
fix corda os vault secret & auth path
Signed-off-by: suvajit-sarkar <[email protected]>
suvajit-sarkar authored and sownak committed Jan 22, 2024
1 parent 611991a commit 5e981bf
Showing 18 changed files with 136 additions and 245 deletions.
42 changes: 28 additions & 14 deletions platforms/r3-corda/configuration/deploy-network.yaml
Expand Up @@ -26,7 +26,6 @@
loop: "{{ network['organizations'] }}"
loop_control:
loop_var: org
when: network['type'] == 'corda'

# Create Storageclass
- name: Create StorageClass
Expand All @@ -39,37 +38,52 @@
loop: "{{ network['organizations'] }}"
loop_control:
loop_var: org
when: network['type'] == 'corda'

# Setup Vault-Kubernetes accesses
- name: "Setup vault Kubernetes accesses"
include_role:
name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes"
vars:
name: "{{ item.name | lower }}"
org_name: "{{ item.name | lower }}"
component_ns: "{{ item.name | lower }}-ns"
component_name: "{{ item.name | lower }}-vaultk8s-job"
component_auth: "{{ network.env.type }}{{ name }}"
component_type: "organization"
kubernetes: "{{ item.k8s }}"
vault: "{{ item.vault }}"
gitops: "{{ item.gitops }}"
loop: "{{ network['organizations'] }}"

# Deploy Doorman node
- name: Deploy Doorman service node
include_role:
name: setup/doorman
vars:
services: "{{ item.services }}"
organisation: "{{ item.name | lower }}"
sc_name: "{{ organisation }}-bevel-storageclass"
name: "{{ item.name | lower }}"
sc_name: "{{ name }}-bevel-storageclass"
component_ns: "{{ item.name | lower }}-ns"
kubernetes: "{{ item.k8s }}"
vault: "{{ item.vault }}"
gitops: "{{ item.gitops }}"
loop: "{{ network['organizations'] }}"
when: network['type'] == 'corda' and item.type.find('doorman') != -1
when: item.type.find('doorman') != -1

# Deploy NMS node
- name: Deploy Networkmap service node
include_role:
name: setup/nms
vars:
services: "{{ item.services }}"
organisation: "{{ item.name | lower }}"
sc_name: "{{ organisation }}-bevel-storageclass"
name: "{{ item.name | lower }}"
sc_name: "{{ name }}-bevel-storageclass"
component_ns: "{{ item.name | lower }}-ns"
kubernetes: "{{ item.k8s }}"
vault: "{{ item.vault }}"
gitops: "{{ item.gitops }}"
loop: "{{ network['organizations'] }}"
when: network['type'] == 'corda' and item.type.find('nms') != -1
when: item.type.find('nms') != -1

# Wait for network services to respond
- name: Check that network services uri are reachable
Expand All @@ -91,28 +105,28 @@
vars:
services: "{{ item.services }}"
node: "{{ item.services.notary }}"
organisation: "{{ item.name | lower }}"
sc_name: "{{ organisation }}-bevel-storageclass"
name: "{{ item.name | lower }}"
sc_name: "{{ name }}-bevel-storageclass"
component_ns: "{{ item.name | lower }}-ns"
kubernetes: "{{ item.k8s }}"
vault: "{{ item.vault }}"
gitops: "{{ item.gitops }}"
cordapps: "{{ item.cordapps | default() }}"
loop: "{{ network['organizations'] }}"
when: network['type'] == 'corda' and item.type.find('notary') != -1
when: item.type.find('notary') != -1

# Deploy all other nodes
- name: 'Deploy nodes'
include_role:
name: setup/node
vars:
organisation: "{{ item.name | lower }}"
sc_name: "{{ organisation }}-bevel-storageclass"
name: "{{ item.name | lower }}"
sc_name: "{{ name }}-bevel-storageclass"
component_ns: "{{ item.name | lower }}-ns"
services: "{{ item.services }}"
kubernetes: "{{ item.k8s }}"
vault: "{{ item.vault }}"
cordapps: "{{ item.cordapps | default() }}"
gitops: "{{ item.gitops }}"
loop: "{{ network['organizations'] }}"
when: network['type'] == 'corda' and item.type == 'node'
when: item.type == 'node'
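Review bot: The new "Setup vault Kubernetes accesses" include runs for every organization with no `when:`, and the same section drops `network['type'] == 'corda'` from the namespace, StorageClass and every include task, so this play no longer checks the network type anywhere; if deploy-network.yaml is only ever included for corda networks that is fine, but a comment at the top such as `# This play assumes network.type == 'corda'; the per-task type guards were removed in 5e981bf` would keep a future caller from running doorman/nms setup against another network type. The rename of `organisation` to `name` here and in deploy-nodes.yaml is only safe if no role task or template under setup/* still reads `organisation`; that cannot be checked from this page, so it is worth a grep before merging. Reusing `name` as a play variable is also easy to confuse with the task and `include_role` `name:` keys around it — the vault task already sets `org_name`, which reads more clearly in `component_auth: "{{ network.env.type }}{{ org_name }}"`.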
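--- a/platforms/r3-corda/configuration/deploy-nodes.yaml
+++ b/platforms/r3-corda/configuration/deploy-nodes.yaml
@@ -31,8 +31,8 @@
 vars:
 services: "{{ item.services }}"
 node: "{{ item.services.notary }}"
-organisation: "{{ item.name | lower }}"
-sc_name: "{{ organisation }}-bevel-storageclass"
+name: "{{ item.name | lower }}"
+sc_name: "{{ name }}-bevel-storageclass"
 component_ns: "{{ item.name | lower }}-ns"
 kubernetes: "{{ item.k8s }}"
 vault: "{{ item.vault }}"
@@ -46,8 +46,8 @@
 include_role:
 name: setup/node
 vars:
-organisation: "{{ item.name | lower }}"
-sc_name: "{{ organisation }}-bevel-storageclass"
+name: "{{ item.name | lower }}"
+sc_name: "{{ name }}-bevel-storageclass"
 component_ns: "{{ item.name | lower }}-ns"
 services: "{{ item.services }}"
 kubernetes: "{{ item.k8s }}"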
Expand Up @@ -25,7 +25,7 @@
# Check ambassador tls certs already created
- name: Check if ambassador tls already created
shell: |
vault kv get -field=tlscacerts {{ component_name }}/tlscerts
vault kv get -field=tlscacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -35,7 +35,7 @@
# Gets the existing ambassador tls certs
- name: Get ambassador and tls certs from Vault
shell: |
vault kv get -format=yaml {{ component_name }}/tlscerts
vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -94,7 +94,7 @@
# Stores the genreated ambassador tls certificates to vault
- name: Putting tls certs to vault
shell: |
vault kv put {{ component_name }}/tlscerts tlscacerts="$(cat {{ ambassadortls }}/ambassador.crt | base64)" tlskey="$(cat {{ ambassadortls }}/ambassador.key | base64)"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts tlscacerts="$(cat {{ ambassadortls }}/ambassador.crt | base64)" tlskey="$(cat {{ ambassadortls }}/ambassador.key | base64)"
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
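Review bot: The new secret path `{{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts` falls back to the organization name as the KV mount when `vault.secret_path` is unset, which yields `<org>/<org>/<component>/tlscerts`; unless a KV secrets engine is mounted under each organization name (not visible here), every `vault kv get` and `vault kv put` in this role fails under the default, so a fixed default mount name would be safer than `default(name)`. The same expression is repeated in the doorman and networkmap certificate tasks in the next two sections, and all three roles now also depend on `name` being passed by every play that includes them, not only by deploy-network.yaml as changed in this commit. A comment above the first task would make both dependencies visible, e.g. `# Vault path: <vault.secret_path, or the org name if unset>/<org name>/<component>; 'name' must be supplied by the including play`.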
Expand Up @@ -67,7 +67,7 @@
# Check if certificates for doorman are already created and stored in vault or not
- name: Check if root certs already created
shell: |
vault kv get -field=cacerts {{ component_name }}/certs
vault kv get -field=cacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -77,7 +77,7 @@
# Get the existing root certificates if any.
- name: Get root certs from Vault
shell: |
vault kv get -format=yaml {{ component_name }}/certs
vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -118,7 +118,7 @@
# Check if doorman certs already created
- name: Check if doorman certs already created
shell: |
vault kv get -field=doorman.jks {{ component_name }}/certs > {{ doormanca }}/tempkeys.jks
vault kv get -field=doorman.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ doormanca }}/tempkeys.jks
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -151,7 +151,7 @@
# Checking root certificates for mongodb
- name: Check if mongoroot certs already created
shell: |
vault kv get -field=mongoCA.crt {{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt
vault kv get -field=mongoCA.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -178,7 +178,7 @@
# checking if mongodb certificate already created
- name: Check if mongodb certs already created
shell: |
vault kv get -field=mongodb-{{component_name}}.pem {{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem
vault kv get -field=mongodb-{{component_name}}.pem {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -206,7 +206,7 @@
# Putting certs to vault for root
- name: Putting certs to vault for root
shell: |
vault kv put {{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)"
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -215,9 +215,9 @@
# Putting certs and credential to vault for doorman
- name: Putting certs and credential to vault for doorman
shell: |
vault kv put {{ component_name }}/credentials/userpassword sa="{{ userpassword_sa }}"
vault kv put {{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword }}"
vault kv put {{ component_name }}/certs doorman.jks="$(cat {{ doormanca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/userpassword sa="{{ userpassword_sa }}"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword }}"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs doorman.jks="$(cat {{ doormanca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)"
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Up @@ -40,7 +40,7 @@
# Check if root certs already created
- name: Check if root certs already created
shell: |
vault kv get -field=cacerts {{ component_name }}/certs
vault kv get -field=cacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -50,7 +50,7 @@
# Get all root certs data from Vault
- name: Get all root certs data from Vault
shell: |
vault kv get -format=yaml {{ component_name }}/certs
vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -79,19 +79,19 @@
- name: Generate CAroot certificate
shell: |
cd {{ rootca }}
keytool -genkey -keyalg RSA -alias key -dname {{ root_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme
openssl ecparam -name prime256v1 -genkey -noout -out cordarootca.key
openssl req -x509 -config {{playbook_dir}}/openssl.conf -new -nodes -key cordarootca.key -days 1024 -out cordarootca.pem -extensions v3_ca -subj '/{{ cert_subject }}'
openssl pkcs12 -export -name cert -inkey cordarootca.key -in cordarootca.pem -out cordarootcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'
openssl pkcs12 -export -name key -inkey cordarootca.key -in cordarootca.pem -out cordarootcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'
eval "keytool -genkey -keyalg RSA -alias key -dname {{ root_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme"
eval "openssl ecparam -name prime256v1 -genkey -noout -out cordarootca.key"
eval "openssl req -x509 -config {{playbook_dir}}/openssl.conf -new -nodes -key cordarootca.key -days 1024 -out cordarootca.pem -extensions v3_ca -subj '/{{ cert_subject }}'"
eval "openssl pkcs12 -export -name cert -inkey cordarootca.key -in cordarootca.pem -out cordarootcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'"
eval "openssl pkcs12 -export -name key -inkey cordarootca.key -in cordarootca.pem -out cordarootcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'"
eval "yes | keytool -importkeystore -srckeystore cordarootcacert.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme"
eval "yes | keytool -importkeystore -srckeystore cordarootcakey.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme"
when: nms_root_certs.failed == True and rootca_stat_result.stat.exists == False

# Check if networkmap certs already created
- name: Check if networkmap certs already created
shell: |
vault kv get -field=networkmap.jks {{ component_name }}/certs > {{ nmsca }}/tempkeys.jks
vault kv get -field=networkmap.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ nmsca }}/tempkeys.jks
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -111,20 +111,20 @@
shell: |
cd {{ nmsca }}
rm keys.jks
keytool -genkey -keyalg RSA -alias key -dname {{ nms_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme
openssl ecparam -name prime256v1 -genkey -noout -out cordanetworkmap.key
openssl req -new -nodes -key cordanetworkmap.key -days 1000 -out cordanetworkmap.csr -subj '/{{ nms_cert_subject }}'
openssl x509 -req -days 1000 -in cordanetworkmap.csr -CA {{ rootca }}/cordarootca.pem -CAkey {{ rootca }}/cordarootca.key -out cordanetworkmap.pem -CAcreateserial -CAserial serial -extfile {{playbook_dir}}/openssl.conf -extensions networkMap
openssl pkcs12 -export -name cert -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'
openssl pkcs12 -export -name key -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'
eval "keytool -genkey -keyalg RSA -alias key -dname {{ nms_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme"
eval "openssl ecparam -name prime256v1 -genkey -noout -out cordanetworkmap.key"
eval "openssl req -new -nodes -key cordanetworkmap.key -days 1000 -out cordanetworkmap.csr -subj '/{{ nms_cert_subject }}'"
eval "openssl x509 -req -days 1000 -in cordanetworkmap.csr -CA {{ rootca }}/cordarootca.pem -CAkey {{ rootca }}/cordarootca.key -out cordanetworkmap.pem -CAcreateserial -CAserial serial -extfile {{playbook_dir}}/openssl.conf -extensions networkMap"
eval "openssl pkcs12 -export -name cert -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'"
eval "openssl pkcs12 -export -name key -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'"
eval "yes | keytool -importkeystore -srckeystore cordanetworkmapcacert.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme"
eval "yes | keytool -importkeystore -srckeystore cordanetworkmapcakey.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme"
when: networkmap_certs.failed == True

# Checking root certificates for mongodb
- name: Check if mongoroot certs already created
shell: |
vault kv get -field=mongoCA.crt {{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt
vault kv get -field=mongoCA.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -158,7 +158,7 @@
# Checking if mongodb certificate already created
- name: Check if mongodb certs already created
shell: |
vault kv get -field=mongodb-{{component_name}}.pem {{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem
vault kv get -field=mongodb-{{component_name}}.pem {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand Down Expand Up @@ -186,7 +186,7 @@
# Putting certs to vault for root
- name: Putting certs to vault for root
shell: |
vault kv put {{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)"
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
Expand All @@ -195,9 +195,9 @@
# Putting certs and credential to vault for networkmap
- name: Putting certs and credential to vault for networkmap
shell: |
vault kv put {{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword_networkmap }}"
vault kv put {{ component_name }}/credentials/userpassword sa="{{ userpassword_networkmap }}"
vault kv put {{ component_name }}/certs networkmap.jks="$(cat {{ nmsca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword_networkmap }}"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/userpassword sa="{{ userpassword_networkmap }}"
vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs networkmap.jks="$(cat {{ nmsca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)"
environment:
VAULT_ADDR: "{{ vault.url }}"
VAULT_TOKEN: "{{ vault.root_token }}"
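Review bot: Wrapping each keytool/openssl command in `eval "…"` in the CAroot and networkmap generation tasks adds a second shell parse with no benefit: the lines already execute inside the `shell: |` block, and the extra pass re-expands `$`, backticks and quotes within the double-quoted string, so the protection that `root_subject | quote` and `nms_subject | quote` give against special characters in the subject is undone, and a `"` in `cert_subject` or `nms_cert_subject` now breaks the command. The two `yes | keytool -importkeystore …` lines the hunks add run without eval as well, so the fix is to drop the `eval "` prefix and the closing `"` on each of those lines and keep the commands as plain shell; the networkmap task's `- name:` line sits above its hunk. The literal `changeme` store and key passwords remain on every line; that predates this commit, but since keys.jks is subsequently pushed to vault it is worth tracking as a follow-up.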
