diff --git a/platforms/hyperledger-besu/charts/besu-genesis/README.md b/platforms/hyperledger-besu/charts/besu-genesis/README.md
index bb4f540b78b..6af902b63e9 100644
--- a/platforms/hyperledger-besu/charts/besu-genesis/README.md
+++ b/platforms/hyperledger-besu/charts/besu-genesis/README.md
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel
 helm install genesis bevel/besu-genesis
 ```
-## Prerequisitess
+## Prerequisites
 - Kubernetes 1.19+
 - Helm 3.2.0+
@@ -54,7 +54,7 @@ These parameters are refered to as same in each parent or child chart
 | Name | Description | Default Value |
 |--------|---------|-------------|
 |`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` |
-| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws` and `minikube` is tested | `aws` |
+| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently only `aws`, `azure` and `minikube` are tested | `aws` |
 | `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` |
 | `global.cluster.kubernetesUrl` | URL of the Kubernetes Cluster | `""` |
 | `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` |
@@ -71,7 +71,7 @@ These parameters are refered to as same in each parent or child chart
 | -------------| ---------- | --------- |
 | `image.genesisUtils.repository` | Quorum/Besu hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` |
 | `image.genesisUtils.tag` | Quorum/Besu hooks image tag | `qgt-0.2.12` |
-| `image.pullSecret` | Provide the docker secret name in the namespace | `""` |
+| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` |
 | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` |
 ### Settings
diff --git a/platforms/hyperledger-besu/charts/besu-node/README.md b/platforms/hyperledger-besu/charts/besu-node/README.md
index 434e3b1756d..fc7c1ad867c 100644
--- a/platforms/hyperledger-besu/charts/besu-node/README.md
+++ b/platforms/hyperledger-besu/charts/besu-node/README.md
@@ -85,7 +85,7 @@ This is where you can override the values for the [besu-tessera-node subchart](.
 ### Image
 | Name | Description | Default Value |
 | -------------| ---------- | --------- |
-| `image.pullSecret` | Provide the docker secret name in the namespace | `""` |
+| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` |
 | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` |
 | `image.besu.repository` | Besu image repository | `hyperledger/besu`|
 | `image.besu.tag` | Besu image tag as per version of Besu | `23.10.2`|
diff --git a/platforms/hyperledger-besu/charts/besu-propose-validator/README.md b/platforms/hyperledger-besu/charts/besu-propose-validator/README.md
index 039243865a0..fb52300539a 100644
--- a/platforms/hyperledger-besu/charts/besu-propose-validator/README.md
+++ b/platforms/hyperledger-besu/charts/besu-propose-validator/README.md
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel
 helm install propose-validator bevel/besu-propose-validator
 ```
-## Prerequisitess
+## Prerequisites
 - Kubernetes 1.19+
 - Helm 3.2.0+
@@ -57,7 +57,7 @@ The command removes all the Kubernetes components associated with the chart and
 | -------------| ---------- | --------- |
 | `image.genesisUtils.repository` | Besu hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` |
 | `image.genesisUtils.tag` | Besu hooks image tag | `qgt-0.2.12` |
-| `image.pullSecret` | Provide the docker secret name in the namespace | `""` |
+| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` |
 | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` |
 ### validators
diff --git a/platforms/hyperledger-besu/charts/besu-tessera-node/README.md b/platforms/hyperledger-besu/charts/besu-tessera-node/README.md
index 9b02022f3f7..3374181fbea 100644
--- a/platforms/hyperledger-besu/charts/besu-tessera-node/README.md
+++ b/platforms/hyperledger-besu/charts/besu-tessera-node/README.md
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel
 helm install my-tessera bevel/besu-tessera-node
 ```
-## Prerequisitess
+## Prerequisites
 - Kubernetes 1.19+
 - Helm 3.2.0+
@@ -88,7 +88,7 @@ These parameters are refered to as same in each parent or child chart
 | `image.mysql.tag` | MySQL image tag | `5.7` |
 | `image.hooks.repository` | Quorum/Besu hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` |
 | `image.hooks.tag` | Quorum/Besu hooks image tag | `qgt-0.2.12` |
-| `image.pullSecret` | Provide the docker secret name in the namespace | `""` |
+| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` |
 | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` |
diff --git a/platforms/hyperledger-besu/charts/besu-tlscert-gen/README.md b/platforms/hyperledger-besu/charts/besu-tlscert-gen/README.md
index 50791980175..eebfdf7f89b 100644
--- a/platforms/hyperledger-besu/charts/besu-tlscert-gen/README.md
+++ b/platforms/hyperledger-besu/charts/besu-tlscert-gen/README.md
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel
 helm install my-release bevel/besu-tlscert-gen
 ```
-## Prerequisitess
+## Prerequisites
 - Kubernetes 1.19+
 - Helm 3.2.0+
@@ -57,9 +57,9 @@ These parameters are refered to as same in each parent or chold chart
 | `global.vault.address`| URL of the Vault server. | `""` |
 | `global.vault.authPath` | Authentication path for Vault | `supplychain` |
 | `global.vault.network` | Network type which will determine the vault policy | `besu` |
-| `global.vault.secretEngine` | Provide the value for vault secret engine name | `secretsv2` |
-| `global.vault.secretPrefix` | Provide the value for vault secret prefix which must start with `data/` | `data/supplychain` |
-| `global.proxy.externalUrlSuffix` | Provide the External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` |
+| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` |
+| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` |
+| `global.proxy.externalUrlSuffix` | External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` |
 ### Image
@@ -67,14 +67,14 @@ These parameters are refered to as same in each parent or chold chart
 |------------|-----------|---------|
 | `image.repository` | Docker repository which will be used for this job | `ghcr.io/hyperledger/bevel-alpine` |
 | `image.tag` | Docker image tag which will be used for this job | `latest` |
-| `image.pullSecret` | Provide the docker secret name | `""` |
+| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` |
 | `image.pullPolicy` | The pull policy for the image | `IfNotPresent` |
 ### Settings
 | Name | Description | Default Value |
 | ------------| -------------- | --------------- |
 | `settings.tmTls` | Set value to true when transaction manager like tessera uses tls. This enables TLS for the transaction manager and Besu node. | `True` |
-| `settings.certSubject` | Provide the X.509 subject for root CA | `"CN=DLT Root CA,OU=DLT,O=DLT,L=London,C=GB"` |
+| `settings.certSubject` | The X.509 subject for root CA | `"CN=DLT Root CA,OU=DLT,O=DLT,L=London,C=GB"` |
 ### Common parameters
diff --git a/platforms/hyperledger-besu/charts/besu-tlscert-gen/templates/job.yaml b/platforms/hyperledger-besu/charts/besu-tlscert-gen/templates/job.yaml
index 7d5f3a881e8..0270ecc814b 100644
--- a/platforms/hyperledger-besu/charts/besu-tlscert-gen/templates/job.yaml
+++ b/platforms/hyperledger-besu/charts/besu-tlscert-gen/templates/job.yaml
@@ -119,7 +119,7 @@ spec:
 mountPath: /scripts/bevel-vault.sh
 subPath: bevel-vault.sh
 containers:
- - name: "generate-certs"
+ - name: "generate-certs"
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
 env:
@@ -345,7 +345,7 @@ spec:
 rm payload.json
 fi;
 # Create tls secret with the certificates
-kubectl get configmap --namespace {{ .Release.Namespace }} {{ include "besu-tlscert-gen.name" . }}-tls-certs
+kubectl get secret --namespace {{ .Release.Namespace }} {{ include "besu-tlscert-gen.name" . }}-tls-certs
 if [ $? -ne 0 ]; then
 kubectl create secret tls --namespace {{ .Release.Namespace }} {{ include "besu-tlscert-gen.name" . }}-tls-certs \
 --cert=${AMBASSADORTLS_PATH}/certchain.pem \
diff --git a/platforms/hyperledger-fabric/charts/README.md b/platforms/hyperledger-fabric/charts/README.md
index 0dd04d70415..4f7546ba45f 100644
--- a/platforms/hyperledger-fabric/charts/README.md
+++ b/platforms/hyperledger-fabric/charts/README.md
@@ -6,13 +6,13 @@
 # Charts for Hyperledger Fabric components
 ## About
-This folder contains the helm charts which are used for the deployment of the Hyperledger Fabric components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS is fully supported.
+This folder contains the helm charts which are used for the deployment of the Hyperledger Fabric components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS and Azure is fully supported.
 ```yaml
 global:
 serviceAccountName: vault-auth
 cluster:
- provider: aws # choose from: minikube | aws
+ provider: aws # choose from: minikube | aws | azure
 cloudNativeServices: false # future: set to true to use Cloud Native Services
 kubernetesUrl: "https://yourkubernetes.com" # Provide the k8s URL, ignore if not using Hashicorp Vault
 vault:
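Review bot: The presence check on the new `kubectl get secret` line still treats any non-zero exit as "secret absent", so a transient API-server error or an RBAC denial on the `get` falls straight through to `kubectl create secret tls`, whose own failure then becomes the only diagnostic and can hide the real cause. A quieter form that also drops the `$?` idiom and keeps the secret listing out of the job log is `if ! kubectl get secret --namespace {{ .Release.Namespace }} {{ include "besu-tlscert-gen.name" . }}-tls-certs >/dev/null 2>&1; then`, ideally preceded by a comment such as `# create-if-absent: an existing TLS secret is deliberately left untouched so a rerun does not replace the served key` if that is the intended semantics, which the script does not state. Whether this shell block runs under `set -e`, and how the `if` body and the `--cert` continuation end, is outside the hunk.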
@@ -24,6 +24,9 @@ global:
 secretEngine: secretsv2
 secretPrefix: "data/supplychain"
 role: vault-role
+ proxy:
+ provider: haproxy # choose from haproxy | none
+ externalUrlSuffix: test.yourdomain.com
 ```
 ## Usage
@@ -42,179 +45,201 @@ global:
 ### _Without Proxy or Vault_
-### To setup Orderer organization
+### To setup Orderers and Peers in an organization
 ```bash
-kubectl create namespace supplychain-net
+# Install the CA Server
+helm upgrade --install supplychain-ca ./fabric-ca-server --namespace supplychain-net --create-namespace --values ./values/noproxy-and-novault/ca-orderer.yaml
-helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/ca-server.yaml
+# Install the Orderers after CA server is running
+helm upgrade --install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/orderer.yaml
+helm upgrade --install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/orderer.yaml --set certs.settings.createConfigMaps=false
+helm upgrade --install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/orderer.yaml --set certs.settings.createConfigMaps=false
 ```
-Configure `settings.generateCertificates` field with value `true` for the generation of the cryptographic materials. This value should only be set to `true` in first orderer to be installed and `false` in the others.
+**Note** The orderers will remain waiting in the `Pending` state for Fabric 2.2.x, until we install the `fabric-genesis` chart.
 ```bash
-# Install the Orderers
-helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml --set settings.generateCertificates=true
-helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml
-helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml
+# OPTIONAL: To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
+cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files/core.yaml
+# Install the peers
+helm upgrade --install peer0 ./fabric-peernode --namespace supplychain-net --values ./values/noproxy-and-novault/peer.yaml
+helm upgrade --install peer1 ./fabric-peernode --namespace supplychain-net --values ./values/noproxy-and-novault/peer.yaml --set peer.gossipPeerAddress=peer0.supplychain-net:7051 --set peer.cliEnabled=true
 ```
-**Note** The orderers will remain waiting in the `Init` state in the deployment of fabric 2.2.2, until we install the `fabric-genesis` chart.
-
-### To setup Peer organization
-
-```bash
-kubectl create namespace carrier-net
-
-helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/ca-server.yaml
-```
-Configure `settings.generateCertificates` field with value `true` for the generation of the cryptographic materials. This value should only be set to `true` in first peer to be installed and `false` in the others.
+### To setup Peers in another organization
 ```bash
-# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
-# This step is optional
-cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files
+# Install the CA Server
+helm upgrade --install carrier-ca ./fabric-ca-server --namespace carrier-net --create-namespace --values ./values/noproxy-and-novault/ca-peer.yaml
-# Get the Orderer tls certificate and place in fabric-catools/files
-cd ./fabric-catools/files
+# Get the Orderer tls certificate and place in fabric-peernode/files
+cd ./fabric-peernode/files
 kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt
-# Before installing, we must use the dependencies again, due to the addition of the file in the files folder
-cd ../..
-helm dependency update fabric-peernode
-
 # Install the Peers
-helm install peer0-carrier ./fabric-peernode --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/peer.yaml --set settings.generateCertificates=true
+cd ../..
+helm upgrade --install peer0 ./fabric-peernode --namespace carrier-net --values ./values/noproxy-and-novault/carrier.yaml
 ```
-### Generate genesis file
+### Create Genesis file and other channel artifacts
 ```bash
 # Obtain certificates and the configuration file of each peer organization, place in fabric-genesis/files
 cd ./fabric-genesis/files
-kubectl --namespace carrier-net get configmap admin-msp -o json > carrier.json
-kubectl --namespace carrier-net get configmap msp-config-file -o json > carrier-config-file.json
+kubectl --namespace carrier-net get secret admin-msp -o json > carrier.json
+kubectl --namespace carrier-net get configmap peer0-msp-config -o json > carrier-config-file.json
-# Install Genesis
+# OPTIONAL: If additional orderer from a different organization is needed in genesis
+kubectl --namespace carrier-net get secret orderer5-tls -o json > orderer5-orderer-tls.json
+
+# Generate the genesis block
 cd ../..
-helm install genesis ./fabric-genesis --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/genesis.yaml
+helm install genesis ./fabric-genesis --namespace supplychain-net --values ./values/noproxy-and-novault/genesis.yaml
 ```
-### Create channel for Hyperledger Fabric 2.5.4
+### Create channel for Hyperledger Fabric 2.5.x
 ```bash
-# Install create channel
-helm install allchannel ./fabric-osnadmin-channel-create --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/osn-create-channel.yaml
+# Create channel
+helm install allchannel ./fabric-osnadmin-channel-create --namespace supplychain-net --set global.vault.type=kubernetes
-# Install join channel and anchorpeer
-helm install peer0-carrier-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/join-channel.yaml
+# Join peer to channel and make it an anchorpeer
+helm install peer0-allchannel ./fabric-channel-join --namespace supplychain-net --set 
global.vault.type=kubernetes
+helm install peer1-allchannel ./fabric-channel-join --namespace supplychain-net --set global.vault.type=kubernetes --set peer.name=peer1 --set peer.address=peer1.supplychain-net:7051
+
+# Join peer from another organization to channel and make it an anchorpeer
+helm install peer0-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/noproxy-and-novault/join-channel.yaml
 ```
 **Note** Anchorpeer job is only executed if `peer.type` is set to `anchor`
-### Create channel for Hyperledger Fabric 2.2.2
+### Create channel for Hyperledger Fabric 2.2.x
 ```bash
 # Obtain the file channel.tx and place it in fabric-channel-create/files
-kubectl --namespace supplychain-net get configmap channel-artifacts-allchannel -o json > channel.tx.json
+cd ./fabric-channel-create/files
+kubectl --namespace supplychain-net get configmap allchannel-channeltx -o jsonpath='{.data.allchannel-channeltx_base64}' > channeltx.json
 # Install create channel
-helm install allchannel ./fabric-channel-create --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/create-channel.yaml
+cd ../..
+helm install allchannel ./fabric-channel-create --namespace carrier-net --set global.vault.type=kubernetes
+# Join peer to channel and make it an anchorpeer. Repeat for each peer organization.
 # Get the file anchors.tx and place it in fabric-channel-join/files
-kubectl --namespace supplychain-net get configmap anchorpeer-artifacts-allchannel -o json > anchors.tx.json
+cd ./fabric-channel-join/files
+kubectl --namespace supplychain-net get configmap allchannel-supplychain-anchortx -o jsonpath='{.data.allchannel-supplychain-anchortx_base64}' > anchortx.json
 # Install join channel and anchorpeer
-helm install peer0-carrier-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/join-channel.yaml
+cd ../..
+helm install peer0-allchannel ./fabric-channel-join --namespace supplychain-net --set global.vault.type=kubernetes --set global.version=2.2.2
+helm install peer1-allchannel ./fabric-channel-join --namespace supplychain-net --set global.vault.type=kubernetes --set global.version=2.2.2 --set peer.name=peer1 --set peer.address=peer1.supplychain-net:7051 --set peer.type=general
+
+# Join peer from another organization to channel and make it an anchorpeer
+cd ./fabric-channel-join/files
+kubectl --namespace supplychain-net get configmap allchannel-carrier-anchortx -o jsonpath='{.data.allchannel-carrier-anchortx_base64}' > anchortx.json
+cd ../..
+helm install peer0-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/noproxy-and-novault/join-channel.yaml
 ```
 **Note** Anchorpeer job is only executed if `peer.type` is set to `anchor`
-### _With Haproxy proxy and Vault_
+### _With Haproxy Proxy and Vault_
-### To setup Orderer organization
+### To setup Orderers and Peers in an organization
-Replace the `global.vault.address`, `global.cluster.kubernetesUrl` and `global.proxy.externalUrlSuffix` in all the files in `./values/proxy-and-vault/` folder.
+Replace the `"http://vault.url:8200"`, `"https://yourkubernetes.com"` and `"test.yourdomain.com"` in all the files in `./values/proxy-and-vault/` folder and this file.
 ```bash
 kubectl create namespace supplychain-net
 kubectl -n supplychain-net create secret generic roottoken --from-literal=token=
-helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/ca-server.yaml
+helm upgrade --install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/proxy-and-vault/ca-orderer.yaml
+
+# Install the Orderers after CA server is running
+helm upgrade --install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/orderer.yaml
+helm upgrade --install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/orderer.yaml --set certs.settings.createConfigMaps=false
+helm upgrade --install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/orderer.yaml --set certs.settings.createConfigMaps=false
 ```
-Configure `settings.generateCertificates` field with value `true` for the generation of the cryptographic materials. This value should only be set to `true` in first orderer to be installed and `false` in the others.
+**Note** The orderers will remain waiting in the `Pending` state for Fabric 2.2.x, until we install the `fabric-genesis` chart.
 ```bash
-# Install the Orderers
-helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml --set settings.generateCertificates=true
-helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml
-helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml
+# OPTIONAL: To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
+cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files/core.yaml
+# Install the peers
+helm upgrade --install peer0 ./fabric-peernode --namespace supplychain-net --values ./values/proxy-and-vault/peer.yaml
+helm upgrade --install peer1 ./fabric-peernode --namespace supplychain-net --values ./values/proxy-and-vault/peer.yaml --set peer.gossipPeerAddress=peer0.supplychain-net.test.yourdomain.com:443 --set peer.cliEnabled=true
 ```
-**Note** The orderers will remain waiting in the `Init` state in the deployment of fabric 2.2.2, until we install the `fabric-genesis` chart.
-
-### To setup Peer organization
+### To setup Peers in another organization
 ```bash
 kubectl create namespace carrier-net
-
 kubectl -n carrier-net create secret generic roottoken --from-literal=token=
+# Install the CA Server
+helm upgrade --install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/proxy-and-vault/ca-peer.yaml
-helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/ca-server.yaml
-
-```
-Configure `settings.generateCertificates` field with value `true` for the generation of the cryptographic materials. This value should only be set to `true` in first peer to be installed and `false` in the others.
-
-```bash
-# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
-# This step is optional
-cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files
-
-# Get the Orderer tls certificate and place in fabric-catools/files
-cd ./fabric-catools/files
+# Get the Orderer tls certificate and place in fabric-peernode/files
+cd ./fabric-peernode/files
 kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt
-# Before installing, we must use the dependencies again, due to the addition of the file in the files folder
-cd ../..
-helm dependency update fabric-peernode
-
 # Install the Peers
-helm install peer0-carrier ./fabric-peernode --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/peer.yaml --set settings.generateCertificates=true
+cd ../..
+helm upgrade --install peer0 ./fabric-peernode --namespace carrier-net --values ./values/proxy-and-vault/carrier.yaml
 ```
-### Generate genesis file
+### Create Genesis file and other channel artifacts
 ```bash
 # Obtain certificates and the configuration file of each peer organization, place in fabric-genesis/files
 cd ./fabric-genesis/files
-kubectl --namespace carrier-net get configmap admin-msp -o json > carrier.json
-kubectl --namespace carrier-net get configmap msp-config-file -o json > carrier-config-file.json
+kubectl --namespace carrier-net get secret admin-msp -o json > carrier.json
+kubectl --namespace carrier-net get configmap peer0-msp-config -o json > carrier-config-file.json
+
+# OPTIONAL: If additional orderer from a different organization is needed in genesis
+kubectl --namespace carrier-net get secret orderer5-tls -o json > orderer5-orderer-tls.json
-# Install Genesis
+# Generate the genesis block
 cd ../..
-helm install genesis ./fabric-genesis --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/genesis.yaml
+helm install genesis ./fabric-genesis --namespace supplychain-net --values ./values/proxy-and-vault/genesis.yaml
 ```
-### Create channel for Hyperledger Fabric 2.5.4
+### Create channel for Hyperledger Fabric 2.5.x
 ```bash
-# Install create channel
-helm install allchannel ./fabric-osnadmin-channel-create --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/osn-create-channel.yaml
+# Create channel
+helm install allchannel ./fabric-osnadmin-channel-create --namespace supplychain-net --values ./values/proxy-and-vault/osn-create-channel.yaml
-# Install join channel and anchorpeer
-helm install peer0-carrier-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/join-channel.yaml
+# Join peer to channel and make it an anchorpeer
+helm install peer0-allchannel ./fabric-channel-join --namespace supplychain-net --values ./values/proxy-and-vault/join-channel.yaml
+helm install peer1-allchannel ./fabric-channel-join --namespace supplychain-net --values ./values/proxy-and-vault/join-channel.yaml --set peer.name=peer1 --set peer.address=peer1.supplychain-net.test.yourdomain.com:443
+
+# Join peer from another organization to channel and make it an anchorpeer
+helm install peer0-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/proxy-and-vault/create-channel.yaml --set global.version=2.5.4
 ```
 **Note** Anchorpeer job is only executed if `peer.type` is set to `anchor`
-### Create channel for Hyperledger Fabric 2.2.2
+### Create channel for Hyperledger Fabric 2.2.x
 ```bash
 # Obtain the file channel.tx and place it in fabric-channel-create/files
-kubectl --namespace supplychain-net get configmap channel-artifacts-allchannel -o json > channel.tx.json
+cd ./fabric-channel-create/files
+kubectl --namespace supplychain-net get configmap 
allchannel-channeltx -o jsonpath='{.data.allchannel-channeltx_base64}' > channeltx.json
 # Install create channel
-helm install allchannel ./fabric-channel-create --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/create-channel.yaml
+cd ../..
+helm install allchannel ./fabric-channel-create --namespace carrier-net --values ./values/proxy-and-vault/create-channel.yaml
+# Join peer to channel and make it an anchorpeer. Repeat for each peer organization.
 # Get the file anchors.tx and place it in fabric-channel-join/files
-kubectl --namespace supplychain-net get configmap anchorpeer-artifacts-allchannel -o json > anchors.tx.json
+cd ./fabric-channel-join/files
+kubectl --namespace supplychain-net get configmap allchannel-supplychain-anchortx -o jsonpath='{.data.allchannel-supplychain-anchortx_base64}' > anchortx.json
 # Install join channel and anchorpeer
-helm install peer0-carrier-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/join-channel.yaml
+cd ../..
+helm install peer0-allchannel ./fabric-channel-join --namespace supplychain-net --values ./values/proxy-and-vault/join-channel.yaml
+helm install peer1-allchannel ./fabric-channel-join --namespace supplychain-net --values ./values/proxy-and-vault/join-channel.yaml --set peer.name=peer1 --set peer.address=peer1.supplychain-net.test.yourdomain.com:443 --set peer.type=general
+
+# Join peer from another organization to channel and make it an anchorpeer
+cd ./fabric-channel-join/files
+kubectl --namespace supplychain-net get configmap allchannel-carrier-anchortx -o jsonpath='{.data.allchannel-carrier-anchortx_base64}' > anchortx.json
+cd ../..
+helm install peer0-allchannel ./fabric-channel-join --namespace carrier-net --values ./values/proxy-and-vault/create-channel.yaml
 ```
 **Note** Anchorpeer job is only executed if `peer.type` is set to `anchor`
@@ -222,16 +247,12 @@ helm install peer0-carrier-allchannel ./fabric-channel-join --namespace carrier-
 To clean up, just uninstall the helm releases
 ```bash
-helm uninstall --namespace carrier-net peer0-carrier-allchannel
-helm uninstall --namespace supplychain-net allchannel
-helm uninstall --namespace carrier-net allchannel
-helm uninstall --namespace supplychain-net orderer1
-helm uninstall --namespace supplychain-net orderer2
-helm uninstall --namespace supplychain-net orderer3
-helm uninstall --namespace carrier-net peer0-carrier
-
-helm uninstall --namespace supplychain-net genesis
-
+helm uninstall --namespace supplychain-net peer1-allchannel peer0-allchannel
+helm uninstall --namespace supplychain-net peer0 peer1
+helm uninstall --namespace supplychain-net orderer1 orderer2 orderer3
+helm uninstall --namespace supplychain-net genesis allchannel
 helm uninstall --namespace supplychain-net supplychain-ca
+
+helm uninstall --namespace carrier-net peer0 peer0-allchannel allchannel
 helm uninstall --namespace carrier-net carrier-ca
 ```
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml
index 64653b52428..9c53ad9c83a 100644
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml
@@ -6,12 +6,12 @@ apiVersion: v1
 name: fabric-ca-server
-description: "Hyperledger Fabric: Deploys a CA server."
-version: 1.0.0
+description: "Hyperledger Fabric: Deploys Fabric CA server"
+version: 1.1.0
 appVersion: latest
 keywords:
 - bevel
- - ethereum
+ - hlf
 - fabric
 - hyperledger
 - enterprise
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md b/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md
index 945b5d3a2dc..5e148f73dc6 100644
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md
@@ -3,204 +3,114 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# CA Server Hyperledger Fabric Deploymen +# fabric-ca-server -- [CA Server Hyperledger Fabric Deployment Helm Chart](#ca-server-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-ca-server chart deploys a CA server for Hyperledger Fabric blockchain network. If enabled, the keys are then stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## CA Server Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-ca-server) to deploy a CA server. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- HAproxy is required as ingress controller. -- Helm installed. 
- - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install ca bevel/fabric-ca-server ``` -fabric-ca-server/ - |- conf/ - |- fabric-ca-server-config-default.yaml - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- deployment.yaml - |- service.yaml - |- volume.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `fabric-ca-server-config-default.yaml`: Configuration file for the fabric-ca-server command. -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Store the configuration for the Fabric CA server. The configuration file is stored in the fabric-ca-server-config.yaml file, and it is mounted into the Fabric CA server container. The ConfigMap is optional, and it is only used if the server.configpath value is set. Otherwise, the default configuration for the Fabric CA server will be used. -- `deployment.yaml`: Deploys CA server Pod, allowing it to handle certificate-related operations within the Hyperledger Fabric blockchain network. To ensure the security and proper configuration of the CA server, the included init-container retrieves essential secrets from a Vault server. -- `service.yaml`: Expose a Fabric CA server to the outside world either using HaProxy as a reverse proxy engine. -- `volume.yaml`: Defines a persistent volume that can be used to store the Fabric CA server's database. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. 
- - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- - -### Metadata - -| Name | Description | Default Value | -| ----------------------| -----------------------------------------------------------------| --------------------------------------------------| -| namespace | Namespace for CA server | org1-net | -| images.ca | image name and version for fabric ca | ghcr.io/hyperledger/bevel-fabric-ca:1.4.8 | -| images.alpineutils | image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Provide the custom labels | "" | - - -### Server -| Name | Description | Default Value | -| ----------------------| -----------------------------------------------------------------| -------------------------------------------| -| name | Name for CA server deployment | ca | -| tlsstatus | Specify if TLS is enabled or disabled for the deployment | true | -| admin | Admin name for CA server | admin | -| configpath | Path for Fabric CA Server Config | conf/fabric-ca-server-config-default.yaml | - -### Storage - -| Name | Description | Default Value | -| ----------------------| --------------------------------------| ------------- | -| storageclassname | Storage class name for CA server | aws-storageclass | -| storagesize | Size of storage for CA server | 512Mi | - -### Vault +## Prerequisites -| Name | Description | Default Value | -| ----------------------| --------------------------------------------------------------------| --------------------------------- | -| address | Vault server address | "" | -| role | Vault role for deployment | vault-role | -| authpath | Kubernetes auth backend configured in Vault for CA server | 
fra-demo-hlkube-cluster-cluster | -| secretcert | Path of secret certificate configured in Vault for CA server | secretsv2/data/crypto/peerOrganizations/org1-net/ca?ca.org1-net-cert.pem | -| secretkey | Path of secret key configured in Vault for CA server | secretsv2/data/crypto/peerOrganizations/org1-net/ca?org1-net-CA.key | -| secretadminpass | Secret path for admin password configured in Vault for CA server | secretsv2/data/credentials/org1-net/ca/org1?user | -| serviceaccountname | Service account name for Vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for Vault | "" | -| tls | Enable or disable TLS for Vault communication | "" | -| tlssecret | Kubernetes secret for Vault CA certificate | vaultca | +- Kubernetes 1.19+ +- Helm 3.2.0+ -### Service +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -| Name | Description | Default Value | -| --------------------------| ---------------------------------------------------| ---------------| -| serviceType | Service type for the pod | ClusterIP | -| ports.tcp.nodePort | TCP node port to be exposed for CA server | 30007 | -| ports.tcp.clusterIpPort | TCP cluster IP port to be exposed for CA server | 7054 | +> **Important**: Also check the dependent charts. -### Annotations +## Installing the Chart -| Name | Description | Default Value | -| ------------| ---------------------------------------| ------------- | -| service | Extra annotations for the service | "" | -| pvc | Extra annotations for the PVC | "" | +To install the chart with the release name `ca`: -### Proxy +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install ca bevel/fabric-ca-server +``` -| Name | Description | Default Value | -| ----------------------| -------------------------------------------------------------------------|--------------------------------| -| provider | Proxy/ingress provider. 
Possible values: "haproxy" or "none" | haproxy | -| type | Type of the deployment. Possible values: "orderer", "peer", or "test" | test | -| externalUrlSuffix | External URL suffix for the organization | org1proxy.blockchaincloudpoc.com | +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. +> **Tip**: List all releases using `helm list` - -## Deployment ---- +## Uninstalling the Chart -To deploy the ca Helm chart, follow these steps: +To uninstall/delete the `ca` deployment: -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-ca-server - ``` -Replace `` with the desired name for the release. +```bash +helm uninstall ca +``` -This will deploy the ca server node to the Kubernetes cluster based on the provided configurations. +The command removes all the Kubernetes components associated with the chart and deletes the release. +## Parameters -a name = "verification"> -## Verification ---- - -To verify the deployment, we can use the following command: -``` -$ kubectl get deployments -n -``` -Replace `` with the actual namespace where the deployment was created. The command will display information about the deployment, including the number of replicas and their current status. 
+### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.cluster.kubernetesUrl` | URL of the Kubernetes Cluster | `""` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `fabric` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | +| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `haproxy` | `haproxy` | +| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Fabric GRPC services will be available | `test.blockchaincloudpoc.com` | +### Storage - -## Updating the Deployment ---- +| Name | Description | Default Value | +|--------|---------|-------------| +| `storage.size` | Size of the PVC needed for Fabric CA | `512Mi` | +| `storage.reclaimPolicy` | Reclaim policy for the PVC. 
Choose from: `Delete` or `Retain` | `Delete` | +| `storage.volumeBindingMode` | Volume binding mode for the PVC. Choose from: `Immediate` or `WaitForFirstConsumer` | `Immediate` | +| `storage.allowedTopologies.enabled` | Check [bevel-storageclass](../../../shared/charts/bevel-storageclass/README.md) for details | `false` | -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-ca-server -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the ca server node is up to date. +### Image - -## Deletion ---- +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.ca` | Fabric CA image repository and tag | `ghcr.io/hyperledger/bevel-fabric-ca:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +### Server - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [CA Server Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-ca-server), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). 
+| Name | Description | Default Value | +|--------|---------|-------------| +| `server.removeCertsOnDelete` | Flag to delete the certificate secrets when uninstalling the release | `true` | +| `server.tlsStatus` | TLS status of the server | `true` | +| `server.adminUsername` | CA Admin Username | `admin` | +| `server.adminPassword` | CA Admin Password | `adminpw` | +| `server.subject` | CA server root subject | `"/C=GB/ST=London/L=London/O=Orderer"` | +| `server.configPath` | Local path to the CA server configuration file which will be mounted to the CA Server | `""` | +| `server.nodePort` | NodePort for the CA Server | `""` | +| `server.clusterIpPort` | TCP Port for the CA Server | `7054` | + +### Labels + +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `labels.service` | Array of Labels for service object | `[]` | +| `labels.pvc` | Array of Labels for PVC object | `[]` | +| `labels.deployment` | Array of Labels for deployment or statefulset object | `[]` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/conf/fabric-ca-server-config-default.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/conf/fabric-ca-server-config-default.yaml index 0624df3168e..289ec948095 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/conf/fabric-ca-server-config-default.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/conf/fabric-ca-server-config-default.yaml @@ -136,8 +136,8 @@ registry: # Contains identity information which is used when LDAP is disabled # Do not edit this value identities: - - name: {{ $.Values.server.admin }} - pass: {{ $.Values.server.admin }}pw + - name: {{ .Values.server.adminUsername }} + pass: {{ .Values.server.adminPassword }} type: client affiliation: "" attrs: 
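Review bot: The admin password is now rendered unquoted into the identities block, `pass: {{ .Values.server.adminPassword }}`, so a value that YAML types as something other than a string (digits only, `yes`/`no`, or one starting with `*`, `&`, `#` or `{`) is mis-parsed or breaks the config; render it with `pass: {{ .Values.server.adminPassword | quote }}` and do the same for `name:`. Note also that when `server.configPath` points at this file it is shipped through configmap.yaml, so the CA admin credential lands in a ConfigMap rather than a Secret and is readable by anyone with configmap access in the namespace; at minimum the chart should document that the `adminpw` default must be overridden and that this file is not a safe place for the password. The `registry:` block this belongs to continues outside the hunk.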
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml
index 5e972695364..a5b2e417d4d 100644
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml
@@ -15,9 +15,3 @@ dependencies:
     tags:
     - storage
     version: ~1.0.0
-  - name: fabric-cacerts-gen
-    alias: cacerts
-    repository: "file://../fabric-cacerts-gen"
-    tags:
-    - cacerts
-    version: ~1.0.0
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl
index 1670a50fd9e..26091cea227 100644
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl
@@ -28,31 +28,30 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{- define "labels.deployment" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.deployment }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
+{{- range $value := .Values.labels.deployment }}
+{{ toYaml $value }}
 {{- end }}
 {{- end }}
 
 {{- define "labels.service" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.service }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
+{{- range $value := .Values.labels.service }}
+{{ toYaml $value }}
 {{- end }}
 {{- end }}
 
 {{- define "labels.pvc" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.pvc }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
+{{- range $value := .Values.labels.pvc }}
+{{ toYaml $value }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create server url depending on proxy
+*/}}
+{{- define "fabric-ca-server.serverURL" -}}
+{{- if eq .Values.global.proxy.provider "none" -}}
+ {{- printf "ca.%s" .Release.Namespace }}
+{{- else -}}
+ {{- printf "ca.%s.%s" .Release.Namespace .Values.global.proxy.externalUrlSuffix }}
+{{- end -}}
+{{- end -}}
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml
index 01ffba1373d..a4d1654cc1b 100644
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml
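Review bot: The rewritten label helpers emit `{{ toYaml $value }}` where the old code emitted `{{ $k }}: {{ $v | quote }}`, so a label value that the values file types as a number or boolean (for example `version: 1.0`) is now rendered unquoted, and the API server rejects it because label values must be strings. Keeping the per-key loop preserves the old behaviour without the `.Values.labels` guard: `{{- range $k, $v := $value }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`. The new `fabric-ca-server.serverURL` helper is fine, but a comment saying it must match the literal `ca` service name and ingress host in service.yaml would stop the two drifting apart.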
@@ -30,14 +30,14 @@ spec: restartPolicy: "Never" containers: - name: delete-secrets - image: "{{ $.Values.image.alpineUtils }}" + image: {{ .Values.image.alpineUtils }} securityContext: runAsUser: 0 imagePullPolicy: IfNotPresent command: ["sh", "-c"] args: - |- -{{- if .Values.settings.removeCertsOnDelete }} +{{- if .Values.server.removeCertsOnDelete }} function deleteSecret { key=$1 @@ -46,6 +46,5 @@ spec: kubectl delete secret ${key} --namespace {{ .Release.Namespace }} fi } - deleteSecret ca-certs - deleteSecret ca-credentials + deleteSecret {{ include "fabric-ca-server.name" . }}-certs {{- end}} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml index 70da32c3715..86f6b7bcfb5 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml 
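Review bot: With `server.removeCertsOnDelete` defaulting to `true` elsewhere in this change, `helm uninstall` now deletes the `<name>-certs` TLS secret that holds the CA's root private key; when `global.vault.type` is `kubernetes` that Secret is the only copy, so a reinstall generates a fresh root CA and every certificate the old CA issued stops validating. Either default the flag to `false`, or only delete when Vault still holds `rootca_key`, e.g. `{{- if and .Values.server.removeCertsOnDelete (eq .Values.global.vault.type "hashicorp") }}`. The opening of the `deleteSecret` function is outside this hunk.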
@@ -4,20 +4,45 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -{{- if (not (empty .Values.server.configpath)) }} +{{- if (not (empty .Values.server.configPath)) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ .Release.Name }} - app.kubernetes.io/component: fabric + app.kubernetes.io/name: {{ .Release.Name }}-config + app.kubernetes.io/component: fabric-ca-config app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/managed-by: helm data: fabric-ca-server-config.yaml: | - {{ (tpl (.Files.Get ( printf "%s" $.Values.server.configpath )) . ) | nindent 6 }} + {{ (tpl (.Files.Get ( printf "%s" $.Values.server.configPath )) . ) | nindent 6 }} {{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: openssl-config-file + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: openssl-config-file + app.kubernetes.io/component: openssl-config + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +data: + openssl.conf: |- + [req] + req_extensions = v3_req + distinguished_name = dn + + [dn] + + [v3_req] + basicConstraints = critical, CA:TRUE + keyUsage = critical,digitalSignature, keyEncipherment, keyCertSign, cRLSign + subjectKeyIdentifier = hash diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml index d4301f4dd62..d249cdfcef2 100644 
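Review bot: The new `openssl-config-file` ConfigMap has a fixed name with no release prefix, so a second fabric-ca-server release in the same namespace fails at install with a Helm ownership conflict; name it `{{ .Release.Name }}-openssl-config` and update the `configMap.name` reference in the statefulset volume to match. `app.kubernetes.io/managed-by` is also hard-coded to `helm` here while service.yaml in the same change still uses `{{ .Release.Service }}`; pick one. The `[v3_req]` extensions (CA:TRUE, keyCertSign, cRLSign) are right for a self-signed root, and a one-line comment stating that this config is only used by the init container to mint the root CA certificate would make that intent explicit.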
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Release.Name }} + name: ca namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ .Release.Name }} @@ -16,7 +16,7 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- include "labels.service" . | nindent 2 }} + {{- include "labels.service" . | nindent 4 }} spec: type: ClusterIP selector: @@ -27,16 +27,16 @@ spec: - name: tcp protocol: TCP targetPort: 7054 - port: {{ $.Values.service.ports.tcp.clusterIpPort }} - {{- if $.Values.service.ports.tcp.nodePort }} - nodePort: {{ $.Values.service.ports.tcp.nodePort }} + port: {{ .Values.server.clusterIpPort }} + {{- if .Values.server.nodePort }} + nodePort: {{ .Values.server.nodePort }} {{- end }} - name: operations protocol: TCP targetPort: 9443 port: 9443 -{{- if eq $.Values.global.proxy.provider "haproxy" }} +{{- if eq .Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress 
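Review bot: `spec.type` is still `ClusterIP` while the hunk keeps the conditional `nodePort: {{ .Values.server.nodePort }}`; the API server rejects `nodePort` on a ClusterIP service, so setting `server.nodePort` (documented in the README as a supported value) makes the install fail. Either derive the type from the value, `type: {{ if .Values.server.nodePort }}NodePort{{ else }}ClusterIP{{ end }}`, or drop the value. Renaming the Service to the literal `ca` also means two releases in one namespace collide on the same object; if the fixed name is intentional, a comment explaining that only one CA per namespace is supported should go on the `name:` line.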
@@ -44,38 +44,37 @@ metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} annotations: - kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: + ingressClassName: "haproxy" rules: - - host: ca.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: ca.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ .Release.Name }} + name: ca port: - number: {{ $.Values.service.ports.tcp.clusterIpPort }} + number: {{ .Values.server.clusterIpPort }} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ .Release.Name }}-ops namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/ingress.class: "haproxy" spec: + ingressClassName: "haproxy" rules: - - host: ca-ops.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: ca-ops.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ .Release.Name }} + name: ca port: number: 9443 {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml index e381cb6b1f4..6a507e85596 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml @@ -3,7 +3,6 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## - --- apiVersion: apps/v1 kind: StatefulSet 
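Review bot: The `{{ .Release.Name }}-ops` Ingress publishes the CA operations endpoint (port 9443) on a public hostname without the `ssl-passthrough` annotation the main CA ingress keeps and without any authentication, so health and metrics output is reachable by anyone who can resolve `ca-ops.<ns>.<suffix>`. Gate this second Ingress behind a value such as `server.exposeOperations` (default `false`), or restrict it with a source-range annotation, and add a comment on the resource stating why it is exposed. Whether HAProxy can even talk to that listener depends on the CA's `operations.tls` setting, which this diff does not show.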
@@ -13,14 +12,14 @@ metadata: labels: app: {{ .Release.Name }} app.kubernetes.io/name: {{ .Release.Name }} - app.kubernetes.io/component: fabric + app.kubernetes.io/component: fabric-ca-statefulset app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - annotations: - {{- include "labels.deployment" . | nindent 2 }} + {{- include "labels.deployment" . | nindent 4 }} spec: + serviceName: {{ .Release.Name }} replicas: 1 podManagementPolicy: OrderedReady updateStrategy: 
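Review bot: `serviceName: {{ .Release.Name }}` names a Service that this same change removes, because service.yaml renames the Service to the literal `ca`; a StatefulSet's governing service must match or the per-pod DNS entries (`<pod>.<serviceName>.<ns>`) are never created. Use `serviceName: ca`, or better restore a release-scoped name in both files. The StatefulSet `spec` continues past this hunk.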
@@ -29,148 +28,175 @@ spec: matchLabels: app: {{ .Release.Name }} app.kubernetes.io/name: {{ .Release.Name }} - app.kubernetes.io/component: fabric + app.kubernetes.io/component: fabric-ca-statefulset app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - serviceName: {{ .Release.Name }} - volumeClaimTemplates: - - metadata: - name: ca-server-db-pvc - labels: - {{- include "labels.deployment" . | nindent 2 }} - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: storage-{{ .Release.Name }} - resources: - requests: - storage: "{{ .Values.storage.size }}" template: metadata: labels: - name: {{ .Release.Name }} app: {{ .Release.Name }} app.kubernetes.io/name: {{ .Release.Name }} - app.kubernetes.io/component: fabric + app.kubernetes.io/component: fabric-ca-statefulset app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{- if $.Values.labels }} - {{- range $key, $value := $.Values.labels.deployment }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- include "labels.deployment" . 
| nindent 8 }} spec: serviceAccountName: {{ .Values.global.serviceAccountName }} {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} {{- end }} - volumes: - - name: certificates - emptyDir: - medium: Memory - {{- if (not (empty .Values.server.configpath)) }} - - name: {{ .Release.Name }}-config-volume - configMap: - name: {{ .Release.Name }}-config - items: - - key: fabric-ca-server-config.yaml - path: fabric-ca-server-config.yaml - {{- end }} - {{ if .Values.global.vault.tls }} - - name: vaultca - secret: - secretName: "{{ .Values.global.vault.tls }}" - items: - - key: ca.crt.pem - path: ca-certificates.crt - {{- end }} - - name: scripts-volume - configMap: - name: bevel-vault-script initContainers: - name: ca-certs-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent + volumeMounts: + - name: certificates + mountPath: /secret + {{ if .Values.global.vault.tls }} + - name: vaultca + mountPath: "/etc/ssl/certs/" + readOnly: true + {{ end }} + - name: package-manager + mountPath: /scripts/package-manager.sh + subPath: package-manager.sh + - name: openssl-config + mountPath: /openssl/openssl.conf + subPath: openssl.conf + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh + {{- end }} env: + - name: CA_URL + value: {{ include "fabric-ca-server.serverURL" . }} + - name: CA_SUBJECT + value: "{{ .Values.server.subject }}/CN={{ include "fabric-ca-server.serverURL" . 
}}" + - name: COMPONENT_NAME + value: {{ .Release.Namespace }} + {{- if eq .Values.global.vault.type "hashicorp" }} - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: "{{ .Values.global.vault.address }}" - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: "{{ .Values.global.vault.role }}" - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: "{{ .Values.global.vault.authPath }}" - name: VAULT_SECRET_ENGINE value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX value: "{{ .Values.global.vault.secretPrefix }}" - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: MOUNT_PATH - value: /secret + value: "{{ .Values.global.vault.type }}" + {{- end }} command: ["sh", "-c"] args: - |- - #!/usr/bin/env sh + + . /scripts/package-manager.sh + # Define the packages to install + packages_to_install="jq curl openssl kubectl" + install_packages "$packages_to_install" + + formatCertificate () { + NAME="${1##*/}" + while IFS= read -r line + do + echo "$line\n" + done < ${1} > ${2}/${NAME}.txt + } {{- if eq .Values.global.vault.type "hashicorp" }} - source /scripts/bevel-vault.sh + . /scripts/bevel-vault.sh + echo "Getting vault Token..." # Calling a function to retrieve the vault token. 
vaultBevelFunc "init" - - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" + function safeWriteSecret { + path=$1 + key=$2 + # Check if certs already exist in Vault + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + # Create the Kubernetes Secret with data from Vault + echo "Secret found in Vault, only creating k8s secrets" + ca_cert=$(echo ${VAULT_SECRET} | jq -r ".[\"rootca_pem\"]") + echo "${ca_cert}" > ${path}/server.crt + + ca_key=$(echo ${VAULT_SECRET} | jq -r ".[\"rootca_key\"]") + echo "${ca_key}" > ${path}/server.key + else + echo "Secret to be created on Vault and k8s" + # Store the value in Vault + FORMAT_CERTIFICATE_PATH="${path}/formatcertificate" + mkdir -p ${FORMAT_CERTIFICATE_PATH} + formatCertificate "${path}/server.key" "${FORMAT_CERTIFICATE_PATH}" + formatCertificate "${path}/server.crt" "${FORMAT_CERTIFICATE_PATH}" - ca_cert=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.${COMPONENT_NAME}-cert.pem\"]") - echo "${ca_cert}" > ${MOUNT_PATH}/server.crt + PEM_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/server.crt.txt) + KEY_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/server.key.txt) - ca_key=$(echo ${VAULT_SECRET} | jq -r ".[\"${COMPONENT_NAME}-CA.key\"]") - echo "${ca_key}" > ${MOUNT_PATH}/server.key - - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/credentials" - user=$(echo ${VAULT_SECRET} | jq -r ".[\"user\"]") - echo "${user}" > ${MOUNT_PATH}/user_cred + # create a JSON file for the data related to node crypto + echo " + { + \"data\": + { + \"rootca_pem\": \"${PEM_CERTIFICATE}\", + \"rootca_key\": \"${KEY_CERTIFICATE}\" + } + }" > payload.json + + # Calling a function to write secrets to the vault. 
+ vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" 'payload.json' + rm payload.json + + fi + # Create the Kubernetes Secret using kubectl after secrets ae stored in Vault + kubectl create secret tls ${key} --namespace ${COMPONENT_NAME} \ + --cert=${path}/server.crt \ + --key=${path}/server.key + } {{- else }} - KUBENETES_SECRET=$(kubectl get secret ca-certs --namespace ${COMPONENT_NAME} -o json) - if [ "$KUBENETES_SECRET" = "" ]; then - echo "Certficates absent in kuberenetes secrets" - exit 1 - else - CA_KEY=$(echo "$KUBENETES_SECRET" | jq -r ".data.\"ca-${COMPONENT_NAME}-key\"" | base64 -d) - CA_CERT=$(echo "$KUBENETES_SECRET" | jq -r ".data.\"ca-${COMPONENT_NAME}-cert\"" | base64 -d) - echo "${CA_KEY}" > ${MOUNT_PATH}/server.key - echo "${CA_CERT}" > ${MOUNT_PATH}/server.crt - fi - KUBENETES_SECRET=$(kubectl get secret ca-credentials --namespace ${COMPONENT_NAME} -o json) - if [ "$KUBENETES_SECRET" = "" ]; then - echo "Certficates absent in kuberenetes secrets" - exit 1 + function safeWriteSecret { + path=$1 + key=$2 + # Create the Kubernetes Secret using kubectl + kubectl create secret tls ${key} --namespace ${COMPONENT_NAME} \ + --cert=${path}/server.crt \ + --key=${path}/server.key + } +{{- end }} + kubectl get secret --namespace {{ .Release.Namespace }} {{ include "fabric-ca-server.name" . }}-certs -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Generating CA certs ..." + # this commands generate the CA certificate + cd /secret + openssl ecparam -name prime256v1 -genkey -noout -out server.key + openssl req -x509 -config "/openssl/openssl.conf" -new -nodes -key server.key \ + -days 1024 -out server.crt -extensions v3_req -subj "${CA_SUBJECT}" -addext "subjectAltName = DNS:${CA_URL}" + safeWriteSecret /secret {{ include "fabric-ca-server.name" . }}-certs else - CA_USER=$(echo "$KUBENETES_SECRET" | jq -r '.data.user' | base64 -d) - echo "${CA_USER}" > ${MOUNT_PATH}/user_cred + echo "CA certs already present." 
+ KUBENETES_SECRET=$(kubectl get secret {{ include "fabric-ca-server.name" . }}-certs --namespace ${COMPONENT_NAME} -o json) + if [ "$KUBENETES_SECRET" = "" ]; then + echo "Certficates absent in Kubernetes secrets" + exit 1 + else + CA_KEY=$(echo "$KUBENETES_SECRET" | jq -r ".data.\"tls.key\"" | base64 -d) + CA_CERT=$(echo "$KUBENETES_SECRET" | jq -r ".data.\"tls.crt\"" | base64 -d) + echo "${CA_KEY}" > /secret/server.key + echo "${CA_CERT}" > /secret/server.crt + fi fi - -{{- end }} - volumeMounts: - - name: certificates - mountPath: /secret - {{ if .Values.global.vault.tls }} - - name: vaultca - mountPath: "/etc/ssl/certs/" - readOnly: true - {{ end }} - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh containers: - name: ca - image: {{ $.Values.image.ca }} + image: {{ .Values.image.ca }} imagePullPolicy: IfNotPresent command: ["sh", "-c"] args: @@ -180,7 +206,7 @@ spec: cp /custom-config/fabric-ca-server-config.yaml $FABRIC_CA_HOME/fabric-ca-server-config.yaml fabric-ca-server start --config $FABRIC_CA_HOME/fabric-ca-server-config.yaml -d else - sleep 1 && fabric-ca-server start -b {{ $.Values.server.admin }}:`cat /etc/hyperledger/fabric-ca-server-config/user_cred` -d + sleep 1 && fabric-ca-server start -b {{ .Values.server.adminUsername }}:{{ .Values.server.adminPassword }} -d fi ports: - containerPort: 7054 @@ -195,7 +221,7 @@ spec: - name: FABRIC_CA_SERVER_CA_KEYFILE value: /etc/hyperledger/fabric-ca-server-config/server.key - name: FABRIC_CA_SERVER_TLS_ENABLED - value: "{{ $.Values.server.tlsStatus }}" + value: "{{ .Values.server.tlsStatus }}" - name: FABRIC_CA_SERVER_DEBUG value: "true" - name: FABRIC_CA_SERVER_TLS_CERTFILE 
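Review bot: The init container now installs `jq curl openssl kubectl` from the network on every pod start (`install_packages "$packages_to_install"`), so bootstrapping the root CA depends on egress and on whatever unpinned package versions the repository serves that day; tooling used to generate a root key belongs in a pinned image. The script also runs without `set -e`, so a failure in `install_packages` or `openssl ecparam` is not fatal and `safeWriteSecret` can be reached with a missing or partial `server.key`; add `set -e` as the first line of the script and check `openssl`'s exit status before anything is written to Vault or a Secret. The `-days 1024` root-CA lifetime is hard-coded and would be better as a `server.caValidityDays` value with the current default. The enclosing StatefulSet `spec` continues beyond this hunk.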
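Review bot: The admin bootstrap credential moves from a file populated by the init container (`cat .../user_cred`) into the container args, `fabric-ca-server start -b {{ .Values.server.adminUsername }}:{{ .Values.server.adminPassword }}`, so the CA admin password is now visible in the rendered StatefulSet, in the Helm release record, and in `ps` output inside the pod. Keep it in a Secret, inject it with `valueFrom.secretKeyRef` into env vars, and start with `-b "${CA_ADMIN_USER}:${CA_ADMIN_PASS}"`. The `adminpw` default should be documented as must-override. The `if`/`else` this line sits in starts outside the hunk.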
@@ -212,7 +238,55 @@ spec: readOnly: true - name: ca-server-db-pvc mountPath: /var/hyperledger/fabric-ca-server/db/ - {{- if (not (empty .Values.server.configpath)) }} + {{- if (not (empty .Values.server.configPath)) }} - name: {{ .Release.Name }}-config-volume mountPath: /custom-config/ {{- end }} + volumes: + - name: certificates + emptyDir: + medium: Memory + {{- if (not (empty .Values.server.configPath)) }} + - name: {{ .Release.Name }}-config-volume + configMap: + name: {{ .Release.Name }}-config + items: + - key: fabric-ca-server-config.yaml + path: fabric-ca-server-config.yaml + {{- end }} + {{ if .Values.global.vault.tls }} + - name: vaultca + secret: + secretName: "{{ .Values.global.vault.tls }}" + items: + - key: ca-crt.pem + path: ca-certificates.crt + {{- end }} + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + configMap: + name: bevel-vault-script + defaultMode: 0777 + {{- end }} + - name: package-manager + configMap: + name: package-manager + defaultMode: 0777 + - name: openssl-config + configMap: + name: openssl-config-file + defaultMode: 0775 + items: + - key: openssl.conf + path: openssl.conf + volumeClaimTemplates: + - metadata: + name: ca-server-db-pvc + labels: + {{- include "labels.pvc" . | nindent 8 }} + spec: + accessModes: ["ReadWriteOnce"] + storageClassName: storage-{{ .Release.Name }} + resources: + requests: + storage: "{{ .Values.storage.size }}" diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml index f09907c20be..ade6983421f 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml 
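Review bot: `defaultMode: 0777` on the new `scripts-volume` and `package-manager` configMap volumes grants write and execute bits to everyone, which is more than a mounted script needs and shows up in policy scanners as a world-writable mode; `defaultMode: 0555` (or `0755`, closer to the `0775` already used for `openssl-config`) is sufficient, and configMap mounts are read-only regardless. The `vaultca` volume uses a non-trimming `{{ if .Values.global.vault.tls }}` while the neighbouring blocks use `{{- if`, so the rendered manifest gets an extra whitespace line there; harmless, but `{{- if .Values.global.vault.tls }}` keeps the file consistent. The `volumeClaimTemplates` entry places the CA server's database (mounted at `/var/hyperledger/fabric-ca-server/db/` above) on a per-release storage class, so the `reclaimPolicy` chosen in values.yaml decides whether that state survives `helm uninstall`.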
@@ -23,6 +23,8 @@ global: #Provide the vaultrole for an organization #Eg. vaultrole: org1-vault-role role: vault-role + #Provide the network type + network: fabric #Provide the vault server address #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com address: @@ -33,31 +35,27 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Enable or disable TLS for vault communication + #Enable or disable TLS for Vault communication #Eg. tls: true - tls: + tls: false - proxy: - #This will be the proxy/ingress provider. Can have values "haproxy" or "none" - #Eg. provider: "haproxy" - provider: haproxy - #This field specifies the external url for the organization - #Eg. externalUrlSuffix: test.blockchaincloudpoc.com - externalUrlSuffix: test.blockchaincloudpoc.com - -cacerts: - ca: - #Provide organization's name - orgName: supplychain - #Provide the subject of the services ca organization's - #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=carrier-net" - subject: /C=GB/ST=London/L=London/O=Orderer - # Flag to ensure the certificates secrets are removed on helm uninstall + proxy: + #This will be the proxy/ingress provider. Can have values "haproxy" or "none" + #Eg. provider: "haproxy" + provider: haproxy + #This field specifies the external url for the organization + #Eg. externalUrlSuffix: test.blockchaincloudpoc.com + externalUrlSuffix: test.blockchaincloudpoc.com storage: #Provide the size for CA #Eg. size: 512Mi size: 512Mi + # NOTE: when you set this to Retain, the volume WILL persist after the chart is delete and you need to manually delete it + reclaimPolicy: "Delete" # choose from: Delete | Retain + volumeBindingMode: Immediate # choose from: Immediate | WaitForFirstConsumer + allowedTopologies: + enabled: false image: #Provide the valid image name and version to read certificates from vault server 
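Review bot: The comment kept above the new `tls: false` (`#Enable or disable TLS for Vault communication` / `#Eg. tls: true`) does not describe how this commit's fabric-ca-server template consumes the value: the `vaultca` volume renders `secretName: "{{ .Values.global.vault.tls }}"` and expects a key `ca-crt.pem` in that Secret, so following the example and setting `tls: true` would produce a Secret reference named `true`. Suggest rewording the two comment lines to `# Name of the Kubernetes Secret (key ca-crt.pem) holding the Vault CA certificate` and `# Eg. tls: vault-ca-secret ; leave false when no custom CA is needed` (example name constructed). For the new `reclaimPolicy: "Delete"` default, the NOTE above it could state plainly that the CA server's database volume is destroyed on uninstall unless `Retain` is chosen, since that is the value most operators will want to review.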
@@ -71,30 +69,34 @@ image: pullSecret: server: - #Provide the value for tlsStatus to be true or false for deployment + # Flag to ensure the certificates secrets are removed on helm uninstall + removeCertsOnDelete: true + #Provide the value for tls setting for CA server #Eg. tlsStatus: true tlsStatus: true - #Provide the admin name for CA server - #Eg. admin: admin - admin: admin + #Provide the admin username for CA server + #Eg. adminUsername: admin + adminUsername: admin + #Provide the admin password for CA server + adminPassword: adminpw + #Provide the subject of the services ca organization's + #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=carrier-net" + subject: "/C=GB/ST=London/L=London/O=Orderer" # Provide the path for Fabric CA Server Config - # Eg. configpath: conf/ca-config-default.yaml - -service: - ports: - tcp: - #Provide tcp node port to be exposed for ca server - #Eg. nodePort: 30007 - nodePort: - #Provide tcp cluster IP port to be exposed for ca server - #Eg. clusterIpPort: 7054 - clusterIpPort: 7054 - -settings: - # Flag to ensure the certificates secrets are removed on helm uninstall - removeCertsOnDelete: true + # Eg. configPath: conf/ca-config-default.yaml + configPath: + #Provide tcp node port to be exposed for ca server + #Eg. nodePort: 30007 + nodePort: + #Provide tcp cluster IP port to be exposed for ca server + #Eg. clusterIpPort: 7054 + clusterIpPort: 7054 +# Provide additional labels in array format labels: + #Eg. service: + # - label1: value1 + # - label2: value2 service: [] pvc: [] deployment: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore deleted file mode 100644 index 014fa775608..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore +++ /dev/null 
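Review bot: `adminPassword: adminpw` ships a working default bootstrap credential for the CA server, and the template in this commit passes it on the `fabric-ca-server start -b` command line, so a release installed without overriding it gets a guessable CA admin password that is also visible in the pod spec. Prefer no usable default — `adminPassword: ""` with a comment that it must be set — and guard the template with `{{ required "server.adminPassword must be set" .Values.server.adminPassword }}`, or better, let the chart reference an existing Secret instead of a plain value. `nodePort:` and `configPath:` are bare empty values and parse as null; that works with the template's `empty` check but is clearer written as `""` when a string is intended.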
@@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -generated_config/ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml deleted file mode 100644 index eb70defb6cc..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml +++ /dev/null @@ -1,26 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -name: fabric-cacerts-gen -description: "Hyperledger Fabric: Generates CA Server certs." -version: 1.0.0 -appVersion: latest -keywords: - - bevel - - ethereum - - fabric - - hyperledger - - enterprise - - blockchain - - deployment - - accenture -home: https://hyperledger-bevel.readthedocs.io/en/latest/ -sources: - - https://github.com/hyperledger/bevel -maintainers: - - name: Hyperledger Bevel maintainers - email: bevel@lists.hyperledger.org diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/README.md b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/README.md deleted file mode 100644 index 26e99913dc2..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/README.md +++ /dev/null 
@@ -1,174 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - - -# Generate Cacerts Hyperledger Fabric Deployment - -- [Generate Cacerts Hyperledger Fabric Deployment Helm Chart](#generate-cacerts-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - - -## Generate Cacerts Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-cacerts-gen) to generate CA Server certs. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. - - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -fabric-cacerts-gen/ - |- templates/ - |- _helpers.yaml - |- job.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `job.yaml`: The init-check-certificates checks if the certificates are present in the Vault server. If the certificates are not present, the cacerts generates and uploads CA certificates and admin credentials to Vault. 
-- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - - -### Metadata - -| Name | Description | Default Value | -| ---------------------| -------------------------------------------------------------------------- | --------------------------------------------------| -| namespace | Namespace for the organization's peer | org1-net | -| name | Organization's name | org1 | -| component_name | Organization's component name | org1-net | -| images.alpineutils | Valid image name and version to read certificates from the vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Custom labels for the organization | "" | - -### Vault - -| Name | Description | Default Value | -| --------------------------| ------------------------------------------------ | -----------------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault server address | "" | -| authpath | Kubernetes auth backend configured in vault | devorg1-net-auth | -| secretcryptoprefix | Vault secret prefix for crypto | secrets/secretsv2/data/crypto/ordererOrganizations/org1-net/ca | -| secretcredentialsprefix | Vault secret prefix for credentials | secrets/secretsv2/data/credentials/org1-net/ca/smari | -| serviceaccountname | Service account name for vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for vault | "" | - -### CA - -| Name | Description | Default Value | -| 
---------| ------------------------------------------------ | --------------------------------------------------------| -| subject | Subject of the services CA organization's | /C=GB/ST=London/L=London/O=Orderer/CN=ca.org1-net | - - - -## Deployment ---- - -To deploy the fabric-cacerts-gen Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-cacerts-gen - ``` -Replace `` with the desired name for the release. - -This will deploy the fabric-cacerts-gen node to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the deployment, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the Job was created. This command will display information about the Job, including the number of completions and the current status of the Job's pods. - - - -## Updating the Deployment ---- - -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-cacerts-gen -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-cacerts-gen node is up to date. - - - -## Deletion ---- - -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. 
- - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Generate Cacerts Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cacerts-gen), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). - - - -## License - -This chart is licensed under the Apache v2.0 license. - -Copyright © 2023 Accenture - -### Attribution - -This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: - -``` -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl deleted file mode 100644 index 50542fe2e53..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "fabric-cacerts-gen.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "fabric-cacerts-gen.fullname" -}} -{{- $name := default .Chart.Name -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "fabric-cacerts-gen.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml deleted file mode 100644 index 3dc1dbe44b6..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: openssl-config-file - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: fabric-cacerts-gen-job - app.kubernetes.io/component: fabric-cacerts-gen-job - app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm -data: - openssl.conf: |- - [req] - req_extensions = v3_req - distinguished_name = dn - - [dn] - - [v3_req] - basicConstraints = critical, CA:TRUE - keyUsage = critical,digitalSignature, keyEncipherment, keyCertSign, cRLSign - subjectKeyIdentifier = hash - diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml deleted file mode 100644 index a4c336da1e1..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "fabric-cacerts-gen.name" . }}-init - labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: fabric-cacerts-gen-job - app.kubernetes.io/component: fabric-cacerts-gen-job - app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm - namespace: {{ .Release.Namespace }} -spec: - backoffLimit: 6 - template: - metadata: - labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: fabric-cacerts-gen-job - app.kubernetes.io/component: cacerts-gen-job - app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/managed-by: helm - spec: - serviceAccountName: {{ .Values.global.serviceAccountName }} - restartPolicy: OnFailure - imagePullSecrets: - {{- if .Values.image.pullSecret }} - - name: {{ .Values.image.pullSecret }} - {{- end }} - volumes: - - name: scripts-volume - configMap: - name: bevel-vault-script - - name: package-manager - configMap: - name: package-manager - - name: openssl-config - configMap: - name: openssl-config-file - defaultMode: 0775 - items: - - key: openssl.conf - path: openssl.conf - containers: - - name: "cacerts" - image: {{ $.Values.image.alpineUtils }} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} - - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} - - name: VAULT_SECRET_ENGINE - value: "{{ .Values.global.vault.secretEngine }}" - - name: VAULT_SECRET_PREFIX - value: "{{ .Values.global.vault.secretPrefix }}" - - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: ORG_NAME - value: {{ 
$.Values.ca.orgName }} - - name: CA_URL - value: {{ .Release.Name }}.{{ .Release.Namespace }} - - name: CA_SUBJECT - value: "{{ $.Values.ca.subject }}/CN={{ .Release.Name }}.{{ .Release.Namespace }}" - command: ["sh", "-c"] - args: - - |- - . /scripts/package-manager.sh - # Define the packages to install - packages_to_install="jq curl openssl kubectl" - install_packages "$packages_to_install" - - formatCertificate () { - NAME="${1##*/}" - while IFS= read -r line - do - echo "$line\n" - done < ${1} > ${2}/${NAME}.txt - } - -{{- if eq .Values.global.vault.type "hashicorp" }} - . /scripts/bevel-vault.sh - echo "Getting vault Token..." - vaultBevelFunc "init" - #Read if genesis exists in Vault - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" - function safeWriteSecret { - key=$1 - FORMAT_CERTIFICATE_PATH="/formatcertificate" - mkdir -p ${FORMAT_CERTIFICATE_PATH} - formatCertificate "${COMPONENT_NAME}-CA.key" "${FORMAT_CERTIFICATE_PATH}" - formatCertificate "ca.${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}" - - PEM_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/ca.${COMPONENT_NAME}-cert.pem.txt) - KEY_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/${COMPONENT_NAME}-CA.key.txt) - - # create a JSON file for the data related to node crypto - echo " - { - \"data\": - { - \"ca.${COMPONENT_NAME}-cert.pem\": \"${PEM_CERTIFICATE}\", - \"${COMPONENT_NAME}-CA.key\": \"${KEY_CERTIFICATE}\" - } - }" > payload.json - - # Calling a function to write secrets to the vault. - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" 'payload.json' - rm payload.json - } - -{{- else }} - function safeWriteSecret { - key=$1 - kubectl get secret ${key}-certs --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? 
-ne 0 ]; then - kubectl create secret generic ${key}-certs --namespace ${COMPONENT_NAME} --from-file=ca-${COMPONENT_NAME}-key=${COMPONENT_NAME}-CA.key \ - --from-file=ca-${COMPONENT_NAME}-cert=ca.${COMPONENT_NAME}-cert.pem - fi - } -{{- end }} - - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "The certificates are already created, skipping..." - else - - # this commands generate the CA certificate - openssl ecparam -name prime256v1 -genkey -noout -out ${COMPONENT_NAME}-CA.key - openssl req -x509 -config "/openssl/openssl.conf" -new -nodes -key ${COMPONENT_NAME}-CA.key -days 1024 -out ca.${COMPONENT_NAME}-cert.pem -extensions v3_req -subj "${CA_SUBJECT}" -addext "subjectAltName = DNS:${CA_URL}" - - safeWriteSecret ca - - fi - -{{- if eq .Values.global.vault.type "hashicorp" }} - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/credentials" - function safeWriteCredentials { - key=$1 - echo " - { - \"data\": - { - \"user\": \"${ORG_NAME}-adminpw\" - } - }" > payload.json - - # Calling a function to write a secret to the vault. - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" 'payload.json' - # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" - } -{{- else }} - function safeWriteCredentials { - key=$1 - kubectl get secret ca-${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? -ne 0 ]; then - kubectl create secret generic ca-${key} --namespace ${COMPONENT_NAME} --from-literal=user="${ORG_NAME}-adminpw" - fi - } -{{- end }} - - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "The credentials are already created, skipping..." 
- else - safeWriteCredentials credentials - fi - volumeMounts: - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - - name: package-manager - mountPath: /scripts/package-manager.sh - subPath: package-manager.sh - - name: openssl-config - mountPath: /openssl/openssl.conf - subPath: openssl.conf diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml deleted file mode 100644 index 7d54f459929..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. ---- -# The following are for overriding global values -global: - #Provide the service account name which will be created. - serviceAccountName: vault-auth - cluster: - provider: aws # choose from: minikube | aws | azure | gcp - cloudNativeServices: false # only 'false' is implemented - vault: - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the vaultrole for an organization - #Eg. vaultrole: org1-vault-role - role: vault-role - #Provide the network type - network: fabric - #Provide the vault server address - #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the kubernetes auth backed configured in vault for an organization - #Eg. authpath: supplychain - authPath: supplychain - #Provide the secret engine. - secretEngine: secretsv2 - #Provide the vault path where the secrets will be stored - secretPrefix: "data/supplychain" - -image: - #Provide the valid image name and version to read certificates from vault server - #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the secret to use if private repository - #Eg. pullSecret: regcred - pullSecret: - -ca: - #Provide organization's name - orgName: supplychain - #Provide the subject of the services ca organization's - #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=supplychain-net" - subject: /C=GB/ST=London/L=London/O=Orderer - # Flag to ensure the certificates secrets are removed on helm uninstall 
diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml index 1256cb248cb..8a692565134 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml @@ -6,12 +6,12 @@ apiVersion: v1 name: fabric-catools -description: "Hyperledger Fabric: Deploys a Fabric CA tools." -version: 1.0.0 +description: "Hyperledger Fabric: Generates Fabric Certificates and Keys" +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/README.md b/platforms/hyperledger-fabric/charts/fabric-catools/README.md index 89e81b97909..a77580f726d 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-catools/README.md 
@@ -3,233 +3,117 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# CA Tools Hyperledger Fabric Deployment +# fabric-catools -- [CA Tools Hyperledger Fabric Deployment Helm Chart](#ca-tools-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-catools chart creates job(s) to generate the certificates and keys required for Hyperledger Fabric network. If enabled, the keys are then stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## CA Tools Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-catools) to deploy Fabric CA tools. - +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install catools bevel/fabric-catools +``` - ## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. 
+- Kubernetes 1.19+ +- Helm 3.2.0+ +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ - -## Chart Structure ---- -The structure of the Helm chart is as follows: +## Installing the Chart -``` -fabric-catools/ - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- deployment.yaml - |- volume.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` +To install the chart with the release name `catools`: -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Contains definitions for six different configmaps. These configmaps will be used by the main and store-vault containers through volume mounting to support their respective tasks. -- `deployment.yaml`: The init-container generates the cryptographic material for the Fabric CA server and checks if the cryptographic material already exists in Vault. If it does, the init-container will skip the generation process. The main container runs the Fabric CA server, issues certificates to clients in the organization, and has a liveness probe that checks if the Fabric CA server is running. The store-vault container stores the cryptographic material in Vault, Checks if any certificates have not been stored correctly. -- `volume.yaml`: Defines 2 persistent volume to store the data. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install catools bevel/fabric-catools +``` +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
- -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: +> **Tip**: List all releases using `helm list` -### Metadata +## Uninstalling the Chart -| Name | Description | Default Value | -| ----------------------| --------------------------------------------------| ------------------- | -| namespace | Namespace for CA deployment | org1-net | -| name | Name for CA server deployment | ca-tools | -| component_type | Organization's type (orderer or peer) | orderer | -| org_name | Organization's name in lowercase | org1 | -| proxy | Proxy/ingress provider (haproxy or none) | haproxy | +To uninstall/delete the `catools` deployment: -### Replica +```bash +helm uninstall catools +``` -| Name | Description | Default Value | -| ----------------------| --------------------------- | ---------------| -| replicaCount | Number of replica pods | 1 | +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. 
Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | +| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `haproxy` | `haproxy` | +| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Fabric GRPC services will be available | `test.blockchaincloudpoc.com` | ### Image -| Name | Description | Default Value | -| --------------| ------------------------------------------------------------------------| ----------------------------------------------------| -| repository | Image name for the server container | ghcr.io/hyperledger/bevel-fabric-ca-tools:1.2.1 | -| pullPolicy | Image pull policy | IfNotPresent | -| alpineutils | Valid image name and version to read certificates from the vault server | ghcr.io/hyperledger/bevel-alpine:latest | - - -### Annotations - -| Name | Description | Default Value | -| ---------------| --------------------------------------|-----------------| -| pvc | Extra annotations for PVC | "" | -| deployment | Extra annotations for Deployment | "" | - -### Storage - -| Name | Description | Default Value | -| ----------------------| --------------------------- | ------------------- | -| storageclassname | Storage class name | aws-storageclass | -| size | Storage size for CA | 512Mi | - -### Vault - -| Name | Description | Default Value | -| ----------------------| ------------------------------------------------------------------|-----------------------------------| -| role | 
Vault role for an organization | vault-role | -| address | Vault server address | "" | -| authpath | Kubernetes auth backend configured in vault for an organization | devorg1-net-auth | -| secretusers | Path configured in vault for users certificates | secretsv2/data/crypto/ordererOrganizations/org1-net/users | -| secretorderer | Path configured in vault for orderers | secretsv2/data/crypto/ordererOrganizations/org1-net/orderers | -| secretpeerorderertls | Path configured in vault for peer orderer TLS | secretsv2/data/crypto/peerOrganizations/org1-net/orderer/tls | -| secretcert | Path configured in vault for CA server certificate | secretsv2/data/crypto/ordererOrganizations/org1-net/ca?ca.org1-net-cert.pem | -| secretkey | Path configured in vault for CA server private key | secretsv2/data/crypto/ordererOrganizations/org1-net/ca?org1-net-CA.key | -| secretconfigfile | Path configured in vault for MSP config.yaml file | secretsv2/data/crypto/ordererOrganizations/org1-net/msp/config | -| secretcouchdb | Path configured in vault for CouchDB credentials | secretsv2/data/credentials/org1-net/couchdb/org1 | -| serviceaccountname | Service account name for Vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for Vault | "" | - -### HealthCheck - -| Name | Description | Default Value | -| ----------------------| --------------------------------------------------------------------------| ---------------| -| retries | Number of times to retry fetching from/writing to Vault before giving up | 10 | -| sleepTimeAfterError | Time in seconds to wait after an error occurs when interacting with Vault | 15 | - -### Org_data - -| Name | Description | Default Value | -| ----------------------| ----------------------------------| ----------------| -| external_url_suffix | External URL of the organization | org1proxy.blockchaincloudpoc.com | -| componentSubject | Organization's subject | "" | -| certSubject | Organization's 
subject | "" | -| componentCountry | Organization's country | UK | -| componentState | Organization's state | London | -| componentLocation | Organization's location | London | - -### Orderers - -| Name | Description | Default Value | -| ---------------| --------------------------------------| ---------------| -| name | Orderer's name | orderer1 | -| orderers_info | Orderer's names and CA certificates | "" | - -### Peers - -| Name | Description | Default Value | -| --------------| --------------------------- | -----------------| -| name | Peer's name | peer1 | -| peerCount | Total number of peers | 4 | - -### Users - -| Name | Description | Default Value | -| ----------------------| --------------------------- | ----------------| -| usersList | Base64 encoded list of users | "" | -| usersIdentities | List of user identities | "" | - -### Checks - -| Name | Description | Default Value | -| ----------------------| --------------------------- | ------------------- | -| refresh_cert_value | Refresh user certificates | false | -| addPeerValue | Add a peer to an existing network | false | - +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.caTools` | Fabric CA Tools image repository and tag | `ghcr.io/hyperledger/bevel-fabric-ca:latest` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | - -## Deployment ---- +### OrgData -To deploy the fabric-catools Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml) file to set the desired configuration values. -2. 
Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-catools - ``` -Replace `` with the desired name for the release. - -This will deploy the fabric-catools node to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the deployment, we can use the following command: -``` -$ kubectl get deployments -n -``` -Replace `` with the actual namespace where the deployment was created. The command will display information about the deployment, including the number of replicas and their current status. +| Name | Description | Default Value | +|--------|---------|-------------| +| `orgData.caAddress` | Address of the CA Server without https | `""` | +| `orgData.caAdminUser` | CA Admin Username | `supplychain-admin` | +| `orgData.caAdminPassword` | CA Admin Password | `supplychain-adminpw` | +| `orgData.orgName` | Organization Name | `supplychain` | +| `orgData.type` | Type of certificate to generate, choosed from `orderer` or `peer` | `orderer` | +| `orgData.componentSubject` | X.509 subject for the organization | `"O=Orderer,L=51.50/-0.13/London,C=GB"` | +### Users - -## Updating the Deployment ---- +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `users.usersList` | Array of Users with their attributes | `- identity: user1`
`attributes:`
`- key: "hf.Revoker"`
`value: "true"` | +| `users.usersListAnsible` | Base64 encoded list of Users generally passed from Ansible | `""` | -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-catools -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-catools node is up to date. +### Settings - -## Deletion ---- +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `settings.createConfigMaps` | Flag to create configmaps. Must be set to `false` for additional orderers/peers in the same organization. | `true` | +| `settings.refreshCertValue` | Flag to refresh User certificates | `false` | +| `settings.addPeerValue` | Flag to be used when adding a new peer to the organization | `false` | +| `settings.removeCertsOnDelete` | Flag to delete the user and peer certificates on uninstall | `false` | +| `settings.removeOrdererTlsOnDelete` | Flag to delete the orderer TLS certificates on uninstall | `false` | -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +### Labels - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [CA Tools Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-catools), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). 
+| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `labels.service` | Array of Labels for service object | `[]` | +| `labels.pvc` | Array of Labels for PVC object | `[]` | +| `labels.deployment` | Array of Labels for deployment or statefulset object | `[]` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl index d4e68a15afc..89092a8c24e 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl @@ -28,31 +28,27 @@ Create chart name and version as used by the chart label. {{- end -}} {{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.deployment }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.service }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.pvc }} +{{ toYaml $value }} {{- end }} {{- end }} + +{{/* +Create server name depending on proxy +*/}} +{{- define "fabric-catools.caFileName" -}} +{{- $serverAddress := .Values.orgData.caAddress | replace "." "-" | replace ":" "-" -}} +{{- printf "%s.pem" $serverAddress -}} +{{- end -}} 
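Review bot: The rewritten `labels.deployment`, `labels.service` and `labels.pvc` helpers drop both the `{{- if $.Values.labels }}` guard and the per-value `| quote`, so a release that overrides `labels` with null would fail to render with a nil-pointer error, and a label value written in values as a YAML boolean or number (say `tier: 1`) is now emitted bare by `toYaml`, which Kubernetes rejects because label values must be strings. Restoring the inner `{{ $k }}: {{ $v | quote }}` loop the old body had, or wrapping the range in `{{- with .Values.labels }} … {{- end }}`, keeps both the nil case and the typed-value case safe. The helpers also emit each item at column 0, so they presumably only work when the caller pipes them through `nindent`; worth confirming at the include sites. The doc comment on `fabric-catools.caFileName` ("Create server name depending on proxy") does not match what the helper does, since it never reads the proxy settings; suggest `{{/* Derive the CA TLS cert file name from orgData.caAddress (host:port, no scheme) by replacing '.' and ':' with '-' */}}`.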
diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml
index 6d389fdfc1b..12ddce59656 100644
--- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
-
+{{- if .Values.settings.createConfigMaps }}
 ---
 apiVersion: v1
 kind: ConfigMap
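Review bot: The `{{- if .Values.settings.createConfigMaps }}` opened here has no matching `{{- end }}` in any visible hunk; presumably it closes at the end of the file, but it is worth confirming because an unclosed `if` fails the whole chart render rather than just this ConfigMap. A short comment above it would also help the next reader, since the README in this same commit says the flag must be `false` for additional orderers/peers in the same organization: `{{/* Skip the ConfigMaps when another release in this org already created them (settings.createConfigMaps=false) */}}`.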
@@ -20,97 +20,87 @@ metadata: data: generate-crypto-orderer.sh: |- #!/bin/bash - + # IMP: Do not add newline before the #!/bin/bash line above as then the shell scripts don't work set -x CURRENT_DIR=${PWD} FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.global.proxy.externalUrlSuffix }}") - ORG_NAME="{{ .Values.orgData.orgName }}" - SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" - SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" - CA="${ORG_NAME}-ca.{{ .Release.Namespace }}:7054" - CA_ADMIN_USER="${ORG_NAME}-admin" - CA_ADMIN_PASS="${ORG_NAME}-adminpw" + SUBJECT="{{ .Values.orgData.componentSubject }}" + AFFILIATION="{{ .Values.orgData.orgName }}" + CA="{{ .Values.orgData.caAddress }}" + CA_ADMIN_USER="{{ .Values.orgData.caAdminUser }}" + CA_ADMIN_PASS="{{ .Values.orgData.caAdminPassword }}" ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" - ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" + CAS_FOLDER="${HOME}/ca-tools/cas/ca" + ORG_HOME="${HOME}/ca-tools/org" ## Enroll CA administrator for Org. 
This user will be used to create other identities - fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT}" ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts cp ${ORG_CYPTO_FOLDER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/msp/tlscacerts - ## Register and enroll admin for Org and populate admincerts for MSP - fabric-ca-client register -d --id.name ${ORG_ADMIN_USER} --id.secret ${ORG_ADMIN_PASS} --id.type admin --csr.names "${SUBJECT_PEER}" --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.AffiliationMgr=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} + if [ ! -e /crypto-config/admin-msp-exists ] || [ ! 
-e /crypto-config/admin-tls-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Add affiliation for organisation + fabric-ca-client affiliation add ${AFFILIATION} -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} + ## Register and enroll admin for Org and populate admincerts for MSP + fabric-ca-client register -d --id.name ${ORG_ADMIN_USER} --id.secret ${ORG_ADMIN_PASS} --id.type admin --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.AffiliationMgr=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} - fabric-ca-client enroll -d -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT}" - mkdir -p ${ORG_CYPTO_FOLDER}/msp/admincerts - cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem - - mkdir ${ORG_HOME}/admin/msp/admincerts - cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_HOME}/admin/msp/admincerts/${ORG_ADMIN_USER}-cert.pem + mkdir -p ${ORG_CYPTO_FOLDER}/msp/admincerts + cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem - mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} + mkdir ${ORG_HOME}/admin/msp/admincerts + cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_HOME}/admin/msp/admincerts/${ORG_ADMIN_USER}-cert.pem - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem 
${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi + mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} + cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - # Get TLS cert for admin and copy to appropriate location - fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + # Get TLS cert for admin and copy to appropriate location + fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" - # Copy the TLS key and cert to the appropriate place - mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls - cp ${ORG_HOME}/admin/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.key - cp ${ORG_HOME}/admin/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.crt - cp ${ORG_HOME}/admin/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/ca.crt + # Copy the TLS key and cert to the appropriate place + mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls + cp ${ORG_HOME}/admin/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.key + cp ${ORG_HOME}/admin/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.crt + cp ${ORG_HOME}/admin/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/ca.crt + fi cd ${CURRENT_DIR} orderer-script.sh: |- #!/bin/bash - set -x CURRENT_DIR=${PWD} FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.global.proxy.externalUrlSuffix }}") - ORG_NAME="{{ .Values.orgData.orgName }}" - SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ 
.Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" - SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" - CA="${ORG_NAME}-ca.{{ .Release.Namespace }}:7054" - CA_ADMIN_USER="${ORG_NAME}-admin" - CA_ADMIN_PASS="${ORG_NAME}-adminpw" + ALTERNATIVE_ORG_NAMES=("{{ .Release.Namespace }}.svc.cluster.local" "{{ .Values.orgData.orgName }}.net" "{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}") + SUBJECT="{{ .Values.orgData.componentSubject }}" + CA="{{ .Values.orgData.caAddress }}" + CA_ADMIN_USER="{{ .Values.orgData.caAdminUser }}" + CA_ADMIN_PASS="{{ .Values.orgData.caAdminPassword }}" ORDERER_NAME=$1 ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" - ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" + CAS_FOLDER="${HOME}/ca-tools/cas/ca" + ORG_HOME="${HOME}/ca-tools/org" ## Register and enroll node and populate its MSP folder PEER="${ORDERER_NAME}.${FULLY_QUALIFIED_ORG_NAME}" @@ -125,7 +115,7 @@ data: fabric-ca-client register -d --id.name ${PEER} --id.secret ${PEER}-pw --id.type orderer --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} # Enroll to get peers TLS cert - fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/orderers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/orderers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" # Copy the TLS key and cert to the appropriate place mkdir -p ${ORG_CYPTO_FOLDER}/orderers/${PEER}/tls 
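Review bot: `ROOT_TLS_CERT` is no longer assigned in `generate-crypto-orderer.sh` (the definition was removed) yet every `--tls.certfiles ${ROOT_TLS_CERT}` still depends on it; if the job template does not inject it as an environment variable, the unquoted empty expansion makes `--tls.certfiles` swallow the following token (`--home ...`) and the client runs without the intended CA trust anchor, so a fail-fast guard at the top of the script, `: "${ROOT_TLS_CERT:?ROOT_TLS_CERT must point to the CA TLS certificate}"`, would make the dependency explicit. Separately, `.Values.orgData.caAdminPassword` is now rendered in clear text into ConfigMap data and, with `set -x` active, is echoed into the container log as part of each `https://user:password@host` enrollment URL; sourcing the password from a Secret-backed environment variable and dropping `set -x` (or bracketing the enroll/register calls with `set +x`) keeps the CA admin credential out of both the ConfigMap and the logs. Both points apply equally to `orderer-script.sh` in this hunk, to `generate-crypto-peer.sh` in the following hunk and to `generate-crypto-add-peer.sh` after it, since all four scripts take the same values. `orderer-script.sh` continues past the end of this hunk.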
@@ -136,109 +126,91 @@ data: rm -rf ${ORG_HOME}/cas/orderers/tls # Enroll again to get the peer's enrollment certificate (default profile) - fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" - + fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" # Create the TLS CA directories of the MSP folder if they don't exist. mkdir ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/tlscacerts - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi cp ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/tlscacerts # Copy the peer org's admin cert into target MSP directory mkdir -p ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/admincerts cp ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/admincerts - cd ${CURRENT_DIR} generate-crypto-peer.sh: |- #!/bin/bash - set -x CURRENT_DIR=${PWD} FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" ALTERNATIVE_ORG_NAMES=("{{ .Release.Namespace }}.svc.cluster.local" "{{ .Values.orgData.orgName }}.net" "{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}") - ORG_NAME="{{ .Values.orgData.orgName }}" EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" AFFILIATION="{{ .Values.orgData.orgName }}" - SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgNname }}" - SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" - CA="${ORG_NAME}-ca.{{ .Release.Namespace }}:7054" - CA_ADMIN_USER="${ORG_NAME}-admin" - 
CA_ADMIN_PASS="${ORG_NAME}-adminpw" + SUBJECT="{{ .Values.orgData.componentSubject }}" + CA="{{ .Values.orgData.caAddress }}" + CA_ADMIN_USER="{{ .Values.orgData.caAdminUser }}" + CA_ADMIN_PASS="{{ .Values.orgData.caAdminPassword }}" ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" - ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" + CAS_FOLDER="${HOME}/ca-tools/cas/ca" + ORG_HOME="${HOME}/ca-tools/org" ## Enroll CA administrator for Org. This user will be used to create other identities - fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT}" ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts cp ${ORG_CYPTO_FOLDER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/msp/tlscacerts + if [ ! -e /crypto-config/admin-msp-exists ] || [ ! 
-e /crypto-config/admin-tls-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Add affiliation for organisation + fabric-ca-client affiliation add ${AFFILIATION} -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} + ## Register and enroll admin for Org and populate admincerts for MSP + fabric-ca-client register -d --id.name ${ORG_ADMIN_USER} --id.secret ${ORG_ADMIN_PASS} --id.type admin --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.AffiliationMgr=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} - # Add affiliation for organisation - fabric-ca-client affiliation add ${AFFILIATION} -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} - ## Register and enroll admin for Org and populate admincerts for MSP - fabric-ca-client register -d --id.name ${ORG_ADMIN_USER} --id.secret ${ORG_ADMIN_PASS} --id.type admin --csr.names "${SUBJECT_PEER}" --id.affiliation ${AFFILIATION} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.AffiliationMgr=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} + fabric-ca-client enroll -d -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT}" - fabric-ca-client enroll -d -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT_PEER}" + mkdir -p ${ORG_CYPTO_FOLDER}/msp/admincerts + cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem - mkdir -p ${ORG_CYPTO_FOLDER}/msp/admincerts - cp ${ORG_HOME}/admin/msp/signcerts/* 
${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem + mkdir ${ORG_HOME}/admin/msp/admincerts + cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_HOME}/admin/msp/admincerts/${ORG_ADMIN_USER}-cert.pem - mkdir ${ORG_HOME}/admin/msp/admincerts - cp ${ORG_HOME}/admin/msp/signcerts/* ${ORG_HOME}/admin/msp/admincerts/${ORG_ADMIN_USER}-cert.pem + mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} + cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} + # Get TLS cert for admin and copy to appropriate location + fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem + # Copy the TLS key and cert to the appropriate place + mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls + cp ${ORG_HOME}/admin/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.key + cp ${ORG_HOME}/admin/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.crt + cp ${ORG_HOME}/admin/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/ca.crt fi - - # Get TLS cert for admin and copy to appropriate location - fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" - - # Copy the TLS key and cert to the appropriate place - mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls - cp ${ORG_HOME}/admin/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.key - cp 
${ORG_HOME}/admin/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/client.crt - cp ${ORG_HOME}/admin/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/ca.crt - - ## Register and enroll peers and populate their MSP folder - for PEER_DATA in $PEERS_NAMES + ## Register and enroll peer as per argument provided and populate their MSP folder + PEER_NAME=$1 + PEER="${PEER_NAME}.${FULLY_QUALIFIED_ORG_NAME}" + CSR_HOSTS=${PEER} + for i in "${ALTERNATIVE_ORG_NAMES[@]}" do - PEER_NAME="${PEER_DATA%%,*}" - PEER="${PEER_NAME}.${FULLY_QUALIFIED_ORG_NAME}" - CSR_HOSTS=${PEER} - for i in "${ALTERNATIVE_ORG_NAMES[@]}" - do - CSR_HOSTS="${CSR_HOSTS},${PEER_NAME}.${i}" - done - echo "Registering and enrolling $PEER with csr hosts ${CSR_HOSTS}" - + CSR_HOSTS="${CSR_HOSTS},${PEER_NAME}.${i}" + done + echo "Registering and enrolling $PEER with csr hosts ${CSR_HOSTS}" + if [ ! -e /crypto-config/$PEER_NAME-msp-exists ] || [ ! -e /crypto-config/$PEER_NAME-tls-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then # Register the peer fabric-ca-client register -d --id.name ${PEER} --id.secret ${PEER}-pw --id.type peer --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} # Enroll to get peers TLS cert - fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/peers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/peers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" # Copy the TLS key and cert to the appropriate place mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls 
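Review bot: `PEER_NAME=$1` in `generate-crypto-peer.sh` is used without checking that an argument was supplied; with an empty argument `PEER` becomes `.${FULLY_QUALIFIED_ORG_NAME}`, the marker test degrades to `/crypto-config/-msp-exists`, and the script goes on to register and enroll an identity with that malformed name at the CA. A guard before the derivation, `[ -n "${1:-}" ] || { echo "usage: generate-crypto-peer.sh <peer-name>" >&2; exit 1; }`, fails fast instead, and quoting the expansions in the test (`"/crypto-config/${PEER_NAME}-msp-exists"`) keeps it safe from word splitting. `orderer-script.sh` in the previous hunk reads `ORDERER_NAME=$1` the same way, though that line is unchanged context there. The per-peer branch of `generate-crypto-peer.sh` continues past the end of this hunk.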
@@ -249,66 +221,53 @@ data: rm -rf ${ORG_HOME}/cas/peers/tls # Enroll again to get the peer's enrollment certificate (default profile) - fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" # Create the TLS CA directories of the MSP folder if they don't exist. mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts # Copy the peer org's admin cert into target MSP directory mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi + cp ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts cp ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - done - + fi cd ${CURRENT_DIR} generate-crypto-add-peer.sh: |- #!/bin/bash - set -x CURRENT_DIR=${PWD} FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" ALTERNATIVE_ORG_NAMES=("{{ .Release.Namespace }}.svc.cluster.local" "{{ .Values.orgData.orgName }}.net" "{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}") - ORG_NAME="{{ .Values.orgData.orgName }}" EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" AFFILIATION="{{ .Values.orgData.orgName }}" - SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" - SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" - CA="${ORG_NAME}-ca.{{ .Release.Namespace }}:7054" - CA_ADMIN_USER="${ORG_NAME}-admin" - 
CA_ADMIN_PASS="${ORG_NAME}-adminpw" - NO_OF_PEERS="$PEERS_COUNT" + SUBJECT="{{ .Values.orgData.componentSubject }}" + CA="{{ .Values.orgData.caAddress }}" + CA_ADMIN_USER="{{ .Values.orgData.caAdminUser }}" + CA_ADMIN_PASS="{{ .Values.orgData.caAdminPassword }}" ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" - ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" - - NO_OF_NEW_PEERS={{ .Values.new_peerCount }} + CAS_FOLDER="${HOME}/ca-tools/cas/ca" + ORG_HOME="${HOME}/ca-tools/org" ## Enroll CA administrator for Org. This user will be used to create other identities - fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT}" ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts cp ${ORG_CYPTO_FOLDER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/msp/tlscacerts ## Enroll admin for Org and populate admincerts for MSP - fabric-ca-client enroll -d -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d -u 
https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/admin --csr.names "${SUBJECT}" # Copy existing org certs mkdir -p ${ORG_CYPTO_FOLDER}/msp/admincerts @@ -320,12 +279,8 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi - # Get TLS cert for admin and copy to appropriate location - fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_ADMIN_USER}:${ORG_ADMIN_PASS}@${CA} -M ${ORG_HOME}/admin/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" # Copy the TLS key and cert to the appropriate place mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls 
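Review bot: The new `CA_ADMIN_PASS="{{ .Values.orgData.caAdminPassword }}"` in generate-crypto-add-peer.sh renders the CA administrator password in clear text into a script stored under `data:` of what appears to be a ConfigMap, so anyone who can read that object or the Helm release history obtains the credential; the same value is then placed in the `-u https://user:pass@host` URL of every `fabric-ca-client` call while `-d` debug logging is on, where debug output may echo it. Prefer injecting it from a mounted Secret via the job spec, e.g. `CA_ADMIN_PASS="${CA_ADMIN_PASS:?CA admin password not provided}"`, and drop `-d` outside troubleshooting. Separately, this hunk deletes the `ROOT_TLS_CERT=...` assignment but the retained `--tls.certfiles ${ROOT_TLS_CERT}` arguments still reference it; unless the job environment now exports it, the unquoted empty expansion makes `--home` the value of `--tls.certfiles`. If it is intentionally environment-provided, say so, e.g. `# ROOT_TLS_CERT is exported by the job spec`.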
@@ -334,78 +289,67 @@ data: cp ${ORG_HOME}/admin/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/tls/ca.crt ## Register and enroll peers and populate their MSP folder - COUNTER=`expr ${NO_OF_PEERS} - ${NO_OF_NEW_PEERS}` - while [ ${COUNTER} -lt ${NO_OF_PEERS} ]; do - PEER="peer${COUNTER}.${FULLY_QUALIFIED_ORG_NAME}" - CSR_HOSTS=${PEER} - for i in "${ALTERNATIVE_ORG_NAMES[@]}" - do - CSR_HOSTS="${CSR_HOSTS},peer${COUNTER}.${i}" - done - echo "Registering and enrolling $PEER with csr hosts ${CSR_HOSTS}" + PEER_NAME=$1 + PEER="${PEER_NAME}.${FULLY_QUALIFIED_ORG_NAME}" + CSR_HOSTS=${PEER} + for i in "${ALTERNATIVE_ORG_NAMES[@]}" + do + CSR_HOSTS="${CSR_HOSTS},${PEER_NAME}.${i}" + done + echo "Registering and enrolling $PEER with csr hosts ${CSR_HOSTS}" - # Register the peer - fabric-ca-client register -d --id.name ${PEER} --id.secret ${PEER}-pw --id.type peer --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} -u https://${CA} + # Register the peer + fabric-ca-client register -d --id.name ${PEER} --id.secret ${PEER}-pw --id.type peer --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} -u https://${CA} - # Enroll to get peers TLS cert - fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/peers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + # Enroll to get peers TLS cert + fabric-ca-client enroll -d --enrollment.profile tls -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_HOME}/cas/peers/tls --csr.hosts "${CSR_HOSTS}" --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" - # Copy the TLS key and cert to the appropriate place - mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls - cp ${ORG_HOME}/cas/peers/tls/keystore/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/server.key - cp ${ORG_HOME}/cas/peers/tls/signcerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/server.crt - cp ${ORG_HOME}/cas/peers/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/ca.crt - - rm -rf 
${ORG_HOME}/cas/peers/tls - - # Enroll again to get the peer's enrollment certificate (default profile) - fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT_PEER}" + # Copy the TLS key and cert to the appropriate place + mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls + cp ${ORG_HOME}/cas/peers/tls/keystore/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/server.key + cp ${ORG_HOME}/cas/peers/tls/signcerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/server.crt + cp ${ORG_HOME}/cas/peers/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/tls/ca.crt + + rm -rf ${ORG_HOME}/cas/peers/tls + + # Enroll again to get the peer's enrollment certificate (default profile) + fabric-ca-client enroll -d -u https://${PEER}:${PEER}-pw@${CA} -M ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp --tls.certfiles ${ROOT_TLS_CERT} --csr.names "${SUBJECT}" - # Create the TLS CA directories of the MSP folder if they don't exist. - mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts - - # Copy the peer org's admin cert into target MSP directory - mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi - cp ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts - cp ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - - let COUNTER=COUNTER+1 - done + # Create the TLS CA directories of the MSP folder if they don't exist. 
+ mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts + + # Copy the peer org's admin cert into target MSP directory + mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts + + cp ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts + cp ${ORG_CYPTO_FOLDER}/msp/admincerts/${ORG_ADMIN_USER}-cert.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts cd ${CURRENT_DIR} generate-user-crypto.sh: |- #!/bin/bash - set -x CURRENT_DIR=${PWD} # Input parameters FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" - ORG_NAME="{{ .Values.orgData.orgName }}" TYPE_FOLDER=$1s USER_IDENTITIES=$2 AFFILIATION="{{ .Values.orgData.orgName }}" SUBJECT="{{ .Values.orgData.componentSubject }}" - CA="${ORG_NAME}-ca.{{ .Release.Namespace }}:7054" - if [ "$1" != "peer" ]; then - ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - else - ORG_CYPTO_FOLDER="/crypto-config/$1Organizations/${FULLY_QUALIFIED_ORG_NAME}" - ROOT_TLS_CERT="/crypto-config/$1Organizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" - fi - CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" - ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" + CA="{{ .Values.orgData.caAddress }}" + + ORG_CYPTO_FOLDER="/crypto-config/$1Organizations/${FULLY_QUALIFIED_ORG_NAME}" + ROOT_TLS_CERT="/crypto-config/$1Organizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" + + CAS_FOLDER="${HOME}/ca-tools/cas/ca" + ORG_HOME="${HOME}/ca-tools/org" ## Register and enroll users CUR_USER=0 TOTAL_USERS=$(echo ${USER_IDENTITIES} | base64 -d | sed -e 's/None/null/g' | tr "'" '"' | jq '. 
| length') + while [ ${CUR_USER} -lt ${TOTAL_USERS} ]; do - # Get the user identity USER=$(echo ${USER_IDENTITIES} | base64 -d | sed -e 's/None/null/g' | tr "'" '"' | jq '.['${CUR_USER}'].identity' | sed -e 's/"//g') ORG_USER="${USER}@${FULLY_QUALIFIED_ORG_NAME}" @@ -421,16 +365,12 @@ data: ATTRS=${ATTRS}","$(echo ${USER_IDENTITIES} | base64 -d | sed -e 's/None/null/g' | tr "'" '"' | jq '.['${CUR_USER}'].attributes['${CUR_ATTRS}'].key' | sed -e 's/"//g')"="$(echo ${USER_IDENTITIES} | base64 -d | sed -e 's/None/null/g' | tr "'" '"' | jq '.['${CUR_USER}'].attributes['${CUR_ATTRS}'].value' | sed -e 's/"//g')":ecert" CUR_ATTRS=$((CUR_ATTRS + 1)) done - - # Checking if the user msp folder exists in the CA server - if [ ! -d "${ORG_HOME}/client${USER}" ]; then # if user certificates do not exist - + + #Check if the user certs does not exist + if [ ! -e /crypto-config/${USER}-msp-exists ] || [ ! -e /crypto-config/${USER}-tls-exists ]; then + # if user certificates do not exist ## Register and enroll User for Org - if [ "$1" = "peer" ]; then - fabric-ca-client register -d --id.name ${ORG_USER} --id.secret ${ORG_USERPASS} --id.type client --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --id.attrs "${ATTRS}" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} - else - fabric-ca-client register -d --id.name ${ORG_USER} --id.secret ${ORG_USERPASS} --id.type client --csr.names "${SUBJECT}" --id.attrs "${ATTRS}" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} - fi + fabric-ca-client register -d --id.name ${ORG_USER} --id.secret ${ORG_USERPASS} --id.type client --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --id.attrs "${ATTRS}" --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} # Enroll the registered user to generate enrollment certificate fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/client${USER} 
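Review bot: `PEER_NAME=$1` in the rewritten peer section of generate-crypto-add-peer.sh has no guard, so a missing argument registers and enrolls the malformed identity `.${FULLY_QUALIFIED_ORG_NAME}` and writes its certificates under `/crypto-config/peerOrganizations/.../peers/.<org>/`; `PEER_NAME=${1:?usage: generate-crypto-add-peer.sh <peer-name>}` fails early instead. The same unchecked `$1` drives `ORG_CYPTO_FOLDER="/crypto-config/$1Organizations/..."` in generate-user-crypto.sh, where the removed branch previously treated every non-`peer` value as an orderer org; the new form silently produces a non-existent path for anything other than `peer`/`orderer`, so a `case "$1" in peer|orderer) ;; *) echo "unknown type $1" >&2; exit 1;; esac` guard would preserve the old safety. The generate-user-crypto.sh body continues outside this hunk.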
@@ -441,9 +381,6 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER} cp -R ${ORG_HOME}/client${USER}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER} - if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then - mv ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi mkdir ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/tlscacerts cp ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/tlscacerts @@ -460,7 +397,7 @@ data: # Current datetime + 5 minutes | e.g. 20210302182036 CUR_DATETIME=$(date -d "$(echo $(date)' + 5 minutes')" +'%Y%m%d%H%M%S') - + #TODO get ${ORG_HOME}/client${USER}/msp/signcerts/cert.pem from Kubernetes secret or Vault in job.yaml # Extracting "notAfter" datetime from the existing user certificate | e.g. 20210302182036 CERT_DATETIME=$(date -d "$(echo $(openssl x509 -noout -enddate < ${ORG_HOME}/client${USER}/msp/signcerts/cert.pem) | sed 's/notAfter=//g')" +'%Y%m%d%H%M%S') @@ -558,6 +495,9 @@ data: done < ${1} > ${2}/${NAME}.txt } + function saveAdminSecrets { + TLS_KEY=admin-tls + MSP_KEY=admin-msp {{- if eq .Values.global.vault.type "hashicorp" }} . ../bevel-vault.sh # Calling a function to retrieve the vault token. 
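Review bot: The new skip condition `[ ! -e /crypto-config/${USER}-msp-exists ] || [ ! -e /crypto-config/${USER}-tls-exists ]` shares one flat marker namespace with the `admin-msp`/`admin-tls` markers used by saveAdminSecrets and the `$PEER_NAME-msp-exists` markers of the peer script, so a user identity named `admin` (or one matching a peer name) would be treated as already enrolled and silently skipped; if the markers are created elsewhere with the same names, a type prefix such as `/crypto-config/user-${USER}-msp-exists` on both sides would remove the collision. Also, the single `register` line now always passes `--id.affiliation ${AFFILIATION}`, whereas the removed branch omitted it for non-peer orgs; if an orderer CA does not define that affiliation, registration fails, so confirm this is intended or document it with `# affiliation must exist on both peer and orderer CAs`. The enclosing `while` loop starts outside this hunk.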
@@ -566,438 +506,206 @@ data: FORMAT_CERTIFICATE_PATH="/formatcertificate" mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp - - function saveAdminSecrets { - TLS_KEY=$1 - TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) - MPS_KEY=$2 - MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) - - if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi - COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ] - then - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) - CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) - - echo " + if [ ! 
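Review bot: The new `saveAdminSecrets` definition fixes `TLS_KEY=admin-tls` and `MSP_KEY=admin-msp` and takes no parameters, while the definition it replaces in the following hunk read them from `$1`/`$2`; any caller still passing arguments (callers are not visible here) would have them silently ignored. A one-line contract comment above the assignments, `# No arguments: admin material is always stored under admin-tls / admin-msp`, or a `[ $# -eq 0 ] || { echo "saveAdminSecrets takes no arguments" >&2; exit 1; }` guard would make the changed interface explicit. The function body continues into the next hunk.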
-e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" + + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) + CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) + + echo " + { + \"data\": { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"client.crt\": \"${CLIENT_CRT}\", - \"client.key\": \"${CLIENT_KEY}\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check tls certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) - TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) - - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ADMIN_TLS_CERT_WRITTEN=false - break - else - ADMIN_TLS_CERT_WRITTEN=true - fi - done - fi - fi - - if [ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ] - then - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - - formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - 
formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - - if [ "$PROXY" != "none" ] ; then - - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; - - if [ "$PROXY" = "none" ] ; then - - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check msp certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) - MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) - 
MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) - MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) - MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ADMIN_MSP_CERT_WRITTEN=false - break - else - ADMIN_MSP_CERT_WRITTEN=true - fi - done - fi - fi + \"ca_crt\": \"${CA_CRT}\", + \"client_crt\": \"${CLIENT_CRT}\", + \"client_key\": \"${CLIENT_KEY}\" + } + }" > payload.json + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${TLS_KEY}" 'payload.json' + rm payload.json + fi - if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] - then - echo "Admin certificates are successfully stored in vault" - break - else - echo "Admin certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done + if [ ! 
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ include "fabric-catools.caFileName" . }}.txt) + + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${MSP_KEY}" 'payload.json' + rm payload.json + fi +{{- end }} # end Vault if condition + # Files are stored as K8s secrets; add more conditions here for cloud KMS + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Check if secret exists + kubectl get secret --namespace ${COMPONENT_NAME} ${TLS_KEY} >/dev/null 2>&1 + if [ $? 
-eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${TLS_KEY} fi - } - - function saveOrdererSecrets { - ORDERER_NAME=$1 - TLS_KEY=$2 - TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) - MPS_KEY=$3 - MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) - - COUNTER=1 - if [ -e /certcheck/present_tls_${ORDERER_NAME}.txt ]; then ORDERER_TLS_CERT_WRITTEN=true; else ORDERER_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp_${ORDERER_NAME}.txt ]; then ORDERER_MSP_CERT_WRITTEN=true; else ORDERER_MSP_CERT_WRITTEN=false; fi - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ] && [ "$ORDERER_TLS_CERT_WRITTEN" = "false" ]; then - - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/ca.crt.txt) - SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.crt.txt) - SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.key.txt) - - echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"server.crt\": \"${SERVER_CRT}\", - \"server.key\": \"${SERVER_KEY}\" - } - }" > payload.json - - vaultBevelFunc 'write' 
"${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check tls certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"server.crt\"]" 2>&1) - TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"server.key\"]" 2>&1) - - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ORDERER_TLS_CERT_WRITTEN=false - break - else - ORDERER_TLS_CERT_WRITTEN=true - fi - done - fi - fi; - - if [ -e /certcheck/absent_msp_${ORDERER_NAME}.txt ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "false" ]; then - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp" - - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cert.pem.txt) - - if [ "$PROXY" != "none" ] ; then - - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" 
"${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - - fi; - - if [ "$PROXY" = "none" ] ; then - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - - fi; - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check msp certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" - if [ 
"$SECRETS_AVAILABLE" == "yes" ] - then - MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) - MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) - MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) - MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) - MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ORDERER_MSP_CERT_WRITTEN=false - break - else - ORDERER_MSP_CERT_WRITTEN=true - fi - done - fi - fi; - - if [ "$ORDERER_TLS_CERT_WRITTEN" = "true" ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "true" ] - then - echo "${ORDERER_NAME} certificates are successfully stored in vault" - break - else - echo "${ORDERER_NAME} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Orderers certificates have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - - } - -{{- else }} - - function saveAdminSecrets { - TLS_KEY=$1 - MPS_KEY=$2 - if [ -e /certcheck/absent_tls.txt ] - then - kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ - --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ - --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ + --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ + --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key + fi + + if [ ! 
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl get secret --namespace ${COMPONENT_NAME} ${MSP_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${MSP_KEY} fi - - if [ -e /certcheck/absent_msp.txt ] - then - if [ "$PROXY" != "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt - fi + kubectl create secret generic ${MSP_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ include "fabric-catools.caFileName" . }} \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + fi + echo "Orderer Admin certificates are successfully stored." 
+ } - if [ "$PROXY" = "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt - fi - fi + function saveOrdererSecrets { + ORDERER_NAME=$1 + TLS_KEY=$1-tls + MSP_KEY=$1-msp +{{- if eq .Values.global.vault.type "hashicorp" }} + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + FORMAT_CERTIFICATE_PATH="/formatcertificate" + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts + if [ ! 
-e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then
+ # This commands put the certificates with correct format for the curl command
+ formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls"
+ formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls"
+ formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls"
+
+ CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/ca.crt.txt)
+ SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.crt.txt)
+ SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.key.txt)
+
+ echo "
+ {
+ \"data\":
+ {
+ \"ca_crt\": \"${CA_CRT}\",
+ \"server_crt\": \"${SERVER_CRT}\",
+ \"server_key\": \"${SERVER_KEY}\"
+ }
+ }" > payload.json
+
+ vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${TLS_KEY}" 'payload.json'
+ rm payload.json
+ fi
- checkSecret admin-msp
- checkSecret admin-tls
- }
-
- function saveOrdererSecrets {
- ORDERER_NAME=$1
- TLS_KEY=$2
- MPS_KEY=$3
-
- if [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ]
- then
- kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \
- --from-file=cacrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt \
- --from-file=servercrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt \
- --from-file=serverkey=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key
- fi
+ if [ !
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then
+ # This commands put the certificates with correct format for the curl command
+ SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk")
+ formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp"
+ formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp"
+ formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp"
- if [ -e /certcheck/absent_msp_${ORDERER_NAME}.txt ]
- then
-
- if [ "$PROXY" != "none" ]
- then
- SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk")
- kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \
- --from-file=admincerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \
- --from-file=cacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \
- --from-file=keystore=${SK_NAME} \
- --from-file=signcerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \
- --from-file=tlscacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem
- fi
+ ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt)
+ KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/*_sk.txt)
+ SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cert.pem.txt)
- if [ "$PROXY" = "none" ]
- then
- SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk")
- kubectl create
secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem - fi - fi + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}.txt) - checkSecret $ORDERER_NAME-tls - checkSecret $ORDERER_NAME-msp - } + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${TLSCERTS}\" + } + }" > payload.json - function checkSecret { - key=$1 - kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? 
-ne 0 ]; then - echo "Secret ${key} wasn't created correctly" - touch ${MOUNT_PATH}/certs_not_found.txt + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${MSP_KEY}" 'payload.json' + rm payload.json + fi +{{- end }} # End Vault if condition + # Files are stored as K8s secrets; add more conditions here for cloud KMS + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Check if secret exists + kubectl get secret --namespace ${COMPONENT_NAME} ${TLS_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${TLS_KEY} fi - } + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=cacrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt \ + --from-file=servercrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt \ + --from-file=serverkey=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key + fi -{{- end }} + if [ ! -e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl get secret --namespace ${COMPONENT_NAME} ${MSP_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${MSP_KEY} + fi + kubectl create secret generic ${MSP_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . 
}} \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }} + fi + echo "$ORDERER_NAME Client certificates are successfully stored." + } function safeOrderererTlsConfigmap { ORDERER_NAME=$1 kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert - if [ $? -ne 0 ] && [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ]; then + if [ $? -ne 0 ]; then kubectl create configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert --from-file=cacert=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt fi } ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" ORG_CYPTO_ORDERER_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/orderers" - saveAdminSecrets admin-tls admin-msp - - for ORDERER in $ORDERERS_NAMES - do - saveOrdererSecrets $ORDERER $ORDERER-tls $ORDERER-msp - safeOrderererTlsConfigmap $ORDERER - done - + + saveAdminSecrets + ORDERER=$1 + saveOrdererSecrets $ORDERER + safeOrderererTlsConfigmap $ORDERER --- apiVersion: v1 kind: ConfigMap 
@@ -1022,691 +730,207 @@ data: echo "$line\n" done < ${1} > ${2}/${NAME}.txt } - - validateVaultResponse () { - if echo ${2} | grep "errors" || [ "${2}" = "" ]; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - if [ "$3" == "LOOKUPSECRETRESPONSE" ] - then - http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \ - --header "X-Vault-Token: ${VAULT_TOKEN}" \ - ${VAULT_ADDR}/v1/${1}) - curl_response=$? - if test "$http_code" != "200" ; then - echo "Http response code from Vault - $http_code and curl_response - $curl_response" - if test "$curl_response" != "0"; then - echo "Error: curl command failed with error code - $curl_response" - exit 1 - fi - fi - fi - } - -{{- if eq .Values.global.vault.type "hashicorp" }} - echo "coming soon" - . ../bevel-vault.sh - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - FORMAT_CERTIFICATE_PATH="/formatcertificate" - mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls - mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp - function saveAdminSecrets { - TLS_KEY=$1 - TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) - MPS_KEY=$2 - MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) - - if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi - COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ] - then - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - CLIENT_CRT=$(cat 
${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) - CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) - - echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"client.crt\": \"${CLIENT_CRT}\", - \"client.key\": \"${CLIENT_KEY}\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check tls certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) - TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) - - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ADMIN_TLS_CERT_WRITTEN=false - break - else - ADMIN_TLS_CERT_WRITTEN=true - fi - done - fi - fi - - if [ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ] - then - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - - formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + TLS_KEY=admin-tls + MSP_KEY=admin-msp +{{- if eq .Values.global.vault.type "hashicorp" }} + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. 
+ vaultBevelFunc "init" + FORMAT_CERTIFICATE_PATH="/formatcertificate" + mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls + mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - if [ "$PROXY" != "none" ] ; then + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) + CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) + + echo " + { + \"data\": + { + \"ca_crt\": \"${CA_CRT}\", + \"client_crt\": \"${CLIENT_CRT}\", + \"client_key\": \"${CLIENT_KEY}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${TLS_KEY}" 'payload.json' + rm payload.json + fi - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + if [ ! 
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ include "fabric-catools.caFileName" . 
}}.txt) - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; - - if [ "$PROXY" = "none" ] ; then - - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check msp certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) - MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) - MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) - MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) - MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ADMIN_MSP_CERT_WRITTEN=false - break - else - ADMIN_MSP_CERT_WRITTEN=true - fi - done - fi + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json + + vaultBevelFunc 'write' 
"${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${MSP_KEY}" 'payload.json' + rm payload.json + fi +{{- end }} # End Vault if condition + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Check if secret exists + kubectl get secret --namespace ${COMPONENT_NAME} ${TLS_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${TLS_KEY} fi + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ + --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ + --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key + fi - if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] - then - echo "Admin certificates are successfully stored in vault" - break - else - echo "Admin certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` + if [ ! -e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl get secret --namespace ${COMPONENT_NAME} ${MSP_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${MSP_KEY} fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 + kubectl create secret generic ${MSP_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ include "fabric-catools.caFileName" . 
}} \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt fi + + echo "Peer Admin certificates are successfully stored." } function savePeerSecrets { PEER_NAME=$1 - TLS_KEY=$1/tls - MPS_KEY=$1/msp - - COUNTER=1 - if [ -e /certcheck/present_tls_${PEER_NAME}.txt ]; then PEER_TLS_CERT_WRITTEN=true; else PEER_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp_${PEER_NAME}.txt ]; then PEER_MSP_CERT_WRITTEN=true; else PEER_MSP_CERT_WRITTEN=false; fi + TLS_KEY=$1-tls + MSP_KEY=$1-msp +{{- if eq .Values.global.vault.type "hashicorp" }} + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + FORMAT_CERTIFICATE_PATH="/formatcertificate" mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if ([ -e /certcheck/absent_tls_${PEER_NAME}.txt ] && [ "$PEER_TLS_CERT_WRITTEN" = "false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] - then - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.key" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/ca.crt.txt) - SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/server.crt.txt) - SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/server.key.txt) - - echo " - { - 
\"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"server.crt\": \"${SERVER_CRT}\", - \"server.key\": \"${SERVER_KEY}\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY}" 'payload.json' - rm payload.json - - # Check tls certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"server.crt\"]" 2>&1) - TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"server.key\"]" 2>&1) - - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - PEER_TLS_CERT_WRITTEN=false - break - else - PEER_TLS_CERT_WRITTEN=true - fi - done - fi - fi; - - if ([ -e /certcheck/absent_msp_${PEER_NAME}.txt ] && [ "$PEER_MSP_CERT_WRITTEN" = "false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] - then - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" - - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cert.pem.txt) - - if [ "$PROXY" != "none" ] - then - 
formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - fi; - - if [ "$PROXY" = "none" ] - then - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - - fi; - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY}" 'payload.json' - rm payload.json - - # Check msp certificates - vaultBevelFunc 
"readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) - MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) - MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) - MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) - MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - PEER_MSP_CERT_WRITTEN=false - break - else - PEER_MSP_CERT_WRITTEN=true - fi - done - fi - fi; - - if [ "$PEER_TLS_CERT_WRITTEN" = "true" ] && [ "$PEER_MSP_CERT_WRITTEN" = "true" ] - then - echo "${PEER_NAME} certificates are successfully stored in vault" - break - else - echo "${PEER_NAME} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, peers certificates have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - } - - function saveConfigFileSecrets { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - COUNTER=1 - if [ -e /certcheck/present_config_file.txt ]; then CONFIG_FILE_WRITTEN=true; else CONFIG_FILE_WRITTEN=false; fi - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ -e /certcheck/absent_config_file.txt ] && [ "$CONFIG_FILE_WRITTEN" = "false" ]; then - - # This commands put the config file with correct format for the curl command - mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp_config_file - formatCertificate "/crypto-config/peerOrganizations/${COMPONENT_NAME}/msp/config.yaml" "${FORMAT_CERTIFICATE_PATH}/msp_config_file" - MSP_CONFIG_FILE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp_config_file/config.yaml.txt) - - echo " - { - \"data\": - { - \"configfile\": \"${MSP_CONFIG_FILE}\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check cofig file - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - CONFIG_FILE=$(echo ${VAULT_SECRET} | jq -r ".[\"configfile\"]" 2>&1) - if [ "$CONFIG_FILE" = "null" ] || [[ "$CONFIG_FILE" = "parse error"* ]] || [ "$CONFIG_FILE" = "" ] - then - CONFIG_FILE_WRITTEN=false - break - else - CONFIG_FILE_WRITTEN=true - fi - fi - fi; - - if [ "$CONFIG_FILE_WRITTEN" = "true" ] - then - echo "MSP config file is successfully stored in vault" - break - else - echo "MSP config file is not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, cryto materials have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - } - - function saveCouchdbSecrets { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - COUNTER=1 - COUCHDB_WRITTEN=false - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ "$COUCHDB_WRITTEN" = "false" ]; then - - echo " + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.key" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" + + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/ca.crt.txt) + SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/server.crt.txt) + SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls/server.key.txt) + + echo " + { + \"data\": { - \"data\": - { - \"user\": \"admin123\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check couchdb credentials - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - USER=$(echo ${VAULT_SECRET} | jq -r ".[\"user\"]" 2>&1) - if [ "$USER" = "null" ] || [[ "$USER" = "parse error"* ]] || [ "$USER" = "" ] - then - COUCHDB_WRITTEN=false - break - else - COUCHDB_WRITTEN=true - fi - fi - fi; - - if [ "$COUCHDB_WRITTEN" = "true" ] - then - echo "Couchdb credentials are successfully stored in vault" - break - else - echo "Couchdb credentials are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ 
$.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - } - - function saveOrdererTlsSecrets { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - COUNTER=1 - if [ -e /certcheck/present_orderer_tls_cert.txt ]; then ORDERER_TLS_WRITTEN=true; else ORDERER_TLS_WRITTEN=false; fi - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if [ -e /certcheck/absent_orderer_tls_cert.txt ] && [ "$ORDERER_TLS_WRITTEN" = "false" ] - then - cp /tlscerts/orderer.crt orderer.crt - grep -v '^$' "/tlscerts/orderer.crt" > orderer.crt - - cat orderer.crt - formatCertificate "orderer.crt" "./" - ORDERER_TLS=$(cat orderer.crt.txt) - - cat orderer.crt.txt - echo " - { - \"data\": - { - \"ca.crt\": \"${ORDERER_TLS}\" - } - }" > payload.json - - # This command writes organization level certificates for orderers to vault - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check couchdb credentials - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - CA_CRT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - if [ "$CA_CRT" = "null" ] || [[ "$CA_CRT" = "parse error"* ]] || [ "$CA_CRT" = "" ] - then - ORDERER_TLS_WRITTEN=false - else - ORDERER_TLS_WRITTEN=true - fi - fi - fi; - - if [ "$ORDERER_TLS_WRITTEN" = "true" ] - then - echo "${ORDERER} tls certificate are successfully stored in vault" - break - else - echo "${ORDERER} tls certificate are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, orderer tls have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - } - -{{- else }} - function saveAdminSecrets { - TLS_KEY=$1 - MPS_KEY=$2 - if [ -e /certcheck/absent_tls.txt ] - then - kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ - --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ - --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key - fi - - if [ -e /certcheck/absent_msp.txt ] - then - if [ "$PROXY" != "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt - fi - - if [ "$PROXY" = "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt - fi - fi - - checkSecret admin-msp - checkSecret admin-tls - - } - - function savePeerSecrets { - PEER_NAME=$1 - TLS_KEY=$1-tls - MPS_KEY=$1-msp - - if ([ -e /certcheck/absent_tls_${PEER_NAME}.txt ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] - then - kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=cacrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt \ - 
--from-file=servercrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt \ - --from-file=serverkey=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.key - fi - - if [ -e /certcheck/absent_msp_${PEER_NAME}.txt ] - then - - if [ "$PROXY" != "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi - - if [ "$PROXY" = "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem - fi - fi - - checkSecret $PEER_NAME-tls - checkSecret $PEER_NAME-msp - } + \"ca_crt\": \"${CA_CRT}\", + \"server_crt\": \"${SERVER_CRT}\", + \"server_key\": 
\"${SERVER_KEY}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/peers/${TLS_KEY}" 'payload.json' + rm payload.json + fi - function saveConfigFileSecrets { - KEY=$1 - if [ -e /certcheck/absent_config_file.txt ] - then - kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-file=configfile=/crypto-config/peerOrganizations/${COMPONENT_NAME}/msp/config.yaml - fi - checkSecret msp-config - } - - function saveCouchdbSecrets { - KEY=$1 - kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? -ne 0 ]; then - kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-literal=user="admin123" - fi - checkSecret couchdb - } - - function saveOrdererTlsSecrets { - KEY=$1 - if [ -e /certcheck/absent_orderer_tls_cert.txt ] - then - kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=/tlscerts/orderer.crt - fi - checkSecret orderer-tls - } - - function checkSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? -ne 0 ]; then - echo "Secret ${KEY} wasn't created correctly" - touch ${MOUNT_PATH}/certs_not_found.txt + if [ ! 
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp" + + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cert.pem.txt) + + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}.txt) + + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${TLSCERTS}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/peers/${MSP_KEY}" 'payload.json' + rm payload.json + fi +{{- end }} # End Vault if condition + if [ ! 
-e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Check if secret exists + kubectl get secret --namespace ${COMPONENT_NAME} ${TLS_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${TLS_KEY} fi - } - -{{- end }} + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=cacrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt \ + --from-file=servercrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt \ + --from-file=serverkey=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.key + fi - function saveAdminMspConfigmap { - kubectl get configmap --namespace {{ .Release.Namespace }} admin-msp - if [ $? -ne 0 ]; then - if [ "$PROXY" != "none" ]; then - kubectl create configmap --namespace {{ .Release.Namespace }} admin-msp --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt - else - kubectl create configmap --namespace {{ .Release.Namespace }} admin-msp --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + if [ ! -e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl get secret --namespace ${COMPONENT_NAME} ${MSP_KEY} >/dev/null 2>&1 + if [ $? 
-eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${MSP_KEY} fi + kubectl create secret generic ${MSP_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }} \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }} fi + echo "${PEER_NAME} Client certificates are successfully stored." } ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" ORG_CYPTO_PEER_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/peers" - saveAdminSecrets admin-tls admin-msp - saveAdminMspConfigmap - - for PEER in $PEERS_NAMES - do - SAVE=false - if [[ "$PEER" == *","* ]] - then - STATUS="${PEER##*,}" - else - STATUS="" - fi - - if [ "$STATUS" = "new" ] || [ "$STATUS" = "" ]; then - PEER_NAME="${PEER%%,*}" - SAVE=true - savePeerSecrets $PEER_NAME - else - continue - fi; - done - - saveConfigFileSecrets msp-config - saveCouchdbSecrets couchdb - saveOrdererTlsSecrets orderer-tls - + saveAdminSecrets + savePeerSecrets $1 --- apiVersion: v1 kind: ConfigMap 
@@ -1731,326 +955,114 @@ data: echo "$line\n" done < ${1} > ${2}/${NAME}.txt } - - validateVaultResponse () { - if echo ${2} | grep "errors" || [ "${2}" = "" ]; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - if [ "$3" == "LOOKUPSECRETRESPONSE" ] - then - http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \ - --header "X-Vault-Token: ${VAULT_TOKEN}" \ - ${VAULT_ADDR}/v1/${1}) - curl_response=$? - if test "$http_code" != "200" ; then - echo "Http response code from Vault - $http_code and curl_response - $curl_response" - if test "$curl_response" != "0"; then - echo "Error: curl command failed with error code - $curl_response" - exit 1 - fi - fi - fi - } - -{{- if eq .Values.global.vault.type "hashicorp" }} - - echo "coming soon" - . ../bevel-vault.sh - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - FORMAT_CERTIFICATE_PATH="/formatcertificate" - ORG_CYPTO_USERS_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users" - - function saveUserSecrets { USER=$1 - TLS_KEY=$2 - TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) - MPS_KEY=$3 - MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) + TLS_KEY=$1-tls + MSP_KEY=$1-msp +{{- if eq .Values.global.vault.type "hashicorp" }} + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. 
+ vaultBevelFunc "init" + + FORMAT_CERTIFICATE_PATH="/formatcertificate" + ORG_CYPTO_USERS_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users" - if [ -e /certcheck/present_tls_${USER}.txt ]; then USER_TLS_CERT_WRITTEN=true; else USER_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp_${USER}.txt ]; then USER_MSP_CERT_WRITTEN=true; else USER_MSP_CERT_WRITTEN=false; fi - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts - COUNTER=1 - - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] - do - if ([ -e /certcheck/absent_tls_${USER}.txt ] && [ "$USER_TLS_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then - - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/ca.crt.txt) - CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/client.crt.txt) - CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/client.key.txt) - - echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"client.crt\": \"${CLIENT_CRT}\", - \"client.key\": \"${CLIENT_KEY}\" - } - }" > payload.json - - # This command copy the crypto material for users (tls) - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check tls certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" 
== "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) - TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) - TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) - - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - USER_TLS_CERT_WRITTEN=false - break - else - USER_TLS_CERT_WRITTEN=true - fi - done - fi - fi; - if ([ -e /certcheck/absent_msp_${USER}.txt ] && [ "$USER_MSP_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then + if [ ! -e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/${USER}/tls" - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/ca.crt.txt) + CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/client.crt.txt) + CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/tls/client.key.txt) - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem" 
"${FORMAT_CERTIFICATE_PATH}/${USER}/msp" - - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/${USER}@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cert.pem.txt) - - if [ "$PROXY" != "none" ] ; then - - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - # En el rol lo copia directamente del tls - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - - fi; - - if [ "$PROXY" = "none" ] ; then - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem.txt) + echo " + { + \"data\": + { + \"ca_crt\": \"${CA_CRT}\", + \"client_crt\": \"${CLIENT_CRT}\", + 
\"client_key\": \"${CLIENT_KEY}\" + } + }" > payload.json + + # This command copy the crypto material for users (tls) + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${TLS_KEY}" 'payload.json' + rm payload.json + fi - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${TLSCERTS}\" - } - }" > payload.json - - fi; - - # This command copy the msp certificates to the Vault - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' - rm payload.json - - # Check msp certificates - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) - MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) - MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) - MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) - MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - USER_MSP_CERT_WRITTEN=false - break - else - USER_MSP_CERT_WRITTEN=true - fi - done - fi - fi; - - if [ "$USER_TLS_CERT_WRITTEN" = "true" ] && [ "$USER_MSP_CERT_WRITTEN" = "true" ] - then - echo "${USER} certificates are successfully stored in vault" - break - else - echo "${USER} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` + if [ ! 
-e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp" + + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/${USER}@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cert.pem.txt) + + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/{{ include "fabric-catools.caFileName" . }}.txt) + # En el rol lo copia directamente del tls + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }}.txt) + + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${TLSCERTS}\" + } + }" > payload.json + + #This command copy the msp certificates to the Vault + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${MSP_KEY}" 'payload.json' + rm payload.json + fi +{{- end }} + # Check if secret exists + if [ ! 
-e /crypto-config/${TLS_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + kubectl get secret --namespace ${COMPONENT_NAME} ${TLS_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${TLS_KEY} fi - done; - - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, users certificates have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - } -{{- else }} - function saveUserSecrets { - USER=$1 - TLS_KEY=$2 - MPS_KEY=$3 - - if [ -e /certcheck/absent_tls_${USER}.txt ] || [ "$REFRESH_CERTS" == 'true' ] - then kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ --from-file=cacrt=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/ca.crt \ --from-file=clientcrt=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.crt \ --from-file=clientkey=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.key fi - if [ -e /certcheck/absent_msp_${USER}.txt ] || [ "$REFRESH_CERTS" == 'true' ] - then - if [ "$PROXY" != "none" ] - then - SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem - fi - - if [ "$PROXY" = "none" ] - then - SK_NAME=$(find 
${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ - --from-file=admincerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem \ - --from-file=cacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem \ - --from-file=keystore=${SK_NAME} \ - --from-file=signcerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem \ - --from-file=tlscacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/${ORG_NAME_EXT}-ca-${COMPONENT_NAME}-7054.pem + if [ ! -e /crypto-config/${MSP_KEY}-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl get secret --namespace ${COMPONENT_NAME} ${MSP_KEY} >/dev/null 2>&1 + if [ $? -eq 0 ]; then + # Delete the secret if exists + kubectl delete secret --namespace ${COMPONENT_NAME} ${MSP_KEY} fi + kubectl create secret generic ${MSP_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ include "fabric-catools.caFileName" . }} \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ include "fabric-catools.caFileName" . }} fi - checkSecret $USER-tls - checkSecret $USER-msp + echo "${USER} certificates are successfully stored." } - - function checkSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? 
-ne 0 ]; then - echo "Secret ${KEY} wasn't created correctly" - touch ${MOUNT_PATH}/certs_not_found.txt - fi - } -{{- end }} ORG_CYPTO_USERS_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users" - for USER in $USERS_IDENTITIES - do - saveUserSecrets $USER $USER-tls $USER-msp - done ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: msp-config-file - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: msp-config-file - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm -data: - no-none-config.yaml: |- - NodeOUs: - Enable: true - ClientOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem - OrganizationalUnitIdentifier: client - PeerOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem - OrganizationalUnitIdentifier: peer - AdminOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem - OrganizationalUnitIdentifier: admin - OrdererOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem - OrganizationalUnitIdentifier: orderer - none-config.yaml: |- - NodeOUs: - Enable: true - ClientOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-7054.pem - OrganizationalUnitIdentifier: client - PeerOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-7054.pem - OrganizationalUnitIdentifier: peer - AdminOUIdentifier: - Certificate: cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-7054.pem - OrganizationalUnitIdentifier: admin - OrdererOUIdentifier: - Certificate: 
cacerts/${ORG_NAME_EXT}-ca-{{ .Release.Namespace }}-7054.pem - OrganizationalUnitIdentifier: orderer - -{{- $file := .Files.Get "files/orderer.crt" }} -{{- if and (eq $.Values.orgData.type "peer") $file }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: orderer-tls-cacert - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: orderer-tls-cacert - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm -data: - orderer.crt: |- - {{ .Files.Get "files/orderer.crt" | nindent 8 }} -{{- end }} + saveUserSecrets $1 +{{- end }} # End createConfigMaps condition diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml deleted file mode 100644 index 1a853c6a205..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml +++ /dev/null 
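Review bot: The rewritten `saveUserSecrets` ends with `echo "${USER} certificates are successfully stored."` unconditionally, while the verification the old code performed (the `vaultBevelFunc "readJson"` readback with per-field checks, the `checkSecret` calls and the `certs_not_found.txt` marker) is removed in this hunk, so a failed `vaultBevelFunc 'write'` or `kubectl create secret` now finishes with a success message and, unless the script runs under `set -e` (not visible here), exit status 0. Because the material written includes the user's private keys (`client_key`, `keystore`), a silent failure leaves dependent components without an identity while the job looks green; I would append `|| { echo "Failed to store ${TLS_KEY}"; exit 1; }` to the last line of each `kubectl create secret generic ...` command (with `${MSP_KEY}` for the second) and check the return of the two `vaultBevelFunc 'write'` calls the same way. The `kubectl get` / `kubectl delete` / `kubectl create` sequence also leaves a window in which the secret does not exist at all; `kubectl create secret generic ... --dry-run=client -o yaml | kubectl apply -f -` replaces it in place and makes the delete step unnecessary. It is also worth a comment above the `echo ... > payload.json` lines, e.g. `# payload.json holds the private key in plaintext until rm below; keep it off persistent mounts`, so a later change does not move the working directory onto the `/crypto-config` volume.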
@@ -1,569 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "fabric-catools.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "fabric-catools.name" . }} - app.kubernetes.io/component: ca-tools - app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm - annotations: - {{ include "labels.deployment" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "fabric-catools.name" . }} - app.kubernetes.io/component: ca-tools - app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm - template: - metadata: - labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "fabric-catools.name" . }} - app.kubernetes.io/component: ca-tools - app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . 
| nindent 6 }} - spec: - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} - imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} - {{- end }} - volumes: - - name: ca-tools-pv - persistentVolumeClaim: - claimName: ca-tools-pvc - - name: ca-tools-crypto-pv - persistentVolumeClaim: - claimName: ca-tools-crypto-pvc - - name: certcheck - emptyDir: - medium: Memory - - name: generate-crypto - configMap: - name: crypto-scripts-cm - defaultMode: 0775 - items: - - key: generate-crypto-orderer.sh - path: generate-crypto-orderer.sh - - name: generate-orderer-crypto - configMap: - name: crypto-scripts-cm - defaultMode: 0775 - items: - - key: orderer-script.sh - path: orderer-script.sh - - name: generate-crypto-peer - configMap: - name: crypto-scripts-cm - defaultMode: 0775 - items: - - key: generate-crypto-peer.sh - path: generate-crypto-peer.sh - - name: generate-crypto-add-peer - configMap: - name: crypto-scripts-cm - defaultMode: 0775 - items: - - key: generate-crypto-add-peer.sh - path: generate-crypto-add-peer.sh - - name: generate-user-crypto - configMap: - name: crypto-scripts-cm - defaultMode: 0775 - items: - - key: generate-user-crypto.sh - path: generate-user-crypto.sh - - name: store-vault-orderer - configMap: - name: orderer-script-store-vault - defaultMode: 0775 - items: - - key: store-vault-orderer.sh - path: store-vault-orderer.sh - - name: store-vault-peer - configMap: - name: peer-script-store-vault - defaultMode: 0775 - items: - - key: store-vault-peer.sh - path: store-vault-peer.sh - - name: store-vault-users - configMap: - name: users-script-store-vault - defaultMode: 0775 - items: - - key: store-vault-users.sh - path: store-vault-users.sh - - name: none-config - configMap: - name: msp-config-file - defaultMode: 0775 - items: - - key: none-config.yaml - path: none-config.yaml - - name: no-none-config - configMap: - name: msp-config-file - defaultMode: 0775 - items: - - key: 
no-none-config.yaml - path: no-none-config.yaml - {{- $file := .Files.Get "files/orderer.crt" }} - {{ if and (eq $.Values.orgData.type "peer") $file }} - - name: orderer-tls-cacert - configMap: - name: orderer-tls-cacert - defaultMode: 0775 - items: - - key: orderer.crt - path: orderer.crt - {{- end }} - - name: scripts-volume - configMap: - name: bevel-vault-script - - name: package-manager - configMap: - name: package-manager - initContainers: - - name: init-check-certificates - image: {{ $.Values.image.alpineUtils }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} - - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} - - name: VAULT_TYPE - value: {{ $.Values.global.vault.type }} - - name: VAULT_SECRET_ENGINE - value: "{{ .Values.global.vault.secretEngine }}" - - name: VAULT_SECRET_PREFIX - value: "{{ .Values.global.vault.secretPrefix }}" - - name: COMPONENT_TYPE - value: "{{ $.Values.orgData.type }}" - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: ORG_NAME_EXT - value: {{ $.Values.orgData.orgName }} - - name: PROXY - value: {{ .Values.global.proxy.provider }} - - name: ORDERERS_NAMES - value: "{{ $.Values.orderers | join " " -}}" - - name: PEERS_NAMES - value: "{{ $.Values.peers | join " " -}}" - - name: USERS_IDENTITIES - value: "{{ $.Values.users.usersIdentities | join " " -}}" - - name: MOUNT_PATH - value: "/certcheck" - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - - mkdir -p ${MOUNT_PATH} - OUTPUT_PATH="/crypto-config/${COMPONENT_TYPE}Organizations/${COMPONENT_NAME}" - mkdir -p ${OUTPUT_PATH}/ca - mkdir -p /root/ca-tools/${ORG_NAME_EXT} - -{{- if eq .Values.global.vault.type "hashicorp" }} - . /scripts/bevel-vault.sh - # Calling a function to retrieve the vault token. 
- vaultBevelFunc "init" - - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" - - # Get ca cert - ca_cert=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.${COMPONENT_NAME}-cert.pem\"]") - echo "${ca_cert}" > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem - - # Get ca key - ca_key=$(echo ${VAULT_SECRET} | jq -r ".[\"${COMPONENT_NAME}-CA.key\"]") - echo "${ca_key}" > ${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key - - function checkSecret { - key=$1 - key_formatted=$(echo $key | tr - /) - file_name=$2 - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key_formatted}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_${file_name}.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_${file_name}.txt - fi - } -{{- else }} - - kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-cert}" | base64 -d > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem - kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-key}" | base64 -d > ${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key - - function checkSecret { - key=$1 - file_name=$2 - kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? -ne 0 ]; then - echo "Certficates absent in kuberenetes secrets. Ignore error warning." - touch ${MOUNT_PATH}/absent_${file_name}.txt - else - echo "Certficates present in kuberenetes secrets. Ignore error warning." 
- touch ${MOUNT_PATH}/present_${file_name}.txt - fi - } -{{- end }} - - checkSecret admin-msp msp - checkSecret admin-tls tls - - if [ "$COMPONENT_TYPE" = "orderer" ]; then - SERVICES_NAMES=$ORDERERS_NAMES; - fi; - - if [ "$COMPONENT_TYPE" = "peer" ]; then - SERVICES_NAMES=$PEERS_NAMES; - fi; - - for SERVICE in $SERVICES_NAMES - do - # Check if orderer/peer msp already created - if [ "$COMPONENT_TYPE" = "peer" ]; then - SERVICE_NAME="${SERVICE%%,*}" - checkSecret ${SERVICE_NAME}-msp msp_${SERVICE_NAME} - fi; - - if [ "$COMPONENT_TYPE" = "orderer" ]; then - SERVICE_NAME="${SERVICE}" - checkSecret ${SERVICE_NAME}-msp msp_${SERVICE_NAME} - fi; - - # Check if orderer/peer msp already created - if [ "$COMPONENT_TYPE" = "peer" ]; then - SERVICE_NAME="${SERVICE%%,*}" - checkSecret ${SERVICE_NAME}-tls tls_${SERVICE_NAME} - fi; - - if [ "$COMPONENT_TYPE" = "orderer" ]; then - SERVICE_NAME="${SERVICE}" - checkSecret ${SERVICE_NAME}-tls tls_${SERVICE_NAME} - fi; - - done - - if [ $COMPONENT_TYPE == 'peer' ]; - then - # Check if msp config file already created - checkSecret msp-config config_file - checkSecret orderer-tls orderer_tls_cert - fi; - - if [ "$USERS_IDENTITIES" ] - then - for user_identity in $USERS_IDENTITIES - do - # Check if users tls already created - checkSecret ${user_identity}-tls tls_${user_identity} - # Check if users msp already created for users - checkSecret ${user_identity}-msp msp_${user_identity} - done - fi - volumeMounts: - - name: ca-tools-pv - mountPath: /root/ca-tools - - name: ca-tools-crypto-pv - mountPath: /crypto-config - - name: certcheck - mountPath: /certcheck - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - containers: - - name: ca-tools - image: "{{ .Values.image.caTools }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: COMPONENT_TYPE - value: {{ $.Values.orgData.type }} - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: ORG_NAME_EXT - value: {{ 
$.Values.orgData.orgName }} - - name: REFRESH_CERTS - value: "{{ $.Values.checks.refreshCertValue }}" - - name: ADD_PEER - value: "{{ $.Values.checks.addPeerValue }}" - - name: ORDERERS_NAMES - value: "{{ $.Values.orderers | join " " -}}" - - name: PEERS_NAMES - value: "{{ $.Values.peers | join " " -}}" - - name: PEERS_COUNT - value: "{{ len $.Values.peers }}" - - name: USERS - value: {{ $.Values.users.usersList | toJson | b64enc }} - - name: USERS_ANSIBLE - value: {{ $.Values.users.usersListAnsible }} - - name: USERS_IDENTITIES - value: "{{ $.Values.users.usersIdentities | join " " -}}" - - name: SUBJECT - value: {{ .Values.orgData.componentSubject }} - - name: CERT_SUBJECT - value: {{ .Values.orgData.certSubject }} - - name: CA_URL - value: {{ .Release.Name }}.{{ .Release.Namespace }}:7054 - - name: EXTERNAL_URL_SUFFIX - value: {{ .Values.global.proxy.externalUrlSuffix }} - - name: PROXY - value: {{ .Values.global.proxy.provider }} - - name: MOUNT_PATH - value: "/certcheck" - command: ["sh", "-c"] - args: - - |- - . 
/scripts/package-manager.sh - # Define the packages to install - packages_to_install="jq" - install_packages "$packages_to_install" - - if [ "$COMPONENT_TYPE" = "orderer" ]; then - if [ -e ${MOUNT_PATH}/absent_msp.txt ]; then - ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" - ORG_CYPTO_ORDERER_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/orderers" - - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - if [ -n "$SK_NAME" ]; then - rm ${ORG_CYPTO_FOLDER}/msp/keystore/*_sk - rm /root/ca-tools/${ORG_NAME_EXT}/admin/msp/keystore/*_sk - rm /root/ca-tools/${ORG_NAME_EXT}/admin/tls/keystore/*_sk - fi; - - # Generate crypto material for organization orderers (admin) - cd /root/ca-tools/${ORG_NAME_EXT} - ./generate-crypto-orderer.sh - fi; - - # Generate crypto material for organization orderers (for each orderer) - for ORDERER_NAME in $ORDERERS_NAMES - do - if [ -e ${MOUNT_PATH}/absent_msp_${ORDERER_NAME}.txt ]; then - echo "need to execute scripts for ${ORDERER_NAME}" - SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") - if [ -n "$SK_NAME" ]; then - rm ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/*_sk - rm /root/ca-tools/${ORG_NAME_EXT}/cas/orderers/msp/keystore/*_sk - rm /root/ca-tools/${ORG_NAME_EXT}/cas/orderers/tls/keystore/*_sk - fi; - cd /root/ca-tools/${ORG_NAME_EXT} - ./orderer-script.sh ${ORDERER_NAME} - fi; - done - fi; - - if [ "$COMPONENT_TYPE" = "peer" ]; then - - for PEER in $PEERS_NAMES - do - PEER_NAME="${PEER%%,*}" - - if [ -e ${MOUNT_PATH}/absent_msp.txt ] || [ -e ${MOUNT_PATH}/absent_msp_${PEER_NAME}.txt ] || [ "$REFRESH_CERTS" = "true" ]; then - - ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" - - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - if [ -n "$SK_NAME" ]; then - rm ${ORG_CYPTO_FOLDER}/msp/keystore/*_sk - 
rm /root/ca-tools/${ORG_NAME_EXT}/admin/msp/keystore/*_sk - rm /root/ca-tools/${ORG_NAME_EXT}/admin/tls/keystore/*_sk - fi; - - # Generate crypto material for organization peers - cd /root/ca-tools/${ORG_NAME_EXT} - if [ "$ADD_PEER" = "false" ]; then - ./generate-crypto-peer.sh - break - else - ./generate-crypto-add-peer.sh - break - fi; - fi; - done - - # Generate crypto material for users - for USER in $USERS_IDENTITIES - do - if ([ "$USERS" ] && [ -e ${MOUNT_PATH}/absent_msp_${USER}.txt ]) || [ "$REFRESH_CERTS" = "true" ] - then - cd /root/ca-tools/${ORG_NAME_EXT} - if [ -z "$USERS_ANSIBLE" ]; - then - ./generate-user-crypto.sh peer ${USERS} - else - ./generate-user-crypto.sh peer ${USERS_ANSIBLE} - fi - break - fi; - done - fi; - - # this command creates the indicator of the completion of scripts - touch ${MOUNT_PATH}/flag_finish.txt - tail -f /dev/null - volumeMounts: - - name: ca-tools-pv - mountPath: /root/ca-tools - - name: ca-tools-crypto-pv - mountPath: /crypto-config - - name: certcheck - mountPath: /certcheck - - name: generate-crypto - mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-orderer.sh - subPath: generate-crypto-orderer.sh - - name: generate-orderer-crypto - mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/orderer-script.sh - subPath: orderer-script.sh - - name: generate-crypto-peer - mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-peer.sh - subPath: generate-crypto-peer.sh - - name: generate-crypto-add-peer - mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-add-peer.sh - subPath: generate-crypto-add-peer.sh - - name: generate-user-crypto - mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-user-crypto.sh - subPath: generate-user-crypto.sh - - name: package-manager - mountPath: /scripts/package-manager.sh - subPath: package-manager.sh - - name: store-vault - image: {{ $.Values.image.alpineUtils }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - 
env: - - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} - - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} - - name: VAULT_TYPE - value: {{ $.Values.global.vault.type }} - - name: VAULT_SECRET_ENGINE - value: "{{ .Values.global.vault.secretEngine }}" - - name: VAULT_SECRET_PREFIX - value: "{{ .Values.global.vault.secretPrefix }}" - - name: ORG_NAME_EXT - value: {{ $.Values.orgData.orgName }} - - name: COMPONENT_TYPE - value: {{ $.Values.orgData.type }} - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: REFRESH_CERTS - value: "{{ $.Values.checks.refreshCertValue }}" - - name: PROXY - value: {{ .Values.global.proxy.provider }} - - name: EXTERNAL_URL_SUFFIX - value: {{ .Values.global.proxy.externalUrlSuffix }} - - name: ORDERERS_NAMES - value: "{{ $.Values.orderers | join " " -}}" - - name: PEERS_NAMES - value: "{{ $.Values.peers | join " " -}}" - - name: USERS_IDENTITIES - value: "{{ $.Values.users.usersIdentities | join " " -}}" - - name: MOUNT_PATH - value: "/certcheck" - command: ["sh", "-c"] - args: - - |- - . /scripts/package-manager.sh - # Define the packages to install - packages_to_install="jq curl bash kubectl" - install_packages "$packages_to_install" - - while ! 
[ -f ${MOUNT_PATH}/flag_finish.txt ] - do - echo 'Waiting for completion of scripts' - sleep 2s - done - - ls - if [ -e /${MOUNT_PATH}/flag_finish.txt ]; then - if [ "$COMPONENT_TYPE" = "orderer" ]; then - # Generate crypto material for organization orderers - cd /scripts/orderer - ./store-vault-orderer.sh - fi; - - if [ "$COMPONENT_TYPE" = "peer" ]; then - # Generate crypto material for organization peers - cd /scripts/peer - ./store-vault-peer.sh - if [ "$USERS_IDENTITIES" ] - then - cd /scripts/peer - ./store-vault-users.sh - fi; - fi; - fi; - - # Raises an error if any certificate has not been stored correctly - if [ -e /certcheck/certs_not_found.txt ]; then - exit 1 - fi - tail -f /dev/null - volumeMounts: - - name: ca-tools-pv - mountPath: /root/ca-tools - - name: ca-tools-crypto-pv - mountPath: /crypto-config - - name: certcheck - mountPath: /certcheck - - name: store-vault-orderer - mountPath: /scripts/orderer/store-vault-orderer.sh - subPath: store-vault-orderer.sh - - name: store-vault-peer - mountPath: /scripts/peer/store-vault-peer.sh - subPath: store-vault-peer.sh - - name: store-vault-users - mountPath: /scripts/peer/store-vault-users.sh - subPath: store-vault-users.sh - {{ if and (eq $.Values.orgData.type "peer") (ne $.Values.global.proxy.provider "none") }} - - name: no-none-config - mountPath: /crypto-config/peerOrganizations/{{ .Release.Namespace }}/msp/config.yaml - subPath: no-none-config.yaml - {{ end }} - {{ if and (eq $.Values.orgData.type "peer") (eq $.Values.global.proxy.provider "none") }} - - name: none-config - mountPath: /crypto-config/peerOrganizations/{{ .Release.Namespace }}/msp/config.yaml - subPath: none-config.yaml - {{ end }} - {{- $file := .Files.Get "files/orderer.crt" }} - {{ if and (eq $.Values.orgData.type "peer") $file }} - - name: orderer-tls-cacert - mountPath: /tlscerts/orderer.crt - subPath: orderer.crt - {{- end }} - - name: package-manager - mountPath: /scripts/package-manager.sh - subPath: package-manager.sh - - 
name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/orderer-job-cleanup.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/job-cleanup.yaml similarity index 55% rename from platforms/hyperledger-fabric/charts/fabric-orderernode/templates/orderer-job-cleanup.yaml rename to platforms/hyperledger-fabric/charts/fabric-catools/templates/job-cleanup.yaml index dc8b1be6e6d..4689847725b 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/orderer-job-cleanup.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/job-cleanup.yaml @@ -1,15 +1,21 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## --- apiVersion: batch/v1 kind: Job metadata: - name: {{ include "fabric-orderernode.name" . }}-cleanup + name: {{ .Release.Name }}-certs-cleanup + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: fabric-orderernode-job-cleanup - app.kubernetes.io/component: orderernode-job-cleanup - app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/name: {{ include "fabric-catools.name" . }}-cleanup + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - namespace: {{ .Release.Namespace }} annotations: helm.sh/hook-weight: "0" helm.sh/hook: "pre-delete" 
@@ -20,28 +26,30 @@ spec: template: metadata: labels: - app.kubernetes.io/name: fabric-orderernode-job-cleanup - app.kubernetes.io/component: orderernode-job-cleanup - app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/name: {{ include "fabric-catools.name" . }}-cleanup + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm spec: serviceAccountName: {{ .Values.global.serviceAccountName }} restartPolicy: "Never" + {{- if .Values.image.pullSecret }} + imagePullSecrets: + - name: {{ .Values.image.pullSecret }} + {{- end }} containers: - name: delete-secrets - image: "{{ $.Values.image.alpineUtils }}" + image: {{ .Values.image.alpineUtils }} securityContext: runAsUser: 0 imagePullPolicy: IfNotPresent - env: - - name: ORDERERS_NAMES - value: "{{ $.Values.catools.orderers | join " " -}}" command: ["sh", "-c"] args: - - |- -{{- if .Values.settings.removeCertsOnDelete }} + - | +{{- if .Values.settings.removeCertsOnDelete }} function deleteSecret { key=$1 kubectl get secret ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 
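Review bot: The image reference lost its quotes in this hunk (`image: "{{ $.Values.image.alpineUtils }}"` became `image: {{ .Values.image.alpineUtils }}`), so an empty `alpineUtils` renders as a YAML null instead of a string and a value with a leading YAML indicator would misparse; keep it quoted, `image: "{{ .Values.image.alpineUtils }}"`. The hook also hard-codes `imagePullPolicy: IfNotPresent` although `image.pullPolicy` is now exposed in values.yaml; use `imagePullPolicy: {{ .Values.image.pullPolicy }}` as the new job.yaml does. `securityContext: runAsUser: 0` predates this change, but the container only runs `kubectl get`/`kubectl delete` with the service account's token and needs no root; consider dropping it or setting a non-root UID while this template is being reworked.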
@@ -52,25 +60,16 @@ spec: deleteSecret admin-tls deleteSecret admin-msp - - for ORDERER in $ORDERERS_NAMES - do - ORDERER_NAME="${ORDERER}" - deleteSecret ${ORDERER_NAME}-msp - deleteSecret ${ORDERER_NAME}-tls - done - -{{- end}} - + deleteSecret {{ .Release.Name }}-msp + deleteSecret {{ .Release.Name }}-tls + {{- range .Values.users.usersList }} + deleteSecret {{ .identity }}-msp + deleteSecret {{ .identity }}-tls + {{ end }} +{{- end}} {{- if .Values.settings.removeOrdererTlsOnDelete }} - if kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert &> /dev/null; then echo "Deleting orderer-tls-cacert configmap in k8s ..." kubectl delete configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert fi - if kubectl get configmap --namespace {{ .Release.Namespace }} admin-msp &> /dev/null; then - echo "Deleting admin-msp configmap in k8s ..." - kubectl delete configmap --namespace {{ .Release.Namespace }} admin-msp - fi {{- end}} - diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/job.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/job.yaml new file mode 100644 index 00000000000..89834782ede --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/job.yaml 
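Review bot: With node secrets now named per release (`deleteSecret {{ .Release.Name }}-msp` / `-tls`), the unconditional `deleteSecret admin-tls` and `deleteSecret admin-msp` lines kept as context remove the organization-wide admin identity whenever any single node release is uninstalled; if several peer or orderer releases share a namespace, which the per-release naming suggests, the remaining nodes lose the admin MSP they depend on. Guard those two calls behind a dedicated value, e.g. `{{- if .Values.settings.removeAdminCertsOnDelete }}`, or state in values.yaml that `removeCertsOnDelete` also wipes `admin-msp`/`admin-tls`. The `{{ end }}` closing the `range` lacks the left trim the surrounding tags use (`{{- end }}`), so every iteration leaves a stray indented blank line in the rendered script; harmless for sh but inconsistent with the rest of the template.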
@@ -0,0 +1,300 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-certs-job + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-delete-policy: "before-hook-creation" + labels: + app.kubernetes.io/name: {{ include "fabric-catools.name" . }}-job + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +spec: + backoffLimit: 6 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "fabric-catools.name" . }} + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + spec: + restartPolicy: OnFailure + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} + imagePullSecrets: + - name: {{ .Values.image.pullSecret }} + {{- end }} + volumes: + - name: certificates + emptyDir: + medium: Memory + - name: generate-crypto + configMap: + name: crypto-scripts-cm + defaultMode: 0775 + items: + - key: generate-crypto-orderer.sh + path: generate-crypto-orderer.sh + - name: generate-orderer-crypto + configMap: + name: crypto-scripts-cm + defaultMode: 0775 + items: + - key: orderer-script.sh + path: orderer-script.sh + - name: generate-crypto-peer + configMap: + name: crypto-scripts-cm + defaultMode: 0775 + items: + - key: generate-crypto-peer.sh + path: generate-crypto-peer.sh + - name: generate-crypto-add-peer + configMap: + name: crypto-scripts-cm + defaultMode: 0775 + items: + - key: generate-crypto-add-peer.sh + path: generate-crypto-add-peer.sh + - name: generate-user-crypto + configMap: + name: crypto-scripts-cm + defaultMode: 0775 + items: + - key: generate-user-crypto.sh + path: generate-user-crypto.sh + - name: store-vault-orderer + configMap: + name: orderer-script-store-vault + defaultMode: 0775 + items: + - key: store-vault-orderer.sh + path: store-vault-orderer.sh + - name: store-vault-peer + configMap: + name: peer-script-store-vault + defaultMode: 0775 + items: + - key: store-vault-peer.sh + path: store-vault-peer.sh + - name: store-vault-users + configMap: + name: users-script-store-vault + defaultMode: 0775 + items: + - key: store-vault-users.sh + path: store-vault-users.sh + - name: scripts-volume + configMap: + name: bevel-vault-script + - name: package-manager + configMap: + name: package-manager + containers: + - name: generate-certs + image: "{{ .Values.image.caTools }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - 
name: COMPONENT_TYPE + value: {{ .Values.orgData.type }} + - name: COMPONENT_NAME + value: {{ .Release.Namespace }} + - name: ADD_PEER + value: "{{ .Values.settings.addPeerValue }}" + - name: USERS + value: {{ .Values.users.usersList | toJson | b64enc }} + - name: USERS_ANSIBLE + value: {{ .Values.users.usersListAnsible }} + - name: REFRESH_CERT_VALUE + value: "{{ .Values.settings.refreshCertValue }}" + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: VAULT_ADDR + value: {{ .Values.global.vault.address }} + - name: VAULT_APP_ROLE + value: {{ .Values.global.vault.role }} + - name: KUBERNETES_AUTH_PATH + value: {{ .Values.global.vault.authPath }} + - name: VAULT_TYPE + value: {{ .Values.global.vault.type }} + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" + {{- end }} + command: ["sh", "-c"] + args: + - | + + . /scripts/package-manager.sh + # Define the packages to install + packages_to_install="jq curl" + install_packages "$packages_to_install" + # Download kubectl binary + curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl; + chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl; + +{{- if (eq .Values.global.vault.type "hashicorp") }} + . /scripts/bevel-vault.sh + echo "Getting vault Token..." + vaultBevelFunc "init" +{{- end }} + OUTPUT_PATH="/crypto-config/${COMPONENT_TYPE}Organizations/${COMPONENT_NAME}" + mkdir -p ${OUTPUT_PATH}/ca + mkdir -p ${OUTPUT_PATH}/msp/admincerts + # Get the CA cert from Kubernetes secret + kubectl get secret --namespace {{ .Release.Namespace }} fabric-ca-server-certs >/dev/null 2>&1 + if [ $? 
-eq 0 ]; then + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} fabric-ca-server-certs -o jsonpath='{.data}'); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"tls.crt\"" | base64 -d > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem; + else +{{- if (eq .Values.global.vault.type "hashicorp") }} + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" + if [ "$SECRETS_AVAILABLE" = "yes" ]; then + # Get ca cert + ca_cert=$(echo ${VAULT_SECRET} | jq -r ".rootca_pem") + echo "${ca_cert}" > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem + ca_key=$(echo ${VAULT_SECRET} | jq -r ".rootca_key") + echo "${ca_key}" > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}.key + # Also create the k8s secret + kubectl create secret tls ${key} --namespace ${COMPONENT_NAME} \ + --cert=${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem \ + --key=${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}.key + else + echo "CA certs not found in Vault" + exit 1 + fi; +{{- else }} + echo "CA certs not found in Kubernetes secret" + exit 1 +{{- end }} + fi + echo "CA certificate saved locally." + checkSecrets() { + type=$1 + key=$2 + kubectl get secret --namespace {{ .Release.Namespace }} ${key} >/dev/null 2>&1 + if [ $? 
-eq 0 ]; then + # Secret found + touch /crypto-config/${key}-exists + if [ $key = "admin-msp" ]; then + # Get the admin cert if admin-msp already exists + LOOKUP_SECRET_RESPONSE=$(kubectl get secret --namespace {{ .Release.Namespace }} ${key} -o jsonpath='{.data}'); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"admincerts\"" | base64 -d > ${OUTPUT_PATH}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem; + fi + else +{{- if (eq .Values.global.vault.type "hashicorp") }} + #Read if secret exists in Vault + vaultBevelFunc 'readJson' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${type}/${key}" + if [ "$SECRETS_AVAILABLE" = "yes" ]; then + touch /crypto-config/${key}-exists + #TODO Maybe create the K8s secrets from Vault secrets here if needed + fi; +{{- else }} + echo "Secret $key does not exist." +{{- end }} + fi + } + + # Check if secrets already exist + checkSecrets users admin-msp + checkSecrets users admin-tls + checkSecrets ${COMPONENT_TYPE}s {{ .Release.Name }}-msp + checkSecrets ${COMPONENT_TYPE}s {{ .Release.Name }}-tls + + echo "Starting certificate generation." + if [ "$COMPONENT_TYPE" = "orderer" ]; then + # Generate crypto material for organization orderers (admin) + cd /root/ca-tools/org + ./generate-crypto-orderer.sh + + if [ ! -e /crypto-config/{{ .Release.Name }}-msp-exists ] || [ ! -e /crypto-config/{{ .Release.Name }}-tls-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + # Generate crypto material for organization orderer + echo "Need to execute scripts for orderer {{ .Release.Name }}" + cd /root/ca-tools/org + ./orderer-script.sh {{ .Release.Name }} + fi + + # Save the generated certificates + cd /scripts/orderer + ./store-vault-orderer.sh {{ .Release.Name }} + fi + + if [ "$COMPONENT_TYPE" = "peer" ]; then + # Generate crypto material for organization peer (admin) + cd /root/ca-tools/org + if [ "$ADD_PEER" = "false" ]; then + ./generate-crypto-peer.sh {{ .Release.Name }} + else + if [ ! -e /crypto-config/{{ .Release.Name }}-msp-exists ] || [ ! 
-e /crypto-config/{{ .Release.Name }}-tls-exists ] || [ "$REFRESH_CERT_VALUE" = "true" ]; then + ./generate-crypto-add-peer.sh {{ .Release.Name }} + fi + fi; + {{- range .Values.users.usersList }} + checkSecrets users {{ .identity }}-msp + checkSecrets users {{ .identity }}-tls + {{ end }} + # Generate crypto material for users + cd /root/ca-tools/org + if [ -z "$USERS_ANSIBLE" ]; + then + ./generate-user-crypto.sh peer ${USERS} + else + ./generate-user-crypto.sh peer ${USERS_ANSIBLE} + fi + + # Save the generated certificates for peers and users + cd /scripts/peer + ./store-vault-peer.sh {{ .Release.Name }} + cd /scripts/peer + {{- range .Values.users.usersList }} + ./store-vault-users.sh {{ .identity }} + {{ end }} + fi; + # this command creates the indicator of the completion of scripts + echo "Certificate generation complete." + volumeMounts: + - name: certificates + mountPath: /crypto-config + - name: generate-crypto + mountPath: /root/ca-tools/org/generate-crypto-orderer.sh + subPath: generate-crypto-orderer.sh + - name: generate-orderer-crypto + mountPath: /root/ca-tools/org/orderer-script.sh + subPath: orderer-script.sh + - name: generate-crypto-peer + mountPath: /root/ca-tools/org/generate-crypto-peer.sh + subPath: generate-crypto-peer.sh + - name: generate-crypto-add-peer + mountPath: /root/ca-tools/org/generate-crypto-add-peer.sh + subPath: generate-crypto-add-peer.sh + - name: generate-user-crypto + mountPath: /root/ca-tools/org/generate-user-crypto.sh + subPath: generate-user-crypto.sh + - name: package-manager + mountPath: /scripts/package-manager.sh + subPath: package-manager.sh + - name: store-vault-orderer + mountPath: /scripts/orderer/store-vault-orderer.sh + subPath: store-vault-orderer.sh + - name: store-vault-peer + mountPath: /scripts/peer/store-vault-peer.sh + subPath: store-vault-peer.sh + - name: store-vault-users + mountPath: /scripts/peer/store-vault-users.sh + subPath: store-vault-users.sh + - name: scripts-volume + mountPath: 
/scripts/bevel-vault.sh + subPath: bevel-vault.sh diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml deleted file mode 100644 index 28e72237dd7..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml +++ /dev/null @@ -1,38 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ca-tools-crypto-pvc - namespace: {{ .Release.Namespace }} - annotations: - {{ include "labels.pvc" . | nindent 2 }} -spec: - storageClassName: storage-{{ .Release.Name }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ $.Values.storage.size }} - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ca-tools-pvc - namespace: {{ .Release.Namespace }} - annotations: - {{ include "labels.pvc" . | nindent 2 }} -spec: - storageClassName: storage-{{ .Release.Name }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ $.Values.storage.size }} - diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml index 5a0b168c9fb..82f43b89efc 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml @@ -26,9 +26,6 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imageSecretName: "" proxy: #This will be the proxy/ingress provider. Can have values "haproxy" or "none" 
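Review bot: The `generate-certs` container fetches `kubectl` at run time with `curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl` and executes it with the job's service-account token without any checksum or signature check, so a substituted download inherits the chart's Kubernetes permissions; the deleted Deployment installed kubectl through the package manager instead. Use `curl -fsSL` (so an HTTP error does not leave an HTML or zero-byte file that `chmod u+x` then makes executable), fetch the published `kubectl.sha256` next to it and verify with `sha256sum -c` before the `mv`, or bake kubectl into the `caTools` image. Separately, in the Vault fallback branch `kubectl create secret tls ${key} --namespace ${COMPONENT_NAME}` uses `${key}` before anything assigns it (the only `key=` is inside `checkSecrets`, defined later), so the secret name renders empty; presumably `fabric-ca-server-certs` was intended, since that is the secret the preceding lookup reads. Because the script runs without `set -e`, neither that failure nor a failing `generate-crypto-*.sh`/`store-vault-*.sh` step stops the job, which still logs "Certificate generation complete." and exits 0; add `set -e` at the top of the script or check each script's exit status.
```yaml
          args:
            - |
              set -e
              # … unchanged: package-manager install of jq and curl …
              # Download kubectl and verify it against the published checksum before executing it
              KUBECTL_VERSION="v1.27.0"
              KUBECTL_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64"
              curl -fsSLo kubectl "${KUBECTL_URL}/kubectl"
              curl -fsSLo kubectl.sha256 "${KUBECTL_URL}/kubectl.sha256"
              echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - || { echo "kubectl checksum mismatch"; exit 1; }
              chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl
              # … unchanged: vault init, CA cert lookup, checkSecrets, generation and store steps …
```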
@@ -38,91 +35,65 @@ global: #Eg. externalUrlSuffix: test.blockchaincloudpoc.com externalUrlSuffix: test.blockchaincloudpoc.com -# Provide the number of replica pods -replicaCount: 1 - image: #Provide the image name for the server container - #Eg. image: hyperledger/fabric-ca-tools + #Eg. caTools: hyperledger/fabric-ca-tools:latest caTools: ghcr.io/hyperledger/bevel-fabric-ca:latest - # Provide image pull policy - pullPolicy: IfNotPresent #Provide the valid image name and version to read certificates from vault server #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest - -storage: - #Provide the size for CA - #Eg. size: 512Mi - size: 512Mi - -healthCheck: - # The amount of times to retry fetching from/writing to Vault before giving up. - # Eg. retries: 10 - retries: 10 - # The amount of time in seconds to wait after an error occurs when fetching from/writing to Vault. - # Eg. sleepTimeAfterError: 15 - sleepTimeAfterError: 15 + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: + # Provide image pull policy + pullPolicy: IfNotPresent orgData: + #Provide the CA URL for the organization without https + #Eg. caAddress: ca.example.com + caAddress: + #Provide the CA Admin User for the organization + #Eg. caAdminUser: admin + caAdminUser: supplychain-admin + #Provide the CA Admin Password for the organization + #Eg. caAdminPassword: adminpw + caAdminPassword: supplychain-adminpw #Provide organization's name in lowercases #Eg. orgName: supplychain orgName: supplychain #Provide organization's type (orderer or peer) - #Eg. component_type: orderer - type: - #Provide organization's subject - #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - componentSubject: + #Eg. type: orderer + type: orderer #Provide organization's subject - #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - certSubject: - #Provide organization's country - #Eg. 
UK - componentCountry: UK - #Provide organization's state - #Eg. London - componentState: London - #Provide organization's location - #Eg. Lodon - componentLocation: Lodon - -#Provide orderer's names -orderers: - - orderer1 - - orderer2 - - orderer3 - -#Provide peer's names -peers: - - peer0-carrier + #Eg. componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" + componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" users: # Generating User Certificates with custom attributes using Fabric CA in Bevel for Peer Organizations usersList: - - user: - identity: user1 - attributes: - - key: "hf.Revoker" - value: "true" - - user: - identity: user2 + - identity: user1 attributes: - key: "hf.Revoker" value: "true" + # - identity: user2 + # attributes: + # - key: "hf.Revoker" + # value: "true" #Base64 encoded list of users - #Eg. IC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMQogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgIgICAgICAgIC0ga2V5OiBrZXkyCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMgogICAgICAgIC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMgogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgICAgICAgICB2YWx1ZTogdmFsdWUxCiAgICAgICAgICAgIC0ga2V5OiBrZXkzCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMw== + #Eg. usersListAnsible: IC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMQogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgIgICAgICAgIC0ga2V5OiBrZXkyCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMgogICAgICAgIC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMgogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgICAgICAgICB2YWx1ZTogdmFsdWUxCiAgICAgICAgICAgIC0ga2V5OiBrZXkzCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMw== usersListAnsible: - #Provides a list of user identities - usersIdentities: - - user1 - - user2 -checks: - #Provides the need to refresh user certificates +settings: + #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others. 
+ createConfigMaps: true + #Flag to refresh user certificates refreshCertValue: false - #Add a peer to an existing network - addPeerValue: False + #Flag to add a peer to an existing network + addPeerValue: false + #Flag to remove certificates on uninstall + removeCertsOnDelete: false + #Flag to remove orderer certificates on uninstall + removeOrdererTlsOnDelete: false labels: service: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-create/Chart.yaml index c6b3bbdb988..46a9ce16dd2 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-create/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/Chart.yaml @@ -6,12 +6,12 @@ apiVersion: v1 name: fabric-channel-create -description: "Hyperledger Fabric: Creates channel." -version: 1.0.0 +description: "Hyperledger Fabric: Creates channel" +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/README.md b/platforms/hyperledger-fabric/charts/fabric-channel-create/README.md index 54fb87f8c7a..fa2153fa56c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-create/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/README.md 
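Review bot: The new `orgData.caAdminUser` / `orgData.caAdminPassword` keys ship a working CA admin password (`supplychain-adminpw`) as a plain-text default, so every release that does not override it enrols the organisation CA admin with a publicly known credential, and whatever value is used is also persisted in the Helm release Secret and printed by `helm get values`. Leave the default empty and refuse to render without it, e.g. `caAdminPassword: ""` here and `{{ required "orgData.caAdminPassword must be set" .Values.orgData.caAdminPassword }}` where the template consumes it, or better, take the name of an existing Kubernetes Secret / Vault path instead of the password itself. The comment above `pullSecret:` should also say that leaving it empty skips `imagePullSecrets` entirely, since the bare key parses as null (presumably the template guards it with an `if`, as the channel-create chart does). The `caAddress:` comment says "without https" but gives no example of the expected host:port form, which is the kind of value people get wrong silently.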
@@ -3,198 +3,98 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Create Channel Hyperledger Fabric Deployment - -- [Create Channel Hyperledger Fabric Deployment](#create-channel-hyperledger-fabric-deployment) - - [Create Channel Hyperledger Fabric Deployment Helm Chart](#create-channel-hyperledger-fabric-deployment-helm-chart) - - [Prerequisites](#prerequisites) - - [Chart Structure](#chart-structure) - - [Configuration](#configuration) - - [Metadata](#metadata) - - [Deployment](#deployment) - - [Peer](#peer) - - [Vault](#vault) - - [Channel](#channel) - - [Orderer](#orderer) - - [Other](#other) - - [Deployment](#deployment-1) - - [Verification](#verification) - - [Updating the Deployment](#updating-the-deployment) - - [Deletion](#deletion) - - [Contributing](#contributing) - - [License](#license) - - [Attribution](#attribution) - - - -## Create Channel Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-channel-create) to create a channel. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. +# fabric-channel-create +This chart is a component of Hyperledger Bevel. The fabric-channel-create chart deploys a Kubernetes job to create a channel. This chart should be executed after the [fabric-genesis](../fabric-genesis/README.md) chart and the channeltx should be present in `files`. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. 
- -## Chart Structure ---- -The structure of the Helm chart is as follows: +## TL;DR +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install allchannel bevel/fabric-channel-create ``` -fabric-channel-create/ - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- create_channel.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Store configuration data that can be consumed by containers. The first ConfigMap stores various configuration data as key-value pairs and the second ConfigMap stores the base64-encoded content of the channel configuration file (channel.tx.base64). -- `create_channel.yaml`: The certificates-init fetches TLS certificates from a Vault server and stores them in a local directory. The createchannel fetches the channel configuration file from a local directory and checks to see if the channel already exists. If the channel does not exist, the createchannel creates the channel. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. 
Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------------------|---------------------------------------------------| -| namespace | Provide the namespace for organization's peer | org1-net | -| images.fabrictools | Valid image name and version for fabric tools | ghcr.io/hyperledger/bevel-fabric-tools:2.2.2 | -| images.alpineutils | Valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Custom labels (other than specified) | "" | - - -### Deployment - -| Name | Description | Default Value | -| ------------ | ------------------------------------------- | -------------- | -| annotations | Deployment annotations | "" | - -### Peer - -| Name | Description | Default Value | -| --------------| ----------------------------------------------| ------------------------------| -| name | Name of the peer as per deployment yaml | peer0 | -| address | Address of the peer and grpc cluster IP port | peer0.org1-net:7051 | -| localmspid | Local MSP ID for organization | Org1MSP | -| loglevel | Log level for organization's peer | debug | -| tlsstatus | True or False for organization's peer | true | - -### Vault - -| Name | Description | Default Value | -| ------------------- | --------------------------------------------------------------------| ------------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault server address | "" | -| authpath | Kubernetes auth backend configured in vault for the organization | devorg1-net-auth | -| adminsecretprefix | Vault secret prefix for admin | secretsv2/data/crypto/peerOrganizations/org1-net/users/admin | -| orderersecretprefix | Vault secret prefix for orderer | secretsv2/data/crypto/peerOrganizations/org1-net/orderer | -| serviceaccountname | Service account name for vault | vault-auth | -| type | 
Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for vault | "" | -| tls | Vault ca.cert Kubernetes secret | "" | - -### Channel - -| Name | Description | Default Value | -| ------ | --------------------------------- | -------------- | -| name | Name of the channel | mychannel | - -### Orderer - -| Name | Description | Default Value | -| ------- | ----------------------------| --------------------------| -| address | Address for the orderer | orderer1.org1proxy.blockchaincloudpoc.com:443 | - -### Other - -| Name | Description | Default Value | -| ---------- | ---------------------------------------------| --------------- | -| channeltx | Base64 encoded file contents for channeltx | "" | +## Prerequisites - -## Deployment ---- +- Kubernetes 1.19+ +- Helm 3.2.0+ -To deploy the fabric-channel-create Helm chart, follow these steps: +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-channel-create - ``` -Replace `` with the desired name for the release. +Also, [fabric-genesis](../fabric-genesis/README.md) chart should be installed. Then you can get the channeltx with following commands: -This will deploy the fabric-channel-create node to the Kubernetes cluster based on the provided configurations. 
+```bash +cd ./fabric-channel-create/files +kubectl --namespace supplychain-net get configmap allchannel-channeltx -o jsonpath='{.data.allchannel-channeltx_base64}' > channeltx.json +``` +## Installing the Chart - -## Verification ---- +To install the chart with the release name `allchannel`: -To verify the deployment, we can use the following command: -``` -$ kubectl get jobs -n +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install allchannel bevel/fabric-channel-create ``` -Replace `` with the actual namespace where the Job was created. This command will display information about the Job, including the number of completions and the current status of the Job's pods. +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -## Updating the Deployment ---- +> **Tip**: List all releases using `helm list` -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-channel-create -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-channel-create node is up to date. +## Uninstalling the Chart +To uninstall/delete the `allchannel` deployment: - -## Deletion ---- - -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall +```bash +helm uninstall allchannel ``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. This chart is only used for `2.2.x` | `2.2.2` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `fabric` | +| `global.vault.address`| URL of the Vault server. 
| `""` | +| `global.vault.authPath` | Authentication path for Vault | `carrier` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/carrier` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.fabricTools` | Fabric Tools image repository | `ghcr.io/hyperledger/bevel-fabric-tools` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Create Channel Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-create), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +### Peer +| Name | Description | Default Value | +|--------|---------|-------------| +| `peer.name` | Name of the Peer that is creating the channel | `peer0` | +| `peer.address` | Peer Internal or External Address with port | `peer0.carrier-net:7051` | +| `peer.localMspId` | Peer MSP ID | `carrierMSP` | +| `peer.logLevel` | Peer Log Level | `debug` | +| `peer.tlsStatus` | TLS status of the peer | `true` | +| `peer.ordererAddress` | Orderer Internal or External Address with port for Peer to connect | `orderer1.supplychain-net:7050` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution 
diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/files/readme.txt b/platforms/hyperledger-fabric/charts/fabric-channel-create/files/readme.txt new file mode 100644 index 00000000000..bf16a121ea7 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/files/readme.txt @@ -0,0 +1 @@ +This is a dummy file. Place the channeltx_base64 file in this directory.. \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/_helpers.tpl index c3413f6de17..4b4d123f9eb 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/_helpers.tpl 
@@ -27,32 +27,20 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "labels.deployment" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.deployment }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "labels.service" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.service }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "labels.pvc" -}}
-{{- if $.Values.labels }}
-{{- range $key, $value := $.Values.labels.pvc }}
-{{- range $k, $v := $value }}
- {{ $k }}: {{ $v | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
+{{/*
+Create orderer tls configmap name depending on Configmap existance
+*/}}
+{{- define "fabric-channel-create.orderercrt" -}}
+{{- $secret := lookup "v1" "ConfigMap" .Release.Namespace "orderer-tls-cacert" -}}
+{{- if $secret -}}
+{{/*
+ Use this configmap
+*/}}
+{{- printf "orderer-tls-cacert" -}}
+{{- else -}}
+{{/*
+ Use the release configmap
+*/}}
+{{- printf "%s-orderer-tls-cacert" $.Values.peer.name -}}
+{{- end -}}
+{{- end -}}
diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/configmap.yaml
index f6e7ea70b6b..39a6c936fe9 100644
--- a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/configmap.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/configmap.yaml
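Review bot: `fabric-channel-create.orderercrt` selects the orderer TLS trust anchor with `lookup`, which returns an empty map under `helm template`, `--dry-run` and any tool that renders without cluster access, so those paths silently fall back to `<peer.name>-orderer-tls-cacert` and the rendered Job differs from a live install. Because this ConfigMap is what `--cafile` ends up trusting for the orderer connection, the choice should be explicit rather than inferred from whichever ConfigMap happens to exist in the namespace: a value such as `peer.ordererTlsConfigMap` used verbatim when set, with the `lookup` only as the fallback. The local is also named `$secret` although it holds a ConfigMap; `$cm` plus a comment `{{/* NOTE: lookup is empty during helm template/dry-run, so the release ConfigMap is used then */}}` would make the behaviour obvious to the next reader. Minor: `existance` → `existence` in the header comment.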
@@ -9,45 +9,40 @@ kind: ConfigMap
 metadata:
 name: {{ .Release.Name }}-config
 namespace: {{ .Release.Namespace }}
- annotations:
- {{- include "labels.deployment" . | nindent 2 }}
 labels:
 app: {{ .Release.Name }}
- app.kubernetes.io/name: createchannel-{{ .Release.Name }}
- app.kubernetes.io/component: fabric-channel-create-job
+ app.kubernetes.io/name: {{ .Release.Name }}-config
+ app.kubernetes.io/component: configmap
 app.kubernetes.io/part-of: {{ include "fabric-channel-create.fullname" . }}
 app.kubernetes.io/namespace: {{ .Release.Namespace }}
 app.kubernetes.io/release: {{ .Release.Name }}
 app.kubernetes.io/managed-by: helm
- {{ include "labels.deployment" . | nindent 6 }}
 data:
 CHANNEL_NAME: {{ .Release.Name }}
- FABRIC_LOGGING_SPEC: {{ $.Values.peer.logLevel }}
- CORE_PEER_ID: {{ $.Values.peer.name }}.{{ .Release.Namespace }}
- CORE_PEER_ADDRESS: {{ $.Values.peer.address }}
- CORE_PEER_LOCALMSPID: {{ $.Values.peer.localMspId }}
+ FABRIC_LOGGING_SPEC: {{ .Values.peer.logLevel }}
+ CORE_PEER_ID: {{ .Values.peer.name }}.{{ .Release.Namespace }}
+ CORE_PEER_ADDRESS: {{ .Values.peer.address }}
+ CORE_PEER_LOCALMSPID: {{ .Values.peer.localMspId }}
 CORE_PEER_TLS_ENABLED: "{{ $.Values.peer.tlsStatus }}"
 CORE_PEER_TLS_ROOTCERT_FILE: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/tlscacerts/tlsca.crt
- ORDERER_CA: /opt/gopath/src/github.com/hyperledger/fabric/crypto/orderer/tls/ca.crt
- ORDERER_URL: {{ $.Values.orderer.address }}
+ ORDERER_CA: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt
+ ORDERER_URL: {{ .Values.peer.ordererAddress }}
 CORE_PEER_MSPCONFIGPATH: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp
- NETWORK_VERSION: {{ $.Values.global.network.version }}
-
+ NETWORK_VERSION: {{ .Values.global.version }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: channel-artifacts-{{ .Release.Name }}
+ name: {{ .Release.Name }}-channel-artifacts
 namespace: {{ .Release.Namespace }}
 labels:
 app: {{ .Release.Name }}
- app.kubernetes.io/name: createchannel-{{ .Release.Name }}
- app.kubernetes.io/component: fabric-channel-create-job
+ app.kubernetes.io/name: {{ .Release.Name }}-channel-artifacts
+ app.kubernetes.io/component: channel-artifacts
 app.kubernetes.io/part-of: {{ include "fabric-channel-create.fullname" . }}
 app.kubernetes.io/namespace: {{ .Release.Namespace }}
 app.kubernetes.io/release: {{ .Release.Name }}
 app.kubernetes.io/managed-by: helm
- {{ include "labels.deployment" . | nindent 6 }}
 data:
- channel.tx.json: |-
- {{ .Files.Get "files/channel.tx.json" | nindent 8 }}
+ channeltx_base64: |-
+ {{ .Files.Get "files/channeltx.json" | nindent 8 }}
diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/create_channel.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/create_channel.yaml
index 1b4b0dc61b7..0d88dfa33e0 100644
--- a/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/create_channel.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/templates/create_channel.yaml
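Review bot: `{{ .Files.Get "files/channeltx.json" | nindent 8 }}` on the last added line renders an empty `channeltx_base64` when the file has not been placed in `files/` (`.Files.Get` yields an empty string for a missing path), so the Job is created normally and only fails later inside the container at `base64 -d`, with nothing pointing at the missing chart input. Fail at render time instead: `channeltx_base64: |-` / `{{ required "files/channeltx.json is missing; see files/readme.txt" (.Files.Get "files/channeltx.json") | nindent 8 }}`. Note also the naming mismatch this commit introduces: the README tells the user to write `channeltx.json`, while `files/readme.txt` asks for a `channeltx_base64` file, and only the former is read here.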
@@ -7,74 +7,75 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "fabric-channel-create.fullname" . }} + name: createchannel-{{ .Release.Name }} namespace: {{ .Release.Namespace }} - annotations: - {{- include "labels.deployment" . | nindent 2 }} labels: - app: {{ .Release.Name }} app.kubernetes.io/name: createchannel-{{ .Release.Name }} app.kubernetes.io/component: fabric-channel-create-job app.kubernetes.io/part-of: {{ include "fabric-channel-create.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: backoffLimit: 6 template: metadata: labels: - app: {{ .Release.Name }} app.kubernetes.io/name: createchannel-{{ .Release.Name }} app.kubernetes.io/component: fabric-channel-create-job app.kubernetes.io/part-of: {{ include "fabric-channel-create.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . 
| nindent 6 }} spec: restartPolicy: "OnFailure" - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt {{ end }} - - name: channel-artifacts-{{ .Release.Name }} + - name: {{ .Release.Name }}-channel-artifacts configMap: - name: channel-artifacts-{{ .Release.Name }} + name: {{ .Release.Name }}-channel-artifacts - name: certificates emptyDir: medium: Memory - name: scripts-volume configMap: name: bevel-vault-script + - name: orderer-tls-cacert + configMap: + name: {{ include "fabric-channel-create.orderercrt" . }} + defaultMode: 0775 + items: + - key: cacert + path: orderer.crt initContainers: - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_SECRET_ENGINE value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX value: "{{ .Values.global.vault.secretPrefix }}" - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: MOUNT_PATH value: /secret command: ["sh", "-c"] 
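Review bot: The new `orderer-tls-cacert` volume sets `defaultMode: 0775`, which gives a CA certificate group/world-writable and executable bits it never needs; `defaultMode: 0444` is all `--cafile` requires. More significantly, the orderer CA that this Job will trust now comes from a ConfigMap resolved by name at render time rather than from an authenticated Vault read as before, so anyone with `configmaps` write access in the namespace can swap the trust anchor and interpose on the channel-create; that trade-off is worth a sentence in the chart docs and an RBAC note. The `certificates-init` container also pulls `image.alpineUtils` (default `…bevel-alpine:latest`) with `imagePullPolicy: IfNotPresent`, so whichever `latest` a node already cached is what runs; pin a tag or digest for reproducible installs. The corresponding `volumeMounts` for this volume are in a later hunk.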
@@ -86,23 +87,11 @@ spec: . /scripts/bevel-vault.sh vaultBevelFunc "init" - function getOrdererTlsSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt - } - function getAdminMspSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}" ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') @@ -118,15 +107,6 @@ spec: } {{- else }} - - function getOrdererTlsSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt - fi - } - function getAdminMspSecret { KEY=$1 KUBENETES_SECRET=$(kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json) @@ -144,9 +124,6 @@ spec: echo "${TLSCACERTS}" > ${OUTPUT_PATH}/tlscacerts/tlsca.crt } {{- end }} - OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" - mkdir -p ${OUTPUT_PATH} - getOrdererTlsSecret orderer-tls OUTPUT_PATH="${MOUNT_PATH}/admin/msp" mkdir -p ${OUTPUT_PATH}/admincerts @@ -168,7 +145,7 @@ spec: subPath: bevel-vault.sh containers: - name: createchannel - image: {{ $.Values.image.fabricTools }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent stdin: true tty: true 
@@ -176,8 +153,7 @@ spec: args: - |- #!/usr/bin/env sh - CHANNEL_TX=$(jq -r '.data."channel.tx.base64"' ./channel-artifacts/channel.tx.json) - echo $CHANNEL_TX | base64 -d > channel.tx + cat ./channel-artifacts/channeltx_base64 | base64 -d > channel.tx echo "Fetch block to see if channel has already been created..." tls_status=${CORE_PEER_TLS_ENABLED} @@ -192,22 +168,11 @@ spec: echo "Channel ${CHANNEL_NAME} is already created." else echo "Creating Channel ${CHANNEL_NAME}" - version1_4=`echo $NETWORK_VERSION | grep -c 1.4` if [ "$tls_status" = "true" ] then - if [ $version1_4 = 1 ] - then - peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx --tls ${CORE_PEER_TLS_ENABLED} --cafile ${ORDERER_CA} - else - peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx --tls ${CORE_PEER_TLS_ENABLED} --cafile ${ORDERER_CA} --outputBlock /tmp/${CHANNEL_NAME}.block - fi + peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx --tls ${CORE_PEER_TLS_ENABLED} --cafile ${ORDERER_CA} --outputBlock /tmp/${CHANNEL_NAME}.block else - if [ $version1_4 = 1 ] - then - peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx - else - peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx --outputBlock /tmp/${CHANNEL_NAME}.block - fi + peer channel create -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f channel.tx --outputBlock /tmp/${CHANNEL_NAME}.block fi fi workingDir: /opt/gopath/src/github.com/hyperledger/fabric/peer @@ -218,6 +183,9 @@ spec: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto readOnly: true - - name: channel-artifacts-{{ .Release.Name }} + - name: {{ .Release.Name }}-channel-artifacts mountPath: /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts readOnly: true + - name: orderer-tls-cacert + mountPath: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt + subPath: orderer.crt 
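Review bot: `cat ./channel-artifacts/channeltx_base64 | base64 -d > channel.tx` never checks its result, and the script does not run under `set -e`, so an empty or corrupt ConfigMap value leaves a zero-byte `channel.tx` and the job proceeds to `peer channel create` with it, surfacing only as an opaque orderer-side error. Make the failure explicit at the point of decoding: `cat ./channel-artifacts/channeltx_base64 | base64 -d > channel.tx || { echo "channeltx_base64 is not valid base64"; exit 1; }` followed by `[ -s channel.tx ] || { echo "decoded channel.tx is empty"; exit 1; }`. The script body continues beyond this hunk.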
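Review bot: The new `orderer-tls-cacert` mount omits `readOnly: true` while both sibling mounts in this hunk set it; add `readOnly: true` after `subPath: orderer.crt` so the intent is consistent and a reader does not wonder whether the job is expected to rewrite the CA file. ConfigMap volumes are served read-only by the kubelet anyway, so this is a consistency point rather than a functional one.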
diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml index 35dfcfe9d7f..0a6da1ff8aa 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-create/values.yaml @@ -8,6 +8,9 @@ --- # The following are for overriding global values global: + # HLF Network Version + #Eg. version: 2.2.2 + version: 2.2.2 #Provide the service account name which will be created. serviceAccountName: vault-auth cluster: 
@@ -26,38 +29,34 @@ global: #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com address: #Provide the kubernetes auth backed configured in vault for an organization - #Eg. authpath: supplychain - authPath: supplychain + #Eg. authpath: carrier + authPath: carrier #Provide the secret engine. secretEngine: secretsv2 #Provide the vault path where the secrets will be stored - secretPrefix: "data/supplychain" - #Provide the imageSecretName for vault - #Eg. imageSecretName: regcred - imageSecretName: "" + secretPrefix: "data/carrier" #Enable or disable TLS for vault communication #Eg. tls: true tls: - # HLF Network Version - network: - version: 2.5.4 - image: #Provide the valid image name and version for fabric tools - #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 + #Eg. fabricTools: hyperledger/fabrictools fabricTools: ghcr.io/hyperledger/bevel-fabric-tools #Provide the valid image name and version to read certificates from vault server #Eg. alpineutils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: peer: #Provide the name of the peer as per deployment yaml. #Eg. name: peer0 - name: peer0-carrier + name: peer0 #Provide the address of the peer who creates the channel and port to be mentioned is grpc cluster IP port #Eg. address: peer0.carrier-net:7051 - address: peer0-carrier.carrier-net:7051 + address: peer0.carrier-net:7051 #Provide the localMspId for organization #Eg. localMspId: carrierMSP localMspId: carrierMSP @@ -67,8 +66,6 @@ peer: #Provide the value for tlsStatus to be true or false for organization's peer #Eg. tlsStatus: true tlsStatus: true - -orderer: #Provide the address for orderer - #Eg. address: orderer.fratest-com:7050 - address: orderer1.test.yourdomain.com:443 + #Eg. ordererAddress: orderer1.test.yourdomain.com:443 + ordererAddress: orderer1.supplychain-net:7050 
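Review bot: `pullSecret:` is added as a bare empty value, which YAML parses as null rather than the `""` string a values file normally documents as the default; write `pullSecret: ""` so the merged value has a stable type whether or not a user overrides it. The comment `#Eg. authpath: carrier` also spells the key differently from `authPath` directly below it, which matters because users copy these examples verbatim. Both are small, but they are the lines a new operator edits first.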
diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-join/Chart.yaml index d89b9c1baa4..4b659443cc8 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/Chart.yaml @@ -7,11 +7,11 @@ apiVersion: v1 name: fabric-channel-join description: "Hyperledger Fabric: Joins the peer to the channel." -version: 1.0.0 +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/README.md b/platforms/hyperledger-fabric/charts/fabric-channel-join/README.md index fb57f297204..562e5989108 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/README.md 
@@ -3,175 +3,102 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Join Channel Hyperledger Fabric Deployment +# fabric-channel-join -- [Join Channel Hyperledger Fabric Deployment Helm Chart](#join-channel-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-channel-join chart deploys a Kubernetes job to join a channel. This chart should be executed after the [fabric-channel-create](../fabric-channel-create/README.md) chart or the [fabric-osnadmin-channel-create](../fabric-osnadmin-channel-create/README.md) chart for 2.5.x and the anchortx should be present in `files`. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## Join Channel Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-channel-join) for joining the channel. - +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0-allchannel bevel/fabric-channel-join +``` - ## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. 
+- Kubernetes 1.19+ +- Helm 3.2.0+ +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ - -## Chart Structure ---- -The structure of the Helm chart is as follows: +Also, for Fabric 2.2.x, the [fabric-genesis](../fabric-genesis/README.md) and [fabric-channel-create](../fabric-channel-create/README.md) charts should be installed. +For Fabric 2.5.x, the [fabric-osnadmin-channel-create](../fabric-osnadmin-channel-create/README.md) chart should be installed before this chart. +Then you can get the channeltx with following commands: +```bash +cd ./fabric-channel-join/files +kubectl --namespace supplychain-net get configmap allchannel-supplychain-anchortx -o jsonpath='{.data.allchannel-supplychain-anchortx_base64}' > anchortx.json ``` -fabric-channel-join/ - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- join_channel.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Stores the configuration for the joinchannel container. -- `join_channel.yaml`: The certificates-init retrieves TLS and MSP certificates from Vault and stores them in the local filesystem. The joinchannel joins the peer to the channel by fetching the channel configuration block from the orderer. Both containers are essential for the peer to join the channel and start participating in the network. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml) file contains configurable values for the Helm chart. 
We can modify these values according to the deployment requirements. Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| -----------------------| ---------------------------------------------------------------------------------| --------------------------------------------------| -| namespace | Namespace for organization's peer | org1-net | -| images.fabrictools | Valid image name and version for Fabric tools | ghcr.io/hyperledger/bevel-fabric-tools:2.2.2 | -| images.alpineutils | Valid image name and version to read certificates from the Vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Custom labels for the organization | "" | - -### Peer - -| Name | Description | Default Value | -| ------------| -------------------------------------------------| ----------------------------| -| name | Name of the peer as per deployment YAML | peer0 | -| address | Address of the peer and its grpc cluster IP port | peer0.org1-net:7051 | -| localmspid | Local MSPID for the organization | Org1MSP | -| loglevel | Log level for the organization's peer | info | -| tlsstatus | TLS status for the organization's peer | true | - -### Vault - -| Name | Description | Default Value | -| ----------------------| ------------------------------------------------------------------| -----------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault server address | "" | -| authpath | Kubernetes auth backend configured in Vault for the organization | devorg1-net-auth | -| adminsecretprefix | Vault secretprefix for admin | secretsv2/data/crypto/peerOrganizations/org1-net/users/admin | -| orderersecretprefix | Vault secretprefix for orderer | secretsv2/data/crypto/peerOrganizations/org1-net/orderer | -| serviceaccountname | Service account name for Vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Imagesecret name for Vault | "" | - -### channel 
-| Name | Description | Default Value | -| ----------| ----------------------| -----------------| -| address | Name of the channel | mychannel | +## Installing the Chart -### Orderer +To install the chart with the release name `peer0-allchannel`: -| Name | Description | Default Value | -| ----------| --------------------------| -----------------------------| -| address | Address for the orderer | orderer1.org1proxy.blockchaincloudpoc.com:443 | - - - -## Deployment ---- - -To deploy the fabric-channel-join Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-channel-join - ``` -Replace `` with the desired name for the release. - -This will deploy the fabric-channel-join node to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the deployment, we can use the following command: -``` -$ kubectl get jobs -n +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0-allchannel bevel/fabric-channel-join ``` -Replace `` with the actual namespace where the Job was created. This command will display information about the Job, including the number of completions and the current status of the Job's pods. +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
- -## Updating the Deployment ---- +> **Tip**: List all releases using `helm list` -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-channel-join -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-channel-join node is up to date. +## Uninstalling the Chart +To uninstall/delete the `peer0-allchannel` deployment: - -## Deletion ---- - -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall +```bash +helm uninstall peer0-allchannel ``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. | `2.5.4` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. 
| `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `fabric` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.fabricTools` | Fabric Tools image repository | `ghcr.io/hyperledger/bevel-fabric-tools` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Join Channel Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-channel-join), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). 
+### Peer +| Name | Description | Default Value | +|--------|---------|-------------| +| `peer.name` | Name of the Peer that is joining the channel | `peer0` | +| `peer.type` | Type of the Peer that is joining the channel, choose between `anchor` or `general` | `anchor` | +| `peer.address` | Peer Internal or External Address with port | `peer0.supplychain-net:7051` | +| `peer.localMspId` | Peer MSP ID | `supplychainMSP` | +| `peer.logLevel` | Peer Log Level | `info` | +| `peer.tlsStatus` | TLS status of the peer | `true` | +| `peer.channelName` | Name of the channel this peer wants to join | `AllChannel` | +| `peer.ordererAddress` | Orderer Internal or External Address with port for Peer to connect | `orderer1.supplychain-net:7050` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/files/readme.txt b/platforms/hyperledger-fabric/charts/fabric-channel-join/files/readme.txt new file mode 100644 index 00000000000..bf16a121ea7 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/files/readme.txt @@ -0,0 +1 @@ +This is a dummy file. Place the channeltx_base64 file in this directory.. \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/_helpers.tpl index 3a2e0f8d507..869da311d62 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/_helpers.tpl 
@@ -27,32 +27,20 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} +{{/* +Create orderer tls configmap name depending on Configmap existance +*/}} +{{- define "fabric-channel-join.orderercrt" -}} +{{- $secret := lookup "v1" "ConfigMap" .Release.Namespace "orderer-tls-cacert" -}} +{{- if $secret -}} +{{/* + Use this configmap +*/}} +{{- printf "orderer-tls-cacert" -}} +{{- else -}} +{{/* + Use the release configmap +*/}} +{{- printf "%s-orderer-tls-cacert" $.Values.peer.name -}} +{{- end -}} +{{- end -}} diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/anchorpeer.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/anchorpeer.yaml index bcde7ca4cff..8be70ed1a79 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/anchorpeer.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/anchorpeer.yaml @@ -21,9 +21,8 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: - backoffLimit: 6 + backoffLimit: 3 template: metadata: labels: 
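Review bot: The new `fabric-channel-join.orderercrt` helper selects the orderer TLS trust anchor purely by name: whatever ConfigMap called `orderer-tls-cacert` exists in the release namespace becomes the CA the job verifies the orderer against, so anyone with ConfigMap write access in that namespace can substitute it. `lookup` also returns nothing under `helm template`, `--dry-run`, and when the installing identity lacks `get configmaps`, in which case the helper silently falls back to `{{ .Values.peer.name }}-orderer-tls-cacert` and the job fails at volume-mount time if that object is absent; the helper comment should say so, e.g. `Falls back to the release ConfigMap when lookup is unavailable (template/dry-run/missing RBAC)`. The local is named `$secret` although it holds a ConfigMap; `$cm` would not mislead a reader into thinking the CA is stored as a Secret.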
@@ -34,19 +33,18 @@ spec: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: restartPolicy: "OnFailure" - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt # curl expects certs to be in /etc/ssl/certs/ca-certificates.crt 
@@ -54,31 +52,38 @@ spec: - name: certificates emptyDir: medium: Memory - {{- if ne $.Values.global.network.version "2.5.4" }} + - name: orderer-tls-cacert + configMap: + name: {{ include "fabric-channel-join.orderercrt" . }} + defaultMode: 0775 + items: + - key: cacert + path: orderer.crt + {{- if ne (.Values.global.version | trunc 3) "2.5" }} - name: anchorpeer-artifacts configMap: - name: anchorpeer-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-artifacts + name: {{ .Release.Name }}-anchor-artifacts {{- end }} - name: scripts-volume configMap: name: bevel-vault-script initContainers: - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_SECRET_ENGINE value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX value: "{{ .Values.global.vault.secretPrefix }}" - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: MOUNT_PATH value: /secret command: ["sh", "-c"] 
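Review bot: The `orderer-tls-cacert` ConfigMap volume is mounted with `defaultMode: 0775`, which gives a CA certificate execute and group-write bits it never needs; a trust anchor should be read-only, e.g. `defaultMode: 0444`. The gate `{{- if ne (.Values.global.version | trunc 3) "2.5" }}` is a string-prefix comparison, so any future `3.x` value would presumably still mount `anchorpeer-artifacts` even though the osnadmin path is the 2.5+ one; `{{- if semverCompare "<2.5.0" .Values.global.version }}` states the intent and survives new major versions. The same two patterns recur in configmap.yaml and join_channel.yaml in this commit.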
@@ -91,24 +96,11 @@ spec: # Calling a function to retrieve the vault token. vaultBevelFunc "init" - function getOrdererTlsSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt - - } - function getAdminMspSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}" ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') @@ -124,13 +116,6 @@ spec: } {{- else }} - function getOrdererTlsSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt - fi - } function getAdminMspSecret { KEY=$1 @@ -149,9 +134,6 @@ spec: echo "${TLSCACERTS}" > ${OUTPUT_PATH}/tlscacerts/tlsca.crt } {{- end }} - OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" - mkdir -p ${OUTPUT_PATH} - getOrdererTlsSecret orderer-tls OUTPUT_PATH="${MOUNT_PATH}/admin/msp" mkdir -p ${OUTPUT_PATH}/admincerts @@ -174,7 +156,7 @@ spec: subPath: bevel-vault.sh containers: - name: anchorpeer - image: {{ $.Values.image.fabricTools }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent stdin: true tty: true 
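Review bot: The anchorpeer container now runs `{{ .Values.image.fabricTools }}:{{ .Values.global.version }}` with `imagePullPolicy: IfNotPresent`, so the tag is a mutable version label and a node that already cached an image under that tag keeps running it; for a job that holds the organisation's admin MSP, pin by digest (`fabricTools@sha256:...`) or at least expose the pull policy as a value instead of hard-coding it. In the Vault branch, `${KEY}` is now interpolated verbatim into the path in `vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}"` after the old `tr - /` normalisation was dropped; the call site is outside the hunk, so a one-line comment such as `# KEY is the Vault user entry name, e.g. admin; no path normalisation is applied` would prevent a caller passing a dashed key from silently reading the wrong path. The init script body begins before the first hunk.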
@@ -221,8 +203,7 @@ spec: else peer channel fetch 0 ${CHANNEL_NAME}.block -o ${ORDERER_URL} -c ${CHANNEL_NAME} fi - ANCHORS_TX=$(jq -r '.data."anchors.tx.base64"' ./channel-artifacts/anchors.tx.json) - echo $ANCHORS_TX | base64 -d > ${CORE_PEER_LOCALMSPID}anchors.tx + cat ./channel-artifacts/anchors.tx.json | base64 -d > ${CORE_PEER_LOCALMSPID}anchors.tx if [ "$tls_status" = "true" ] then peer channel update -o ${ORDERER_URL} -c ${CHANNEL_NAME} -f ${CORE_PEER_LOCALMSPID}anchors.tx --tls --cafile ${ORDERER_CA} @@ -233,12 +214,15 @@ spec: workingDir: /opt/gopath/src/github.com/hyperledger/fabric/peer envFrom: - configMapRef: - name: joinchannel-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-config + name: {{ .Release.Name }}-config volumeMounts: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto readOnly: true - {{- if ne $.Values.global.network.version "2.5.4" }} + - name: orderer-tls-cacert + mountPath: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt + subPath: orderer.crt + {{- if ne (.Values.global.version | trunc 3) "2.5" }} - name: anchorpeer-artifacts mountPath: /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts readOnly: true diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/configmap.yaml index b3ad7aec7cf..df2f3b2d68a 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/configmap.yaml 
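Review bot: `cat ./channel-artifacts/anchors.tx.json | base64 -d > ${CORE_PEER_LOCALMSPID}anchors.tx` has no error handling, so an empty or non-base64 ConfigMap value produces an empty transaction and the failure appears later from `peer channel update`; `base64 -d ./channel-artifacts/anchors.tx.json > ${CORE_PEER_LOCALMSPID}anchors.tx || exit 1` fails where the problem is. The key is still called `.json` although the new content is raw base64, which will mislead the next maintainer; until it is renamed, a comment like `# anchors.tx.json holds the base64-encoded anchor tx, not JSON` belongs above the line. The `orderer-tls-cacert` mount added in the second hunk also lacks `readOnly: true`, unlike the `certificates` and `anchorpeer-artifacts` mounts around it. The script body starts before the first hunk.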
@@ -7,46 +7,43 @@ apiVersion: v1 kind: ConfigMap metadata: - name: joinchannel-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-config + name: {{ .Release.Name }}-config namespace: {{ .Release.Namespace }} labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: channel-join-{{ .Release.Name }} - app.kubernetes.io/component: fabric-channel-join-job + app.kubernetes.io/name: {{ .Release.Name }}-config + app.kubernetes.io/component: configmap app.kubernetes.io/part-of: {{ include "fabric-channel-join.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm data: - CHANNEL_NAME: {{ $.Values.channel.name }} - FABRIC_LOGGING_SPEC: {{ $.Values.peer.logLevel }} - CORE_PEER_ID: {{ $.Values.peer.name }}.{{ .Release.Namespace }} - CORE_PEER_ADDRESS: {{ $.Values.peer.address }} - CORE_PEER_LOCALMSPID: {{ $.Values.peer.localMspId }} - CORE_PEER_TLS_ENABLED: "{{ $.Values.peer.tlsStatus }}" + CHANNEL_NAME: {{ .Values.peer.channelName | lower }} + FABRIC_LOGGING_SPEC: {{ .Values.peer.logLevel }} + CORE_PEER_ID: {{ .Values.peer.name }}.{{ .Release.Namespace }} + CORE_PEER_ADDRESS: {{ .Values.peer.address }} + CORE_PEER_LOCALMSPID: {{ .Values.peer.localMspId }} + CORE_PEER_TLS_ENABLED: "{{ .Values.peer.tlsStatus }}" CORE_PEER_TLS_ROOTCERT_FILE: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/tlscacerts/tlsca.crt - ORDERER_CA: /opt/gopath/src/github.com/hyperledger/fabric/crypto/orderer/tls/ca.crt - ORDERER_URL: {{ $.Values.orderer.address }} + ORDERER_CA: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt + ORDERER_URL: {{ .Values.peer.ordererAddress }} CORE_PEER_MSPCONFIGPATH: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp - NETWORK_VERSION: {{ $.Values.global.network.version }} + NETWORK_VERSION: {{ .Values.global.version }} --- -{{- if ne $.Values.global.network.version "2.5.4" }} +{{- if ne (.Values.global.version | trunc 3) 
"2.5" }} apiVersion: v1 kind: ConfigMap metadata: - name: anchorpeer-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-artifacts + name: {{ .Release.Name }}-anchor-artifacts namespace: {{ .Release.Namespace }} labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: anchorpeer-{{ .Release.Name }} - app.kubernetes.io/component: fabric-anchorpeer-job + app.kubernetes.io/name: {{ .Release.Name }}-anchor-artifacts + app.kubernetes.io/component: anchorpeer-artifacts app.kubernetes.io/part-of: {{ include "fabric-channel-join.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} data: anchors.tx.json: |- - {{ .Files.Get "files/anchors.tx.json" | nindent 8 }} + {{ .Files.Get "files/anchortx.json" | nindent 8 }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/join_channel.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/join_channel.yaml index b6ac7f2a4db..da1524115d2 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/join_channel.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/templates/join_channel.yaml 
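Review bot: `{{ .Files.Get "files/anchortx.json" | nindent 8 }}` renders an empty string when the file is absent, so the chart installs cleanly and the anchor-peer job only fails later on an empty artifact; `{{ required "files/anchortx.json is missing" (.Files.Get "files/anchortx.json") | nindent 8 }}` surfaces the mistake at install time, which matters because the `files/readme.txt` added in this commit tells users to place a `channeltx_base64` file rather than `anchortx.json`. `NETWORK_VERSION: {{ .Values.global.version }}` and `FABRIC_LOGGING_SPEC: {{ .Values.peer.logLevel }}` are rendered unquoted into ConfigMap `data`, whose values must be strings, so a user who writes `version: 2.5` gets a float and an API-server rejection; quote them the way `CORE_PEER_TLS_ENABLED` already is.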
@@ -7,45 +7,41 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "fabric-channel-join.fullname" . }} + name: joinchannel-{{ .Release.Name }} namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "0" labels: - app: {{ .Release.Name }} app.kubernetes.io/name: channel-join-{{ .Release.Name }} app.kubernetes.io/component: fabric-channel-join-job app.kubernetes.io/part-of: {{ include "fabric-channel-join.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: backoffLimit: 6 template: metadata: labels: - app: {{ .Release.Name }} app.kubernetes.io/name: channel-join-{{ .Release.Name }} app.kubernetes.io/component: fabric-channel-join-job app.kubernetes.io/part-of: {{ include "fabric-channel-join.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: restartPolicy: "OnFailure" - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt # curl expects certs to be in /etc/ssl/certs/ca-certificates.crt 
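Review bot: The hook Job is renamed to `joinchannel-{{ .Release.Name }}` but no `helm.sh/hook-delete-policy` is set, so a Job left behind by a failed or interrupted install can keep that immutable name and block the next install of the same release from creating the hook; add `"helm.sh/hook-delete-policy": before-hook-creation` beside `"helm.sh/hook-weight": "0"`. Adding `hook-succeeded` as well is reasonable only if the completed pod's logs are not needed afterwards for audit of the channel join. The Job spec continues past the hunk.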
@@ -56,23 +52,30 @@ spec: - name: scripts-volume configMap: name: bevel-vault-script + - name: orderer-tls-cacert + configMap: + name: {{ include "fabric-channel-join.orderercrt" . }} + defaultMode: 0775 + items: + - key: cacert + path: orderer.crt initContainers: - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_SECRET_ENGINE value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX value: "{{ .Values.global.vault.secretPrefix }}" - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: MOUNT_PATH value: /secret command: ["sh", "-c"] @@ -84,23 +87,11 @@ spec: . /scripts/bevel-vault.sh vaultBevelFunc "init" - function getOrdererTlsSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt - } - function getAdminMspSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}" ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') 
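Review bot: With `getOrdererTlsSecret` deleted from the certificates-init script, the orderer CA used for TLS verification no longer comes from Vault or a Kubernetes Secret but from a ConfigMap resolved by name via `{{ include "fabric-channel-join.orderercrt" . }}`, mounted with `defaultMode: 0775`. A CA certificate is not confidential, but it is the trust anchor for every `--cafile` call this job makes, so the change widens who can influence it to anyone with ConfigMap write access in the namespace; say so on the volume (`# orderer CA now comes from a ConfigMap, not Vault; restrict ConfigMap writes in this namespace`) and use `defaultMode: 0444`, which is all a certificate needs. The init script body begins before the second hunk.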
@@ -117,14 +108,6 @@ spec: {{- else }} - function getOrdererTlsSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt - fi - } - function getAdminMspSecret { KEY=$1 KUBENETES_SECRET=$(kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json) @@ -143,9 +126,6 @@ spec: } {{- end }} - OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" - mkdir -p ${OUTPUT_PATH} - getOrdererTlsSecret orderer-tls OUTPUT_PATH="${MOUNT_PATH}/admin/msp" mkdir -p ${OUTPUT_PATH}/admincerts @@ -167,7 +147,7 @@ spec: subPath: bevel-vault.sh containers: - name: joinchannel - image: {{ $.Values.image.fabricTools }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent stdin: true tty: true @@ -194,8 +174,11 @@ spec: workingDir: /opt/gopath/src/github.com/hyperledger/fabric/peer envFrom: - configMapRef: - name: joinchannel-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-config + name: {{ .Release.Name }}-config volumeMounts: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto readOnly: true + - name: orderer-tls-cacert + mountPath: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt + subPath: orderer.crt diff --git a/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml b/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml index c11f7a45cf8..ec0d8db02f4 100644 --- a/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-channel-join/values.yaml 
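Review bot: The `orderer-tls-cacert` mount added in the last hunk is missing `readOnly: true`, while the `certificates` mount directly above it is read-only; since this path is what `ORDERER_CA` points at for `--cafile`, a writable bind of the trust anchor is an unnecessary exposure, so add `readOnly: true` after `subPath: orderer.crt`. The joinchannel container's `args` script that consumes it runs outside the hunks.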
@@ -8,6 +8,9 @@ --- # The following are for overriding global values global: + # HLF Network Version + #Eg. version: 2.5.4 + version: 2.5.4 #Provide the service account name which will be created. serviceAccountName: vault-auth cluster: 
@@ -32,48 +35,43 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imageSecretName for vault - #Eg. imageSecretName: regcred - imageSecretName: "" #Enable or disable TLS for vault communication #Eg. tls: true tls: - # HLF Network Version - network: - version: 2.5.4 - image: #Provide the valid image name and version for fabric tools - #Eg. fabric-tools: hyperledger/fabrictools:1.4.0 + #Eg. fabricTools: hyperledger/fabrictools fabricTools: ghcr.io/hyperledger/bevel-fabric-tools #Provide the valid image name and version to read certificates from vault server #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: peer: #Provide the name of the peer as per deployment yaml. #Eg. name: peer0 - name: peer0-carrier + name: peer0 + #Provide the type of peer + #Eg. type: anchor | general + type: anchor #Provide the address of the peer who wants to join channel and port to be mentioned is grpc cluster IP port - #Eg. address: peer0-carrier.carrier-net:7051 - address: peer0-carrier.carrier-net:7051 + #Eg. address: peer0.supplychain-net:7051 + address: peer0.supplychain-net:7051 #Provide the localMspId for organization - #Eg. localMspId: carrierMSP - localMspId: carrierMSP + #Eg. localMspId: supplychainMSP + localMspId: supplychainMSP #Provide the logLevel for organization's peer #Eg. logLevel: info logLevel: info #Provide the value for tlsstatus to be true or false for organization's peer #Eg. tlsstatus: true tlsStatus: true - -channel: - #Provide the name of the channel - #Eg. name: mychannel - name: mychannel - -orderer: + #Provide the name of the channel which peer will join + #Eg. channelName: AllChannel + channelName: AllChannel #Provide the address for orderer - #Eg. 
address: orderer1.test.yourdomain.com:443 - address: orderer1.test.yourdomain.com:443 + #Eg. ordererAddress: orderer1.test.yourdomain.com:443 + ordererAddress: orderer1.supplychain-net:7050 diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml index 0fa3f404cc5..0bc0fd2ec8b 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml @@ -6,12 +6,12 @@ apiVersion: v1 name: fabric-cli -description: "Hyperledger Fabric: Deploys Fabric Cli." -version: 1.0.0 +description: "Hyperledger Fabric: Deploys Fabric CLI" +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/README.md b/platforms/hyperledger-fabric/charts/fabric-cli/README.md index bd7b2cb7629..0ae99364746 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-cli/README.md 
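Review bot: `pullSecret:` is added under `image:` with no value, which YAML loads as `null`, while the fabric-cli README in this same diff documents `image.pullSecret` with a default of `""`; `{{- if .Values.image.pullSecret }}` treats both as false, but yamllint's `empty-values` rule and any tool that round-trips the values file will surface the `null`. Suggest `pullSecret: ""` here and in the fabric-cli/values.yaml hunk `@@ -26,49 +32,40 @@`, which introduces the same bare key. The new `ordererAddress` default switches from the external `:443` endpoint to the in-cluster `orderer1.supplychain-net:7050`; a comment noting that an external address is still valid here would help users of the previous default.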
@@ -3,175 +3,104 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Fabric Cli Hyperledger Fabric Deployment +# fabric-cli -- [Fabric Cli Hyperledger Fabric Deployment Helm Chart](#fabric-cli-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-cli chart deploys a Fabric CLI attached to a Peer node to the Kubernetes cluster. This chart is a dependency and is deployed by the [fabric-peernode](../fabric-peernode/README.md) chart. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## Fabric Cli Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-cli) for Fabric Cli. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. - - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -fabric-cli/ - |- templates/ - |- _helpers.yaml - |- deployment.yaml - |- volume.yaml - |- Chart.yaml - |- README.md - |- values.yaml +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0-cli bevel/fabric-cli ``` -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. 
-- `helpers.tpl`: Contains custom label definitions used in other templates. -- `deployment.yaml`: The certificates-init retrieves TLS certificates and cryptographic materials from HashiCorp Vault, ensuring secure communication. The cli runs Hyperledger Fabric CLI tools, using the fetched certificates for secure interaction with the network. -- `volume.yaml`: Requests storage resources for the cli container -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------------------| --------------------------------------------------| -| namespace | Namespace for organization's peer deployment | org1-net | -| images.fabrictools | Valid image name and version for fabric tools |ghcr.io/hyperledger/bevel-fabric-tools:2.2.2 | -| images.alpineutils | Valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | - -### Storage - -| Name | Description | Default Value | -| ------------| ----------------------| ---------------| -| class | Storage class name | aws-storageclass | -| size | Storage size | 256Mi | - -### Vault - -| Name | Description | Default Value | -| ----------------------| ------------------------------------------------------------------| -------------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault server 
address | "" | -| authpath | Kubernetes auth backend configured in Vault for the organization | devorg1-net-auth | -| adminsecretprefix | Vault secret prefix for admin | secretsv2/data/crypto/peerOrganizations/org1-net/users/admin | -| orderersecretprefix | Vault secret prefix for orderer | secretsv2/data/crypto/peerOrganizations/org1-net/orderer | -| serviceaccountname | Service account name for Vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for Vault | "" | -| tls | TLS status for Vault communication | "" | - -### Peer Configuration - -| Name | Description | Default Value | -| --------------| --------------------------------------------| -----------------------------| -| name | Name of the peer as per deployment YAML | peer0 | -| localMspId | Local MSP ID for the organization's peer | Org1MSP | -| tlsStatus | TLS status for the organization's peer | true | -| address | Address for the peer | peer0.org1-net:7051 | +## Prerequisites -### Orderer Configuration +- Kubernetes 1.19+ +- Helm 3.2.0+ -| Name | Description | Default Value | -| ------------| -------------------------| -----------------------------| -| address | Address for the orderer | orderer1.org1proxy.blockchaincloudpoc.com:443 | +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ +## Installing the Chart - -## Deployment ---- +To install the chart with the release name `peer0-cli`: -To deploy the fabric-cli Helm chart, follow these steps: +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0-cli bevel/fabric-cli +``` -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml) file to set the desired configuration values. -2. 
Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-cli - ``` -Replace `` with the desired name for the release. +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. -This will deploy the fabric-cli node to the Kubernetes cluster based on the provided configurations. +> **Tip**: List all releases using `helm list` +## Uninstalling the Chart - -## Verification ---- +To uninstall/delete the `peer0-cli` deployment: -To verify the deployment, we can use the following command: -``` -$ kubectl get deployments -n +```bash +helm uninstall peer0-cli ``` -Replace `` with the actual namespace where the deployment was created. The command will display information about the deployment, including the number of replicas and their current status. +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. | `2.5.4` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. 
| `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.fabricTools` | Fabric Tools image repository | `ghcr.io/hyperledger/bevel-fabric-tools` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | - -## Updating the Deployment ---- - -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-cli -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-cli node is up to date. - +### Storage - -## Deletion ---- +| Name | Description | Default Value | +|--------|---------|-------------| +| `storage.size` | PVC Storage Size for the cli, Storage Class should be created by `fabric-peernode` chart | `256Mi` | -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. 
+### Configuration +| Name | Description | Default Value | +|--------|---------|-------------| +| `localMspId` | Local MSP ID of the organization| `supplychainMSP` | +| `tlsStatus` | TLS status of the peer | `true` | +| `ports.grpc.clusterIpPort` | GRPC Internal Port for Peer | `7051` | +| `ordererAddress` | Orderer Internal or External Address with port for CLI to connect | `orderer1.supplychain-net:7050` | +| `healthCheck.retries` | Retry count to connect to the Peer | `20` | +| `healthCheck.sleepTimeAfterError` | Wait seconds after unsuccessful connection attempt | `15` | - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Fabric Cli Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-cli), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +### Labels +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `labels.service` | Array of Labels for service object | `[]` | +| `labels.pvc` | Array of Labels for PVC object | `[]` | +| `labels.deployment` | Array of Labels for deployment or statefulset object | `[]` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl index 83db7397ca3..8f2f5c508ee 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl 
@@ -14,7 +14,7 @@ If release name contains chart name it will be used as a full name. {{- define "fabric-cli.fullname" -}} {{- $name := default .Chart.Name -}} {{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-cli" .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -27,32 +27,38 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create orderer tls configmap name depending on Configmap existance +*/}} +{{- define "fabric-cli.orderercrt" -}} +{{- $secret := lookup "v1" "ConfigMap" .Release.Namespace "orderer-tls-cacert" -}} +{{- if $secret -}} +{{/* + Use this configmap +*/}} +{{- printf "orderer-tls-cacert" -}} +{{- else -}} +{{/* + Use the release configmap +*/}} +{{- printf "%s-orderer-tls-cacert" .Release.Name -}} +{{- end -}} +{{- end -}} + {{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.deployment }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.service }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.pvc }} +{{ toYaml $value }} {{- end }} {{- end }} 
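Review bot: After this change the two branches of `fabric-cli.fullname` produce differently shaped names: a release name containing `fabric-cli` becomes `<release>-cli`, while any other becomes `fabric-cli-<release>`, so the README's `helm install peer0-cli bevel/fabric-cli` renders as `fabric-cli-peer0-cli`. If the intent is for resources to be named `<release>-cli` whenever the chart is deployed as a dependency, the else branch should follow suit, `{{- printf "%s-cli" .Release.Name | trunc 63 | trimSuffix "-" -}}`, or the `contains` condition dropped; I cannot see how the parent chart names its releases, so this may be intentional and just deserves a comment.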
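Review bot: `fabric-cli.orderercrt` picks the ConfigMap name with `lookup`, which returns an empty map under `helm template` and client-side `--dry-run`, so rendered manifests always reference `<release>-orderer-tls-cacert` regardless of what exists in the cluster; a comment on the helper such as `{{/* lookup is empty under helm template / --dry-run; the release-scoped name is rendered then */}}` would save the next reader a debugging session. Since the object looked up is a ConfigMap, `$secret` is a misleading name (`$configmap` fits), and the header comment's `existance` should read `existence`. The rewritten `labels.deployment`/`labels.service`/`labels.pvc` helpers also drop the former `if $.Values.labels` guard, so `.Values.labels.deployment` now fails with a nil-pointer error if a user's values file omits `labels` entirely; the fabric-cli values.yaml hunks in this diff do not show a `labels:` block, so please confirm it is defined with the `[]` defaults the README states.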
diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml
index 2377a3fb545..89a03f977f4 100644
--- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml
@@ -10,22 +10,29 @@ metadata:
 name: {{ template "fabric-cli.fullname" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- {{ include "labels.deployment" . | nindent 2 }}
+ app: cli
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
+ {{ include "labels.deployment" . | nindent 4 }}
 spec:
 replicas: 1
 selector:
 matchLabels:
 app: cli
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
 template:
 metadata:
 labels:
 app: cli
- {{ include "labels.deployment" . | nindent 6 }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
+ {{ include "labels.deployment" . | nindent 8 }}
 spec:
- serviceAccountName: {{ $.Values.global.serviceAccountName }}
- {{- if .Values.global.vault.imageSecretName }}
+ serviceAccountName: {{ .Values.global.serviceAccountName }}
+ {{- if .Values.image.pullSecret }}
 imagePullSecrets:
- - name: {{ $.Values.global.vault.imageSecretName }}
+ - name: {{ .Values.image.pullSecret }}
 {{- end }}
 volumes:
 - name: {{ .Release.Name }}-cli-pv
@@ -34,7 +41,7 @@ spec:
 {{ if .Values.global.vault.tls }}
 - name: vaultca
 secret:
- secretName: {{ $.Values.global.vault.tls }}
+ secretName: {{ .Values.global.vault.tls }}
 items:
 - key: ca.crt.pem
 path: ca-certificates.crt
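Review bot: `spec.selector.matchLabels` gains `app.kubernetes.io/name` and `app.kubernetes.io/component` in hunk `@@ -10,22 +10,29 @@`, and a Deployment's selector is immutable, so `helm upgrade` of a release created with the previous chart version is rejected with `field is immutable` until the Deployment is deleted and recreated. Either keep `matchLabels` at `app: cli` and add the new labels only to `metadata.labels` and the pod template, or state the required delete-and-reinstall in the chart's upgrade notes. The switch to `{{- if .Values.image.pullSecret }}` matches the values change elsewhere in this diff.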
@@ -48,27 +55,34 @@ spec: - name: package-manager configMap: name: package-manager + - name: orderer-tls-cacert + configMap: + name: {{ include "fabric-cli.orderercrt" . }} + defaultMode: 0775 + items: + - key: cacert + path: orderer.crt initContainers: - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_SECRET_ENGINE - value: "{{ $.Values.global.vault.secretEngine }}" + value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.global.vault.secretPrefix }}" + value: "{{ .Values.global.vault.secretPrefix }}" - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: MOUNT_PATH value: "/secret" - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: CORE_PEER_ADDRESS - value: "{{ .Release.Name }}.{{ $.Values.peer.address }}" + value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.ports.grpc.clusterIpPort }}" command: ["sh", "-c"] args: - |- 
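Review bot: `defaultMode: 0775` on the new `orderer-tls-cacert` ConfigMap volume marks the CA certificate executable, which nothing in the cli needs; the API default for ConfigMap volumes is already 0644, and a read-only certificate only needs `defaultMode: 0444`, so drop the line or set it to `0444`. The rewritten `CORE_PEER_ADDRESS` value `"{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.ports.grpc.clusterIpPort }}"` assumes the peer Service is named after the release; that matches the defaults in this diff but is not stated anywhere, so a one-line comment above the env entry (`# peer Service is expected to be named after the release`) would make the coupling explicit. The init container's script starts in this hunk and continues past it.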
@@ -79,31 +93,11 @@ spec: # Calling a function to retrieve the vault token. vaultBevelFunc "init" - - function getOrdererTlsSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt - ORDERER_TLS_SECRET=true - else - ORDERER_TLS_SECRET=false - fi - } - - ############################################################################### - function getAdminMspSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}" if [ "$SECRETS_AVAILABLE" == "yes" ] then ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') @@ -125,17 +119,6 @@ spec: {{- else }} - function getOrdererTlsSecret { - KEY=$1 - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt - ORDERER_TLS_SECRET=true - else - ORDERER_TLS_SECRET=false - fi - } - function getAdminMspSecret { KEY=$1 KUBENETES_SECRET=$(kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json) @@ -160,11 +143,8 @@ spec: {{- end }} COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + while [ "$COUNTER" -le {{ .Values.healthCheck.retries }} ] do - OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" - mkdir -p ${OUTPUT_PATH} - getOrdererTlsSecret orderer-tls OUTPUT_PATH="${MOUNT_PATH}/admin/msp" mkdir -p ${OUTPUT_PATH}/admincerts 
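Review bot: In hunk `@@ -79,31 +93,11 @@` `getAdminMspSecret` now reads `${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}` instead of the `tr - /` formatted key, so with the call `getAdminMspSecret admin-msp` (visible as context in the next hunk) the Vault path moves from `.../admin/msp` to `.../users/admin-msp`; a network whose Vault was populated by the previous chart will exhaust `healthCheck.retries` and exit 1 with no hint that the layout changed. Worth a comment at the call site, e.g. `# admin MSP is read from <secretEngine>/<secretPrefix>/users/admin-msp (path layout changed in chart 1.1.0)`, and a matching remark in the README's `global.vault.secretPrefix` description. The function body continues past the hunk.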
@@ -174,18 +154,18 @@ spec: mkdir -p ${OUTPUT_PATH}/tlscacerts getAdminMspSecret admin-msp - if [ "$ORDERER_TLS_SECRET" = "true" ] && [ "$ADMIN_MSP_SECRET" = "true" ] + if [ "$ADMIN_MSP_SECRET" = "true" ] then echo "Peer certificates have been obtained correctly" break else - echo "Peer certificates have not been obtained, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + echo "Peer certificates have not been obtained, sleeping for {{ .Values.healthCheck.sleepTimeAfterError }}" + sleep {{ .Values.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] + if [ "$COUNTER" -gt {{ .Values.healthCheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, The peer certificates have not been obtained." exit 1 @@ -207,7 +187,7 @@ spec: subPath: package-manager.sh containers: - name: cli - image: {{ $.Values.image.fabricTools }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent stdin: true tty: true 
@@ -221,17 +201,17 @@ spec: - name: CORE_PEER_ID value: "{{ .Release.Name }}.{{ .Release.Namespace }}" - name: CORE_PEER_ADDRESS - value: "{{ .Release.Name }}.{{ $.Values.peer.address }}" + value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.ports.grpc.clusterIpPort }}" - name: CORE_PEER_LOCALMSPID - value: "{{ .Values.peer.localMspId }}" + value: "{{ .Values.localMspId }}" - name: CORE_PEER_TLS_ENABLED - value: "{{ $.Values.peer.tlsStatus }}" + value: "{{ .Values.tlsStatus }}" - name: CORE_PEER_TLS_ROOTCERT_FILE value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/tlscacerts/tlsca.crt - name: ORDERER_CA - value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/orderer/tls/ca.crt + value: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt - name: ORDERER_URL - value: "{{ $.Values.orderer.address }}" + value: "{{ .Values.ordererAddress }}" - name: CORE_PEER_MSPCONFIGPATH value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp volumeMounts: @@ -242,3 +222,6 @@ spec: - name: package-manager mountPath: /scripts/package-manager.sh subPath: package-manager.sh + - name: orderer-tls-cacert + mountPath: /opt/gopath/src/github.com/hyperledger/fabric/orderer/tls/orderer.crt + subPath: orderer.crt diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml index 8e5dac63d3d..32604c40983 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml @@ -11,11 +11,11 @@ metadata: name: {{ .Release.Name }}-cli-pvc namespace: {{ .Release.Namespace }} labels: - {{ include "labels.pvc" . | nindent 2 }} + {{ include "labels.pvc" . | nindent 4 }} spec: storageClassName: storage-{{ .Release.Name }} accessModes: - ReadWriteOnce resources: requests: - storage: {{ $.Values.storage.size }} + storage: {{ .Values.storage.size }} 
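Review bot: The `CORE_PEER_ADDRESS` value `"{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.ports.grpc.clusterIpPort }}"` is now spelled out twice in this template, here and in the certificates-init container; a small named template in _helpers.tpl, e.g. `{{- define "fabric-cli.peerAddress" -}}{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.ports.grpc.clusterIpPort }}{{- end -}}`, would keep the two in step. The new `ORDERER_CA` path points at the subPath-mounted file added in hunk `@@ -242,3 +222,6 @@`, so the two must be changed together; a comment next to `ORDERER_CA` naming the volume mount it depends on would make that visible.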
diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml
index e950b1b4689..706aefefec7 100644
--- a/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml
@@ -7,8 +7,14 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 global:
+ # HLF Network Version
+ #Eg. version: 2.5.4
+ version: 2.5.4
 #Provide the service account name which will be created.
 serviceAccountName: vault-auth
+ cluster:
+ provider: aws # choose from: minikube | aws | azure | gcp
+ cloudNativeServices: false # only 'false' is implemented
 vault:
 #Provide the type of vault
 #Eg. type: hashicorp
@@ -26,49 +32,40 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imageSecretName: "" #Kuberenetes secret for vault ca.cert #Enable or disable TLS for vault communication if value present or not #Eg. tls: vaultca tls: - cluster: - provider: azure # choose from: minikube | aws | azure | gcp - cloudNativeServices: false # only 'false' is implemented - - # HLF Network Version - network: - version: 2.2.2 - image: - #Provide the valid image name and version for fabric tools - #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 + #Provide the valid image repository for fabric tools + #Eg. fabricTools: hyperledger/fabric-tools fabricTools: ghcr.io/hyperledger/bevel-fabric-tools #Provide the valid image name and version to read certificates from vault server #Eg.alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: storage: - #Provide the storagesize - size: 256Mi - -peer: - #Provide the localMspId for organization - #Eg. localMspId: supplychainMSP - localMspId: supplychainMSP - #Provide the value for tlsStatus to be true or false for organization's peer - #Eg. tlsStatus: true - tlsStatus: true - #Provide the address for the peer - #Eg: address: test.blockchaincloudpoc.com - address: test.blockchaincloudpoc.com + #Provide the storagesize + size: 256Mi -orderer: - #Provide the address for orderer - #Eg. address: orderer1.test.blockchaincloudpoc.com:443 - address: orderer1.test.blockchaincloudpoc.com:443 +#Provide the localMspId for organization +#Eg. localMspId: supplychainMSP +localMspId: supplychainMSP +#Provide the value for tlsStatus to be true or false for organization's peer +#Eg. 
tlsStatus: true +tlsStatus: true +ports: + grpc: + #Provide a cluster IP port for grpc service to be exposed + #Eg. clusterIpPort: 7051 + clusterIpPort: 7051 +#Provide the address for orderer +#Eg. ordererAddress: orderer1.supplychain-net:7050 +ordererAddress: orderer1.supplychain-net:7050 healthCheck: retries: 20 diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-genesis/Chart.yaml index e2026d94ac8..74d721a4785 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/Chart.yaml @@ -7,11 +7,11 @@ apiVersion: v1 name: fabric-genesis description: "Hyperledger Fabric: Generates configtx and genesis files." -version: 1.0.0 +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/README.md b/platforms/hyperledger-fabric/charts/fabric-genesis/README.md index 3b8958e4f63..070f38424fb 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/README.md @@ -5,7 +5,7 @@ # fabric-genesis -This chart is a component of Hyperledger Bevel. The fabric-genesis chart createsthe genesis file for fabric network. If enabled, the keys are then stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +This chart is a component of Hyperledger Bevel. The fabric-genesis chart creates the genesis file and other channel artifacts for a Hyperfabric network. If enabled, the keys are then stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. ## TL;DR 
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install genesis bevel/fabric-genesis ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -22,7 +22,20 @@ helm install genesis bevel/fabric-genesis If Hashicorp Vault is used, then - HashiCorp Vault Server 1.13.1+ -> **Important**: Also check the dependent charts. +The [Orderers](../fabric-orderernode/README.md) and [Peers](../fabric-peernode/README.md) should already be installed and this chart should generally be installed from the Orderer namespace as it has most of the admin permissions. + +After the peers have been installed, get certificates and the configuration file of each peer organization, place in `fabric-genesis/files` +```bash +cd ./fabric-genesis/files +kubectl --namespace carrier-net get secret admin-msp -o json > carrier.json +kubectl --namespace carrier-net get configmap peer0-msp-config -o json > carrier-config-file.json +``` + +If additional orderer(s) from a different organization is needed in genesis, then get that TLS cert and place in `fabric-genesis/files` +```bash +cd ./fabric-genesis/files +kubectl --namespace carrier-net get secret orderer5-tls -o json > orderer5-orderer-tls.json +``` ## Installing the Chart 
@@ -54,7 +67,8 @@ The command removes all the Kubernetes components associated with the chart and These parameters are refered to as same in each parent or child chart | Name | Description | Default Value | |--------|---------|-------------| -|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.version` | Fabric Version.| `2.5.4` | +| `global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | | `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws` and `minikube` is tested | `aws` | | `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | | `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | 
@@ -62,70 +76,59 @@ These parameters are refered to as same in each parent or child chart | `global.vault.network` | Network type that is being deployed | `fabric` | | `global.vault.address`| URL of the Vault server. | `""` | | `global.vault.authPath` | Authentication path for Vault | `supplychain` | -| `global.vault.secretEngine` | The value for vault secret engine name | `secretsv2` | -| `global.vault.secretPrefix` | The value for vault secret prefix which must start with `data/` | `data/supplychain` | -| `global.vault.secretEngine` | The value for vault secret engine name | `secretsv2` | -| `global.vault.secretPrefix` | The value for vault secret prefix which must start with `data/` | `data/supplychain` | -| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `haproxy` | `ambassador` | -| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Besu P2P and RPC service will be available | `test.blockchaincloudpoc.com` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.proxy.provider` | The proxy or Ingress provider. 
Can be `none` or `haproxy` | `haproxy` | +| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Fabric services will be available | `test.blockchaincloudpoc.com` | ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.ca` | Provide the image name for the generate-geneis container | `ghcr.io/hyperledger/bevel-fabric-ca:latest` | -| `image.alpineUtils` | Provide the docker secret name in the namespace | `Provide the valid image name and version to read certificates from vault server` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.fabricTools` | Fabric Tools image repository | `ghcr.io/hyperledger/bevel-fabric-tools` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | + +### Organizations -### Network +List of Organizations participating in the Network with their Peer and Orderer Addresses. -| Name | Description | Default Value | -| `network.version` | HyperLedger Fabric network version | 2.5.4 | +| Name | Description | Default Value | +|--------|---------|-------------| +| `organizations.name` | Organization Name | `supplychain` | +| `organizations.orderers` | List of organization's orderer nodes and their addresses. This list presents two fields `orderer.name` and `orderer.ordererAddress` | `- name: orderer1`
`ordererAddress: orderer1.supplychain-net:7050`
`- name: orderer2`
`ordererAddress: orderer2.supplychain-net:7050`
`- name: orderer3`
`ordererAddress: orderer3.supplychain-net:7050` | +| `organizations.peers` | List of the organization's peer nodes and their addresses. This list presents two fields `peer.name` and `peer.peerAddress` | `- name: peer0`
`peerAddress: peer0.supplychain-net:7051`
`- name: peer1`
`peerAddress: peer1.supplychain-net:7051` | ### Consensus | Name | Description | Default Value | | ---------| ----------------------------| ----------------| -| `consensus.name` | Name of the consensus | raft | +| `consensus` | Name of the consensus | `raft` | +| `kafka.brokers` | Array of Kafka broker Addresses, only valid for `kafka` consensus | `""` | -### Organizations - -| Name | Description | Default Value | -|--------|---------|-------------| -| `organization.name` | Provide the organization's name| `""` | -| `organization.type`| Provide the organization's type (orderer or peer) | `""` | -| `organization.orderers` | Provide a list of the organization's orderer nodes. This list presents two fields `orderer.name` and `orderer.ordererAddress` | `""` | -| `organization.peers` | Provide a list of the organization's peer nodes. This list presents two fields `peer.name` and `peer.peerAddress` | `""` | ### Channels +List of Channels you want to create the artifacts for. | Name | Description | Default Value | |--------|---------|-------------| -| `channel.channel_name` | Provide the channel's name| `"Allchannel"` | -| `channel.consortium`| Provide the channel's consortium | `SupplyChainConsortium` | -| `channel.orderers` | Provide a list of orderer type organizations on the network | `""` | -| `channel.participants` | provides a list of participating channel organizations. This list presents one field `organization.name` | `""` | -| `channel.genesis` | Provide the profile name of the genesis file` | `OrdererGenesis` | - -### Vars +| `channels.name` | Name of the channel | `allchannel` | +| `channels.consortium`| Consortium Name | `SupplyChainConsortium` | +| `channels.orderers` | List of orderer type organizations (from the list above) on the network | `- supplychain` | +| `channels.participants` | List of participating channel organizations (from the list above) on the network | `- supplychain`
`- carrier` | -| Name | Description | Default Value | -|--------|---------|-------------| -| `vars.install_os` | Provide the OS | `"linux"` | -| `vars.install_arch`| Provide the architecture | `amd64` | ### Settings | Name | Description | Default Value | |--------|---------|-------------| -| `settings.removeGenesisOnDelete` | Setting to delete the genesis secret when uninstalling the release | `true` | -| `settings.removeGenesisConfigMapOnDelete` | Setting to delete the genesis configmaps when uninstalling the release | `true` | +| `settings.removeConfigMapOnDelete` | Flag to delete the genesis ConfigMap when uninstalling the release | `true` | ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx.yaml.tpl b/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx.yaml.tpl deleted file mode 100644 index bfb85da1da2..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx.yaml.tpl +++ /dev/null 
@@ -1,239 +0,0 @@ -Capabilities: -{{- if or (eq $.Values.global.network.version "2.2.2") (eq $.Values.global.network.version "2.5.4") }} - Channel: &ChannelCapabilities - V2_0: true - Orderer: &OrdererCapabilities - V2_0: true - Application: &ApplicationCapabilities -{{- if eq $.Values.global.network.version "2.5.4" }} - V2_5: true - {{- else }} - V2_0: true - {{- end }} -{{- end }} -{{- if eq $.Values.global.network.version "1.4.8" }} -{{- if eq $.Values.consensus.name "kafka"}} - Global: &ChannelCapabilities - V1_1: true - Orderer: &OrdererCapabilities - V1_1: true - Application: &ApplicationCapabilities - V1_1: true -{{- end }} -{{- if eq $.Values.consensus.name "raft"}} - Global: &ChannelCapabilities - V1_4_3: true - Orderer: &OrdererCapabilities - V1_4_2: true - Application: &ApplicationCapabilities - V1_4_2: true -{{- end }} -{{- end }} - -Application: &ApplicationDefaults - Organizations: -{{- if or (eq $.Values.global.network.version "2.2.2") (eq $.Values.global.network.version "2.5.4") }} - Policies: &ApplicationDefaultPolicies - LifecycleEndorsement: - Type: ImplicitMeta - Rule: "MAJORITY Endorsement" - Endorsement: - Type: ImplicitMeta - Rule: "MAJORITY Endorsement" - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" -{{- end }} - Capabilities: - <<: *ApplicationCapabilities - -Channel: &ChannelDefaults -{{- if or (eq $.Values.global.network.version "2.2.2") (eq $.Values.global.network.version "2.5.4") }} - Policies: - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" -{{- end }} - Capabilities: - <<: *ChannelCapabilities - -Organizations: -{{- range $org := $.Values.organizations }} - - &{{ $org.name }}Org - Name: {{ $org.name }}MSP - ID: {{ $org.name }}MSP - MSPDir: ./crypto-config/{{ $org.type }}Organizations/{{ $org.name 
}}-net/msp - Policies: - Readers: - Type: Signature - Rule: "OR('{{ $org.name }}MSP.member')" - Writers: - Type: Signature - Rule: "OR('{{ $org.name }}MSP.member')" - Admins: - Type: Signature - Rule: "OR('{{ $org.name }}MSP.admin')" - Endorsement: - Type: Signature - Rule: "OR('{{ $org.name }}MSP.member')" - {{- if ($org.orderers) }} - OrdererEndpoints: - {{- range $orderer := $org.orderers }} - {{- if eq $.Values.global.proxy.provider "none" }} - - {{ $orderer.name }}.{{ $org.name }}-net:7050 - {{- else }} - - {{ $orderer.ordererAddress }} - {{- end }} - {{- end }} - {{- end }} - {{- if and ($org.peers) (ne $.Values.global.network.version "2.5.4") }} - AnchorPeers: - {{- range $peer := $org.peers }} - {{- if eq $.Values.global.proxy.provider "none" }} - - Host: {{ $peer.name }}.{{ $org.name }}-net - Port: 7051 - {{- else }} - {{- $split := split ":" $peer.peerAddress }} - - Host: {{ $split._0 }} - Port: {{ $split._1 }} - {{- end }} - {{- end }} - {{- end }} - {{- printf "\n" }} - {{- end }} -Orderer: &OrdererDefaults -{{- range $org := $.Values.organizations }} -{{- if eq $org.type "orderer"}} -{{- if eq $.Values.consensus.name "raft"}} - OrdererType: etcdraft -{{- else }} - OrdererType: {{ $.Values.consensus.name }} -{{- end }} - Addresses: -{{- range $orderer := $org.orderers }} -{{- if eq $.Values.global.proxy.provider "none" }} - - {{ $orderer.name }}.{{ $org.name | lower }}-net:7050 -{{- else }} - - {{ $orderer.ordererAddress }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} - BatchTimeout: 2s - BatchSize: - MaxMessageCount: 10 - AbsoluteMaxBytes: 98 MB - PreferredMaxBytes: 1024 KB -{{- if eq $.Values.consensus.name "kafka"}} - Kafka: - Brokers: -{{- range $org := $.Values.organizations }} -{{- if and ($org.orderers) (gt (len .Values.miLista) 0)}} -{{- $replicas := $.Values.consensus.replicas }} -{{- range $index, $element := until $replicas }} - - {{ $.Values.consensus.name }}-{{ $index }}.{{ $.Values.consensus.type }}.{{ $org.name | lower 
}}-net.svc.cluster.local:{{ $.Values.consensus.grpc.port }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- if eq $.Values.consensus.name "raft"}} - EtcdRaft: - Consenters: -{{- range $org := $.Values.organizations }} -{{- range $orderer := $org.orderers }} -{{- $component_ns := printf "%s-net" (lower $org.name) }} -{{- if eq $.Values.global.proxy.provider "none" }} - - Host: {{ $orderer.name}}.{{ $component_ns }} - Port: 7050 -{{- else }} -{{- $split := split ":" $orderer.ordererAddress }} - - Host: {{ $split._0 }} - Port: {{ $split._1 }} -{{- end }} - ClientTLSCert: ./crypto-config/ordererOrganizations/{{ $component_ns }}/orderers/{{ $orderer.name }}.{{ $component_ns }}/tls/server.crt - ServerTLSCert: ./crypto-config/ordererOrganizations/{{ $component_ns }}/orderers/{{ $orderer.name }}.{{ $component_ns }}/tls/server.crt -{{- end }} -{{- end }} -{{- end }} - Organizations: - Policies: - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" - BlockValidation: - Type: ImplicitMeta - Rule: "ANY Writers" - Capabilities: - <<: *OrdererCapabilities - -Profiles: -{{- range $channel := $.Values.channels }} - {{ $channel.genesis.name }}: - <<: *ChannelDefaults - Orderer: - <<: *OrdererDefaults -{{- if eq $.Values.consensus.name "raft"}} - OrdererType: etcdraft - EtcdRaft: - Consenters: -{{- range $org := $.Values.organizations }} -{{- range $orderer := $org.orderers }} -{{- $component_ns := printf "%s-net" (lower $org.name) }} -{{- if eq $.Values.global.proxy.provider "none" }} - - Host: {{ $orderer.name}}.{{ $component_ns }} - Port: 7050 -{{- else }} -{{- $split := split ":" $orderer.ordererAddress }} - - Host: {{ $split._0 }} - Port: {{ $split._1 }} -{{- end }} - ClientTLSCert: ./crypto-config/ordererOrganizations/{{ $component_ns }}/orderers/{{ $orderer.name }}.{{ $component_ns }}/tls/server.crt - ServerTLSCert: ./crypto-config/ordererOrganizations/{{ 
$component_ns }}/orderers/{{ $orderer.name }}.{{ $component_ns }}/tls/server.crt -{{- end }} -{{- end }} -{{- end }} - Organizations: -{{- range $orderer := $channel.orderers }} - - *{{ $orderer }}Org -{{- end }} -{{- if ne $.Values.global.network.version "2.5.4" }} - Consortiums: - {{ $channel.consortium }}: - Organizations: -{{- range $org := $.Values.organizations }} -{{- if ne $org.type "orderer"}} - - *{{ $org.name }}Org -{{- end }} -{{- end }} - {{ $channel.channelName }}: - <<: *ChannelDefaults - Consortium: {{ $channel.consortium }} -{{- end }} - Application: - <<: *ApplicationDefaults - Organizations: -{{- range $org := $channel.participants }} - - *{{ $org.name }}Org -{{- end }} -{{- if eq $.Values.global.network.version "2.5.4" }} - Capabilities: *ApplicationCapabilities -{{- end }} -{{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_2.tpl b/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_2.tpl new file mode 100644 index 00000000000..f83c950fd5c --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_2.tpl 
@@ -0,0 +1,154 @@ +# Configtx template for Fabric 2.2.x +Organizations: +{{- range $org := $.Values.organizations }} + - &{{ $org.name }}Org + Name: {{ $org.name }}MSP + ID: {{ $org.name }}MSP + MSPDir: ./crypto-config/organizations/{{ $org.name }}/msp + Policies: + Readers: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + Writers: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + Admins: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + {{- if $org.orderers }} + OrdererEndpoints: + {{- range $orderer := $org.orderers }} + - {{ $orderer.ordererAddress }} + {{- end }} + {{- end }} + AnchorPeers: + {{- range $peer := $org.peers }} + {{- $split := split ":" $peer.peerAddress }} + - Host: {{ $split._0 }} + Port: {{ $split._1 }} + {{- end }} + {{- printf "\n" }} +{{- end }} + +Capabilities: + Channel: &ChannelCapabilities + V2_0: true + Orderer: &OrdererCapabilities + V2_0: true + Application: &ApplicationCapabilities + V2_0: true + +Application: &ApplicationDefaults + Organizations: + Policies: + LifecycleEndorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + Endorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + Capabilities: + <<: *ApplicationCapabilities + +Channel: &ChannelDefaults + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + Capabilities: + <<: *ChannelCapabilities + +Orderer: &OrdererDefaults +{{- if eq $.Values.consensus "raft" }} + OrdererType: etcdraft + EtcdRaft: + Consenters: + {{- range $org := $.Values.organizations }} + {{- range $orderer := $org.orderers }} + {{- $split := split ":" $orderer.ordererAddress }} + - Host: {{ 
$split._0 }} + Port: {{ $split._1 }} + ClientTLSCert: ./crypto-config/organizations/{{ $org.name }}/orderers/{{ $orderer.name }}/tls/server.crt + ServerTLSCert: ./crypto-config/organizations/{{ $org.name }}/orderers/{{ $orderer.name }}/tls/server.crt + {{- end }} + {{- end }} +{{- end }} + BatchTimeout: 2s + BatchSize: + MaxMessageCount: 10 + AbsoluteMaxBytes: 98 MB + PreferredMaxBytes: 1024 KB +{{- if eq $.Values.consensus "kafka" }} + OrdererType: {{ $.Values.consensus }} + Kafka: + Brokers: + {{- range $.Values.kafka.brokers }} + - {{ . }} + {{- end }} +{{- end }} + Organizations: + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + BlockValidation: + Type: ImplicitMeta + Rule: "ANY Writers" + +Profiles: + OrdererGenesis: + <<: *ChannelDefaults + {{- with (first $.Values.channels) }} + Orderer: + <<: *OrdererDefaults + Organizations: + {{- range $org := .orderers }} + - *{{ $org }}Org + {{- end }} + Capabilities: + <<: *OrdererCapabilities + Consortiums: + {{ .consortium }}: + Organizations: + {{- range $org := .participants }} + - *{{ $org }}Org + {{- end }} + {{- end }} +{{- range $channel := $.Values.channels }} + {{ $channel.name }}: + Consortium: {{ $channel.consortium }} + <<: *ChannelDefaults + Application: + <<: *ApplicationDefaults + Organizations: + {{- range $org := $channel.participants }} + - *{{ $org }}Org + {{- end }} + Capabilities: + <<: *ApplicationCapabilities + {{- printf "\n" }} +{{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_5.tpl b/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_5.tpl new file mode 100644 index 00000000000..c312a4d1c45 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/files/configtx_2_5.tpl 
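Review bot: `OrdererType` is set only inside the `raft` and `kafka` branches of `Orderer: &OrdererDefaults`, so any other `consensus` value renders an orderer block with no type and the failure only surfaces later in configtxgen; a guard near the top of the file, `{{- if not (has $.Values.consensus (list "raft" "kafka")) }}{{ fail (printf "unsupported consensus %q" $.Values.consensus) }}{{- end }}`, makes it a render-time error. The `AnchorPeers:` block is emitted unconditionally from `$org.peers` while `OrdererEndpoints:` is wrapped in `{{- if $org.orderers }}`, so an orderer-only organization gets an `AnchorPeers:` key with a null value; wrapping it in `{{- if $org.peers }}` keeps the two consistent. Both `split ":" $peer.peerAddress` and `split ":" $orderer.ordererAddress` assume a `host:port` value, and an address without a port yields an empty `Port:`, which deserves at least a comment on the value shape the template expects. The `Kafka.Brokers` loop ranges over `$.Values.kafka.brokers`, documented in this diff's README with a default of `""`; if that default really is an empty string rather than an empty list, `range` over it is a render error as soon as `consensus: kafka` is chosen, so the default should be `[]`.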
@@ -0,0 +1,127 @@ +# Configtx template for Fabric 2.5.x +Organizations: +{{- range $org := $.Values.organizations }} + - &{{ $org.name }}Org + Name: {{ $org.name }}MSP + ID: {{ $org.name }}MSP + MSPDir: ./crypto-config/organizations/{{ $org.name }}/msp + Policies: + Readers: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + Writers: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + Admins: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('{{ $org.name }}MSP.member')" + {{- if $org.orderers }} + OrdererEndpoints: + {{- range $orderer := $org.orderers }} + - {{ $orderer.ordererAddress }} + {{- end }} + {{- end }} + {{- printf "\n" }} +{{- end }} + +Capabilities: + Channel: &ChannelCapabilities + V2_0: true + Orderer: &OrdererCapabilities + V2_0: true + Application: &ApplicationCapabilities + V2_5: true + +Application: &ApplicationDefaults + Organizations: + Policies: + LifecycleEndorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + Endorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + Capabilities: + <<: *ApplicationCapabilities + +Channel: &ChannelDefaults + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + Capabilities: + <<: *ChannelCapabilities + +Orderer: &OrdererDefaults + BatchTimeout: 2s + BatchSize: + MaxMessageCount: 10 + AbsoluteMaxBytes: 98 MB + PreferredMaxBytes: 1024 KB + Organizations: + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + BlockValidation: + Type: ImplicitMeta + Rule: "ANY Writers" + +Profiles: +{{- range $channel := 
$.Values.channels }} + {{ $channel.name }}: + <<: *ChannelDefaults + {{- if eq $.Values.consensus "raft" }} + Orderer: + <<: *OrdererDefaults + OrdererType: etcdraft + EtcdRaft: + Consenters: + {{- range $org := $.Values.organizations }} + {{- range $orderer := $org.orderers }} + {{- $split := split ":" $orderer.ordererAddress }} + - Host: {{ $split._0 }} + Port: {{ $split._1 }} + ClientTLSCert: ./crypto-config/organizations/{{ $org.name }}/orderers/{{ $orderer.name }}/tls/server.crt + ServerTLSCert: ./crypto-config/organizations/{{ $org.name }}/orderers/{{ $orderer.name }}/tls/server.crt + {{- end }} + {{- end }} + Organizations: + {{- range $orderer := $channel.orderers }} + - *{{ $orderer }}Org + {{- end }} + Capabilities: *OrdererCapabilities + {{- end }} + Application: + <<: *ApplicationDefaults + Organizations: + {{- range $org := $channel.participants }} + - *{{ $org }}Org + {{- end }} + Capabilities: *ApplicationCapabilities + {{- printf "\n" }} +{{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/configmap.yaml index c433fc8bfe8..9975157e676 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: configtx-yaml + name: {{ .Release.Name }}-configtx-yaml namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: configtx-yaml 
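Review bot: In the per-channel profile the `Orderer:` section exists only under `{{- if eq $.Values.consensus "raft" }}`, so with any other `consensus` value every channel profile silently renders without an orderer configuration and the raft-only assumption is invisible to the operator; adding `{{- else }}` followed by `{{ fail (printf "configtx_2_5.tpl supports only raft consensus, got %q" $.Values.consensus) }}` before that `{{- end }}` turns it into a render-time error. Because this template has no system-channel profile or `Consortiums` block, each channel genesis takes its orderer set entirely from that branch, so a missing `Orderer:` would not be noticed until the channel join. The header comment `# Configtx template for Fabric 2.5.x` could also state that only `raft` is supported by this file.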
@@ -19,13 +19,16 @@ metadata: app.kubernetes.io/managed-by: helm data: configtx.yaml: |- - {{ tpl (.Files.Get "files/configtx.yaml.tpl") . | nindent 8 }} - +{{- if eq ($.Values.global.version | trunc 3) "2.5" }} + {{ tpl (.Files.Get "files/configtx_2_5.tpl") . | nindent 8 }} +{{- else }} + {{ tpl (.Files.Get "files/configtx_2_2.tpl") . | nindent 8 }} +{{- end }} --- apiVersion: v1 kind: ConfigMap metadata: - name: admin-msp-certs + name: {{ .Release.Name }}-admin-msp-certs namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: admin-msp-certs @@ -46,4 +49,11 @@ data: {{ $org.name }}-config-file.json: |- {{ $.Files.Get (printf "files/%s-config-file.json" $org.name) | nindent 4 }} {{- end }} +{{- range $orderer := $org.orderers }} +{{- $ordfile := $.Files.Get (printf "files/%s-orderer-tls.json" $orderer.name) }} +{{- if $ordfile }} + {{ $orderer.name }}-orderer-tls.json: |- + {{ $.Files.Get (printf "files/%s-orderer-tls.json" $orderer.name) | nindent 4 }} +{{- end }} +{{- end }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/genesis-job-cleanup.yaml b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/genesis-job-cleanup.yaml index 5cc0231a6d9..fcfb502a6b1 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/genesis-job-cleanup.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/genesis-job-cleanup.yaml @@ -30,7 +30,7 @@ spec: restartPolicy: "Never" containers: - name: delete-secrets - image: "{{ $.Values.image.alpineUtils }}" + image: "{{ .Values.image.alpineUtils }}" securityContext: runAsUser: 0 imagePullPolicy: IfNotPresent 
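Review bot: The template selection `{{- if eq ($.Values.global.version | trunc 3) "2.5" }}` treats every version that is not exactly `2.5` as 2.2, so a typo such as `2.54` or a future `3.0.0` silently renders the 2.2 template, and `trunc 3` would also turn a two-digit minor like `2.10.0` into `2.1`. A semver comparison, `{{- if semverCompare ">=2.5.0-0" $.Values.global.version }}`, with an explicit `{{- else if semverCompare ">=2.2.0-0 <2.5.0-0" $.Values.global.version }}` branch and a final `{{ fail ... }}` for anything else, would make the supported range explicit at render time. The ConfigMap whose `data:` this hunk edits begins above the hunk.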
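Review bot: The new `{{ $orderer.name }}-orderer-tls.json` entry embeds the full JSON dump of an orderer's `*-tls` Kubernetes Secret into the `-admin-msp-certs` ConfigMap, and the README in this same diff produces that file with `kubectl get secret orderer5-tls -o json`, which copies every key the Secret holds. Only the server certificate is consumed by the configtx templates, so if that Secret also carries the TLS private key it now lives both in a file under `fabric-genesis/files` and in a ConfigMap in the orderer namespace, neither of which is covered by Secret access controls; extracting just the certificate field (for example with `-o jsonpath`) before placing it in `files/`, or mounting it from a Secret instead, would keep any key material out of the ConfigMap. Separately, `$.Files.Get` is called twice for the same file here, and `{{ $ordfile | nindent 4 }}` reuses the value already read into `$ordfile`.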
@@ -38,35 +38,27 @@ spec: command: ["sh", "-c"] args: - |- -{{- if .Values.settings.removeGenesisOnDelete }} - - function deleteSecret { - key=$1 - kubectl get secret ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl delete secret ${key} --namespace {{ .Release.Namespace }} - fi - } - - {{- range $channel := $.Values.channels }} - deleteSecret {{ $channel.channelName | lower}}-genesis - {{- end}} -{{- end}} {{- if .Values.settings.removeConfigMapOnDelete }} - - function deleteConfigMap { - key=$1 - kubectl get configmap ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl delete configmap ${key} --namespace {{ .Release.Namespace }} + {{- range $channel := $.Values.channels }} + if kubectl get configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-genesis &> /dev/null; then + echo "Deleting genesis-file configmap in k8s ..." + kubectl delete configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-genesis + fi + if kubectl get configmap --namespace {{ $.Release.Namespace }} syschannel-genesis &> /dev/null; then + echo "Deleting genesis-file configmap in k8s ..." + kubectl delete configmap --namespace {{ $.Release.Namespace }} syschannel-genesis + fi + if kubectl get configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-channeltx &> /dev/null; then + echo "Deleting channeltx configmap in k8s ..." + kubectl delete configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-channeltx + fi + {{- range $participant := $channel.participants }} + if kubectl get configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-{{ $participant }}-anchortx &> /dev/null; then + echo "Deleting anchortx configmap in k8s ..." 
+ kubectl delete configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-{{ $participant }}-anchortx fi - } - - {{- range $channel := $.Values.channels }} - deleteConfigMap {{ $channel.channelName | lower}}-genesis-file - deleteConfigMap channel-artifacts-{{ $channel.channelName | lower }} - deleteConfigMap anchorpeer-artifacts-{{ $channel.channelName | lower }} - {{- end}} + {{- end }} + {{- end }} {{- end}} diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/job.yaml b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/job.yaml index ae081a8e148..0c5c3c98e82 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/templates/job.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/templates/job.yaml 
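Review bot: The existence checks use `&> /dev/null`, but the container runs `sh -c` on the alpine utils image; `&>` is a bash extension, and a POSIX `sh` parses `cmd &> /dev/null` as `cmd &` followed by an empty redirection, so the `if` always succeeds and `kubectl get` runs in the background with its output shown, which defeats the guards (whether the image's `sh` accepts `&>` depends on how it was built, so this is worth verifying rather than assuming). Writing each test as `if kubectl get configmap --namespace {{ $.Release.Namespace }} {{ $channel.name }}-genesis > /dev/null 2>&1; then` is portable across shells. The `syschannel-genesis` check is also repeated once per channel inside the `range $channel` loop although it does not depend on `$channel`, so it can sit before the loop and run once.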
@@ -2,26 +2,29 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "fabric-genesis.name" . }}-init + name: {{ include "fabric-genesis.name" . }}-job + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-delete-policy: "before-hook-creation" labels: app: {{ .Release.Name }} - app.kubernetes.io/name: fabric-genesis-job - app.kubernetes.io/component: fabric-genesis-job + app.kubernetes.io/name: {{ include "fabric-genesis.name" . }}-job + app.kubernetes.io/component: fabric-genesis app.kubernetes.io/part-of: {{ include "fabric-genesis.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - namespace: {{ .Release.Namespace }} spec: backoffLimit: 6 template: metadata: labels: app: {{ .Release.Name }} - app.kubernetes.io/name: fabric-genesis-job - app.kubernetes.io/component: cacerts-gen-job + app.kubernetes.io/name: {{ include "fabric-genesis.name" . }}-job + app.kubernetes.io/component: fabric-genesis app.kubernetes.io/part-of: {{ include "fabric-genesis.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm spec: serviceAccountName: {{ .Values.global.serviceAccountName }} @@ -39,14 +42,14 @@ spec: name: package-manager - name: configtx-file configMap: - name: configtx-yaml + name: {{ .Release.Name }}-configtx-yaml defaultMode: 0775 {{- range $org := $.Values.organizations }} {{- $file := $.Files.Get (printf "files/%s.json" $org.name) }} {{- if $file }} - name: {{ $org.name }}-admin-msp configMap: - name: admin-msp-certs + name: {{ $.Release.Name }}-admin-msp-certs items: - key: {{ $org.name }}.json path: {{ $org.name }}.json 
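Review bot: The new `helm.sh/hook-delete-policy: "before-hook-creation"` annotation has no effect on its own, because Helm only applies hook delete policies to resources that also carry a `helm.sh/hook` annotation, and none is added in this hunk's `metadata`. If the Job is meant to run as a hook it needs something like `helm.sh/hook: post-install,post-upgrade` alongside it; if it is meant to be an ordinary release resource the annotation should be dropped, and since most of a Job's spec is immutable the fixed name `{{ include "fabric-genesis.name" . }}-job` will then fail on `helm upgrade` once the pod template changes. A one-line comment above `annotations:` stating which of the two is intended would spare the next reader the same question.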
@@ -55,184 +58,29 @@ spec: {{- if $file }} - name: {{ $org.name }}-config-file configMap: - name: admin-msp-certs + name: {{ $.Release.Name }}-admin-msp-certs items: - key: {{ $org.name }}-config-file.json path: {{ $org.name }}-config-file.json {{- end }} + {{- range $orderer := $org.orderers }} + {{- $ordfile := $.Files.Get (printf "files/%s-orderer-tls.json" $orderer.name) }} + {{- if $ordfile }} + - name: {{ $orderer.name }}-tls-config + configMap: + name: {{ $.Release.Name }}-admin-msp-certs + items: + - key: {{ $orderer.name }}-orderer-tls.json + path: {{ $orderer.name }}-orderer-tls.json + {{- end }} + {{- end }} {{- end }} - name: certificates emptyDir: medium: Memory - initContainers: - - name: init-check-certificates - image: {{ $.Values.image.alpineUtils }} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} - - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} - - name: VAULT_SECRET_ENGINE - value: "{{ .Values.global.vault.secretEngine }}" - - name: VAULT_SECRET_PREFIX - value: "{{ .Values.global.vault.secretPrefix }}" - - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" - - name: PROXY - value: {{ .Values.global.proxy.provider }} - - name: EXTERNAL_URL_SUFFIX - value: {{ .Values.global.proxy.externalUrlSuffix }} - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - - name: MOUNT_PATH - value: /secret - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh -{{- if eq .Values.global.vault.type "hashicorp" }} - source /scripts/bevel-vault.sh - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - function checkMspSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - - echo "Getting TLS certificates from Vault." 
- vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - - ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') - CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') - TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') - - echo "${ADMINCERT}" > ${OUTPUT_PATH_ORDERER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem - echo "${TLSCACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/tlscacerts/ca.crt - if [ "$PROXY" != "none" ] ; then - echo "${CACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/cacerts/${SERVER_NAME}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem - else - echo "${CACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/cacerts/${SERVER_NAME}-${COMPONENT_NAME}-7054.pem - fi - } - - function checkOrdererTlsSecret { - KEY=$1 - - echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY}/tls" - - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - - echo "${TLS_SERVER_CERT}" > ${OUTPUT_PATH_ORDERER}/orderers/${KEY}.${COMPONENT_NAME}/tls/server.crt - - } - -{{- else }} - function checkMspSecret { - key=$1 - KUBENETES_SECRET=$(kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json) - if [ "$KUBENETES_SECRET" = "" ]; then - echo "Certficates absent in kuberenetes secrets" - exit 1 - else - ADMINCERT=$(echo "$KUBENETES_SECRET" | jq -r '.data.admincerts' | base64 -d) - CACERTS=$(echo "$KUBENETES_SECRET" | jq -r '.data.cacerts' | base64 -d) - TLSCACERTS=$(echo "$KUBENETES_SECRET" | jq -r '.data.tlscacerts' | base64 -d) - - echo "${ADMINCERT}" > ${OUTPUT_PATH_ORDERER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem - echo "${TLSCACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/tlscacerts/ca.crt - if [ "$PROXY" != "none" ] ; then - echo "${CACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/cacerts/${SERVER_NAME}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem - else - echo "${CACERTS}" > ${OUTPUT_PATH_ORDERER}/msp/cacerts/${SERVER_NAME}-${COMPONENT_NAME}-7054.pem - fi - fi - } - - 
function checkOrdererTlsSecret { - key=$1 - KUBENETES_SECRET=$(kubectl get secret ${key}-tls --namespace ${COMPONENT_NAME} -o json) - if [ "$KUBENETES_SECRET" = "" ]; then - echo "Certficates absent in kuberenetes secrets" - exit 1 - else - TLS_SERVER_CERT=$(echo "$KUBENETES_SECRET" | jq -r '.data.servercrt' | base64 -d) - echo "${TLS_SERVER_CERT}" > ${OUTPUT_PATH_ORDERER}/orderers/${key}.${COMPONENT_NAME}/tls/server.crt - fi - } -{{- end }} - OUTPUT_PATH_ORDERER="${MOUNT_PATH}/ordererOrganizations/${COMPONENT_NAME}" - OUTPUT_PATH_PEER="${MOUNT_PATH}/peerOrganizations" - mkdir -p ${OUTPUT_PATH_ORDERER}/msp/admincerts - mkdir -p ${OUTPUT_PATH_ORDERER}/msp/tlscacerts - mkdir -p ${OUTPUT_PATH_ORDERER}/msp/cacerts - SERVER_NAME=$(echo {{ .Release.Namespace }} | sed 's/net/ca/') - checkMspSecret admin-msp - {{- range $org := $.Values.organizations }} - {{- if eq $org.type "peer" }} - if [ -e /templates/{{ $org.name}}.json ] ; then - # Save the values of admincerts, cacerts and tlscacerts in variables - ADMINCERTS=$(jq -r '.data.admincerts' /templates/{{ $org.name}}.json) - CACERTS=$(jq -r '.data.cacerts' /templates/{{ $org.name}}.json) - TLSCACERTS=$(jq -r '.data.tlscacerts' /templates/{{ $org.name}}.json) - - mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/admincerts - mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/cacerts - mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/tlscacerts - - echo "$ADMINCERTS" > ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/admincerts/Admin@{{ $org.name}}-net-cert.pem - echo "$TLSCACERTS" > ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/tlscacerts/ca.crt - - if [ "$PROXY" != "none" ] - then - echo "$CACERTS" > ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/cacerts/{{ $org.name}}-ca-{{ $org.name}}-net-${EXTERNAL_URL_SUFFIX}.pem - else - echo "$CACERTS" > ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/cacerts/{{ $org.name}}-ca-{{ $org.name}}-net-7054.pem - fi - fi - if [ -e /templates/{{ $org.name }}-config-file.json ] ; then - if [ "$PROXY" != 
"none" ] - then - CONFIG_FILE=$(jq -r '.data."no-none-config.yaml"' /templates/{{ $org.name }}-config-file.json) - else - CONFIG_FILE=$(jq -r '.data."none-config.yaml"' /templates/{{ $org.name }}-config-file.json) - fi - echo "$CONFIG_FILE" > ${OUTPUT_PATH_PEER}/{{ $org.name}}-net/msp/config.yaml - fi - {{- else }} - {{- range $orderer := $org.orderers }} - orderer_name=$(echo {{ $orderer.name }}) - mkdir -p ${OUTPUT_PATH_ORDERER}/orderers/${orderer_name}.${COMPONENT_NAME}/tls - checkOrdererTlsSecret ${orderer_name} - {{- end }} - {{- end }} - {{- end }} - volumeMounts: - - name: certificates - mountPath: /secret - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - {{- range $org := $.Values.organizations }} - {{- $file := $.Files.Get (printf "files/%s.json" $org.name) }} - {{- if $file }} - - name: {{ $org.name }}-admin-msp - mountPath: /templates/{{ $org.name }}.json - subPath: {{ $org.name }}.json - {{- end }} - {{- $file := $.Files.Get (printf "files/%s-config-file.json" $org.name) }} - {{- if $file }} - - name: {{ $org.name }}-config-file - mountPath: /templates/{{ $org.name }}-config-file.json - subPath: {{ $org.name }}-config-file.json - {{- end }} - {{- end }} containers: - - name: "generate-genesis" - image: "{{ .Values.image.ca }}" + - name: "generate-artifacts" + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR 
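Review bot: The added volume `- name: {{ $orderer.name }}-tls-config` is keyed by orderer name only, so if two organizations in `.Values.organizations` each define an orderer with the same name (e.g. both `orderer1`), the rendered pod carries duplicate `volumes[].name` entries and is rejected by the API server; the matching mount added in the `@@ -342,5 +314,25 @@` hunk has the same problem. Prefix the name with the org in both places, `- name: {{ $org.name }}-{{ $orderer.name }}-tls-config`. The configMap key `{{ $orderer.name }}-orderer-tls.json` and the `files/%s-orderer-tls.json` lookup are likewise orderer-only, so a real collision would also need the org prefix on the producer side, which is outside this diff. The volumes block this hunk edits starts before the hunk.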
@@ -248,14 +96,14 @@ spec: - name: VAULT_TYPE value: "{{ $.Values.global.vault.type }}" - name: NETWORK_VERSION - value: "{{ $.Values.global.network.version }}" + value: "{{ $.Values.global.version }}" + - name: PROXY + value: {{ .Values.global.proxy.provider }} + - name: EXTERNAL_URL_SUFFIX + value: {{ .Values.global.proxy.externalUrlSuffix }} - name: COMPONENT_NAME value: {{ .Release.Namespace }} - - name: OS - value: "{{ $.Values.vars.install_os }}" - - name: ARCH - value: "{{ $.Values.vars.install_arch }}" - command: ["sh", "-c"] + command: ["bash", "-c"] args: - |- #!/usr/bin/env sh 
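Review bot: The two new env entries `value: {{ .Values.global.proxy.provider }}` and `value: {{ .Values.global.proxy.externalUrlSuffix }}` are rendered unquoted, unlike the VAULT_* entries directly above them that wrap the template in double quotes; a boolean- or number-looking override is retyped by the YAML parser, and env values must be strings, so the API server rejects the Job. Quote them the same way as their neighbours: `value: "{{ .Values.global.proxy.provider }}"` and `value: "{{ .Values.global.proxy.externalUrlSuffix }}"`. The interpreter changes to `bash -c` (needed for the `function name {` syntax in the following hunk) while the script still opens with `#!/usr/bin/env sh`; the shebang is inert under `-c` but now misdocuments the shell, so change it to `#!/usr/bin/env bash`. The container definition and its args block continue outside this hunk.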
@@ -272,63 +120,187 @@ spec: # Define the packages to install packages_to_install="jq curl wget" install_packages "$packages_to_install" - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl - chmod +x ./kubectl - mv ./kubectl /usr/local/bin/kubectl - kubectl version --client + # Download kubectl binary + curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl; + chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl; + +{{- if eq .Values.global.vault.type "hashicorp" }} + . /scripts/bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + + function getMSPCerts { + KEY=$1 + path=$2 + mkdir -p ${path}/msp/admincerts + mkdir -p ${path}/msp/cacerts + mkdir -p ${path}/msp/tlscacerts + + echo "Getting TLS certificates from Vault." + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/users/${KEY}" - wget https://github.com/hyperledger/fabric/releases/download/v${NETWORK_VERSION}/hyperledger-fabric-${OS}-${ARCH}-${NETWORK_VERSION}.tar.gz - mkdir -p /temp - tar -xvf hyperledger-fabric-${OS}-${ARCH}-${NETWORK_VERSION}.tar.gz -C /temp - cp /temp/bin/configtxgen /templates/configtxgen + ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') + CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') + TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') + echo "${ADMINCERT}" > ${path}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem + echo "${TLSCACERTS}" > ${path}/msp/tlscacerts/ca.crt + echo "${CACERTS}" > ${path}/msp/cacerts/ca.crt + } + + function getOrdererTLSCerts { + KEY=$1 + path=$2 + mkdir -p ${path}/orderers/${KEY}/tls + echo "Getting TLS certificates from Vault." 
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${KEY}-tls" + + TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server_crt"]') + + echo "${TLS_SERVER_CERT}" > ${path}/orderers/${KEY}/tls/server.crt + } + function writeSafeSecret { + key=$1 + file=$2 + cat $file | base64 > ${key}.base64 + + vaultBevelFunc "init" + FILE_B64=$(cat ${key}.base64) + + echo " + { + \"data\": + { + \"${key}_base64\": \"${FILE_B64}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/channel-artifacts/${key}" 'payload.json' + rm payload.json + + kubectl get configmap --namespace ${COMPONENT_NAME} ${key} + if [ $? -ne 0 ]; then + kubectl create configmap --namespace ${COMPONENT_NAME} ${key} --from-file=${key}_base64=${key}.base64 + fi + } + {{- else }} + function getMSPCerts { + key=$1 + path=$2 + mkdir -p ${path}/msp/admincerts + mkdir -p ${path}/msp/cacerts + mkdir -p ${path}/msp/tlscacerts + KUBENETES_SECRET=$(kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json) + if [ "$KUBENETES_SECRET" = "" ]; then + echo "Certficates absent in kuberenetes secrets" + exit 1 + else + ADMINCERT=$(echo "$KUBENETES_SECRET" | jq -r '.data.admincerts' | base64 -d) + CACERTS=$(echo "$KUBENETES_SECRET" | jq -r '.data.cacerts' | base64 -d) + TLSCACERTS=$(echo "$KUBENETES_SECRET" | jq -r '.data.tlscacerts' | base64 -d) + + echo "${ADMINCERT}" > ${path}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem + echo "${TLSCACERTS}" > ${path}/msp/tlscacerts/ca.crt + echo "${CACERTS}" > ${path}/msp/cacerts/ca.crt + + fi + } + + function getOrdererTLSCerts { + key=$1 + path=$2 + mkdir -p ${path}/orderers/${key}/tls + + KUBENETES_SECRET=$(kubectl get secret ${key}-tls --namespace ${COMPONENT_NAME} -o json) + if [ "$KUBENETES_SECRET" = "" ]; then + echo "Certficates absent in kuberenetes secrets" + exit 1 + else + TLS_SERVER_CERT=$(echo "$KUBENETES_SECRET" | jq -r '.data.servercrt' | base64 -d) + echo "${TLS_SERVER_CERT}" > 
${path}/orderers/${key}/tls/server.crt + fi + } + + function writeSafeSecret { + key=$1 + file=$2 + cat $file | base64 > ${key}.base64 + + kubectl get configmap --namespace ${COMPONENT_NAME} ${key} + if [ $? -ne 0 ]; then + kubectl create configmap --namespace ${COMPONENT_NAME} ${key} --from-file=${key}_base64=${key}.base64 + fi + } + {{- end }} + + OUTPUT_PATH_PEER="/templates/crypto-config/organizations" + {{- range $org := $.Values.organizations }} + if [ -e /templates/{{ $org.name }}.json ]; then + # Read the admin-msp details from files for other orgs + ADMINCERTS=$(jq -r '.data.admincerts' /templates/{{ $org.name}}.json) + CACERTS=$(jq -r '.data.cacerts' /templates/{{ $org.name}}.json) + TLSCACERTS=$(jq -r '.data.tlscacerts' /templates/{{ $org.name}}.json) + + mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/admincerts + mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/cacerts + mkdir -p ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/tlscacerts + + echo "$ADMINCERTS" | base64 -d > ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/admincerts/Admin@{{ $org.name }}-net-cert.pem + echo "$TLSCACERTS" | base64 -d > ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/tlscacerts/ca.crt + echo "$CACERTS" | base64 -d > ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/cacerts/ca.crt + else + # Read the admin-msp details from k8s secrets for org that is executing the genesis + getMSPCerts admin-msp ${OUTPUT_PATH_PEER}/{{ $org.name }} + fi + {{- if $org.peers }} + if [ -e /templates/{{ $org.name }}-config-file.json ]; then + # Read the MSP Configfile from files for other orgs + CONFIG_FILE=$(jq -r '.data."mspConfig"' /templates/{{ $org.name }}-config-file.json) + echo "$CONFIG_FILE" > ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/config.yaml + else + # Read the MSP Configfile from k8s secrets for org that is executing the genesis + {{- with (first $org.peers) }} + KUBENETES_SECRET=$(kubectl get configmap {{ .name }}-msp-config --namespace ${COMPONENT_NAME} -o json) + if [ "$KUBENETES_SECRET" = "" ]; then + echo 
"MSP Config absent in Kuberenetes" + exit 1 + else + CONFIG_FILE=$(echo "$KUBENETES_SECRET" | jq -r '.data.mspConfig') + echo "${CONFIG_FILE}" > ${OUTPUT_PATH_PEER}/{{ $org.name }}/msp/config.yaml + fi + {{- end }} + fi + {{- end }} + {{- if $org.orderers }} + {{- range $orderer := $org.orderers }} + if [ -e /templates/{{ $orderer.name }}-orderer-tls.json ]; then + # Read the MSP Configfile from files for other orgs + CONFIG_FILE=$(jq -r '.data.servercrt' /templates/{{ $orderer.name }}-orderer-tls.json) + echo "$CONFIG_FILE" | base64 -d > ${OUTPUT_PATH_PEER}/{{ $org.name }}/orderers/{{ $orderer.name }}/tls/server.crt + else + getOrdererTLSCerts {{ $orderer.name }} ${OUTPUT_PATH_PEER}/{{ $org.name }} + fi + {{- end }} + {{- end }} + {{- end }} cd /templates {{- range $channel := $.Values.channels }} version2_5=`echo $NETWORK_VERSION | grep -c 2.5` - version2_2=`echo $NETWORK_VERSION | grep -c 2.2` if [ $version2_5 = 1 ]; then - echo "version 2.5" - ./configtxgen -profile {{ $channel.genesis.name }} -channelID {{ $channel.channelName | lower }} -outputBlock allchannel.genesis.block - elif [ $version2_2 = 1 ]; then - echo "version 2.2" - ./configtxgen -profile {{ $channel.channelName }} -outputCreateChannelTx {{ $channel.channelName | lower }}.tx -channelID {{ $channel.channelName | lower }} - cat {{ $channel.channelName | lower }}.tx | base64 > {{ $channel.channelName | lower }}.tx.base64 - safeConfigmap {{ $channel.channelName | lower }}.tx.base64 channel-artifacts-{{ $channel.channelName | lower }} channel.tx.base64 + echo "version 2.5.x" + configtxgen -configPath "/templates" -profile {{ $channel.name }} -channelID {{ $channel.name }} -outputBlock {{ $channel.name }}.genesis.block + writeSafeSecret {{ $channel.name }}-genesis {{ $channel.name }}.genesis.block + else + echo "version 2.2.x" + configtxgen -configPath "/templates" -profile OrdererGenesis -channelID syschannel -outputBlock genesis.block + writeSafeSecret syschannel-genesis genesis.block + configtxgen 
-configPath "/templates" -profile {{ $channel.name }} -channelID {{ $channel.name }} -outputCreateChannelTx {{ $channel.name }}.tx + writeSafeSecret {{ $channel.name }}-channeltx {{ $channel.name }}.tx {{- range $participant := $channel.participants }} - ./configtxgen -profile {{ $channel.channelName }} -outputAnchorPeersUpdate {{ $channel.channelName | lower }}{{ $participant.name }}MSPAnchor.tx -channelID {{ $channel.channelName | lower }} -asOrg {{ $participant.name }}MSP -configPath ./ - cat {{ $channel.channelName | lower }}{{ $participant.name }}MSPAnchor.tx | base64 > {{ $channel.channelName | lower }}{{ $participant.name }}MSPAnchor.tx.base64 - safeConfigmap {{ $channel.channelName | lower }}{{ $participant.name }}MSPAnchor.tx.base64 anchorpeer-artifacts-{{ $channel.channelName | lower }} anchors.tx.base64 + configtxgen -configPath "/templates" -profile {{ $channel.name }} -channelID {{ $channel.name }} -asOrg {{ $participant }}MSP -outputAnchorPeersUpdate {{ $channel.name }}{{ $participant }}MSPAnchor.tx + writeSafeSecret {{ $channel.name }}-{{ $participant }}-anchortx {{ $channel.name }}{{ $participant }}MSPAnchor.tx {{- end }} - ./configtxgen -profile {{ $channel.genesis.name }} -channelID syschannel -outputBlock allchannel.genesis.block - else - echo "version 1.4" - ./configtxgen -profile {{ $channel.genesis.name }} -channelID syschannel -outputBlock allchannel.genesis.block fi - cat {{ $channel.channelName | lower}}.genesis.block | base64 > {{ $channel.channelName | lower}}.genesis.block.base64 - {{- if eq $.Values.global.vault.type "hashicorp" }} - . /scripts/bevel-vault.sh - echo "Getting vault Token..." 
- vaultBevelFunc "init" - - GENESIS=$(cat {{ $channel.channelName | lower}}.genesis.block.base64) - - echo " - { - \"data\": - { - \"genesisBlock\": \"${GENESIS}\" - } - }" > payload.json - - vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ $channel.channelName | lower}}" 'payload.json' - rm payload.json - {{- else }} - kubectl get secret "{{ $channel.channelName | lower}}-genesis" --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 - if [ $? -ne 0 ]; then - kubectl create secret generic "{{ $channel.channelName | lower}}-genesis" --namespace ${COMPONENT_NAME} --from-file=genesis={{ $channel.channelName | lower}}.genesis.block - fi - {{- end }} - safeConfigmap {{ $channel.channelName | lower}}.genesis.block.base64 {{ $channel.channelName | lower}}-genesis-file genesis.block.base64 {{- end }} volumeMounts: - name: scripts-volume @@ -342,5 +314,25 @@ spec: subPath: configtx.yaml - name: certificates mountPath: /templates/crypto-config - readOnly: true - + {{- range $org := $.Values.organizations }} + {{- $file := $.Files.Get (printf "files/%s.json" $org.name) }} + {{- if $file }} + - name: {{ $org.name }}-admin-msp + mountPath: /templates/{{ $org.name }}.json + subPath: {{ $org.name }}.json + {{- end }} + {{- $file := $.Files.Get (printf "files/%s-config-file.json" $org.name) }} + {{- if $file }} + - name: {{ $org.name }}-config-file + mountPath: /templates/{{ $org.name }}-config-file.json + subPath: {{ $org.name }}-config-file.json + {{- end }} + {{- range $orderer := $org.orderers }} + {{- $ordfile := $.Files.Get (printf "files/%s-orderer-tls.json" $orderer.name) }} + {{- if $ordfile }} + - name: {{ $orderer.name }}-tls-config + mountPath: /templates/{{ $orderer.name }}-orderer-tls.json + subPath: {{ $orderer.name }}-orderer-tls.json + {{- end }} + {{- end }} + {{- end }} 
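Review bot: The kubectl binary is fetched at job run time from storage.googleapis.com and moved into /usr/local/bin with no integrity check and no error handling, so a truncated or tampered download is executed with the job's service-account credentials on the next `kubectl` call; fetch the `kubectl.sha256` published alongside the binary and verify before the `chmod`, `echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -`, or better, bake kubectl into the fabricTools image so the job performs no network download at all. In both `writeSafeSecret` variants `cat $file | base64 > ${key}.base64` produces 76-column line-wrapped output on GNU coreutils, and the hashicorp variant then splices that multi-line string into payload.json, which is not valid JSON; `base64 -w 0` avoids this (the removed alpine-based init container may have used a base64 with different defaults). The unchanged version test `grep -c 2.5` is unanchored with an unescaped dot and also matches a 2.2.5 release, which now matters because the `else` branch is the only remaining non-2.5 path; `grep -c '^2\.5'` is the intended check. The container args script this hunk belongs to begins in the previous hunk.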
diff --git a/platforms/hyperledger-fabric/charts/fabric-genesis/values.yaml b/platforms/hyperledger-fabric/charts/fabric-genesis/values.yaml index 244e924a926..fed3477728e 100644 --- a/platforms/hyperledger-fabric/charts/fabric-genesis/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-genesis/values.yaml @@ -8,10 +8,13 @@ --- # The following are for overriding global values global: + # HLF Network Version + #Eg. version: 2.5.4 + version: 2.5.4 #Provide the service account name which will be created. - serviceAccountName: vault-auth + serviceAccountName: vault-auth cluster: - provider: aws # choose from: minikube | aws | azure | gcp + provider: aws # choose from: minikube | aws | azure | gcp cloudNativeServices: false # only 'false' is implemented vault: @@ -42,14 +45,10 @@ global: #Eg. externalUrlSuffix: test.blockchaincloudpoc.com externalUrlSuffix: test.blockchaincloudpoc.com - # HLF Network Version - network: - version: 2.5.4 - image: - #Provide the image name for the generate-geneis container - #Eg. image: ghcr.io/hyperledger/bevel-fabric-ca:latest - ca: ghcr.io/hyperledger/bevel-fabric-ca:latest + #Provide the valid image repository for fabric tools + #Eg. fabricTools: hyperledger/fabric-tools + fabricTools: ghcr.io/hyperledger/bevel-fabric-tools #Provide the valid image name and version to read certificates from vault server #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest 
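Review bot: The new `version: 2.5.4` under `global` is a plain scalar; a three-part version happens to parse as a string, but a two-part override such as `2.10` is read as the float `2.1`, and this value is concatenated into the image tag `{{ .Values.image.fabricTools }}:{{ .Values.global.version }}` in the job template, so it should be quoted: `version: "2.5.4"`. The second hunk removes `global.network.version`, so existing value overrides that still set it are silently ignored in favour of the `2.5.4` default rather than failing; a comment on the new key, `# Replaces the former global.network.version key`, would help upgraders notice.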
@@ -57,61 +56,52 @@ image: #Eg. pullSecret: regcred pullSecret: -#Provide name of the consensus. Currently support raft and kafka -#Eg. name: raft -consensus: - name: raft - # Allows specification of one or many organizations that will be connecting to a network. organizations: # Specification for the 1st organization. - - organization: - name: supplychain - type: orderer + - name: supplychain orderers: - - orderer: - name: orderer1 - ordererAddress: orderer1.test.blockchaincloudpoc.com:443 - - orderer: - name: orderer2 - ordererAddress: orderer2.test.blockchaincloudpoc.com:443 - - orderer: - name: orderer3 - ordererAddress: orderer3.test.blockchaincloudpoc.com:443 + - name: orderer1 + ordererAddress: orderer1.supplychain-net:7050 # Internal/External URI of the orderer + - name: orderer2 + ordererAddress: orderer2.supplychain-net:7050 + - name: orderer3 + ordererAddress: orderer3.supplychain-net:7050 + peers: + - name: peer0 + peerAddress: peer0.supplychain-net:7051 # Internal/External URI of the peer + - name: peer1 + peerAddress: peer1.supplychain-net:7051 # Specification for the 2nd organization. - - organization: - name: carrier - type: peer + - name: carrier peers: - - peer: - name: peer0-carrier - peerAddress: peer0-carrier.cmar-net.test.blockchaincloudpoc.com:443 # External URI of the peer + - name: peer0 + peerAddress: peer0.carrier-net:7051 # Internal/External URI of the peer + +#Provide name of the consensus. Currently support raft and kafka +#Eg. consensus: raft +consensus: raft +# kafka is only valid for consensus: kafka +#Provide the kafka broker list +kafka: + #Eg. 
brokers: + # - kafka-0.broker.example-com.svc.cluster.local:9092 + # - kafka-1.broker.example-com.svc.cluster.local:9092 + # - kafka-2.broker.example-com.svc.cluster.local:9092 + # - kafka-3.broker.example-com.svc.cluster.local:9092 + brokers: # The channels defined for a network with participating peers in each channel channels: - - channel: - channelName: allchannel + - name: allchannel consortium: SupplyChainConsortium orderers: - supplychain participants: - - organization: - name: carrier - genesis: - name: OrdererGenesis - -vars: #These variables can be overriden from the command line - install_os: "linux" #Default to linux OS - install_arch: "amd64" #Default to amd64 architecture + - supplychain + - carrier settings: - # Flag to ensure the genesis secret is removed on helm uninstall - removeGenesisOnDelete: true # Flag to ensure the genesis configmap is removed on helm uninstall removeConfigMapOnDelete: true - -labels: - service: [] - pvc: [] - deployment: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml index 3d53b5ebed6..fcce9ef2506 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml @@ -7,11 +7,11 @@ apiVersion: v1 name: fabric-orderernode description: "Hyperledger Fabric: Deploys orderer node." -version: 1.0.0 +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md b/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md index e275aefcc82..6e45da36e52 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md 
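Review bot: `brokers:` under `kafka` is a bare key, which YAML reads as null rather than an empty list, and the comment line just above it, `#Eg. brokers:`, reads as if it were the key itself; write the default explicitly as `brokers: []` so a `range` over it and any schema validation see a list. The same hunk also drops the `labels:` block (`service`, `pvc`, `deployment`) from the defaults; if any template in this chart still references `.Values.labels.*` it will now render against nil, which cannot be confirmed from this diff.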
@@ -3,224 +3,148 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Orderer Node Hyperledger Fabric Deployment +# fabric-orderernode -- [Orderer Node Hyperledger Fabric Deployment Helm Chart](#orderer-node-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-orderernode chart deploys a Orderer Node for Hyperledger Fabric blockchain network. If enabled, the keys are stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## Orderer Node Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-orderernode) for orderer node. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- HAproxy is required as ingress controller. -- Helm installed. 
- - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -fabric-orderernode/ - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- deployment.yaml - |- service.yaml - |- servicemonitor.yaml - |- Chart.yaml - |- README.md - |- values.yaml +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install orderer1 bevel/fabric-orderernode ``` -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Defines two ConfigMaps, one for the orderer configuration and one for the genesis block. -- `deployment.yaml`: The kafka-healthCheck checks the health of the Kafka brokers before the main container is started. The certificates-init fetches the TLS and MSP certificates from Vault and stores them in a local directory. The {{ $.Values.orderer.name }} runs the Hyperledger Fabric orderer. The grpc-web exposes the orderer's gRPC API over HTTP/WebSockets. These containers are responsible for ensuring that the orderer is up and running, that it has the necessary certificates, and that it can be accessed by clients. -- `service.yaml`: Ensures internal and external access with exposed ports for gRPC (7050), gRPC-Web (7443), and operations (9443), and optionally uses HAProxy for external exposure and secure communication. -- `servicemonitor.yaml`: Define a ServiceMonitor resource that allows Prometheus to collect metrics from the orderer node's "operations" port. The configuration is conditionally applied based on the availability of the Prometheus Operator's API version and whether metrics are enabled for the orderer service. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. 
- - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| ---------------------- | ----------------------------------------------------------------------| -------------------------------------------------| -| namespace | Namespace for orderer | org1-net | -| network.version | HyperLedger Fabric network version | 2.2.2 | -| images.orderer | Valid image name and version for fabric orderer | ghcr.io/hyperledger/bevel-fabric-orderer:2.2.2 | -| images.alpineutils | Valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| images.healthCheck | Valid image name and version for health check of Kafka | busybox | -| labels | Custom labels | "" | - -### Orderer - -| Name | Description | Default Value | -| --------------------------- | ----------------------------------------------------------------------- | ----------------| -| name | Name for the orderer node | orderer | -| loglevel | Log level for orderer deployment | info | -| localmspid | Local MSP ID for orderer deployment | OrdererMSP | -| tlsstatus | Enable/disable TLS for orderer deployment | true | -| keepaliveserverinterval | Interval in which the orderer signals the connection has kept alive | 10s | -| address | Provide the address for orderer | orderer1.org1proxy.blockchaincloudpoc.com:443 | - -### Consensus - -| Name | Description | Default Value | -| ---------| ----------------------------| ----------------| -| name | Name of the consensus | raft | - -### Storage - -| Name | Description | Default Value | -| ----------------------| -----------------------------------| ----------------| -| storagesize | Storage size for 
storage class | 512Mi | - -### Service - -| Name | Description | Default Value | -| ------------------------------| ------------------------------------------| ----------------| -| servicetype | Service type for orderer | ClusterIP | -| ports.grpc.nodeport | Cluster IP port for grpc service | "" | -| ports.grpc.clusteripport | Cluster IP port for grpc service | 7050 | -| ports.metrics.enabled | Enable/disable metrics service | false | -| ports.metrics.clusteripport | Cluster IP port for metrics service | 9443 | - -### Annotations - -| Name | Description | Default Value | -| ---------------| --------------------------------------- | --------------| -| service | Extra annotations for service | "" | -| deployment | Extra annotations for deployment | "" | - -### Vault - -| Name | Description | Default Value | -| --------------------------- | --------------------------------------------------------------------| --------------------------------- | -| address | Vault server address | "" | -| role | Vault role for orderer deployment | vault-role | -| authpath | Kubernetes auth backend configured in vault for orderer deployment | devorg1-net-auth | -| type | Provide the type of vault | hashicorp | -| secretprefix | Vault secretprefix | secretsv2/data/crypto/ordererOrganizations/org1-net/orderers/orderer.org1-net | -| imagesecretname | Image secret name for vault | "" | -| serviceaccountname | Service account name for vault | vault-auth | -| tls | Enable/disable TLS for vault communication | "" | - -### Kafka - -| Name | Description | Default Value | -| --------------------------- | ------------------------------------------------------------------------| ----------------| -| readinessCheckInterval | Interval in seconds to check readiness of Kafka services | 5 | -| readinessThresHold | Threshold for checking if specified Kafka brokers are up and running | 4 | -| brokers | List of Kafka broker addresses | "" | - -### Proxy - -| Name | Description | Default Value | -| 
--------------------------- | --------------------------------------- | ------------------------------ | -| provider | Proxy/ingress provider | none | -| external_url_suffix | External URL suffix of the organization | org1proxy.blockchaincloudpoc.com:443 | - -### Config - -| Name | Description | Default Value | -| --------------------------- | --------------------------------------- | ------------------------------ | -| pod.resources.limits.memory | Limit memory for node | 512M | -| pod.resources.limits.cpu | Limit CPU for node | 1 | -| pod.resources.requests.memory | Requested memory for node | 512M | -| pod.resources.requests.cpu | Requested CPU for node | 0.25 | +## Prerequisites +- Kubernetes 1.19+ +- Helm 3.2.0+ - -## Deployment ---- +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -To deploy the fabric-orderernode Helm chart, follow these steps: +> **Important**: Also check the dependent charts. -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-orderernode - ``` -Replace `` with the desired name for the release. +## Installing the Chart -This will deploy the fabric-orderernode node to the Kubernetes cluster based on the provided configurations. +To install the chart with the release name `orderer1`: +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install orderer1 bevel/fabric-orderernode +``` - -## Verification ---- +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
-To verify the deployment, we can use the following command: -``` -$ kubectl get statefulsets -n -``` -Replace `` with the actual namespace where the StatefulSet was created. This command will display information about the StatefulSet, including the number of replicas and their current status. +> **Tip**: List all releases using `helm list` +## Uninstalling the Chart - -## Updating the Deployment ---- +To uninstall/delete the `orderer1` deployment: -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml) file with the desired changes and run the following Helm command: +```bash +helm uninstall orderer1 ``` -$ helm upgrade ./fabric-orderernode -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-orderernode node is up to date. - - -## Deletion ---- +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global + +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. | `2.5.4` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. 
| `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `""` | +| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `haproxy` | `haproxy` | +| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Fabric GRPC services will be available | `test.blockchaincloudpoc.com` | -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +### Storage +| Name | Description | Default Value | +|--------|---------|-------------| +| `storage.size` | Size of the PVC needed for Orderer Node | `512Mi` | +| `storage.reclaimPolicy` | Reclaim policy for the PVC. Choose from: `Delete` or `Retain` | `Delete` | +| `storage.volumeBindingMode` | Volume binding mode for the PVC. 
Choose from: `Immediate` or `WaitForFirstConsumer` | `Immediate` | +| `storage.allowedTopologies.enabled` | Check [bevel-storageclass](../../../shared/charts/bevel-storageclass/README.md) for details | `false` | + +### Certs + +| Name | Description | Default Value | +|--------|---------|-------------| +| `certs.generateCertificates` | Flag to generate certificates for the Orderer Node | `true` | +| `certs.orgData.caAddress` | Address of the CA Server without https | `ca.supplychain-net:7051` | +| `certs.orgData.caAdminUser` | CA Admin Username | `supplychain-admin` | +| `certs.orgData.caAdminPassword` | CA Admin Password | `supplychain-adminpw` | +| `certs.orgData.orgName` | Organization Name | `supplychain` | +| `certs.orgData.type` | Type of certificate to generate, choosed from `orderer` or `peer` | `orderer` | +| `certs.orgData.componentSubject` | X.509 subject for the organization | `"O=Orderer,L=51.50/-0.13/London,C=GB"` | +| `certs.settings.createConfigMaps` | Flag to create configmaps. Must be set to `false` for additional orderers/peers in the same organization. 
| `true` | +| `certs.settings.refreshCertValue` | Flag to refresh User certificates | `false` | +| `certs.settings.addPeerValue` | Flag to be used when adding a new peer to the organization | `false` | +| `certs.settings.removeCertsOnDelete` | Flag to delete the user and peer certificates on uninstall | `false` | +| `certs.settings.removeOrdererTlsOnDelete` | Flag to delete the orderer TLS certificates on uninstall | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.orderer` |Fabric Orderer image repository | `ghcr.io/hyperledger/bevel-fabric-orderer` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.healthCheck` | Busybox image repository and tag | `busybox` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Orderer Node Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-orderernode), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). 
+### Orderer +| Name | Description | Default Value | +|--------|---------|-------------| +| `orderer.consensus` | Consensus type for the Orderer Node | `raft` | +| `orderer.logLevel` | Log level for the Orderer Node | `info` | +| `orderer.localMspId` | Local MSP ID for the Orderer Organization | `supplychainMSP` | +| `orderer.tlsStatus` | TLS status of the Orderer Node | `true` | +| `orderer.keepAliveServerInterval` | Keep Alive Interval in Seconds | `10s` | +| `orderer.serviceType` | Service Type for the Ordering Service | `ClusterIP` | +| `orderer.ports.grpc.nodePort` | NodePort for the Orderer GRPC Service | `""` | +| `orderer.ports.grpc.clusterIpPort` | TCP Port for the Orderer GRPC Service | `7050` | +| `orderer.ports.metrics.enabled` | Flag to enable metrics port | `false` | +| `orderer.ports.metrics.clusterIpPort` | TCP Port for the Orderer metrics | `9443` | +| `orderer.resources.limits.memory` | Memory limit for the Orderer Node | `512M` | +| `orderer.resources.limits.cpu` | CPU limit for the Orderer Node | `1` | +| `orderer.resources.requests.memory` | Memory request for the Orderer Node | `512M` | +| `orderer.resources.requests.cpu` | CPU request for the Orderer Node | `0.25` | + +### Settings + +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `kafka.readinessCheckInterval` | Interval between readiness checks for the Brokers | `5` | +| `kafka.readinessThresHold` | Threshold for readiness checks for the Brokers | `1` | +| `kafka.brokers` | List of Kafka Broker Addresses | `""` | +| `healthCheck.retries` | Retry count to connect to Vault | `20` | +| `healthCheck.sleepTimeAfterError` | Wait seconds after unsuccessful connection attempt | `15` | + +### Labels + +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `labels.service` | Array of Labels for service object | `[]` | +| `labels.pvc` | Array of Labels for PVC object | `[]` | +| `labels.deployment` | Array of Labels 
for deployment or statefulset object | `[]` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml index 410faf75674..b3dafa8ee89 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml @@ -6,9 +6,9 @@ dependencies: - storage version: ~1.0.0 - name: fabric-catools - alias: catools + alias: certs repository: "file://../fabric-catools" tags: - catools version: ~1.0.0 - condition: settings.generateCertificates + condition: certs.generateCertificates diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl index 76f3d9e390f..c5697ed561c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl 
@@ -28,31 +28,19 @@ Create chart name and version as used by the chart label. {{- end -}} {{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := $.Values.labels.deployment }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := $.Values.labels.service }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := $.Values.labels.pvc }} +{{ toYaml $value }} {{- end }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml index 70c9a26b0cf..f7c63d12aec 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml 
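Review bot: Dropping the `if $.Values.labels` guard means all three helpers now evaluate `$.Values.labels.deployment`/`.service`/`.pvc` unconditionally, so a values override of `labels: null` (or a values file that omits the key) turns the previous silent no-op into a nil-pointer template error at render time; if that is intended, a comment above the first define such as `{{/* labels.* must stay present in values.yaml as lists of maps */}}` would make the contract explicit. `toYaml $value` also emits each map verbatim, so a non-string value (`team: true`, `tier: 1`) is no longer quoted as the old `| quote` did and will be rejected by the API server, since label values must be strings; the README's Labels table could note that values must be quoted strings.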
@@ -18,18 +18,18 @@ metadata: app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} data: - FABRIC_LOGGING_SPEC: {{ $.Values.orderer.logLevel }} + FABRIC_LOGGING_SPEC: {{ .Values.orderer.logLevel }} ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 -{{ if contains "2.5" $.Values.global.network.version }} +{{ if contains "2.5" .Values.global.version }} ORDERER_GENERAL_BOOTSTRAPMETHOD: "none" {{ else }} ORDERER_GENERAL_GENESISMETHOD: file ORDERER_GENERAL_GENESISFILE: /var/hyperledger/orderer/orderer.genesis.block {{ end }} - ORDERER_GENERAL_LOCALMSPID: {{ $.Values.orderer.localMspId }} - ORDERER_GENERAL_KEEPALIVE_SERVERINTERVAL: {{ $.Values.orderer.keepAliveServerInterval }} + ORDERER_GENERAL_LOCALMSPID: {{ .Values.orderer.localMspId }} + ORDERER_GENERAL_KEEPALIVE_SERVERINTERVAL: {{ .Values.orderer.keepAliveServerInterval }} ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/orderer/crypto/msp - ORDERER_GENERAL_TLS_ENABLED: "{{ $.Values.orderer.tlsStatus }}" + ORDERER_GENERAL_TLS_ENABLED: "{{ .Values.orderer.tlsStatus }}" ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/orderer/crypto/tls/server.key ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/orderer/crypto/tls/server.crt ORDERER_GENERAL_TLS_ROOTCAS: '[/var/hyperledger/orderer/crypto/tls/ca.crt]' @@ -41,8 +41,8 @@ data: ORDERER_KAFKA_RETRY_SHORTTOTAL: "30s" ORDERER_KAFKA_VERBOSE: "true" GODEBUG: "netdns=go" - ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:10443 -{{ if contains "2.5" $.Values.global.network.version }} + ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 +{{ if contains "2.5" .Values.global.version }} ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:7055 ORDERER_ADMIN_TLS_ENABLED: "true" ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/orderer/crypto/tls/server.key diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml index 9ae8b6b16a7..cb5e927c8e8 100644 
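Review bot: `contains "2.5" .Values.global.version` (used in both hunks here, and with `trunc 3` in the node-statefulset.yaml hunks) only works while `global.version` reaches the template as a string; the new default in the values.yaml hunk is the unquoted plain scalar `version: 2.5.4`, which happens to parse as a string, but an override such as `version: 2.5` parses as a float and makes `contains`/`trunc` fail with a type error at render time. Quoting the default (`version: "2.5.4"`) and saying in the values comment that it is a string avoids this; `semverCompare ">=2.5.0" .Values.global.version` would also state the intent more precisely than a substring test. The `{{ else }}` branch setting `ORDERER_GENERAL_GENESISFILE` is unchanged context and not reviewed here.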
--- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml @@ -17,8 +17,7 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - annotations: - {{- include "labels.deployment" . | nindent 2 }} + {{- include "labels.deployment" . | nindent 4 }} spec: updateStrategy: type: RollingUpdate @@ -45,12 +44,12 @@ spec: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{- include "labels.deployment" . | nindent 2 }} + {{- include "labels.deployment" . | nindent 8 }} spec: - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: - name: certificates @@ -59,17 +58,17 @@ spec: {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt # curl expects certs to be in /etc/ssl/certs/ca-certificates.crt {{ end }} - {{- if ne $.Values.global.network.version "2.5.4" }} + {{- if ne ($.Values.global.version | trunc 3) "2.5" }} - name: {{ .Release.Name }}-genesis-volume configMap: - name: {{ $.Values.channel.name | lower }}-genesis-file + name: syschannel-genesis items: - - key: genesis.block.base64 + - key: syschannel-genesis_base64 path: genesis.block.base64 {{ end }} - name: scripts-volume 
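Review bot: In the first hunk the `labels.deployment` include moves out from under the removed `annotations:` key and is re-indented to sit under `labels:`, so values that operators previously supplied as free-form annotations are now subject to Kubernetes label-value rules (63 characters, alphanumerics plus `-_.`); the same move happens for `labels.service` in service.yaml. If that is intended, the values comment for `labels` should say `# applied as Kubernetes labels, not annotations; values must be valid label values` and the README's Labels table should say the same. In the third hunk `{{- if ne ($.Values.global.version | trunc 3) "2.5" }}` keeps the `$.` prefix while every neighbouring line was switched to `.Values`; the identical line in the containers/volumeMounts hunk further down has the same inconsistency, and `.Values` is equivalent at this depth. The genesis ConfigMap is now the fixed `syschannel-genesis` with key `syschannel-genesis_base64`, which I infer must match what the fabric-genesis chart writes — worth confirming, because a mismatch only shows up as a pod stuck in ContainerCreating.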
@@ -77,24 +76,24 @@ spec: name: bevel-vault-script initContainers: - name: kafka-healthcheck - image: {{ $.Values.image.healthCheck }} + image: {{ .Values.image.healthCheck }} imagePullPolicy: IfNotPresent command: ["sh", "-c"] args: - |- #!/usr/bin/env sh - if [ {{ $.Values.consensus.name }} == kafka ] + if [ {{ .Values.orderer.consensus }} == kafka ] then COUNTER=1 FLAG=true KAFKACOUNT=0 COUNT=0 - {{ range $.Values.kafka.brokers}} + {{ range .Values.kafka.brokers}} COUNT=`expr "$COUNT" + 1` {{ end }} - while [ "$COUNTER" -le {{ $.Values.kafka.readinessThresHold }} ] + while [ "$COUNTER" -le {{ .Values.kafka.readinessThresHold }} ] do - {{ range $.Values.kafka.brokers}} + {{ range .Values.kafka.brokers}} KAFKA_BROKERS={{ . }} STATUS=$(nc -vz $KAFKA_BROKERS 2>&1 | grep -c open ) if [ "$STATUS" == 0 ] @@ -109,9 +108,9 @@ spec: if [ "$FLAG" == false ] then echo "$KAFKACOUNT kafka brokers out of $COUNT are up and running!" - echo "Retry attempted $COUNTER times, retrying after {{ $.Values.kafka.readinessCheckInterval }} seconds" + echo "Retry attempted $COUNTER times, retrying after {{ .Values.kafka.readinessCheckInterval }} seconds" COUNTER=`expr "$COUNTER" + 1` - sleep {{ $.Values.kafka.readinessCheckInterval }} + sleep {{ .Values.kafka.readinessCheckInterval }} else echo "SUCCESS!" echo "All $KAFKACOUNT kafka broker are up and running!" @@ -119,7 +118,7 @@ spec: break fi done - if [ "$COUNTER" -gt {{ $.Values.kafka.readinessThresHold }} ] || [ "$FLAG" == false ] + if [ "$COUNTER" -gt {{ .Values.kafka.readinessThresHold }} ] || [ "$FLAG" == false ] then echo "Retry attempted $COUNTER times, no kafka brokers are up and running. Giving up!" exit 1 
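Review bot: `if [ {{ .Values.orderer.consensus }} == kafka ]` substitutes the value unquoted into a `sh` test, so an empty or whitespace-containing `orderer.consensus` breaks the init container with a shell syntax error instead of a readable message; `==` inside `[ ]` is also not POSIX, although the busybox image accepts it. `if [ "{{ .Values.orderer.consensus }}" = kafka ]` is safer and equivalent. The same unquoted expansion applies to `KAFKA_BROKERS={{ . }}` and `nc -vz $KAFKA_BROKERS` in this hunk. The script body continues past the end of the third hunk.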
@@ -127,23 +126,23 @@ spec: fi fi - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_SECRET_ENGINE - value: "{{ $.Values.global.vault.secretEngine }}" + value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.global.vault.secretPrefix }}" + value: "{{ .Values.global.vault.secretPrefix }}" - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: MOUNT_PATH value: /secret - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: ORDERER_NAME value: {{ .Release.Name }} command: ["sh", "-c"] @@ -159,15 +158,14 @@ spec: function getOrdererTlsSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${KEY}" if [ "$SECRETS_AVAILABLE" == "yes" ] then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca_crt"]') + TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server_crt"]') + TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server_key"]') echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt echo "${TLS_SERVER_CERT}" > ${OUTPUT_PATH}/server.crt 
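Review bot: After the path and key rename (`orderers/${KEY}`, `ca_crt`/`server_crt`/`server_key`), `jq -r '.["ca_crt"]'` returns the literal string `null` when a secret still carries the old `ca.crt`-style keys, and that string is then written to `${OUTPUT_PATH}/ca.crt` as if it were a certificate; `SECRETS_AVAILABLE == yes` only says the path exists, not that the expected keys do. A check after the three assignments such as `if [ "$TLS_CA_CERT" = "null" ] || [ -z "$TLS_SERVER_KEY" ]; then echo "TLS secret at orderers/${KEY} lacks expected keys"; exit 1; fi` fails fast with a usable message instead of leaving the orderer to crash on a bogus cert, and a retry will not fix a key-name mismatch. The same applies to `getOrdererMspSecret` in the next hunk (`admincerts` and the following reads). `getOrdererTlsSecret` ends outside this hunk.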
@@ -180,10 +178,9 @@ spec: function getOrdererMspSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${KEY}" if [ "$SECRETS_AVAILABLE" == "yes" ] then ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') @@ -244,7 +241,7 @@ spec: {{- end }} COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + while [ "$COUNTER" -le {{ .Values.healthCheck.retries }} ] do OUTPUT_PATH="${MOUNT_PATH}/tls" mkdir -p ${OUTPUT_PATH} @@ -263,13 +260,13 @@ spec: echo "Orderer certificates have been obtained correctly" break else - echo "Orderer certificates have not been obtained, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + echo "Orderer certificates have not been obtained, sleeping for {{ .Values.healthCheck.sleepTimeAfterError }}" + sleep {{ .Values.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done - if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] + if [ "$COUNTER" -gt {{ .Values.healthCheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, Orderer certificates have not been obtained." exit 1 
@@ -286,22 +283,24 @@ spec: mountPath: /scripts/bevel-vault.sh subPath: bevel-vault.sh containers: - - name: {{ .Release.Name }} - image: {{ $.Values.image.orderer }}:{{ $.Values.global.network.version }} + - name: fabric-orderer + image: {{ .Values.image.orderer }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent workingDir: /opt/gopath/src/github.com/hyperledger/fabric command: ["sh", "-c", "cat /var/hyperledger/orderer/genesis/genesis.block.base64 | base64 -d > /var/hyperledger/orderer/orderer.genesis.block && orderer"] ports: - containerPort: 7050 - name: operations - containerPort: 10443 + containerPort: 9443 + - name: onsadmin + containerPort: 7055 envFrom: - configMapRef: name: {{ .Release.Name }}-config volumeMounts: - name: datadir mountPath: /var/hyperledger/production/orderer - {{- if ne $.Values.global.network.version "2.5.4" }} + {{- if ne ($.Values.global.version | trunc 3) "2.5" }} - name: {{ .Release.Name }}-genesis-volume mountPath: /var/hyperledger/orderer/genesis readOnly: true @@ -311,11 +310,11 @@ spec: readOnly: true resources: requests: - memory: {{ .Values.config.pod.resources.requests.memory }} - cpu: {{ .Values.config.pod.resources.requests.cpu }} + memory: {{ .Values.orderer.resources.requests.memory }} + cpu: {{ .Values.orderer.resources.requests.cpu }} limits: - memory: {{ .Values.config.pod.resources.limits.memory }} - cpu: {{ .Values.config.pod.resources.limits.cpu }} + memory: {{ .Values.orderer.resources.limits.memory }} + cpu: {{ .Values.orderer.resources.limits.cpu }} - name: grpc-web image: "ghcr.io/hyperledger-labs/grpc-web:latest" imagePullPolicy: IfNotPresent 
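Review bot: The `onsadmin` containerPort 7055 is added unconditionally, while `ORDERER_ADMIN_LISTENADDRESS` in configmap.yaml and the matching Service port in service.yaml are both wrapped in `contains "2.5" .Values.global.version`, so for a non-2.5 version the container declares a port nothing listens on. Wrapping the two lines in the same condition keeps the three templates consistent: `{{ if contains "2.5" .Values.global.version }}` before `- name: onsadmin` and `{{ end }}` after `containerPort: 7055`. Renaming the container from `{{ .Release.Name }}` to the fixed `fabric-orderer` breaks anything that addresses the container by name (`kubectl logs -c`, log shippers, alert rules) and deserves a line in the README or changelog.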
@@ -324,7 +323,7 @@ spec: containerPort: 7443 env: - name: BACKEND_ADDRESS - value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ $.Values.service.ports.grpc.clusterIpPort }}" + value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.orderer.ports.grpc.clusterIpPort }}" - name: SERVER_TLS_CERT_FILE value: "/certs/tls/server.crt" - name: SERVER_TLS_KEY_FILE @@ -353,10 +352,10 @@ spec: - metadata: name: datadir labels: - {{- include "labels.pvc" . | nindent 6 }} + {{- include "labels.pvc" . | nindent 8 }} spec: accessModes: [ "ReadWriteOnce" ] storageClassName: storage-{{ .Release.Name }} resources: requests: - storage: {{ $.Values.storage.size }} + storage: {{ .Values.storage.size }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml index b2f6d798770..114b5d2d2db 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml @@ -9,14 +9,6 @@ kind: Service metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} - annotations: - {{- if $.Values.labels }} - {{- range $key, $value := $.Values.labels.service }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} labels: run: {{ .Release.Name }} app.kubernetes.io/name: {{ .Release.Name }} 
@@ -26,16 +18,17 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- include "labels.service" . | nindent 4 }} spec: - type: {{ $.Values.service.serviceType }} + type: {{ .Values.orderer.serviceType }} selector: app: {{ .Release.Name }} ports: - protocol: TCP targetPort: 7050 - port: {{ $.Values.service.ports.grpc.clusterIpPort }} - {{- if (ne $.Values.service.serviceType "ClusterIP") }} - nodePort: {{ $.Values.service.ports.grpc.nodeport }} + port: {{ .Values.orderer.ports.grpc.clusterIpPort }} + {{- if (ne .Values.orderer.serviceType "ClusterIP") }} + nodePort: {{ .Values.orderer.ports.grpc.nodeport }} {{- end }} name: grpc - name: grpc-web @@ -45,12 +38,18 @@ spec: - name: operations protocol: TCP targetPort: 9443 - port: {{ $.Values.service.ports.metrics.clusterIpPort }} - {{- if (eq $.Values.service.serviceType "ClusterIP") }} + port: {{ .Values.orderer.ports.metrics.clusterIpPort }} +{{ if contains "2.5" .Values.global.version }} + - name: onsadmin + protocol: TCP + targetPort: 7055 + port: 7055 +{{- end }} + {{- if (eq .Values.orderer.serviceType "ClusterIP") }} clusterIP: None {{- end }} -{{ if eq $.Values.global.proxy.provider "haproxy" }} +{{ if eq .Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -58,11 +57,11 @@ metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} annotations: - kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: + ingressClassName: "haproxy" rules: - - host: {{ .Release.Name }}.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: {{ .Release.Name }}.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / 
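Review bot: `nodePort: {{ .Values.orderer.ports.grpc.nodeport }}` reads the key `nodeport`, while the README table for this chart documents `orderer.ports.grpc.nodePort`; Go template map lookups are case-sensitive, so if values.yaml spells it `nodePort` the manifest renders an empty `nodePort:` whenever `orderer.serviceType` is not `ClusterIP` (the values hunk for the ports block is not visible here, so please confirm the spelling). Whichever is right, template, values.yaml and README should agree — `nodePort: {{ .Values.orderer.ports.grpc.nodePort }}` if the README is authoritative. The Ingress hosts now include `.{{ .Release.Namespace }}`, which changes the DNS names and the TLS SANs clients must trust; that is worth a README mention alongside the `ingressClassName` switch.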
@@ -71,8 +70,8 @@ spec: service: name: {{ .Release.Name }} port: - number: {{ $.Values.service.ports.grpc.clusterIpPort }} - - host: {{ .Release.Name }}-proxy.{{ $.Values.global.proxy.externalUrlSuffix }} + number: {{ .Values.orderer.ports.grpc.clusterIpPort }} + - host: {{ .Release.Name }}-proxy.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / @@ -88,11 +87,10 @@ kind: Ingress metadata: name: {{ .Release.Name }}-ops namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/ingress.class: "haproxy" spec: + ingressClassName: "haproxy" rules: - - host: {{ .Release.Name }}-ops.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: {{ .Release.Name }}-ops.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / @@ -101,5 +99,5 @@ spec: service: name: {{ .Release.Name }} port: - number: 10443 + number: 9443 {{ end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml index 0e882368204..92ad3e488fe 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.service.ports.metrics.enabled }} +{{- if .Values.orderer.ports.metrics.enabled }} {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml index a4e5108f2f4..270207e8376 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml 
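Review bot: The `-ops` Ingress now routes `{{ .Release.Name }}-ops.{{ .Release.Namespace }}.<suffix>` to Service port 9443, the orderer operations endpoint, and unlike the grpc Ingress above it carries no `ssl-passthrough` annotation, so whether that listener is reached over TLS depends on `ORDERER_OPERATIONS_TLS_*` settings outside these hunks. Because the operations service serves health, metrics and the runtime log-level endpoint, the README should state whether exposing `-ops` externally is intended and how it is protected, or the Ingress could be gated behind a value such as `orderer.ports.metrics.enabled`, which already gates the ServiceMonitor in the next hunk. This behaviour is carried over from port 10443 rather than introduced by the renumbering, but the host rename is a good moment to document it.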
@@ -5,8 +5,14 @@ ############################################################################################## global: + # HLF Network Version + #Eg. version: 2.5.4 + version: 2.5.4 #Provide the service account name which will be created. - serviceAccountName: vault-auth + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented vault: #Provide the type of vault #Eg. type: hashicorp @@ -24,18 +30,11 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imageSecretName: "" #Kuberenetes secret for vault ca.cert #Enable or disable TLS for vault communication if value present or not #Eg. tls: vaultca tls: - cluster: - provider: aws # choose from: minikube | aws | azure | gcp - cloudNativeServices: false # only 'false' is implemented - proxy: #This will be the proxy/ingress provider. Can have values "none" or "haproxy" #Eg. provider: "haproxy" 
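Review bot: The two `serviceAccountName: vault-auth` lines differ in no visible way, which suggests trailing whitespace was added on the new side; yamllint's `trailing-spaces` rule would flag it and it makes an unchanged line show up as a change. In the second hunk `tls:` stays a bare key, which parses as null, while the README documents the default as `""`; `tls: ""` keeps values and README consistent and is explicit that an empty string is meant (`{{ if .Values.global.vault.tls }}` treats both the same). The `cluster.provider` comment lists `gcp` as a choice although the README says only `aws`, `azure` and `minikube` are tested; `# choose from: minikube | aws | azure (gcp untested)` would align them.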
@@ -44,47 +43,44 @@ global: #Eg. externalUrlSuffix: test.blockchaincloudpoc.com externalUrlSuffix: test.blockchaincloudpoc.com - # HLF Network Version - network: - version: 2.5.4 +storage: + #Provide storage size for Orderer Volume + #Eg. size: 512Mi + size: 512Mi + # NOTE: when you set this to Retain, the volume WILL persist after the chart is delete and you need to manually delete it + reclaimPolicy: "Delete" # choose from: Delete | Retain + volumeBindingMode: Immediate # choose from: Immediate | WaitForFirstConsumer + allowedTopologies: + enabled: false -catools: +certs: + # Flag indicating the creation of certificates. + generateCertificates: true orgData: + caAddress: ca.supplychain-net:7051 + caAdminUser: supplychain-admin + caAdminPassword: supplychain-adminpw #Provide organization's name in lowercases - #Eg. orgName: supplychain + #Eg. orgName: supplychain orgName: supplychain #Provide organization's type (orderer or peer) - #Eg. component_type: orderer - type: - #Provide organization's subject - #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - componentSubject: + #Eg. type: orderer + type: orderer #Provide organization's subject - #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - certSubject: - #Provide organization's country - #Eg. UK - componentCountry: UK - #Provide organization's state - #Eg. London - componentState: London - #Provide organization's location - #Eg. Lodon - componentLocation: Lodon + #Eg. componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" + componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" - #Provide orderer's names - orderers: - - orderer1 - - orderer2 - - orderer3 - -channel: - # Provide the channel's name - channel_name: Allchannel + settings: + #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others. 
+ createConfigMaps: true + refreshCertValue: false + addPeerValue: false + removeCertsOnDelete: false + removeOrdererTlsOnDelete: false image: - #Provide the valid image name and version for fabric orderer - #Eg. orderer: hyperledger/fabric-orderer:1.4.0 + #Provide the valid image repository for fabric orderer + #Eg. orderer: hyperledger/fabric-orderer orderer: ghcr.io/hyperledger/bevel-fabric-orderer #Provide the valid image name and version to read certificates from vault server #Eg.alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest @@ -92,8 +88,14 @@ image: #Provide the valid image name and version for healthCheck of kafka #Eg. healthCheck: busybox healthCheck: busybox - + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: + orderer: + #Provide the name of the consensus. Currently support raft and kafka + #Eg. consensus: raft + consensus: raft #Provide the logLevel for orderer deployment #Eg. logLevel: info logLevel: info @@ -106,20 +108,6 @@ orderer: #Provide the interval in which the orderer to signal the connection has kept alive #Eg. keepAliveServerInterval: 10s keepAliveServerInterval: 10s - #Provide the address for orderer - #Eg. address: orderer1.test.blockchaincloudpoc.com - -consensus: - #Provide name of the consensus. Currently support raft and kafka - #Eg. name: raft - name: raft - -storage: - #Provide the size for storage class - #Eg. size: 512Mi - size: 512Mi - -service: #Provide the serviceType a peer #Eg. serviceType: NodePort serviceType: ClusterIP 
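Review bot: `caAdminPassword: supplychain-adminpw` ships a CA admin credential as a plain default in a values file that is committed and published with the chart, and the README table repeats it, so every install that keeps the defaults ends up with a known password on the CA admin identity. A safer default is `caAdminPassword: ""` with a comment such as `# Provide the CA admin password at install time (e.g. --set or a values file kept out of VCS); do not commit real values`, and a `required` call in the consuming template so rendering fails when it is unset. `generateCertificates` also flips from the old `settings.generateCertificates: false` to `true`, and `createConfigMaps: true` must be `false` for every orderer after the first, so an operator upgrading with existing values may regenerate certificates unintentionally; the README should call out both changed defaults in the upgrade notes. Dropping the `orderers:` list and `channel:` block is fine only if no remaining template references them — the hunks in this diff no longer do, but templates outside it are not visible.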
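Review bot: `pullSecret:` is left bare, which YAML reads as null, whereas the README documents the default as `""`; `pullSecret: ""` matches the documentation and keeps the type explicit for tooling that validates values. The comment `#Provide the secret to use if private repository` would read better as `# Name of an existing imagePullSecret, set when images come from a private registry`. The `orderer:` block that starts here continues past the hunk.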
@@ -134,6 +122,21 @@ service: metrics: enabled: false clusterIpPort: 9443 + resources: + limits: + # Provide the limit memory for node + # Eg. memory: 512M + memory: 512M + # Provide the limit cpu for node + # Eg. cpu: 1 + cpu: 1 + requests: + # Provide the requests memory for node + # Eg. memory: 512M + memory: 512M + # Provide the requests cpu for node + # Eg. cpu: 0.25 + cpu: 0.25 kafka: #Provide the interval in seconds you want to iterate till all kafka services to be ready @@ -143,40 +146,13 @@ kafka: #Eg. readinessThresHold: 4 readinessThresHold: 4 #Provide the kafka broker list - #Eg. brokers: - # - kafka-0.broker.org1-net.svc.cluster.local:9092 - # - kafka-1.broker.org1-net.svc.cluster.local:9092 - # - kafka-2.broker.org1-net.svc.cluster.local:9092 - # - kafka-3.broker.org1-net.svc.cluster.local:9092 + #Eg. brokers: + # - kafka-0.broker.org1-net.svc.cluster.local:9092 + # - kafka-1.broker.org1-net.svc.cluster.local:9092 + # - kafka-2.broker.org1-net.svc.cluster.local:9092 + # - kafka-3.broker.org1-net.svc.cluster.local:9092 brokers: -config: - # Set limits and requests of pod - pod: - resources: - limits: - # Provide the limit memory for node - # Eg. memory: 512M - memory: 512M - # Provide the limit cpu for node - # Eg. cpu: 1 - cpu: 1 - requests: - # Provide the requests memory for node - # Eg. memory: 512M - memory: 512M - # Provide the requests cpu for node - # Eg. cpu: 0.25 - cpu: 0.25 - -settings: - # Flag to ensure the certificates configmaps are removed on helm uninstall - removeConfigMapsOnDelete: true - # Flag to ensure the certificates secrets are removed on helm uninstall - removeCertsOnDelete: true - # Flag indicating the creation of certificates. This flag must be set to true when installing the first orderer and false in the others. - generateCertificates: false - healthCheck: # The amount of times to retry fetching from/writing to Vault before giving up. # Eg. retries: 10 
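Review bot: `brokers:` stays a bare key (null) in the second hunk although the README lists the default as `""`, and the kafka healthcheck template ranges over it; `brokers: []` states the intended type and renders identically. The removed `settings.removeCertsOnDelete: true` is superseded by `certs.settings.removeCertsOnDelete`/`removeOrdererTlsOnDelete`, both defaulting to `false`, so an uninstall now leaves certificate Secrets behind unless the operator opts in — a reasonable safety default, but one that belongs in the README and upgrade notes. The `#Eg. brokers:` comment lines appear to change only in leading whitespace; if a tab was replaced by spaces that is welcome, otherwise it is noise in the diff.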
diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/Chart.yaml index 2d5248de576..adadd4aceca 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/Chart.yaml @@ -6,12 +6,12 @@ apiVersion: v1 name: fabric-osnadmin-channel-create -description: A Helm chart for create channel -version: 1.0.0 +description: "Hyperledger Fabric: Creates channel using OSNAdmin" +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/README.md b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/README.md index e164d0b4082..58328cc9896 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/README.md 
@@ -3,179 +3,92 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Create Channel Hyperledger Fabric Deployment +# fabric-osnadmin-channel-create -- [Osn Create Channel Hyperledger Fabric Deployment Helm Chart](#osn-create-channel-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +This chart is a component of Hyperledger Bevel. The fabric-osnadmin-channel-create chart deploys a Kubernetes job to create a channel. The channel name is same as the release name. This chart should be executed after the [fabric-genesis](../fabric-genesis/README.md) chart. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. +## TL;DR - -## Osn Create Channel Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create) to create a channel with fabric 2.5.4. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. 
- - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install allchannel bevel/fabric-osnadmin-channel-create ``` -fabric-osnadmin-channel-create/ - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- osn_create_channel.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Store configuration data that can be consumed by containers. The first ConfigMap stores various configuration data as key-value pairs and the second ConfigMap stores the base64-encoded content of the channel configuration file (channel.tx.base64). -- `osn_create_channel.yaml`: The certificates-init fetches TLS certificates from a Vault server and stores them in a local directory. The createchannel check the channel creation. If the channel does not exist, the createchannel creates the channel. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. 
Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------------------|---------------------------------------------------| -| namespace | Provide the namespace for organization's peer | org1-net | -| network.version | Provide Fabric version | 2.5.4 | -| images.fabrictools | Valid image name and version for fabric tools | ghcr.io/hyperledger/bevel-fabric-tools:2.5.4 | -| images.alpineutils | Valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Custom labels (other than specified) | "" | - - -### Deployment - -| Name | Description | Default Value | -| ------------ | ------------------------------------------- | -------------- | -| annotations | Deployment annotations | "" | - -### Vault -| Name | Description | Default Value | -| ------------------- | --------------------------------------------------------------------| ------------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault server address | "" | -| authpath | Kubernetes auth backend configured in vault for the organization | devorg1-net-auth | -| orderersecretprefix | Vault secret prefix for orderer | secret/secretsv2/crypto/ordererOrganizations/org1-net/orderers | -| serviceaccountname | Service account name for vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for vault | "" | -| tls | Vault ca.cert Kubernetes secret | "" | - -### Channel - -| Name | Description | Default Value | -| ------ | --------------------------------- | -------------- | -| name | Name of the channel | mychannel | - -### Orderer - -| Name | Description | Default Value | -| ------- | ----------------------------| --------------------------| -| orderer_info | Provide orderer's names | orderer1 | - -### Other - -| Name | Description | 
Default Value | -| ---------- | ---------------------------------------------| --------------- | -| genesis | Provide the base64 encoded genesis file | "" | - - - -## Deployment ---- +## Prerequisites -To deploy the fabric-channel-create Helm chart, follow these steps: +- Kubernetes 1.19+ +- Helm 3.2.0+ -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-osnadmin-channel-create - ``` -Replace `` with the desired name for the release. +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -This will deploy the fabric-channel-create node to the Kubernetes cluster based on the provided configurations. +Also, [fabric-genesis](../fabric-genesis/README.md) chart should be installed and this chart should be executed from the same namespace as the Orderer Organization. +## Installing the Chart - -## Verification ---- +To install the chart with the channel name `allchannel`: -To verify the deployment, we can use the following command: -``` -$ kubectl get jobs -n +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install allchannel bevel/fabric-osnadmin-channel-create ``` -Replace `` with the actual namespace where the Job was created. This command will display information about the Job, including the number of completions and the current status of the Job's pods. +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
- -## Updating the Deployment ---- - -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./fabric-channel-create -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-channel-create node is up to date. +> **Tip**: List all releases using `helm list` +## Uninstalling the Chart - -## Deletion ---- +To uninstall/delete the `allchannel` deployment: -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall +```bash +helm uninstall allchannel ``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. - - - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Osn Create Channel Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. This chart is only used for `2.5.x` | `2.5.4` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. 
Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `fabric` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.fabricTools` | Fabric Tools image repository | `ghcr.io/hyperledger/bevel-fabric-tools` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | + +### Settings + +| Name | Description | Default Value | +|--------|---------|-------------| +| `orderers` | List of Orderer nodes in the network and their OSN Admin addresses. This list presents two fields `name` and `adminAddress` | `- name: orderer1`
`adminAddress: orderer1.supplychain-net:7055`
`- name: orderer2`
`adminAddress: orderer2.supplychain-net:7055`
`- name: orderer3`
`adminAddress: orderer3.supplychain-net:7055` | +| `orderer.addOrderer` | Flag to add new Orderer node to the network | `false` | +| `orderer.name` | Name of the new Orderer node to be addded | `neworderer` | +| `orderer.localMspId` | New Orderer MSP ID | `newordererMSP` | +| `orderer.ordererAddress` | New Orderer Internal or External Address with port for Peer to connect | `neworderer.neworg-net:7050` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/_helpers.tpl index 17b7e9ad9d2..6d9284abc4b 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/_helpers.tpl @@ -26,33 +26,3 @@ Create chart name and version as used by the chart label. {{- define "fabric-osnadmin-channel-create.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} - -{{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} 
diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/configmap.yaml index 512f48a0c74..0e9eb9014e4 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/configmap.yaml @@ -7,28 +7,24 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ .Release.Name }}-config + name: {{ .Release.Name }}-osnadmin-config namespace: {{ .Release.Namespace }} - annotations: - {{- include "labels.deployment" . | nindent 2 }} labels: - app: {{ .Release.Name }} - app.kubernetes.io/name: osn-createchannel-{{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }}-osnadmin-config app.kubernetes.io/component: fabric-osnadmin-channel-create-job app.kubernetes.io/part-of: {{ include "fabric-osnadmin-channel-create.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} data: CHANNEL_NAME: {{ .Release.Name }} ADMIN_TLS_CERTS: /opt/gopath/src/github.com/hyperledger/fabric/crypto GENESIS_FILE: /opt/gopath/src/github.com/hyperledger/fabric/orderer/genesis -{{- if $.Values.addOrderer }} - CORE_PEER_LOCALMSPID: {{ $.Values.orderer.localmspid }} +{{- if $.Values.orderer.addOrderer }} + CORE_PEER_LOCALMSPID: {{ $.Values.orderer.localMspId }} CORE_PEER_TLS_ROOTCERT_FILE: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/tlscacerts/tlsca.crt CORE_PEER_MSPCONFIGPATH: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp - CORE_PEER_ADDRESS: {{ $.Values.orderer.address }} + CORE_PEER_ADDRESS: {{ $.Values.orderer.ordererAddress }} ORDERER_CA: /opt/gopath/src/github.com/hyperledger/fabric/crypto/{{ $.Values.orderer.name }}/tls/ca.crt {{ end }} 
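Review bot: The ConfigMap `data` values rendered from values (`CHANNEL_NAME: {{ .Release.Name }}`, `CORE_PEER_LOCALMSPID: {{ $.Values.orderer.localMspId }}`, `CORE_PEER_ADDRESS: {{ $.Values.orderer.ordererAddress }}`) are emitted as plain scalars, so an operator-supplied value that YAML types as a number or boolean (an all-digit MSP ID, for instance) is rejected by the API server because ConfigMap `data` values must be strings. Rendering them with `| quote` removes that failure mode: `CORE_PEER_LOCALMSPID: {{ $.Values.orderer.localMspId | quote }}` and `CORE_PEER_ADDRESS: {{ $.Values.orderer.ordererAddress | quote }}`. The closing `{{ end }}` could also take a left trim (`{{- end }}`) so the rendered manifest does not end with a stray blank line.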
diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/osn_create_channel.yaml b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/osn_create_channel.yaml index 6bf9393c0bc..5c10335248c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/osn_create_channel.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/templates/osn_create_channel.yaml 
@@ -7,54 +7,48 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "fabric-osnadmin-channel-create.fullname" . }} + name: channel-create-{{ .Release.Name }} namespace: {{ .Release.Namespace }} - annotations: - {{- include "labels.deployment" . | nindent 2 }} labels: - app: {{ .Release.Name }} app.kubernetes.io/name: osn-createchannel-{{ .Release.Name }} app.kubernetes.io/component: fabric-osnadmin-channel-create-job app.kubernetes.io/part-of: {{ include "fabric-osnadmin-channel-create.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . | nindent 6 }} spec: backoffLimit: 6 template: metadata: labels: - app: {{ .Release.Name }} app.kubernetes.io/name: osn-createchannel-{{ .Release.Name }} app.kubernetes.io/component: fabric-osnadmin-channel-create-job app.kubernetes.io/part-of: {{ include "fabric-osnadmin-channel-create.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{ include "labels.deployment" . 
| nindent 6 }} spec: restartPolicy: "OnFailure" - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: - {{ if .Values.global.vault.tls }} + {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt {{ end }} - {{- if not $.Values.addOrderer }} + {{- if not $.Values.orderer.addOrderer }} - name: genesis configMap: - name: {{ .Release.Name }}-genesis-file + name: {{ .Release.Name }}-genesis items: - - key: genesis.block.base64 + - key: {{ .Release.Name }}-genesis_base64 path: genesis.block.base64 {{ end }} - name: certificates @@ -80,10 +74,6 @@ spec: value: "{{ .Values.global.vault.secretPrefix }}" - name: VAULT_TYPE value: "{{ $.Values.global.vault.type }}" - - name: ORDERERS_NAMES - value: "{{ $.Values.orderers | join " " -}}" - - name: COMPONENT_NAME - value: {{ .Release.Namespace }} - name: MOUNT_PATH value: /secret command: ["sh", "-c"] 
@@ -98,14 +88,13 @@ spec: function getOrdererTlsSecret { KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/orderers/${KEY}" - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca_crt"]') + TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server_crt"]') + TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server_key"]') echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt echo "${TLS_SERVER_CERT}" > ${OUTPUT_PATH}/server.crt @@ -113,11 +102,10 @@ spec: } function getOrdererMspSecret { - KEY=$1 - KEY_FORMATTED=$(echo $KEY | tr - /) - + type=$1 + KEY=$2 echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${type}/${KEY}" ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') @@ -146,7 +134,8 @@ spec: } function getOrdererMspSecret { - KEY=$1 + type=$1 + KEY=$2 KUBENETES_SECRET=$(kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json) ADMINCERT=$(echo ${KUBENETES_SECRET} | jq -r '.data.admincerts' | base64 -d) 
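Review bot: The renamed Vault keys (`ca_crt`, `server_crt`, `server_key`) are read with `jq -r`, which prints the literal string `null` when a key is absent, so an entry stored under a different key layout is silently written out as a `server.key` file containing `null` and only fails later inside `osnadmin` with an opaque TLS error. A guard after the three `jq` lines makes the mismatch explicit: `if [ -z "${TLS_SERVER_KEY}" ] || [ "${TLS_SERVER_KEY}" = "null" ]; then echo "server_key missing for orderer ${KEY}"; exit 1; fi`. Because the admin TLS private key is written with `echo ... > ${OUTPUT_PATH}/server.key` under the default umask, adding `umask 077` at the top of `getOrdererTlsSecret` keeps that key from being world-readable on the shared volume. The closing brace of `getOrdererTlsSecret` and most of the two `getOrdererMspSecret` bodies lie outside these hunks.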
@@ -170,22 +159,22 @@ spec: mkdir -p ${OUTPUT_PATH}/keystore mkdir -p ${OUTPUT_PATH}/signcerts mkdir -p ${OUTPUT_PATH}/tlscacerts - getOrdererMspSecret admin-msp + getOrdererMspSecret users admin-msp - for ORDERER_NAME in $ORDERERS_NAMES - do + {{- range $orderer := .Values.orderers }} + ORDERER_NAME={{ .name }} OUTPUT_PATH="${MOUNT_PATH}/${ORDERER_NAME}/msp" mkdir -p ${OUTPUT_PATH}/admincerts mkdir -p ${OUTPUT_PATH}/cacerts mkdir -p ${OUTPUT_PATH}/keystore mkdir -p ${OUTPUT_PATH}/signcerts mkdir -p ${OUTPUT_PATH}/tlscacerts - getOrdererMspSecret ${ORDERER_NAME}-msp + getOrdererMspSecret orderers ${ORDERER_NAME}-msp OUTPUT_PATH="${MOUNT_PATH}/${ORDERER_NAME}/tls" mkdir -p ${OUTPUT_PATH} getOrdererTlsSecret ${ORDERER_NAME}-tls - done + {{- end }} volumeMounts: {{ if .Values.global.vault.tls }} @@ -200,22 +189,22 @@ spec: subPath: bevel-vault.sh containers: - name: createchannel - image: {{ $.Values.image.fabricTools }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.fabricTools }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent stdin: true tty: true + envFrom: + - configMapRef: + name: {{ .Release.Name }}-osnadmin-config env: - - name: ORDERERS_NAMES - value: "{{ $.Values.orderers | join " " -}}" - - name: NAMESPACE - value: "{{ .Release.Namespace }}" - name: ADD_ORDERER - value: "{{ $.Values.addOrderer }}" + value: "{{ .Values.orderer.addOrderer }}" command: ["sh", "-c"] args: - |- + #!/usr/bin/env sh - echo "Fetch genesis file..." + echo "Format or fetch genesis file..." if [ $ADD_ORDERER = false ] then cat ./genesis/genesis.block.base64 | base64 -d > orderer.genesis.block 
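Review bot: `ORDERER_NAME={{ .name }}` splices the value of `.Values.orderers[].name` into the shell script unquoted at template time, so a name containing whitespace or shell metacharacters alters the script rather than the variable, and the same value then forms both the Vault path (`${VAULT_SECRET_PREFIX}/orderers/${KEY}`) and the local directory `${MOUNT_PATH}/${ORDERER_NAME}/msp`. Rendering it as `ORDERER_NAME={{ .name | quote }}` keeps the value contained; since these values are operator-controlled this is a robustness point rather than an injection one, but it costs nothing. The same pattern is repeated in the `createchannel` container's loop further down the file.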
@@ -223,12 +212,13 @@ spec: peer channel fetch config ${CHANNEL_NAME}_config_block.pb -o ${CORE_PEER_ADDRESS} -c ${CHANNEL_NAME} --tls --cafile ${ORDERER_CA} fi - for ORDERER_NAME in $ORDERERS_NAMES - do + {{- range $orderer := .Values.orderers }} + ORDERER_NAME={{ .name }} ADMIN_TLS_PRIVATE_KEY="${ADMIN_TLS_CERTS}/${ORDERER_NAME}/tls/server.key" ADMIN_TLS_SIGN_CERT="${ADMIN_TLS_CERTS}/${ORDERER_NAME}/tls/server.crt" OSN_TLS_CA_ROOT_CERT="${ADMIN_TLS_CERTS}/${ORDERER_NAME}/tls/ca.crt" - ORDERER_URL="${ORDERER_NAME}.${NAMESPACE}:7055" + # The ORDERER_URL is hardcoded to use local orderer URL as of now + ORDERER_URL="{{ .adminAddress }}" CHANNEL_LIST_QUERY_RESPONSE=$(osnadmin channel list --channelID ${CHANNEL_NAME} -o "${ORDERER_URL}" --ca-file "${OSN_TLS_CA_ROOT_CERT}" --client-cert "${ADMIN_TLS_SIGN_CERT}" --client-key "${ADMIN_TLS_PRIVATE_KEY}") if echo "$CHANNEL_LIST_QUERY_RESPONSE" | grep '404'; then @@ -242,20 +232,17 @@ spec: osnadmin channel list -o "${ORDERER_URL}" --ca-file "${OSN_TLS_CA_ROOT_CERT}" --client-cert "${ADMIN_TLS_SIGN_CERT}" --client-key "${ADMIN_TLS_PRIVATE_KEY}" elif echo "$CHANNEL_LIST_QUERY_RESPONSE" | grep '200\|201'; then echo "Channel ${CHANNEL_NAME}, is already created for url: ${ORDERER_URL}" - osnadmin channel list --channelID ${CHANNEL_NAME} -o "${ORDERER_URL}" --ca-file "${OSN_TLS_CA_ROOT_CERT}" --client-cert "${ADMIN_TLS_SIGN_CERT}" --client-key "${ADMIN_TLS_PRIVATE_KEY}" + echo "$CHANNEL_LIST_QUERY_RESPONSE" else echo $CHANNEL_LIST_QUERY_RESPONSE fi - done + {{- end }} workingDir: /opt/gopath/src/github.com/hyperledger/fabric/orderer - envFrom: - - configMapRef: - name: {{ .Release.Name }}-config volumeMounts: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto readOnly: true - {{- if not $.Values.addOrderer }} + {{- if not $.Values.orderer.addOrderer }} - name: genesis mountPath: /opt/gopath/src/github.com/hyperledger/fabric/orderer/genesis readOnly: true 
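Review bot: The comment `# The ORDERER_URL is hardcoded to use local orderer URL as of now` no longer matches the line beneath it, which now takes the address from `.Values.orderers[].adminAddress`; it should read `# OSN admin endpoint of this orderer, from .Values.orderers[].adminAddress`. In the same loop the final `else` branch only echoes the `osnadmin channel list` response, so a connection failure or an mTLS rejection leaves the job exiting 0 with no channel created, and `restartPolicy: OnFailure` / `backoffLimit: 6` never get a chance to retry; `else echo "$CHANNEL_LIST_QUERY_RESPONSE"; exit 1` would surface it. The `grep '404'` and `grep '200\|201'` checks are substring matches over the whole response, so a channel name or address containing those digits could be misclassified; matching the status line rather than any substring would be tighter.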
diff --git a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml index c26a4c37ee4..e155f09470f 100644 --- a/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-osnadmin-channel-create/values.yaml @@ -8,6 +8,9 @@ --- # The following are for overriding global values global: + # HLF Network Version + #Eg. version: 2.5.4 + version: 2.5.4 #Provide the service account name which will be created. serviceAccountName: vault-auth cluster: 
@@ -32,34 +35,32 @@ global: secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imageSecretName for vault - #Eg. imageSecretName: regcred - imageSecretName: "" #Enable or disable TLS for vault communication #Eg. tls: true tls: - # HLF Network Version - network: - version: 2.5.4 - image: #Provide the valid image name and version for fabric tools - #Eg. fabricTools: hyperledger/fabric-tools:2.2.2 + #Eg. fabricTools: hyperledger/fabric-tools fabricTools: ghcr.io/hyperledger/bevel-fabric-tools #Provide the valid image name and version to read certificates from vault server #Eg. alpineUtils: hyperledgerlabs/alpine-utils:1.0 alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: -#Provide orderer's names +#Provide orderer details orderers: - - orderer1 - - orderer2 - - orderer3 - -addOrderer: false + - name: orderer1 + adminAddress: orderer1.supplychain-net:7055 # Internal URI of the orderer ONS Admin service + - name: orderer2 + adminAddress: orderer2.supplychain-net:7055 + - name: orderer3 + adminAddress: orderer3.supplychain-net:7055 -labels: - service: [] - pvc: [] - deployment: [] +orderer: + addOrderer: false + name: neworderer + localMspId: newordererMSP + ordererAddress: neworderer.neworg-net:7050 diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml index b8da2440e42..407c54689c0 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml @@ -7,11 +7,11 @@ apiVersion: v1 name: fabric-peernode description: "Hyperledger Fabric: Deploys peer node." -version: 1.0.0 +version: 1.1.0 appVersion: latest keywords: - bevel - - ethereum + - hlf - fabric - hyperledger - enterprise 
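Review bot: `tls:` and `pullSecret:` are left as bare keys, which YAML parses as null; the chart's `{{ if }}` guards treat that as false, but the README documents the default of `global.vault.tls` as `false`, so writing the defaults explicitly (`tls: ""` and `pullSecret: ""`, or `tls: false` to match the README) keeps values and docs in agreement and avoids the ambiguity yamllint's `empty-values` rule flags. The inline comment on the first orderer reads `ONS Admin service` and should be `OSN Admin service`. Since that comment applies to every entry, it would be clearer as a line above the `orderers:` list, e.g. `# Internal URI (host:port) of each orderer's OSN admin endpoint`.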
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/README.md b/platforms/hyperledger-fabric/charts/fabric-peernode/README.md index 15a29fe6c86..67e34e05d0b 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/README.md 
@@ -3,240 +3,160 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - -# Peer Node Hyperledger Fabric Deployment - -- [Peer Node Hyperledger Fabric Deployment](#peer-node-hyperledger-fabric-deployment) - - [Peer Node Hyperledger Fabric Deployment Helm Chart](#peer-node-hyperledger-fabric-deployment-helm-chart) - - [Prerequisites](#prerequisites) - - [Chart Structure](#chart-structure) - - [Configuration](#configuration) - - [Metadata](#metadata) - - [Labels](#labels) - - [Peer](#peer) - - [Storage](#storage) - - [Vault](#vault) - - [Service](#service) - - [Proxy](#proxy) - - [Config](#config) - - [Deployment](#deployment) - - [Verification](#verification) - - [Updating the Deployment](#updating-the-deployment) - - [Deletion](#deletion) - - [Contributing](#contributing) - - [License](#license) - - [Attribution](#attribution) - - - -## Peer Node Hyperledger Fabric Deployment Helm Chart ---- -A [Helm chart](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-peernode) for peer node. - - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- HAproxy is required as ingress controller. -- Helm installed. +# fabric-peernode +This chart is a component of Hyperledger Bevel. The fabric-peernode chart deploys a Peer Node for Hyperledger Fabric blockchain network. If enabled, the keys are stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. 
- -## Chart Structure ---- -The structure of the Helm chart is as follows: +## TL;DR -``` -fabric-peernode/ - |- conf/ - |- default_core.yaml - |- templates/ - |- _helpers.yaml - |- configmap.yaml - |- deployment.yaml - |- service.yaml - |- servicemonitor.yaml - |- Chart.yaml - |- README.md - |- values.yaml +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0 bevel/fabric-peernode ``` -- `default_core.yaml`: Default configuration file for the peer node. -- `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: Provides a way to configure the Hyperledger Fabric peer and enable it to join the network, interact with other nodes. The environment variables that are defined in the peer-config ConfigMap are used to configure the peer's runtime behavior. The configuration for the MSP is defined in the msp-config ConfigMap. The core.yaml file is used to configure the chaincode builder -- `deployment.yaml`: The certificates-init container fetches TLS certificates and other secrets from Vault. The couchdb container runs a CouchDB database that is used to store the ledger state. The {{ $.Values.global.peer.name }} container runs a Hyperledger Fabric peer that manages the ledger and provides access to the blockchain network. The grpc-web container runs a gRPC-Web proxy that allows gRPC services to be accessed via a web browser. -- `service.yaml`: Ensures internal and external access with exposed ports for gRPC (7051), events (7053), CouchDB (5984), gRPC-Web (7443), and operations (9443), and optionally uses HAProxy for external exposure and secure communication. -- `servicemonitor.yaml`: Define a ServiceMonitor resource that allows Prometheus to collect metrics from the peer node's "operations" port. 
The configuration is conditionally applied based on the availability of the Prometheus Operator's API version and whether metrics are enabled for the peer service. -- `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. -- `README.md`: Provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the Helm chart. - - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -### Metadata - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------------------| --------------------------------------------------| -| namespace | Provide the namespace for organization's peer | org1-net | -| images.couchdb | valid image name and version for fabric couchdb | ghcr.io/hyperledger/bevel-fabric-couchdb:2.2.2 | -| images.peer | valid image name and version for fabric peer | ghcr.io/hyperledger/bevel-fabric-peer:2.2.2 | -| images.alpineutils | valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| labels | Provide custom labels | "" | - -### Annotations - -| Name | Description | Default Value | -| ---------------| --------------------------------------- | --------------| -| service | Extra labels for service | "" | -| pvc | Extra labels for pvc | "" | -| deployment | Extra labels for deployment | "" | - -### Peer +## Prerequisites -| Name | Description | Default Value | -| ------------------------------------------| ----------------------------------------------------------------------| ----------------------------------------------| -| name | Name of the peer as per deployment 
yaml | peer0 | -| gossipPeerAddress | URL of gossipping peer and port for grpc | peer1.org1-net.svc.cluster.local:7051 | -| gossipExternalEndpoint | URL of gossip external endpoint and port for haproxy https service | peer0.org1-net.org1proxy.blockchaincloudpoc.com:443 | -| localMspId | Local MSP ID for the organization | Org1MSP | -| logLevel | Log level for organization's peer | info | -| tlsstatus | Set to true or false for organization's peer | true | -| builder | Valid chaincode builder image for Fabric | hyperledger/fabric-ccenv:2.2.2 | -| couchdb.username | CouchDB username (mandatory if provided) | org1-user | -| configPath | Provide the configuration path | "" | -| core | Provide core configuration | "" | -| mspConfig.organizationalUnitIdentifiers | Provide the members of the MSP in organizational unit identifiers | "" | -| mspConfig.nodeOUs.clientOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for client nodes | client | -| mspConfig.nodeOUs.peerOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for peer nodes | peer | -| mspConfig.nodeOUs.adminOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for admin nodes (2.2.x) | admin | -| mspConfig.nodeOUs.ordererOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for orderer nodes (2.2.x) | orderer | +- Kubernetes 1.19+ +- Helm 3.2.0+ -### Storage +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -| Name | Description | Default Value | -| --------------------------| -------------------------------- | ------------------- | -| peer.size | Storage size for peer | 512Mi | -| couchdb.size | Storage size for CouchDB | 512Mi | - -### Vault - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------------------| --------------------------------------------------| -| role | Vault role for the organization | vault-role | -| address | Vault 
server address | "" | -| authpath | Kubernetes auth backend configured in vault for the organization | devorg1-net-auth | -| secretprefix | Vault secret prefix | ssecretsv2/data/crypto/peerOrganizations/org1-net/peers/peer0.org1-net | -| serviceaccountname | Service account name for vault | vault-auth | -| type | Provide the type of vault | hashicorp | -| imagesecretname | Image secret name for vault | "" | -| secretcouchdbpass | Vault path for secret CouchDB password | secretsv2/data/credentials/org1-net/couchdb/org1?user | -| tls | Enable or disable TLS for vault communication | "" | - -### Service - -| Name | Description | Default Value | -| ----------------------------- | ------------------------------------------| ------------------- | -| serviceType | Service type for the peer | ClusterIP | -| loadBalancerType | Load balancer type for the peer | "" | -| ports.grpc.nodePort | Cluster IP port for grpc service | "" | -| ports.grpc.clusterIpPort | Cluster IP port for grpc service | 7051 | -| ports.events.nodePort | Cluster IP port for event service | "" | -| ports.events.clusterIpPort | Cluster IP port for event service | 7053 | -| ports.couchdb.nodePort | Cluster IP port for CouchDB service | "" | -| ports.couchdb.clusterIpPort | Cluster IP port for CouchDB service | 5984 | -| ports.metrics.enabled | Enable/disable metrics service | false | -| ports.metrics.clusterIpPort | Cluster IP port for metrics service | 9443 | - -### Proxy - -| Name | Description | Default Value | -| ----------------------| ----------------------------------------------------------| ------------------- | -| provider | Proxy/ingress provider ( haproxy or none) | none | -| externalUrlSuffix | External URL of the organization | org1proxy.blockchaincloudpoc.com | -| port | External port on proxy service | 443 | - -### Config - -| Name | Description | Default Value | -| ----------------------------- | --------------------------- | ------------------- | -| pod.resources.limits.memory | Limit 
memory for node | 512M | -| pod.resources.limits.cpu | Limit CPU for node | 1 | -| pod.resources.requests.memory | Requested memory for node | 512M | -| pod.resources.requests.cpu | Requested CPU for node | 0.25 | - - - -## Deployment ---- - -To deploy the fabric-peernode Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./fabric-peernode - ``` -Replace `` with the desired name for the release. - -This will deploy the fabric-peernode node to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the deployment, we can use the following command: -``` -$ kubectl get statefulsets -n -``` -Replace `` with the actual namespace where the StatefulSet was created. This command will display information about the StatefulSet, including the number of replicas and their current status. +> **Important**: Also check the dependent charts. +## Installing the Chart - -## Updating the Deployment ---- +To install the chart with the release name `peer0`: -If we need to update the deployment with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml) file with the desired changes and run the following Helm command: +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install peer0 bevel/fabric-peernode ``` -$ helm upgrade ./fabric-peernode -``` -Replace `` with the name of the release. This command will apply the changes to the deployment, ensuring the fabric-peernode node is up to date. +The command deploys the chart on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -## Deletion ---- +> **Tip**: List all releases using `helm list` -To delete the deployment and associated resources, run the following Helm command: -``` -$ helm uninstall +## Uninstalling the Chart + +To uninstall/delete the `peer0` deployment: + +```bash +helm uninstall peer0 ``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global + +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.version` | Fabric Version. | `2.5.4` | +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` are tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.address`| URL of the Vault server. 
| `""` | +| `global.vault.authPath` | Authentication path for Vault | `supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.tls` | Name of the Kubernetes secret which has certs to connect to TLS enabled Vault | `""` | +| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `haproxy` | `haproxy` | +| `global.proxy.externalUrlSuffix` | The External URL suffix at which the Fabric GRPC services will be available | `test.blockchaincloudpoc.com` | +| `global.proxy.port` | The External Port on the proxy | `443` | - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [Peer Node Hyperledger Fabric Deployment Helm Chart](https://github.com/hyperledger/bevel/blob/main/platforms/hyperledger-fabric/charts/fabric-peernode), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +### Storage + +| Name | Description | Default Value | +|--------|---------|-------------| +| `storage.enabled` | Flag to enable Storage Class creation for the Peer, set to `false` when using same peer name in different organizations | `true` | +| `storage.peer` | Size of the PVC needed for Peer Node | `512Mi` | +| `storage.couchdb` | Size of the PVC needed for CouchDB Database | `512Mi` | +| `storage.reclaimPolicy` | Reclaim policy for the PVC. Choose from: `Delete` or `Retain` | `Delete` | +| `storage.volumeBindingMode` | Volume binding mode for the PVC. 
Choose from: `Immediate` or `WaitForFirstConsumer` | `Immediate` | +| `storage.allowedTopologies.enabled` | Check [bevel-storageclass](../../../shared/charts/bevel-storageclass/README.md) for details | `false` | + +### Certs + +| Name | Description | Default Value | +|--------|---------|-------------| +| `certs.generateCertificates` | Flag to generate certificates for the Peer Node | `true` | +| `certs.orgData.caAddress` | Address of the CA Server without https | `ca.supplychain-net:7051` | +| `certs.orgData.caAdminUser` | CA Admin Username | `supplychain-admin` | +| `certs.orgData.caAdminPassword` | CA Admin Password | `supplychain-adminpw` | +| `certs.orgData.orgName` | Organization Name | `supplychain` | +| `certs.orgData.type` | Type of certificate to generate, choosed from `orderer` or `peer` | `peer` | +| `certs.orgData.componentSubject` | X.509 subject for the organization | `"O=Peer,L=51.50/-0.13/London,C=GB"` | +| `certs.users.usersList` | Array of Users with their attributes | `- identity: user1`
`attributes:`
`- key: "hf.Revoker"`
`value: "true"` | +| `certs.users.usersListAnsible` | Base64 encoded list of Users generally passed from Ansible | `""` | +| `certs.settings.createConfigMaps` | Flag to create configmaps. Must be set to `false` for additional orderers/peers in the same organization. | `false` | +| `certs.settings.refreshCertValue` | Flag to refresh User certificates | `false` | +| `certs.settings.addPeerValue` | Flag to be used when adding a new peer to the organization | `false` | +| `certs.settings.removeCertsOnDelete` | Flag to delete the user and peer certificates on uninstall | `false` | +| `certs.settings.removePeerTlsOnDelete` | Flag to delete the orderer TLS certificates on uninstall | `false` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.couchdb` | CouchDB image repository | `ghcr.io/hyperledger/bevel-fabric-couchdb` | +| `image.peer` | Fabric Peer image repository | `ghcr.io/hyperledger/bevel-fabric-peer` | +| `image.alpineUtils` | Alpine utils image repository and tag | `ghcr.io/hyperledger/bevel-alpine:latest` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | + +### Peer +| Name | Description | Default Value | +|--------|---------|-------------| +| `peer.gossipPeerAddress` | Internal or External Address of the Gossip Peer Node, leave empty to use Peer's own address | `peer1.supplychain-net:7051` | +| `peer.logLevel` | Log level for the Peer Node | `info` | +| `peer.localMspId` | Local MSP ID for the Peer Organization | `supplychainMSP` | +| `peer.tlsStatus` | TLS status of the Peer Node | `true` | +| `peer.cliEnabled` | Flag to deploy the Peer CLI. 
Check [fabric-cli](../fabric-cli/README.md) for details | `false` | +| `peer.ordererAddress` | Orderer Internal or External Address with port for CLI to connect | `orderer1.supplychain-net:7050` | +| `peer.builder` | Chaincode Builder Image repository | `hyperledger/fabric-ccenv` | +| `peer.couchdb.username` | CouchDB User Name | `supplychain-user` | +| `peer.couchdb.password` | CouchDB User Password | ` supplychain-userpw` | +| `peer.mspConfig.organizationalUnitIdentifiers` | List of Organizational Unit Identifiers for Peer MSP Config | `""` | +| `peer.mspConfig.nodeOUs.clientOUIdentifier` | Organizational Unit Identifier to identify node as client | `client` | +| `peer.mspConfig.nodeOUs.peerOUIdentifier` | Organizational Unit Identifier to identify node as peer | `peer` | +| `peer.mspConfig.nodeOUs.adminOUIdentifier` | Organizational Unit Identifier to identify node as admin | `admin` | +| `peer.mspConfig.nodeOUs.ordererOUIdentifier` | Organizational Unit Identifier to identify node as orderer | `orderer` | +| `peer.serviceType` | Service Type for the GRPC Service | `ClusterIP` | +| `peer.loadBalancerType` | Load Balancer Type for the GRPC Service | `""` | +| `peer.ports.grpc.nodePort` | NodePort for the Peer GRPC Service | `""` | +| `peer.ports.grpc.clusterIpPort` | TCP Port for the Peer GRPC Service | `7051` | +| `peer.ports.events.nodePort` | NodePort for the Peer Events Service | `""` | +| `peer.ports.events.clusterIpPort` | TCP Port for the Peer Events Service | `7053` | +| `peer.ports.couchdb.nodePort` | NodePort for the CouchDB Service | `""` | +| `peer.ports.couchdb.clusterIpPort` | TCP Port for the CouchDB Service | `5984` | +| `peer.ports.metrics.enabled` | Flag to enable metrics port | `false` | +| `peer.ports.metrics.clusterIpPort` | TCP Port for the Peer metrics | `9443` | +| `peer.resources.limits.memory` | Memory limit for the Peer Node | `1Gi` | +| `peer.resources.limits.cpu` | CPU limit for the Peer Node | `1` | +| 
`peer.resources.requests.memory` | Memory request for the Peer Node | `512M` | +| `peer.resources.requests.cpu` | CPU request for the Peer Node | `0.25` | +| `peer.upgrade` | Flag to denote that Peer is being upgraded | `false` | +| `peer.healthCheck.retries` | Retry count to connect to Vault | `20` | +| `peer.healthCheck.sleepTimeAfterError` | Wait seconds after unsuccessful connection attempt | `15` | + +### Labels + +| Name | Description | Default Value | +| ----------------| ----------- | ------------- | +| `labels.service` | Array of Labels for service object | `[]` | +| `labels.pvc` | Array of Labels for PVC object | `[]` | +| `labels.deployment` | Array of Labels for deployment or statefulset object | `[]` | - ## License This chart is licensed under the Apache v2.0 license. -Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/files/readme.txt b/platforms/hyperledger-fabric/charts/fabric-peernode/files/readme.txt new file mode 100644 index 00000000000..1a177b74f91 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/files/readme.txt @@ -0,0 +1 @@ +This is a dummy file. Place the orderer.crt file in this directory.. \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml index 3d161640485..236bad339f6 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml 
@@ -5,17 +5,18 @@ dependencies: tags: - storage version: ~1.0.0 + condition: storage.enabled - name: fabric-catools - alias: catools + alias: certs repository: "file://../fabric-catools" tags: - catools version: ~1.0.0 - condition: settings.generateCertificates + condition: certs.generateCertificates - name: fabric-cli - alias: cli + alias: peer repository: "file://../fabric-cli" tags: - cli version: ~1.0.0 - condition: cli.enabled + condition: peer.cliEnabled diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl index cebbb35241a..3996d38ea7c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl @@ -28,31 +28,19 @@ Create chart name and version as used by the chart label. {{- end -}} {{- define "labels.deployment" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.deployment }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.deployment }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.service" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.service }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.service }} +{{ toYaml $value }} {{- end }} {{- end }} {{- define "labels.pvc" -}} -{{- if $.Values.labels }} -{{- range $key, $value := $.Values.labels.pvc }} -{{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} -{{- end }} -{{- end }} +{{- range $value := .Values.labels.pvc }} +{{ toYaml $value }} {{- end }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml index cb92bdbf9e2..c80c6304e51 100644 
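Review bot: The rewritten `labels.deployment`, `labels.service` and `labels.pvc` helpers drop the `| quote` the old inner loop applied to every label value, so an entry such as `- enabled: true` or `- version: 1.2` now renders as a YAML bool/float; Kubernetes requires label values to be strings and the API server rejects the object, whereas the old helper produced `"true"`. The `{{- if $.Values.labels }}` guard is gone as well, so an override that sets `labels` to null now fails rendering with a nil-pointer error instead of emitting nothing. Keeping the new list shape but forcing strings restores the old behaviour: `{{- range $value := .Values.labels.deployment }}{{- range $k, $v := $value }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}{{- end }}`, repeated for the service and pvc helpers.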
--- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml
@@ -19,17 +19,23 @@ metadata: data: CORE_VM_ENDPOINT: unix:///host/var/run/docker.sock CORE_PEER_ID: {{ .Release.Name }}.{{ .Release.Namespace }} - FABRIC_LOGGING_SPEC: "grpc=debug:{{ $.Values.peer.logLevel }}" + FABRIC_LOGGING_SPEC: "grpc=debug:{{ .Values.peer.logLevel }}" CORE_LEDGER_STATE_STATEDATABASE: CouchDB CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: "{{ $.Values.peer.couchdb.username }}" - CORE_PEER_ADDRESS: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ $.Values.service.ports.grpc.clusterIpPort }} - CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Release.Name }}.{{ $.Values.peer.gossipPeerAddress }} - {{ if $.Values.peer.gossipExternalEndpoint }} - CORE_PEER_GOSSIP_EXTERNALENDPOINT: {{ .Release.Name }}.{{ $.Values.peer.gossipExternalEndpoint }} - {{ end }} - CORE_PEER_LOCALMSPID: {{ $.Values.cli.peer.localMspId }} - CORE_PEER_TLS_ENABLED: "{{ $.Values.cli.peer.tlsStatus }}" + CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: "{{ .Values.peer.couchdb.username }}" + CORE_PEER_ADDRESS: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.peer.ports.grpc.clusterIpPort }} + {{- if .Values.peer.gossipPeerAddress }} + CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Values.peer.gossipPeerAddress }} + {{- else }} + CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.peer.ports.grpc.clusterIpPort }} + {{- end }} + {{- if eq .Values.global.proxy.provider "none" }} + CORE_PEER_GOSSIP_EXTERNALENDPOINT: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.peer.ports.grpc.clusterIpPort }} + {{- else }} + CORE_PEER_GOSSIP_EXTERNALENDPOINT: {{ .Release.Name }}.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}:{{ .Values.global.proxy.port }} + {{- end }} + CORE_PEER_LOCALMSPID: {{ .Values.peer.localMspId }} + CORE_PEER_TLS_ENABLED: "{{ .Values.peer.tlsStatus }}" CORE_PEER_TLS_CERT_FILE: /etc/hyperledger/fabric/crypto/tls/server.crt CORE_PEER_TLS_KEY_FILE: 
/etc/hyperledger/fabric/crypto/tls/server.key CORE_PEER_TLS_ROOTCERT_FILE: /etc/hyperledger/fabric/crypto/msp/tlscacerts/tlsca.crt @@ -41,7 +47,7 @@ data: CORE_PEER_MSPCONFIGPATH: /etc/hyperledger/fabric/crypto/msp GODEBUG: "netdns=go" CORE_PEER_GOSSIP_SKIPHANDSHAKE: "true" - CORE_CHAINCODE_BUILDER: "{{ $.Values.peer.builder }}:{{ $.Values.global.network.version }}" + CORE_CHAINCODE_BUILDER: "{{ .Values.peer.builder }}:{{ .Values.global.version }}" CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 --- apiVersion: v1 
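Review bot: `CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Values.peer.gossipPeerAddress }}` and `CORE_PEER_LOCALMSPID: {{ .Values.peer.localMspId }}` are emitted as unquoted templated scalars into ConfigMap `data`, whose values must be strings; an all-digit MSP ID, or an address starting with a YAML indicator or containing `: `, is typed differently by YAML and either rejected by the API server or silently changes the rendered document. The adjacent `CORE_PEER_TLS_ENABLED: "{{ .Values.peer.tlsStatus }}"` already quotes its value, so the same treatment — `CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Values.peer.gossipPeerAddress | quote }}` and `CORE_PEER_LOCALMSPID: {{ .Values.peer.localMspId | quote }}` — keeps the data map valid for any value. The generated `CORE_PEER_GOSSIP_EXTERNALENDPOINT` line that embeds `global.proxy.externalUrlSuffix` deserves the same quoting.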
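Review bot: `CORE_CHAINCODE_BUILDER` is now fixed to `{{ .Values.peer.builder }}:{{ .Values.global.version }}`, a mutable tag that the node's Docker daemon (reached through the `docker.sock` endpoint set earlier in this ConfigMap) pulls and runs to build chaincode, with no way for an operator to pin it by digest. An optional override would let deployments pin the builder without diverging from `global.version` elsewhere, e.g. `CORE_CHAINCODE_BUILDER: "{{ .Values.peer.builder }}:{{ .Values.peer.builderTag | default .Values.global.version }}"`, or a value that accepts a full `repo@sha256:…` reference; whichever is chosen should be documented next to `peer.builder` in the README.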
@@ -57,25 +63,29 @@ metadata: app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} data: - mspConfig: | - {{if ($.Values.peer.mspConfig.organizationalUnitIdentifiers) }} - OrganizationalUnitIdentifiers:{{ range $.Values.peer.mspConfig.organizationalUnitIdentifiers }} + mspConfig: |- + + {{- if (.Values.peer.mspConfig.organizationalUnitIdentifiers) }} + OrganizationalUnitIdentifiers: + {{- range .Values.peer.mspConfig.organizationalUnitIdentifiers }} - Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ . }}{{ end }}{{end}} + OrganizationalUnitIdentifier: {{ . }} + {{- end }} + {{- end }} NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.clientOUIdentifier.organizationalUnitIdentifier }} + OrganizationalUnitIdentifier: {{ .Values.peer.mspConfig.nodeOUs.clientOUIdentifier }} PeerOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.peerOUIdentifier.organizationalUnitIdentifier }} + OrganizationalUnitIdentifier: {{ .Values.peer.mspConfig.nodeOUs.peerOUIdentifier }} AdminOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.adminOUIdentifier.organizationalUnitIdentifier }} + OrganizationalUnitIdentifier: {{ .Values.peer.mspConfig.nodeOUs.adminOUIdentifier }} OrdererOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.ordererOUIdentifier.organizationalUnitIdentifier }} + OrganizationalUnitIdentifier: {{ .Values.peer.mspConfig.nodeOUs.ordererOUIdentifier }} --- {{- $file := .Files.Get "files/core.yaml" }} 
@@ -91,7 +101,26 @@ metadata: app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/managed-by: helm data: core.yaml: {{ .Files.Get "files/core.yaml" | nindent 8 | quote }} -{{ end }} \ No newline at end of file +{{ end }} +{{- $orderercrt := .Files.Get "files/orderer.crt" }} +{{ if $orderercrt }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-orderer-tls-cacert + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: orderer-tls-cacert + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +data: + cacert: |- + {{ .Files.Get "files/orderer.crt" | nindent 8 }} +{{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml index 4bd9cfd5689..ac6dd56ed6b 100755 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml @@ -17,8 +17,7 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - annotations: - {{- include "labels.deployment" . | nindent 2 }} + {{- include "labels.deployment" . | nindent 4 }} spec: updateStrategy: type: RollingUpdate 
@@ -45,32 +44,32 @@ spec: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: helm - {{- include "labels.deployment" . | nindent 6 }} + {{- include "labels.deployment" . | nindent 8 }} spec: - serviceAccountName: {{ $.Values.global.serviceAccountName }} - {{- if .Values.global.vault.imageSecretName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} imagePullSecrets: - - name: {{ $.Values.global.vault.imageSecretName }} + - name: {{ .Values.image.pullSecret }} {{- end }} initContainers: - name: certificates-init - image: {{ $.Values.image.alpineUtils }} + image: {{ .Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.global.vault.address }} + value: {{ .Values.global.vault.address }} - name: VAULT_SECRET_ENGINE - value: "{{ $.Values.global.vault.secretEngine }}" + value: "{{ .Values.global.vault.secretEngine }}" - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.global.vault.secretPrefix }}" + value: "{{ .Values.global.vault.secretPrefix }}" - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.global.vault.authPath }} + value: {{ .Values.global.vault.authPath }} - name: VAULT_APP_ROLE - value: {{ $.Values.global.vault.role }} + value: {{ .Values.global.vault.role }} - name: MOUNT_PATH value: /secret - name: VAULT_TYPE - value: "{{ $.Values.global.vault.type }}" + value: "{{ .Values.global.vault.type }}" - name: PEER_NAME value: {{ .Release.Name }} command: ["sh", "-c"] 
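Review bot: The `certificates-init` container still hardcodes `imagePullPolicy: IfNotPresent` while its image `{{ .Values.image.alpineUtils }}` defaults, per this chart's README, to the mutable `bevel-alpine:latest`; this is the container that authenticates to Vault and writes the peer's TLS and MSP private keys, so each node runs whatever `latest` it happens to have cached, with no guarantee that nodes agree or that a fix is ever picked up. Either default `image.alpineUtils` to a versioned tag or digest, or make the policy configurable, `imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}`, and document the value. The container's command continues past the hunk.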
@@ -85,15 +84,15 @@ spec: vaultBevelFunc "init" function getPeerTlsSecret { - KEY=$1/tls + KEY=$1-tls echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/peers/${KEY}" if [ "$SECRETS_AVAILABLE" == "yes" ] then - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca_crt"]') + TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server_crt"]') + TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server_key"]') echo "${TLS_CA_CERT}" > ${OUTPUT_PATH}/ca.crt echo "${TLS_SERVER_CERT}" > ${OUTPUT_PATH}/server.crt @@ -105,10 +104,10 @@ spec: } function getPeerMspSecret { - KEY=$1/msp + KEY=$1-msp echo "Getting MSP certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/peers/${KEY}" if [ "$SECRETS_AVAILABLE" == "yes" ] then ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') @@ -127,21 +126,6 @@ spec: PEER_MSP_SECRET=false fi } - - function getCouchDbPass { - KEY=$1 - - echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - PASSWORD=$(echo ${VAULT_SECRET} | jq -r '.["user"]') - echo "${PASSWORD}" > ${MOUNT_PATH}/user_cred - DB_PASS_SECRET=true - else - DB_PASS_SECRET=false - fi - } {{- else }} function getPeerTlsSecret { 
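Review bot: With the Vault keys renamed to `ca_crt`/`server_crt`/`server_key`, `jq -r` returns the literal string `null` for a key that is absent — which is exactly what an existing Vault entry written under the old `ca.crt`/`server.crt`/`server.key` names yields — and that `null` is written to `ca.crt` and `server.key` while `SECRETS_AVAILABLE` is still `yes`, so the function presumably reports success and the peer starts with a bogus key. Using `jq -e` makes a missing or null key fail the extraction so it can be routed to the existing failure branch, e.g. `TLS_SERVER_KEY=$(echo "${VAULT_SECRET}" | jq -er '.["server_key"]') || { echo "server_key missing in Vault secret"; PEER_TLS_SECRET=false; return; }`, and the same applies to the other two keys and to `getPeerMspSecret`. The function's tail that sets `PEER_TLS_SECRET` lies outside the hunk.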
@@ -182,21 +166,10 @@ spec: fi } - - function getCouchDbPass { - KEY=$1 - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? -eq 0 ]; then - kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.user}" | base64 -d > ${MOUNT_PATH}/user_cred - DB_PASS_SECRET=true - else - DB_PASS_SECRET=false - fi - } {{- end }} COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.cli.healthCheck.retries }} ] + while [ "$COUNTER" -le {{ .Values.peer.healthCheck.retries }} ] do OUTPUT_PATH="${MOUNT_PATH}/tls" mkdir -p ${OUTPUT_PATH} @@ -210,20 +183,18 @@ spec: mkdir -p ${OUTPUT_PATH}/tlscacerts getPeerMspSecret ${PEER_NAME} - getCouchDbPass couchdb - - if [ "$PEER_TLS_SECRET" = "true" ] && [ "$PEER_MSP_SECRET" = "true" ] && [ "$DB_PASS_SECRET" = "true" ] + if [ "$PEER_TLS_SECRET" = "true" ] && [ "$PEER_MSP_SECRET" = "true" ] then echo "Peer certificates have been obtained correctly" break else - echo "Peer certificates have not been obtained, sleeping for {{ $.Values.cli.healthCheck.sleepTimeAfterError }}" - sleep {{ $.Values.cli.healthCheck.sleepTimeAfterError }} + echo "Peer certificates have not been obtained, sleeping for {{ .Values.peer.healthCheck.sleepTimeAfterError }}" + sleep {{ .Values.peer.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done - if [ "$COUNTER" -gt {{ $.Values.cli.healthCheck.retries }} ] + if [ "$COUNTER" -gt {{ .Values.peer.healthCheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, The peer certificates have not been obtained." exit 1 @@ -242,7 +213,7 @@ spec: subPath: bevel-vault.sh containers: - name: couchdb - image: {{ $.Values.image.couchdb }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.couchdb }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent command: ["sh", "-c"] args: 
@@ -252,36 +223,32 @@ spec: chmod 664 /opt/couchdb/etc/*.ini chmod 664 /opt/couchdb/etc/local.d/*.ini chmod 775 /opt/couchdb/etc/*.d - if [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ -z $COUCHDB_USER ] + if [ -z $COUCHDB_USER ] then - echo " Error! Please provide username for the password " + echo " Error! Please provide username for CouchDB." exit 1 break - elif [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ] - then - export COUCHDB_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred` - break - elif [ ! -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ] + elif [ -z $COUCHDB_PASSWORD ] then - echo " Error! Please provide password for username $COUCHDB_USER " + echo " Error! Please provide password for username $COUCHDB_USER." exit 1 break - else - : fi tini -- /docker-entrypoint.sh /opt/couchdb/bin/couchdb ports: - containerPort: 5984 env: - name: COUCHDB_USER - value: "{{ $.Values.peer.couchdb.username }}" + value: "{{ .Values.peer.couchdb.username }}" + - name: COUCHDB_PASSWORD + value: "{{ .Values.peer.couchdb.password }}" volumeMounts: - name: datadir-couchdb mountPath: /opt/couchdb/data - name: certificates mountPath: /etc/hyperledger/fabric/crypto - name: {{ .Release.Name }} - image: {{ $.Values.image.peer }}:{{ $.Values.global.network.version }} + image: {{ .Values.image.peer }}:{{ .Values.global.version }} imagePullPolicy: IfNotPresent command: ["sh", "-c"] args: @@ -292,7 +259,7 @@ spec: fi cp /etc/hyperledger/fabric/NodeOUconfig/mspConfig /etc/hyperledger/fabric/crypto/msp/config.yaml - export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred` + export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD="{{ .Values.peer.couchdb.password }}" version=$( echo ${PEER_IMAGE} | sed 's/.*://' | cut -d '.' -f -2 ) if [ $version = "2.2" ] && [ ${IS_UPGRADE} = "true" ] then 
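Review bot: The CouchDB password is now taken straight from `.Values.peer.couchdb.password` and rendered as a literal `value:` on the couchdb container and as a literal string inside the peer container's `sh -c` script, so it is visible to anyone who can read the Pod spec or the Helm release, whereas before it was read from the `user_cred` file populated from Vault or a Kubernetes Secret. Embedding it in the shell script also means a password containing `"`, `$` or a backtick is mangled or interpreted by the shell at `export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD="{{ .Values.peer.couchdb.password }}"`. Both containers should receive it as an environment variable via `valueFrom.secretKeyRef` from a Secret the chart creates or the operator supplies, and the shell checks should quote their operands, `[ -z "$COUCHDB_USER" ]` and `[ -z "$COUCHDB_PASSWORD" ]`, so an empty or space-containing value is tested correctly.
```yaml
          env:
            - name: COUCHDB_USER
              value: "{{ .Values.peer.couchdb.username }}"
            - name: COUCHDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <COUCHDB_CREDENTIALS_SECRET>  # placeholder: Secret holding the CouchDB password
                  key: password
          # … unchanged: volumeMounts …
```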
@@ -308,9 +275,9 @@ spec: containerPort: 9443 env: - name: PEER_IMAGE - value: "{{ $.Values.image.peer }}:{{ $.Values.global.network.version }}" + value: "{{ .Values.image.peer }}:{{ .Values.global.version }}" - name: IS_UPGRADE - value: "{{ $.Values.upgrade }}" + value: "{{ .Values.peer.upgrade }}" envFrom: - configMapRef: name: {{ .Release.Name }}-config @@ -331,11 +298,11 @@ spec: {{ end }} resources: requests: - memory: {{ .Values.config.pod.resources.requests.memory }} - cpu: {{ .Values.config.pod.resources.requests.cpu }} + memory: {{ .Values.peer.resources.requests.memory }} + cpu: {{ .Values.peer.resources.requests.cpu }} limits: - memory: {{ .Values.config.pod.resources.limits.memory }} - cpu: {{ .Values.config.pod.resources.limits.cpu }} + memory: {{ .Values.peer.resources.limits.memory }} + cpu: {{ .Values.peer.resources.limits.cpu }} - name: grpc-web image: "ghcr.io/hyperledger-labs/grpc-web:latest" imagePullPolicy: IfNotPresent @@ -344,7 +311,7 @@ spec: containerPort: 7443 env: - name: BACKEND_ADDRESS - value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ $.Values.service.ports.grpc.clusterIpPort }}" + value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.peer.ports.grpc.clusterIpPort }}" - name: SERVER_TLS_CERT_FILE value: /certs/tls/server.crt - name: SERVER_TLS_KEY_FILE @@ -372,7 +339,7 @@ spec: {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.global.vault.tls }} + secretName: {{ .Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt 
@@ -402,21 +369,21 @@ spec: #Lables are not being taken by Kubernetes as it dynamically creates PVC - metadata: name: datadir - annotations: - {{- include "labels.pvc" . | nindent 6 }} + labels: + {{- include "labels.pvc" . | nindent 8 }} spec: accessModes: [ "ReadWriteOnce" ] storageClassName: storage-{{ .Release.Name }} resources: requests: - storage: {{ .Values.storage.peer.size }} + storage: {{ .Values.storage.peer }} - metadata: name: datadir-couchdb - annotations: - {{- include "labels.pvc" . | nindent 6 }} + labels: + {{- include "labels.pvc" . | nindent 8 }} spec: accessModes: [ "ReadWriteOnce" ] storageClassName: storage-{{ .Release.Name }} resources: requests: - storage: {{ .Values.storage.couchdb.size }} + storage: {{ .Values.storage.couchdb }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/peer-job-cleanup.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/peer-job-cleanup.yaml deleted file mode 100644 index 1a9fd14ad83..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/peer-job-cleanup.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "fabric-peernode.name" . }}-cleanup - labels: - app.kubernetes.io/name: fabric-peernode-job-cleanup - app.kubernetes.io/component: peernode-job-cleanup - app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/managed-by: helm - namespace: {{ .Release.Namespace }} - annotations: - helm.sh/hook-weight: "0" - helm.sh/hook: "pre-delete" - helm.sh/hook-delete-policy: "hook-succeeded" -spec: - backoffLimit: 3 - completions: 1 - template: - metadata: - labels: - app.kubernetes.io/name: fabric-peernode-job-cleanup - app.kubernetes.io/component: peernode-job-cleanup - app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} - app.kubernetes.io/namespace: {{ .Release.Namespace }} - app.kubernetes.io/managed-by: helm - spec: - serviceAccountName: {{ .Values.global.serviceAccountName }} - restartPolicy: "Never" - containers: - - name: delete-secrets - image: "{{ $.Values.image.alpineUtils }}" - securityContext: - runAsUser: 0 - imagePullPolicy: IfNotPresent - env: - - name: PEERS_NAMES - value: "{{ $.Values.catools.peers | join " " -}}" - - name: USERS_IDENTITIES - value: "{{ $.Values.catools.users.usersIdentities | join " " -}}" - command: ["sh", "-c"] - args: - - |- -{{- if .Values.settings.removeCertsOnDelete }} - - function deleteSecret { - key=$1 - kubectl get secret ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 - if [ $? 
-eq 0 ]; then - kubectl delete secret ${key} --namespace {{ .Release.Namespace }} - fi - } - - deleteSecret admin-tls - deleteSecret admin-msp - - for PEER in $PEERS_NAMES - do - PEER_NAME="${PEER%%,*}" - deleteSecret ${PEER_NAME}-msp - deleteSecret ${PEER_NAME}-tls - done - - deleteSecret msp-config - deleteSecret orderer-tls - deleteSecret couchdb - - if [ "$USERS_IDENTITIES" ] - then - for user_identity in $USERS_IDENTITIES - do - deleteSecret ${user_identity}-tls - deleteSecret ${user_identity}-msp - done - fi -{{- end}} - -{{- if .Values.settings.removeConfigMapsOnDelete }} - - if kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert &> /dev/null; then - echo "Deleting orderer-tls-cacert configmap in k8s ..." - kubectl delete configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert - fi - if kubectl get configmap --namespace {{ .Release.Namespace }} admin-msp &> /dev/null; then - echo "Deleting admin-msp configmap in k8s ..." - kubectl delete configmap --namespace {{ .Release.Namespace }} admin-msp - fi -{{- end}} - diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml index a39b19ce536..e96eb0f4caf 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml 
@@ -9,10 +9,8 @@ kind: Service metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} - {{- if or $.Values.global.proxy (and $.Values.service.loadBalancerType (eq $.Values.service.loadBalancerType "Internal")) }} - annotations: - {{- include "labels.pvc" . | nindent 2 }} - {{- if and $.Values.service.loadBalancerType (eq $.Values.service.loadBalancerType "Internal") }} + {{- if or .Values.global.proxy (and .Values.peer.loadBalancerType (eq .Values.peer.loadBalancerType "Internal")) }} + {{- if and .Values.peer.loadBalancerType (eq .Values.peer.loadBalancerType "Internal") }} cloud.google.com/load-balancer-type: "Internal" {{- end }} {{- end }} 
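Review bot: Removing the `annotations:` line leaves `cloud.google.com/load-balancer-type: "Internal"` without a parent key, so when `peer.loadBalancerType` is `Internal` it is rendered as a direct child of `metadata` and the Service is rejected by the API server. Re-add the key inside the inner condition: `annotations:` on its own line, followed by the indented `cloud.google.com/load-balancer-type: "Internal"` line. With the `labels.pvc` include gone, the outer `{{- if or .Values.global.proxy ... }}` no longer guards anything of its own, so the inner condition can stand alone.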
@@ -24,32 +22,32 @@ metadata: app.kubernetes.io/namespace: {{ .Release.Namespace }} app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- include "labels.pvc" . | nindent 2 }} + {{- include "labels.service" . | nindent 4 }} spec: - type: {{ $.Values.service.serviceType }} + type: {{ .Values.peer.serviceType }} selector: app: {{ .Release.Name }} ports: - name: grpc protocol: TCP targetPort: 7051 - port: {{ $.Values.service.ports.grpc.clusterIpPort }} - {{- if $.Values.service.ports.grpc.nodePort }} - nodePort: {{ $.Values.service.ports.grpc.nodePort }} + port: {{ .Values.peer.ports.grpc.clusterIpPort }} + {{- if .Values.peer.ports.grpc.nodePort }} + nodePort: {{ .Values.peer.ports.grpc.nodePort }} {{- end }} - name: events protocol: TCP targetPort: 7053 - port: {{ $.Values.service.ports.events.clusterIpPort }} - {{- if $.Values.service.ports.events.nodePort }} - nodePort: {{ $.Values.service.ports.events.nodePort }} + port: {{ .Values.peer.ports.events.clusterIpPort }} + {{- if .Values.peer.ports.events.nodePort }} + nodePort: {{ .Values.peer.ports.events.nodePort }} {{- end }} - protocol: TCP name: couchdb targetPort: 5984 - port: {{ $.Values.service.ports.couchdb.clusterIpPort }} - {{- if $.Values.service.ports.couchdb.nodePort }} - nodePort: {{ $.Values.service.ports.couchdb.nodePort }} + port: {{ .Values.peer.ports.couchdb.clusterIpPort }} + {{- if .Values.peer.ports.couchdb.nodePort }} + nodePort: {{ .Values.peer.ports.couchdb.nodePort }} {{- end }} - name: grpc-web protocol: TCP 
@@ -58,15 +56,15 @@ spec: - name: operations protocol: TCP targetPort: 9443 - port: {{ $.Values.service.ports.metrics.clusterIpPort }} - {{- if (eq $.Values.service.serviceType "ClusterIP") }} + port: {{ .Values.peer.ports.metrics.clusterIpPort }} + {{- if (eq .Values.peer.serviceType "ClusterIP") }} clusterIP: None {{- end }} - {{- if $.Values.service.loadBalancerIP }} - loadBalancerIP: {{ $.Values.service.loadBalancerIP }} + {{- if .Values.peer.loadBalancerIP }} + loadBalancerIP: {{ .Values.peer.loadBalancerIP }} {{- end }} -{{- if eq $.Values.global.proxy.provider "haproxy" }} +{{- if eq .Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -74,11 +72,11 @@ metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} annotations: - kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: + ingressClassName: "haproxy" rules: - - host: {{ .Release.Name }}.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: {{ .Release.Name }}.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / @@ -87,8 +85,8 @@ spec: service: name: {{ .Release.Name }} port: - number: {{ $.Values.service.ports.grpc.clusterIpPort }} - - host: {{ .Release.Name }}-proxy.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} + number: {{ .Values.peer.ports.grpc.clusterIpPort }} + - host: {{ .Release.Name }}-proxy.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / 
@@ -104,11 +102,10 @@ kind: Ingress metadata: name: {{ .Release.Name }}-ops namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/ingress.class: "haproxy" spec: + ingressClassName: "haproxy" rules: - - host: {{ .Release.Name }}-ops.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} + - host: {{ .Release.Name }}-ops.{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }} http: paths: - path: / diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml index 847ba2462b0..5071e48f840 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml @@ -1,11 +1,11 @@ -{{- if $.Values.service.ports.metrics.enabled }} +{{- if .Values.peer.ports.metrics.enabled }} {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: app: {{ .Release.Name }} - app.kubernetes.io/name: {{ $.Values.orderer.name }} + app.kubernetes.io/name: {{ .Release.Name}} app.kubernetes.io/component: fabric app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} app.kubernetes.io/namespace: {{ .Release.Namespace }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml index ef1375ef779..e21f9822794 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml 
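Review bot: In the servicemonitor.yaml hunk the new label value is written `{{ .Release.Name}}`, unlike `{{ .Release.Name }}` everywhere else in these templates; the spacing should be made consistent. The adjacent context line includes `fabric-orderernode.fullname` from within the peernode chart, which looks like a copy-paste from the orderer chart; if that named template is not defined here, rendering will fail only once `peer.ports.metrics.enabled` is switched on, since the default is `false`, so it is worth confirming now rather than at first use.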
@@ -5,8 +5,14 @@ ############################################################################################## global: + # HLF Network Version + #Eg. version: 2.5.4 + version: 2.5.4 #Provide the service account name which will be created. serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented vault: #Provide the type of vault #Eg. type: hashicorp @@ -17,26 +23,22 @@ global: #Provide the vault server address #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain #Provide the secret engine. secretEngine: secretsv2 #Provide the vault path where the secrets will be stored secretPrefix: "data/supplychain" - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imageSecretName: "" #Kuberenetes secret for vault ca.cert #Enable or disable TLS for vault communication if value present or not #Eg. tls: vaultca tls: - cluster: - provider: aws # choose from: minikube | aws | azure | gcp - cloudNativeServices: false # only 'false' is implemented - proxy: #This will be the proxy/ingress provider. Can have values "none" or "haproxy" #Eg. provider: "haproxy" - provider: "none" + provider: "haproxy" #This field contains the external URL of the organization #Eg. externalUrlSuffix: test.blockchaincloudpoc.com externalUrlSuffix: test.blockchaincloudpoc.com 
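Review bot: The second hunk changes the default `global.proxy.provider` from `"none"` to `"haproxy"`, which with the service.yaml changes in this commit makes a plain `helm install` create three Ingress objects (grpc, proxy and ops) for `*.test.blockchaincloudpoc.com` with SSL passthrough, exposing the peer externally unless the operator remembers to override it. The safer default is the previous `provider: "none"`, with haproxy opted into per environment; the `noproxy-and-novault` value files added in this commit already set `none` explicitly. If the new default is intentional, the comment above it should say so, e.g. `#Defaults to "haproxy"; set to "none" to keep the peer cluster-internal`.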
@@ -44,57 +46,38 @@ global: #Eg. port: 443 port: 443 - # HLF Network Version - network: - version: 2.5.4 - -cli: - #Creates a peer cli pod depending upon the (enabled/disabled) tag. +storage: + #Flag to create new storage class for organization. Set to false for existing storage class. + #Eg. enabled: true enabled: true - #Provide the address for orderer - #Eg. address: orderer1.test.blockchaincloudpoc.com:443 - address: orderer1.test.blockchaincloudpoc.com:443 - peer: - #Provide the localMspId for organization - #Eg. localMspId: supplychainMSP - localMspId: supplychainMSP - #Provide the value for tlsStatus to be true or false for organization's peer - #Eg. tlsStatus: true - tlsStatus: true - #Provide the address for the peer - #Eg: address: peer0.org1-net:7051 - address: test.blockchaincloudpoc.com:443 - healthCheck: - retries: 20 - sleepTimeAfterError: 15 + #Provide storage size for Peer Volume + #Eg. peer: 512Mi + peer: 512Mi + #Provide storage size for CouchDB Volume + #Eg. couchdb: 512Mi + couchdb: 512Mi + # NOTE: when you set this to Retain, the volume WILL persist after the chart is delete and you need to manually delete it + reclaimPolicy: "Delete" # choose from: Delete | Retain + volumeBindingMode: Immediate # choose from: Immediate | WaitForFirstConsumer + allowedTopologies: + enabled: false -catools: +certs: + # Flag indicating the creation of certificates. + generateCertificates: true orgData: + caAddress: ca.supplychain-net:7051 + caAdminUser: supplychain-admin + caAdminPassword: supplychain-adminpw #Provide organization's name in lowercases #Eg. orgName: supplychain orgName: supplychain #Provide organization's type (orderer or peer) #Eg. component_type: orderer - type: - #Provide organization's subject - #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - componentSubject: + type: peer #Provide organization's subject #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - certSubject: - #Provide organization's country - #Eg. 
UK - componentCountry: UK - #Provide organization's state - #Eg. London - componentState: London - #Provide organization's location - #Eg. Lodon - componentLocation: Lodon - - #Provide peer's names - peers: - - peer0-carrier + componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" users: # Generating User Certificates with custom attributes using Fabric CA in Bevel for Peer Organizations 
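Review bot: `caAdminPassword: supplychain-adminpw` ships a working CA admin credential as the chart default, so any installation that does not override it is registering identities with a password that is public in the repository. The default should be empty and enforced at render time, for instance `caAdminPassword: ""` here and `{{ required "certs.orgData.caAdminPassword must be set" .Values.certs.orgData.caAdminPassword }}` where the template consumes it (the consuming template is not in this hunk, so confirm the path there). The same applies to `peer.couchdb.password: supplychain-userpw` in the next hunk of this file and to the `adminPassword`, `caAdminPassword` and `password` entries in the new ca-orderer.yaml, ca-peer.yaml, carrier.yaml and orderer.yaml sample files; if those are meant as demo values, a comment marking them as such would help.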
@@ -104,52 +87,60 @@ catools: attributes: - key: "hf.Revoker" value: "true" - - user: - identity: user2 - attributes: - - key: "hf.Revoker" - value: "true" #Base64 encoded list of users #Eg. IC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMQogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgIgICAgICAgIC0ga2V5OiBrZXkyCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMgogICAgICAgIC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMgogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgICAgICAgICB2YWx1ZTogdmFsdWUxCiAgICAgICAgICAgIC0ga2V5OiBrZXkzCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMw== usersListAnsible: - #Provides a list of user identities - usersIdentities: - - user1 - - user2 + settings: + #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others. + createConfigMaps: false + refreshCertValue: false + addPeerValue: false + removeCertsOnDelete: false + removeOrdererTlsOnDelete: false image: - #Provide the valid image name and version for fabric couchdb - #Eg. couchdb: hyperledger/fabric-couchdb:0.4.14 + #Provide the valid image repository for fabric couchdb + #Eg. couchdb: hyperledger/fabric-couchdb couchdb: ghcr.io/hyperledger/bevel-fabric-couchdb - #Provide the valid image name and version for fabric peer - #Eg. hyperledger/fabric-peer:2.2.2 + #Provide the valid repository for fabric peer + #Eg. peer: hyperledger/fabric-peer peer: ghcr.io/hyperledger/bevel-fabric-peer #Provide the valid image name and version to read certificates from vault server #Eg. alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the valid image name and version for fabric tools - #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 - fabricTools: ghcr.io/hyperledger/bevel-fabric-tools + #Provide the secret to use if private repository + #Eg. 
pullSecret: regcred + pullSecret: peer: - #Provide the url of gossipping peer and port to be mentioned is grpc cluster IP port - #Eg. gossipPeerAddress: supplychain.svc.cluster.local:443 - gossipPeerAddress: supplychain.svc.cluster.local:443 - #Provide the url of gossip external endpoint and port to be mentioned is haproxy https service port - #Eg. gossipExternalEndpoint: supplychain:443 - gossipExternalEndpoint: supplychain.test.blockchaincloudpoc.com:443 + #Provide the url of the gossipping peer. If empty, this peer's own address will be used + #Eg. gossipPeerAddress: peer1.supplychain-net:7051 + gossipPeerAddress: peer1.supplychain-net:7051 #Provide the logLevel for organization's peer #Eg. logLevel: info logLevel: info + #Provide the localMspId for organization + #Eg. localMspId: supplychainMSP + localMspId: supplychainMSP + #Provide the value for tlsStatus to be true or false for organization's peer + #Eg. tlsStatus: true + tlsStatus: true + #Flag to enable CLI for this peer + #Eg. cliEnabled: true + cliEnabled: false + #Provide the address for orderer; optional is cliEnabled: false + #Eg. ordererAddress: orderer1.test.blockchaincloudpoc.com:443 + ordererAddress: orderer1.supplychain-net:7050 #Provide a valid chaincode builder image for Fabric - #Eg. builder: hyperledger/fabric-ccenv:1.4.8 + #Eg. builder: hyperledger/fabric-ccenv builder: hyperledger/fabric-ccenv couchdb: #Provide the username for couchdb login - #If couchdb username is provided, it is mandatory to provide password for the same #Eg. username: supplychain-user username: supplychain-user - + #Provide the password for couchdb login + #Eg. password: supplychain-userpw + password: supplychain-userpw mspConfig: #Provide the members of the MSP in organizational unit identifiers #Eg.organizationalUnitIdentifiers: 
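Review bot: The new comment `#Provide the address for orderer; optional is cliEnabled: false` reads as a typo and leaves the condition unclear; `#Provide the address for the orderer; only needed when cliEnabled is true` states it directly. Separately, `pullSecret:` is left as a bare empty value, which parses as null; the deployment template's `{{- if .Values.image.pullSecret }}` handles that, but writing `pullSecret: ""` matches the README's documented default and avoids a null/string ambiguity for other consumers.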
@@ -160,31 +151,19 @@ peer: # - orderer organizationalUnitIdentifiers: nodeOUs: - clientOUIdentifier: - #Provide OU which will be used to identify node as client - #Eg.organizationalUnitIdentifier: client - organizationalUnitIdentifier: client - peerOUIdentifier: - #Provide OU which will be used to identify node as peer - #Eg.organizationalUnitIdentifier: peer - organizationalUnitIdentifier: peer + #Provide OU which will be used to identify node as client + #Eg.clientOUIdentifier: client + clientOUIdentifier: client + #Provide OU which will be used to identify node as peer + #Eg.peerOUIdentifier: peer + peerOUIdentifier: peer # following for 2.2.x - adminOUIdentifier: - organizationalUnitIdentifier: admin - ordererOUIdentifier: - organizationalUnitIdentifier: orderer - -storage: - peer: - #Provide the size for storage class - #Eg. size: 512Mi - size: 512Mi - couchdb: - #Provide the size for storage class - #Eg. size: 512Mi - size: 512Mi - -service: + #Provide OU which will be used to identify node as admin + #Eg.adminOUIdentifier: admin + adminOUIdentifier: admin + #Provide OU which will be used to identify node as orderer + #Eg.ordererOUIdentifier: orderer + ordererOUIdentifier: orderer #Provide the serviceType for a peer #Eg. serviceType: NodePort serviceType: ClusterIP 
@@ -213,34 +192,27 @@ service: clusterIpPort: 5984 metrics: enabled: false - clusterIpPort: 9443 - -config: - # Set limits and requests of pod - pod: - resources: - limits: + clusterIpPort: 9443 + resources: + limits: # Provide the limit memory for node - # Eg. memory: 512M - memory: 512M + # Eg. memory: 1Gi + memory: 1Gi # Provide the limit cpu for node # Eg. cpu: 1 - cpu: 1 - requests: + cpu: 1 + requests: # Provide the requests memory for node # Eg. memory: 512M - memory: 512M + memory: 512M # Provide the requests cpu for node # Eg. cpu: 0.25 - cpu: 0.25 - -settings: - # Flag to ensure the certificates configmaps are removed on helm uninstall - removeConfigMapsOnDelete: true - # Flag to ensure the certificates secrets are removed on helm uninstall - removeCertsOnDelete: true - # Flag indicating the creation of certificates. This flag must be set to true when installing the first peer and false in the others. - generateCertificates: false + cpu: 0.25 + #Flag to be set to true when network is upgraded + upgrade: false + healthCheck: + retries: 20 + sleepTimeAfterError: 15 labels: service: [] diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-orderer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-orderer.yaml new file mode 100644 index 00000000000..9e3275732bb --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-orderer.yaml @@ -0,0 +1,20 @@ +#helm install supplychain-ca -f values/noproxy-and-novault/ca-server.yaml -n supplychain-net fabric-ca-server +global: + serviceAccountName: vault-auth + cluster: + provider: azure + cloudNativeServices: false + vault: + type: kubernetes + proxy: + provider: none + externalUrlSuffix: supplychain-net + +storage: + size: 512Mi +server: + removeCertsOnDelete: true + tlsStatus: true + adminUsername: supplychain-admin + adminPassword: supplychain-adminpw + subject: "/C=GB/ST=London/L=London/O=Orderer" 
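Review bot: In the new ca-orderer.yaml the usage comment points at a file that does not exist in this directory: `#helm install supplychain-ca -f values/noproxy-and-novault/ca-server.yaml -n supplychain-net fabric-ca-server` should read `-f values/noproxy-and-novault/ca-orderer.yaml`. The same stale reference appears in ca-peer.yaml (`ca-server.yaml` instead of `ca-peer.yaml`) and in carrier.yaml, whose comment names `peer.yaml` and misspells the release as `pee0-carrier`; since these comments are the only install instructions in the sample files, they should name the file they live in.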
diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-peer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-peer.yaml new file mode 100644 index 00000000000..ba145a003a2 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ca-peer.yaml @@ -0,0 +1,20 @@ +#helm install carrier-ca -f values/noproxy-and-novault/ca-server.yaml -n carrier-net fabric-ca-server +global: + serviceAccountName: vault-auth + cluster: + provider: azure + cloudNativeServices: false + vault: + type: kubernetes + proxy: + provider: none + externalUrlSuffix: carrier-net + +storage: + size: 512Mi +server: + removeCertsOnDelete: true + tlsStatus: true + adminUsername: carrier-admin + adminPassword: carrier-adminpw + subject: "/C=GB/ST=London/L=London/O=Carrier" diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/carrier.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/carrier.yaml new file mode 100644 index 00000000000..87f053018e6 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/carrier.yaml 
@@ -0,0 +1,52 @@ +#helm install pee0-carrier -f values/noproxy-and-novault/peer.yaml -n carrier-net fabric-peer +global: + version: 2.5.4 + serviceAccountName: vault-auth + vault: + type: kubernetes + + cluster: + provider: azure + cloudNativeServices: false + + proxy: + provider: "none" + externalUrlSuffix: carrier-net + +certs: + generateCertificates: true + orgData: + caAddress: ca.carrier-net:7054 + caAdminUser: carrier-admin + caAdminPassword: carrier-adminpw + orgName: carrier + type: peer + componentSubject: "O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB" + users: + usersList: + - user: + identity: user1 + attributes: + - key: "hf.Revoker" + value: "true" + settings: + #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others. + createConfigMaps: true + refreshCertValue: false + addPeerValue: false + removeCertsOnDelete: true + removeOrdererTlsOnDelete: true +storage: + enabled: false +peer: + gossipPeerAddress: + logLevel: info + localMspId: carrierMSP + tlsStatus: true + cliEnabled: true + ordererAddress: orderer1.supplychain-net:7050 + builder: hyperledger/fabric-ccenv + couchdb: + username: carrier-user + password: carrier-userpw + upgrade: false diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/genesis.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/genesis.yaml new file mode 100644 index 00000000000..bf48e007515 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/genesis.yaml 
@@ -0,0 +1,45 @@ +#helm install ca-certs -f values/noproxy-and-novault/genesis.yaml -n supplychain-net fabric-genesis +global: + version: 2.5.4 + serviceAccountName: vault-auth + cluster: + provider: azure + cloudNativeServices: false + vault: + type: kubernetes + proxy: + provider: none + externalUrlSuffix: supplychain-net + +organizations: + - name: supplychain + orderers: + - name: orderer1 + ordererAddress: orderer1.supplychain-net:7050 # Internal/External URI of the orderer + - name: orderer2 + ordererAddress: orderer2.supplychain-net:7050 + - name: orderer3 + ordererAddress: orderer3.supplychain-net:7050 + peers: + - name: peer0 + peerAddress: peer0.supplychain-net:7051 # Internal/External URI of the peer + - name: peer1 + peerAddress: peer1.supplychain-net:7051 + + - name: carrier + peers: + - name: peer0 + peerAddress: peer0.carrier-net:7051 # Internal/External URI of the peer + +consensus: raft +channels: + - name: allchannel + consortium: SupplyChainConsortium + orderers: + - supplychain + participants: + - supplychain + - carrier + +settings: + removeConfigMapOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/join-channel.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/join-channel.yaml new file mode 100644 index 00000000000..39455b21a71 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/join-channel.yaml @@ -0,0 +1,19 @@ +--- +global: + version: 2.5.4 + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + vault: + type: kubernetes + +peer: + name: peer0 + type: anchor + address: peer0.carrier-net:7051 + localMspId: carrierMSP + logLevel: info + tlsStatus: true + channelName: AllChannel + ordererAddress: orderer1.supplychain-net:7050 
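Review bot: In the join-channel.yaml hunk `channelName: AllChannel` does not match the channel created by the genesis.yaml hunk in the same commit, `channels: - name: allchannel`; Fabric channel names are lowercase, so unless the join-channel chart lowercases the value the peer will attempt to join a channel that does not exist. Change it to `channelName: allchannel`. In genesis.yaml, `consensus: raft` and the `settings.removeConfigMapOnDelete` key are new schema relative to the deleted `ordererOrganization/genesis.yaml` (`consensus.name`, `removeGenesisOnDelete`); a one-line comment noting the renamed keys would help anyone migrating old value files.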
diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/orderer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/orderer.yaml new file mode 100644 index 00000000000..8d07ca97ec5 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/orderer.yaml @@ -0,0 +1,37 @@ +#helm install orderer1 -f values/noproxy-and-novault/orderer.yaml -n supplychain-net fabric-orderernode +global: + version: 2.5.4 + serviceAccountName: vault-auth + vault: + type: kubernetes + + cluster: + provider: azure + cloudNativeServices: false + + proxy: + provider: none + externalUrlSuffix: supplychain-net + +certs: + generateCertificates: true + orgData: + caAddress: ca.supplychain-net:7054 + caAdminUser: supplychain-admin + caAdminPassword: supplychain-adminpw + orgName: supplychain + type: orderer + componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB" + settings: + #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others. + createConfigMaps: true + refreshCertValue: false + addPeerValue: false + removeCertsOnDelete: true + removeOrdererTlsOnDelete: true + +orderer: + consensus: raft + logLevel: info + localMspId: supplychainMSP + tlsstatus: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml deleted file mode 100644 index b924b48c120..00000000000 --- a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml +++ /dev/null 
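Review bot: The new orderer.yaml sets `tlsstatus: true` while every other file in this commit spells the key `tlsStatus` (peer, ca-orderer, ca-peer, join-channel); if the fabric-orderernode templates read `.Values.orderer.tlsStatus`, this key is silently ignored and the orderer comes up with whatever the chart default is rather than with TLS explicitly enabled. Change it to `tlsStatus: true` unless the orderernode chart, which is not in this diff, really uses the lowercase form, in which case that chart should be aligned instead. Since this sample is meant to be copied, an ignored security flag here propagates to real deployments.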
@@ -1,24 +0,0 @@ -#helm install supplychain-ca -f values/noproxy-and-novault/ordererOrganization/ca-server.yaml -n supplychain-net fabric-ca-server -global: - serviceAccountName: vault-auth - vault: - type: kubernetes - cluster: - provider: azure - cloudNativeServices: false - kubernetesUrl: https://kubernetes.url - proxy: - provider: none - externalUrlSuffix: supplychain-net - -cacerts: - ca: - orgName: supplychain - subject: /C=GB/ST=London/L=London/O=Orderer - -server: - tlsStatus: true - admin: supplychain-admin - -settings: - removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/genesis.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/genesis.yaml deleted file mode 100644 index 309e04e12c2..00000000000 --- a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/genesis.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -#helm install ca-certs -f values/noproxy-and-novault/ordererOrganization/genesis.yaml -n supplychain-net fabric-genesis -global: - serviceAccountName: vault-auth - vault: - type: kubernetes - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: none - externalUrlSuffix: supplychain-net - network: - version: 2.5.4 - -consensus: - name: raft - -organizations: - - organization: - name: supplychain - type: orderer - orderers: - - orderer: - name: orderer1 - ordererAddress: orderer1.supplychain-net:7050 - - orderer: - name: orderer2 - ordererAddress: orderer2.supplychain-net:7050 - - orderer: - name: orderer3 - ordererAddress: orderer3.supplychain-net:7050 - - - organization: - name: carrier - type: peer - peers: - - peer: - name: peer0-carrier - peerAddress: peer0-carrier.carrier-net:7051 # External URI of the peer - -channels: - - channel: - channelName: allchannel - consortium: SupplyChainConsortium - orderers: - - supplychain - participants: - - organization: - name: carrier - genesis: - name: OrdererGenesis - -settings: - removeGenesisOnDelete: true - removeConfigMapOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml deleted file mode 100644 index 4fe0c8c306d..00000000000 --- a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -#helm install orderer1 -f values/noproxy-and-novault/ordererOrganization/orderer.yaml -n supplychain-net fabric-orderernode -global: - serviceAccountName: vault-auth - vault: - type: kubernetes - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: none - externalUrlSuffix: supplychain-net - - network: - version: 2.5.4 - -catools: - orgData: - orgName: supplychain - type: orderer - componentSubject: O=Orderer,L=51.50/-0.13/London,C=GB - certSubject: O=Orderer/L=51.50,-0.13,London/C=GB - componentCountry: UK - componentState: London - componentLocation: London - - orderers: - - orderer1 - - orderer2 - - orderer3 - -channel: - name: allchannel - -orderer: - logLevel: info - localMspId: supplychainMSP - tlsstatus: true - -consensus: - name: raft - -settings: - removeConfigMapsOnDelete: true - removeCertsOnDelete: true - generateCertificates: false diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peer.yaml new file mode 100644 index 00000000000..c660bc11f9f --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peer.yaml 
@@ -0,0 +1,51 @@
+#helm install pee0-carrier -f values/noproxy-and-novault/peer.yaml -n carrier-net fabric-peer
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ vault:
+ type: kubernetes
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+
+ proxy:
+ provider: "none"
+ externalUrlSuffix: supplychain-net
+
+certs:
+ generateCertificates: true
+ orgData:
+ caAddress: ca.supplychain-net:7054
+ caAdminUser: supplychain-admin
+ caAdminPassword: supplychain-adminpw
+ orgName: supplychain
+ type: peer
+ componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB"
+ users:
+ usersList:
+ - user:
+ identity: user1
+ attributes:
+ - key: "hf.Revoker"
+ value: "true"
+ settings:
+ #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others.
+ createConfigMaps: false
+ refreshCertValue: false
+ addPeerValue: false
+ removeCertsOnDelete: true
+ removeOrdererTlsOnDelete: true
+
+peer:
+ gossipPeerAddress: peer1.supplychain-net:7051
+ logLevel: info
+ localMspId: supplychainMSP
+ tlsStatus: true
+ cliEnabled: false
+ ordererAddress: orderer1.supplychain-net:7050
+ builder: hyperledger/fabric-ccenv
+ couchdb:
+ username: supplychain-user
+ password: supplychain-userpw
+ upgrade: false
diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml
deleted file mode 100644
index 00ecd38df23..00000000000
--- a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml
+++ /dev/null
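Review bot: The install comment `#helm install pee0-carrier -f values/noproxy-and-novault/peer.yaml -n carrier-net fabric-peer` names the carrier organisation, but the values below belong to supplychain (`orgName: supplychain`, `localMspId: supplychainMSP`, every address in `supplychain-net`), so following the comment installs a supplychain peer into the carrier namespace. Either the values should be carrier's or the comment should read `#helm install peer0 -f values/noproxy-and-novault/peer.yaml -n supplychain-net fabric-peer`. `componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB"` on a `type: peer` entry also looks copied from orderer.yaml; the proxy-and-vault carrier.yaml in this commit shows the intended shape (`O=Carrier,OU=Carrier,...`). Finally, `hf.Revoker: "true"` gives `user1` the right to revoke other identities' certificates at the CA, which is more than an application user normally needs, so it is worth confirming this is intended rather than inherited from the deleted peerOrganization/peer.yaml.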
@@ -1,24 +0,0 @@ -#helm install carrier-ca -f values/noproxy-and-novault/peerOrganization/ca-server.yaml -n carrier-net fabric-ca-server -global: - serviceAccountName: vault-auth - vault: - type: kubernetes - cluster: - provider: azure - cloudNativeServices: false - kubernetesUrl: https://kubernetes.url - proxy: - provider: none - externalUrlSuffix: carrier-net - -cacerts: - ca: - orgName: carrier - subject: /C=GB/ST=London/L=London/O=Carrier - -server: - tlsStatus: true - admin: carrier-admin - -settings: - removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml deleted file mode 100644 index 72c56b2aca2..00000000000 --- a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -#helm install pee0-carrier -f values/noproxy-and-novault/peerOrganization/peer.yaml -n carrier-net fabric-peer -global: - serviceAccountName: vault-auth - vault: - type: kubernetes - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: "none" - externalUrlSuffix: carrier-net - network: - version: 2.5.4 - -catools: - orgData: - orgName: carrier - type: peer - componentSubject: O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB - certSubject: O=Carrier/OU=Carrier/L=51.50,-0.13,London/C=GB - componentCountry: GB - componentState: London - componentLocation: London - - peers: - - peer0-carrier - - users: - usersList: - - user: - identity: user1 - attributes: - - key: "hf.Revoker" - value: "true" - - user: - identity: user2 - attributes: - - key: "hf.Revoker" - value: "true" - usersIdentities: - - user1 - - user2 - -cli: - enabled: true - orderer: - address: orderer1.supplychain-net:7050 - peer: - localMspId: carrierMSP - tlsStatus: true - address: carrier-net:7051 - -upgrade: False - -peer: - gossipPeerAddress: carrier-net:7051 - gossipExternalEndpoint: carrier-net:7051 - logLevel: info - builder: hyperledger/fabric-ccenv:2.5.4 - couchdb: - username: carrier-user - -settings: - removeConfigMapsOnDelete: true - removeCertsOnDelete: true - generateCertificates: false diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-orderer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-orderer.yaml new file mode 100644 index 00000000000..3416340af25 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-orderer.yaml 
@@ -0,0 +1,27 @@
+#helm install supplychain-ca -f values/proxy-and-vault/ca-server.yaml -n supplychain-net fabric-ca-server
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ kubernetesUrl: "https://yourkubernetes.com"
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+storage:
+ size: 512Mi
+server:
+ removeCertsOnDelete: true
+ tlsStatus: true
+ adminUsername: supplychain-admin
+ adminPassword: supplychain-adminpw
+ subject: "/C=GB/ST=London/L=London/O=Orderer"
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-peer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-peer.yaml
new file mode 100644
index 00000000000..2de4727a807
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ca-peer.yaml
@@ -0,0 +1,27 @@
+#helm install carrier-ca -f values/proxy-and-vault/ca-server.yaml -n carrier-net fabric-ca-server
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ kubernetesUrl: "https://yourkubernetes.com"
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: carrier
+ secretEngine: secretsv2
+ secretPrefix: "data/carrier"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+storage:
+ size: 512Mi
+server:
+ removeCertsOnDelete: true
+ tlsStatus: true
+ adminUsername: carrier-admin
+ adminPassword: carrier-adminpw
+ subject: /C=GB/ST=London/L=London/O=Carrier
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/carrier.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/carrier.yaml
new file mode 100644
index 00000000000..c16adb871b2
--- /dev/null
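Review bot: Both install comments point at `values/proxy-and-vault/ca-server.yaml`, a file this commit does not add (the new files are `ca-orderer.yaml` and `ca-peer.yaml`), so the documented command fails on a missing values file; they should read `-f values/proxy-and-vault/ca-orderer.yaml` and `-f values/proxy-and-vault/ca-peer.yaml` respectively. `address: http://vault.url:8200` together with `tls: false` also configures the Vault client for plaintext HTTP, so the Kubernetes auth token presented at login and every secret read back travel unencrypted. For sample values that is tolerable only if it is visible, e.g. `address: http://vault.url:8200  # sample only; use an https address and tls: true outside local testing`; the same pair appears in every other proxy-and-vault values file in this commit.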
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/carrier.yaml
@@ -0,0 +1,56 @@
+#helm install pee0-carrier -f values/noproxy-and-novault/peer.yaml -n carrier-net fabric-peer
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: carrier
+ secretEngine: secretsv2
+ secretPrefix: "data/carrier"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+certs:
+ generateCertificates: true
+ orgData:
+ caAddress: ca.carrier-net.test.yourdomain.com
+ caAdminUser: carrier-admin
+ caAdminPassword: carrier-adminpw
+ orgName: carrier
+ type: peer
+ componentSubject: "O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB"
+ users:
+ usersList:
+ - user:
+ identity: user1
+ attributes:
+ - key: "hf.Revoker"
+ value: "true"
+ settings:
+ #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others.
+ createConfigMaps: true
+ refreshCertValue: false
+ addPeerValue: false
+ removeCertsOnDelete: true
+ removeOrdererTlsOnDelete: true
+storage:
+ enabled: false
+peer:
+ gossipPeerAddress:
+ logLevel: info
+ localMspId: carrierMSP
+ tlsStatus: true
+ cliEnabled: true
+ ordererAddress: orderer1.supplychain-net.test.yourdomain.com:443
+ builder: hyperledger/fabric-ccenv
+ couchdb:
+ username: carrier-user
+ password: carrier-userpw
+ upgrade: false
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/create-channel.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/create-channel.yaml
new file mode 100644
index 00000000000..7e5e5db3f0c
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/create-channel.yaml
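Review bot: `gossipPeerAddress:` is left without a value, which YAML parses as null rather than an empty string, so a template that interpolates `.Values.peer.gossipPeerAddress` renders a nil value or trips a `required` check depending on how the chart consumes it. Either set the intended external endpoint (the sibling peer.yaml uses the `…test.yourdomain.com:443` form) or write `gossipPeerAddress: ""` with a comment saying why it is blank. The install comment at the top also references `values/noproxy-and-novault/peer.yaml` instead of this file, and `caAddress: ca.carrier-net.test.yourdomain.com` carries no port while the noproxy variant uses `:7054`, so it is worth confirming the chart appends 443 for the proxied case.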
@@ -0,0 +1,27 @@
+global:
+ version: 2.2.2
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: carrier
+ secretEngine: secretsv2
+ secretPrefix: "data/carrier"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+peer:
+ name: peer0
+ type: anchor
+ address: peer0.carrier-net.test.yourdomain.com:443
+ localMspId: carrierMSP
+ logLevel: info
+ tlsStatus: true
+ channelName: AllChannel
+ ordererAddress: orderer1.supplychain-net.test.yourdomain.com:443
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/genesis.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/genesis.yaml
new file mode 100644
index 00000000000..2facfc098c1
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/genesis.yaml
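Review bot: `version: 2.2.2` disagrees with every other values file in this commit, which pin `2.5.4`; if the chart derives image tags or CLI behaviour from `global.version`, the create-channel job runs Fabric tooling two minor versions behind the peers and orderers it talks to. Set `version: 2.5.4` unless the mismatch is deliberate, in which case a comment on the line should say so. This file is also the only proxy-and-vault values file without a leading `#helm install …` comment, which the others rely on as their usage documentation.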
@@ -0,0 +1,50 @@
+#helm install ca-certs -f values/proxy-and-vault/genesis.yaml -n supplychain-net fabric-genesis
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+organizations:
+ - name: supplychain
+ orderers:
+ - name: orderer1
+ ordererAddress: orderer1.supplychain-net.test.yourdomain.com:443
+ - name: orderer2
+ ordererAddress: orderer2.supplychain-net.test.yourdomain.com:443
+ - name: orderer3
+ ordererAddress: orderer3.supplychain-net.test.yourdomain.com:443
+ peers:
+ - name: peer0
+ peerAddress: peer0.supplychain-net.test.yourdomain.com:443 # Internal/External URI of the peer
+ - name: peer1
+ peerAddress: peer1.supplychain-net.test.yourdomain.com:443
+
+ - name: carrier
+ peers:
+ - name: peer0
+ peerAddress: peer0.carrier-net.test.yourdomain.com:443 # External URI of the peer
+consensus: raft
+channels:
+ - name: allchannel
+ consortium: SupplyChainConsortium
+ orderers:
+ - supplychain
+ participants:
+ - supplychain
+ - carrier
+
+settings:
+ removeConfigMapOnDelete: true
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/join-channel.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/join-channel.yaml
new file mode 100644
index 00000000000..be85234b3a0
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/join-channel.yaml
@@ -0,0 +1,24 @@
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ tls: false
+
+peer:
+ name: peer0
+ type: anchor
+ address: peer0.supplychain-net.test.yourdomain.com:443
+ localMspId: supplychainMSP
+ logLevel: info
+ tlsStatus: true
+ channelName: AllChannel
+ ordererAddress: orderer1.supplychain-net.test.yourdomain.com:443
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/orderer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/orderer.yaml
new file mode 100644
index 00000000000..f3980f05b25
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/orderer.yaml
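Review bot: This file omits the `proxy:` block that every other proxy-and-vault values file carries (`provider: haproxy`, `externalUrlSuffix: test.yourdomain.com`) even though `peer.address` and `ordererAddress` use the proxied `…test.yourdomain.com:443` endpoints; if the chart falls back to its default proxy setting when the block is absent, the join step may try to reach the peer through a route that does not exist. Add the same `proxy:` block under `global:`, or add a comment stating that the join-channel chart does not read it. `channelName: AllChannel` should also match the lower-case `allchannel` defined in genesis.yaml.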
@@ -0,0 +1,41 @@
+#helm install orderer1 -f values/proxy-and-vault/orderer.yaml -n supplychain-net fabric-orderernode
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+certs:
+ generateCertificates: true
+ orgData:
+ caAddress: ca.supplychain-net.test.yourdomain.com
+ caAdminUser: supplychain-admin
+ caAdminPassword: supplychain-adminpw
+ orgName: supplychain
+ type: orderer
+ componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB"
+ settings:
+ #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others.
+ createConfigMaps: true
+ refreshCertValue: false
+ addPeerValue: false
+ removeCertsOnDelete: true
+ removeOrdererTlsOnDelete: true
+
+orderer:
+ consensus: raft
+ logLevel: info
+ localMspId: supplychainMSP
+ tlsstatus: true
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml
deleted file mode 100644
index de8dd31e4d0..00000000000
--- a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -#helm install supplychain-ca -f values/proxy-and-vault/ordererOrganization/ca-server.yaml -n supplychain-net fabric-ca-server -global: - serviceAccountName: vault-auth - vault: - type: hashicorp - address: http://vault.demo.com:8200 - authPath: supplychain - secretEngine: secretsv2 - secretPrefix: "data/supplychain" - cluster: - provider: azure - cloudNativeServices: false - kubernetesUrl: https://kubernetes.url - - proxy: - provider: haproxy - externalUrlSuffix: test.yourdomain.com - -cacerts: - ca: - orgName: supplychain - subject: /C=GB/ST=London/L=London/O=Orderer - -server: - tlsStatus: true - admin: supplychain-admin - -settings: - removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/genesis.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/genesis.yaml deleted file mode 100644 index 864762cf0e6..00000000000 --- a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/genesis.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -#helm install ca-certs -f values/proxy-and-vault/ordererOrganization/genesis.yaml -n supplychain-net fabric-genesis -global: - serviceAccountName: vault-auth - vault: - type: hashicorp - address: http://vault.demo.com:8200 - authPath: supplychain - secretEngine: secretsv2 - secretPrefix: "data/supplychain" - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: haproxy - externalUrlSuffix: test.yourdomain.com - network: - version: 2.5.4 - -consensus: - name: raft - -organizations: - - organization: - name: supplychain - type: orderer - orderers: - - orderer: - name: orderer1 - ordererAddress: orderer1.test.yourdomain.com:443 - - orderer: - name: orderer2 - ordererAddress: orderer2.test.yourdomain.com:443 - - orderer: - name: orderer3 - ordererAddress: orderer3.test.yourdomain.com:443 - - - organization: - name: carrier - type: peer - peers: - - peer: - name: peer0-carrier - peerAddress: peer0-carrier.carrier-net.test.yourdomain.com:443 # External URI of the peer - -channels: - - channel: - channelName: allchannel - consortium: SupplyChainConsortium - orderers: - - supplychain - participants: - - organization: - name: carrier - genesis: - name: OrdererGenesis - -settings: - removeGenesisOnDelete: true - removeConfigMapOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml deleted file mode 100644 index 5119c5ce594..00000000000 --- a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -#helm install orderer1 -f values/proxy-and-vault/ordererOrganization/orderer.yaml -n supplychain-net fabric-orderernode -global: - serviceAccountName: vault-auth - vault: - type: hashicorp - address: http://vault.demo.com:8200 - authPath: supplychain - secretEngine: secretsv2 - secretPrefix: "data/supplychain" - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: haproxy - externalUrlSuffix: test.yourdomain.com - network: - version: 2.5.4 - -catools: - orgData: - orgName: supplychain - type: orderer - componentSubject: O=Orderer,L=51.50/-0.13/London,C=GB - certSubject: O=Orderer/L=51.50,-0.13,London/C=GB - componentCountry: UK - componentState: London - componentLocation: London - - orderers: - - orderer1 - - orderer2 - - orderer3 - -channel: - name: allchannel - -orderer: - logLevel: info - localMspId: supplychainMSP - tlsstatus: true - -consensus: - name: raft - -settings: - removeConfigMapsOnDelete: true - removeCertsOnDelete: true - generateCertificates: false diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/osn-create-channel.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/osn-create-channel.yaml new file mode 100644 index 00000000000..62ab1d0dcba --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/osn-create-channel.yaml @@ -0,0 +1,24 @@ +global: + version: 2.5.4 + serviceAccountName: vault-auth + cluster: + provider: azure + cloudNativeServices: false + vault: + type: hashicorp + role: vault-role + address: http://vault.url:8200 + authPath: supplychain + secretEngine: secretsv2 + secretPrefix: "data/supplychain" + tls: false + proxy: + provider: haproxy + externalUrlSuffix: test.yourdomain.com +orderers: + - name: orderer1 + adminAddress: orderer1.supplychain-net:7055 # Internal URI of the orderer ONS Admin service + - name: orderer2 + adminAddress: orderer2.supplychain-net:7055 + - name: orderer3 + adminAddress: orderer3.supplychain-net:7055 
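Review bot: In osn-create-channel.yaml the comment `# Internal URI of the orderer ONS Admin service` presumably means the OSN (ordering service node) admin endpoint; `# Internal URI of the orderer OSN admin service` avoids the reader mistaking it for something DNS-related. The `proxy:` block is present while every `adminAddress` uses a cluster-internal `supplychain-net:7055` name, which matches the comment's intent; if the chart ignores `global.proxy` for this job, a one-line comment saying the admin API is deliberately reached in-cluster would save the next reader from "fixing" it to the external suffix.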
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peer.yaml
new file mode 100644
index 00000000000..ab684308fd4
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peer.yaml
@@ -0,0 +1,55 @@
+#helm install pee0 -f values/proxy-and-vault/orderer.yaml -n carrier-net fabric-orderernode
+global:
+ version: 2.5.4
+ serviceAccountName: vault-auth
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ vault:
+ type: hashicorp
+ role: vault-role
+ address: http://vault.url:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ tls: false
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+certs:
+ generateCertificates: true
+ orgData:
+ caAddress: ca.supplychain-net:7054
+ caAdminUser: supplychain-admin
+ caAdminPassword: supplychain-adminpw
+ orgName: supplychain
+ type: peer
+ componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB"
+ users:
+ usersList:
+ - user:
+ identity: user1
+ attributes:
+ - key: "hf.Revoker"
+ value: "true"
+ settings:
+ #Flag to create configmaps for the organization. This flag must be set to true when installing the first orderer/peer in organization and false for others.
+ createConfigMaps: false
+ refreshCertValue: false
+ addPeerValue: false
+ removeCertsOnDelete: true
+ removeOrdererTlsOnDelete: true
+
+peer:
+ gossipPeerAddress: peer1.supplychain-net.test.yourdomain.com:443
+ logLevel: info
+ localMspId: supplychainMSP
+ tlsStatus: true
+ cliEnabled: false
+ ordererAddress: orderer1.supplychain-net.test.yourdomain.com:443
+ builder: hyperledger/fabric-ccenv
+ couchdb:
+ username: supplychain-user
+ password: supplychain-userpw
+ upgrade: false
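Review bot: The install comment `#helm install pee0 -f values/proxy-and-vault/orderer.yaml -n carrier-net fabric-orderernode` is wrong on every token for this file, which holds peer values for the supplychain organisation; it should read `#helm install peer0 -f values/proxy-and-vault/peer.yaml -n supplychain-net fabric-peer`. `caAddress: ca.supplychain-net:7054` is the cluster-internal CA address while the sibling orderer.yaml in this directory uses the proxied `ca.supplychain-net.test.yourdomain.com`; both may resolve from inside the cluster, but the two files should agree or a comment should say why they differ. `componentSubject: "O=Orderer,L=51.50/-0.13/London,C=GB"` is also an orderer subject on a `type: peer` enrolment, as already noted for the noproxy-and-novault peer.yaml.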
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml deleted file mode 100644 index 30dc5e91b48..00000000000 --- a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml +++ /dev/null @@ -1,28 +0,0 @@ -#helm install carrier-ca -f values/proxy-and-vault/peerOrganization/ca-server.yaml -n carrier-net fabric-ca-server -global: - serviceAccountName: vault-auth - vault: - type: hashicorp - address: http://vault.demo.com:8200 - authPath: carrier - secretEngine: secretsv2 - secretPrefix: "data/carrier" - cluster: - provider: azure - cloudNativeServices: false - kubernetesUrl: https://kubernetes.url - proxy: - provider: haproxy - externalUrlSuffix: test.yourdomain.com - -cacerts: - ca: - orgName: carrier - subject: /C=GB/ST=London/L=London/O=Carrier - -server: - tlsStatus: true - admin: carrier-admin - -settings: - removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml deleted file mode 100644 index be6014373a6..00000000000 --- a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -#helm install pee0 -f values/proxy-and-vault/peerOrganization/orderer.yaml -n carrier-net fabric-orderernode -global: - serviceAccountName: vault-auth - vault: - type: hashicorp - network: fabric - address: http://vault.demo.com:8200 - authPath: carrier - secretEngine: secretsv2 - secretPrefix: "data/carrier" - cluster: - provider: azure - cloudNativeServices: false - proxy: - provider: haproxy - externalUrlSuffix: test.yourdomain.com - - network: - version: 2.5.4 - -catools: - orgData: - orgName: carrier - type: peer - componentSubject: O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB - certSubject: O=Carrier/OU=Carrier/L=51.50,-0.13,London/C=GB - componentCountry: GB - componentState: London - componentLocation: London - - peers: - - peer0-carrier - - users: - usersList: - - user: - identity: user1 - attributes: - - key: "hf.Revoker" - value: "true" - - user: - identity: user2 - attributes: - - key: "hf.Revoker" - value: "true" - usersIdentities: - - user1 - - user2 - -cli: - enabled: true - orderer: - address: orderer1.test.yourdomain.com:443 - peer: - localMspId: carrierMSP - tlsStatus: true - address: carrier-net.test.yourdomain.com:443 - -upgrade: False - -peer: - gossipPeerAddress: carrier-net.test.yourdomain.com:443 - gossipExternalEndpoint: carrier-net.test.yourdomain.com:443 - couchdb: - username: carrier-user - -settings: - removeConfigMapsOnDelete: true - removeCertsOnDelete: true - generateCertificates: false diff --git a/platforms/hyperledger-fabric/configuration/roles/create/console_assets/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/console_assets/tasks/main.yaml index 7de25f29f49..c76b64154d0 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/console_assets/tasks/main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/console_assets/tasks/main.yaml 
@@ -18,7 +18,7 @@ # Get CA info from public url - name: Get CA data info uri: - url: "https://{{ item.ca_data.url }}" + url: "https://{{ item.ca_data.url }}/cainfo" validate_certs: no return_content: yes register: url_output diff --git a/platforms/hyperledger-indy/charts/indy-genesis/README.md b/platforms/hyperledger-indy/charts/indy-genesis/README.md index f113c1263f5..f09e349d304 100644 --- a/platforms/hyperledger-indy/charts/indy-genesis/README.md +++ b/platforms/hyperledger-indy/charts/indy-genesis/README.md @@ -90,7 +90,7 @@ These parameters are refered to as same in each parent or child chart | Name | Description | Default Value | | -------------| ---------- | --------- | | `image.alpineutils` | Alpine utils image repository | `ghcr.io/hyperledger/bevel-alpine-ext:latest` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | ### Settings diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md b/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md index f7bff6e576b..b1990cf5b82 100644 --- a/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md +++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md @@ -70,7 +70,7 @@ These parameters are refered to as same in each parent or child chart | Name | Description | Default Value | | -------------| ---------- | --------- | | `image.keyUtils` | Indy Key Gen image repository for the Indy version | `ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | ### Settings diff --git a/platforms/hyperledger-indy/charts/indy-node/README.md b/platforms/hyperledger-indy/charts/indy-node/README.md index 2b95eb19921..acfa11ea0f9 100644 
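Review bot: `validate_certs: no` leaves TLS certificate verification off on the request that now fetches `/cainfo`, and by that endpoint's purpose the response carries the CA's own certificate chain that the console assets go on to trust, so anyone able to answer for `item.ca_data.url` on the network path could substitute a different CA without the play noticing. Prefer `validate_certs: true` and, when the CA is issued by a private root, supply it through `ca_path`; if verification genuinely has to stay off during bootstrap, a comment stating why should sit next to the line. The `no`/`yes` scalars on the `validate_certs` and `return_content` lines are also YAML 1.1 truthy values; `false`/`true` read the same on every parser. The task `- name: Get CA data info` is fully inside the hunk; the surrounding play is not.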
--- a/platforms/hyperledger-indy/charts/indy-node/README.md +++ b/platforms/hyperledger-indy/charts/indy-node/README.md @@ -70,7 +70,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.initContainer` | Init-container image repository and tag | `ghcr.io/hyperledger/bevel-alpine-ext:latest`| | `image.cli` | Indy-cli indy-ledger-txn image repository and tag | `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest`| | `image.indyNode.repository` | Indy Node image repository | `ghcr.io/hyperledger/bevel-indy-node` | diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml index 37af62b1927..15296240d3b 100644 --- a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml @@ -51,7 +51,7 @@ spec: - name: {{ .Values.image.pullSecret }} {{- end }} initContainers: - - name: format-certs + - name: format-certs image: {{ .Values.image.initContainer }} imagePullPolicy: IfNotPresent env: diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/README.md b/platforms/hyperledger-indy/charts/indy-register-identity/README.md index dc0d7ad1696..b2ee0f648f0 100644 --- a/platforms/hyperledger-indy/charts/indy-register-identity/README.md +++ b/platforms/hyperledger-indy/charts/indy-register-identity/README.md 
@@ -66,7 +66,7 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Default Value | | -------------| ---------- | --------- | | `image.cli` | Indy Cli image repository and tag | `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | ### Settings diff --git a/platforms/quorum/charts/quorum-node/README.md b/platforms/quorum/charts/quorum-node/README.md index 645a0e10d92..c8e93382c88 100644 --- a/platforms/quorum/charts/quorum-node/README.md +++ b/platforms/quorum/charts/quorum-node/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install validator-1 bevel/quorum-node ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -97,7 +97,7 @@ This is where you can override the values for the [quorum-tessera-node subchart] | `image.hooks.repository` | Quorum/Besu hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` | | `image.hooks.tag` | Quorum/Besu hooks image tag | `qgt-0.2.12` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | ### quorum node diff --git a/platforms/quorum/charts/quorum-propose-validator/README.md b/platforms/quorum/charts/quorum-propose-validator/README.md index bfbc77fa923..732fb256a26 100644 --- a/platforms/quorum/charts/quorum-propose-validator/README.md +++ b/platforms/quorum/charts/quorum-propose-validator/README.md 
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install propose-validator bevel/goquorum-propose-validator ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -55,7 +55,7 @@ The command removes all the Kubernetes components associated with the chart and | -------------| ---------- | --------- | | `image.genesisUtils.repository` | Quorum hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` | | `image.genesisUtils.tag` | Quorum hooks image tag | `qgt-0.2.12` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | ### validators diff --git a/platforms/quorum/charts/quorum-tessera-node/README.md b/platforms/quorum/charts/quorum-tessera-node/README.md index 871ad284812..a04cbcc610f 100644 --- a/platforms/quorum/charts/quorum-tessera-node/README.md +++ b/platforms/quorum/charts/quorum-tessera-node/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install my-tessera bevel/quorum-tessera-node ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -88,7 +88,7 @@ These parameters are refered to as same in each parent or child chart | `image.mysql.tag` | MySQL image tag | `5.7` | | `image.hooks.repository` | Quorum/Besu hooks image repository | `ghcr.io/hyperledger/bevel-k8s-hooks` | | `image.hooks.tag` | Quorum/Besu hooks image tag | `qgt-0.2.12` | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | 
diff --git a/platforms/quorum/charts/quorum-tlscert-gen/README.md b/platforms/quorum/charts/quorum-tlscert-gen/README.md index 6bd2a7a218a..1d2d52c6dfc 100644 --- a/platforms/quorum/charts/quorum-tlscert-gen/README.md +++ b/platforms/quorum/charts/quorum-tlscert-gen/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install my-release bevel/quorum-tlscert-gen ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -57,9 +57,9 @@ These parameters are refered to as same in each parent or chold chart | `global.vault.address`| URL of the Vault server. | `""` | | `global.vault.authPath` | Authentication path for Vault | `supplychain` | | `global.vault.network` | Network type which will determine the vault policy | `quorum` | -| `global.vault.secretEngine` | Provide the value for vault secret engine name | `secretsv2` | -| `global.vault.secretPrefix` | Provide the value for vault secret prefix which must start with `data/` | `data/supplychain` | -| `global.proxy.externalUrlSuffix` | Provide the External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.proxy.externalUrlSuffix` | External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` | ### Image 
@@ -67,14 +67,14 @@ These parameters are refered to as same in each parent or chold chart |------------|-----------|---------| | `image.repository` | Docker repository which will be used for this job | `ghcr.io/hyperledger/bevel-alpine` | | `image.tag` | Docker image tag which will be used for this job | `latest` | -| `image.pullSecret` | Provide the docker secret name | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | The pull policy for the image | `IfNotPresent` | ### Settings | Name | Description | Default Value | | ------------| -------------- | --------------- | | `settings.tmTls` | Set value to true when transaction manager like tessera uses tls. This enables TLS for the transaction manager and Besu node. | `True` | -| `settings.certSubject` | Provide the X.509 subject for root CA | `"CN=DLT Root CA,OU=DLT,O=DLT,L=London,C=GB"` | +| `settings.certSubject` | X.509 subject for root CA | `"CN=DLT Root CA,OU=DLT,O=DLT,L=London,C=GB"` | ### Common parameters diff --git a/platforms/r3-corda-ent/charts/cenm-auth/README.md b/platforms/r3-corda-ent/charts/cenm-auth/README.md index 1d358c182de..f770b9f65bd 100644 --- a/platforms/r3-corda-ent/charts/cenm-auth/README.md +++ b/platforms/r3-corda-ent/charts/cenm-auth/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install auth bevel/cenm-auth ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ 
@@ -78,7 +78,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.auth.repository` | CENM auth image repository | `corda/enterprise-auth`| | `image.auth.tag` | CENM auth image tag as per version | `1.5.9-zulu-openjdk8u382`| diff --git a/platforms/r3-corda-ent/charts/cenm-gateway/README.md b/platforms/r3-corda-ent/charts/cenm-gateway/README.md index ee00bb0c09e..cc868964fb4 100644 --- a/platforms/r3-corda-ent/charts/cenm-gateway/README.md +++ b/platforms/r3-corda-ent/charts/cenm-gateway/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install gateway bevel/cenm-gateway ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -79,7 +79,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.gateway.repository` | CENM gateway image repository | `corda/enterprise-gateway`| | `image.gateway.tag` | CENM gateway image tag as per version | `1.5.9-zulu-openjdk8u382`| diff --git a/platforms/r3-corda-ent/charts/cenm-idman/README.md b/platforms/r3-corda-ent/charts/cenm-idman/README.md index 1ff304dd09b..f932cd3908c 100644 --- a/platforms/r3-corda-ent/charts/cenm-idman/README.md +++ b/platforms/r3-corda-ent/charts/cenm-idman/README.md 
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install idman bevel/cenm-idman ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -83,7 +83,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.idman.repository` | CENM idman image repository | `corda/enterprise-idman`| | `image.idman.tag` | CENM idman image tag as per version | `1.5.9-zulu-openjdk8u382`| diff --git a/platforms/r3-corda-ent/charts/cenm-networkmap/README.md b/platforms/r3-corda-ent/charts/cenm-networkmap/README.md index 7cfcf1151b9..8d05f44f0c5 100644 --- a/platforms/r3-corda-ent/charts/cenm-networkmap/README.md +++ b/platforms/r3-corda-ent/charts/cenm-networkmap/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install networkmap bevel/cenm-networkmap ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -82,7 +82,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.networkmap.repository` | CENM networkmap image repository | `corda/enterprise-networkmap`| | `image.networkmap.tag` | CENM networkmap image tag as per version | `1.5.9-zulu-openjdk8u382`| 
diff --git a/platforms/r3-corda-ent/charts/cenm-signer/README.md b/platforms/r3-corda-ent/charts/cenm-signer/README.md index f05c8884534..ce62b2425e9 100644 --- a/platforms/r3-corda-ent/charts/cenm-signer/README.md +++ b/platforms/r3-corda-ent/charts/cenm-signer/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install signer bevel/cenm-signer ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -83,7 +83,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.signer.repository` | CENM idman image repository | `corda/enterprise-singer`| | `image.signer.tag` | CENM idman image tag as per version | `1.5.9-zulu-openjdk8u382`| 
@@ -93,10 +93,10 @@ These parameters are refered to as same in each parent or child chart ### Signers | Name | Description | Default Value | | -------------| ---------- | --------- | -| `signers.CSR.schedule.interval` | Provide the certificate sigining request interval | `"1m"` | -| `signers.CRL.schedule.interval` | Provide the certificate revocation interval | `"1d"` | -| `signers.NetworkMap.schedule.interval` | Provide the NetworkMap sigining interval | `"1m"` | -| `signers.NetworkParameters.schedule.interval` | Provide the Network Parameters sigining interval | `"1m"` | +| `signers.CSR.schedule.interval` | Certificate sigining request interval | `"1m"` | +| `signers.CRL.schedule.interval` | Certificate revocation interval | `"1d"` | +| `signers.NetworkMap.schedule.interval` | NetworkMap sigining interval | `"1m"` | +| `signers.NetworkParameters.schedule.interval` | Network Parameters sigining interval | `"1m"` | ## License diff --git a/platforms/r3-corda-ent/charts/cenm-zone/README.md b/platforms/r3-corda-ent/charts/cenm-zone/README.md index c1a3a2eec5a..011f3084ed5 100644 --- a/platforms/r3-corda-ent/charts/cenm-zone/README.md +++ b/platforms/r3-corda-ent/charts/cenm-zone/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install zone bevel/cenm-zone ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ 
@@ -79,7 +79,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.zone.repository` | CENM zone image repository | `corda/enterprise-zone`| | `image.zone.tag` | CENM zone image tag as per version | `1.5.9-zulu-openjdk8u382`| diff --git a/platforms/r3-corda-ent/charts/cenm/README.md b/platforms/r3-corda-ent/charts/cenm/README.md index 2ba8bd150ce..7276ffe6d9e 100644 --- a/platforms/r3-corda-ent/charts/cenm/README.md +++ b/platforms/r3-corda-ent/charts/cenm/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install cenm bevel/cenm ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -85,7 +85,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.pki.repository` | CENM PKI image repository | `corda/enterprise-pkitool`| | `image.pki.tag` | CENM PKI image tag as per version | `1.5.9-zulu-openjdk8u382`| diff --git a/platforms/r3-corda-ent/charts/enterprise-init/README.md b/platforms/r3-corda-ent/charts/enterprise-init/README.md index 36613c1b96c..bd59aa13c4e 100644 --- a/platforms/r3-corda-ent/charts/enterprise-init/README.md +++ b/platforms/r3-corda-ent/charts/enterprise-init/README.md 
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install init bevel/enterprise-init ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ diff --git a/platforms/r3-corda-ent/charts/enterprise-node/README.md b/platforms/r3-corda-ent/charts/enterprise-node/README.md index 08e463d42cc..7340e8ddbfe 100644 --- a/platforms/r3-corda-ent/charts/enterprise-node/README.md +++ b/platforms/r3-corda-ent/charts/enterprise-node/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install node bevel/enterprise-node ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -77,7 +77,7 @@ These parameters are refered to as same in each parent or child chart ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.bevelAlpine.repository` | Bevel alpine image repository | `ghcr.io/hyperledger/bevel-alpine`| | `image.bevelAlpine.tag` | Bevel alpine image tag | `latest`| diff --git a/platforms/r3-corda/charts/corda-certs-gen/README.md b/platforms/r3-corda/charts/corda-certs-gen/README.md index c823cca1c9b..3a70d52ba3d 100644 --- a/platforms/r3-corda/charts/corda-certs-gen/README.md +++ b/platforms/r3-corda/charts/corda-certs-gen/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install my-release bevel/corda-certs-gen ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ 
@@ -57,9 +57,9 @@ These parameters are refered to as same in each parent or chold chart | `global.vault.address`| URL of the Vault server. | `""` | | `global.vault.authPath` | Authentication path for Vault | `supplychain` | | `global.vault.network` | Network type which will determine the vault policy | `corda` | -| `global.vault.secretEngine` | Provide the value for vault secret engine name | `secretsv2` | -| `global.vault.secretPrefix` | Provide the value for vault secret prefix which must start with `data/` | `data/supplychain` | -| `global.proxy.externalUrlSuffix` | Provide the External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.proxy.externalUrlSuffix` | External URL suffix which will be used as CN to generate certificate | `test.blockchaincloudpoc.com` | ### Image @@ -67,7 +67,7 @@ These parameters are refered to as same in each parent or chold chart |------------|-----------|---------| | `image.repository` | Docker repository which will be used for this job | `ghcr.io/hyperledger/bevel-alpine` | | `image.tag` | Docker image tag which will be used for this job | `latest` | -| `image.pullSecret` | Provide the docker secret name | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | The pull policy for the image | `IfNotPresent` | ### Settings diff --git a/platforms/r3-corda/charts/corda-init/README.md b/platforms/r3-corda/charts/corda-init/README.md index 2fcadafa7a8..afea84bf631 100644 --- a/platforms/r3-corda/charts/corda-init/README.md +++ b/platforms/r3-corda/charts/corda-init/README.md 
@@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install init bevel/corda-init ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ diff --git a/platforms/r3-corda/charts/corda-network-service/README.md b/platforms/r3-corda/charts/corda-network-service/README.md index ba71835d640..4ae6252b7b4 100644 --- a/platforms/r3-corda/charts/corda-network-service/README.md +++ b/platforms/r3-corda/charts/corda-network-service/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install network-service bevel/corda-network-service ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ @@ -84,7 +84,7 @@ This is where you can override the values for the [corda-certs-gen subchart](../ ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.mongo.repository` | MongoDB image repository | `mongo`| | `image.mongo.tag` | MongoDB image tag as per version of MongoDB | `3.6.6`| diff --git a/platforms/r3-corda/charts/corda-node/README.md b/platforms/r3-corda/charts/corda-node/README.md index 13a217f073d..c254aeea2ba 100644 --- a/platforms/r3-corda/charts/corda-node/README.md +++ b/platforms/r3-corda/charts/corda-node/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install notary bevel/corda-node ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ 
@@ -84,7 +84,7 @@ This is where you can override the values for the [corda-certs-gen subchart](../ ### Image | Name | Description | Default Value | | -------------| ---------- | --------- | -| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | | `image.pullPolicy` | Pull policy to be used for the Docker images | `IfNotPresent` | | `image.h2` | H2 DB image repository and tag | `ghcr.io/hyperledger/h2:2018`| | `image.corda.repository` | Corda Image repository | `ghcr.io/hyperledger/bevel-corda`| diff --git a/platforms/shared/charts/bevel-storageclass/README.md b/platforms/shared/charts/bevel-storageclass/README.md index cc51766df9a..57d0369d785 100644 --- a/platforms/shared/charts/bevel-storageclass/README.md +++ b/platforms/shared/charts/bevel-storageclass/README.md @@ -13,7 +13,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install my-storageclass bevel/bevel-storageclass ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ diff --git a/platforms/shared/charts/bevel-vault-mgmt/README.md b/platforms/shared/charts/bevel-vault-mgmt/README.md index b1a6e22de96..bbe9a4b81b0 100644 --- a/platforms/shared/charts/bevel-vault-mgmt/README.md +++ b/platforms/shared/charts/bevel-vault-mgmt/README.md @@ -13,7 +13,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install my-release bevel/bevel-vault-mgmt ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - HashiCorp Vault Server 1.13.1+ 
@@ -58,8 +58,8 @@ These parameters are refered to as same in each parent or child chart | `global.vault.address`| URL of the Vault server. | `""` | | `global.vault.authPath` | Authentication path for Vault | `supplychain` | | `global.vault.network` | Network type which will determine the vault policy | `besu` | -| `global.vault.secretEngine` | Provide the value for vault secret engine name | `secretsv2` | -| `global.vault.secretPrefix` | Provide the value for vault secret prefix which must start with `data/` | `data/supplychain` | +| `global.vault.secretEngine` | Vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | Vault secret prefix which must start with `data/` | `data/supplychain` | | `global.vault.tls` | Enable or disable TLS for vault communication if value present or not | `""` | ### Image @@ -68,7 +68,7 @@ These parameters are refered to as same in each parent or child chart |------------|-----------|---------| | `image.repository` | Docker image repo which will be used for this job | `ghcr.io/hyperledger/bevel-alpine` | | `image.tag` | Docker image tag which will be used for this job | `latest` | -| `image.pullSecret` | Provide the docker secret name | `""` | +| `image.pullSecret` | Secret name in the namespace containing private image registry credentials | `""` | ### Common parameters diff --git a/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.13.9.tgz b/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.13.9.tgz deleted file mode 100644 index bea4454db17..00000000000 Binary files a/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.13.9.tgz and /dev/null differ diff --git a/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.14.6.tgz b/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.14.6.tgz new file mode 100644 index 00000000000..a45fd764beb Binary files /dev/null and b/platforms/shared/charts/haproxy-ingress/haproxy-ingress-0.14.6.tgz differ 
diff --git a/platforms/shared/charts/haproxy-ingress/values.yaml b/platforms/shared/charts/haproxy-ingress/values.yaml index 6ec3870fb57..654c8627ad0 100644 --- a/platforms/shared/charts/haproxy-ingress/values.yaml +++ b/platforms/shared/charts/haproxy-ingress/values.yaml @@ -4,6 +4,8 @@ rbac: secret: write: false security: + # Configures PodSecurityPolicy. This resource was removed on Kubernetes v1.25, + # so it is ignored on clusters version v1.25 or newer. enable: false # Create ServiceAccount @@ -13,14 +15,17 @@ serviceAccount: # The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template name: + # Automount API credentials for the ServiceAccount. + automountServiceAccountToken: true nameOverride: "" fullnameOverride: "haproxy-ingress" controller: image: - repository: quay.io/jcmoraisjr/haproxy-ingress - tag: v0.13.9 + registry: quay.io + repository: jcmoraisjr/haproxy-ingress + tag: v0.14.6 pullPolicy: IfNotPresent imagePullSecrets: [] @@ -71,7 +76,7 @@ controller: ## Uses ingressClass as name for the IngressClass ## ingressClassResource: - enabled: false + enabled: true default: false controllerClass: "" parameters: {} @@ -98,6 +103,10 @@ controller: successThreshold: 1 timeoutSeconds: 1 + ## Annotations to be added to DaemonSet/Deployment definitions + ## + annotations: {} + ## Annotations to be added to controller pods ## podAnnotations: {} @@ -142,6 +151,9 @@ controller: # hello_again.lua: | # core.Debug("Hello again HAProxy!\n") + # Automount API credentials to the controller's pod + automountServiceAccountToken: true + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged @@ -176,7 +188,7 @@ controller: ## DaemonSet or Deployment ## - kind: Deployment + kind: DaemonSet # TCP service key:value pairs # : /:[:[][:]] 
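Review bot: The `kind: Deployment` → `kind: DaemonSet` flip in the `@@ -176,7 +188,7 @@` hunk changes the controller's rollout model to one pod per node, and read together with the hostport remark kept as context in the `@@ -142,6 +151,9 @@` hunk it means every node may bind the controller's ports while `replicaCount`/`minAvailable` further down no longer govern the controller; a comment on the line such as `# DaemonSet: one controller pod per node; replicaCount/minAvailable do not apply to the controller` would make that intent explicit. `automountServiceAccountToken: true` is now set both on the ServiceAccount (`@@ -13,14 +15,17 @@`) and on the controller pod (`@@ -142,6 +151,9 @@`); when both are set the pod-level value is the one the kubelet applies, so the ServiceAccount-level one could stay unset or `false` to keep any other workload bound to that ServiceAccount from receiving an API token by default. The controller pod presumably needs the token for its API watches, so the pod-level `true` is the right place for it.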
@@ -184,6 +196,11 @@ controller: tcp: {} # 8080: "default/example-tcp-svc:9000" + # default values for http and https containerPorts + containerPorts: + http: 80 + https: 443 + # optionally disable static ports, including the default 80 and 443 enableStaticPorts: true @@ -217,7 +234,8 @@ controller: # Deployment replicaCount: 1 - # PodDisruptionBudget + # A PodDisruptionBudget is created only if minAvailable is + # greater than 0 (zero) and lesser than the replicaCount minAvailable: 1 resources: {} @@ -252,7 +270,7 @@ controller: ## nodeSelector: {} - ## The 'publishService' setting allows customization of the source of the IP address or FQDN to report + ## The 'publishService' setting allows customization of the source of the IP address or FQDN to report ## in the ingress status field. If disabled (default), the field will not be set by the controller. ## If enabled, it reads the information provided by the service, unless pathOverride is specified. ## If a value for 'publish-service' is specified in controller.extraArgs, it overrides this setting. @@ -284,6 +302,7 @@ controller: # ipFamilies: [IPv4] # ipFamilyPolicy: PreferDualStack + loadBalancerClass: "" loadBalancerIP: "" loadBalancerSourceRanges: [] @@ -319,8 +338,9 @@ controller: enabled: false image: + registry: docker.io repository: haproxy - tag: "2.3.21-alpine" + tag: "2.6.14-alpine" pullPolicy: IfNotPresent ## Additional command line arguments to pass to haproxy @@ -334,6 +354,12 @@ controller: # cpu: 500m # memory: 768Mi + # Configure container lifecycle. When scaling replicas down this can be + # used to prevent controller container from terminating quickly and drop in-flight requests. + # For example, when the controller runs behind Network Load Balancer this can be used + # to configure preStop hook to sleep along with deregistration_delay. + lifecycle: {} + ## Container Security Context for the haproxy container ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## 
@@ -380,7 +406,8 @@ controller: # (scrapes the stats port and exports metrics to prometheus) # Only used if embedded == false image: - repository: quay.io/prometheus/haproxy-exporter + registry: quay.io + repository: prometheus/haproxy-exporter tag: "v0.11.0" pullPolicy: IfNotPresent @@ -415,6 +442,7 @@ controller: ## externalIPs: [] + loadBalancerClass: "" loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 9101 @@ -423,6 +451,7 @@ controller: ## If controller.stats.enabled = true and controller.metrics.enabled = true and controller.serviceMonitor.enabled = true, Prometheus ServiceMonitor will be created ## Ref: https://coreos.com/operators/prometheus/docs/latest/api.html#servicemonitor + ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md ## serviceMonitor: enabled: false @@ -469,11 +498,13 @@ controller: enabled: false # syslog for haproxy - # https://github.com/whereisaaron/kube-syslog-sidecar + # https://github.com/crisu1710/kube-syslog-sidecar # (listens on UDP port 514 and outputs to stdout) + # registry needs to be in quotes image: - repository: whereisaaron/kube-syslog-sidecar - tag: latest + registry: "ghcr.io" + repository: crisu1710/kube-syslog-sidecar + tag: "0.2.0" pullPolicy: IfNotPresent ## Additional volume mounts @@ -505,10 +536,14 @@ defaultBackend: name: default-backend image: - repository: k8s.gcr.io/defaultbackend-amd64 + registry: k8s.gcr.io + repository: defaultbackend-amd64 tag: "1.5" pullPolicy: IfNotPresent + imagePullSecrets: [] + # - name: secret-name + ## Node tolerations for server scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## @@ -536,7 +571,8 @@ defaultBackend: # Deployment replicaCount: 1 - # PodDisruptionBudget + # A PodDisruptionBudget is created only if minAvailable is + # greater than 0 (zero) and lesser than the replicaCount minAvailable: 1 resources: 
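Review bot: The syslog sidecar in the `@@ -469,11 +498,13 @@` hunk is now pulled as `ghcr.io/crisu1710/kube-syslog-sidecar:0.2.0`, an image published under an individual's GitHub namespace and pinned only by a mutable tag, which is a weaker supply-chain position than the project's own images under `ghcr.io/hyperledger` elsewhere in this diff; the sidecar is `enabled: false` by default here, but for deployments that turn it on, mirroring it into the project registry or pinning a digest is worth considering. The accompanying comment `# registry needs to be in quotes` gives no reason — a plain `ghcr.io` is already a string to any YAML parser — so either state the template-side reason or drop the comment. In the `@@ -505,10 +536,14 @@` hunk the new `registry: k8s.gcr.io` names the legacy Kubernetes image host, which redirects to `registry.k8s.io`; `registry: registry.k8s.io` avoids depending on that redirect.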
@@ -557,8 +593,10 @@ defaultBackend: ## externalIPs: [] + loadBalancerClass: "" loadBalancerIP: "" loadBalancerSourceRanges: [] + servicePort: 8080 type: ClusterIP @@ -571,3 +609,7 @@ defaultBackend: ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: {} + + ## Priority Class for the default backend container + ## + priorityClassName: "" diff --git a/platforms/shared/configuration/roles/setup/haproxy-ingress/defaults/main.yaml b/platforms/shared/configuration/roles/setup/haproxy-ingress/defaults/main.yaml index c46ce820d8a..78940acc149 100644 --- a/platforms/shared/configuration/roles/setup/haproxy-ingress/defaults/main.yaml +++ b/platforms/shared/configuration/roles/setup/haproxy-ingress/defaults/main.yaml @@ -8,4 +8,4 @@ tmp_directory: "{{ lookup('env', 'TMPDIR') | default('/tmp',true) }}" default: - version: "0.13.9" + version: "0.14.6"