################################################################################## +# Network Configuration File for HyperLedger-Indy Distributed Ledger Technology (DLT) Platform + +## Overview +# This configuration file is intended for deploying a HyperLedger-Indy platform. +# The deployment must adhere to the following network rules: +# - Exactly 1 trustee is required per organization. +# - Up to 1 endorser is allowed per organization. +# - At least 4 stewards are required collectively across the entire Indy network. + +## Sample Configuration +# This sample configuration file demonstrates a HyperLedger-Indy network with four organizations: +# - Organization 1: Contains only the Trustee. +# - Organization 2: Contains one Trustee, two Stewards, and one Endorser. +# - Organization 3: Contains one Trustee, two Stewards, and one Endorser. +# - Organization 4: Contains one Trustee and one Endorser. + +## Customization +# We can customize this configuration to include any number of organizations. +# However, it is imperative to comply with the network rules mentioned in the Overview section. +############################################################################################## network: # Network level configuration specifies the attributes required for each organization # to join an existing network. 
type: indy - version: 1.12.1 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.1 # Supported versions 1.11.0 and 1.12.1 #Environment section for Kubernetes setup env: - type: "dev" # tag for the environment. Important to run multiple flux on single cluster - proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy - proxy_namespace: "ambassador" + type: "dev" # Environment tag, useful for running multiple instances on a single cluster + proxy: ambassador # Must be 'ambassador' as 'haproxy' is not implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy # These ports are enabled per cluster, so if you have multiple clusters you do not need so many ports # This sample uses a single cluster, so we have to open 3 ports for each Node. These ports are again specified for each organization below - ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - portRange: # For a range of ports + ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' + portRange: # Range of ports for Ambassador from: 15010 to: 15052 - loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' - retry_count: 20 # Retry count for the checks - external_dns: enabled # Should be enabled if using external-dns for automatic route configuration + loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' + retry_count: 20 # Retry count for the checks + external_dns: enabled # Should be enabled if using external-dns for automatic route configuration # Docker registry details where images are stored. 
This will be used to create k8s secrets # Please ensure all required images are built and stored in this registry. @@ -41,15 +56,6 @@ network: username: "docker_username" password: "docker_password" - # It's used as the Indy network name (has impact e.g. on paths where the Indy nodes look for crypto files on their local filesystem) - name: bevel - - # Information about pool transaction genesis and domain transactions genesis - genesis: - state: absent # must be absent when network is created from scratch - pool: /path/to/pool_transactions_genesis # path where pool_transactions_genesis will be stored locally - domain: /path/to/domain_transactions_genesis # path where domain_transactions_genesis will be stored locally - # Allows specification of one or many organizations that will be connecting to a network. organizations: # Specification for the 1st organization. Each organization maps to a VPC and a separate k8s cluster @@ -57,7 +63,7 @@ network: name: authority type: peer external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. - cloud_provider: aws-baremetal # Values can be 'aws-baremetal', 'aws' or 'minikube' + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | aws: access_key: "aws_access_key" # AWS Access key @@ -69,6 +75,7 @@ network: publicIps: ["1.1.1.1", "2.2.2.2"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster azure: node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. k8s: @@ -98,8 +105,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: 
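Review bot: The rewritten header drops the `# yaml-language-server: $schema=../../../../platforms/network-schema.json` line, which is what gave editors validation of this sample against the network schema. With the services shape changing from `trustees:`/`endorsers:` lists to single `trustee:`/`endorser:` mappings, and `platforms/network-schema.json` appearing in this change's diffstat, that pointer is more useful now than before; keep it as the first line after `---`.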
@@ -108,9 +114,9 @@ network: # Specification for the 2nd organization. Each organization maps to a VPC and a separate k8s cluster - organization: - name: provider + name: university type: peer - cloud_provider: aws + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. aws: @@ -123,6 +129,7 @@ network: publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster azure: node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. k8s: @@ -152,13 +159,15 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: provider-trustee + trustee: + name: university-trustee genesis: true + server: + port: 8001 + ambassador: 15011 stewards: - steward: - name: provider-steward-1 + name: university-steward-1 type: VALIDATOR genesis: true publicIp: 3.221.78.194 # IP address of current organization in current availability zone 
@@ -171,48 +180,48 @@ network:
 targetPort: 9712
 ambassador: 9712 # Port for ambassador service
 - steward:
- name: provider-steward-2
+ name: university-steward-2
 type: VALIDATOR
 genesis: true
- publicIp: 3.221.78.194 # IP address of current organization in current availability zone
+ publicIp: 108.142.59.4 # 3.221.78.194 # IP address of current organization in current availability zone
 node:
 port: 9721
 targetPort: 9721
- ambassador: 9721 # Port for ambassador service
+ ambassador: 9721 # Port for ambassador service
 client:
 port: 9722
 targetPort: 9722
- ambassador: 9722 # Port for ambassador service
- endorsers:
- - endorser:
- name: provider-endorser
- full_name: Some Decentralized Identity Mobile Services Provider
- avatar: http://provider.com/avatar.png
+ ambassador: 9722 # Port for ambassador service
+ endorser:
+ name: university-endorser
+ full_name: Some Decentralized Identity Mobile Services Partner
+ avatar: http://partner.com/avatar.png
 # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}}
- # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15023/
- # For minikube: http://>:15023
+ # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15012/
+ # For minikube: http://>:15012
 server:
- httpPort: 15023
- apiPort: 15024
- webhookPort: 15025
-
- # Specification for the 3rd organization. Each organization maps to a VPC and a separate k8s cluster
+ httpPort: 15012
+ apiPort: 15013
+ webhookPort: 15014
+
+ # Specification for the 3nd organization. Each organization maps to a VPC and a separate k8s cluster
 - organization:
- name: partner
+ name: provider
 type: peer
- cloud_provider: aws
+ cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' |
 external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed.
-
+
 aws:
 access_key: "aws_access_key" # AWS Access key
 secret_key: "aws_secret_key" # AWS Secret key
 encryption_key: "encryption_key_id" # AWS encryption key. If present, it's used as the KMS key id for K8S storage class encryption.
 zone: "availability_zone" # AWS availability zone
 region: "region" # AWS region
-
- publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster
+
+ publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster
 azure:
 node_resource_group: "MC_myResourceGroup_myCluster_westeurope"
+
 # Kubernetes cluster deployment variables. The config file path has to be provided in case
 # the cluster has already been created.
 k8s:
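Review bot: `university-steward-2` now gets `publicIp: 108.142.59.4`, but the university organization's `publicIps` list in the earlier hunk of this file is still `["3.221.78.194"]`, so the sample no longer agrees with its own comment that `publicIps` holds every public IP of the cluster; either add `108.142.59.4` there or keep `3.221.78.194` on the steward. The `# 3.221.78.194 #` fragment in the new line looks like an editing leftover and should go: `publicIp: 108.142.59.4  # IP address of current organization in current availability zone`. The new section heading reads `3nd organization`; `3rd organization` is intended. The university `organization` entry begins before this hunk and the provider entry continues after it.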
@@ -229,59 +238,125 @@ network:
 # Do not check-in git_access_token
 gitops:
 git_protocol: "https" # Option for git over https or ssh
- git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files
- branch: "develop" # Git branch where release is being made
- release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment.
- chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo
- git_repo: "github.com//bevel.git" # Gitops git repository URL for git push
- username: "git_username" # Git Service user who has rights to check-in in all branches
- password: "git_access_token" # Git Server user password
- email: "git@email.com" # Email to use in git config
- private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh)
+ git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files
+ branch: "develop" # Git branch where release is being made
+ release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment.
+ chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo
+ git_repo: "github.com//bevel.git" # Gitops git repository URL for git push
+ username: "git_username" # Git Service user who has rights to check-in in all branches
+ password: "git_access_token" # Git Server user password
+ email: "git@email.com" # Email to use in git config
+ private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh)
 # Services maps to the pods that will be deployed on the k8s cluster
 # This sample has trustee, 2 stewards and endoorser
 services:
- trustees:
- - trustee:
- name: partner-trustee
+ trustee:
+ name: provider-trustee
 genesis: true
+ server:
+ port: 8002
+ ambassador: 15021
 stewards:
 - steward:
- name: partner-steward-1
+ name: provider-steward-1
 type: VALIDATOR
 genesis: true
- publicIp: 3.221.78.194 # IP address of current organization in current availability zone
+ publicIp: 3.221.78.194 # IP address of the ambassador proxy
 node:
 port: 9731
 targetPort: 9731
- ambassador: 9731 # Port for ambassador service
+ ambassador: 9721 # Port for ambassador service
 client:
 port: 9732
 targetPort: 9732
- ambassador: 9732 # Port for ambassador service
+ ambassador: 9722 # Port for ambassador service
 - steward:
- name: partner-steward-2
+ name: provider-steward-2
 type: VALIDATOR
 genesis: true
- publicIp: 3.221.78.194 # IP address of current organization in current availability zone
+ publicIp: 3.221.78.194 # IP address of the ambassador proxy
 node:
 port: 9741
 targetPort: 9741
- ambassador: 9741 # Port for ambassador service
+ ambassador: 9721 # Port for ambassador service
 client:
 port: 9742
 targetPort: 9742
- ambassador: 9742 # Port for ambassador service
- endorsers:
- - endorser:
+ ambassador: 9722 # Port for ambassador service
+ endorser:
+ name: provider-endorser
+ full_name: Some Decentralized Identity Mobile Services Provider
+ avatar: http://provider.com/avatar.png
+ # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}}
+ # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15022/
+ # For minikube: http://>:15022
+ server:
+ httpPort: 15022
+ apiPort: 15023
+ webhookPort: 15024
+
+ # Specification for the 4th organization. Each organization maps to a VPC and a separate k8s cluster
+ - organization:
+ name: partner
+ type: peer
+ cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' |
+ external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed.
+
+ aws:
+ access_key: "aws_access_key" # AWS Access key
+ secret_key: "aws_secret_key" # AWS Secret key
+ encryption_key: "encryption_key_id" # AWS encryption key. If present, it's used as the KMS key id for K8S storage class encryption.
+ zone: "availability_zone" # AWS availability zone
+ region: "region" # AWS region
+
+ publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster
+ azure:
+ node_resource_group: "MC_myResourceGroup_myCluster_westeurope"
+
+ # Kubernetes cluster deployment variables. The config file path has to be provided in case
+ # the cluster has already been created.
+ k8s:
+ config_file: "/path/to/cluster_config"
+ context: "kubernetes-admin@kubernetes"
+
+ # Hashicorp Vault server address and root-token. Vault should be unsealed.
+ # Do not check-in root_token
+ vault:
+ url: "vault_addr"
+ root_token: "vault_root_token"
+
+ # Git Repo details which will be used by GitOps/Flux.
+ # Do not check-in git_access_token
+ gitops:
+ git_protocol: "https" # Option for git over https or ssh
+ git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files
+ branch: "develop" # Git branch where release is being made
+ release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment.
+ chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo
+ git_repo: "github.com//bevel.git" # Gitops git repository URL for git push
+ username: "git_username" # Git Service user who has rights to check-in in all branches
+ password: "git_access_token" # Git Server user password
+ email: "git@email.com" # Email to use in git config
+ private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh)
+
+ # Services maps to the pods that will be deployed on the k8s cluster
+ # This sample has trustee, 2 stewards and endoorser
+ services:
+ trustee:
+ name: partner-trustee
+ genesis: true
+ server:
+ port: 8004
+ ambassador: 15031
+ endorser:
 name: partner-endorser
 full_name: Some Decentralized Identity Mobile Services Partner
 avatar: http://partner.com/avatar.png
 # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}}
- # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15033/
- # For minikube: http://>:15033
+ # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15032/
+ # For minikube: http://>:15032
 server:
- httpPort: 15033
- apiPort: 15034
- webhookPort: 15035
+ httpPort: 15032
+ apiPort: 15033
+ webhookPort: 15034
diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml
index 24285b2ff32..fc4aedd0899 100644
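Review bot: Both provider stewards keep `publicIp: 3.221.78.194` while their ambassador ports are changed from `9731/9732` and `9741/9742` to `9721/9722` on `provider-steward-1` and `provider-steward-2` alike, so the two nodes would be published on the same address and port pair. If the ambassador port is the externally reachable port on the proxy, as the `# Port for ambassador service` comment suggests, it has to stay unique per steward: `ambassador: 9731` / `9732` and `ambassador: 9741` / `9742` match the `node`/`client` ports already on those entries, and the `9721/9722` pair is also what `university-steward-2` uses in the previous hunk. The new 4th organization's services comment says `This sample has trustee, 2 stewards and endoorser`, but the block defines only a trustee and an endorser; `# This sample has trustee and endorser` would describe it. The partner trustee's `port: 8004` skips `8003` after `8001`/`8002`; harmless if intentional, but worth a glance.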
--- a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml
+++ b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml
@@ -78,8 +78,7 @@ network:
 # Services maps to the pods that will be deployed on the k8s cluster
 # This sample has trustee
 services:
- trustees:
- - trustee:
+ trustee:
 name: authority-trustee
 genesis: true
 server:
@@ -175,8 +174,7 @@ network:
 port: 15742
 targetPort: 15742
 ambassador: 15742
- endorsers:
- - endorser:
+ endorser:
 name: university-endorser
 full_name: Faber university of the Demo.
 avatar: http://faber.com/avatar.png
diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml
index 70ccc3ec684..efda66868fe 100644
--- a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml
+++ b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml
@@ -75,8 +75,7 @@ network:
 # Services maps to the pods that will be deployed on the k8s cluster
 # This sample has trustee
 services:
- trustees:
- - trustee:
+ trustee:
 name: authority-trustee
 genesis: true
 server:
@@ -146,8 +145,7 @@ network:
 port: 15722
 targetPort: 15722
 ambassador: 15722
- endorsers:
- - endorser:
+ endorser:
 name: provider-endorser
 full_name: Some Decentralized Identity Mobile Services Provider
 avatar: http://provider.com/avatar.png
@@ -222,15 +220,3 @@ network:
 port: 15742
 targetPort: 15742
 ambassador: 15742
- endorsers:
- - endorser:
- name: partner-endorser
- full_name: Some Decentralized Identity Mobile Services Partner
- avatar: http://partner.com/avatar.png
- # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}}
- # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15033/
- # For minikube: http://>:15033
- server:
- httpPort: 15033
- apiPort: 15034
- webhookPort: 15035
diff --git a/platforms/network-schema.json b/platforms/network-schema.json
index 848014438a3..45d6670c50b 100755
--- a/platforms/network-schema.json
+++ b/platforms/network-schema.json
@@ -2433,8 +2433,7 @@
 "indy_services": {
 "type": "object",
 "properties": {
- "trustees": {
- "type": "array",
+ "trustee": {
 "items": {
 "$ref": "#/definitions/indy_service_trustee"
 }
@@ -2445,8 +2444,7 @@
 "$ref": "#/definitions/indy_service_steward"
 }
 },
- "endorsers": {
- "type": "array",
+ "endorser": {
 "items": {
 "$ref": "#/definitions/indy_service_endorser"
 }
diff --git a/platforms/shared/configuration/delete-network.yaml b/platforms/shared/configuration/delete-network.yaml
index 5d152ddd387..5ecbd6ad4a2 100644
--- a/platforms/shared/configuration/delete-network.yaml
+++ b/platforms/shared/configuration/delete-network.yaml
@@ -12,8 +12,6 @@
 gather_facts: no
 no_log: "{{ no_ansible_log | default(false) }}"
 tasks:
- # ----------------------------------------------------------------------
- # Uninstalling Flux for organisation
 - name: Delete Flux
 include_role:
diff --git a/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml b/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml
index aed786c8241..3be1a403b78 100644
--- a/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml
+++ b/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml
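Review bot: `"trustee"` drops `"type": "array"` but keeps the `"items"` wrapper, and in JSON Schema `items` only constrains arrays, so a `trustee` object in network.yaml is no longer checked against `indy_service_trustee` at all — any object (or any scalar) passes. The same applies to `"endorser"` in the second hunk of this file. The object should reference the definition directly: `"trustee": { "$ref": "#/definitions/indy_service_trustee" }` and `"endorser": { "$ref": "#/definitions/indy_service_endorser" }`. `run.sh` runs `ajv validate` against this schema before deployment, so as written that gate would silently accept malformed trustee and endorser blocks.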
@@ -25,8 +25,8 @@
 # Dependency update and test the value file for syntax errors/ missing values
 - name: Helm dependency update and lint
 shell: |
- helm dependency update "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
- helm lint -f "{{ values_dir }}/{{ component_name }}.yaml" "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
+ helm dependency update "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
+ helm lint -f "{{ values_dir }}/{{ component_name }}.yaml" "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
 - name: Check if helm release already exists in {{ component_ns }}
 kubernetes.core.helm_info:
@@ -40,7 +40,7 @@
 kubernetes.core.helm:
 release_name: "{{ component_name }}"
 release_namespace: "{{ component_ns }}"
- chart_ref: "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
+ chart_ref: "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
 values_files:
 - "{{ values_dir }}/{{ component_name }}.yaml"
 force: true
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl b/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl
new file mode 100644
index 00000000000..d139fd07a55
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl
@@ -0,0 +1,8 @@
+image:
+ cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest
+ pullSecret:
+network: bevel
+admin: {{ trustee }}
+newIdentity:
+ name: {{ endorser }}
+ role: ENDORSER
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl b/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl
new file mode 100644
index 00000000000..b287c74c623
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl
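Review bot: In indy_endorser.tpl, `admin: {{ trustee }}` and `name: {{ endorser }}` are rendered unquoted, so an empty expansion becomes `null` and a boolean- or number-looking name is retyped in the rendered values file; quote them as `admin: "{{ trustee }}"` and `name: "{{ endorser }}"`, matching the quoting used for `"{{ org_name }}"` in indy_genesis.tpl. `pullSecret:` with no value renders as `null`; if the chart distinguishes an empty string from an absent secret, make it explicit with `pullSecret: ""` or drop the key. `cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest` is an unpinned tag, so the job that submits the ENDORSER registration as the trustee admin runs whatever that tag resolves to at deploy time; a fixed version tag or digest (`cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:<pinned-tag>`, placeholder) keeps that component reproducible and reviewable.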
@@ -0,0 +1,34 @@
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: indy
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+proxy:
+ provider: ambassador
+settings:
+ removeKeysOnDelete: true
+ secondaryGenesis: {{ secondaryGenesis }}
+{% if (not secondaryGenesis) and (trustee_list is defined) %}
+ trustees:
+{% for trustee in trustee_list %}
+ - name: "{{ trustee }}"
+{% endfor %}
+{% if steward_list is defined %}
+ stewards:
+{% for steward in steward_list %}
+ - name: "{{ steward.name }}"
+ publicIp: {{ steward.publicIp }}
+ nodePort: {{ steward.nodePort }}
+ clientPort: {{ steward.clientPort }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
index 77488d3b028..a6bdd050905 100644
--- a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
+++ b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
@@ -9,8 +9,12 @@ job_templates:
 secondary_genesis: secondary_genesis.tpl
 primary_init: primary_init.tpl
 secondary_init: secondary_init.tpl
+ indy_genesis: indy_genesis.tpl
+ indy_endorser: indy_endorser.tpl
 charts:
 primary_genesis: "{{ network.type }}-genesis"
 secondary_genesis: "{{ network.type }}-genesis"
 primary_init: corda-init
 secondary_init: corda-init
+ indy_genesis: indy-genesis
+ indy_endorser: indy-register-identity
diff --git a/platforms/shared/configuration/roles/git_push/tasks/main.yaml b/platforms/shared/configuration/roles/git_push/tasks/main.yaml
index 36fdda731b0..e9624b56178 100644
--- a/platforms/shared/configuration/roles/git_push/tasks/main.yaml
+++ b/platforms/shared/configuration/roles/git_push/tasks/main.yaml
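Review bot: `secondaryGenesis: {{ secondaryGenesis }}` renders a Python boolean as `True`/`False`, and `publicIp: {{ steward.publicIp }}` is left unquoted while `name` on the line above is quoted; write `secondaryGenesis: {{ secondaryGenesis | lower }}` so the values file carries canonical `true`/`false`, and `publicIp: "{{ steward.publicIp }}"` so the address is always a string. `serviceAccountName: vault-auth`, `vault.role: vault-role`, `network: indy` and `removeKeysOnDelete: true` are fixed in the template while neighbouring values come from variables; if these are meant to be adjustable per organization they should be templated as well, otherwise a short comment above `global:` stating that they are fixed for the Indy genesis job would stop the next reader from looking for the variable. The `stewards` list is only emitted inside `{% if (not secondaryGenesis) and (trustee_list is defined) %}`, so a primary genesis call with `steward_list` but no `trustee_list` renders no stewards; if that combination is invalid by design, a comment on the outer `{% if %}` saying so would make the intent explicit.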
@@ -28,9 +28,8 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- ignore_errors: yes
- tags:
- - notest
+ ignore_errors: true
+
 # Git push the new files, reset config files
 - name: "Execute git push for https"
@@ -47,9 +46,7 @@
 register: GIT_OUTPUT
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- ignore_errors: yes
- tags:
- - notest
+ ignore_errors: true
 # Display output of shell excution
 - name: "stdout for SSH gitpush"
@@ -58,8 +55,6 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- tags:
- - notest
 - name: "stderr for SSH gitpush"
 debug:
@@ -67,21 +62,15 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- tags:
- - notest
 # Display output of shell excution
 - name: "stdout for gitpush"
 debug:
 msg: "{{ GIT_OUTPUT.stdout.split('\n') }}"
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- tags:
- - notest
 # Display error of shell task
 - name: "stderr for git_push"
 debug:
 msg: "{{ GIT_OUTPUT.stderr.split('\n') }}"
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- tags:
- - notest
diff --git a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
index d81b402eddb..a1f7669809b 100644
--- a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
+++ b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
@@ -67,3 +67,6 @@ charts:
 quorum-connector: quorum-cacti-connector
 external_chaincode: fabric-external-chaincode
 install_external_chaincode_job: fabric-external-chaincode-install
+ generate-keys: indy-key-mgmt
+ generate-genesis: indy-genesis
+ stewards: indy-node
diff --git a/platforms/shared/configuration/setup-k8s-environment.yaml b/platforms/shared/configuration/setup-k8s-environment.yaml
index d92faddc203..558b34de2ee 100644
--- a/platforms/shared/configuration/setup-k8s-environment.yaml
+++ b/platforms/shared/configuration/setup-k8s-environment.yaml
@@ -30,7 +30,7 @@
 git_protocol: "{{ item.gitops.git_protocol | default('https') }}"
 git_url: "{{ item.gitops.git_url }}"
 git_key: "{{ item.gitops.private_key | default() }}"
- flux_version: "0.41.2"
+ flux_version: "2.3.0"
 with_items: "{{ network.organizations }}"
 when: network.env.type != 'operator'
diff --git a/run.sh b/run.sh
index fcf014bd3fd..ef19ba134e8 100644
--- a/run.sh
+++ b/run.sh
@@ -12,8 +12,8 @@ echo "Starting build process..."
 echo "Adding env variables..."
 export PATH=/root/bin:$PATH
-#Path to k8s config file
-KUBECONFIG=/home/bevel/build/config
+# Path to k8s config file
+export KUBECONFIG=/home/bevel/build/config
 echo "Validatin network yaml"
 ajv validate -s /home/bevel/platforms/network-schema.json -d /home/bevel/build/network.yaml