From 5e981bf5afccb617f05fc6f841aeeb7b8efac4c0 Mon Sep 17 00:00:00 2001 From: suvajit-sarkar Date: Fri, 19 Jan 2024 10:13:51 +0000 Subject: [PATCH] fix corda os vault secret & auth path Signed-off-by: suvajit-sarkar --- .../configuration/deploy-network.yaml | 42 ++++++++++++------- .../r3-corda/configuration/deploy-nodes.yaml | 8 ++-- .../certificates/ambassador/tasks/main.yaml | 6 +-- .../certificates/doorman/tasks/main.yaml | 18 ++++---- .../create/certificates/nms/tasks/main.yaml | 40 +++++++++--------- .../create/certificates/node/tasks/main.yaml | 28 ++++++------- .../certificates/notary/tasks/main.yaml | 28 ++++++------- .../k8_component/templates/create_doorman.tpl | 10 ++--- .../k8_component/templates/create_mongodb.tpl | 4 +- .../k8_component/templates/network_map.tpl | 10 ++--- .../create/node_component/templates/job.tpl | 12 +++--- .../create/node_component/templates/node.tpl | 16 +++---- .../delete/vault_secrets/tasks/main.yaml | 32 +------------- .../vault_secrets/tasks/nested_main.yaml | 37 ---------------- .../roles/setup/doorman/tasks/main.yml | 25 +++-------- .../roles/setup/nms/tasks/main.yaml | 23 ++-------- .../roles/setup/node/tasks/main.yaml | 22 ++-------- .../roles/setup/notary/tasks/main.yaml | 20 ++------- 18 files changed, 136 insertions(+), 245 deletions(-) diff --git a/platforms/r3-corda/configuration/deploy-network.yaml b/platforms/r3-corda/configuration/deploy-network.yaml index f798d3b1c53..caa332071b2 100644 --- a/platforms/r3-corda/configuration/deploy-network.yaml +++ b/platforms/r3-corda/configuration/deploy-network.yaml @@ -26,7 +26,6 @@ loop: "{{ network['organizations'] }}" loop_control: loop_var: org - when: network['type'] == 'corda' # Create Storageclass - name: Create StorageClass 
@@ -39,7 +38,22 @@ loop: "{{ network['organizations'] }}" loop_control: loop_var: org - when: network['type'] == 'corda' + + # Setup Vault-Kubernetes accesses + - name: "Setup vault Kubernetes accesses" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" + vars: + name: "{{ item.name | lower }}" + org_name: "{{ item.name | lower }}" + component_ns: "{{ item.name | lower }}-ns" + component_name: "{{ item.name | lower }}-vaultk8s-job" + component_auth: "{{ network.env.type }}{{ name }}" + component_type: "organization" + kubernetes: "{{ item.k8s }}" + vault: "{{ item.vault }}" + gitops: "{{ item.gitops }}" + loop: "{{ network['organizations'] }}" # Deploy Doorman node - name: Deploy Doorman service node @@ -47,14 +61,14 @@ name: setup/doorman vars: services: "{{ item.services }}" - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" gitops: "{{ item.gitops }}" loop: "{{ network['organizations'] }}" - when: network['type'] == 'corda' and item.type.find('doorman') != -1 + when: item.type.find('doorman') != -1 # Deploy NMS node - name: Deploy Networkmap service node @@ -62,14 +76,14 @@ name: setup/nms vars: services: "{{ item.services }}" - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" gitops: "{{ item.gitops }}" loop: "{{ network['organizations'] }}" - when: network['type'] == 'corda' and item.type.find('nms') != -1 + when: item.type.find('nms') != -1 # Wait for network services to respond - name: Check that network services uri are reachable 
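Review bot: With the `network['type'] == 'corda'` guards dropped from every task in this file, nothing now stops `deploy-network.yaml` from running the Corda doorman/NMS/notary/node roles against a `network.yaml` written for another platform, which would push that network's org names into Vault paths and Kubernetes namespaces here. A single pre-flight check keeps the old behaviour without repeating the condition on every task: `- assert: { that: network.type == 'corda', fail_msg: 'network.type must be corda for this playbook' }` before the first organization loop (the play header is outside this hunk). In the new vault_kubernetes task, `component_auth: "{{ network.env.type }}{{ name }}"` is built from `name`, a sibling key of the same `vars:` block; Ansible templates that lazily so it works, but it reads as order-dependent, and a one-line comment stating the resulting auth path form (`<env.type><org>`) would help the next maintainer.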
@@ -91,23 +105,23 @@ vars: services: "{{ item.services }}" node: "{{ item.services.notary }}" - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" gitops: "{{ item.gitops }}" cordapps: "{{ item.cordapps | default() }}" loop: "{{ network['organizations'] }}" - when: network['type'] == 'corda' and item.type.find('notary') != -1 + when: item.type.find('notary') != -1 # Deploy all other nodes - name: 'Deploy nodes' include_role: name: setup/node vars: - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" services: "{{ item.services }}" kubernetes: "{{ item.k8s }}" @@ -115,4 +129,4 @@ cordapps: "{{ item.cordapps | default() }}" gitops: "{{ item.gitops }}" loop: "{{ network['organizations'] }}" - when: network['type'] == 'corda' and item.type == 'node' + when: item.type == 'node' diff --git a/platforms/r3-corda/configuration/deploy-nodes.yaml b/platforms/r3-corda/configuration/deploy-nodes.yaml index 7690b23d4af..9b4c0f87b54 100644 --- a/platforms/r3-corda/configuration/deploy-nodes.yaml +++ b/platforms/r3-corda/configuration/deploy-nodes.yaml @@ -31,8 +31,8 @@ vars: services: "{{ item.services }}" node: "{{ item.services.notary }}" - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" 
@@ -46,8 +46,8 @@ include_role: name: setup/node vars: - organisation: "{{ item.name | lower }}" - sc_name: "{{ organisation }}-bevel-storageclass" + name: "{{ item.name | lower }}" + sc_name: "{{ name }}-bevel-storageclass" component_ns: "{{ item.name | lower }}-ns" services: "{{ item.services }}" kubernetes: "{{ item.k8s }}" diff --git a/platforms/r3-corda/configuration/roles/create/certificates/ambassador/tasks/main.yaml b/platforms/r3-corda/configuration/roles/create/certificates/ambassador/tasks/main.yaml index 3ef55b235a8..5da9860e313 100644 --- a/platforms/r3-corda/configuration/roles/create/certificates/ambassador/tasks/main.yaml +++ b/platforms/r3-corda/configuration/roles/create/certificates/ambassador/tasks/main.yaml @@ -25,7 +25,7 @@ # Check ambassador tls certs already created - name: Check if ambassador tls already created shell: | - vault kv get -field=tlscacerts {{ component_name }}/tlscerts + vault kv get -field=tlscacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -35,7 +35,7 @@ # Gets the existing ambassador tls certs - name: Get ambassador and tls certs from Vault shell: | - vault kv get -format=yaml {{ component_name }}/tlscerts + vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -94,7 +94,7 @@ # Stores the genreated ambassador tls certificates to vault - name: Putting tls certs to vault shell: | - vault kv put {{ component_name }}/tlscerts tlscacerts="$(cat {{ ambassadortls }}/ambassador.crt | base64)" tlskey="$(cat {{ ambassadortls }}/ambassador.key | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/tlscerts tlscacerts="$(cat {{ ambassadortls }}/ambassador.crt | base64)" tlskey="$(cat {{ ambassadortls }}/ambassador.key | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" diff --git a/platforms/r3-corda/configuration/roles/create/certificates/doorman/tasks/main.yaml b/platforms/r3-corda/configuration/roles/create/certificates/doorman/tasks/main.yaml index d45a65d3dda..0b9ca9ec61d 100644 --- a/platforms/r3-corda/configuration/roles/create/certificates/doorman/tasks/main.yaml +++ b/platforms/r3-corda/configuration/roles/create/certificates/doorman/tasks/main.yaml @@ -67,7 +67,7 @@ # Check if certificates for doorman are already created and stored in vault or not - name: Check if root certs already created shell: | - vault kv get -field=cacerts {{ component_name }}/certs + vault kv get -field=cacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -77,7 +77,7 @@ # Get the existing root certificates if any. - name: Get root certs from Vault shell: | - vault kv get -format=yaml {{ component_name }}/certs + vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -118,7 +118,7 @@ # Check if doorman certs already created - name: Check if doorman certs already created shell: | - vault kv get -field=doorman.jks {{ component_name }}/certs > {{ doormanca }}/tempkeys.jks + vault kv get -field=doorman.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ doormanca }}/tempkeys.jks environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -151,7 +151,7 @@ # Checking root certificates for mongodb - name: Check if mongoroot certs already created shell: | - vault kv get -field=mongoCA.crt {{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt + vault kv get -field=mongoCA.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -178,7 +178,7 @@ # checking if mongodb certificate already created - name: Check if mongodb certs already created shell: | - vault kv get -field=mongodb-{{component_name}}.pem {{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem + vault kv get -field=mongodb-{{component_name}}.pem {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -206,7 +206,7 @@ # Putting certs to vault for root - name: Putting certs to vault for root shell: | - vault kv put {{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -215,9 +215,9 @@ # Putting certs and credential to vault for doorman - name: Putting certs and credential to vault for doorman shell: | - vault kv put {{ component_name }}/credentials/userpassword sa="{{ userpassword_sa }}" - vault kv put {{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword }}" - vault kv put {{ component_name }}/certs doorman.jks="$(cat {{ doormanca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/userpassword sa="{{ userpassword_sa }}" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword }}" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs doorman.jks="$(cat {{ doormanca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" diff --git a/platforms/r3-corda/configuration/roles/create/certificates/nms/tasks/main.yaml b/platforms/r3-corda/configuration/roles/create/certificates/nms/tasks/main.yaml index a79fffdde7b..b9e304a5f6f 100644 --- a/platforms/r3-corda/configuration/roles/create/certificates/nms/tasks/main.yaml +++ b/platforms/r3-corda/configuration/roles/create/certificates/nms/tasks/main.yaml 
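Review bot: The `credentials/userpassword sa="{{ userpassword_sa }}"` and `credentials/mongodb mongodbPassword="{{ mongodbPassword }}"` lines pass the secrets as command-line arguments of a `shell:` task, so they are captured in the task result and in verbose (`-v`) output and log files unless the task carries `no_log: true`; that attribute is not in the hunk, so I cannot tell whether it is set further down. If it is not, add `no_log: true` next to `environment:`, which also covers the base64 private-key material (`rootcakey`, `keystore`, `doorman.jks`) written in the same task. The unchanged `VAULT_TOKEN: "{{ vault.root_token }}"` context line means every certificate task still runs with Vault's root token even though this commit introduces a Kubernetes auth path for the workloads; a scoped token for the Ansible controller would be the natural follow-up.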
@@ -40,7 +40,7 @@ # Check if root certs already created - name: Check if root certs already created shell: | - vault kv get -field=cacerts {{ component_name }}/certs + vault kv get -field=cacerts {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -50,7 +50,7 @@ # Get all root certs data from Vault - name: Get all root certs data from Vault shell: | - vault kv get -format=yaml {{ component_name }}/certs + vault kv get -format=yaml {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -79,11 +79,11 @@ - name: Generate CAroot certificate shell: | cd {{ rootca }} - keytool -genkey -keyalg RSA -alias key -dname {{ root_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme - openssl ecparam -name prime256v1 -genkey -noout -out cordarootca.key - openssl req -x509 -config {{playbook_dir}}/openssl.conf -new -nodes -key cordarootca.key -days 1024 -out cordarootca.pem -extensions v3_ca -subj '/{{ cert_subject }}' - openssl pkcs12 -export -name cert -inkey cordarootca.key -in cordarootca.pem -out cordarootcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme' - openssl pkcs12 -export -name key -inkey cordarootca.key -in cordarootca.pem -out cordarootcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme' + eval "keytool -genkey -keyalg RSA -alias key -dname {{ root_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme" + eval "openssl ecparam -name prime256v1 -genkey -noout -out cordarootca.key" + eval "openssl req -x509 -config {{playbook_dir}}/openssl.conf -new -nodes -key cordarootca.key -days 1024 -out cordarootca.pem -extensions v3_ca -subj '/{{ cert_subject }}'" + eval "openssl pkcs12 -export -name cert -inkey cordarootca.key -in cordarootca.pem -out cordarootcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'" + eval "openssl pkcs12 -export -name key -inkey cordarootca.key -in cordarootca.pem -out cordarootcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'" eval "yes | keytool -importkeystore -srckeystore cordarootcacert.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme" eval "yes | keytool -importkeystore -srckeystore cordarootcakey.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme" when: nms_root_certs.failed == True and rootca_stat_result.stat.exists == False 
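Review bot: Wrapping the keytool/openssl commands in `eval "..."` adds a second round of shell parsing that the existing quoting was not written for: inside the double-quoted eval argument, `$`, backticks and backslashes in `root_subject`/`cert_subject` are expanded before `eval` re-parses the result, so `{{ root_subject | quote }}` no longer guarantees the subject reaches keytool as one literal argument, and a subject containing a single quote (which `quote` renders as `'"'"'`) terminates the outer double-quoted string. None of these five commands needs eval (there is no stored command string or computed operator), so the direct invocation the hunk removes was both simpler and safer; if eval is kept for symmetry with the two `yes | keytool -importkeystore` lines, at least quote the openssl subject as well (`-subj {{ ('/' ~ cert_subject) | quote }}`) and keep subjects out of the eval string. The hard-coded `changeme` store and key passwords on the root-CA keystore and PKCS12 files are untouched by this commit but deserve the same treatment as the other credentials in this role.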
@@ -91,7 +91,7 @@ # Check if networkmap certs already created - name: Check if networkmap certs already created shell: | - vault kv get -field=networkmap.jks {{ component_name }}/certs > {{ nmsca }}/tempkeys.jks + vault kv get -field=networkmap.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ nmsca }}/tempkeys.jks environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -111,12 +111,12 @@ shell: | cd {{ nmsca }} rm keys.jks - keytool -genkey -keyalg RSA -alias key -dname {{ nms_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme - openssl ecparam -name prime256v1 -genkey -noout -out cordanetworkmap.key - openssl req -new -nodes -key cordanetworkmap.key -days 1000 -out cordanetworkmap.csr -subj '/{{ nms_cert_subject }}' - openssl x509 -req -days 1000 -in cordanetworkmap.csr -CA {{ rootca }}/cordarootca.pem -CAkey {{ rootca }}/cordarootca.key -out cordanetworkmap.pem -CAcreateserial -CAserial serial -extfile {{playbook_dir}}/openssl.conf -extensions networkMap - openssl pkcs12 -export -name cert -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme' - openssl pkcs12 -export -name key -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme' + eval "keytool -genkey -keyalg RSA -alias key -dname {{ nms_subject | quote }} -keystore keys.jks -storepass changeme -keypass changeme" + eval "openssl ecparam -name prime256v1 -genkey -noout -out cordanetworkmap.key" + eval "openssl req -new -nodes -key cordanetworkmap.key -days 1000 -out cordanetworkmap.csr -subj '/{{ nms_cert_subject }}'" + eval "openssl x509 -req -days 1000 -in cordanetworkmap.csr -CA {{ rootca }}/cordarootca.pem -CAkey {{ rootca }}/cordarootca.key -out cordanetworkmap.pem -CAcreateserial -CAserial serial -extfile {{playbook_dir}}/openssl.conf -extensions networkMap" + eval "openssl pkcs12 -export -name cert -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcacert.pkcs12 -cacerts -passin pass:'changeme' -passout pass:'changeme'" + eval "openssl pkcs12 -export -name key -inkey cordanetworkmap.key -in cordanetworkmap.pem -out cordanetworkmapcakey.pkcs12 -passin pass:'changeme' -passout pass:'changeme'" eval "yes | keytool -importkeystore -srckeystore 
cordanetworkmapcacert.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme" eval "yes | keytool -importkeystore -srckeystore cordanetworkmapcakey.pkcs12 -srcstoretype PKCS12 -srcstorepass changeme -destkeystore keys.jks -deststorepass changeme" when: networkmap_certs.failed == True @@ -124,7 +124,7 @@ # Checking root certificates for mongodb - name: Check if mongoroot certs already created shell: | - vault kv get -field=mongoCA.crt {{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt + vault kv get -field=mongoCA.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongorootca }}/tempmongoCA.crt environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -158,7 +158,7 @@ # Checking if mongodb certificate already created - name: Check if mongodb certs already created shell: | - vault kv get -field=mongodb-{{component_name}}.pem {{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem + vault kv get -field=mongodb-{{component_name}}.pem {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs > {{ mongodbca }}/tempmongodb-{{component_name}}.pem environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -186,7 +186,7 @@ # Putting certs to vault for root - name: Putting certs to vault for root shell: | - vault kv put {{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -195,9 +195,9 @@ # Putting certs and credential to vault for networkmap - name: Putting certs and credential to vault for networkmap shell: | - vault kv put {{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword_networkmap }}" - vault kv put {{ component_name }}/credentials/userpassword sa="{{ userpassword_networkmap }}" - vault kv put {{ component_name }}/certs networkmap.jks="$(cat {{ nmsca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/mongodb mongodbPassword="{{ mongodbPassword_networkmap }}" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/userpassword sa="{{ userpassword_networkmap }}" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs networkmap.jks="$(cat {{ nmsca }}/keys.jks | base64)" rootcakey="$(cat {{ rootca }}/keys.jks | base64)" cacerts="$(cat {{ rootca }}/cordarootca.pem | base64)" keystore="$(cat {{ rootca }}/cordarootca.key | base64)" mongodb-{{ component_name }}.pem="$(cat {{ mongodbca }}/mongodb-{{ component_name }}.pem | base64)" mongoCA.crt="$(cat {{ mongorootca }}/mongoCA.crt | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" diff --git a/platforms/r3-corda/configuration/roles/create/certificates/node/tasks/main.yaml b/platforms/r3-corda/configuration/roles/create/certificates/node/tasks/main.yaml index 45101d01265..94a51c82b49 100644 --- a/platforms/r3-corda/configuration/roles/create/certificates/node/tasks/main.yaml 
+++ b/platforms/r3-corda/configuration/roles/create/certificates/node/tasks/main.yaml @@ -21,7 +21,7 @@ # Check if truststore already created - name: Check if truststore already created shell: | - vault kv get -field=network-map-truststore {{ component_name }}/certs/networkmaptruststore + vault kv get -field=network-map-truststore {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmaptruststore environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -53,7 +53,7 @@ # Store the certificates in the vault - name: "Write networkmaptruststore to vault" shell: | - vault kv put {{ component_name }}/certs/networkmaptruststore network-map-truststore="$(cat {{ node_certs }}/network-map-truststore.jks | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmaptruststore network-map-truststore="$(cat {{ node_certs }}/network-map-truststore.jks | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -63,7 +63,7 @@ # Check if certificates already created - name: Check if certificates already created shell: | - vault kv get -field=nodekeystore.jks {{ component_name }}/certs/customnodekeystore + vault kv get -field=nodekeystore.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/customnodekeystore environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -86,8 +86,8 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/customnodekeystore nodekeystore.jks="$(cat {{ node_certs }}/nodekeystore.jks | base64)" - vault kv put {{ component_name }}/certs {{ component_name }}.cer="$(cat {{ node_certs }}/{{ component_name }}.cer | base64)" {{ component_name }}.key="$(cat {{ node_certs }}/{{ component_name }}.key | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/customnodekeystore nodekeystore.jks="$(cat {{ node_certs }}/nodekeystore.jks | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs {{ component_name }}.cer="$(cat {{ node_certs }}/{{ component_name }}.cer | base64)" {{ component_name }}.key="$(cat {{ node_certs }}/{{ component_name }}.key | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -97,7 +97,7 @@ # Check if doorman certs already created - name: Check if doorman certs already created shell: | - vault kv get -field=doorman.crt {{ component_name }}/certs/doorman + vault kv get -field=doorman.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/doorman environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -108,7 +108,7 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/doorman doorman.crt="$(cat {{ doorman_cert_file }} | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/doorman doorman.crt="$(cat {{ doorman_cert_file }} | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -118,7 +118,7 @@ # Check if networkmap certs already created - name: Check if networkmap certs already created shell: | - vault kv get -field=networkmap.crt {{ component_name }}/certs/networkmap + vault kv get -field=networkmap.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmap environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -129,7 +129,7 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/networkmap networkmap.crt="$(cat {{ nms_cert_file }} | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmap networkmap.crt="$(cat {{ nms_cert_file }} | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -139,10 +139,10 @@ # Write credentials to vault - name: "Write credentials to vault" shell: | - vault kv put {{ component_name }}/credentials/database sa="newh2pass" {{ component_name }}User1="xyz1234" {{ component_name }}User2="xyz1236" - vault kv put {{ component_name }}/credentials/rpcusers {{ component_name }}operations="usera" {{ component_name }}operations1="usera" {{ component_name }}operations2="usera" {{ component_name }}admin="usera" - vault kv put {{ component_name }}/credentials/keystore keyStorePassword="newpass" trustStorePassword="newpass" defaultTrustStorePassword="trustpass" defaultKeyStorePassword="cordacadevpass" sslkeyStorePassword="sslpass" ssltrustStorePassword="sslpass" - vault kv put {{ component_name }}/credentials/networkmappassword sa="admin" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/database sa="newh2pass" {{ component_name }}User1="xyz1234" {{ component_name }}User2="xyz1236" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/rpcusers {{ component_name }}operations="usera" {{ component_name }}operations1="usera" {{ component_name }}operations2="usera" {{ component_name }}admin="usera" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/keystore keyStorePassword="newpass" trustStorePassword="newpass" defaultTrustStorePassword="trustpass" defaultKeyStorePassword="cordacadevpass" sslkeyStorePassword="sslpass" ssltrustStorePassword="sslpass" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/networkmappassword sa="admin" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
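Review bot: The values written to `credentials/database`, `credentials/rpcusers`, `credentials/keystore` and `credentials/networkmappassword` are still literal constants (`newh2pass`, `xyz1234`, `usera`, `admin`, `newpass`, `cordacadevpass`, `sslpass`), identical for every node deployed with this role and readable by anyone with access to this repository, so storing them in Vault adds no secrecy. Since this commit already rewrites these four lines, it is the moment to generate them per node — e.g. `{{ lookup('password', '/dev/null length=24 chars=ascii_letters,digits') }}` for each password, or values taken from the node's entry in network.yaml — provided the write stays guarded so a re-run does not rotate a password under a running node. `defaultKeyStorePassword="cordacadevpass"` is the well-known Corda development-CA default; if it must remain for the dev certificates, a comment saying so would stop a reader from treating it as a real credential. The task's `environment:` follows on the context lines, so `no_log: true` can be added there if it is not already set outside the hunk.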
@@ -151,7 +151,7 @@ # Write cordapps credentials to vault - name: "Write cordapps credentials to vault" shell: | - vault kv put {{ component_name }}/credentials/cordapps repo_username="{{ cordapps_details.username }}" repo_password="{{ cordapps_details.password }}" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/cordapps repo_username="{{ cordapps_details.username }}" repo_password="{{ cordapps_details.password }}" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" diff --git a/platforms/r3-corda/configuration/roles/create/certificates/notary/tasks/main.yaml b/platforms/r3-corda/configuration/roles/create/certificates/notary/tasks/main.yaml index b3b88f306f7..9b104cff780 100644 --- a/platforms/r3-corda/configuration/roles/create/certificates/notary/tasks/main.yaml +++ b/platforms/r3-corda/configuration/roles/create/certificates/notary/tasks/main.yaml @@ -21,7 +21,7 @@ # Check if truststore already created - name: Check if truststore already created shell: | - vault kv get -field=network-map-truststore {{ component_name }}/certs/networkmaptruststore + vault kv get -field=network-map-truststore {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmaptruststore environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -62,7 +62,7 @@ # Write networkmaptruststore to vault - name: "Write networkmaptruststore to vault" shell: | - vault kv put {{ component_name }}/certs/networkmaptruststore network-map-truststore="$(cat {{ notary_certs }}/network-map-truststore.jks | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmaptruststore network-map-truststore="$(cat {{ notary_certs }}/network-map-truststore.jks | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -71,7 +71,7 @@ # Check if certificates already created - name: Check if certificates already created shell: | - vault kv get -field=nodekeystore.jks {{ component_name }}/certs/customnodekeystore + vault kv get -field=nodekeystore.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/customnodekeystore environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -92,8 +92,8 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/customnodekeystore nodekeystore.jks="$(cat {{ notary_certs }}/nodekeystore.jks | base64)" - vault kv put {{ component_name }}/certs Notary.cer="$(cat {{ notary_certs }}/Notary.cer | base64)" Notary.key="$(cat {{ notary_certs }}/Notary.key | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/customnodekeystore nodekeystore.jks="$(cat {{ notary_certs }}/nodekeystore.jks | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs Notary.cer="$(cat {{ notary_certs }}/Notary.cer | base64)" Notary.key="$(cat {{ notary_certs }}/Notary.key | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -102,7 +102,7 @@ # Check if doorman certs already created - name: Check if doorman certs already created shell: | - vault kv get -field=doorman.crt {{ component_name }}/certs/doorman + vault kv get -field=doorman.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/doorman environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -112,7 +112,7 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/doorman doorman.crt="$(cat {{ doorman_cert_file }} | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/doorman doorman.crt="$(cat {{ doorman_cert_file }} | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -121,7 +121,7 @@ # Check if networkmap certs already created - name: Check if networkmap certs already created shell: | - vault kv get -field=networkmap.crt {{ component_name }}/certs/networkmap + vault kv get -field=networkmap.crt {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmap environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" @@ -131,7 +131,7 @@ # Write certificates to vault - name: "Write certificates to vault" shell: | - vault kv put {{ component_name }}/certs/networkmap networkmap.crt="$(cat {{ nms_cert_file }} | base64)" + vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/certs/networkmap networkmap.crt="$(cat {{ nms_cert_file }} | base64)" environment: VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" 
@@ -140,10 +140,10 @@
 # Write credentials to vault
 - name: "Write credentials to vault"
 shell: |
- vault kv put {{ component_name }}/credentials/database sa="newh2pass" notaryUser1="xyz1234" notaryUser2="xyz1236"
- vault kv put {{ component_name }}/credentials/rpcusers {{ component_name }}operations="usera" {{ component_name }}operations1="usera" {{ component_name }}operations2="usera" {{ component_name }}admin="usera"
- vault kv put {{ component_name }}/credentials/keystore keyStorePassword="newpass" trustStorePassword="newpass" defaultTrustStorePassword="trustpass" defaultKeyStorePassword="cordacadevpass" sslkeyStorePassword="sslpass" ssltrustStorePassword="sslpass"
- vault kv put {{ component_name }}/credentials/networkmappassword sa="admin"
+ vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/database sa="newh2pass" notaryUser1="xyz1234" notaryUser2="xyz1236"
+ vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/rpcusers {{ component_name }}operations="usera" {{ component_name }}operations1="usera" {{ component_name }}operations2="usera" {{ component_name }}admin="usera"
+ vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/keystore keyStorePassword="newpass" trustStorePassword="newpass" defaultTrustStorePassword="trustpass" defaultKeyStorePassword="cordacadevpass" sslkeyStorePassword="sslpass" ssltrustStorePassword="sslpass"
+ vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/networkmappassword sa="admin"
 environment:
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
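Review bot: The database, RPC-user and keystore passwords written by the four new `vault kv put` lines (`sa="newh2pass"`, `...operations="usera"`, `keyStorePassword="newpass"`, `sslkeyStorePassword="sslpass"`) are fixed literals committed to the repository, so every network deployed from this role shares the same credentials and Vault only stores a value anyone with the source already knows; the commit changes where they are stored, not that they are static. Generate them per deployment, e.g. `sa="{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits') }}"`, or take them from the network configuration, and rely on the task's existing "already created" guard so a re-run does not rotate them. `defaultKeyStorePassword="cordacadevpass"` and `defaultTrustStorePassword="trustpass"` look like Corda's published development-store defaults; if the chart needs them to open the stock stores, a comment above the line saying so (`# dev-store defaults required by corda, not secrets`) keeps them from being mistaken for real credentials.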
@@ -151,7 +151,7 @@
 # Write cordapps credentials to vault
 - name: "Write cordapps credentials to vault"
 shell: |
- vault kv put {{ component_name }}/credentials/cordapps repo_username="{{ cordapps_details.username }}" repo_password="{{ cordapps_details.password }}"
+ vault kv put {{ vault.secret_path | default(name) }}/{{ name }}/{{ component_name }}/credentials/cordapps repo_username="{{ cordapps_details.username }}" repo_password="{{ cordapps_details.password }}"
 environment:
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
diff --git a/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_doorman.tpl b/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_doorman.tpl
index 6532014e8a4..7ccbdf2e630 100644
--- a/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_doorman.tpl
+++ b/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_doorman.tpl
@@ -58,11 +58,11 @@ spec:
 role: vault-role
 authpath: {{ component_auth }}
 serviceaccountname: vault-auth
- certsecretprefix: {{ services.doorman.name }}/data/certs
- dbcredsecretprefix: {{ services.doorman.name }}/data/credentials/mongodb
- secretdoormanpass: {{ services.doorman.name }}/data/credentials/userpassword
- tlscertsecretprefix: {{ services.doorman.name }}/data/tlscerts
- dbcertsecretprefix: {{ component_name }}/data/certs
+ certsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
+ dbcredsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/mongodb
+ secretdoormanpass: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/userpassword
+ tlscertsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/tlscerts
+ dbcertsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
 healthcheck:
 readinesscheckinterval: 10
 readinessthreshold: 15
diff --git a/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_mongodb.tpl b/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_mongodb.tpl
index 8016b7a11a8..50e15440f6f 100644
--- a/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_mongodb.tpl
+++ b/platforms/r3-corda/configuration/roles/create/k8_component/templates/create_mongodb.tpl
@@ -34,9 +34,9 @@ spec:
 address: {{ vault.url }}
 role: vault-role
 authpath: {{ component_auth }}
- secretprefix: {{ nodename }}/data/credentials/mongodb
+ secretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name }}/{{ nodename }}/credentials/mongodb
 serviceaccountname: vault-auth
- certsecretprefix: {{nodename}}/data/certs
+ certsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name }}/{{ nodename }}/certs
 service:
 tcp:
 port: 27017
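Review bot: `certsecretprefix` and `dbcertsecretprefix` in the doorman template now render to the identical path `.../{{ org_name}}/{{ component_name }}/certs`, whereas before they pointed at `services.doorman.name` and `component_name` respectively; that is only equivalent if the doorman's `component_name` equals the `nodename` the mongodb template uses (`.../{{ org_name }}/{{ nodename }}/certs` in the second hunk), which neither hunk can confirm. If both keys are meant to resolve to the same secret, say so with a comment above `certsecretprefix:` (`# doorman and its mongodb share one certs prefix`) so a later split is deliberate. Separately, `{{ org_name}}` lacks the closing space on every new line of this template and of network_map.tpl, job.tpl and node.tpl; `{{ org_name }}` renders the same and matches the rest of the file.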
diff --git a/platforms/r3-corda/configuration/roles/create/k8_component/templates/network_map.tpl b/platforms/r3-corda/configuration/roles/create/k8_component/templates/network_map.tpl
index e044c923078..af93d1e1990 100644
--- a/platforms/r3-corda/configuration/roles/create/k8_component/templates/network_map.tpl
+++ b/platforms/r3-corda/configuration/roles/create/k8_component/templates/network_map.tpl
@@ -62,11 +62,11 @@ spec:
 authpath: {{ component_auth }}
 serviceaccountname: vault-auth
 secretprefix: {{ component_name }}
- certsecretprefix: {{ component_name }}/data/certs
- dbcredsecretprefix: {{ component_name }}/data/credentials/mongodb
- secretnetworkmappass: {{ component_name }}/data/credentials/userpassword
- tlscertsecretprefix: {{ component_name }}/data/tlscerts
- dbcertsecretprefix: {{ component_name }}/data/certs
+ certsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
+ dbcredsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/mongodb
+ secretnetworkmappass: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/userpassword
+ tlscertsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/tlscerts
+ dbcertsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
 healthcheck:
 readinesscheckinterval: 10
 readinessthreshold: 15
diff --git a/platforms/r3-corda/configuration/roles/create/node_component/templates/job.tpl b/platforms/r3-corda/configuration/roles/create/node_component/templates/job.tpl
index 09af073c4bf..2e3ea7af3c3 100644
--- a/platforms/r3-corda/configuration/roles/create/node_component/templates/job.tpl
+++ b/platforms/r3-corda/configuration/roles/create/node_component/templates/job.tpl
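Review bot: `secretprefix: {{ component_name }}` two lines above the changed block is still the bare component name while every other `*secretprefix` in this template now carries `{{ vault.secret_path | default(org_name) }}/data/{{ org_name }}/...`; if the chart reads `secretprefix` from the same KV mount (the hunk does not show how it is consumed), that read will miss once the secrets live under the org prefix. Either update it to `secretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name }}/{{ component_name }}` or add a comment explaining why it stays mount-relative. The doorman template in the previous file has no `secretprefix` key, so it is worth checking whether this one is still used at all.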
@@ -52,7 +52,7 @@ spec:
 exportJMXTo:
 transactionCacheSizeMegaBytes: 8
 attachmentContentCacheSizeMegaBytes: 10
- {% if chart == 'notary' %}
+ {% if chart == 'corda-notary' %}
 notary:
 validating: {{ node.validating }}
 serviceLegalName: {{ node.serviceName | default() }}
@@ -108,12 +108,12 @@ spec:
 vault:
 address: {{ vault.url }}
 role: vault-role
- authpath: corda{{ component_name }}
+ authpath: {{ component_auth }}
 serviceaccountname: vault-auth
- dbsecretprefix: {{ component_name }}/data/credentials/database
- rpcusersecretprefix: {{ component_name }}/data/credentials/rpcusers
- keystoresecretprefix: {{ component_name }}/data/credentials/keystore
- certsecretprefix: {{ component_name }}/data/certs
+ dbsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/database
+ rpcusersecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/rpcusers
+ keystoresecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/keystore
+ certsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
 retries: 10
 healthcheck:
diff --git a/platforms/r3-corda/configuration/roles/create/node_component/templates/node.tpl b/platforms/r3-corda/configuration/roles/create/node_component/templates/node.tpl
index 4cefdc54bb1..792429b0bf0 100644
--- a/platforms/r3-corda/configuration/roles/create/node_component/templates/node.tpl
+++ b/platforms/r3-corda/configuration/roles/create/node_component/templates/node.tpl
@@ -52,7 +52,7 @@ spec:
 exportJMXTo:
 transactionCacheSizeMegaBytes: 8
 attachmentContentCacheSizeMegaBytes: 10
- {% if chart == 'notary' %}
+ {% if chart == 'corda-notary' %}
 notary:
 validating: {{ node.validating }}
 serviceLegalName: {{ node.serviceName | default() }}
@@ -130,14 +130,14 @@ spec:
 vault:
 address: {{ vault.url }}
 role: vault-role
- authpath: corda{{ component_name }}
+ authpath: {{ component_auth }}
 serviceaccountname: vault-auth
- dbsecretprefix: {{ component_name }}/data/credentials/database
- rpcusersecretprefix: {{ component_name }}/data/credentials/rpcusers
- keystoresecretprefix: {{ component_name }}/data/credentials/keystore
- certsecretprefix: {{ component_name }}/data/certs
- networkmapsecretprefix: {{ component_name }}/data/credentials/networkmappassword
- cordappsreposecretprefix: {{ component_name }}/data/credentials/cordapps
+ dbsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/database
+ rpcusersecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/rpcusers
+ keystoresecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/keystore
+ certsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/certs
+ networkmapsecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/networkmappassword
+ cordappsreposecretprefix: {{ vault.secret_path | default(org_name) }}/data/{{ org_name}}/{{ component_name }}/credentials/cordapps
 retries: 10
diff --git a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
index 17520b3a1f7..1ef82bf4334 100644
--- a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
+++ b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
@@ -28,7 +28,7 @@
 loop_var: service
 when: component_type != 'node'
-# Delete the Ambassador Creds for CA
+# Delete the Ambassador Creds
 - name: Delete Ambassador creds
 k8s:
 kind: Secret
@@ -44,38 +44,10 @@
 ignore_errors: yes
 changed_when: false
-# Delete vault-auth path
-- name: Delete vault-auth path
- shell: |
- vault delete sys/auth/corda{{ node.name }}
- environment:
- VAULT_ADDR: "{{ item.vault.url }}"
- VAULT_TOKEN: "{{ item.vault.root_token }}"
- loop: "{{ services.peers }}"
- loop_control:
- loop_var: node
- when: component_type == 'node'
-
 # Delete crypto materials from vault
 - name: Delete Crypto for nodes
 shell: |
- vault secrets disable {{ node.name }}
- environment:
- VAULT_ADDR: "{{ item.vault.url }}"
- VAULT_TOKEN: "{{ item.vault.root_token }}"
- loop: "{{ services.peers }}"
- loop_control:
- loop_var: node
- when: component_type == 'node'
-
-# Delete vault policies
-- name: Delete vault policy
- shell: |
- vault policy delete vault-crypto-{{ component_name }}-{{ node.name }}-ro
+ vault secrets disable {{ item.vault.secret_path | default(item.name) }}
 environment:
 VAULT_ADDR: "{{ item.vault.url }}"
 VAULT_TOKEN: "{{ item.vault.root_token }}"
- loop: "{{ services.peers }}"
- loop_control:
- loop_var: node
- when: component_type == 'node'
diff --git a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
index 3d870411b7e..edcacaac954 100644
--- a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
+++ b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
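Review bot: The new `vault secrets disable {{ item.vault.secret_path | default(item.name) }}` falls back to `item.name` as written in the configuration, while every creation path in this commit defaults to `name` or `org_name`, both `item.name | lower`; for an org whose name has capitals and no `secret_path` set, this disables a mount that does not exist and leaves the real one behind. Use `default(item.name | lower)` so teardown matches setup. Disabling a mount also drops everything under it, so if `secret_path` is one mount shared by several orgs on the same Vault, this task removes the other orgs' secrets as well; deleting only the org's own prefix (`vault kv metadata delete` on the org path for KV v2) or gating the task on an explicit confirmation variable limits the blast radius. The auth path and policies that the removed tasks used to clean up are no longer deleted anywhere in this role, so whatever the shared vault_kubernetes role creates under `{{ network.env.type }}{{ org_name }}` will be orphaned on teardown unless it is removed elsewhere.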
@@ -19,40 +19,3 @@
 state: absent
 ignore_errors: yes
 changed_when: false
-
-# Delete vault-auth path
-- name: Delete vault-auth path
- shell: |
- vault delete sys/auth/corda{{ service.value['name'] }}
- environment:
- VAULT_ADDR: "{{ item.vault.url }}"
- VAULT_TOKEN: "{{ item.vault.root_token }}"
-
-# Delete crypto materials from vault
-- name: Delete Crypto for services
- shell: |
- vault secrets disable {{ service.value['name'] }}
- environment:
- VAULT_ADDR: "{{ item.vault.url }}"
- VAULT_TOKEN: "{{ item.vault.root_token }}"
- register: test
-
-# Delete vault policies
-- name: Delete vault policy
- shell: |
- vault policy delete vault-crypto-{{ component_name }}-{{ service.value['name'] }}-ro
- environment:
- VAULT_ADDR: "{{ item.vault.url }}"
- VAULT_TOKEN: "{{ item.vault.root_token }}"
-
-# Delete Ambassador Creds for CA
-- name: Delete Ambassador creds
- k8s:
- kind: Secret
- namespace: "{{ component_name }}"
- name: "{{ service.value['name'] }}-ambassador-certs"
- kubeconfig: "{{ kubernetes.config_file }}"
- context: "{{ kubernetes.context }}"
- state: absent
- changed_when: false
- ignore_errors: yes
diff --git a/platforms/r3-corda/configuration/roles/setup/doorman/tasks/main.yml b/platforms/r3-corda/configuration/roles/setup/doorman/tasks/main.yml
index eaf2b652196..620878d8e43 100644
--- a/platforms/r3-corda/configuration/roles/setup/doorman/tasks/main.yml
+++ b/platforms/r3-corda/configuration/roles/setup/doorman/tasks/main.yml
@@ -9,7 +9,7 @@
 ##############################################################################################
 # Wait for namespace creation
-- name: "Wait for namespace creation for {{ organisation }}"
+- name: "Wait for namespace creation for {{ name }}"
 include_role:
 name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component"
 vars:
@@ -17,21 +17,6 @@
 component_name: "{{ component_ns }}"
 type: "retry"
-# Setup Vault-Kubernetes accesses and Regcred for docker registry
-- name: "Setup vault for doorman"
- include_role:
- name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes"
- vars:
- name: "{{ services.doorman.name | lower }}"
- org_name: "{{ item.name | lower }}"
- component_ns: "{{ item.name | lower }}-ns"
- component_name: "{{ services.doorman.name | lower }}-vaultk8s-job"
- component_auth: "{{ network.env.type }}{{ name }}"
- component_type: "organization"
- kubernetes: "{{ item.k8s }}"
- vault: "{{ item.vault }}"
- gitops: "{{ item.gitops }}"
-
 # Generate Doorman certificates
 - name: "Create certificates for doorman"
 include_role:
@@ -55,7 +40,7 @@
 helm_lint: "true"
 nodename: "{{ services.doorman.name }}"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.doorman.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-mongodb"
@@ -72,7 +57,7 @@
 helm_lint: "true"
 nodename: "{{ services.doorman.name }}"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.doorman.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-mongodb-tls"
@@ -88,7 +73,7 @@
 component_type: "doorman"
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.doorman.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-doorman"
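Review bot: `component_auth: "{{ network.env.type }}{{ org_name }}"` in the three chart hunks of this file references `org_name`, but the only place these hunks show it defined is the removed vault_kubernetes block, whose `vars:` were scoped to that include, and the calling play in deploy-network.yaml passes `name` rather than `org_name` into setup/doorman. If `org_name` is not set elsewhere in the role (not in view), the include fails on an undefined variable; if a stale value is inherited from an earlier loop iteration, the doorman and mongodb pods would authenticate against another org's auth path. The nms role in the next file declares `org_name: "{{ item.name | lower }}"` next to `component_auth`; mirror that here, or use `{{ network.env.type }}{{ name }}`, which is the value the removed task computed. The enclosing tasks begin above each of these hunks.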
@@ -105,7 +90,7 @@
 component_type: "doorman"
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.doorman.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-doorman-tls"
diff --git a/platforms/r3-corda/configuration/roles/setup/nms/tasks/main.yaml b/platforms/r3-corda/configuration/roles/setup/nms/tasks/main.yaml
index ffa6aea1b3e..b48a022db81 100644
--- a/platforms/r3-corda/configuration/roles/setup/nms/tasks/main.yaml
+++ b/platforms/r3-corda/configuration/roles/setup/nms/tasks/main.yaml
@@ -19,21 +19,6 @@
 tags:
 - notest
-# Setup Vault-Kubernetes accesses and Regcred for docker registry
-- name: "Setup vault for nms"
- include_role:
- name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes"
- vars:
- name: "{{ services.nms.name | lower }}"
- org_name: "{{ item.name | lower }}"
- component_ns: "{{ item.name | lower }}-ns"
- component_name: "{{ services.nms.name | lower }}-vaultk8s-job"
- component_auth: "{{ network.env.type }}{{ name }}"
- component_type: "organization"
- kubernetes: "{{ item.k8s }}"
- vault: "{{ item.vault }}"
- gitops: "{{ item.gitops }}"
-
 # generate NMS certificates
 - name: "Create certificates for nms"
 include_role:
@@ -56,8 +41,8 @@
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source}}"
 nodename: "{{ services.nms.name | lower }}"
- component_auth: "corda{{ services.nms.name | lower }}"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-mongodb"
@@ -74,7 +59,7 @@
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source}}"
 nodename: "{{ services.nms.name | lower }}"
- component_auth: "corda{{ services.nms.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-mongodb-tls"
@@ -90,7 +75,7 @@
 org_name: "{{ item.name | lower }}"
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.nms.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-networkmap"
@@ -107,7 +92,7 @@
 org_name: "{{ item.name | lower }}"
 helm_lint: "true"
 charts_dir: "{{ gitops.chart_source }}"
- component_auth: "corda{{ services.nms.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 org: "{{ item }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
 chart: "corda-networkmap-tls"
diff --git a/platforms/r3-corda/configuration/roles/setup/node/tasks/main.yaml b/platforms/r3-corda/configuration/roles/setup/node/tasks/main.yaml
index 0288b123b44..8aa6fa15758 100644
--- a/platforms/r3-corda/configuration/roles/setup/node/tasks/main.yaml
+++ b/platforms/r3-corda/configuration/roles/setup/node/tasks/main.yaml
@@ -19,24 +19,6 @@
 tags:
 - notest
-# Setup Vault-Kubernetes accesses and Regcred for docker registry
-- name: "Setup vault for nodes"
- include_role:
- name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes"
- vars:
- name: "{{ node.name | lower }}"
- org_name: "{{ item.name | lower }}"
- component_ns: "{{ item.name | lower }}-ns"
- component_name: "{{ node.name | lower }}-vaultk8s-job"
- component_auth: "{{ network.env.type }}{{ name }}"
- component_type: "organization"
- kubernetes: "{{ item.k8s }}"
- vault: "{{ item.vault }}"
- gitops: "{{ item.gitops }}"
- loop: "{{ services.peers }}"
- loop_control:
- loop_var: node
-
 # Generate crypto for nodes
 - name: Generate crypto for nodes
 include_role:
@@ -70,7 +52,7 @@
 # Check if nodekeystore already created
 - name: Check if nodekeystore already created
 shell: |
- vault kv get -field=nodekeystore.jks {{ node.name }}/certs/nodekeystore
+ vault kv get -field=nodekeystore.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ node.name }}/certs/nodekeystore
 environment:
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
@@ -89,6 +71,7 @@
 node_type: "node"
 component_type: "job"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 component_name: "{{ node.name }}"
 nms_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}"
 nms_domain: "{{ nms_url.split(':')[1] }}"
@@ -120,6 +103,7 @@
 node_type: "node"
 component_type: "node"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 component_name: "{{ node.name }}"
 nms_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}"
 nms_domain: "{{ nms_url.split(':')[1] }}"
diff --git a/platforms/r3-corda/configuration/roles/setup/notary/tasks/main.yaml b/platforms/r3-corda/configuration/roles/setup/notary/tasks/main.yaml
index a29643a1274..55732ef41da 100644
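Review bot: With the per-node vault_kubernetes include removed from this file, every node pod of an org now authenticates through one auth path (`component_auth: "{{ network.env.type }}{{ org_name }}"` in the job and node hunks) and the templates' single `vault-role`, so whatever policy the shared role binds to that role is the same for all of the org's nodes; unless that policy is scoped per node path, any node can read its siblings' `credentials/keystore` and `certs/nodekeystore`, which the previous per-node path and `vault-crypto-...-{{ node.name }}-ro` policy did not allow. Either keep per-node policies limited to `{{ org_name }}/{{ node.name }}/*` under the mount, or record the intended boundary above the first added line (`# all nodes of this org share one vault auth path and policy`) so the widening is a decision rather than an accident. The `vault kv get` check in the second hunk also relies on `name` being the lowercased org name supplied by deploy-nodes.yaml (changed in this commit but not in view); the same applies to the notary role in the next file.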
--- a/platforms/r3-corda/configuration/roles/setup/notary/tasks/main.yaml
+++ b/platforms/r3-corda/configuration/roles/setup/notary/tasks/main.yaml
@@ -19,21 +19,6 @@
 tags:
 - notest
-# Setup Vault-Kubernetes accesses and Regcred for docker registry
-- name: "Setup vault for notaries"
- include_role:
- name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes"
- vars:
- name: "{{ node.name | lower }}"
- org_name: "{{ item.name | lower }}"
- component_ns: "{{ item.name | lower }}-ns"
- component_name: "{{ node.name | lower }}-vaultk8s-job"
- component_auth: "{{ network.env.type }}{{ name }}"
- component_type: "organization"
- kubernetes: "{{ item.k8s }}"
- vault: "{{ item.vault }}"
- gitops: "{{ item.gitops }}"
-
 # Generate crypto for notary
 - name: Generate crypto for notary
 include_role:
@@ -55,6 +40,7 @@
 component_type: "db"
 component_name: "{{ node.name }}"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 service_name: "{{ node.name | lower }}"
 corda_version: "corda-{{ network.version }}"
 release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}"
@@ -62,7 +48,7 @@
 # Check if nodekeystore already created
 - name: Check if nodekeystore already created
 shell: |
- vault kv get -field=nodekeystore.jks {{ node.name }}/certs/nodekeystore
+ vault kv get -field=nodekeystore.jks {{ vault.secret_path | default(name) }}/{{ name }}/{{ node.name }}/certs/nodekeystore
 environment:
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
@@ -78,6 +64,7 @@
 component_type: "job"
 component_name: "{{ node.name }}"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 nms_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}"
 nms_domain: "{{ nms_url.split(':')[1] }}"
 doorman_url: "{{ network | json_query('network_services[?type==`doorman`].uri') | first }}"
@@ -102,6 +89,7 @@
 node_type: "notary"
 component_type: "node"
 org_name: "{{ item.name | lower }}"
+ component_auth: "{{ network.env.type }}{{ org_name }}"
 component_name: "{{ node.name }}"
 nms_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}"
 nms_domain: "{{ nms_url.split(':')[1] }}"