[fabic] Introduce helm chart deployment capability for version 2.5 (#…

…2529)

**Primary Changes**

1. This PR includes changes to deploy fabric 2.5.4 without a channel using helm charts.
2. Version 2.2.2 is pending
3. Deploy with Ansible pending

**Changes in charts**
platforms/hyperledger-fabric/charts/fabric-ca-server
platforms/hyperledger-fabric/charts/fabric-cacerts-gen
platforms/hyperledger-fabric/charts/fabric-catools
platforms/hyperledger-fabric/charts/fabric-cli
platforms/hyperledger-fabric/charts/fabric-orderernode
platforms/hyperledger-fabric/charts/fabric-peernode

fixes #2484

Signed-off-by: mgCepeda <[email protected]>

platforms/hyperledger-fabric/charts/README.md

@@ -0,0 +1,135 @@
+[//]: # (##############################################################################################)
+[//]: # (Copyright Accenture. All Rights Reserved.)
+[//]: # (SPDX-License-Identifier: Apache-2.0)
+[//]: # (##############################################################################################)
+
+# Charts for Hyperledger Fabric components
+
+## About
+This folder contains the helm charts which are used for the deployment of the Hyperledger Fabric components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS is fully supported.
+
+```yaml
+global:
+  serviceAccountName: vault-auth
+  cluster:
+    provider: aws   # choose from: minikube | aws
+    cloudNativeServices: false  # future: set to true to use Cloud Native Services 
+    kubernetesUrl: "https://yourkubernetes.com" # Provide the k8s URL, ignore if not using Hashicorp Vault
+  vault:
+    type: hashicorp # choose from hashicorp | kubernetes
+    network: besu   # must be besu for these charts
+    # Following are necessary only when hashicorp vault is used.
+    address: http://vault.url:8200
+    authPath: supplychain
+    secretEngine: secretsv2
+    secretPrefix: "data/supplychain"
+    role: vault-role
+```
+
+## Usage
+
+### Pre-requisites
+
+- Kubernetes Cluster (either Managed cloud option like EKS or local like minikube)
+- Accessible and unsealed Hahsicorp Vault (if using Vault)
+- Configured Haproxy  (if using Haproxy as proxy)
+- Update the dependencies
+  ```
+  helm dependency update fabric-ca-server
+  helm dependency update fabric-orderernode
+  helm dependency update fabric-peernode
+  ```
+
+### _Without Proxy or Vault_
+
+### To setup Orderer organization
+```bash
+kubectl create namespace supplychain-net 
+
+helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/ca-server.yaml
+
+# Install the Orderers
+helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml
+helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml
+helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml
+```
+
+### To setup Peer organization
+
+```bash
+kubectl create namespace carrier-net 
+
+# Get the Orderer tls certificate and place in fabric-catools/files
+cd ./fabric-catools/files
+kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt
+
+# Before installing, we must use the dependencies again, due to the addition of the file in the files folder
+cd ../..
+helm dependency update fabric-ca-server
+
+helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/ca-server.yaml
+
+# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
+# This step is optional
+cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files
+
+# Install the Peers
+helm install peer0 ./fabric-peernode --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/peer.yaml
+```
+
+### _With Ambassador proxy and Vault_
+
+### To setup Orderer organization
+
+Replace the `global.vault.address`, `global.cluster.kubernetesUrl` and `global.proxy.externalUrlSuffix` in all the files in `./values/proxy-and-vault/` folder.
+
+```bash
+kubectl create namespace supplychain-net 
+
+kubectl -n supplychain-net create secret generic roottoken --from-literal=token=<VAULT_ROOT_TOKEN>
+
+helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/ca-server.yaml
+
+# Install the Orderers
+helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml
+helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml
+helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml
+```
+
+### To setup Peer organization
+
+```bash
+kubectl create namespace carrier-net 
+
+kubectl -n carrier-net create secret generic roottoken --from-literal=token=<VAULT_ROOT_TOKEN>
+
+# Get the Orderer tls certificate and place in fabric-catools/files
+cd ./fabric-catools/files
+kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt
+
+# Before installing, we must use the dependencies again, due to the addition of the file in the files folder
+cd ../..
+helm dependency update fabric-ca-server
+
+helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/ca-server.yaml
+
+# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files
+# This step is optional
+cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files
+
+# Install the Peers
+helm install peer0 ./fabric-peernode --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/peer.yaml
+```
+
+### Clean-up
+
+To clean up, just uninstall the helm releases.
+```bash
+helm uninstall --namespace supplychain-net orderer1
+helm uninstall --namespace supplychain-net orderer2
+helm uninstall --namespace supplychain-net orderer3
+helm uninstall --namespace supplychain-net supplychain-ca
+
+helm uninstall --namespace carrier-net peer0
+helm uninstall --namespace carrier-net carrier-ca
+```

platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml

@@ -5,7 +5,23 @@
 ##############################################################################################
 
 apiVersion: v1
-appVersion: "2.0"
-description: "Hyperledger Fabric: Deploys a CA server."
 name: fabric-ca-server
+description: "Hyperledger Fabric: Deploys a CA server."
 version: 1.0.0
+appVersion: latest
+keywords:
+  - bevel
+  - ethereum
+  - fabric
+  - hyperledger
+  - enterprise
+  - blockchain
+  - deployment
+  - accenture
+home: https://hyperledger-bevel.readthedocs.io/en/latest/
+sources:
+  - https://github.com/hyperledger/bevel
+maintainers:
+  - name: Hyperledger Bevel maintainers
+    email: [email protected]
+

platforms/hyperledger-fabric/charts/fabric-ca-server/README.md

@@ -122,9 +122,9 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy
 
 | Name                      | Description                                        | Default Value  |
 | --------------------------| ---------------------------------------------------| ---------------|
-| servicetype               | Service type for the pod                           | ClusterIP      |
-| ports.tcp.nodeport        | TCP node port to be exposed for CA server          | 30007          |
-| ports.tcp.clusteripport   | TCP cluster IP port to be exposed for CA server    | 7054           |
+| serviceType               | Service type for the pod                           | ClusterIP      |
+| ports.tcp.nodePort        | TCP node port to be exposed for CA server          | 30007          |
+| ports.tcp.clusterIpPort   | TCP cluster IP port to be exposed for CA server    | 7054           |
 
 ### Annotations
 
@@ -139,7 +139,7 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy
 | ----------------------| -------------------------------------------------------------------------|--------------------------------|
 | provider              | Proxy/ingress provider. Possible values: "haproxy" or "none"             | haproxy                        |
 | type                  | Type of the deployment. Possible values: "orderer", "peer", or "test"    | test                           |
-| external_url_suffix   | External URL suffix for the organization                                 | org1proxy.blockchaincloudpoc.com    |
+| externalUrlSuffix   | External URL suffix for the organization                                 | org1proxy.blockchaincloudpoc.com    |
 
 
 <a name = "deployment"></a>

platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml

@@ -0,0 +1,29 @@
+dependencies:
+  - name: bevel-vault-mgmt
+    repository: "file://../../../shared/charts/bevel-vault-mgmt"
+    tags:
+      - bevel
+    version: ~1.0.0
+  - name: bevel-scripts
+    repository: "file://../../../shared/charts/bevel-scripts"
+    tags:
+      - bevel
+    version: ~1.0.0
+  - name: bevel-storageclass
+    alias: storage
+    repository: "file://../../../shared/charts/bevel-storageclass"
+    tags:
+      - storage
+    version: ~1.0.0
+  - name: fabric-cacerts-gen
+    alias: cacerts
+    repository: "file://../fabric-cacerts-gen"
+    tags:
+      - cacerts
+    version: ~1.0.0
+  - name: fabric-catools
+    alias: catools
+    repository: "file://../fabric-catools"
+    tags:
+      - catools
+    version: ~1.0.0

platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl

@@ -1,8 +1,31 @@
-{{- define "labels.custom" }}
-  {{ range $key, $val := $.Values.metadata.labels }}
-  {{ $key }}: {{ $val }}
-  {{ end }}
-{{- end }}
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fabric-ca-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fabric-ca-server.fullname" -}}
+{{- $name := default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fabric-ca-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{- define "labels.deployment" -}}
 {{- if $.Values.labels }}

platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml

@@ -0,0 +1,125 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "fabric-ca-server.name" . }}-cleanup
+  labels:
+    app.kubernetes.io/name: fabric-ca-server-job-cleanup
+    app.kubernetes.io/component: ca-server-job-cleanup
+    app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }}
+    app.kubernetes.io/namespace: {{ .Release.Namespace }}
+    app.kubernetes.io/managed-by: helm
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook-weight: "0"
+    helm.sh/hook: "pre-delete"
+    helm.sh/hook-delete-policy: "hook-succeeded"
+spec:
+  backoffLimit: 3
+  completions: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: fabric-ca-server-job-cleanup
+        app.kubernetes.io/component: ca-server-job-cleanup
+        app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }}
+        app.kubernetes.io/namespace: {{ .Release.Namespace }}
+        app.kubernetes.io/managed-by: helm
+    spec:
+      serviceAccountName: {{ .Values.global.serviceAccountName }}      
+      restartPolicy: "Never"
+      containers:
+        - name: delete-secrets
+          image: "{{ $.Values.image.alpineUtils }}"
+          securityContext:
+            runAsUser: 0
+          imagePullPolicy: IfNotPresent
+          env:
+          - name: COMPONENT_TYPE
+            value: {{ $.Values.catools.orgData.type }}
+          - name: ORDERERS_NAMES
+            value: "{{ $.Values.catools.orderers | join " " -}}"
+          - name: PEERS_NAMES
+            value: "{{ $.Values.catools.peers | join " " -}}"
+          - name: USERS_IDENTITIES
+            value: "{{ $.Values.catools.users.usersIdentities | join " " -}}"
+          command: ["sh", "-c"]
+          args:
+            - |-
+{{- if .Values.settings.removeCertsOnDelete }}
+
+              function deleteSecret {
+                key=$1
+                kubectl get secret ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                  kubectl delete secret ${key} --namespace {{ .Release.Namespace }}
+                fi
+              }
+              deleteSecret ca-certs
+              deleteSecret ca-credentials
+
+              deleteSecret admin-tls
+              deleteSecret admin-msp
+
+              if [ "$COMPONENT_TYPE" = "orderer" ]; then
+                SERVICES_NAMES=$ORDERERS_NAMES;
+              fi;
+
+              if [ "$COMPONENT_TYPE" = "peer" ]; then
+                SERVICES_NAMES=$PEERS_NAMES;
+              fi;
+
+              for SERVICE in $SERVICES_NAMES
+              do
+                # Check if orderer/peer msp already created
+                if [ "$COMPONENT_TYPE" = "peer" ]; then
+                  SERVICE_NAME="${SERVICE%%,*}"
+                  deleteSecret ${SERVICE_NAME}-msp 
+                fi;
+
+                if [ "$COMPONENT_TYPE" = "orderer" ]; then
+                  SERVICE_NAME="${SERVICE}"
+                  deleteSecret ${SERVICE_NAME}-msp 
+                fi;
+
+                # Check if orderer/peer msp already created
+                if [ "$COMPONENT_TYPE" = "peer" ]; then
+                  SERVICE_NAME="${SERVICE%%,*}"
+                  deleteSecret ${SERVICE_NAME}-tls
+                fi;
+
+                if [ "$COMPONENT_TYPE" = "orderer" ]; then
+                  SERVICE_NAME="${SERVICE}"
+                  deleteSecret ${SERVICE_NAME}-tls
+                fi;
+              done
+
+               if [ $COMPONENT_TYPE == 'peer' ];
+              then
+                # Check if msp config file already created
+                deleteSecret msp-config 
+                deleteSecret orderer-tls  
+                deleteSecret couchdb    
+              fi;
+
+              if [ "$USERS_IDENTITIES" ]
+              then
+                for user_identity in $USERS_IDENTITIES
+                do
+                  # Check if users tls already created
+                  deleteSecret ${user_identity}-tls
+                  # Check if users msp already created for users
+                  deleteSecret ${user_identity}-msp
+                done
+              fi
+
+{{- end}} 
+
+{{- if .Values.settings.removeOrdererTlsOnDelete }}
+
+              if kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert &> /dev/null; then
+                echo "Deleting orderer-tls-cacert configmap in k8s ..."
+                kubectl delete configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert
+              fi
+{{- end}}
+

platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml

@@ -8,14 +8,15 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Values.server.name }}-config
-  namespace: {{ $.Values.metadata.namespace }}
+  name: {{ .Release.Name }}-config
+  namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ $.Values.server.name }}-config
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: fabric
+    app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }}
+    app.kubernetes.io/namespace: {{ .Release.Namespace }}
+    app.kubernetes.io/release: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    {{- include "labels.custom" . | nindent 2 }}
 data:
   fabric-ca-server-config.yaml: |
     {{ (tpl (.Files.Get ( printf "%s" $.Values.server.configpath )) . ) | nindent 6 }}