feat(indy): enable platform deployment via ansible-server

This commit introduces support for deploying a decentralized ledger technology (DLT) network using Ansible automation. The changes include: 1. Updated the Ansible codebase to support network deployment in respect of the standalone Helm chart. 2. The following Ansible roles have been introduced to appropriately deploy the network: - 1. Generate keys for each node of each organization. - 2. Fetch generated keys in JSON format to deploy genesis with known nodes only. - 3. Utilize keys stored in the JSON file to configure the genesis with known nodes and then install the genesis block. - 4. A secondary genesis setup is also included to support deployment in multiple namespaces for a multi-organization Indy network. - 5. Deploy stewards for all organizations. - 6. Deploy the endorser. 3. Updated the Reset Ansible code to delete each node's key from the vault, along with the organization policy and Authentication engine. 4. Added an individual role to clean all the network-supported local files (JSON files). 5. Updated the sample network configuration file to provide information on which networks can be deployed using this file and how to customize the network by following the network rules specified in the file itself. This PR will allow users to set an Indy network with support of the following rules: 1. Exactly 1 trustee is required per organization. 2. Up to 1 endorser is allowed per organization. 3. At least 4 stewards are required collectively across the entire Indy network. fixes hyperledger-bevel#2557 Signed-off-by: saurabhkumarkardam <[email protected]>
saurabhkumarkardam · Jun 11, 2024 · 34720eb · 34720eb
1 parent 75e4ddd
commit 34720eb
Show file tree

Hide file tree

Showing 47 changed files with 1,171 additions and 771 deletions.
diff --git a/platforms/hyperledger-indy/charts/README.md b/platforms/hyperledger-indy/charts/README.md
@@ -79,7 +79,8 @@ helm install university-steward-3 ./indy-node --namespace university-ns --values
 cd ./indy-register-identity/files
 kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json
 kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json
-# Register endorser identity from admin
+# Register the endorser identity using the trustee's credentials
+# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides
 cd ../..
 helm install university-endorser-id ./indy-register-identity --namespace authority-ns
 ```
@@ -130,24 +131,26 @@ helm install university-steward-4 ./indy-node --namespace university-ns --values
 cd ./indy-register-identity/files
 kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json
 kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json
-# Register endorser identity from admin
+# Register the endorser identity using the trustee's credentials
+# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides
 cd ../..
 helm install university-endorser-id ./indy-register-identity --namespace authority-ns
 ```
 
 ### Clean-up
 
-To clean up, simply uninstall the Helm releases. It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure.
+To clean up, simply uninstall the Helm charts. 
+> **NOTE**: It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure.
 
 ```bash
 helm uninstall --namespace university-ns university-steward-1
 helm uninstall --namespace university-ns university-steward-2
 helm uninstall --namespace university-ns university-steward-3
 helm uninstall --namespace university-ns university-steward-4
-helm uninstall --namespace university-ns genesis
 helm uninstall --namespace university-ns university-keys
+helm uninstall --namespace university-ns genesis
 
 helm uninstall --namespace authority-ns university-endorser-id
-helm uninstall --namespace authority-ns genesis
 helm uninstall --namespace authority-ns authority-keys
+helm uninstall --namespace authority-ns genesis
 ```
diff --git a/platforms/hyperledger-indy/configuration/cleanup.yaml b/platforms/hyperledger-indy/configuration/cleanup.yaml
@@ -13,17 +13,19 @@
   no_log: "{{ no_ansible_log | default(false) }}"
   tasks:
   # Cleanup all organizations' vault indy crypto
-  - name: Cleanup Vault indy crypto
+  - name: "Clean up Vault indy crypto"
     include_role:
       name: clean/vault
     vars:
-      organization: "{{ organizationItem.name | lower }}"
-      organization_ns: "{{ organization }}-ns"
-      services: "{{ organizationItem.services }}"
-      acount: "{{ organization }}-admin-vault-auth"
-      vault: "{{ organizationItem.vault }}"
-      role: "rw"
-      auth_path: "kubernetes-{{ organization }}"
+      org_name: "{{ org.name | lower }}"
+      org_ns: "{{ org_name }}-ns"
+      services: "{{ org.services }}"
+      vault: "{{ org.vault }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
+      loop_var: org
+
+  # Clean up helpers directory
+  - name: "Clean up helpers directory"
+    include_role:
+      name: clean/local_directories
diff --git a/platforms/hyperledger-indy/configuration/deploy-network.yaml b/platforms/hyperledger-indy/configuration/deploy-network.yaml
@@ -4,10 +4,11 @@
 #  SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
 
-#########################
+##############################################################################################
 # Playbook to create deployment files for namespaces, service account and clusterrolebinding
 # Playbook arguments: complete network.yaml
-#########################
+##############################################################################################
+---
 - hosts: ansible_provisioners
   gather_facts: no
   no_log: "{{ no_ansible_log | default(false) }}"
@@ -24,203 +25,100 @@
       name: check/validation
 
   # Create namespaces for organizations
-  - name: 'Create namespace'
+  - name: "Create namespace"
     include_role:
       name: create/namespace
     vars:
-      component_name: "{{ organizationItem.name | lower }}-ns"
-      component_type_name: "{{ organizationItem.type | lower }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}"
+      component_name: "{{ org.name | lower }}-ns"
+      component_type_name: "{{ org.type | lower }}"
+      kubernetes: "{{ org.k8s }}"
+      release_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
+      loop_var: org
 
-  # Create service accounts
-  - name: 'Create service accounts'
+  # Create necessary Kubernetes secrets for each organization
+  - name: "Create k8s secrets"
     include_role:
-      name: create/serviceaccount/main
+      name: create/secrets
     vars:
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      organization: "{{ organizationItem.name | lower }}"
-      component_type_name: "{{ organization }}"
-      services: "{{ organizationItem.services }}"
-      gitops: "{{ organizationItem.gitops }}"
-      kubernetes: "{{ organizationItem.k8s }}"
+      component_ns: "{{ org.name | lower }}-ns"
+      kubernetes: "{{ org.k8s }}"
+      vault: "{{ org.vault }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
-    when: organizationItem.org_status is not defined or organizationItem.org_status == 'new'
+      loop_var: org
 
-  # Create StorageClass
-  - name: Create Storage Class
+  # Generate keys for each nodes
+  - name: "Generate keys"
     include_role:
-      name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass"
+      name: setup/generate-keys
     vars:
       org_name: "{{ org.name | lower }}"
-      sc_name: "{{ org_name }}-bevel-storageclass"
-      region: "{{ org.k8s.region | default('eu-west-1') }}"
+      stewards: "{{ org.services.stewards }}"
+      cloud_provider: "{{ org.cloud_provider | lower }}"
+      vault: "{{ org.vault }}"
+      kubernetes: "{{ org.k8s }}"
+      component_type: "generate-keys"
+      component_ns: "{{ org_name }}-ns"
+      component_name: "{{ org_name }}-keys"
+      values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}"
+      charts_dir: "{{ org.gitops.chart_source }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
       loop_var: org
-    when: org.org_status is not defined or org.org_status == 'new'
-
-  # Admin K8S auth
-  - name: Admin K8S auth
-    include_role:
-      name: setup/vault_kubernetes
-    vars:
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}-bevel-ac-vault-auth"
-      component_type: "GetServiceAccount"
-      vault: "{{ organizationItem.vault }}"
-      auth_path: "kubernetes-{{ organization }}-admin-auth"
-      kubernetes: "{{ organizationItem.k8s }}"
-    loop: "{{ network['organizations'] }}"
-    loop_control:
-      loop_var: organizationItem
-    when: organizationItem.org_status is not defined or organizationItem.org_status == 'new'
-
-  # Generate auth job
-  - name: 'Generate auth job'
-    include_role:
-      name: setup/auth_job
-    vars:
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}"
-      services: "{{ organizationItem.services }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      vault: "{{ organizationItem.vault }}"
-      gitops: "{{ organizationItem.gitops }}"
-    loop: "{{ network['organizations'] }}"
-    loop_control:
-      loop_var: organizationItem
-    when: organizationItem.org_status is not defined or organizationItem.org_status == 'new'
-
-  # Get Vault AC Token via Service Account
-  - name: Get Vault AC Token via Service Account
-    include_role:
-      name: check/k8_component
-    vars:
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}-bevel-ac-vault-auth"
-      component_type: "GetServiceAccount"
-      vault: "{{ organizationItem.vault }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-    loop: "{{ network['organizations'] }}"
-    loop_control:
-      loop_var: organizationItem
 
-  # Generate indy crypto and insert into Vault
-  - name: 'Generate indy crypto and insert into Vault'
+  # Get each node keys for the Genesis setup
+  - name: "Get keys for the Genesis setup"
     include_role:
-      name: setup/crypto
+      name: setup/genesis-node-keys
     vars:
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}"
-      services: "{{ organizationItem.services }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      vault: "{{ organizationItem.vault }}"
-      gitops: "{{ organizationItem.gitops }}"
-      vault_ac_token: "{{ ac_vault_tokens[organization] }}"
+      component_ns: "{{ org.name | lower }}-ns"
+      kubernetes: "{{ org.k8s }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
-    when: organizationItem.org_status is not defined or organizationItem.org_status == 'new'
-
-  # Create and deploy domain genesis
-  - name: 'Create domain genesis'
-    include_role:
-      name: setup/domain_genesis
-
-  # Create and deploy pool genesis
-  - name: 'Create pool genesis'
-    include_role:
-      name: setup/pool_genesis
+      loop_var: org
 
-  # Add new Trustees via existing Trustee
-  - name: "Add New Trustees via existing Trustee"
+  # Install Genesis
+  - name: "Install Genesis"
     include_role:
-      name: setup/trustees
-    vars:
-      new_org_query: "organizations[?org_status=='new']"
-      neworg: "{{ network | json_query(new_org_query) | first }}"
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      gitops: "{{ organizationItem.gitops }}"
-      vault: "{{ organizationItem.vault }}"
-    loop: "{{ network['organizations'] }}"
-    loop_control:
-      loop_var: organizationItem
-    when:
-    - (add_new_org|bool and add_new_org_network_trustee_present|bool)
-    - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing')
+      name: setup/genesis
 
-  # Add new Stewards via existing Trustee
-  - name: "Add New Stewards via existing Trustee"
+  # Install Steward nodes
+  - name: Install Steward nodes
     include_role:
       name: setup/stewards
     vars:
-      new_org_query: "organizations[?org_status=='new']"
-      neworg: "{{ network | json_query(new_org_query) | first }}"
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      component_name: "{{ organization }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      gitops: "{{ organizationItem.gitops }}"
-      vault: "{{ organizationItem.vault }}"
+      org_name: "{{ org.name | lower }}"
+      cloud_provider: "{{ org.cloud_provider | lower }}"
+      kubernetes: "{{ org.k8s }}"
+      component_ns: "{{ org_name }}-ns"
+      component_type: "stewards"
+      values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}"
+      charts_dir: "{{ org.gitops.chart_source }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
-    when:
-    - (add_new_org|bool and add_new_org_network_trustee_present|bool)
-    - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing')
+      loop_var: org
 
-  # Deploy all other nodes
-  - name: 'Deploy nodes'
+  # Install Endorser node
+  - name: "Install Endorser node"
     include_role:
-      name: setup/node
+      name: setup/endorser
     vars:
-      organization: "{{ organizationItem.name | lower }}"
-      sc_name: "{{ organization }}-bevel-storageclass"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      services: "{{ organizationItem.services }}"
-      kubernetes: "{{ organizationItem.k8s }}"
-      vault: "{{ organizationItem.vault }}"
-      gitops: "{{ organizationItem.gitops }}"
-      genesis: "{{ network.genesis }}"
+      org_name: "{{ org.name | lower }}"
+      endorser: "{{ org.services.endorser | lower }}"
+      trustee: "{{ org.services.trustee | lower }}"
+      kubernetes: "{{ org.k8s }}"
+      component_name: "{{ endorser }}"
+      component_ns: "{{ org_name }}-ns"
+      values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build"
+      charts_dir: "{{ org.gitops.chart_source }}"
     loop: "{{ network['organizations'] }}"
     loop_control:
-      loop_var: organizationItem
+      loop_var: org
     when:
-    - (organizationItem.type == 'peer')
-    - (organizationItem.org_status is not defined or organizationItem.org_status == 'new')
-    - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool))
+    - (org.services.endorser is defined) and (org.services.endorser.name | length > 0)
 
-  # Create and deploy Endorser Identities
-  - name: 'Create Endorser Identities'
-    include_role:
-      name: setup/endorsers
-    vars:
-      organization: "{{ organizationItem.name | lower }}"
-      component_ns: "{{ organizationItem.name | lower }}-ns"
-      kubernetes: "{{ organizationItem.k8s }}"
-      gitops: "{{ organizationItem.gitops }}"
-      vault: "{{ organizationItem.vault }}"
-    loop: "{{ network['organizations'] }}"
-    loop_control:
-      loop_var: organizationItem
-    when:
-    - (organizationItem.type == 'peer')
-    - (organizationItem.org_status is not defined or organizationItem.org_status == 'new')
-    - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool))
-
   # These variables can be overriden from the command line
   vars: 
     install_os: "linux"                           # Default to linux OS