From 85c84e39ae556da3bed8568b26dfd0efbe0163ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marina=20G=C3=B3mez=20Cepeda?= <83813093+mgCepeda@users.noreply.github.com> Date: Mon, 1 Apr 2024 08:42:55 +0200 Subject: [PATCH] [fabic] Introduce helm chart deployment capability for version 2.5 (#2529) **Primary Changes** 1. This PR includes changes to deploy fabric 2.5.4 without a channel using helm charts. 2. Version 2.2.2 is pending 3. Deploy with Ansible pending **Changes in charts** platforms/hyperledger-fabric/charts/fabric-ca-server platforms/hyperledger-fabric/charts/fabric-cacerts-gen platforms/hyperledger-fabric/charts/fabric-catools platforms/hyperledger-fabric/charts/fabric-cli platforms/hyperledger-fabric/charts/fabric-orderernode platforms/hyperledger-fabric/charts/fabric-peernode fixes #2484 
Signed-off-by: mgCepeda --- platforms/hyperledger-fabric/charts/README.md | 135 ++ .../charts/fabric-ca-server/Chart.yaml | 20 +- .../charts/fabric-ca-server/README.md | 8 +- .../charts/fabric-ca-server/requirements.yaml | 29 + .../fabric-ca-server/templates/_helpers.tpl | 33 +- .../templates/ca-job-cleanup.yaml | 125 ++ .../fabric-ca-server/templates/configmap.yaml | 13 +- .../templates/deployment.yaml | 185 -- .../fabric-ca-server/templates/service.yaml | 54 +- .../templates/statefulset.yaml | 201 ++ .../fabric-ca-server/templates/volume.yaml | 34 - .../charts/fabric-ca-server/values.yaml | 223 +- .../charts/fabric-cacerts-gen/.helmignore | 23 + .../charts/fabric-cacerts-gen/Chart.yaml | 19 +- .../fabric-cacerts-gen/templates/_helpers.tpl | 33 +- .../templates/configmap.yaml | 33 + .../fabric-cacerts-gen/templates/job.yaml | 256 +-- .../charts/fabric-cacerts-gen/values.yaml | 91 +- .../charts/fabric-catools/Chart.yaml | 19 +- .../charts/fabric-catools/README.md | 21 +- .../fabric-catools/templates/_helpers.tpl | 33 +- .../fabric-catools/templates/configmap.yaml | 1866 ++++++++++------- .../fabric-catools/templates/deployment.yaml | 422 ++-- .../fabric-catools/templates/volume.yaml | 30 +- .../charts/fabric-catools/values.yaml | 173 +- .../charts/fabric-cli/Chart.yaml | 20 +- .../charts/fabric-cli/README.md | 4 +- .../charts/fabric-cli/templates/_helpers.tpl | 33 +- .../fabric-cli/templates/deployment.yaml | 125 +- .../charts/fabric-cli/templates/volume.yaml | 6 +- .../charts/fabric-cli/values.yaml | 111 +- .../charts/fabric-orderernode/Chart.yaml | 20 +- .../charts/fabric-orderernode/README.md | 9 +- .../fabric-orderernode/requirements.yaml | 7 + .../fabric-orderernode/templates/_helpers.tpl | 33 +- .../templates/configmap.yaml | 42 +- .../templates/deployment.yaml | 272 --- .../templates/node-statefulset.yaml | 311 +++ .../fabric-orderernode/templates/service.yaml | 57 +- .../templates/servicemonitor.yaml | 16 +- .../charts/fabric-orderernode/values.yaml | 180 
+- .../charts/fabric-peernode/Chart.yaml | 19 +- .../charts/fabric-peernode/README.md | 82 +- .../charts/fabric-peernode/requirements.yaml | 14 + .../fabric-peernode/templates/_helpers.tpl | 33 +- .../fabric-peernode/templates/configmap.yaml | 76 +- .../fabric-peernode/templates/deployment.yaml | 332 --- .../templates/node-statefulset.yaml | 362 ++++ .../fabric-peernode/templates/service.yaml | 75 +- .../templates/servicemonitor.yaml | 16 +- .../charts/fabric-peernode/values.yaml | 262 ++- .../ordererOrganization/ca-server.yaml | 42 + .../ordererOrganization/orderer.yaml | 23 + .../peerOrganization/ca-server.yaml | 60 + .../peerOrganization/peer.yaml | 34 + .../ordererOrganization/ca-server.yaml | 48 + .../ordererOrganization/orderer.yaml | 30 + .../peerOrganization/ca-server.yaml | 66 + .../peerOrganization/peer.yaml | 39 + 59 files changed, 4109 insertions(+), 2829 deletions(-) create mode 100644 platforms/hyperledger-fabric/charts/README.md create mode 100644 platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml create mode 100644 platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml delete mode 100644 platforms/hyperledger-fabric/charts/fabric-ca-server/templates/deployment.yaml create mode 100644 platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml delete mode 100644 platforms/hyperledger-fabric/charts/fabric-ca-server/templates/volume.yaml create mode 100644 platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore create mode 100644 platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml create mode 100644 platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml delete mode 100644 platforms/hyperledger-fabric/charts/fabric-orderernode/templates/deployment.yaml create mode 100644 platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml create mode 100644 
platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml
 delete mode 100755 platforms/hyperledger-fabric/charts/fabric-peernode/templates/deployment.yaml
 create mode 100755 platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml
 create mode 100644 platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml
diff --git a/platforms/hyperledger-fabric/charts/README.md b/platforms/hyperledger-fabric/charts/README.md
new file mode 100644
index 00000000000..23b23b587b8
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/README.md
@@ -0,0 +1,135 @@ +[//]: # (##############################################################################################) +[//]: # (Copyright Accenture. All Rights Reserved.) +[//]: # (SPDX-License-Identifier: Apache-2.0) +[//]: # (##############################################################################################) + +# Charts for Hyperledger Fabric components + +## About +This folder contains the helm charts which are used for the deployment of the Hyperledger Fabric components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS is fully supported. + +```yaml +global: + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws + cloudNativeServices: false # future: set to true to use Cloud Native Services + kubernetesUrl: "https://yourkubernetes.com" # Provide the k8s URL, ignore if not using Hashicorp Vault + vault: + type: hashicorp # choose from hashicorp | kubernetes + network: besu # must be besu for these charts + # Following are necessary only when hashicorp vault is used. 
+ address: http://vault.url:8200 + authPath: supplychain + secretEngine: secretsv2 + secretPrefix: "data/supplychain" + role: vault-role +``` + +## Usage + +### Pre-requisites + +- Kubernetes Cluster (either Managed cloud option like EKS or local like minikube) +- Accessible and unsealed Hahsicorp Vault (if using Vault) +- Configured Haproxy (if using Haproxy as proxy) +- Update the dependencies + ``` + helm dependency update fabric-ca-server + helm dependency update fabric-orderernode + helm dependency update fabric-peernode + ``` + +### _Without Proxy or Vault_ + +### To setup Orderer organization +```bash +kubectl create namespace supplychain-net + +helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/ca-server.yaml + +# Install the Orderers +helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml +helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml +helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/noproxy-and-novault/ordererOrganization/orderer.yaml +``` + +### To setup Peer organization + +```bash +kubectl create namespace carrier-net + +# Get the Orderer tls certificate and place in fabric-catools/files +cd ./fabric-catools/files +kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt + +# Before installing, we must use the dependencies again, due to the addition of the file in the files folder +cd ../.. 
+helm dependency update fabric-ca-server + +helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/ca-server.yaml + +# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files +# This step is optional +cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files + +# Install the Peers +helm install peer0 ./fabric-peernode --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/peer.yaml +``` + +### _With Ambassador proxy and Vault_ + +### To setup Orderer organization + +Replace the `global.vault.address`, `global.cluster.kubernetesUrl` and `global.proxy.externalUrlSuffix` in all the files in `./values/proxy-and-vault/` folder. + +```bash +kubectl create namespace supplychain-net + +kubectl -n supplychain-net create secret generic roottoken --from-literal=token= + +helm install supplychain-ca ./fabric-ca-server --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/ca-server.yaml + +# Install the Orderers +helm install orderer1 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml +helm install orderer2 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml +helm install orderer3 ./fabric-orderernode --namespace supplychain-net --values ./values/proxy-and-vault/ordererOrganization/orderer.yaml +``` + +### To setup Peer organization + +```bash +kubectl create namespace carrier-net + +kubectl -n carrier-net create secret generic roottoken --from-literal=token= + +# Get the Orderer tls certificate and place in fabric-catools/files +cd ./fabric-catools/files +kubectl --namespace supplychain-net get configmap orderer-tls-cacert -o jsonpath='{.data.cacert}' > orderer.crt + +# Before installing, we must use the dependencies again, due to the addition of the file in the files folder +cd ../.. 
+helm dependency update fabric-ca-server + +helm install carrier-ca ./fabric-ca-server --namespace carrier-net --values ./values/noproxy-and-novault/peerOrganization/ca-server.yaml + +# To use a custom peer configuration, copy core.yaml file into ./fabric-peernode/files +# This step is optional +cp /home/bevel/build/peer0-core.yaml ./fabric-peernode/files + +# Install the Peers +helm install peer0 ./fabric-peernode --namespace carrier-net --values ./values/proxy-and-vault/peerOrganization/peer.yaml +``` + +### Clean-up + +To clean up, just uninstall the helm releases. +```bash +helm uninstall --namespace supplychain-net orderer1 +helm uninstall --namespace supplychain-net orderer2 +helm uninstall --namespace supplychain-net orderer3 +helm uninstall --namespace supplychain-net supplychain-ca + +helm uninstall --namespace carrier-net peer0 +helm uninstall --namespace carrier-net carrier-ca +``` \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml index 05530cbf407..64653b52428 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/Chart.yaml @@ -5,7 +5,23 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Deploys a CA server." name: fabric-ca-server +description: "Hyperledger Fabric: Deploys a CA server." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org + 
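Review bot: The `keywords` list added to fabric-ca-server/Chart.yaml contains `ethereum`, which looks carried over from another chart's metadata and will mislead keyword searches for a Hyperledger Fabric CA chart. In the same hunk `appVersion` moves from `"2.0"` to `latest`, while the PR description says the charts target Fabric 2.5.4, so the chart metadata no longer states which application version it deploys. I would remove `- ethereum` from the keywords and pin `appVersion: "2.5.4"` (or whatever image tag the chart's values.yaml defaults to, which is not visible here).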
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md b/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md index dfd679be803..945b5d3a2dc 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/README.md @@ -122,9 +122,9 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | --------------------------| ---------------------------------------------------| ---------------| -| servicetype | Service type for the pod | ClusterIP | -| ports.tcp.nodeport | TCP node port to be exposed for CA server | 30007 | -| ports.tcp.clusteripport | TCP cluster IP port to be exposed for CA server | 7054 | +| serviceType | Service type for the pod | ClusterIP | +| ports.tcp.nodePort | TCP node port to be exposed for CA server | 30007 | +| ports.tcp.clusterIpPort | TCP cluster IP port to be exposed for CA server | 7054 | ### Annotations @@ -139,7 +139,7 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | ----------------------| -------------------------------------------------------------------------|--------------------------------| | provider | Proxy/ingress provider. Possible values: "haproxy" or "none" | haproxy | | type | Type of the deployment. Possible values: "orderer", "peer", or "test" | test | -| external_url_suffix | External URL suffix for the organization | org1proxy.blockchaincloudpoc.com | +| externalUrlSuffix | External URL suffix for the organization | org1proxy.blockchaincloudpoc.com | diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml new file mode 100644 index 00000000000..04389e53f48 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/requirements.yaml 
@@ -0,0 +1,29 @@ +dependencies: + - name: bevel-vault-mgmt + repository: "file://../../../shared/charts/bevel-vault-mgmt" + tags: + - bevel + version: ~1.0.0 + - name: bevel-scripts + repository: "file://../../../shared/charts/bevel-scripts" + tags: + - bevel + version: ~1.0.0 + - name: bevel-storageclass + alias: storage + repository: "file://../../../shared/charts/bevel-storageclass" + tags: + - storage + version: ~1.0.0 + - name: fabric-cacerts-gen + alias: cacerts + repository: "file://../fabric-cacerts-gen" + tags: + - cacerts + version: ~1.0.0 + - name: fabric-catools + alias: catools + repository: "file://../fabric-catools" + tags: + - catools + version: ~1.0.0 diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl index 8823df47301..1670a50fd9e 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/_helpers.tpl 
@@ -1,8 +1,31 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fabric-ca-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fabric-ca-server.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fabric-ca-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{- define "labels.deployment" -}} {{- if $.Values.labels }} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml new file mode 100644 index 00000000000..57f8f8442c0 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/ca-job-cleanup.yaml 
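Review bot: `fabric-ca-server.fullname` assigns `$name := default .Chart.Name` with a single argument, so `$name` is always the bare chart name and the `nameOverride` value that `fabric-ca-server.name` honours a few lines above is silently ignored when the full name is built. The two helpers should agree: `{{- $name := default .Chart.Name .Values.nameOverride -}}`, and if a `fullnameOverride` value is intended to be supported it needs its own `{{- if .Values.fullnameOverride -}}` branch before this. The new `fabric-ca-server.chart` helper is defined here but, in the templates visible in this commit, the `helm.sh/chart` label that would use it is removed rather than switched to `{{ include "fabric-ca-server.chart" . }}`, so it appears to be dead code unless another template consumes it.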
@@ -0,0 +1,125 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "fabric-ca-server.name" . }}-cleanup + labels: + app.kubernetes.io/name: fabric-ca-server-job-cleanup + app.kubernetes.io/component: ca-server-job-cleanup + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/managed-by: helm + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-delete" + helm.sh/hook-delete-policy: "hook-succeeded" +spec: + backoffLimit: 3 + completions: 1 + template: + metadata: + labels: + app.kubernetes.io/name: fabric-ca-server-job-cleanup + app.kubernetes.io/component: ca-server-job-cleanup + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/managed-by: helm + spec: + serviceAccountName: {{ .Values.global.serviceAccountName }} + restartPolicy: "Never" + containers: + - name: delete-secrets + image: "{{ $.Values.image.alpineUtils }}" + securityContext: + runAsUser: 0 + imagePullPolicy: IfNotPresent + env: + - name: COMPONENT_TYPE + value: {{ $.Values.catools.orgData.type }} + - name: ORDERERS_NAMES + value: "{{ $.Values.catools.orderers | join " " -}}" + - name: PEERS_NAMES + value: "{{ $.Values.catools.peers | join " " -}}" + - name: USERS_IDENTITIES + value: "{{ $.Values.catools.users.usersIdentities | join " " -}}" + command: ["sh", "-c"] + args: + - |- +{{- if .Values.settings.removeCertsOnDelete }} + + function deleteSecret { + key=$1 + kubectl get secret ${key} --namespace {{ .Release.Namespace }} -o json > /dev/null 2>&1 + if [ $? 
-eq 0 ]; then + kubectl delete secret ${key} --namespace {{ .Release.Namespace }} + fi + } + deleteSecret ca-certs + deleteSecret ca-credentials + + deleteSecret admin-tls + deleteSecret admin-msp + + if [ "$COMPONENT_TYPE" = "orderer" ]; then + SERVICES_NAMES=$ORDERERS_NAMES; + fi; + + if [ "$COMPONENT_TYPE" = "peer" ]; then + SERVICES_NAMES=$PEERS_NAMES; + fi; + + for SERVICE in $SERVICES_NAMES + do + # Check if orderer/peer msp already created + if [ "$COMPONENT_TYPE" = "peer" ]; then + SERVICE_NAME="${SERVICE%%,*}" + deleteSecret ${SERVICE_NAME}-msp + fi; + + if [ "$COMPONENT_TYPE" = "orderer" ]; then + SERVICE_NAME="${SERVICE}" + deleteSecret ${SERVICE_NAME}-msp + fi; + + # Check if orderer/peer msp already created + if [ "$COMPONENT_TYPE" = "peer" ]; then + SERVICE_NAME="${SERVICE%%,*}" + deleteSecret ${SERVICE_NAME}-tls + fi; + + if [ "$COMPONENT_TYPE" = "orderer" ]; then + SERVICE_NAME="${SERVICE}" + deleteSecret ${SERVICE_NAME}-tls + fi; + done + + if [ $COMPONENT_TYPE == 'peer' ]; + then + # Check if msp config file already created + deleteSecret msp-config + deleteSecret orderer-tls + deleteSecret couchdb + fi; + + if [ "$USERS_IDENTITIES" ] + then + for user_identity in $USERS_IDENTITIES + do + # Check if users tls already created + deleteSecret ${user_identity}-tls + # Check if users msp already created for users + deleteSecret ${user_identity}-msp + done + fi + +{{- end}} + +{{- if .Values.settings.removeOrdererTlsOnDelete }} + + if kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert &> /dev/null; then + echo "Deleting orderer-tls-cacert configmap in k8s ..." + kubectl delete configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert + fi +{{- end}} + diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml index 99241a79d24..70da32c3715 100644 
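Review bot: The orderer-tls-cacert check at the end of the cleanup script uses `&> /dev/null`, which is bash syntax; the container runs `sh -c`, and a POSIX `sh` parses that as `kubectl ... &` followed by an empty redirection, so the `if` always takes the true branch and the lookup is backgrounded (it only works if the image's shell has bash-compatible redirections). Use the form `deleteSecret` already uses: `if kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert > /dev/null 2>&1; then`. The peer branch likewise tests `[ $COMPONENT_TYPE == 'peer' ]` — unquoted and with non-POSIX `==` — where every other comparison in the script writes `[ "$COMPONENT_TYPE" = "peer" ]`. Separately, the `delete-secrets` container sets `securityContext.runAsUser: 0` although it only runs kubectl with the mounted service-account credentials; dropping that setting (or using a non-zero user) keeps the pre-delete hook at least privilege.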
--- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/configmap.yaml @@ -8,14 +8,15 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Values.server.name }}-config - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-config + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ $.Values.server.name }}-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} data: fabric-ca-server-config.yaml: | {{ (tpl (.Files.Get ( printf "%s" $.Values.server.configpath )) . ) | nindent 6 }} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/deployment.yaml deleted file mode 100644 index 9ee7562f736..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/deployment.yaml +++ /dev/null 
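Review bot: The ConfigMap's label block drops the recommended `app.kubernetes.io/instance` and `helm.sh/chart` keys in favour of `app.kubernetes.io/release` and `app.kubernetes.io/namespace`, which are not part of the Kubernetes recommended-label set; anything that selects or groups on `app.kubernetes.io/instance` will no longer see these objects, and `app.kubernetes.io/namespace` only duplicates the object's own namespace. I would keep `app.kubernetes.io/instance: {{ .Release.Name }}` and `helm.sh/chart: {{ include "fabric-ca-server.chart" . }}` alongside the new keys, which also gives the new `fabric-ca-server.chart` helper a consumer. The same label block is repeated in the service.yaml and statefulset.yaml hunks of this commit, so whichever key set is chosen should be applied to all three.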
@@ -1,185 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $.Values.server.name }} - namespace: {{ $.Values.metadata.namespace }} - labels: - app.kubernetes.io/name: {{ $.Values.server.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} - {{- include "labels.deployment" . | nindent 2 }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.deployment.annotations }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ $.Values.server.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - name: {{ $.Values.server.name }} - app.kubernetes.io/name: {{ $.Values.server.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.deployment" . 
| nindent 6 }} - spec: - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} - imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} - {{- end }} - volumes: - - name: ca-server-db - persistentVolumeClaim: - claimName: ca-server-db-pvc - - name: certificates - emptyDir: - medium: Memory - {{- if (not (empty .Values.server.configpath)) }} - - name: {{ $.Values.server.name }}-config-volume - configMap: - name: {{ $.Values.server.name }}-config - items: - - key: fabric-ca-server-config.yaml - path: fabric-ca-server-config.yaml - {{- end }} - {{ if .Values.vault.tls }} - - name: vaultca - secret: - secretName: "{{ .Values.vault.tls }}" - items: - - key: ca.crt.pem - path: ca-certificates.crt - {{- end }} - - name: scripts-volume - configMap: - name: bevel-vault-script - initContainers: - - name: ca-certs-init - image: {{ $.Values.metadata.images.alpineutils }} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: MOUNT_PATH - value: /secret - - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - source /scripts/bevel-vault.sh - - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - SECRET_CERT={{ $.Values.vault.secretcert }} - vault_secret_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $1}') - vault_data_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $2}') - - # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${vault_secret_key}" - VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/server.crt - - SECRET_KEY={{ $.Values.vault.secretkey }} - vault_secret_key=$(echo ${SECRET_KEY} |awk -F "?" 
'{print $1}') - vault_data_key=$(echo ${SECRET_KEY} |awk -F "?" '{print $2}') - - # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${vault_secret_key}" - VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/server.key - - SECRET_ADMIN_PASS={{ $.Values.vault.secretadminpass }} - vault_secret_key=$(echo ${SECRET_ADMIN_PASS} |awk -F "?" '{print $1}') - vault_data_key=$(echo ${SECRET_ADMIN_PASS} |awk -F "?" '{print $2}') - - # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${vault_secret_key}" - VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/user_cred - volumeMounts: - - name: certificates - mountPath: /secret - {{ if .Values.vault.tls }} - - name: vaultca - mountPath: "/etc/ssl/certs/" - readOnly: true - {{ end }} - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - containers: - - name: ca - image: {{ $.Values.metadata.images.ca }} - imagePullPolicy: IfNotPresent - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - if [[ -d /custom-config/ ]] && [[ -f /custom-config/fabric-ca-server-config.yaml ]]; then - cp /custom-config/fabric-ca-server-config.yaml $FABRIC_CA_HOME/fabric-ca-server-config.yaml - fabric-ca-server start --config $FABRIC_CA_HOME/fabric-ca-server-config.yaml -d - else - sleep 1 && fabric-ca-server start -b {{ $.Values.server.admin }}:`cat /etc/hyperledger/fabric-ca-server-config/user_cred` -d - fi - ports: - - containerPort: 7054 - - containerPort: 9443 - env: - - name: FABRIC_CA_HOME - value: /etc/hyperledger/fabric-ca-server - - name: FABRIC_CA_SERVER_CA_NAME - value: "{{ $.Values.server.name }}.{{ $.Values.metadata.namespace }}" - - name: FABRIC_CA_SERVER_CA_CERTFILE - value: /etc/hyperledger/fabric-ca-server-config/server.crt - - name: FABRIC_CA_SERVER_CA_KEYFILE - 
value: /etc/hyperledger/fabric-ca-server-config/server.key - - name: FABRIC_CA_SERVER_TLS_ENABLED - value: "{{ $.Values.server.tlsstatus }}" - - name: FABRIC_CA_SERVER_DEBUG - value: "true" - - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: /etc/hyperledger/fabric-ca-server-config/server.crt - - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: /etc/hyperledger/fabric-ca-server-config/server.key - - name: FABRIC_CA_SERVER_DB_DATASOURCE - value: /var/hyperledger/fabric-ca-server/db/fabric-ca-server.db - - name: FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS - value: 0.0.0.0:9443 - volumeMounts: - - name: certificates - mountPath: /etc/hyperledger/fabric-ca-server-config - readOnly: true - - name: ca-server-db - mountPath: /var/hyperledger/fabric-ca-server/db/ - {{- if (not (empty .Values.server.configpath)) }} - - name: {{ $.Values.server.name }}-config-volume - mountPath: /custom-config/ - {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml index e3d3b33f0b5..d4301f4dd62 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/service.yaml 
@@ -7,81 +7,75 @@ apiVersion: v1 kind: Service metadata: - name: {{ $.Values.server.name }} - namespace: {{ $.Values.metadata.namespace }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.service }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} labels: - run: {{ $.Values.server.name }} - app.kubernetes.io/name: {{ $.Values.server.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} {{- include "labels.service" . | nindent 2 }} spec: - type: {{ $.Values.service.servicetype }} + type: ClusterIP selector: - name: {{ $.Values.server.name }} + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} ports: - name: tcp protocol: TCP targetPort: 7054 - port: {{ $.Values.service.ports.tcp.clusteripport }} - {{- if $.Values.service.ports.tcp.nodeport }} - nodePort: {{ $.Values.service.ports.tcp.nodeport }} + port: {{ $.Values.service.ports.tcp.clusterIpPort }} + {{- if $.Values.service.ports.tcp.nodePort }} + nodePort: {{ $.Values.service.ports.tcp.nodePort }} {{- end }} - name: operations protocol: TCP targetPort: 9443 port: 9443 -{{- if eq $.Values.proxy.provider "haproxy" }} +{{- if eq $.Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.server.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: rules: - - host: ca.{{ $.Values.metadata.namespace }}.{{ $.Values.proxy.external_url_suffix }} + - host: ca.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.server.name }} + name: {{ .Release.Name }} port: - number: {{ $.Values.service.ports.tcp.clusteripport }} + number: {{ $.Values.service.ports.tcp.clusterIpPort }} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.server.name }}-ops - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-ops + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" spec: rules: - - host: ca-ops.{{ $.Values.metadata.namespace }}.{{ $.Values.proxy.external_url_suffix }} + - host: ca-ops.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.server.name }} + name: {{ .Release.Name }} port: number: 9443 {{- end }} 
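Review bot: `spec.type` is now hard-coded to `ClusterIP`, but the `tcp` port entry still emits `nodePort: {{ $.Values.service.ports.tcp.nodePort }}` whenever `service.ports.tcp.nodePort` is set; Kubernetes rejects a `nodePort` on a ClusterIP service, so a values file that keeps the documented default of 30007 fails to install. Either remove the `{{- if $.Values.service.ports.tcp.nodePort }}` branch or restore `type: {{ $.Values.service.serviceType }}` so that the `serviceType` key the README hunk in this commit still documents actually has an effect. The two Ingress objects also still select the controller via the `kubernetes.io/ingress.class` annotation, which is deprecated for networking.k8s.io/v1 in favour of `spec.ingressClassName: haproxy`.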
diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml
new file mode 100644
index 00000000000..389f943329a
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/statefulset.yaml
@@ -0,0 +1,201 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fabric-ca-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + annotations: + {{- include "labels.deployment" . | nindent 2 }} +spec: + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + serviceName: {{ .Release.Name }} + volumeClaimTemplates: + - metadata: + name: ca-server-db-pvc + labels: + {{- include "labels.deployment" . | nindent 2 }} + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: storage-{{ .Release.Name }} + resources: + requests: + storage: "{{ .Values.storage.size }}" + template: + metadata: + labels: + name: {{ .Release.Name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-ca-server.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + {{- if $.Values.labels }} + {{- range $key, $value := $.Values.labels.deployment }} + {{- range $k, $v := $value }} + {{ $k }}: {{ $v | quote }} + {{- end }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ .Values.global.serviceAccountName }} + {{- if .Values.image.pullSecret }} + imagePullSecrets: + - name: {{ $.Values.image.pullSecret }} + {{- end }} + volumes: + - name: certificates + emptyDir: + medium: Memory + {{- if (not (empty .Values.server.configpath)) }} + - name: {{ .Release.Name }}-config-volume + configMap: + name: {{ .Release.Name }}-config + items: + - key: fabric-ca-server-config.yaml + path: fabric-ca-server-config.yaml + {{- end }} + {{ if .Values.global.vault.tls }} + - name: vaultca + secret: + secretName: "{{ .Values.global.vault.tls }}" + items: + - key: ca.crt.pem + path: ca-certificates.crt + {{- end }} + - name: scripts-volume + configMap: + name: bevel-vault-script + initContainers: + - name: ca-certs-init + image: {{ $.Values.image.alpineUtils }} + imagePullPolicy: IfNotPresent + env: + - name: VAULT_ADDR + value: {{ $.Values.global.vault.address }} + - name: VAULT_APP_ROLE + value: {{ $.Values.global.vault.role }} + - name: KUBERNETES_AUTH_PATH + value: {{ $.Values.global.vault.authPath }} + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" + - name: VAULT_TYPE + value: "{{ $.Values.global.vault.type }}" + - name: COMPONENT_NAME + value: {{ .Release.Namespace }} + - name: MOUNT_PATH + value: /secret + command: ["sh", "-c"] + args: + - |- + #!/usr/bin/env sh +{{- if eq .Values.global.vault.type "hashicorp" }} + source /scripts/bevel-vault.sh + # Calling a function to retrieve the vault token. 
+ vaultBevelFunc "init" + + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" + + ca_cert=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.${COMPONENT_NAME}-cert.pem\"]") + echo "${ca_cert}" >> ${MOUNT_PATH}/server.crt + + ca_key=$(echo ${VAULT_SECRET} | jq -r ".[\"${COMPONENT_NAME}-CA.key\"]") + echo "${ca_key}" >> ${MOUNT_PATH}/server.key + + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/credentials" + user=$(echo ${VAULT_SECRET} | jq -r ".[\"user\"]") + echo "${user}" >> ${MOUNT_PATH}/user_cred + +{{- else }} + kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-key}" | base64 -d > ${MOUNT_PATH}/server.key + kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-cert}" | base64 -d > ${MOUNT_PATH}/server.crt + kubectl get secret ca-credentials --namespace {{ .Release.Namespace }} -o json | jq '.data.user' | tr -d '"' | base64 -d > ${MOUNT_PATH}/user_cred +{{- end }} + volumeMounts: + - name: certificates + mountPath: /secret + {{ if .Values.global.vault.tls }} + - name: vaultca + mountPath: "/etc/ssl/certs/" + readOnly: true + {{ end }} + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh + containers: + - name: ca + image: {{ $.Values.image.ca }} + imagePullPolicy: IfNotPresent + command: ["sh", "-c"] + args: + - |- + #!/usr/bin/env sh + if [[ -d /custom-config/ ]] && [[ -f /custom-config/fabric-ca-server-config.yaml ]]; then + cp /custom-config/fabric-ca-server-config.yaml $FABRIC_CA_HOME/fabric-ca-server-config.yaml + fabric-ca-server start --config $FABRIC_CA_HOME/fabric-ca-server-config.yaml -d + else + sleep 1 && fabric-ca-server start -b {{ $.Values.server.admin }}:`cat /etc/hyperledger/fabric-ca-server-config/user_cred` -d + fi + ports: + - containerPort: 7054 + - containerPort: 9443 + env: + - name: FABRIC_CA_HOME + value: /etc/hyperledger/fabric-ca-server + - 
name: FABRIC_CA_SERVER_CA_NAME + value: "{{ .Release.Name }}.{{ .Release.Namespace }}" + - name: FABRIC_CA_SERVER_CA_CERTFILE + value: /etc/hyperledger/fabric-ca-server-config/server.crt + - name: FABRIC_CA_SERVER_CA_KEYFILE + value: /etc/hyperledger/fabric-ca-server-config/server.key + - name: FABRIC_CA_SERVER_TLS_ENABLED + value: "{{ $.Values.server.tlsStatus }}" + - name: FABRIC_CA_SERVER_DEBUG + value: "true" + - name: FABRIC_CA_SERVER_TLS_CERTFILE + value: /etc/hyperledger/fabric-ca-server-config/server.crt + - name: FABRIC_CA_SERVER_TLS_KEYFILE + value: /etc/hyperledger/fabric-ca-server-config/server.key + - name: FABRIC_CA_SERVER_DB_DATASOURCE + value: /var/hyperledger/fabric-ca-server/db/fabric-ca-server.db + - name: FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS + value: 0.0.0.0:9443 + volumeMounts: + - name: certificates + mountPath: /etc/hyperledger/fabric-ca-server-config + readOnly: true + - name: ca-server-db-pvc + mountPath: /var/hyperledger/fabric-ca-server/db/ + {{- if (not (empty .Values.server.configpath)) }} + - name: {{ .Release.Name }}-config-volume + mountPath: /custom-config/ + {{- end }} \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/volume.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/volume.yaml deleted file mode 100644 index 7c3d2eaf9e4..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/templates/volume.yaml +++ /dev/null 
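Review bot: `FABRIC_CA_SERVER_DEBUG` is hard-wired to `"true"` in the `ca` container's env, so every release of this chart runs fabric-ca with debug logging on and there is no value to turn it off; drive it from a chart value instead, e.g. `value: "{{ $.Values.server.debug | default false }}"`, with a matching commented entry in values.yaml. In the same container the `else` branch starts the server with `-b {{ $.Values.server.admin }}:`cat .../user_cred``, which places the bootstrap admin password in the argv of the fabric-ca-server process where `ps` inside the pod can read it; if fabric-ca accepts the bootstrap identity through its config file or an env var, that would keep it out of the process list. The `{{ if .Values.global.vault.tls }}` / `{{ end }}` pairs in the volume and mount lists lack the `-` whitespace trim that the rest of the template uses, so they emit stray blank lines in the rendered manifest.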
@@ -1,34 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ca-server-db-pvc - namespace: {{ $.Values.metadata.namespace }} - labels: - app.kubernetes.io/name: ca-server-db-pvc - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} - {{- include "labels.pvc" . | nindent 2 }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} -spec: - storageClassName: {{ $.Values.storage.storageclassname }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ $.Values.storage.storagesize }} diff --git a/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml b/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml index 593f0ba0d62..b8c1f2b88d5 100644 --- a/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-ca-server/values.yaml 
@@ -3,113 +3,150 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +--- +# The following are for overriding global values +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: org1-vault-role + role: vault-role + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" + #Enable or disable TLS for vault communication + #Eg. tls: true + tls: -metadata: - #Provide the namespace for CA server - #Eg. namespace: org1-net - namespace: org1-net - images: - #Provide the valid image name and version for fabric ca - #Eg. ca: hyperledger/fabric-ca:1.4.8 - ca: ghcr.io/hyperledger/bevel-fabric-ca:1.4.8 - #Provide the valid image name and version to read certificates from vault server - #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the custom labels - #NOTE: Provide labels other than name, release name , release service, chart version , chart name , run. - #Eg. labels: - # role: ca - labels: + proxy: + #This will be the proxy/ingress provider. Can have values "haproxy" or "none" + #Eg. 
provider: "haproxy" + provider: haproxy + #This field specifies the external url for the organization + #Eg. externalUrlSuffix: test.blockchaincloudpoc.com + externalUrlSuffix: test.blockchaincloudpoc.com -deployment: - annotations: +cacerts: + ca: + #Provide organization's name + orgName: supplychain + #Provide the subject of the services ca organization's + #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=carrier-net" + subject: /C=GB/ST=London/L=London/O=Orderer + # Flag to ensure the certificates secrets are removed on helm uninstall + +catools: + orgData: + #Provide organization's name in lowercases + #Eg. orgName: supplychain + orgName: supplychain + #Provide organization's type (orderer or peer) + #Eg. component_type: orderer + type: + #Provide organization's subject + #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" + componentSubject: + #Provide organization's subject + #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" + certSubject: + #Provide organization's country + #Eg. UK + componentCountry: UK + #Provide organization's state + #Eg. London + componentState: London + #Provide organization's location + #Eg. Lodon + componentLocation: Lodon + + #Provide orderer's names + orderers: + - orderer1 + - orderer2 + - orderer3 + + #Provide peer's names + peers: + - peer0 + + users: + # Generating User Certificates with custom attributes using Fabric CA in Bevel for Peer Organizations + usersList: + - user: + identity: user1 + attributes: + - key: "hf.Revoker" + value: "true" + - user: + identity: user2 + attributes: + - key: "hf.Revoker" + value: "true" + #Base64 encoded list of users + #Eg. 
IC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMQogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgIgICAgICAgIC0ga2V5OiBrZXkyCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMgogICAgICAgIC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMgogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgICAgICAgICB2YWx1ZTogdmFsdWUxCiAgICAgICAgICAgIC0ga2V5OiBrZXkzCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMw== + usersListAnsible: + #Provides a list of user identities + usersIdentities: + - user1 + - user2 + + checks: + #Provides the need to refresh user certificates + refreshCertValue: false + #Add a peer to an existing network + addPeerValue: False + +storage: + #Provide the size for CA + #Eg. size: 512Mi + size: 512Mi + +image: + #Provide the valid image name and version to read certificates from vault server + #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the valid image name and version for fabric ca + #Eg. ca: ghcr.io/hyperledger/bevel-fabric-ca:latest + ca: ghcr.io/hyperledger/bevel-fabric-ca:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: server: - #Provide name for ca server deployment - #Eg. name: ca - name: ca - #Provide the value for tlsstatus to be true or false for deployment - #Eg. tlsstatus: true - tlsstatus: true + #Provide the value for tlsStatus to be true or false for deployment + #Eg. tlsStatus: true + tlsStatus: true #Provide the admin name for CA server #Eg. admin: admin admin: admin # Provide the path for Fabric CA Server Config # Eg. configpath: conf/ca-config-default.yaml - configpath: conf/ca-config-default.yaml - -storage: - #Provide the storageclassname for CA - #Eg. storageclassname: aws-storageclass - storageclassname: aws-storageclass - #Provide the storagesize for CA - #Eg. storagesize: 512Mi - storagesize: 512Mi - -vault: - #Provide the vault server address - #Eg. 
vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the vaultrole for deployment - #Eg. vaultrole: vault-role - role: vault-role - #Provide the kubernetes auth backend configured in vault for CA server - #Eg. authpath: fra-demo-hlkube-cluster-cluster - authpath: devorg1-net-auth - #Provide the secretcert path configured in vault for CA server - #Eg. secretcert: secretsv2/data/crypto/Organizations/.../...-cert.pem - secretcert: secretsv2/data/crypto/peerOrganizations/org1-net/ca?ca.org1-net-cert.pem - #Provide the secretkey path configured in vault for CA server - #Eg. secretkey: secretsv2/data/crypto/Organizations/.../...-CA.key - secretkey: secretsv2/data/crypto/peerOrganizations/org1-net/ca?org1-net-CA.key - # Provide the secret path for admin password configured in vault for CA server - # Eg. secretadminpass: secretsv2/data/credentials/.../.../ca/org1?user - secretadminpass: secretsv2/data/credentials/org1-net/ca/org1?user - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Enable or disable TLS for vault communication - #Eg. tls: true - tls: - #kuberenetes secret for vault ca.cert - #Eg. tlssecret: vaultca - tlssecret: vaultca - + service: - #Provide service type for the pod - #Eg. servicetype: NodePort - servicetype: ClusterIP ports: tcp: #Provide tcp node port to be exposed for ca server - #Eg. nodeport: 30007 - nodeport: + #Eg. nodePort: 30007 + nodePort: #Provide tcp cluster IP port to be exposed for ca server - #Eg. clusteripport: 7054 - clusteripport: 7054 - -annotations: - # Extra annotations for the service - service: [] - # Extra annotations for the PVC - pvc: [] - -proxy: - #This will be the proxy/ingress provider. Can have values "haproxy" or "none" - #Eg. 
provider: "haproxy" - provider: haproxy - #Type can be "orderer" or "peer"; "test" is defaulted - #Eg. type: orderer - type: test - #This field specifies the external url for the organization - #Eg. external_url_suffix: org1proxy.blockchaincloudpoc.com - external_url_suffix: org1proxy.blockchaincloudpoc.com + #Eg. clusterIpPort: 7054 + clusterIpPort: 7054 labels: service: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore new file mode 100644 index 00000000000..014fa775608 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +generated_config/ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml index 6eac32205fe..eb70defb6cc 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/Chart.yaml 
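Review bot: The new `catools.orgData.componentLocation` default (and its example) is spelled `Lodon`, which ends up in generated certificate subjects; it should read `London`. The comment `# Flag to ensure the certificates secrets are removed on helm uninstall` under `cacerts.ca` is not followed by any key, so it documents nothing; the same dangling comment closes the `ca:` section of fabric-cacerts-gen/values.yaml in this commit. From the fabric-ca-server templates visible in this commit, nothing reads the `cacerts:` or `catools:` sections or `global.cluster`, so they look like copy-overs from a sibling chart that will confuse operators of this chart; if they are intentionally shared, a comment saying so would help. Minor: `addPeerValue: False` uses a different casing from `refreshCertValue: false`.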
@@ -5,7 +5,22 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Generates CA Server certs." name: fabric-cacerts-gen +description: "Hyperledger Fabric: Generates CA Server certs." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl index d43c09d8cef..50542fe2e53 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/_helpers.tpl 
@@ -1,5 +1,28 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fabric-cacerts-gen.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fabric-cacerts-gen.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fabric-cacerts-gen.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml new file mode 100644 index 00000000000..3dc1dbe44b6 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/configmap.yaml 
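Review bot: `fabric-cacerts-gen.fullname` computes `{{- $name := default .Chart.Name -}}` with a single argument, so `.Values.nameOverride` is honoured by `fabric-cacerts-gen.name` but ignored by `fullname`; the two helpers would disagree whenever an override is set. The conventional form is `{{- $name := default .Chart.Name .Values.nameOverride -}}`, which keeps the two in step with each other.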
@@ -0,0 +1,33 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: openssl-config-file + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: fabric-cacerts-gen-job + app.kubernetes.io/component: fabric-cacerts-gen-job + app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +data: + openssl.conf: |- + [req] + req_extensions = v3_req + distinguished_name = dn + + [dn] + + [v3_req] + basicConstraints = critical, CA:TRUE + keyUsage = critical,digitalSignature, keyEncipherment, keyCertSign, cRLSign + subjectKeyIdentifier = hash + diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml index c758f4e1de2..a4c336da1e1 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/templates/job.yaml 
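Review bot: The ConfigMap is given the fixed name `openssl-config-file`, while every other object in this chart is scoped by `.Release.Name`; a second release of fabric-cacerts-gen in the same namespace will fail because Helm refuses to take over a resource owned by another release. Naming it e.g. `name: {{ include "fabric-cacerts-gen.fullname" . }}-openssl-config` and updating the `openssl-config` volume in job.yaml to the same expression avoids the collision. A one-line comment above `openssl.conf` stating that the profile is only used for the self-signed org CA (`CA:TRUE`, no pathlen) would help the next reader.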
@@ -1,174 +1,107 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - +--- apiVersion: batch/v1 kind: Job metadata: - name: "{{ $.Values.metadata.name }}-cacerts-job" - namespace: "{{ $.Values.metadata.namespace }}" + name: {{ include "fabric-cacerts-gen.name" . }}-init labels: - app: "{{ $.Values.metadata.name }}-cacerts-job" - app.kubernetes.io/name: "{{ $.Values.metadata.name }}-cacerts-job" - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: fabric-cacerts-gen-job + app.kubernetes.io/component: fabric-cacerts-gen-job + app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + namespace: {{ .Release.Namespace }} spec: backoffLimit: 6 template: metadata: labels: - app: "{{ $.Values.metadata.name }}-cacerts-job" - app.kubernetes.io/name: "{{ $.Values.metadata.name }}-cacerts-job" - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: fabric-cacerts-gen-job + app.kubernetes.io/component: cacerts-gen-job + app.kubernetes.io/part-of: {{ include "fabric-cacerts-gen.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/managed-by: helm spec: - restartPolicy: "OnFailure" - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + restartPolicy: OnFailure imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} {{- end }} volumes: - - name: certcheck - emptyDir: - medium: Memory - name: scripts-volume configMap: name: bevel-vault-script - name: package-manager configMap: name: package-manager - initContainers: - - name: init-check-certificates - image: {{ $.Values.metadata.images.alpineutils }} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_SECRET_CRYPTO_PATH - value: {{ $.Values.vault.secretcryptoprefix }} - - name: VAULT_SECRET_CREDENTIALS_PATH - value: {{ $.Values.vault.secretcredentialsprefix }} - - name: MOUNT_PATH - value: "/certcheck" - - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - . /scripts/bevel-vault.sh - - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - mkdir -p ${MOUNT_PATH} - - # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${VAULT_SECRET_CRYPTO_PATH}" - - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_cacert.txt - else - echo "Certficates absent in vault. Ignore error warning." 
- touch ${MOUNT_PATH}/absent_cacert.txt - fi - - # Check if CA server admin credentials already present in the vault - vaultBevelFunc "readJson" "${VAULT_SECRET_CREDENTIALS_PATH}" - - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_creds.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_creds.txt - fi - - echo "Done checking for certificates in vault." - volumeMounts: - - name: certcheck - mountPath: /certcheck - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh + - name: openssl-config + configMap: + name: openssl-config-file + defaultMode: 0775 + items: + - key: openssl.conf + path: openssl.conf containers: - name: "cacerts" - image: {{ $.Values.metadata.images.alpineutils }} + image: {{ $.Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.vault.address }} + value: {{ $.Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} + value: {{ $.Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_SECRET_CRYPTO_PATH - value: {{ $.Values.vault.secretcryptoprefix }} - - name: VAULT_SECRET_CREDENTIALS_PATH - value: {{ $.Values.vault.secretcredentialsprefix }} + value: {{ $.Values.global.vault.authPath }} + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" + - name: VAULT_TYPE + value: "{{ $.Values.global.vault.type }}" - name: COMPONENT_NAME - value: {{ $.Values.metadata.component_name }} + value: {{ .Release.Namespace }} - name: ORG_NAME - value: {{ $.Values.metadata.name }} + value: {{ $.Values.ca.orgName }} + - name: CA_URL + value: {{ .Release.Name }}.{{ .Release.Namespace }} - name: CA_SUBJECT - value: "{{ $.Values.ca.subject }}" - - name: VAULT_TYPE - value: "{{ 
$.Values.vault.type }}" + value: "{{ $.Values.ca.subject }}/CN={{ .Release.Name }}.{{ .Release.Namespace }}" command: ["sh", "-c"] args: - |- - . /scripts/bevel-vault.sh . /scripts/package-manager.sh - # Define the packages to install - packages_to_install="jq curl openssl" + packages_to_install="jq curl openssl kubectl" install_packages "$packages_to_install" - if [ -e /certcheck/absent_cacert.txt ] - then - # Create openssl.conf file - echo "[req] - req_extensions = v3_req - distinguished_name = dn - - [dn] - - [v3_req] - basicConstraints = critical, CA:TRUE - keyUsage = critical,digitalSignature, keyEncipherment, keyCertSign, cRLSign - subjectKeyIdentifier = hash - " > openssl.conf - - # this commands generate the CA certificate - openssl ecparam -name prime256v1 -genkey -noout -out ${COMPONENT_NAME}-CA.key - openssl req -x509 -config "openssl.conf" -new -nodes -key ${COMPONENT_NAME}-CA.key -days 1024 -out ca.${COMPONENT_NAME}-cert.pem -extensions v3_req -subj "${CA_SUBJECT}" - - # This commands put the certificates with correct format for the curl command - while IFS= read -r line - do - echo "$line\n" - done < ${COMPONENT_NAME}-CA.key > ./cakey_formatted.txt - + formatCertificate () { + NAME="${1##*/}" while IFS= read -r line do echo "$line\n" - done < ca.${COMPONENT_NAME}-cert.pem > ./capem_formatted.txt + done < ${1} > ${2}/${NAME}.txt + } - PEM_CERTIFICATE=$(cat capem_formatted.txt) - KEY_CERTIFICATE=$(cat cakey_formatted.txt) - +{{- if eq .Values.global.vault.type "hashicorp" }} + . /scripts/bevel-vault.sh + echo "Getting vault Token..." 
+ vaultBevelFunc "init" + #Read if genesis exists in Vault + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" + function safeWriteSecret { + key=$1 + FORMAT_CERTIFICATE_PATH="/formatcertificate" + mkdir -p ${FORMAT_CERTIFICATE_PATH} + formatCertificate "${COMPONENT_NAME}-CA.key" "${FORMAT_CERTIFICATE_PATH}" + formatCertificate "ca.${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}" + + PEM_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/ca.${COMPONENT_NAME}-cert.pem.txt) + KEY_CERTIFICATE=$(cat ${FORMAT_CERTIFICATE_PATH}/${COMPONENT_NAME}-CA.key.txt) + + # create a JSON file for the data related to node crypto echo " { \"data\": 
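Review bot: The Job's labels say `app.kubernetes.io/component: fabric-cacerts-gen-job` but the pod template in the same file uses `app.kubernetes.io/component: cacerts-gen-job`, so label selectors keyed on that label will not match both; the template should repeat the Job's value. `imagePullSecrets:` is now emitted unconditionally with the `- name:` entry inside the `{{- if .Values.image.pullSecret }}`, which renders `imagePullSecrets:` with a null value when no pull secret is set; moving the key inside the conditional as the old template did keeps the manifest clean. `kubectl` is newly added to `packages_to_install` and is fetched from the package repositories at job run time, which makes the job depend on network access and on whatever version the repository serves; the `alpineUtils` image shipping it would be more reproducible. The `safeWriteSecret` function opened at the end of this hunk continues in the next one.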
@@ -178,17 +111,39 @@ spec: } }" > payload.json - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" # Calling a function to write secrets to the vault. - vaultBevelFunc 'write' "${VAULT_SECRET_CRYPTO_PATH}" 'payload.json' + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" 'payload.json' rm payload.json - fi + } + +{{- else }} + function safeWriteSecret { + key=$1 + kubectl get secret ${key}-certs --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + kubectl create secret generic ${key}-certs --namespace ${COMPONENT_NAME} --from-file=ca-${COMPONENT_NAME}-key=${COMPONENT_NAME}-CA.key \ + --from-file=ca-${COMPONENT_NAME}-cert=ca.${COMPONENT_NAME}-cert.pem + fi + } +{{- end }} - if [ -e /certcheck/absent_creds.txt ] + if [ "$SECRETS_AVAILABLE" == "yes" ] then - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" + echo "The certificates are already created, skipping..." + else + + # this commands generate the CA certificate + openssl ecparam -name prime256v1 -genkey -noout -out ${COMPONENT_NAME}-CA.key + openssl req -x509 -config "/openssl/openssl.conf" -new -nodes -key ${COMPONENT_NAME}-CA.key -days 1024 -out ca.${COMPONENT_NAME}-cert.pem -extensions v3_req -subj "${CA_SUBJECT}" -addext "subjectAltName = DNS:${CA_URL}" + + safeWriteSecret ca + + fi + +{{- if eq .Values.global.vault.type "hashicorp" }} + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/credentials" + function safeWriteCredentials { + key=$1 echo " { \"data\": 
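Review bot: In the non-hashicorp branch nothing in this script sets `SECRETS_AVAILABLE` (only `vaultBevelFunc "readJson"` does, in the hashicorp branch, unless the sourced package-manager.sh sets it), so `if [ "$SECRETS_AVAILABLE" == "yes" ]` is never true there, the "already created, skipping" path is dead, and each rerun generates a fresh CA key and certificate that are then discarded by the `kubectl get secret` guard inside `safeWriteSecret`; the same applies to the credentials check in the next hunk. Setting the flag from a probe in the kubectl branch, e.g. `kubectl get secret ca-certs --namespace ${COMPONENT_NAME} > /dev/null 2>&1 && SECRETS_AVAILABLE="yes" || SECRETS_AVAILABLE="no"` before the check (and a separate probe of `ca-credentials` before the credentials check), makes the two backends behave the same. Style: `kubectl get secret ...; if [ $? -ne 0 ]` reads more directly as `if ! kubectl get secret ... > /dev/null 2>&1; then`, and the certificate lifetime `-days 1024` is a natural candidate for a chart value.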
@@ -198,16 +153,33 @@ spec: }" > payload.json # Calling a function to write a secret to the vault. - vaultBevelFunc 'write' "${VAULT_SECRET_CREDENTIALS_PATH}" 'payload.json' + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" 'payload.json' # Calling a function to retrieve secrets from Vault only if they exist. - vaultBevelFunc "readJson" "${VAULT_SECRET_CREDENTIALS_PATH}" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key}" + } +{{- else }} + function safeWriteCredentials { + key=$1 + kubectl get secret ca-${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + kubectl create secret generic ca-${key} --namespace ${COMPONENT_NAME} --from-literal=user="${ORG_NAME}-adminpw" + fi + } +{{- end }} + + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + echo "The credentials are already created, skipping..." + else + safeWriteCredentials credentials fi volumeMounts: - - name: certcheck - mountPath: /certcheck - name: scripts-volume mountPath: /scripts/bevel-vault.sh subPath: bevel-vault.sh - name: package-manager mountPath: /scripts/package-manager.sh subPath: package-manager.sh + - name: openssl-config + mountPath: /openssl/openssl.conf + subPath: openssl.conf diff --git a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml index 3fbbe603697..9a4f3dc59b9 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cacerts-gen/values.yaml 
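Review bot: In the kubectl branch of `safeWriteCredentials` the CA bootstrap admin password is `--from-literal=user="${ORG_NAME}-adminpw"`, i.e. derived from the org name that is also published in values.yaml; this is the value fabric-ca-server is later started with via `-b admin:<user_cred>`, so anyone who knows the org name can enrol as the CA admin. Generate it instead, e.g. `--from-literal=user="$(openssl rand -hex 16)"` (openssl is already in `packages_to_install`), and store it only in the secret; the hashicorp payload is outside this hunk, so whether it has the same weakness cannot be confirmed here and should be checked. The `if [ "$SECRETS_AVAILABLE" == "yes" ]` check before `safeWriteCredentials` has the same dead-branch problem in kubectl mode as the certificate check in the previous hunk.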
@@ -3,54 +3,51 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +--- +# The following are for overriding global values +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + #Provide the kubernetes host url + #Eg. kubernetesUrl: https://10.3.8.5:8443 + kubernetesUrl: + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: org1-vault-role + role: vault-role + #Provide the network type + network: fabric + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" -metadata: - #Provide organization's name - #Eg. namespace: org1 - name: org1 - #Provide organization's component_name - #Eg. component_name: org1-net - component_name: org1-net - #Provide the namespace for organization's peer - #Eg. namespace: org1-net - namespace: org1-net - images: - #Provide the valid image name and version to read certificates from vault server - #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the custom labels - #NOTE: Provide labels other than name, release name , release service, chart version , chart name , app. - #Eg. labels: - # role: anchorpeer - labels: anchorpeer - -vault: - #Provide the vaultrole for an organization - #Eg. 
vaultrole: org1-vault-role - role: vault-role - #Provide the vault server address - #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the kubernetes auth backed configured in vault for an organization - #Eg. authpath: fra-demo-hlkube-cluster-org1 - authpath: devorg1-net-auth - # Vault secret prefix for crypto - secretcryptoprefix: secretsv2/data/crypto/ordererOrganizations/org1-net/ca - # Vault secret prefix for credentials - secretcredentialsprefix: secretsv2/data/credentials/org1-net/ca/smari - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Kuberenetes secret for vault ca.cert - #Enable or disable TLS for vault communication if value present or not +image: + #Provide the valid image name and version to read certificates from vault server + #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the secret to use if private repository + #Eg. pullSecret: regcred + pullSecret: ca: + #Provide organization's name + orgName: supplychain #Provide the subject of the services ca organization's - #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=org1-net" - subject: /C=GB/ST=London/L=London/O=Orderer/CN=ca.org1-net + #Eg. subject: "/C=GB/ST=London/L=London/O=Carrier/CN=supplychain-net" + subject: /C=GB/ST=London/L=London/O=Orderer + # Flag to ensure the certificates secrets are removed on helm uninstall diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml index 6ff272cccab..1256cb248cb 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/Chart.yaml 
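Review bot: `alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest` pins the image that generates and stores the organisation's CA private key to a mutable tag, so the code running with access to that key can change underneath a deployment without any change to the chart; pin a version tag or digest and describe the update procedure instead. Several `#Eg.` comments were not updated with the key renames (`#Eg. vaultrole: org1-vault-role` above `role:`, `#Eg. authpath: supplychain` above `authPath:`), which will mislead anyone copying the example into a values file. The trailing `# Flag to ensure the certificates secrets are removed on helm uninstall` comment is the last line of the hunk; the key it documents lies outside it.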
@@ -5,7 +5,22 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Deploys a Fabric CA tools." name: fabric-catools +description: "Hyperledger Fabric: Deploys a Fabric CA tools." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/README.md b/platforms/hyperledger-fabric/charts/fabric-catools/README.md index 8353542dcba..89e81b97909 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-catools/README.md @@ -104,7 +104,7 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | ----------------------| --------------------------- | ------------------- | | storageclassname | Storage class name | aws-storageclass | -| storagesize | Storage size for CA | 512Mi | +| size | Storage size for CA | 512Mi | ### Vault 
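Review bot: `appVersion: latest` no longer says which Fabric release the embedded `fabric-ca-client` scripts were written against, while the PR description targets 2.5.4; a concrete `appVersion: "2.5.4"` gives operators that information from `helm search`/`helm list`. The `ethereum` entry in `keywords` looks copied from another chart and should be dropped for a Fabric chart.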
@@ -136,12 +136,11 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | ----------------------| ----------------------------------| ----------------| | external_url_suffix | External URL of the organization | org1proxy.blockchaincloudpoc.com | -| component_subject | Organization's subject | "" | -| cert_subject | Organization's subject | "" | -| component_country | Organization's country | UK | -| component_state | Organization's state | London | -| component_location | Organization's location | London | -| ca_url | Organization's CA URL | "" | +| componentSubject | Organization's subject | "" | +| certSubject | Organization's subject | "" | +| componentCountry | Organization's country | UK | +| componentState | Organization's state | London | +| componentLocation | Organization's location | London | ### Orderers @@ -155,21 +154,21 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | --------------| --------------------------- | -----------------| | name | Peer's name | peer1 | -| peer_count | Total number of peers | 4 | +| peerCount | Total number of peers | 4 | ### Users | Name | Description | Default Value | | ----------------------| --------------------------- | ----------------| -| users_list | Base64 encoded list of users | "" | -| users_identities | List of user identities | "" | +| usersList | Base64 encoded list of users | "" | +| usersIdentities | List of user identities | "" | ### Checks | Name | Description | Default Value | | ----------------------| --------------------------- | ------------------- | | refresh_cert_value | Refresh user certificates | false | -| add_peer_value | Add a peer to an existing network | false | +| addPeerValue | Add a peer to an existing network | false | 
diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl index 8823df47301..d4e68a15afc 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/_helpers.tpl @@ -1,8 +1,31 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fabric-catools.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fabric-catools.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fabric-catools.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{- define "labels.deployment" -}} {{- if $.Values.labels }} diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml index 40bb8bc304e..ed8641854e9 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/configmap.yaml 
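Review bot: `{{- $name := default .Chart.Name -}}` in `fabric-catools.fullname` passes only one argument to `default`, so `$name` is always `.Chart.Name` and a user-supplied `nameOverride` is honoured by `fabric-catools.name` but silently ignored by `fabric-catools.fullname`; it should read `{{- $name := default .Chart.Name .Values.nameOverride -}}`, matching the helper above it. The hunk also removes the `labels.custom` define; if any template in this chart still does `include "labels.custom"` rendering will fail, which cannot be verified from this view.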
@@ -9,12 +9,14 @@ apiVersion: v1 kind: ConfigMap metadata: name: crypto-scripts-cm - namespace: {{ .Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: crypto-scripts - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: generate-crypto-orderer.sh: |- #!/bin/bash @@ -22,13 +24,13 @@ data: set -x CURRENT_DIR=${PWD} - FULLY_QUALIFIED_ORG_NAME="{{ .Values.metadata.namespace }}" - EXTERNAL_URL_SUFFIX="{{ .Values.org_data.external_url_suffix }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.org_data.external_url_suffix }}") - ORG_NAME="{{ .Values.metadata.org_name }}" - SUBJECT="C={{ .Values.org_data.component_country }},ST={{ .Values.org_data.component_state }},L={{ .Values.org_data.component_location }},O={{ .Values.metadata.org_name }}" - SUBJECT_PEER="{{ .Values.org_data.component_subject }}" - CA="{{ .Values.org_data.ca_url }}" + FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" + EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" + ALTERNATIVE_ORG_NAMES=("{{ .Values.global.proxy.externalUrlSuffix }}") + ORG_NAME="{{ .Values.orgData.orgName }}" + SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" + SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" + CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054" CA_ADMIN_USER="${ORG_NAME}-admin" CA_ADMIN_PASS="${ORG_NAME}-adminpw" 
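Review bot: `CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054"` hard-wires the CA endpoint to the name of this release, so enrollment only resolves when the fabric-ca-server Service is named exactly like the fabric-catools release and lives in the same namespace; a value such as `orgData.caUrl` defaulting to that expression would keep the convenience without the hidden coupling. Independently, this script runs under `set -x` and elsewhere in this ConfigMap enrolls with `https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA}`, so the registrar password is echoed into the pod log; that is pre-existing, but while the values are being reworked it would be a good moment to read `CA_ADMIN_PASS` from the secret created by fabric-cacerts-gen instead of re-deriving `${ORG_NAME}-adminpw` inside a ConfigMap.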
@@ -48,7 +50,7 @@ data: ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts @@ -68,7 +70,7 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi 
@@ -89,13 +91,13 @@ data: set -x CURRENT_DIR=${PWD} - FULLY_QUALIFIED_ORG_NAME="{{ .Values.metadata.namespace }}" - EXTERNAL_URL_SUFFIX="{{ .Values.org_data.external_url_suffix }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.org_data.external_url_suffix }}") - ORG_NAME="{{ .Values.metadata.org_name }}" - SUBJECT="C={{ .Values.org_data.component_country }},ST={{ .Values.org_data.component_state }},L={{ .Values.org_data.component_location }},O={{ .Values.metadata.org_name }}" - SUBJECT_PEER="{{ .Values.org_data.component_subject }}" - CA="{{ .Values.org_data.ca_url }}" + FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" + EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" + ALTERNATIVE_ORG_NAMES=("{{ .Values.global.proxy.externalUrlSuffix }}") + ORG_NAME="{{ .Values.orgData.orgName }}" + SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" + SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" + CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054" CA_ADMIN_USER="${ORG_NAME}-admin" CA_ADMIN_PASS="${ORG_NAME}-adminpw" ORDERER_NAME=$1 @@ -140,7 +142,7 @@ data: # Create the TLS CA directories of the MSP folder if they don't exist. mkdir ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/tlscacerts - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi cp ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/orderers/${PEER}/msp/tlscacerts 
@@ -158,16 +160,17 @@ data: set -x CURRENT_DIR=${PWD} - FULLY_QUALIFIED_ORG_NAME="{{ .Values.metadata.namespace }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.metadata.namespace }}.svc.cluster.local" "{{ .Values.metadata.org_name }}.net" "{{ .Values.metadata.namespace }}.{{ .Values.org_data.external_url_suffix }}") - ORG_NAME="{{ .Values.metadata.org_name }}" - EXTERNAL_URL_SUFFIX="{{ .Values.org_data.external_url_suffix }}" - AFFILIATION="{{ .Values.metadata.org_name }}" - SUBJECT="C={{ .Values.org_data.component_country }},ST={{ .Values.org_data.component_state }},L={{ .Values.org_data.component_location }},O={{ .Values.metadata.org_name }}" - SUBJECT_PEER="{{ .Values.org_data.component_subject }}" - CA="{{ .Values.org_data.ca_url }}" + FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" + ALTERNATIVE_ORG_NAMES=("{{ .Release.Namespace }}.svc.cluster.local" "{{ .Values.orgData.orgName }}.net" "{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}") + ORG_NAME="{{ .Values.orgData.orgName }}" + EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" + AFFILIATION="{{ .Values.orgData.orgName }}" + SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgNname }}" + SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" + CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054" CA_ADMIN_USER="${ORG_NAME}-admin" CA_ADMIN_PASS="${ORG_NAME}-adminpw" + NO_OF_PEERS="$PEERS_COUNT" ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" 
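Review bot: `O={{ .Values.orgData.orgNname }}` in the `SUBJECT=` line misspells the value key (`orgName` is used two lines above for `ORG_NAME` and in every other script in this ConfigMap), so the peer-org subject renders with an empty `O=` and the identities issued from it carry a different subject than the orderer and admin ones; change it to `O={{ .Values.orgData.orgName }}`. `NO_OF_PEERS="$PEERS_COUNT"` now depends on an environment variable that the deployment must set; if it is unset the loop that presumably consumes it (outside this hunk) gets an empty count, so a guard such as `: "${PEERS_COUNT:?PEERS_COUNT must be set}"` would turn that into a visible failure.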
@@ -179,15 +182,13 @@ data: CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" - NO_OF_PEERS={{ .Values.peer_count }} - ## Enroll CA administrator for Org. This user will be used to create other identities fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT_PEER}" ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts @@ -209,7 +210,7 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi @@ -255,7 +256,7 @@ data: # Copy the peer org's admin cert into target MSP directory mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi cp ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts 
@@ -265,23 +266,24 @@ data: done cd ${CURRENT_DIR} - + generate-crypto-add-peer.sh: |- #!/bin/bash set -x CURRENT_DIR=${PWD} - FULLY_QUALIFIED_ORG_NAME="{{ .Values.metadata.namespace }}" - ALTERNATIVE_ORG_NAMES=("{{ .Values.metadata.namespace }}.svc.cluster.local" "{{ .Values.metadata.org_name }}.net" "{{ .Values.metadata.namespace }}.{{ .Values.org_data.external_url_suffix }}") - ORG_NAME="{{ .Values.metadata.org_name }}" - EXTERNAL_URL_SUFFIX="{{ .Values.org_data.external_url_suffix }}" - AFFILIATION="{{ .Values.metadata.org_name }}" - SUBJECT="C={{ .Values.org_data.component_country }},ST={{ .Values.org_data.component_state }},L={{ .Values.org_data.component_location }},O={{ .Values.metadata.org_name }}" - SUBJECT_PEER="{{ .Values.org_data.component_subject }}" - CA="{{ .Values.org_data.ca_url }}" + FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" + ALTERNATIVE_ORG_NAMES=("{{ .Release.Namespace }}.svc.cluster.local" "{{ .Values.orgData.orgName }}.net" "{{ .Release.Namespace }}.{{ .Values.global.proxy.externalUrlSuffix }}") + ORG_NAME="{{ .Values.orgData.orgName }}" + EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}" + AFFILIATION="{{ .Values.orgData.orgName }}" + SUBJECT="C={{ .Values.orgData.componentCountry }},ST={{ .Values.orgData.componentState }},L={{ .Values.orgData.componentLocation }},O={{ .Values.orgData.orgName }}" + SUBJECT_PEER="{{ .Values.orgData.componentSubject }}" + CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054" CA_ADMIN_USER="${ORG_NAME}-admin" CA_ADMIN_PASS="${ORG_NAME}-adminpw" + NO_OF_PEERS="$PEERS_COUNT" ORG_ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}" ORG_ADMIN_PASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw" 
@@ -293,8 +295,7 @@ data: CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}" ORG_HOME="${HOME}/ca-tools/${ORG_NAME}" - NO_OF_PEERS={{ .Values.peer_count }} - NO_OF_NEW_PEERS={{ .Values.new_peer_count }} + NO_OF_NEW_PEERS={{ .Values.new_peerCount }} ## Enroll CA administrator for Org. This user will be used to create other identities fabric-ca-client enroll -d -u https://${CA_ADMIN_USER}:${CA_ADMIN_PASS}@${CA} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER} --csr.names "${SUBJECT_PEER}" @@ -302,7 +303,7 @@ data: ## Get the CA cert and store in Org MSP folder fabric-ca-client getcacert -d -u https://${CA} --tls.certfiles ${ROOT_TLS_CERT} -M ${ORG_CYPTO_FOLDER}/msp - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi mkdir ${ORG_CYPTO_FOLDER}/msp/tlscacerts @@ -321,7 +322,7 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} cp -R ${ORG_HOME}/admin/msp ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER} - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_ADMIN_USER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi @@ -367,7 +368,7 @@ data: # Copy the peer org's admin cert into target MSP directory mkdir -p ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/admincerts - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi cp ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/cacerts/* ${ORG_CYPTO_FOLDER}/peers/${PEER}/msp/tlscacerts 
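Review bot: `NO_OF_NEW_PEERS={{ .Values.new_peerCount }}` mixes the old snake_case and the new camelCase convention adopted everywhere else in this PR (`peerCount`, `addPeerValue`, `usersList`), and it is still rendered from a value while `NO_OF_PEERS` in the same script was just switched to the `PEERS_COUNT` environment variable; choose one mechanism for both, for example `NO_OF_NEW_PEERS="$NEW_PEERS_COUNT"` or a `newPeerCount` value. Whichever is kept should also appear in the README table, whose Peers section in this PR lists only `name` and `peerCount`.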
@@ -385,13 +386,13 @@ data: CURRENT_DIR=${PWD} # Input parameters - FULLY_QUALIFIED_ORG_NAME="{{ .Values.metadata.namespace }}" - ORG_NAME="{{ .Values.metadata.org_name }}" + FULLY_QUALIFIED_ORG_NAME="{{ .Release.Namespace }}" + ORG_NAME="{{ .Values.orgData.orgName }}" TYPE_FOLDER=$1s USER_IDENTITIES=$2 - AFFILIATION="{{ .Values.metadata.org_name }}" - SUBJECT="{{ .Values.org_data.component_subject }}" - CA="{{ .Values.org_data.ca_url }}" + AFFILIATION="{{ .Values.orgData.orgName }}" + SUBJECT="{{ .Values.orgData.componentSubject }}" + CA="{{ .Release.Name }}.{{ .Release.Namespace }}:7054" if [ "$1" != "peer" ]; then ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}" ROOT_TLS_CERT="/crypto-config/ordererOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem" @@ -442,7 +443,7 @@ data: mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER} cp -R ${ORG_HOME}/client${USER}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER} - if [ "{{ .Values.metadata.proxy }}" != "none" ]; then + if [ "{{ .Values.global.proxy.provider }}" != "none" ]; then mv ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/cacerts/*.pem ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/cacerts/ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem fi mkdir ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/msp/tlscacerts @@ -539,12 +540,14 @@ apiVersion: v1 kind: ConfigMap metadata: name: orderer-script-store-vault - namespace: {{ .Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: orderer-script-vault - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: store-vault-orderer.sh: |- #!/bin/bash 
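Review bot: The `# Input parameters` block of the user-identity script (`TYPE_FOLDER=$1s`, `USER_IDENTITIES=$2`) now sets `FULLY_QUALIFIED_ORG_NAME`, `ORG_NAME`, `AFFILIATION`, `SUBJECT` and `CA` but not `EXTERNAL_URL_SUFFIX`, while the `@@ -442` hunk of the same script renames the CA cert to `ca-${FULLY_QUALIFIED_ORG_NAME}-${EXTERNAL_URL_SUFFIX}.pem` whenever the proxy provider is not `none`; unless the variable is assigned in the lines between the two hunks, the file is written as `ca-<org>-.pem` and will not match what the orderer and peer scripts produce. Adding `EXTERNAL_URL_SUFFIX="{{ .Values.global.proxy.externalUrlSuffix }}"` next to the other inputs, as the other three scripts in this ConfigMap do, would make the four consistent.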
@@ -557,259 +560,234 @@ data: done < ${1} > ${2}/${NAME}.txt } - validateVaultResponse () { - if echo ${2} | grep "errors" || [ "${2}" = "" ]; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - if [ "$3" == "LOOKUPSECRETRESPONSE" ] - then - http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \ - --header "X-Vault-Token: ${VAULT_TOKEN}" \ - ${VAULT_ADDR}/v1/${1}) - curl_response=$? - if test "$http_code" != "200" ; then - echo "Http response code from Vault - $http_code and curl_response - $curl_response" - if test "$curl_response" != "0"; then - echo "Error: curl command failed with error code - $curl_response" - exit 1 - fi - fi - fi - } - - echo "Puting secrets/certificates from Vault server" - KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - VAULT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login -H "Content-Type: application/json" -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | jq -r 'if .errors then . 
else .auth.client_token end') - validateVaultResponse 'vault login token' "${VAULT_TOKEN}" - - FORMAT_CERTIFICATE_PATH="/formatcertificate" - mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls - mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp - - ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" - - if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi - COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] - do - - if [ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ] - then - - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) - CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) - - echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"client.crt\": \"${CLIENT_CRT}\", - \"client.key\": \"${CLIENT_KEY}\" - } - }" > payload.json - - # This command copy organization level tls certificates for orgs - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/tls - - # Check tls certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/tls | jq -r 'if .errors then . else . 
end') - TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - TLS_CLIENT_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.crt"]' 2>&1) - TLS_CLIENT_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.key"]' 2>&1) +{{- if eq .Values.global.vault.type "hashicorp" }} + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + + FORMAT_CERTIFICATE_PATH="/formatcertificate" + mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls + mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp + + function saveAdminSecrets { + TLS_KEY=$1 + TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) + MPS_KEY=$2 + MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) + + if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi + if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi + COUNTER=1 + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + do + if [ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ] + then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) + CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) + + echo " + { + \"data\": + { + \"ca.crt\": \"${CA_CRT}\", + \"client.crt\": \"${CLIENT_CRT}\", + \"client.key\": \"${CLIENT_KEY}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' + rm payload.json 
- for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + # Check tls certificates + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ADMIN_TLS_CERT_WRITTEN=false - break - else - ADMIN_TLS_CERT_WRITTEN=true + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) + TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) + TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) + + tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") + + for field in "${tls_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ADMIN_TLS_CERT_WRITTEN=false + break + else + ADMIN_TLS_CERT_WRITTEN=true + fi + done fi - done - rm payload.json - fi - - if [ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ] - then - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + fi - formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + if [ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ] + then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) - 
CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - if [ "$PROXY" != "none" ] ; then + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; + if [ "$PROXY" != "none" ] ; then - if [ "$PROXY" = "none" ] ; then + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json + fi; - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/ca-${COMPONENT_NAME}-7054.pem.txt) + if [ "$PROXY" = "none" ] ; then - 
echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) - # This command copy organization level msp certificates for orgs - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/msp + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json + fi; - # Check msp certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/msp | jq -r 'if .errors then . else . 
end') - MSP_ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]' 2>&1) - MSP_CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]' 2>&1) - MSP_KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]' 2>&1) - MSP_SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]' 2>&1) - MSP_TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]' 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' + rm payload.json - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + # Check msp certificates + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ADMIN_MSP_CERT_WRITTEN=false - break - else - ADMIN_MSP_CERT_WRITTEN=true + MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) + MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) + MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) + MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) + MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) + + msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + for field in "${msp_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ADMIN_MSP_CERT_WRITTEN=false + break + else + ADMIN_MSP_CERT_WRITTEN=true + fi + done fi - done - rm payload.json - fi - - if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] - then - echo "Admin certificates are successfully stored in vault" - break - else - echo "Admin certificates are 
not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; + fi - ORG_CYPTO_ORDERER_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/orderers" - list=$(echo "$ORDERERS_NAMES" | tr "-" "\n") - for ORDERER_NAME in $list - do - COUNTER=1 - if [ -e /certcheck/present_tls_${ORDERER_NAME}.txt ]; then ORDERER_TLS_CERT_WRITTEN=true; else ORDERER_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp_${ORDERER_NAME}.txt ]; then ORDERER_MSP_CERT_WRITTEN=true; else ORDERER_MSP_CERT_WRITTEN=false; fi - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] - do - if [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ] && [ "$ORDERER_TLS_CERT_WRITTEN" = "false" ]; then + if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] + then + echo "Admin certificates are successfully stored in vault" + break + else + echo "Admin certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` + fi + done - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt" 
"${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] + then + echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." + touch ${MOUNT_PATH}/certs_not_found.txt + exit 1 + fi + } + + function saveOrdererSecrets { + ORDERER_NAME=$1 + TLS_KEY=$2 + TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) + MPS_KEY=$3 + MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) + + COUNTER=1 + if [ -e /certcheck/present_tls_${ORDERER_NAME}.txt ]; then ORDERER_TLS_CERT_WRITTEN=true; else ORDERER_TLS_CERT_WRITTEN=false; fi + if [ -e /certcheck/present_msp_${ORDERER_NAME}.txt ]; then ORDERER_MSP_CERT_WRITTEN=true; else ORDERER_MSP_CERT_WRITTEN=false; fi + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + do + if [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ] && [ "$ORDERER_TLS_CERT_WRITTEN" = "false" ]; then - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/ca.crt.txt) - SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.crt.txt) - SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.key.txt) + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key" 
"${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls" - echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"server.crt\": \"${SERVER_CRT}\", - \"server.key\": \"${SERVER_KEY}\" - } - }" > payload.json + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/ca.crt.txt) + SERVER_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.crt.txt) + SERVER_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/tls/server.key.txt) - # This command copy the crypto material for orderer (tls) - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_ORDERER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls - - # Check tls certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_ORDERER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls | jq -r 'if .errors then . else . end') - TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - TLS_SERVER_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["server.crt"]' 2>&1) - TLS_SERVER_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["server.key"]' 2>&1) + echo " + { + \"data\": + { + \"ca.crt\": \"${CA_CRT}\", + \"server.crt\": \"${SERVER_CRT}\", + \"server.key\": \"${SERVER_KEY}\" + } + }" > payload.json - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_SERVER_CERT" "$TLS_SERVER_KEY") + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' + rm payload.json - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + # Check tls certificates + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ORDERER_TLS_CERT_WRITTEN=false - break - else - ORDERER_TLS_CERT_WRITTEN=true + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 
2>&1) + TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"server.crt\"]" 2>&1) + TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"server.key\"]" 2>&1) + + tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") + + for field in "${tls_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ORDERER_TLS_CERT_WRITTEN=false + break + else + ORDERER_TLS_CERT_WRITTEN=true + fi + done fi - done - rm payload.json - fi; + fi; - if [ -e /certcheck/absent_msp_${ORDERER_NAME}.txt ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "false" ]; then + if [ -e /certcheck/absent_msp_${ORDERER_NAME}.txt ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "false" ]; then # This commands put the certificates with correct format for the curl command SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") 
@@ -823,10 +801,10 @@ data: if [ "$PROXY" != "none" ] ; then - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) echo " { 
@@ -843,10 +821,10 @@ data: fi; if [ "$PROXY" = "none" ] ; then - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem.txt) + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${ORDERER_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) echo " { 
@@ -862,66 +840,179 @@ data: fi; - # This command copy the msp certificates to the Vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_ORDERER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' + rm payload.json # Check msp certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_ORDERER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp | jq -r 'if .errors then . else . end') - MSP_ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]' 2>&1) - MSP_CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]' 2>&1) - MSP_KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]' 2>&1) - MSP_SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]' 2>&1) - MSP_TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]' 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) + MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) + MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) + MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) + MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) + + msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + for field in "${msp_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ORDERER_MSP_CERT_WRITTEN=false + break + else + 
ORDERER_MSP_CERT_WRITTEN=true + fi + done + fi + fi; + + if [ "$ORDERER_TLS_CERT_WRITTEN" = "true" ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "true" ] + then + echo "${ORDERER_NAME} certificates are successfully stored in vault" + break + else + echo "${ORDERER_NAME} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` + fi + done - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - ORDERER_MSP_CERT_WRITTEN=false - break - else - ORDERER_MSP_CERT_WRITTEN=true - fi - done - rm payload.json + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] + then + echo "Retry attempted `expr $COUNTER - 1` times, Orderers certificates have not been saved." + touch ${MOUNT_PATH}/certs_not_found.txt + exit 1 fi; - if [ "$ORDERER_TLS_CERT_WRITTEN" = "true" ] && [ "$ORDERER_MSP_CERT_WRITTEN" = "true" ] + } + +{{- else }} + + function saveAdminSecrets { + TLS_KEY=$1 + MPS_KEY=$2 + if [ -e /certcheck/absent_tls.txt ] then - echo "${ORDERER_NAME} certificates are successfully stored in vault" - break - else - echo "${ORDERER_NAME} certificates are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ + --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ + --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Orderers certificates have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; + + if [ -e /certcheck/absent_msp.txt ] + then + if [ "$PROXY" != "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + fi + + if [ "$PROXY" = "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + fi + fi + + checkSecret admin-msp + checkSecret admin-tls + } + + function saveOrdererSecrets { + ORDERER_NAME=$1 + TLS_KEY=$2 + MPS_KEY=$3 + + if [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ] + then + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=cacrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt \ + --from-file=servercrt=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.crt \ + --from-file=serverkey=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/server.key + fi + + if [ -e /certcheck/absent_msp_${ORDERER_NAME}.txt ] + then + + if [ "$PROXY" != "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl 
create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem + fi + + if [ "$PROXY" = "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem + fi + fi + + checkSecret $ORDERER_NAME-tls + checkSecret $ORDERER_NAME-msp + } + + function checkSecret { + key=$1 + kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Secret ${key} wasn't created correctly" + touch ${MOUNT_PATH}/certs_not_found.txt + fi + } + +{{- end }} + + function safeOrderererTlsConfigmap { + ORDERER_NAME=$1 + kubectl get configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert + if [ $? 
-ne 0 ] && [ -e /certcheck/absent_tls_${ORDERER_NAME}.txt ]; then + kubectl create configmap --namespace {{ .Release.Namespace }} orderer-tls-cacert --from-file=cacert=${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/tls/ca.crt + fi + } + + ORG_CYPTO_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" + ORG_CYPTO_ORDERER_FOLDER="/crypto-config/ordererOrganizations/${COMPONENT_NAME}/orderers" + saveAdminSecrets admin-tls admin-msp + + for ORDERER in $ORDERERS_NAMES + do + saveOrdererSecrets $ORDERER $ORDERER-tls $ORDERER-msp + safeOrderererTlsConfigmap $ORDERER done + --- apiVersion: v1 kind: ConfigMap metadata: name: peer-script-store-vault - namespace: {{ .Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: peer-script-vault - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: store-vault-peer.sh: |- #!/bin/bash 
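Review bot: In the Kubernetes-secret branch, `saveAdminSecrets` verifies the literal names `checkSecret admin-msp` / `checkSecret admin-tls` instead of the `${MPS_KEY}` / `${TLS_KEY}` it was handed, so a caller passing other names would have the wrong secrets checked; use `checkSecret ${MPS_KEY}` and `checkSecret ${TLS_KEY}`, mirroring how `saveOrdererSecrets` derives `$ORDERER_NAME-tls`. `checkSecret` also only touches `${MOUNT_PATH}/certs_not_found.txt` and returns, whereas the Vault branch does `exit 1` once its retries are exhausted, so the two backends report a missing secret differently — confirm the caller acts on the marker file, or add `exit 1` after the `touch`. In the Vault branch, `tr - /` rewrites every hyphen in the `TLS_KEY`/`MPS_KEY` arguments, so an orderer name that itself contains a hyphen would be split into extra Vault path segments; a comment on the `*_FORMATTED` lines stating that assumption would help. The helper name `safeOrderererTlsConfigmap` reads like a typo for `saveOrdererTlsConfigmap`, and its `kubectl get configmap` probe is not redirected to `/dev/null` the way `checkSecret` does it. The Vault-branch `saveOrdererSecrets` whose tail this hunk shows starts in an earlier hunk.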
@@ -955,200 +1046,189 @@ data: fi } - echo "Puting secrets/certificates from Vault server" - KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - VAULT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login -H "Content-Type: application/json" -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | jq -r 'if .errors then . else .auth.client_token end') - validateVaultResponse 'vault login token' "${VAULT_TOKEN}" +{{- if eq .Values.global.vault.type "hashicorp" }} + echo "coming soon" + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" FORMAT_CERTIFICATE_PATH="/formatcertificate" mkdir -p ${FORMAT_CERTIFICATE_PATH}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp - ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" - - if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi - if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi - COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] - do - - if ([ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then + function saveAdminSecrets { + TLS_KEY=$1 + TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) + MPS_KEY=$2 + MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) - # This commands put the certificates with correct format for the curl command - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - - CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) - CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) - - 
echo " - { - \"data\": - { - \"ca.crt\": \"${CA_CRT}\", - \"client.crt\": \"${CLIENT_CRT}\", - \"client.key\": \"${CLIENT_KEY}\" - } - }" > payload.json - - # This command copy organization level tls certificates for orgs - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/tls - - # Check tls certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/tls | jq -r 'if .errors then . else . end') - TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - TLS_CLIENT_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.crt"]' 2>&1) - TLS_CLIENT_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.key"]' 2>&1) + if [ -e /certcheck/present_tls.txt ]; then ADMIN_TLS_CERT_WRITTEN=true; else ADMIN_TLS_CERT_WRITTEN=false; fi + if [ -e /certcheck/present_msp.txt ]; then ADMIN_MSP_CERT_WRITTEN=true; else ADMIN_MSP_CERT_WRITTEN=false; fi + COUNTER=1 + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + do + if [ -e /certcheck/absent_tls.txt ] && [ "$ADMIN_TLS_CERT_WRITTEN" = "false" ] + then + # This commands put the certificates with correct format for the curl command + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/client.key" "${FORMAT_CERTIFICATE_PATH}/tls" - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + CLIENT_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.crt.txt) + CLIENT_KEY=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/client.key.txt) + + echo " + { + \"data\": + { + \"ca.crt\": \"${CA_CRT}\", + \"client.crt\": \"${CLIENT_CRT}\", + \"client.key\": \"${CLIENT_KEY}\" + } 
+ }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' + rm payload.json - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + # Check tls certificates + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ADMIN_TLS_CERT_WRITTEN=false - break - else - ADMIN_TLS_CERT_WRITTEN=true - fi - done - rm payload.json - fi; - - if ([ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) + TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) + TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) - # This commands put the certificates with correct format for the curl command - SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" + for field in "${tls_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ADMIN_TLS_CERT_WRITTEN=false + break + else + ADMIN_TLS_CERT_WRITTEN=true + fi + done + fi + fi - ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) - KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) - SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) - CA_CRT=$(cat 
${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) + if [ -e /certcheck/absent_msp.txt ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "false" ] + then + # This commands put the certificates with correct format for the curl command + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") - if [ "$PROXY" != "none" ] ; then + formatCertificate "${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${SK_NAME}" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + formatCertificate "${ORG_CYPTO_FOLDER}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/tls" - formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json + ADMINCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/Admin@${COMPONENT_NAME}-cert.pem.txt) + KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/*_sk.txt) + SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/cert.pem.txt) + CA_CRT=$(cat ${FORMAT_CERTIFICATE_PATH}/tls/ca.crt.txt) - fi; + if [ "$PROXY" != "none" ] ; then - if [ "$PROXY" = "none" ] ; then + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json + fi; - 
formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/ca-${COMPONENT_NAME}-7054.pem.txt) + if [ "$PROXY" = "none" ] ; then - echo " - { - \"data\": - { - \"admincerts\": \"${ADMINCERTS}\", - \"cacerts\": \"${CACERTS}\", - \"keystore\": \"${KEYSTORE}\", - \"signcerts\": \"${SIGNCERTS}\", - \"tlscacerts\": \"${CA_CRT}\" - } - }" > payload.json - fi; + formatCertificate "${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/msp" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/msp/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) - # This command copy organization level msp certificates for orgs - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/msp - - # Check msp certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/admin/msp | jq -r 'if .errors then . else . 
end') - MSP_ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]' 2>&1) - MSP_CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]' 2>&1) - MSP_KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]' 2>&1) - MSP_SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]' 2>&1) - MSP_TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]' 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + echo " + { + \"data\": + { + \"admincerts\": \"${ADMINCERTS}\", + \"cacerts\": \"${CACERTS}\", + \"keystore\": \"${KEYSTORE}\", + \"signcerts\": \"${SIGNCERTS}\", + \"tlscacerts\": \"${CA_CRT}\" + } + }" > payload.json + fi; - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' + rm payload.json + + # Check msp certificates + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ADMIN_MSP_CERT_WRITTEN=false - break - else - ADMIN_MSP_CERT_WRITTEN=true + MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) + MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) + MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) + MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) + MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) + + msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + for field in "${msp_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + ADMIN_MSP_CERT_WRITTEN=false + break + else + ADMIN_MSP_CERT_WRITTEN=true + fi + done fi - 
done + fi - rm payload.json - fi; + if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] + then + echo "Admin certificates are successfully stored in vault" + break + else + echo "Admin certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` + fi + done - if [ "$ADMIN_TLS_CERT_WRITTEN" = "true" ] && [ "$ADMIN_MSP_CERT_WRITTEN" = "true" ] + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] then - echo "Admin certificates are successfully stored in vault" - break - else - echo "Admin certificates are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` + echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." + touch ${MOUNT_PATH}/certs_not_found.txt + exit 1 fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Admin certificates have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - - ORG_CYPTO_PEER_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/peers" + } - list=$(echo "$PEERS_NAMES" | tr "-" "\n") - for PEER in $list - do - SAVE=false - STATUS="${PEER##*,}" - if [ "$STATUS" = "new" ] || [ "$STATUS" = "" ]; then - PEER_NAME="${PEER%%,*}" - SAVE=true - else - continue - fi; + function savePeerSecrets { + PEER_NAME=$1 + TLS_KEY=$2 + TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) + MPS_KEY=$3 + MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) + COUNTER=1 if [ -e /certcheck/present_tls_${PEER_NAME}.txt ]; then PEER_TLS_CERT_WRITTEN=true; else PEER_TLS_CERT_WRITTEN=false; fi if [ -e /certcheck/present_msp_${PEER_NAME}.txt ]; then PEER_MSP_CERT_WRITTEN=true; else PEER_MSP_CERT_WRITTEN=false; fi - mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts mkdir -p ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] do - if ([ -e /certcheck/absent_tls_${PEER_NAME}.txt ] && [ "$PEER_TLS_CERT_WRITTEN" = "false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ]; then - + if ([ -e /certcheck/absent_tls_${PEER_NAME}.txt ] && [ "$PEER_TLS_CERT_WRITTEN" = "false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] + then # This commands put the certificates with correct format for the curl command formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/tls" 
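Review bot: `savePeerSecrets` keeps `[ "$SAVE" == 'true' ]` in its TLS condition, but the `SAVE=false` / `SAVE=true` assignments that derived it from the peer status suffix are removed in this hunk, so unless the caller (outside this hunk) exports `SAVE`, peer TLS material would only be written when `REFRESH_CERTS` is `true`; either drop `&& [ "$SAVE" == 'true' ]` or pass the status into the function and set `SAVE` there. The new `saveAdminSecrets` also drops the `|| [ "$REFRESH_CERTS" == 'true' ]` alternative that the old admin checks and the peer function still have, so a refresh run would no longer rewrite the admin certificates — confirm this is intended. `echo "coming soon"` before `. ../bevel-vault.sh` looks like a leftover placeholder and should be removed or replaced with a meaningful message. `savePeerSecrets` continues past the end of this hunk.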
@@ -1168,37 +1248,34 @@ data: } }" > payload.json - # This command copy the crypto material for peers (tls) - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER}/${PEER_NAME}.${COMPONENT_NAME}/tls - + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' + rm payload.json + # Check tls certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER}/${PEER_NAME}.${COMPONENT_NAME}/tls | jq -r 'if .errors then . else . end') - TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - TLS_SERVER_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["server.crt"]' 2>&1) - TLS_SERVER_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["server.key"]' 2>&1) + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) + TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"server.crt\"]" 2>&1) + TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"server.key\"]" 2>&1) - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_SERVER_CERT" "$TLS_SERVER_KEY") + tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - PEER_TLS_CERT_WRITTEN=false - break - else - PEER_TLS_CERT_WRITTEN=true - fi - done - rm payload.json + for field in "${tls_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + PEER_TLS_CERT_WRITTEN=false + break + else + PEER_TLS_CERT_WRITTEN=true + fi + done + fi fi; - if ([ -e /certcheck/absent_msp_${PEER_NAME}.txt ] && [ "$PEER_MSP_CERT_WRITTEN" = 
"false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ]; then - + if ([ -e /certcheck/absent_msp_${PEER_NAME}.txt ] && [ "$PEER_MSP_CERT_WRITTEN" = "false" ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] + then # This commands put the certificates with correct format for the curl command SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") 
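Review bot: The read-back of the peer TLS secret now puts `server.crt`/`server.key` into variables renamed TLS_CLIENT_CERT/TLS_CLIENT_KEY, which mirrors the users script but misnames what a peer holds; keep `TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"server.crt\"]" 2>&1)` and `TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"server.key\"]" 2>&1)` and use the same names in `tls_certificate_fields`. When `vaultBevelFunc "readJson"` leaves SECRETS_AVAILABLE at anything other than `yes`, PEER_TLS_CERT_WRITTEN is not touched at all, so on a REFRESH_CERTS run where the flag started true the write can be reported as verified without any read-back having happened; set the flag to false in that case or document that it relies on its initial value. The enclosing savePeerSecrets starts before this hunk.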
@@ -1210,12 +1287,12 @@ data: KEYSTORE=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/*_sk.txt) SIGNCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cert.pem.txt) - if [ "$PROXY" != "none" ] ; then - - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + if [ "$PROXY" != "none" ] + then + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) echo " { 
@@ -1228,14 +1305,14 @@ data: \"tlscacerts\": \"${TLSCERTS}\" } }" > payload.json - fi; - if [ "$PROXY" = "none" ] ; then - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" - formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem.txt) + if [ "$PROXY" = "none" ] + then + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts" + formatCertificate "${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${PEER_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) echo " { 
@@ -1251,212 +1328,384 @@ data: fi; - # This command copy the msp certificates to the Vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER}/${PEER_NAME}.${COMPONENT_NAME}/msp + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' + rm payload.json # Check msp certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER}/${PEER_NAME}.${COMPONENT_NAME}/msp | jq -r 'if .errors then . else . end') - MSP_ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]' 2>&1) - MSP_CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]' 2>&1) - MSP_KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]' 2>&1) - MSP_SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]' 2>&1) - MSP_TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]' 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) + MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) + MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) + MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) + MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - PEER_MSP_CERT_WRITTEN=false - break - else - PEER_MSP_CERT_WRITTEN=true - fi - done - rm payload.json + msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" 
"$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + for field in "${msp_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + PEER_MSP_CERT_WRITTEN=false + break + else + PEER_MSP_CERT_WRITTEN=true + fi + done + fi fi; - + if [ "$PEER_TLS_CERT_WRITTEN" = "true" ] && [ "$PEER_MSP_CERT_WRITTEN" = "true" ] then echo "${PEER_NAME} certificates are successfully stored in vault" break else - echo "${PEER_NAME} certificates are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} + echo "${PEER_NAME} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, peers certificates have not been saved." 
touch ${MOUNT_PATH}/certs_not_found.txt exit 1 fi; + } - done + function saveConfigFileSecrets { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) - COUNTER=1 - if [ -e /certcheck/present_config_file.txt ]; then CONFIG_FILE_WRITTEN=true; else CONFIG_FILE_WRITTEN=false; fi - COUCHDB_WRITTEN=false - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] - do - if [ -e /certcheck/absent_config_file.txt ] && [ "$CONFIG_FILE_WRITTEN" = "false" ]; then + COUNTER=1 + if [ -e /certcheck/present_config_file.txt ]; then CONFIG_FILE_WRITTEN=true; else CONFIG_FILE_WRITTEN=false; fi + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + do + if [ -e /certcheck/absent_config_file.txt ] && [ "$CONFIG_FILE_WRITTEN" = "false" ]; then - # This commands put the config file with correct format for the curl command - mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp_config_file - formatCertificate "/crypto-config/peerOrganizations/${COMPONENT_NAME}/msp/config.yaml" "${FORMAT_CERTIFICATE_PATH}/msp_config_file" - MSP_CONFIG_FILE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp_config_file/config.yaml.txt) + # This commands put the config file with correct format for the curl command + mkdir -p ${FORMAT_CERTIFICATE_PATH}/msp_config_file + formatCertificate "/crypto-config/peerOrganizations/${COMPONENT_NAME}/msp/config.yaml" "${FORMAT_CERTIFICATE_PATH}/msp_config_file" + MSP_CONFIG_FILE=$(cat ${FORMAT_CERTIFICATE_PATH}/msp_config_file/config.yaml.txt) - echo " - { - \"data\": - { - \"configfile\": \"${MSP_CONFIG_FILE}\" - } - }" > payload.json - - # This command write the msp config file to Vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_CONFIG_FILE} - - # Check msp config file - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_CONFIG_FILE} | jq -r 'if .errors then . else . 
end') - CONFIG_FILE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["configfile"]' 2>&1) - - if [ "$CONFIG_FILE" = "null" ] || [[ "$CONFIG_FILE" = "parse error"* ]] || [ "$CONFIG_FILE" = "" ] - then - CONFIG_FILE_WRITTEN=false - else - CONFIG_FILE_WRITTEN=true - fi - rm payload.json - fi; - - if [ "$COUCHDB_WRITTEN" = "false" ]; then - - # This command writes the couchdb credentials for each organization to the vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d '{ "data": {"user":"admin123"}}' \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_COUCHDB} - - # Check couchdb credentials - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_COUCHDB} | jq -r 'if .errors then . else . end') - USER=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["user"]' 2>&1) - - if [ "$USER" = "null" ] || [[ "$USER" = "parse error"* ]] || [ "$USER" = "" ] + echo " + { + \"data\": + { + \"configfile\": \"${MSP_CONFIG_FILE}\" + } + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' + rm payload.json + + # Check cofig file + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + CONFIG_FILE=$(echo ${VAULT_SECRET} | jq -r ".[\"configfile\"]" 2>&1) + if [ "$CONFIG_FILE" = "null" ] || [[ "$CONFIG_FILE" = "parse error"* ]] || [ "$CONFIG_FILE" = "" ] + then + CONFIG_FILE_WRITTEN=false + break + else + CONFIG_FILE_WRITTEN=true + fi + fi + fi; + + if [ "$CONFIG_FILE_WRITTEN" = "true" ] then - COUCHDB_WRITTEN=false + echo "MSP config file is successfully stored in vault" + break else - COUCHDB_WRITTEN=true + echo "MSP config file is not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` fi - fi; + done - if [ "$CONFIG_FILE_WRITTEN" 
= "true" ] && [ "$COUCHDB_WRITTEN" = "true" ] + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] then - echo "MSP config file and couchdb credentials are successfully stored in vault" - break - else - echo "MSP config file or couchdb credentials are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` - fi - done - - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, cryto materials have not been saved." - touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 - fi; - - list=$(echo "$ORDERERS_NAMES" | tr "-" "\n") - for ORDERER in $list - do + echo "Retry attempted `expr $COUNTER - 1` times, cryto materials have not been saved." + touch ${MOUNT_PATH}/certs_not_found.txt + exit 1 + fi; + } + + function saveCouchdbSecrets { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + COUNTER=1 - if [ -e /certcheck/present_orderer_tls_cert.txt ]; then ORDERER_TLS_WRITTEN=true; else ORDERER_TLS_WRITTEN=false; fi - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] + COUCHDB_WRITTEN=false + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] do - if [ -e /certcheck/absent_orderer_tls_cert.txt ] && [ "$ORDERER_TLS_WRITTEN" = "false" ]; then - cat /tlscerts/${ORDERER}.crt | base64 -d > ${ORDERER}.formatted - # formatting is needed because bas64 encoding removed the newlines, so they need to be added again - while read line || [ -n "$line" ]; - do - echo "$line\n"; - done < ${ORDERER}.formatted > ${ORDERER}.final - ORDERER_TLS=$(cat ${ORDERER}.final) + if [ "$COUCHDB_WRITTEN" = "false" ]; then + echo " { \"data\": - { - \"ca.crt\": \"${ORDERER_TLS}\" - } + { + \"user\": \"admin123\" + } }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' + rm payload.json - # This command writes organization level certificates for orderers to 
vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER_ORDERER_TLS} - - # Check orderer certs - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_PEER_ORDERER_TLS} | jq -r 'if .errors then . else . end') - CA_CRT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - - if [ "$CA_CRT" = "null" ] || [[ "$CA_CRT" = "parse error"* ]] || [ "$CA_CRT" = "" ] + # Check couchdb credentials + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - ORDERER_TLS_WRITTEN=false - else - ORDERER_TLS_WRITTEN=true - fi - rm payload.json - fi + USER=$(echo ${VAULT_SECRET} | jq -r ".[\"user\"]" 2>&1) + if [ "$USER" = "null" ] || [[ "$USER" = "parse error"* ]] || [ "$USER" = "" ] + then + COUCHDB_WRITTEN=false + break + else + COUCHDB_WRITTEN=true + fi + fi + fi; - if [ "$ORDERER_TLS_WRITTEN" = "true" ] + if [ "$COUCHDB_WRITTEN" = "true" ] then - echo "${ORDERER} tls certificate are successfully stored in vault" + echo "Couchdb credentials are successfully stored in vault" break else - echo "${ORDERER} tls certificate are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} + echo "Couchdb credentials are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done + } + + function saveOrdererTlsSecrets { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + + COUNTER=1 + if [ -e /certcheck/present_orderer_tls_cert.txt ]; then ORDERER_TLS_WRITTEN=true; else ORDERER_TLS_WRITTEN=false; fi + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] + do + if [ -e /certcheck/absent_orderer_tls_cert.txt ] && [ "$ORDERER_TLS_WRITTEN" = "false" ] + then + # 
formatting is needed because bas64 encoding removed the newlines, so they need to be added again + while read line || [ -n "$line" ]; + do + echo "$line\n"; + done < /tlscerts/orderer.crt > orderer.formatted + ORDERER_TLS=$(cat orderer.formatted) + echo " + { + \"data\": + { + \"ca.crt\": \"${ORDERER_TLS}\" + } + }" > payload.json + + # This command writes organization level certificates for orderers to vault + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" 'payload.json' + rm payload.json + + # Check couchdb credentials + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + CA_CRT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) + if [ "$CA_CRT" = "null" ] || [[ "$CA_CRT" = "parse error"* ]] || [ "$CA_CRT" = "" ] + then + ORDERER_TLS_WRITTEN=false + else + ORDERER_TLS_WRITTEN=true + fi + fi + fi; + + if [ "$ORDERER_TLS_WRITTEN" = "true" ] + then + echo "${ORDERER} tls certificate are successfully stored in vault" + break + else + echo "${ORDERER} tls certificate are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` + fi + done + + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] + then + echo "Retry attempted `expr $COUNTER - 1` times, orderer tls have not been saved." 
+ touch ${MOUNT_PATH}/certs_not_found.txt + exit 1 + fi; + } + +{{- else }} + function saveAdminSecrets { + TLS_KEY=$1 + MPS_KEY=$2 + if [ -e /certcheck/absent_tls.txt ] + then + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=${ORG_CYPTO_FOLDER}/tls/ca.crt \ + --from-file=clientcrt=${ORG_CYPTO_FOLDER}/tls/client.crt \ + --from-file=clientkey=${ORG_CYPTO_FOLDER}/tls/client.key + fi + + if [ -e /certcheck/absent_msp.txt ] + then + if [ "$PROXY" != "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + fi + + if [ "$PROXY" = "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_FOLDER}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_FOLDER}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_FOLDER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_FOLDER}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_FOLDER}/tls/ca.crt + fi + fi + + checkSecret admin-msp + checkSecret admin-tls + + } + + function savePeerSecrets { + PEER_NAME=$1 + TLS_KEY=$2 + MPS_KEY=$3 - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] + if ([ -e /certcheck/absent_tls_${PEER_NAME}.txt ] && [ "$SAVE" == 'true' ]) || [ "$REFRESH_CERTS" == 'true' ] + then + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ + 
--from-file=cacrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/ca.crt \ + --from-file=servercrt=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.crt \ + --from-file=serverkey=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/tls/server.key + fi + + if [ -e /certcheck/absent_msp_${PEER_NAME}.txt ] + then + + if [ "$PROXY" != "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem + fi + + if [ "$PROXY" = "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/admincerts/Admin@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_PEER_FOLDER}/${PEER_NAME}.${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem + fi + fi + + checkSecret $PEER_NAME-tls + checkSecret $PEER_NAME-msp + } + + 
function saveConfigFileSecrets { + KEY=$1 + if [ -e /certcheck/absent_config_file.txt ] + then + kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-file=configfile=/crypto-config/peerOrganizations/${COMPONENT_NAME}/msp/config.yaml + fi + checkSecret msp-config + } + + function saveCouchdbSecrets { + KEY=$1 + kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-literal=user="admin123" + fi + checkSecret couchdb + } + + function saveOrdererTlsSecrets { + KEY=$1 + if [ -e /certcheck/absent_orderer_tls_cert.txt ] + then + kubectl create secret generic ${KEY} --namespace ${COMPONENT_NAME} --from-file=cacrt=/tlscerts/orderer.crt + fi + checkSecret orderer-tls + } + + function checkSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Secret ${KEY} wasn't created correctly" + touch ${MOUNT_PATH}/certs_not_found.txt + fi + } + +{{- end }} + + ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users/Admin@${COMPONENT_NAME}" + ORG_CYPTO_PEER_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/peers" + + saveAdminSecrets admin-tls admin-msp + + for PEER in $PEERS_NAMES + do + SAVE=false + if [[ "$PEER" == *","* ]] then - echo "Retry attempted `expr $COUNTER - 1` times, orderer tls have not been saved." 
- touch ${MOUNT_PATH}/certs_not_found.txt - exit 1 + STATUS="${PEER##*,}" + else + STATUS="" + fi + + if [ "$STATUS" = "new" ] || [ "$STATUS" = "" ]; then + PEER_NAME="${PEER%%,*}" + SAVE=true + savePeerSecrets $PEER_NAME $PEER-tls $PEER-msp + else + continue fi; done + saveConfigFileSecrets msp-config + saveCouchdbSecrets couchdb + saveOrdererTlsSecrets orderer-tls + --- apiVersion: v1 kind: ConfigMap metadata: name: users-script-store-vault - namespace: {{ .Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: users-script-vault - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: store-vault-users.sh: |- #!/bin/bash 
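Review bot: In the Vault-backed saveConfigFileSecrets and saveCouchdbSecrets, the `break` taken when the read-back value is null/empty exits the while loop with CONFIG_FILE_WRITTEN/COUCHDB_WRITTEN still false, and since COUNTER is still at its initial value the trailing `-gt retries` check does not fire (saveCouchdbSecrets has no such check at all), so a failed write returns silently instead of touching certs_not_found.txt and exiting; drop those two `break`s so the sleep/retry path runs and add the same COUNTER check after the couchdb loop. The peer loop at the end calls `savePeerSecrets $PEER_NAME $PEER-tls $PEER-msp` with the raw list entry, so an entry carrying a `,new` status produces key names that still contain the status suffix while the kubectl branch then verifies `$PEER_NAME-tls`; pass `$PEER_NAME-tls $PEER_NAME-msp`. saveOrdererTlsSecrets still prints `${ORDERER}` in its status messages although the orderer loop that set it was removed, and its read-back block carries a copied `# Check couchdb credentials` comment. The CouchDB credential remains hard-coded as `admin123` in both the Vault payload and `--from-literal=user="admin123"`, and checkSecret in the kubectl branch only touches the marker file without exiting; the credential should come from a chart value or an existing Secret, and the failure handling should match the Vault branch's `exit 1`.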
@@ -1490,27 +1739,34 @@ data: fi } - echo "Puting secrets/certificates from Vault server" - KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - VAULT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login -H "Content-Type: application/json" -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | jq -r 'if .errors then . else .auth.client_token end') - validateVaultResponse 'vault login token' "${VAULT_TOKEN}" - +{{- if eq .Values.global.vault.type "hashicorp" }} + + echo "coming soon" + . ../bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + FORMAT_CERTIFICATE_PATH="/formatcertificate" ORG_CYPTO_USERS_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users" - - list=$(echo "$USERS_IDENTITIES" | tr "-" "\n") - for USER in $list - do + + + function saveUserSecrets { + USER=$1 + TLS_KEY=$2 + TLS_KEY_FORMATTED=$(echo $TLS_KEY | tr - /) + MPS_KEY=$3 + MPS_KEY_FORMATTED=$(echo $MPS_KEY | tr - /) + if [ -e /certcheck/present_tls_${USER}.txt ]; then USER_TLS_CERT_WRITTEN=true; else USER_TLS_CERT_WRITTEN=false; fi if [ -e /certcheck/present_msp_${USER}.txt ]; then USER_MSP_CERT_WRITTEN=true; else USER_MSP_CERT_WRITTEN=false; fi - + mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/tls mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts mkdir -p ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] + while [ "$COUNTER" -le {{ $.Values.healthCheck.retries }} ] do if ([ -e /certcheck/absent_tls_${USER}.txt ] && [ "$USER_TLS_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then 
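Review bot: The hashicorp branch starts with a leftover `echo "coming soon"` right after `{{- if eq .Values.global.vault.type "hashicorp" }}`, which prints a misleading message on every run; remove it. `. ../bevel-vault.sh` is sourced by a path relative to the working directory, so the script depends on where the container starts it; an absolute path, or a comment stating the expected working directory, would make that explicit. The function saveUserSecrets opened here continues past the end of the hunk.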
@@ -1534,32 +1790,30 @@ data: }" > payload.json # This command copy the crypto material for users (tls) - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/${USER}/tls - + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" 'payload.json' + rm payload.json + # Check tls certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/${USER}/tls | jq -r 'if .errors then . else . end') - TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]' 2>&1) - TLS_CLIENT_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.crt"]' 2>&1) - TLS_CLIENT_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["client.key"]' 2>&1) + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${TLS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.crt\"]" 2>&1) + TLS_CLIENT_CERT=$(echo ${VAULT_SECRET} | jq -r ".[\"client.crt\"]" 2>&1) + TLS_CLIENT_KEY=$(echo ${VAULT_SECRET} | jq -r ".[\"client.key\"]" 2>&1) - tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") + tls_certificate_fields=("$TLS_CA_CERT" "$TLS_CLIENT_CERT" "$TLS_CLIENT_KEY") - for field in "${tls_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - USER_TLS_CERT_WRITTEN=false - break - else - USER_TLS_CERT_WRITTEN=true - fi - done - rm payload.json + for field in "${tls_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + USER_TLS_CERT_WRITTEN=false + break + else + USER_TLS_CERT_WRITTEN=true + fi + done + fi fi; if ([ -e /certcheck/absent_msp_${USER}.txt ] && [ "$USER_MSP_CERT_WRITTEN" = "false" ]) || [ "$REFRESH_CERTS" == 'true' ]; then 
@@ -1577,11 +1831,11 @@ data: if [ "$PROXY" != "none" ] ; then - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) # En el rol lo copia directamente del tls - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/ca-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem.txt) echo " { 
@@ -1598,10 +1852,10 @@ data: fi; if [ "$PROXY" = "none" ] ; then - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" - formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" - CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/ca-${COMPONENT_NAME}-7054.pem.txt) - TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/ca-${COMPONENT_NAME}-7054.pem.txt) + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts" + formatCertificate "${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem" "${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts" + CACERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) + TLSCERTS=$(cat ${FORMAT_CERTIFICATE_PATH}/${USER}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem.txt) echo " { 
@@ -1618,34 +1872,31 @@ data: fi; # This command copy the msp certificates to the Vault - curl \ - -H "X-Vault-Token: ${VAULT_TOKEN}" \ - -H "Content-Type: application/json" \ - -X POST \ - -d @payload.json \ - ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/${USER}/msp + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" 'payload.json' + rm payload.json # Check msp certificates - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_SECRET_USERS}/${USER}/msp | jq -r 'if .errors then . else . end') - MSP_ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]' 2>&1) - MSP_CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]' 2>&1) - MSP_KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]' 2>&1) - MSP_SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]' 2>&1) - MSP_TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]' 2>&1) - - msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${MPS_KEY_FORMATTED}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + MSP_ADMINCERT=$(echo ${VAULT_SECRET} | jq -r ".[\"admincerts\"]" 2>&1) + MSP_CACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"cacerts\"]" 2>&1) + MSP_KEYSTORE=$(echo ${VAULT_SECRET} | jq -r ".[\"keystore\"]" 2>&1) + MSP_SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"signcerts\"]" 2>&1) + MSP_TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r ".[\"tlscacerts\"]" 2>&1) - for field in "${msp_certificate_fields[@]}" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - USER_MSP_CERT_WRITTEN=false - break - else - USER_MSP_CERT_WRITTEN=true - fi - done - rm payload.json + msp_certificate_fields=("$MSP_ADMINCERT" "$MSP_CACERTS" "$MSP_KEYSTORE" "$MSP_SIGNCERTS" "$MSP_TLSCACERTS") + for 
field in "${msp_certificate_fields[@]}" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + USER_MSP_CERT_WRITTEN=false + break + else + USER_MSP_CERT_WRITTEN=true + fi + done + fi fi; if [ "$USER_TLS_CERT_WRITTEN" = "true" ] && [ "$USER_MSP_CERT_WRITTEN" = "true" ] 
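Review bot: The new `if [ "$SECRETS_AVAILABLE" == "yes" ]` block has no `else` branch, so when the read-back from Vault fails `USER_MSP_CERT_WRITTEN` keeps whatever value it had before; because the variable is shared across the per-user calls of `saveUserSecrets`, a failed read for one user can presumably inherit `true` from the previous user and the "successfully stored" branch is taken. The removed code set it to `false` whenever any field was `null`, empty or a parse error. Add `else USER_MSP_CERT_WRITTEN=false` before the closing `fi`, or initialise both `*_WRITTEN` variables to `false` at the start of the function (its start is outside this hunk).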
@@ -1653,74 +1904,139 @@ data: echo "${USER} certificates are successfully stored in vault" break else - echo "${USER} certificates are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }}" - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} + echo "${USER} certificates are not ready, sleeping for {{ $.Values.healthCheck.sleepTimeAfterError }}" + sleep {{ $.Values.healthCheck.sleepTimeAfterError }} COUNTER=`expr "$COUNTER" + 1` fi done; - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] + if [ "$COUNTER" -gt {{ $.Values.healthCheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, users certificates have not been saved." touch ${MOUNT_PATH}/certs_not_found.txt exit 1 - fi; - done; + fi; + } +{{- else }} + + function saveUserSecrets { + USER=$1 + TLS_KEY=$2 + MPS_KEY=$3 + + if [ -e /certcheck/absent_tls_${USER}.txt ] || [ "$REFRESH_CERTS" == 'true' ] + then + kubectl create secret generic ${TLS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=cacrt=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/ca.crt \ + --from-file=clientcrt=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.crt \ + --from-file=clientkey=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/tls/client.key + fi + + if [ -e /certcheck/absent_msp_${USER}.txt ] || [ "$REFRESH_CERTS" == 'true' ] + then + if [ "$PROXY" != "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem \ + 
--from-file=tlscacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-${EXTERNAL_URL_SUFFIX}.pem + fi + + if [ "$PROXY" = "none" ] + then + SK_NAME=$(find ${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/keystore/ -name "*_sk") + kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} \ + --from-file=admincerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/admincerts/${USER}@${COMPONENT_NAME}-cert.pem \ + --from-file=cacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/cacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem \ + --from-file=keystore=${SK_NAME} \ + --from-file=signcerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/signcerts/cert.pem \ + --from-file=tlscacerts=${ORG_CYPTO_USERS_FOLDER}/${USER}@${COMPONENT_NAME}/msp/tlscacerts/{{ .Release.Name }}-${COMPONENT_NAME}-7054.pem + fi + fi + checkSecret $USER-tls + checkSecret $USER-msp + } + + function checkSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Secret ${KEY} wasn't created correctly" + touch ${MOUNT_PATH}/certs_not_found.txt + fi + } +{{- end }} + ORG_CYPTO_USERS_FOLDER="/crypto-config/peerOrganizations/${COMPONENT_NAME}/users" + for USER in $USERS_IDENTITIES + do + saveUserSecrets $USER $USER-tls $USER-msp + done --- apiVersion: v1 kind: ConfigMap metadata: name: msp-config-file - namespace: {{ .Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: msp-config-file - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: no-none-config.yaml: |- NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-{{ .Values.org_data.external_url_suffix }}.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-{{ .Values.org_data.external_url_suffix }}.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-{{ .Values.org_data.external_url_suffix }}.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-{{ .Values.org_data.external_url_suffix }}.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-{{ .Values.global.proxy.externalUrlSuffix }}.pem OrganizationalUnitIdentifier: orderer none-config.yaml: |- NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-7054.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-7054.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-7054.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-7054.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-7054.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-7054.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/ca-{{ .Values.metadata.namespace }}-7054.pem + Certificate: cacerts/ca-{{ .Release.Namespace }}-7054.pem 
OrganizationalUnitIdentifier: orderer + +{{- $file := .Files.Get "files/orderer.crt" }} +{{ if and (eq $.Values.orgData.type "peer") $file }} --- apiVersion: v1 kind: ConfigMap metadata: - name: tls-cert - namespace: {{ .Values.metadata.namespace }} + name: orderer-tls-cacert + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: tls-cert - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: orderer-tls-cacert app.kubernetes.io/instance: {{ .Release.Name }} -data: - {{- range $orderers := $.Values.orderers_info }} - {{ $orderers.name }}.crt: {{ $orderers.path | quote }} - {{- end }} + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +data: + orderer.crt: |- + {{ .Files.Get "files/orderer.crt" | nindent 8 }} +{{- end }} + diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml index b61c80d33f1..74cdf20367a 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml 
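Review bot: In the new `saveUserSecrets` for the Kubernetes-secret branch, `kubectl create secret generic ${TLS_KEY}`/`${MPS_KEY}` fails with AlreadyExists when the secret is already present, so the `REFRESH_CERTS == 'true'` path never replaces stale material, and `checkSecret` only tests that a secret exists and therefore still reports success. Use an idempotent write, e.g. `kubectl create secret generic ${MPS_KEY} --namespace ${COMPONENT_NAME} … --dry-run=client -o yaml | kubectl apply -f -`, or run `kubectl delete secret ${MPS_KEY} --namespace ${COMPONENT_NAME} --ignore-not-found` before the create. The two `PROXY` branches differ only in the cacerts/tlscacerts filename suffix; computing the suffix once and keeping a single `kubectl create` would remove the duplicated block. `SK_NAME` from `find … -name "*_sk"` is unquoted and can be empty or hold several paths, which silently yields a broken `keystore` entry; fail explicitly when it does not resolve to exactly one file.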
@@ -8,38 +8,45 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Values.metadata.name }} - namespace: {{ .Values.metadata.namespace }} + name: {{ template "fabric-catools.fullname" . }} + namespace: {{ .Release.Namespace }} labels: app: {{ .Release.Name }} - app.kubernetes.io/name: {{ .Values.metadata.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{ include "labels.deployment" . | nindent 2 }} + app.kubernetes.io/name: {{ include "fabric-catools.name" . }} + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.deployment }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + {{ include "labels.deployment" . | nindent 2 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - name: {{ .Values.metadata.name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "fabric-catools.name" . }} + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm template: metadata: labels: - name: {{ .Values.metadata.name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "fabric-catools.name" . }} + app.kubernetes.io/component: ca-tools + app.kubernetes.io/part-of: {{ include "fabric-catools.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm {{ include "labels.deployment" . | nindent 6 }} spec: - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} + serviceAccountName: {{ $.Values.global.serviceAccountName }} + {{- if .Values.global.vault.imageSecretName }} imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} + - name: {{ $.Values.global.vault.imageSecretName }} {{- end }} volumes: - name: ca-tools-pv @@ -121,16 +128,15 @@ spec: items: - key: no-none-config.yaml path: no-none-config.yaml - {{- if eq $.Values.metadata.component_type "peer" }} - {{- range $orderers := $.Values.orderers_info }} - - name: {{ $orderers.name }}-tls-cert + {{- $file := .Files.Get "files/orderer.crt" }} + {{ if and (eq $.Values.orgData.type "peer") $file }} + - name: orderer-tls-cacert configMap: - name: tls-cert + name: orderer-tls-cacert defaultMode: 0775 items: - - key: {{ $orderers.name }}.crt - path: {{ $orderers.name }}.crt - {{- end }} + - key: orderer.crt + path: orderer.crt {{- end }} - name: scripts-volume configMap: 
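Review bot: The Deployment now runs under `{{ $.Values.global.serviceAccountName }}` (default `vault-auth` in values.yaml) while the scripts in this chart's containers call `kubectl create secret`, `kubectl get secret` and `kubectl describe pod`; no Role/RoleBinding granting `get`/`create` on `secrets` and `get` on `pods` in `{{ .Release.Namespace }}` is visible in this diff, so either the chart should ship one or the README should state the required RBAC. Prefer a namespace-scoped Role limited to those verbs over reusing a broader binding, since the same account presumably also serves as the Vault Kubernetes-auth identity. Separately, `{{ include "labels.deployment" . | nindent 2 }}` now sits under `annotations:` at the same indentation as the `annotations` key itself, so unless the helper emits its own key the rendered `annotations` is null — worth confirming against `_helpers.tpl`.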
@@ -140,96 +146,110 @@ spec: name: package-manager initContainers: - name: init-check-certificates - image: {{ $.Values.image.alpineutils }} - imagePullPolicy: IfNotPresent + image: {{ $.Values.image.alpineUtils }} + imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ $.Values.vault.address }} + value: {{ $.Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} + value: {{ $.Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_SECRET_USERS - value: {{ $.Values.vault.secretusers }} - - name: VAULT_SECRET_ORDERER - value: {{ $.Values.vault.secretorderer }} - - name: VAULT_SECRET_PEER - value: {{ $.Values.vault.secretpeer }} - - name: VAULT_SECRET_CONFIG_FILE - value: {{ $.Values.vault.secretconfigfile }} - - name: VAULT_SECRET_PEER_ORDERER_TLS - value: {{ $.Values.vault.secretpeerorderertls }} + value: {{ $.Values.global.vault.authPath }} + - name: VAULT_TYPE + value: {{ $.Values.global.vault.type }} + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" - name: COMPONENT_TYPE - value: {{ $.Values.metadata.component_type }} + value: "{{ $.Values.orgData.type }}" - name: COMPONENT_NAME - value: {{ $.Values.metadata.namespace }} + value: {{ .Release.Namespace }} - name: ORG_NAME_EXT - value: {{ $.Values.metadata.org_name }} + value: {{ $.Values.orgData.orgName }} - name: PROXY - value: {{ .Values.metadata.proxy }} + value: {{ .Values.global.proxy.provider }} - name: ORDERERS_NAMES - value: "{{ $.Values.orderers.name }}" + value: "{{ $.Values.orderers | join " " -}}" - name: PEERS_NAMES - value: "{{ $.Values.peers.name }}" + value: "{{ $.Values.peers | join " " -}}" - name: USERS_IDENTITIES - value: {{ $.Values.users.users_identities }} + value: "{{ $.Values.users.usersIdentities | join " " -}}" - name: MOUNT_PATH value: "/certcheck" - - 
name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" command: ["sh", "-c"] args: - |- #!/usr/bin/env sh - . /scripts/bevel-vault.sh - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - mkdir -p ${MOUNT_PATH} OUTPUT_PATH="/crypto-config/${COMPONENT_TYPE}Organizations/${COMPONENT_NAME}" mkdir -p ${OUTPUT_PATH}/ca mkdir -p /root/ca-tools/${ORG_NAME_EXT} + +{{- if eq .Values.global.vault.type "hashicorp" }} + . /scripts/bevel-vault.sh + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" - SECRET_CERT={{ $.Values.vault.secretcert }} - vault_secret_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $1}') - vault_data_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $2}') + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/ca" # Get ca cert - vaultBevelFunc "readJson" "${vault_secret_key}" - VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${VALUE_OF_SECRET}" > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem - - SECRET_KEY={{ $.Values.vault.secretkey }} - vault_secret_key=$(echo ${SECRET_KEY} |awk -F "?" '{print $1}') - vault_data_key=$(echo ${SECRET_KEY} |awk -F "?" 
'{print $2}') + ca_cert=$(echo ${VAULT_SECRET} | jq -r ".[\"ca.${COMPONENT_NAME}-cert.pem\"]") + echo "${ca_cert}" > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem # Get ca key - vaultBevelFunc "readJson" "${vault_secret_key}" - VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${VALUE_OF_SECRET}" > ${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key + ca_key=$(echo ${VAULT_SECRET} | jq -r ".[\"${COMPONENT_NAME}-CA.key\"]") + echo "${ca_key}" > ${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key + + function checkSecret { + key=$1 + key_formatted=$(echo $key | tr - /) + file_name=$2 + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${key_formatted}" + if [ "$SECRETS_AVAILABLE" == "yes" ] + then + echo "Certificates present in vault" + touch ${MOUNT_PATH}/present_${file_name}.txt + else + echo "Certficates absent in vault. Ignore error warning." + touch ${MOUNT_PATH}/absent_${file_name}.txt + fi + } +{{- else }} + + while true; do + POD_NAME="fabric-ca-server-{{ .Release.Name }}-0" + pod_describe=$(kubectl describe pod "$POD_NAME" 2>&1) + # Check if the pod is in "Running" state + if echo "$pod_describe" | grep -q "State:.*Running"; then + echo "The pod $POD_NAME is in Running state." + break + else + echo "$POD_NAME is not in Running state or does not exist." + sleep 2s + fi + done - # Check if admin msp already created - vaultBevelFunc "readJson" "${VAULT_SECRET_USERS}/admin/msp" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_msp.txt - else - echo "Certficates absent in vault. Ignore error warning." 
- touch ${MOUNT_PATH}/absent_msp.txt - fi + kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-cert}" | base64 -d > ${OUTPUT_PATH}/ca/ca.${COMPONENT_NAME}-cert.pem + kubectl get secret ca-certs --namespace {{ .Release.Namespace }} --output="jsonpath={.data.ca-${COMPONENT_NAME}-key}" | base64 -d > ${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key + + function checkSecret { + key=$1 + file_name=$2 + kubectl get secret ${key} --namespace ${COMPONENT_NAME} -o json > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Certficates absent in kuberenetes secrets. Ignore error warning." + touch ${MOUNT_PATH}/absent_${file_name}.txt + else + echo "Certficates present in kuberenetes secrets. Ignore error warning." + touch ${MOUNT_PATH}/present_${file_name}.txt + fi + } +{{- end }} - # Check if admin tls already created - vaultBevelFunc "readJson" "${VAULT_SECRET_USERS}/admin/tls" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_tls.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_tls.txt - fi + checkSecret admin-msp msp + checkSecret admin-tls tls if [ "$COMPONENT_TYPE" = "orderer" ]; then SERVICES_NAMES=$ORDERERS_NAMES; 
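Review bot: The `while true` loop added for the non-Vault branch waits forever for `fabric-ca-server-{{ .Release.Name }}-0` with no retry cap, unlike the `healthCheck.retries` pattern used in the store-vault scripts, so a misnamed release or a CA that never starts leaves the init container hung silently. `kubectl describe pod | grep -q "State:.*Running"` also matches any container's state line, so it can presumably pass while only an init container of that pod is running. Replace the loop with `kubectl wait --for=condition=Ready pod/${POD_NAME} --namespace {{ .Release.Namespace }} --timeout=300s || exit 1` (300s is an example value to tune). Both branches write the CA private key to `${OUTPUT_PATH}/ca/${COMPONENT_NAME}-CA.key` on the shared volume; the earlier code did this too, but now that the key is also obtained via `kubectl get secret ca-certs`, a `chmod 600` on that file and a comment on why it must live on disk would be appropriate.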
@@ -239,103 +259,50 @@ spec: SERVICES_NAMES=$PEERS_NAMES; fi; - list=$(echo "$SERVICES_NAMES" | tr "-" "\n") - for SERVICE in $list + for SERVICE in $SERVICES_NAMES do # Check if orderer/peer msp already created if [ "$COMPONENT_TYPE" = "peer" ]; then SERVICE_NAME="${SERVICE%%,*}" - vaultBevelFunc "readJson" "${VAULT_SECRET_PEER}/${SERVICE_NAME}.${COMPONENT_NAME}/msp" + checkSecret ${SERVICE_NAME}-msp msp_${SERVICE_NAME} fi; if [ "$COMPONENT_TYPE" = "orderer" ]; then SERVICE_NAME="${SERVICE}" - vaultBevelFunc "readJson" "${VAULT_SECRET_ORDERER}/${SERVICE_NAME}.${COMPONENT_NAME}/msp" + checkSecret ${SERVICE_NAME}-msp msp_${SERVICE_NAME} fi; - - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_msp_${SERVICE_NAME}.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_msp_${SERVICE_NAME}.txt - fi - + # Check if orderer/peer msp already created if [ "$COMPONENT_TYPE" = "peer" ]; then SERVICE_NAME="${SERVICE%%,*}" - vaultBevelFunc "readJson" "${VAULT_SECRET_PEER}/${SERVICE_NAME}.${COMPONENT_NAME}/tls" + checkSecret ${SERVICE_NAME}-tls tls_${SERVICE_NAME} fi; if [ "$COMPONENT_TYPE" = "orderer" ]; then SERVICE_NAME="${SERVICE}" - vaultBevelFunc "readJson" "${VAULT_SECRET_ORDERER}/${SERVICE_NAME}.${COMPONENT_NAME}/tls" + checkSecret ${SERVICE_NAME}-tls tls_${SERVICE_NAME} fi; - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_tls_${SERVICE_NAME}.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_tls_${SERVICE_NAME}.txt - fi done if [ $COMPONENT_TYPE == 'peer' ]; then # Check if msp config file already created - vaultBevelFunc "readJson" "${VAULT_SECRET_CONFIG_FILE}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault." - touch ${MOUNT_PATH}/present_config_file.txt - else - echo "Certficates absent in vault. 
Ignore error warning." - touch ${MOUNT_PATH}/absent_config_file.txt - fi - - # Check if msp config file already created - vaultBevelFunc "readJson" "${VAULT_SECRET_PEER_ORDERER_TLS}" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault." - touch ${MOUNT_PATH}/present_orderer_tls_cert.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_orderer_tls_cert.txt - fi + checkSecret msp-config config_file + checkSecret orderer-tls orderer_tls_cert fi; if [ "$USERS_IDENTITIES" ] then - identities_list=$(echo "$USERS_IDENTITIES" | tr "-" "\n") - for user_identity in $identities_list + for user_identity in $USERS_IDENTITIES do - # Check if users msp already created - vaultBevelFunc "readJson" "${VAULT_SECRET_USERS}/${user_identity}/msp" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault." - touch ${MOUNT_PATH}/present_msp_${user_identity}.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_msp_${user_identity}.txt - fi - # Check if users tls already created - vaultBevelFunc "readJson" "${VAULT_SECRET_USERS}/${user_identity}/tls" - if [ "$SECRETS_AVAILABLE" == "yes" ] - then - echo "Certificates present in vault" - touch ${MOUNT_PATH}/present_tls_${user_identity}.txt - else - echo "Certficates absent in vault. Ignore error warning." - touch ${MOUNT_PATH}/absent_tls_${user_identity}.txt - fi + checkSecret ${user_identity}-tls tls_${user_identity} + # Check if users msp already created for users + checkSecret ${user_identity}-msp msp_${user_identity} done fi + echo "----------${POD_NAME}-----------------------" volumeMounts: - name: ca-tools-pv mountPath: /root/ca-tools 
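Review bot: The added `echo "----------${POD_NAME}-----------------------"` at the end of the init script prints an empty name whenever `global.vault.type` is `hashicorp`, because `POD_NAME` is only assigned inside the non-Vault branch earlier in the script; it reads as leftover debugging and should be dropped or moved into that branch. The refactor to `checkSecret` is a clear improvement, but the comment `# Check if orderer/peer msp already created` now also precedes the tls checks and the second occurrence should read `# Check if orderer/peer tls already created`. The init script body starts outside this hunk.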
@@ -347,43 +314,51 @@ spec: mountPath: /scripts/bevel-vault.sh subPath: bevel-vault.sh containers: - - name: {{ .Values.metadata.name }} - image: "{{ .Values.image.catools }}" + - name: ca-tools + image: "{{ .Values.image.caTools }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: COMPONENT_TYPE - value: {{ $.Values.metadata.component_type }} + value: {{ $.Values.orgData.type }} - name: COMPONENT_NAME - value: {{ $.Values.metadata.namespace }} + value: {{ .Release.Namespace }} - name: ORG_NAME_EXT - value: {{ $.Values.metadata.org_name }} + value: {{ $.Values.orgData.orgName }} - name: REFRESH_CERTS - value: "{{ $.Values.checks.refresh_cert_value }}" + value: "{{ $.Values.checks.refreshCertValue }}" - name: ADD_PEER - value: "{{ $.Values.checks.add_peer_value }}" + value: "{{ $.Values.checks.addPeerValue }}" - name: ORDERERS_NAMES - value: "{{ $.Values.orderers.name }}" + value: "{{ $.Values.orderers | join " " -}}" - name: PEERS_NAMES - value: "{{ $.Values.peers.name }}" + value: "{{ $.Values.peers | join " " -}}" + - name: PEERS_COUNT + value: "{{ len $.Values.peers }}" - name: USERS - value: {{ $.Values.users.users_list }} + value: {{ $.Values.users.usersList | toJson | b64enc }} + - name: USERS_ANSIBLE + value: {{ $.Values.users.usersListAnsible }} - name: USERS_IDENTITIES - value: {{ $.Values.users.users_identities }} + value: "{{ $.Values.users.usersIdentities | join " " -}}" - name: SUBJECT - value: {{ .Values.org_data.component_subject }} + value: {{ .Values.orgData.componentSubject }} - name: CERT_SUBJECT - value: {{ .Values.org_data.cert_subject }} + value: {{ .Values.orgData.certSubject }} - name: CA_URL - value: {{ .Values.org_data.ca_url }} + value: {{ .Release.Name }}.{{ .Release.Namespace }}:7054 - name: EXTERNAL_URL_SUFFIX - value: {{ .Values.org_data.external_url_suffix }} + value: {{ .Values.global.proxy.externalUrlSuffix }} - name: PROXY - value: {{ .Values.metadata.proxy }} + value: {{ .Values.global.proxy.provider }} - name: 
MOUNT_PATH value: "/certcheck" command: ["sh", "-c"] args: - - |- + - |- + . /scripts/package-manager.sh + # Define the packages to install + packages_to_install="jq" + install_packages "$packages_to_install" if [ "$COMPONENT_TYPE" = "orderer" ]; then if [ -e ${MOUNT_PATH}/absent_msp.txt ]; then @@ -403,12 +378,10 @@ spec: fi; # Generate crypto material for organization orderers (for each orderer) - orderers=$(echo "$ORDERERS_NAMES" | tr "-" "\n") - for ORDERER_NAME in $orderers + for ORDERER_NAME in $ORDERERS_NAMES do if [ -e ${MOUNT_PATH}/absent_msp_${ORDERER_NAME}.txt ]; then - echo "need to execute scripts for ${ORDERER_NAME} " - + echo "need to execute scripts for ${ORDERER_NAME}" SK_NAME=$(find ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/ -name "*_sk") if [ -n "$SK_NAME" ]; then rm ${ORG_CYPTO_ORDERER_FOLDER}/${ORDERER_NAME}.${COMPONENT_NAME}/msp/keystore/*_sk @@ -416,15 +389,14 @@ spec: rm /root/ca-tools/${ORG_NAME_EXT}/cas/orderers/tls/keystore/*_sk fi; cd /root/ca-tools/${ORG_NAME_EXT} - ./orderer-script.sh ${ORDERER_NAME} + ./orderer-script.sh ${ORDERER_NAME} fi; done fi; if [ "$COMPONENT_TYPE" = "peer" ]; then - - list=$(echo "$PEERS_NAMES" | tr "-" "\n") - for PEER in $list + + for PEER in $PEERS_NAMES do PEER_NAME="${PEER%%,*}" @@ -451,19 +423,23 @@ spec: fi; done - # Generate crypto material for users - list=$(echo "$USERS_IDENTITIES" | tr "-" "\n") - for USER in $list + # Generate crypto material for users + for USER in $USERS_IDENTITIES do if ([ "$USERS" ] && [ -e ${MOUNT_PATH}/absent_msp_${USER}.txt ]) || [ "$REFRESH_CERTS" = "true" ] then cd /root/ca-tools/${ORG_NAME_EXT} - ./generate-user-crypto.sh peer ${USERS} + if [ -z "$USERS_ANSIBLE" ]; + then + ./generate-user-crypto.sh peer ${USERS} + else + ./generate-user-crypto.sh peer ${USERS_ANSIBLE} + fi break fi; done fi; - + # this command creates the indicator of the completion of scripts touch ${MOUNT_PATH}/flag_finish.txt tail -f /dev/null 
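Review bot: `CA_URL` is now fixed to `{{ .Release.Name }}.{{ .Release.Namespace }}:7054`, which replaces the former `org_data.ca_url` value and silently assumes the fabric-ca-server Service carries this chart's release name (the init container makes the same assumption with `fabric-ca-server-{{ .Release.Name }}-0`). If the two charts are installed under different release names, enrollment goes to a non-existent host; either document the coupling in values.yaml/README or expose it as a chart value (e.g. under `orgData`) that defaults to this expression. Separately, `USERS` is now `toJson | b64enc`, so `[ "$USERS" ]` in the `@@ -451` hunk below is true even for an empty list (`[]` encodes to a non-empty string); if an empty `usersList` is meant to skip generation, test the decoded value instead.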
@@ -475,58 +451,55 @@ spec: - name: certcheck mountPath: /certcheck - name: generate-crypto - mountPath: /root/ca-tools/{{ $.Values.metadata.org_name }}/generate-crypto-orderer.sh + mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-orderer.sh subPath: generate-crypto-orderer.sh - name: generate-orderer-crypto - mountPath: /root/ca-tools/{{ $.Values.metadata.org_name }}/orderer-script.sh + mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/orderer-script.sh subPath: orderer-script.sh - name: generate-crypto-peer - mountPath: /root/ca-tools/{{ $.Values.metadata.org_name }}/generate-crypto-peer.sh + mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-peer.sh subPath: generate-crypto-peer.sh - name: generate-crypto-add-peer - mountPath: /root/ca-tools/{{ $.Values.metadata.org_name }}/generate-crypto-add-peer.sh + mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-crypto-add-peer.sh subPath: generate-crypto-add-peer.sh - name: generate-user-crypto - mountPath: /root/ca-tools/{{ $.Values.metadata.org_name }}/generate-user-crypto.sh + mountPath: /root/ca-tools/{{ $.Values.orgData.orgName }}/generate-user-crypto.sh subPath: generate-user-crypto.sh + - name: package-manager + mountPath: /scripts/package-manager.sh + subPath: package-manager.sh - name: store-vault - image: {{ $.Values.image.alpineutils }} + image: {{ $.Values.image.alpineUtils }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ $.Values.vault.address }} + value: {{ $.Values.global.vault.address }} - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} + value: {{ $.Values.global.vault.role }} - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_SECRET_USERS - value: {{ $.Values.vault.secretusers }} - - name: VAULT_SECRET_ORDERER - value: {{ $.Values.vault.secretorderer }} - - name: VAULT_SECRET_PEER - value: {{ $.Values.vault.secretpeer }} - - name: 
VAULT_SECRET_PEER_ORDERER_TLS - value: {{ $.Values.vault.secretpeerorderertls }} - - name: VAULT_SECRET_CONFIG_FILE - value: {{ $.Values.vault.secretconfigfile }} - - name: VAULT_SECRET_COUCHDB - value: {{ $.Values.vault.secretcouchdb }} + value: {{ $.Values.global.vault.authPath }} + - name: VAULT_TYPE + value: {{ $.Values.global.vault.type }} + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" - name: COMPONENT_TYPE - value: {{ $.Values.metadata.component_type }} + value: {{ $.Values.orgData.type }} - name: COMPONENT_NAME - value: {{ $.Values.metadata.namespace }} + value: {{ .Release.Namespace }} - name: REFRESH_CERTS - value: "{{ $.Values.checks.refresh_cert_value }}" + value: "{{ $.Values.checks.refreshCertValue }}" - name: PROXY - value: {{ .Values.metadata.proxy }} + value: {{ .Values.global.proxy.provider }} - name: EXTERNAL_URL_SUFFIX - value: {{ .Values.org_data.external_url_suffix }} + value: {{ .Values.global.proxy.externalUrlSuffix }} - name: ORDERERS_NAMES - value: "{{ $.Values.orderers.name }}" + value: "{{ $.Values.orderers | join " " -}}" - name: PEERS_NAMES - value: "{{ $.Values.peers.name }}" + value: "{{ $.Values.peers | join " " -}}" - name: USERS_IDENTITIES - value: {{ $.Values.users.users_identities }} + value: "{{ $.Values.users.usersIdentities | join " " -}}" - name: MOUNT_PATH value: "/certcheck" command: ["sh", "-c"] @@ -534,7 +507,7 @@ spec: - |- . /scripts/package-manager.sh # Define the packages to install - packages_to_install="jq curl bash" + packages_to_install="jq curl bash kubectl" install_packages "$packages_to_install" while ! [ -f ${MOUNT_PATH}/flag_finish.txt ] @@ -543,6 +516,7 @@ spec: sleep 2s done + ls if [ -e /${MOUNT_PATH}/flag_finish.txt ]; then if [ "$COMPONENT_TYPE" = "orderer" ]; then # Generate crypto material for organization orderers 
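Review bot: `packages_to_install="jq curl bash kubectl"` now pulls `kubectl` from the package repository at every pod start of the `store-vault` container, so the tool that creates and reads Secrets is fetched over the network at runtime and its version is whatever the repository serves that day. Bake `kubectl` (and `jq`) into the `image.alpineUtils` image, or at least pin the version inside `package-manager.sh`, so the deployment does not depend on outbound package access and the binary is the one that was reviewed.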
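Review bot: The bare `ls` added before the `flag_finish.txt` check is leftover debugging output with no purpose in the script; drop it, or if the listing is wanted in the logs make it explicit with `echo "contents of $(pwd):" && ls`. The surrounding script starts and ends outside this hunk.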
@@ -583,23 +557,25 @@ spec: - name: store-vault-users mountPath: /scripts/peer/store-vault-users.sh subPath: store-vault-users.sh - {{ if and (eq $.Values.metadata.component_type "peer") (ne $.Values.metadata.proxy "none") }} + {{ if and (eq $.Values.orgData.type "peer") (ne $.Values.global.proxy.provider "none") }} - name: no-none-config - mountPath: /crypto-config/peerOrganizations/{{ $.Values.metadata.namespace }}/msp/config.yaml + mountPath: /crypto-config/peerOrganizations/{{ .Release.Namespace }}/msp/config.yaml subPath: no-none-config.yaml {{ end }} - {{ if and (eq $.Values.metadata.component_type "peer") (eq $.Values.metadata.proxy "none") }} + {{ if and (eq $.Values.orgData.type "peer") (eq $.Values.global.proxy.provider "none") }} - name: none-config - mountPath: /crypto-config/peerOrganizations/{{ $.Values.metadata.namespace }}/msp/config.yaml + mountPath: /crypto-config/peerOrganizations/{{ .Release.Namespace }}/msp/config.yaml subPath: none-config.yaml {{ end }} - {{- if eq $.Values.metadata.component_type "peer" }} - {{- range $orderers := $.Values.orderers_info }} - - name: {{ $orderers.name }}-tls-cert - mountPath: /tlscerts/{{ $orderers.name }}.crt - subPath: {{ $orderers.name }}.crt - {{- end }} + {{- $file := .Files.Get "files/orderer.crt" }} + {{ if and (eq $.Values.orgData.type "peer") $file }} + - name: orderer-tls-cacert + mountPath: /tlscerts/orderer.crt + subPath: orderer.crt {{- end }} - name: package-manager mountPath: /scripts/package-manager.sh subPath: package-manager.sh + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml index 1e17edafa7c..28e72237dd7 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/volume.yaml 
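Review bot: The `{{- $file := .Files.Get "files/orderer.crt" }}` / `{{ if and (eq $.Values.orgData.type "peer") $file }}` pair is now repeated verbatim here, in the `volumes:` block and in `configmap.yaml`; if any one copy is edited, the ConfigMap, the volume and this mount go out of sync and the pod presumably fails validation with a mount referencing a missing volume. Compute it once at the top of the template (`{{- $ordererCert := .Files.Get "files/orderer.crt" }}`) or wrap the condition in a named helper in `_helpers.tpl`. The new `scripts-volume` mount of `bevel-vault.sh` into `store-vault` deserves a one-line comment on why it is needed, e.g. `# bevel-vault.sh is sourced by the store-vault scripts when global.vault.type is hashicorp` (hedged: the sourcing happens in script text outside this hunk).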
@@ -9,46 +9,30 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ca-tools-crypto-pvc - namespace: {{ $.Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} - labels: {{ include "labels.pvc" . | nindent 2 }} spec: - storageClassName: {{ $.Values.storage.storageclassname }} + storageClassName: storage-{{ .Release.Name }} accessModes: - ReadWriteOnce resources: requests: - storage: {{ $.Values.storage.storagesize }} + storage: {{ $.Values.storage.size }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ca-tools-pvc - namespace: {{ $.Values.metadata.namespace }} + namespace: {{ .Release.Namespace }} annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} - labels: - {{ include "labels.pvc" . | nindent 2 }} + {{ include "labels.pvc" . | nindent 2 }} spec: - storageClassName: {{ $.Values.storage.storageclassname }} + storageClassName: storage-{{ .Release.Name }} accessModes: - ReadWriteOnce resources: requests: - storage: {{ $.Values.storage.storagesize }} + storage: {{ $.Values.storage.size }} diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml index 84d5925c048..e8551e87f5b 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml 
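Review bot: In both PVCs the `labels:` key is removed while the now-empty `annotations:` key is kept, so on the new side the `{{ include "labels.pvc" . | nindent 2 }}` output lands directly under `annotations:` (or at metadata level, depending on how the helper indents); either way the PVCs lose their labels. The minimal fix is to drop `annotations:` and restore `labels:` above the include, i.e. `labels:` / `  {{ include "labels.pvc" . | nindent 4 }}`, with the indent checked against what `labels.pvc` emits. Separately, `storageClassName: storage-{{ .Release.Name }}` (also used by the fabric-cli PVC further down) assumes a StorageClass of that name exists; fabric-orderernode declares a `bevel-storageclass` subchart aliased `storage` on this page, but nothing visible does so for fabric-catools, so confirm the dependency is declared.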
@@ -3,92 +3,60 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: supplychain-vault-role + role: vault-role + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" + #Provide the imagesecretname for vault + #Eg. imagesecretname: regcred + imageSecretName: "" + + proxy: + #This will be the proxy/ingress provider. Can have values "haproxy" or "none" + #Eg. provider: "haproxy" + provider: haproxy + #This field specifies the external url for the organization + #Eg. externalUrlSuffix: test.blockchaincloudpoc.com + externalUrlSuffix: test.blockchaincloudpoc.com -metadata: - #Provide the namespace for CA deployment - #Eg. namespace: org1-net - namespace: org1-net - #Provide name for ca server deployment - #Eg. name: ca-tools - name: ca-tools - #Provide organization's type (orderer or peer) - #Eg. component_type: orderer - component_type: orderer - #Provide organization's name in lowercases - #Eg. org_name: org1 - org_name: org1 - #This will be the proxy/ingress provider. Can have values "haproxy" or "none" - #Eg. provider: "haproxy" - proxy: haproxy # Provide the number of replica pods replicaCount: 1 image: #Provide the image name for the server container #Eg. 
image: hyperledger/fabric-ca-tools - repository: ghcr.io/hyperledger/bevel-fabric-ca-tools:1.2.1 + caTools: ghcr.io/hyperledger/bevel-fabric-ca:latest # Provide image pull policy pullPolicy: IfNotPresent #Provide the valid image name and version to read certificates from vault server #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest -annotations: - #Extra annotations - pvc: {} - deployment: {} - storage: - #Provide the storageclassname for - #Eg. storageclassname: aws-storageclass - storageclassname: aws-storageclass - #Provide the storagesize for CA - #Eg. storagesize: 512Mi - storagesize: 512Mi - -vault: - #Provide the vaultrole for an organization - #Eg. vaultrole: vault-role - role: vault-role - #Provide the vault server address - #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the kubernetes auth backed configured in vault for an organization - #Eg. authpath: devorg1-net-auth - authpath: devorg1-net-auth - #Provide the path configured in vault for users certficates - #Eg. secretmsp: secretsv2/data/crypto/ordererOrganizations/..../users - secretusers: secretsv2/data/crypto/ordererOrganizations/org1-net/users - #Provide the path configured in vault for orderers - #Eg. secrettls: secretsv2/data/crypto/Organizations/.../.../orderers - secretorderer: secretsv2/data/crypto/ordererOrganizations/org1-net/orderers - #Provide the path configured in vault for orderers - #Eg. secretpeerorderertls: secretsv2/data/crypto/Organizations/.../.../orderer/tls - secretpeerorderertls: secretsv2/data/crypto/peerOrganizations/org1-net/orderer/tls - #Provide the secretcert path configured in vault for CA server - #Eg. 
secretcert: secretsv2/data/crypto/Organizations/.../...-cert.pem - secretcert: secretsv2/data/crypto/ordererOrganizations/org1-net/ca?ca.org1-net-cert.pem - #Provide the secretkey path configured in vault for CA server - #Eg. secretkey: secretsv2/data/crypto/Organizations/.../...-CA.key - secretkey: secretsv2/data/crypto/ordererOrganizations/org1-net/ca?org1-net-CA.key - #Provide the path configured in vault for MSP config.yaml file - #Eg. secretconfigfile: secretsv2/data/crypto/Organizations/.../config - secretconfigfile: secretsv2/data/crypto/ordererOrganizations/org1-net/msp/config - #Provide the path configured in vault for couchdb credentials - #Eg. secretconfigfile: secretsv2/data/credentials/.../couchdb/org1 - secretcouchdb: secretsv2/data/credentials/org1-net/couchdb/org1 - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Kuberenetes secret for vault ca.cert + #Provide the size for CA + #Eg. size: 512Mi + size: 512Mi -healthcheck: +healthCheck: # The amount of times to retry fetching from/writing to Vault before giving up. # Eg. retries: 10 retries: 10 
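Review bot: The CA tools image moves from the pinned `bevel-fabric-ca-tools:1.2.1` to `bevel-fabric-ca:latest` with `pullPolicy: IfNotPresent`, which makes the container that generates the organisation's crypto material non-reproducible across nodes and over time; pin a tag (a placeholder such as `ghcr.io/hyperledger/bevel-fabric-ca:<pinned-version>`) and note in the comment why this chart now uses `bevel-fabric-ca` rather than `bevel-fabric-ca-tools`, if the rename is intentional. Several example comments are stale relative to the keys they describe (`#Eg. vaultrole: supplychain-vault-role` above `role: vault-role`, `#Eg. authpath:` above `authPath:`); aligning them avoids confusion for people who copy the examples.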
@@ -96,52 +64,65 @@ healthcheck: # Eg. sleepTimeAfterError: 15 sleepTimeAfterError: 15 -org_data: - #External URL of the organization - #Eg. external_url_suffix: org1.blockchaincloudpoc.com - external_url_suffix: org1proxy.blockchaincloudpoc.com +orgData: + #Provide organization's name in lowercases + #Eg. orgName: supplychain + orgName: supplychain + #Provide organization's type (orderer or peer) + #Eg. component_type: orderer + type: #Provide organization's subject #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - component_subject: + componentSubject: #Provide organization's subject #Eg. "O=Orderer,L=51.50/-0.13/London,C=GB" - cert_subject: + certSubject: #Provide organization's country #Eg. UK - component_country: UK + componentCountry: UK #Provide organization's state #Eg. London - component_state: London + componentState: London #Provide organization's location #Eg. Lodon - component_location: Lodon - #Provide organization's ca_url - #Eg. "ca.supplychain-net.org1.blockchaincloudpoc.com" - ca_url: - + componentLocation: Lodon + #Provide orderer's names orderers: - name: orderer1 -#Provide orderer's names and ca certificates -orderers_info: {} + - orderer1 + - orderer2 + - orderer3 + #Provide peer's names peers: - name: peer1 -#Provide the total number of peers -peer_count: 4 + - peer0 users: + # Generating User Certificates with custom attributes using Fabric CA in Bevel for Peer Organizations + usersList: + - user: + identity: user1 + attributes: + - key: "hf.Revoker" + value: "true" + - user: + identity: user2 + attributes: + - key: "hf.Revoker" + value: "true" #Base64 encoded list of users #Eg. 
IC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMQogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgIgICAgICAgIC0ga2V5OiBrZXkyCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMgogICAgICAgIC0gdXNlcjoKICAgICAgICAgIGlkZW50aXR5OiB1c2VyMgogICAgICAgICAgYXR0cmlidXRlczoKICAgICAgICAgICAgLSBrZXk6IGtleTEKICAgICAgICAgICAgICB2YWx1ZTogdmFsdWUxCiAgICAgICAgICAgIC0ga2V5OiBrZXkzCiAgICAgICAgICAgICAgdmFsdWU6IHZhbHVlMw== - users_list: + usersListAnsible: #Provides a list of user identities - #Eg. "user1-user2-user3" - users_identities: + usersIdentities: + - user1 + - user2 + checks: #Provides the need to refresh user certificates - refresh_cert_value: false + refreshCertValue: false #Add a peer to an existing network - add_peer_value: False + addPeerValue: False labels: service: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml index 67b27977c0a..0fa3f404cc5 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/Chart.yaml @@ -5,7 +5,23 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Deploys Fabric Cli." name: fabric-cli +description: "Hyperledger Fabric: Deploys Fabric Cli." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org + diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/README.md b/platforms/hyperledger-fabric/charts/fabric-cli/README.md index 3741f56ee44..bd7b2cb7629 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-cli/README.md 
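Review bot: The default `usersList` gives both `user1` and `user2` the `hf.Revoker: "true"` attribute, so anyone deploying with the defaults issues revocation-capable identities as ordinary users; least privilege suggests shipping the example without that attribute, or with a comment such as `# hf.Revoker lets this identity revoke certificates — grant only to admin identities`. The `#Eg. component_type: orderer` comment above `type:` still uses the old key name, and `addPeerValue: False` beside `refreshCertValue: false` mixes boolean spellings.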
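Review bot: The new `keywords` list for a Fabric chart contains `ethereum`, which looks copied from another chart; the identical list is added to the fabric-orderernode Chart.yaml further down this page. `appVersion: latest` also drops the version information the old `"2.0"` carried; the Fabric version the chart targets would be more useful to consumers.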
@@ -99,8 +99,8 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | --------------| --------------------------------------------| -----------------------------| | name | Name of the peer as per deployment YAML | peer0 | -| localmspid | Local MSP ID for the organization's peer | Org1MSP | -| tlsstatus | TLS status for the organization's peer | true | +| localMspId | Local MSP ID for the organization's peer | Org1MSP | +| tlsStatus | TLS status for the organization's peer | true | | address | Address for the peer | peer0.org1-net:7051 | ### Orderer Configuration diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl index 8823df47301..83db7397ca3 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/_helpers.tpl 
@@ -1,8 +1,31 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fabric-cli.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fabric-cli.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fabric-cli.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{- define "labels.deployment" -}} {{- if $.Values.labels }} diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml index 56b640d9808..7b54718c386 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/deployment.yaml @@ -7,8 +7,8 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Values.peer.name }}-cli - namespace: {{ .Values.metadata.namespace }} + name: {{ template "fabric-cli.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{ include "labels.deployment" . | nindent 2 }} spec: 
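Review bot: In `fabric-cli.fullname`, `{{- $name := default .Chart.Name -}}` passes only one argument to `default`, so `$name` is always `.Chart.Name` and `nameOverride` is honoured by `fabric-cli.name` but ignored by the fullname; the intended line is presumably `{{- $name := default .Chart.Name .Values.nameOverride -}}`. The same one-argument `default` appears in the fabric-orderernode `_helpers.tpl` hunk further down. If ignoring the override is deliberate, a comment in the helper saying so would prevent the next reader from "fixing" it.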
@@ -22,19 +22,19 @@ spec: app: cli {{ include "labels.deployment" . | nindent 6 }} spec: - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} + serviceAccountName: {{ $.Values.global.serviceAccountName }} + {{- if .Values.global.vault.imageSecretName }} imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} + - name: {{ $.Values.global.vault.imageSecretName }} {{- end }} volumes: - - name: {{ .Values.peer.name }}-cli-pv + - name: {{ .Release.Name }}-cli-pv persistentVolumeClaim: - claimName: {{ .Values.peer.name }}-cli-pvc - {{ if .Values.vault.tls }} + claimName: {{ .Release.Name }}-cli-pvc + {{ if .Values.global.vault.tls }} - name: vaultca secret: - secretName: {{ $.Values.vault.tls }} + secretName: {{ $.Values.global.vault.tls }} items: - key: ca.crt.pem path: ca-certificates.crt 
@@ -50,50 +50,91 @@ spec: name: package-manager initContainers: - name: certificates-init - image: {{ $.Values.metadata.images.alpineutils }} + image: {{ $.Values.image.alpineUtils }} imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR - value: {{ $.Values.vault.address }} + value: {{ $.Values.global.vault.address }} + - name: VAULT_SECRET_ENGINE + value: "{{ $.Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ $.Values.global.vault.secretPrefix }}" - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} + value: {{ $.Values.global.vault.authPath }} - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: VAULT_PEER_SECRET_PREFIX - value: "{{ $.Values.vault.adminsecretprefix }}" - - name: VAULT_ORDERER_SECRET_PREFIX - value: "{{ $.Values.vault.orderersecretprefix }}" + value: {{ $.Values.global.vault.role }} - name: MOUNT_PATH value: "/secret" - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" + value: "{{ $.Values.global.vault.type }}" + - name: CORE_PEER_ADDRESS + value: "{{ .Release.Name }}.{{ $.Values.peer.address }}" command: ["sh", "-c"] args: - |- #!/usr/bin/env sh . /scripts/bevel-vault.sh +{{- if eq .Values.global.vault.type "hashicorp" }} + # Calling a function to retrieve the vault token. 
+ echo "------------ ${VAULT_ADDR}----------------" vaultBevelFunc "init" - echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_ORDERER_SECRET_PREFIX}/tls" + function getOrdererTlsSecret { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + + echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key" + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" - mkdir -p ${OUTPUT_PATH} - echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') + echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt + } ############################################################################### - echo "Getting MSP certificates from Vault using key $vault_secret_key" - vaultBevelFunc "readJson" "${VAULT_PEER_SECRET_PREFIX}/msp" + function getAdminMspSecret { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + + echo "Getting MSP certificates from Vault." 
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + + ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') + CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') + KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') + SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]') + TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') + + echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt + echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt + echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key + echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt + echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt + } - ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') - CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') - KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') - SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]') - TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') +{{- else }} + + function getOrdererTlsSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt + } + + function getAdminMspSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.admincerts}" | base64 -d > ${OUTPUT_PATH}/admincerts/admin.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacerts}" | base64 -d > ${OUTPUT_PATH}/cacerts/ca.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.keystore}" | base64 -d > ${OUTPUT_PATH}/keystore/server.key + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.signcerts}" | base64 -d > ${OUTPUT_PATH}/signcerts/server.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.tlscacerts}" | base64 -d > ${OUTPUT_PATH}/tlscacerts/tlsca.crt + } 
+ +{{- end }} + + OUTPUT_PATH="${MOUNT_PATH}/orderer/tls" + mkdir -p ${OUTPUT_PATH} + getOrdererTlsSecret orderer-tls OUTPUT_PATH="${MOUNT_PATH}/admin/msp" mkdir -p ${OUTPUT_PATH}/admincerts @@ -101,16 +142,12 @@ spec: mkdir -p ${OUTPUT_PATH}/keystore mkdir -p ${OUTPUT_PATH}/signcerts mkdir -p ${OUTPUT_PATH}/tlscacerts + getAdminMspSecret admin-msp - echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt - echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt - echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key - echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt - echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt volumeMounts: - name: certificates mountPath: /secret - {{ if .Values.vault.tls }} + {{ if .Values.global.vault.tls }} - name: vaultca mountPath: "/etc/ssl/certs/" readOnly: true @@ -123,7 +160,7 @@ spec: subPath: package-manager.sh containers: - name: cli - image: {{ $.Values.metadata.images.fabrictools }} + image: {{ $.Values.image.fabricTools }}:{{ $.Values.network.version }} imagePullPolicy: IfNotPresent stdin: true tty: true 
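Review bot: Neither branch of the certificate fetch fails the init container when a secret is missing: a failed `kubectl get secret` pipes an empty string through `base64 -d` into `server.key`, and in the Vault branch `jq -r` writes the literal `null`, so the cli pod starts with unusable key material and the error only surfaces much later. Add `set -e` after the shebang and verify the written files, e.g. `[ -s ${OUTPUT_PATH}/keystore/server.key ] || { echo "keystore missing"; exit 1; }`. The `function getOrdererTlsSecret {` form is not POSIX sh; under `#!/usr/bin/env sh` prefer `getOrdererTlsSecret() {`, and the Vault branch's `>>` appends mean a restarted init container accumulates duplicate PEM blocks, which `>` (as the kubectl branch already uses) avoids. The added `echo "------------ ${VAULT_ADDR}----------------"` reads as leftover debugging output.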
@@ -135,25 +172,25 @@ spec: - name: FABRIC_LOGGING_SPEC value: "debug" - name: CORE_PEER_ID - value: "{{ .Values.peer.name }}.{{ .Values.metadata.namespace }}" + value: "{{ .Release.Name }}.{{ .Release.Namespace }}" - name: CORE_PEER_ADDRESS - value: "{{ .Values.peer.address }}" + value: "{{ .Release.Name }}.{{ $.Values.peer.address }}" - name: CORE_PEER_LOCALMSPID - value: "{{ .Values.peer.localmspid }}" + value: "{{ .Values.peer.localMspId }}" - name: CORE_PEER_TLS_ENABLED - value: "{{ .Values.peer.tlsstatus }}" + value: "{{ $.Values.peer.tlsStatus }}" - name: CORE_PEER_TLS_ROOTCERT_FILE value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/tlscacerts/tlsca.crt - name: ORDERER_CA value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/orderer/tls/ca.crt - name: ORDERER_URL - value: "{{ .Values.orderer.address }}" + value: "{{ $.Values.orderer.address }}" - name: CORE_PEER_MSPCONFIGPATH value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp volumeMounts: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto - - name: {{ .Values.peer.name }}-cli-pv + - name: {{ .Release.Name }}-cli-pv mountPath: /opt/gopath/src/github.com/chaincode - name: package-manager mountPath: /scripts/package-manager.sh diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml index 42534298009..8e5dac63d3d 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/templates/volume.yaml 
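Review bot: `CORE_PEER_ADDRESS` is now built as `{{ .Release.Name }}.{{ $.Values.peer.address }}`, and the values hunk below defaults `peer.address` to `test.blockchaincloudpoc.com` with no port, so the rendered value has no `:port` while `ORDERER_URL` keeps `:443`; unless the chart expects users to include the port in `peer.address`, the template should append it (e.g. `:443` when exposed through the proxy) or the values comment `#Eg: address: test.blockchaincloudpoc.com` should show the port. The same expression is used for the init container's `CORE_PEER_ADDRESS` in the earlier hunk. Mixing `.Values.peer.localMspId` with `$.Values.peer.tlsStatus` in adjacent lines is a small style inconsistency.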
@@ -8,12 +8,12 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: - name: {{ $.Values.peer.name }}-cli-pvc - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-cli-pvc + namespace: {{ .Release.Namespace }} labels: {{ include "labels.pvc" . | nindent 2 }} spec: - storageClassName: {{ $.Values.storage.class }} + storageClassName: storage-{{ .Release.Name }} accessModes: - ReadWriteOnce resources: diff --git a/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml b/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml index 33582837c06..c39c98f59a3 100644 --- a/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-cli/values.yaml 
@@ -6,74 +6,69 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: org1-vault-role + role: vault-role + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" + #Provide the imagesecretname for vault + #Eg. imagesecretname: regcred + imageSecretName: "" + #Kuberenetes secret for vault ca.cert + #Enable or disable TLS for vault communication if value present or not + #Eg. tls: vaultca + tls: -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: org1-net - namespace: org1-net - images: - #Provide the valid image name and version for fabric tools - #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 - fabrictools: ghcr.io/hyperledger/bevel-fabric-tools:2.2.2 - #Provide the valid image name and version to read certificates from vault server - #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented -storage: - #Provide the storageclassname - class: aws-storageclass - #Provide the storagesize - size: 256Mi +# HLF Network Version +network: + version: 2.2.2 -vault: - #Provide the vaultrole for an organization - #Eg. vaultrole: vault-role - role: vault-role - #Provide the vault server address - #Eg. 
vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the kubernetes auth backed configured in vault for an organization - #Eg. authpath: fra-demo-hlkube-cluster-org1 - authpath: devorg1-net-auth - #Provide the value for vault secretprefix - #Eg. adminsecretprefix: secretsv2/data/crypto/peerOrganizations/.../users/admin - adminsecretprefix: secretsv2/data/crypto/peerOrganizations/org1-net/users/admin - #Provide the value for vault secretprefix - #Eg. orderersecretprefix: secretsv2/data/crypto/peerOrganizations/.../orderer - orderersecretprefix: secretsv2/data/crypto/peerOrganizations/org1-net/orderer - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Kuberenetes secret for vault ca.cert - #Enable or disable TLS for vault communication if value present or not - #Eg. tls: vaultca - tls: +image: + #Provide the valid image name and version for fabric tools + #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 + fabricTools: ghcr.io/hyperledger/bevel-fabric-tools + #Provide the valid image name and version to read certificates from vault server + #Eg.alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest +storage: + #Provide the storagesize + size: 256Mi peer: - #Provide the name of the peer as per deployment yaml. - #Eg. name: peer0 - name: peer0 - #Provide the localmspid for organization - #Eg. localmspid: Org1MSP - localmspid: Org1MSP - #Provide the value for tlsstatus to be true or false for organization's peer - #Eg. tlsstatus: true - tlsstatus: true + #Provide the localMspId for organization + #Eg. localMspId: supplychainMSP + localMspId: supplychainMSP + #Provide the value for tlsStatus to be true or false for organization's peer + #Eg. 
tlsStatus: true + tlsStatus: true #Provide the address for the peer - #Eg: address: peer0.org1-net:7051 - address: peer0.org1-net:7051 + #Eg: address: test.blockchaincloudpoc.com + address: test.blockchaincloudpoc.com orderer: #Provide the address for orderer - #Eg. address: orderer1.org1proxy.blockchaincloudpoc.com:443 - address: orderer1.org1proxy.blockchaincloudpoc.com:443 + #Eg. address: orderer1.test.blockchaincloudpoc.com:443 + address: orderer1.test.blockchaincloudpoc.com:443 labels: service: [] diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml index dda2a22b87b..3d53b5ebed6 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/Chart.yaml @@ -5,7 +5,23 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Deploys orderer node." name: fabric-orderernode +description: "Hyperledger Fabric: Deploys orderer node." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org + diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md b/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md index 1c9f8f4fa48..e275aefcc82 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/README.md 
@@ -57,7 +57,7 @@ fabric-orderernode/ - `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. - `helpers.tpl`: Contains custom label definitions used in other templates. - `configmap.yaml`: Defines two ConfigMaps, one for the orderer configuration and one for the genesis block. -- `deployment.yaml`: The kafka-healthcheck checks the health of the Kafka brokers before the main container is started. The certificates-init fetches the TLS and MSP certificates from Vault and stores them in a local directory. The {{ $.Values.orderer.name }} runs the Hyperledger Fabric orderer. The grpc-web exposes the orderer's gRPC API over HTTP/WebSockets. These containers are responsible for ensuring that the orderer is up and running, that it has the necessary certificates, and that it can be accessed by clients. +- `deployment.yaml`: The kafka-healthCheck checks the health of the Kafka brokers before the main container is started. The certificates-init fetches the TLS and MSP certificates from Vault and stores them in a local directory. The {{ $.Values.orderer.name }} runs the Hyperledger Fabric orderer. The grpc-web exposes the orderer's gRPC API over HTTP/WebSockets. These containers are responsible for ensuring that the orderer is up and running, that it has the necessary certificates, and that it can be accessed by clients. - `service.yaml`: Ensures internal and external access with exposed ports for gRPC (7050), gRPC-Web (7443), and operations (9443), and optionally uses HAProxy for external exposure and secure communication. - `servicemonitor.yaml`: Define a ServiceMonitor resource that allows Prometheus to collect metrics from the orderer node's "operations" port. The configuration is conditionally applied based on the availability of the Prometheus Operator's API version and whether metrics are enabled for the orderer service. - `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. 
@@ -78,7 +78,7 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | network.version | HyperLedger Fabric network version | 2.2.2 | | images.orderer | Valid image name and version for fabric orderer | ghcr.io/hyperledger/bevel-fabric-orderer:2.2.2 | | images.alpineutils | Valid image name and version to read certificates from vault server | ghcr.io/hyperledger/bevel-alpine:latest | -| images.healthcheck | Valid image name and version for health check of Kafka | busybox | +| images.healthCheck | Valid image name and version for health check of Kafka | busybox | | labels | Custom labels | "" | ### Orderer @@ -102,7 +102,6 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | ----------------------| -----------------------------------| ----------------| -| storageclassname | Storage class name for orderer | aws-storageclassname | | storagesize | Storage size for storage class | 512Mi | ### Service @@ -139,8 +138,8 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | --------------------------- | ------------------------------------------------------------------------| ----------------| -| readinesscheckinterval | Interval in seconds to check readiness of Kafka services | 5 | -| readinessthreshold | Threshold for checking if specified Kafka brokers are up and running | 4 | +| readinessCheckInterval | Interval in seconds to check readiness of Kafka services | 5 | +| readinessThresHold | Threshold for checking if specified Kafka brokers are up and running | 4 | | brokers | List of Kafka broker addresses | "" | ### Proxy diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml new file mode 100644 index 00000000000..895f0a0e1cf --- /dev/null 
+++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/requirements.yaml @@ -0,0 +1,7 @@ +dependencies: + - name: bevel-storageclass + alias: storage + repository: "file://../../../shared/charts/bevel-storageclass" + tags: + - storage + version: ~1.0.0 diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl index 8823df47301..76f3d9e390f 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/_helpers.tpl @@ -1,8 +1,31 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fabric-orderernode.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fabric-orderernode.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fabric-orderernode.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{- define "labels.deployment" -}} {{- if $.Values.labels }} 
diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml index 03e3239be3b..15613610bfa 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/configmap.yaml 
@@ -7,27 +7,29 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Values.orderer.name }}-config - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-config + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ $.Values.orderer.name }}-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} data: - FABRIC_LOGGING_SPEC: {{ $.Values.orderer.loglevel }} + FABRIC_LOGGING_SPEC: {{ $.Values.orderer.logLevel }} ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 -{{ if contains "2.5" $.Values.metadata.network.version }} +{{ if contains "2.5" $.Values.network.version }} ORDERER_GENERAL_BOOTSTRAPMETHOD: "none" {{ else }} ORDERER_GENERAL_GENESISMETHOD: file ORDERER_GENERAL_GENESISFILE: /var/hyperledger/orderer/orderer.genesis.block {{ end }} - ORDERER_GENERAL_LOCALMSPID: {{ $.Values.orderer.localmspid }} - ORDERER_GENERAL_KEEPALIVE_SERVERINTERVAL: {{ $.Values.orderer.keepaliveserverinterval }} + ORDERER_GENERAL_LOCALMSPID: {{ $.Values.orderer.localMspId }} + ORDERER_GENERAL_KEEPALIVE_SERVERINTERVAL: {{ $.Values.orderer.keepAliveServerInterval }} ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/orderer/crypto/msp - ORDERER_GENERAL_TLS_ENABLED: "{{ $.Values.orderer.tlsstatus }}" + ORDERER_GENERAL_TLS_ENABLED: "{{ $.Values.orderer.tlsStatus }}" ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/orderer/crypto/tls/server.key ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/orderer/crypto/tls/server.crt ORDERER_GENERAL_TLS_ROOTCAS: '[/var/hyperledger/orderer/crypto/tls/ca.crt]' 
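Review bot: The version gate is inconsistent within this file: `{{ if contains "2.5" $.Values.network.version }}` switches on `ORDERER_GENERAL_BOOTSTRAPMETHOD: "none"` for every 2.5.x release, while the genesis-block ConfigMap in the `@@ -50,18 +52,20 @@` hunk is only skipped when the version is exactly `"2.5.4"` (`{{- if ne $.Values.network.version "2.5.4" }}`, the same predicate node-statefulset.yaml uses for the genesis volume). A 2.5.0 or 2.5.5 deployment therefore gets both the channel-less bootstrap and a genesis ConfigMap that requires `.Values.genesis` to be populated. Pick one predicate — `contains "2.5"` matches the stated goal of "2.5 without a channel" — and use it in all three places (the `@@ -40,7 +42,7 @@` hunk around `ORDERER_ADMIN_LISTENADDRESS` already uses `contains`). `ORDERER_GENERAL_TLS_ENABLED` is driven by `orderer.tlsStatus`, but the grpc-web sidecar in node-statefulset.yaml hard-codes `BACKEND_TLS: "true"`, so only `true` actually works end to end; the values.yaml comment for `tlsStatus` should say so.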
@@ -40,7 +42,7 @@ data: ORDERER_KAFKA_VERBOSE: "true" GODEBUG: "netdns=go" ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:10443 -{{ if contains "2.5" $.Values.metadata.network.version }} +{{ if contains "2.5" $.Values.network.version }} ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:7055 ORDERER_ADMIN_TLS_ENABLED: "true" ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/orderer/crypto/tls/server.key @@ -50,18 +52,20 @@ data: {{ end }} --- -{{- if ne $.Values.metadata.network.version "2.5.4" }} +{{- if ne $.Values.network.version "2.5.4" }} apiVersion: v1 kind: ConfigMap metadata: - name: genesis-block-{{ $.Values.orderer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: genesis-block-{{ .Release.Name }} + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: genesis-block - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} data: genesis.block.base64: {{ .Values.genesis | quote }} {{ end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/deployment.yaml deleted file mode 100644 index b0a4187c137..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/deployment.yaml +++ /dev/null 
@@ -1,272 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ $.Values.orderer.name }} - namespace: {{ $.Values.metadata.namespace }} - labels: - app.kubernetes.io/name: {{ $.Values.orderer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} - {{- include "labels.deployment" . | nindent 2 }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.deployment }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} -spec: - updateStrategy: - type: RollingUpdate - serviceName: "{{ $.Values.orderer.name }}" - replicas: 1 - selector: - matchLabels: - app: {{ $.Values.orderer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/name: {{ $.Values.orderer.name }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - labels: - app: {{ $.Values.orderer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/name: {{ $.Values.orderer.name }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.deployment" . 
| nindent 6 }} - spec: - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} - imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} - {{- end }} - volumes: - - name: certificates - emptyDir: - medium: Memory - {{ if .Values.vault.tls }} - - name: vaultca - secret: - secretName: {{ $.Values.vault.tls }} - items: - - key: ca.crt.pem - path: ca-certificates.crt # curl expects certs to be in /etc/ssl/certs/ca-certificates.crt - {{ end }} - {{- if ne $.Values.metadata.network.version "2.5.4" }} - - name: {{ $.Values.orderer.name }}-genesis-volume - configMap: - name: genesis-block-{{ $.Values.orderer.name }} - items: - - key: genesis.block.base64 - path: genesis.block.base64 - {{ end }} - - name: scripts-volume - configMap: - name: bevel-vault-script - initContainers: - - name: kafka-healthcheck - image: {{ $.Values.metadata.images.healthcheck }} - imagePullPolicy: IfNotPresent - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - if [ {{ $.Values.consensus.name }} == kafka ] - then - COUNTER=1 - FLAG=true - KAFKACOUNT=0 - COUNT=0 - {{ range $.Values.kafka.brokers}} - COUNT=`expr "$COUNT" + 1` - {{ end }} - while [ "$COUNTER" -le {{ $.Values.kafka.readinessthreshold }} ] - do - {{ range $.Values.kafka.brokers}} - KAFKA_BROKERS={{ . }} - STATUS=$(nc -vz $KAFKA_BROKERS 2>&1 | grep -c open ) - if [ "$STATUS" == 0 ] - then - FLAG=false - else - FLAG=true - KAFKACOUNT=`expr "$KAFKACOUNT" + 1` - echo "$KAFKACOUNT kafka brokers out of $COUNT are up and running" - fi - {{ end }} - if [ "$FLAG" == false ] - then - echo "$KAFKACOUNT kafka brokers out of $COUNT are up and running!" - echo "Retry attempted $COUNTER times, retrying after {{ $.Values.kafka.readinesscheckinterval }} seconds" - COUNTER=`expr "$COUNTER" + 1` - sleep {{ $.Values.kafka.readinesscheckinterval }} - else - echo "SUCCESS!" - echo "All $KAFKACOUNT kafka broker are up and running!" 
- exit 0 - break - fi - done - if [ "$COUNTER" -gt {{ $.Values.kafka.readinessthreshold }} ] || [ "$FLAG" == false ] - then - echo "Retry attempted $COUNTER times, no kafka brokers are up and running. Giving up!" - exit 1 - break - fi - fi - - name: certificates-init - image: {{ $.Values.metadata.images.alpineutils }} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.vault.secretprefix }}" - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: MOUNT_PATH - value: /secret - - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - . /scripts/bevel-vault.sh - - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_PREFIX}/tls" - - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') - - OUTPUT_PATH="${MOUNT_PATH}/tls" - mkdir -p ${OUTPUT_PATH} - echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt - echo "${TLS_SERVER_CERT}" >> ${OUTPUT_PATH}/server.crt - echo "${TLS_SERVER_KEY}" >> ${OUTPUT_PATH}/server.key - - echo "Getting MSP certificates from Vault." 
- vaultBevelFunc "readJson" "${VAULT_SECRET_PREFIX}/msp" - - ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') - CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') - KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') - SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]') - TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') - - OUTPUT_PATH="${MOUNT_PATH}/msp" - mkdir -p ${OUTPUT_PATH}/admincerts - mkdir -p ${OUTPUT_PATH}/cacerts - mkdir -p ${OUTPUT_PATH}/keystore - mkdir -p ${OUTPUT_PATH}/signcerts - mkdir -p ${OUTPUT_PATH}/tlscacerts - - echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt - echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt - echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key - echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt - echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt - volumeMounts: - - name: certificates - mountPath: /secret - {{ if .Values.vault.tls }} - - name: vaultca - mountPath: "/etc/ssl/certs/" - readOnly: true - {{ end }} - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - containers: - - name: {{ $.Values.orderer.name }} - image: {{ $.Values.metadata.images.orderer }} - imagePullPolicy: IfNotPresent - workingDir: /opt/gopath/src/github.com/hyperledger/fabric - command: ["sh", "-c", "cat /var/hyperledger/orderer/genesis/genesis.block.base64 | base64 -d > /var/hyperledger/orderer/orderer.genesis.block && orderer"] - ports: - - containerPort: 7050 - - name: operations - containerPort: 10443 - envFrom: - - configMapRef: - name: {{ $.Values.orderer.name }}-config - volumeMounts: - - name: datadir - mountPath: /var/hyperledger/production/orderer - {{- if ne $.Values.metadata.network.version "2.5.4" }} - - name: {{ $.Values.orderer.name }}-genesis-volume - mountPath: /var/hyperledger/orderer/genesis - readOnly: true - {{- end }} - - name: certificates - mountPath: /var/hyperledger/orderer/crypto - readOnly: true - resources: - 
requests: - memory: {{ .Values.config.pod.resources.requests.memory }} - cpu: {{ .Values.config.pod.resources.requests.cpu }} - limits: - memory: {{ .Values.config.pod.resources.limits.memory }} - cpu: {{ .Values.config.pod.resources.limits.cpu }} - - name: grpc-web - image: "ghcr.io/hyperledger-labs/grpc-web:latest" - imagePullPolicy: IfNotPresent - ports: - - name: grpc-web - containerPort: 7443 - env: - - name: BACKEND_ADDRESS - value: "{{ $.Values.orderer.name }}.{{ $.Values.metadata.namespace }}:{{ $.Values.service.ports.grpc.clusteripport }}" - - name: SERVER_TLS_CERT_FILE - value: "/certs/tls/server.crt" - - name: SERVER_TLS_KEY_FILE - value: "/certs/tls/server.key" - - name: BACKEND_TLS_CA_FILES - value: "/certs/tls/ca.crt" - - name: SERVER_BIND_ADDRESS - value: "0.0.0.0" - - name: SERVER_HTTP_DEBUG_PORT - value: "8080" - - name: SERVER_HTTP_TLS_PORT - value: "7443" - - name: BACKEND_TLS - value: "true" - - name: SERVER_HTTP_MAX_WRITE_TIMEOUT - value: 5m - - name: SERVER_HTTP_MAX_READ_TIMEOUT - value: 5m - - name: USE_WEBSOCKETS - value: "true" - volumeMounts: - - name: certificates - mountPath: /certs - volumeClaimTemplates: - #Lables are not being taken by Kubernetes as it dynamically creates PVC - - metadata: - name: datadir - labels: - {{- include "labels.pvc" . | nindent 6 }} - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ $.Values.storage.storageclassname }} - resources: - requests: - storage: {{ $.Values.storage.storagesize }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml new file mode 100644 index 00000000000..23d5accc679 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/node-statefulset.yaml 
@@ -0,0 +1,311 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fabric-orderernode.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + annotations: + {{- include "labels.deployment" . | nindent 2 }} +spec: + updateStrategy: + type: RollingUpdate + serviceName: "{{ .Release.Name }}" + replicas: 1 + selector: + matchLabels: + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + {{- include "labels.deployment" . 
| nindent 2 }} + spec: + serviceAccountName: {{ $.Values.global.serviceAccountName }} + {{- if .Values.global.vault.imageSecretName }} + imagePullSecrets: + - name: {{ $.Values.global.vault.imageSecretName }} + {{- end }} + volumes: + - name: certificates + emptyDir: + medium: Memory + {{ if .Values.global.vault.tls }} + - name: vaultca + secret: + secretName: {{ $.Values.global.vault.tls }} + items: + - key: ca.crt.pem + path: ca-certificates.crt # curl expects certs to be in /etc/ssl/certs/ca-certificates.crt + {{ end }} + {{- if ne $.Values.network.version "2.5.4" }} + - name: {{ .Release.Name }}-genesis-volume + configMap: + name: genesis-block-{{ .Release.Name }} + items: + - key: genesis.block.base64 + path: genesis.block.base64 + {{ end }} + - name: scripts-volume + configMap: + name: bevel-vault-script + initContainers: + - name: kafka-healthcheck + image: {{ $.Values.image.healthCheck }} + imagePullPolicy: IfNotPresent + command: ["sh", "-c"] + args: + - |- + #!/usr/bin/env sh + if [ {{ $.Values.consensus.name }} == kafka ] + then + COUNTER=1 + FLAG=true + KAFKACOUNT=0 + COUNT=0 + {{ range $.Values.kafka.brokers}} + COUNT=`expr "$COUNT" + 1` + {{ end }} + while [ "$COUNTER" -le {{ $.Values.kafka.readinessThresHold }} ] + do + {{ range $.Values.kafka.brokers}} + KAFKA_BROKERS={{ . }} + STATUS=$(nc -vz $KAFKA_BROKERS 2>&1 | grep -c open ) + if [ "$STATUS" == 0 ] + then + FLAG=false + else + FLAG=true + KAFKACOUNT=`expr "$KAFKACOUNT" + 1` + echo "$KAFKACOUNT kafka brokers out of $COUNT are up and running" + fi + {{ end }} + if [ "$FLAG" == false ] + then + echo "$KAFKACOUNT kafka brokers out of $COUNT are up and running!" + echo "Retry attempted $COUNTER times, retrying after {{ $.Values.kafka.readinessCheckInterval }} seconds" + COUNTER=`expr "$COUNTER" + 1` + sleep {{ $.Values.kafka.readinessCheckInterval }} + else + echo "SUCCESS!" + echo "All $KAFKACOUNT kafka broker are up and running!" 
+ exit 0 + break + fi + done + if [ "$COUNTER" -gt {{ $.Values.kafka.readinessThresHold }} ] || [ "$FLAG" == false ] + then + echo "Retry attempted $COUNTER times, no kafka brokers are up and running. Giving up!" + exit 1 + break + fi + fi + - name: certificates-init + image: {{ $.Values.image.alpineUtils }} + imagePullPolicy: IfNotPresent + env: + - name: VAULT_ADDR + value: {{ $.Values.global.vault.address }} + - name: VAULT_SECRET_ENGINE + value: "{{ $.Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ $.Values.global.vault.secretPrefix }}" + - name: KUBERNETES_AUTH_PATH + value: {{ $.Values.global.vault.authPath }} + - name: VAULT_APP_ROLE + value: {{ $.Values.global.vault.role }} + - name: MOUNT_PATH + value: /secret + - name: VAULT_TYPE + value: "{{ $.Values.global.vault.type }}" + - name: ORDERER_NAME + value: {{ .Release.Name }} + command: ["sh", "-c"] + args: + - |- + #!/usr/bin/env sh +{{- if eq .Values.global.vault.type "hashicorp" }} + . /scripts/bevel-vault.sh + + # Calling a function to retrieve the vault token. + vaultBevelFunc "init" + + function getOrdererTlsSecret { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + + echo "Getting TLS certificates from Vault." + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + + TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') + TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') + TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') + + echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt + echo "${TLS_SERVER_CERT}" >> ${OUTPUT_PATH}/server.crt + echo "${TLS_SERVER_KEY}" >> ${OUTPUT_PATH}/server.key + } + + function getOrdererMspSecret { + KEY=$1 + KEY_FORMATTED=$(echo $KEY | tr - /) + + echo "Getting MSP certificates from Vault." 
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}" + + ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') + CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') + KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') + SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]') + TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') + + echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt + echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt + echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key + echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt + echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt + } + +{{- else }} + + function getOrdererTlsSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.servercrt}" | base64 -d > ${OUTPUT_PATH}/server.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.serverkey}" | base64 -d > ${OUTPUT_PATH}/server.key + } + + function getOrdererMspSecret { + KEY=$1 + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.admincerts}" | base64 -d > ${OUTPUT_PATH}/admincerts/admin.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacerts}" | base64 -d > ${OUTPUT_PATH}/cacerts/ca.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.keystore}" | base64 -d > ${OUTPUT_PATH}/keystore/server.key + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.signcerts}" | base64 -d > ${OUTPUT_PATH}/signcerts/server.crt + kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.tlscacerts}" | base64 -d > ${OUTPUT_PATH}/tlscacerts/tlsca.crt + } + +{{- end 
}} + OUTPUT_PATH="${MOUNT_PATH}/tls" + mkdir -p ${OUTPUT_PATH} + getOrdererTlsSecret ${ORDERER_NAME}-tls + + OUTPUT_PATH="${MOUNT_PATH}/msp" + mkdir -p ${OUTPUT_PATH}/admincerts + mkdir -p ${OUTPUT_PATH}/cacerts + mkdir -p ${OUTPUT_PATH}/keystore + mkdir -p ${OUTPUT_PATH}/signcerts + mkdir -p ${OUTPUT_PATH}/tlscacerts + getOrdererMspSecret ${ORDERER_NAME}-msp + + volumeMounts: + - name: certificates + mountPath: /secret + {{ if .Values.global.vault.tls }} + - name: vaultca + mountPath: "/etc/ssl/certs/" + readOnly: true + {{ end }} + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh + containers: + - name: {{ .Release.Name }} + image: {{ $.Values.image.orderer }}:{{ $.Values.network.version }} + imagePullPolicy: IfNotPresent + workingDir: /opt/gopath/src/github.com/hyperledger/fabric + command: ["sh", "-c", "cat /var/hyperledger/orderer/genesis/genesis.block.base64 | base64 -d > /var/hyperledger/orderer/orderer.genesis.block && orderer"] + ports: + - containerPort: 7050 + - name: operations + containerPort: 10443 + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config + volumeMounts: + - name: datadir + mountPath: /var/hyperledger/production/orderer + {{- if ne $.Values.network.version "2.5.4" }} + - name: {{ .Release.Name }}-genesis-volume + mountPath: /var/hyperledger/orderer/genesis + readOnly: true + {{- end }} + - name: certificates + mountPath: /var/hyperledger/orderer/crypto + readOnly: true + resources: + requests: + memory: {{ .Values.config.pod.resources.requests.memory }} + cpu: {{ .Values.config.pod.resources.requests.cpu }} + limits: + memory: {{ .Values.config.pod.resources.limits.memory }} + cpu: {{ .Values.config.pod.resources.limits.cpu }} + - name: grpc-web + image: "ghcr.io/hyperledger-labs/grpc-web:latest" + imagePullPolicy: IfNotPresent + ports: + - name: grpc-web + containerPort: 7443 + env: + - name: BACKEND_ADDRESS + value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ 
$.Values.service.ports.grpc.clusterIpPort }}" + - name: SERVER_TLS_CERT_FILE + value: "/certs/tls/server.crt" + - name: SERVER_TLS_KEY_FILE + value: "/certs/tls/server.key" + - name: BACKEND_TLS_CA_FILES + value: "/certs/tls/ca.crt" + - name: SERVER_BIND_ADDRESS + value: "0.0.0.0" + - name: SERVER_HTTP_DEBUG_PORT + value: "8080" + - name: SERVER_HTTP_TLS_PORT + value: "7443" + - name: BACKEND_TLS + value: "true" + - name: SERVER_HTTP_MAX_WRITE_TIMEOUT + value: 5m + - name: SERVER_HTTP_MAX_READ_TIMEOUT + value: 5m + - name: USE_WEBSOCKETS + value: "true" + volumeMounts: + - name: certificates + mountPath: /certs + volumeClaimTemplates: + #Lables are not being taken by Kubernetes as it dynamically creates PVC + - metadata: + name: datadir + labels: + {{- include "labels.pvc" . | nindent 6 }} + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: storage-{{ .Release.Name }} + resources: + requests: + storage: {{ $.Values.storage.size }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml index 49ed70688f8..b2f6d798770 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/service.yaml 
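Review bot: In the hashicorp branch of `certificates-init` every certificate and key is written with an appending redirect (`echo "${TLS_SERVER_KEY}" >> ${OUTPUT_PATH}/server.key` and the seven sibling lines), whereas the kubectl branch truncates with `>`. The `certificates` volume is an emptyDir that outlives a restarted init container, so if the container is retried after a partial failure (for example a Vault read error during the MSP step) the TLS files end up holding two concatenated PEM blocks; switch the eight `>>` redirections to `>`. The `grpc-web` sidecar, which is handed the orderer's server key under `/certs`, is pulled as `ghcr.io/hyperledger-labs/grpc-web:latest` with neither a version nor a digest — pin it the way `image.orderer` is pinned to `network.version`. `storageClassName: storage-{{ .Release.Name }}` hard-codes a name the `storage` subchart from requirements.yaml is presumably expected to create; if bevel-storageclass guarantees that convention a comment here should say so, otherwise expose it as a value as the removed `storage.storageclassname` did.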
@@ -7,33 +7,34 @@ apiVersion: v1 kind: Service metadata: - name: {{ $.Values.orderer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.service }} + {{- if $.Values.labels }} + {{- range $key, $value := $.Values.labels.service }} {{- range $k, $v := $value }} {{ $k }}: {{ $v | quote }} {{- end }} {{- end }} {{- end }} labels: - run: {{ $.Values.orderer.name }} - app.kubernetes.io/name: {{ $.Values.orderer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + run: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} - {{- include "labels.service" . | nindent 2 }} spec: - type: {{ $.Values.service.servicetype }} + type: {{ $.Values.service.serviceType }} selector: - app: {{ $.Values.orderer.name }} + app: {{ .Release.Name }} ports: - protocol: TCP targetPort: 7050 - port: {{ $.Values.service.ports.grpc.clusteripport }} - {{- if (ne $.Values.service.servicetype "ClusterIP") }} + port: {{ $.Values.service.ports.grpc.clusterIpPort }} + {{- if (ne $.Values.service.serviceType "ClusterIP") }} nodePort: {{ $.Values.service.ports.grpc.nodeport }} {{- end }} name: grpc 
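Review bot: The block under `annotations:` now iterates `$.Values.labels.service`, so entries a user puts under a values key called `labels` are rendered as Service annotations rather than labels, and `labels.deployment` is likewise emitted under both `annotations:` and `labels:` in node-statefulset.yaml. Anyone setting `labels.service` expecting a selectable label will be surprised; either rename the value to `annotations.service` (which is what the removed `annotations.service` key was) or document in values.yaml that `labels.service` entries become annotations. Note also that `app.kubernetes.io/managed-by` is `{{ .Release.Service }}` here and in configmap.yaml but the literal `helm` in node-statefulset.yaml, so the chart's resources carry different values for the same key.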
@@ -44,61 +45,61 @@ spec: - name: operations protocol: TCP targetPort: 9443 - port: {{ $.Values.service.ports.metrics.clusteripport }} - {{- if (eq $.Values.service.servicetype "ClusterIP") }} + port: {{ $.Values.service.ports.metrics.clusterIpPort }} + {{- if (eq $.Values.service.serviceType "ClusterIP") }} clusterIP: None {{- end }} -{{ if eq $.Values.proxy.provider "haproxy" }} +{{ if eq $.Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.orderer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: rules: - - host: {{ $.Values.orderer.name }}.{{ $.Values.proxy.external_url_suffix }} + - host: {{ .Release.Name }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.orderer.name }} + name: {{ .Release.Name }} port: - number: {{ $.Values.service.ports.grpc.clusteripport }} - - host: {{ $.Values.orderer.name }}-proxy.{{ $.Values.proxy.external_url_suffix }} + number: {{ $.Values.service.ports.grpc.clusterIpPort }} + - host: {{ .Release.Name }}-proxy.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.orderer.name }} + name: {{ .Release.Name }} port: number: 7443 --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.orderer.name }}-ops - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-ops + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" spec: rules: - - host: {{ $.Values.orderer.name }}-ops.{{ $.Values.proxy.external_url_suffix }} + - host: {{ .Release.Name }}-ops.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ 
$.Values.orderer.name }} + name: {{ .Release.Name }} port: number: 10443 {{ end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml index 62850b18082..0e882368204 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/templates/servicemonitor.yaml @@ -4,11 +4,15 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - app: {{ $.Values.orderer.name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: {{ $.Values.orderer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} spec: jobLabel: {{ .Release.Name }} endpoints: @@ -16,10 +20,10 @@ spec: port: operations namespaceSelector: matchNames: - - {{ $.Values.metadata.namespace }} + - {{ .Release.Namespace }} selector: matchLabels: app.kubernetes.io/instance: {{ .Release.Name }} - run: {{ $.Values.orderer.name }} + run: {{ .Release.Name }} {{- end }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml b/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml index 72b46e23f21..fe44b44a29c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-orderernode/values.yaml 
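Review bot: The ServiceMonitor's selector still matches on `app.kubernetes.io/instance: {{ .Release.Name }}` (a context line of the `@@ -16,10 +20,10 @@` hunk), but the `@@ -7,33 +7,34 @@` hunk in service.yaml removes exactly that label (`- app.kubernetes.io/instance: {{ .Release.Name }}`) and replaces it with `app.kubernetes.io/release`. Since both `matchLabels` entries must match, the monitor now selects no Service and operations metrics are silently no longer scraped. Change the selector line to `app.kubernetes.io/release: {{ .Release.Name }}` (or rely on `run: {{ .Release.Name }}` alone, which the Service still carries). The two `{{- if }}` guards that the closing `{{- end }}` lines belong to begin outside the hunk.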
@@ -4,49 +4,81 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -metadata: - #Provide the namespace for orderer - #Eg. namespace: org1-net - namespace: org1-net - # HLF Network Version - network: - version: 2.2.2 - images: - #Provide the valid image name and version for fabric orderer - #Eg. orderer: hyperledger/fabric-orderer:1.4.0 - orderer: ghcr.io/hyperledger/bevel-fabric-orderer:2.2.2 - #Provide the valid image name and version to read certificates from vault server - #Eg.alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the valid image name and version for healthcheck of kafka - #Eg. healthcheck: busybox - healthcheck: busybox - #Provide the custom labels - #NOTE: Provide labels other than name, release name , release service, chart version , chart name , run - #These lables will not be applied to VolumeClaimTemplate of StatefulSet as labels are automatically picked up by Kubernetes - #Eg. labels: - # role: orderer - labels: +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: org1-vault-role + role: vault-role + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the kubernetes auth backed configured in vault for an organization + #Eg. authpath: supplychain + authPath: supplychain + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" + #Provide the imagesecretname for vault + #Eg. imagesecretname: regcred + imageSecretName: "" + #Kuberenetes secret for vault ca.cert + #Enable or disable TLS for vault communication if value present or not + #Eg. 
tls: vaultca + tls: + + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + + proxy: + #This will be the proxy/ingress provider. Can have values "none" or "haproxy" + #Eg. provider: "haproxy" + provider: "haproxy" + #This field contains the external URL of the organization + #Eg. externalUrlSuffix: test.blockchaincloudpoc.com + externalUrlSuffix: test.blockchaincloudpoc.com + +labels: + service: [] + pvc: [] + deployment: [] + +# HLF Network Version +network: + version: 2.2.2 + +image: + #Provide the valid image name and version for fabric orderer + #Eg. orderer: hyperledger/fabric-orderer:1.4.0 + orderer: ghcr.io/hyperledger/bevel-fabric-orderer + #Provide the valid image name and version to read certificates from vault server + #Eg.alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the valid image name and version for healthCheck of kafka + #Eg. healthCheck: busybox + healthCheck: busybox orderer: - #Provide the name for the orderer node - #Eg. name: orderer - name: orderer - #Provide the loglevel for orderer deployment - #Eg. loglevel: info - loglevel: info - #Provide the localmspid for orderer deployment - #Eg. localmspid: OrdererMSP - localmspid: OrdererMSP - #Provide the value for tlsstatus to be true or false for orderer deployment - #Eg. tlsstatus: true - tlsstatus: true + #Provide the logLevel for orderer deployment + #Eg. logLevel: info + logLevel: info + #Provide the localMspId for orderer deployment + #Eg. localMspId: supplychainMSP + localMspId: supplychainMSP + #Provide the value for tlsStatus to be true or false for orderer deployment + #Eg. tlsStatus: true + tlsStatus: true #Provide the interval in which the orderer to signal the connection has kept alive - #Eg. keepaliveserverinterval: 10s - keepaliveserverinterval: 10s + #Eg. 
keepAliveServerInterval: 10s + keepAliveServerInterval: 10s #Provide the address for orderer - #Eg. address: orderer1.org1proxy.blockchaincloudpoc.com:443 - ordererAddress: orderer1.org1proxy.blockchaincloudpoc.com:443 + #Eg. address: orderer1.test.blockchaincloudpoc.com consensus: #Provide name of the consensus. Currently support raft and kafka 
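Review bot: Under `orderer:` the comment pair `#Provide the address for orderer` / `#Eg. address: orderer1.test.blockchaincloudpoc.com` survives, but the key it documented (`ordererAddress`) is removed in the same hunk, leaving an example with nothing to set; delete the two comment lines, or restore the key if a template outside this patch still reads it. `global.cluster.provider` and `global.cluster.cloudNativeServices` are introduced here but no template in this patch reads them; if they exist for the `storage` subchart, a comment saying so would stop readers hunting for a consumer. `network.version` defaults to `2.2.2` while the PR description says 2.2.2 support is still pending, so the out-of-the-box values render an `image.orderer` tag of `:2.2.2` that this change does not claim to have exercised; consider defaulting to the 2.5.4 this PR targets, or stating in the comment that 2.2.2 is not yet supported by these charts.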
@@ -54,69 +86,33 @@ consensus: name: raft storage: - #Provide the storageclassname for orderer - #Eg. storageclassname: aws-storage - storageclassname: aws-storageclass - #Provide the storagesize for storage class - #Eg. storagesize: 512Mi - storagesize: 512Mi - + #Provide the size for storage class + #Eg. size: 512Mi + size: 512Mi service: - #Provide the servicetype a peer - #Eg. servicetype: NodePort - servicetype: ClusterIP + #Provide the serviceType a peer + #Eg. serviceType: NodePort + serviceType: ClusterIP ports: grpc: #Provide a nodeport for orderer in the range of 30000-32767 (optional) #Eg. nodeport: 30001 nodeport: #Provide a cluster IP port for orderer to be exposed. - #Eg. clusteripport: 7050 - clusteripport: 7050 + #Eg. clusterIpPort: 7050 + clusterIpPort: 7050 metrics: enabled: false - clusteripport: 9443 -annotations: - #Extra annotations - service: {} - deployment: {} - -vault: - #Provide the vault server address - #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the vaultrole for orderer deployment - #Eg. vaultrole: orderer-vault-role - role: vault-role - #Provide the kubernetes auth backed configured in vault for orderer deployment - #Eg. authpath: devorg1-net-auth - authpath: devorg1-net-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the value for vault secretprefix - #Eg. secretprefix: secretsv2/data/crypto/ordererOrganizations/.../orderers/.... - secretprefix: secretsv2/data/crypto/ordererOrganizations/org1-net/orderers/orderer.org1-net - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Kuberenetes secret for vault ca.cert - #Enable or disable TLS for vault communication if value present or not - #Eg. 
tls: vaultca - tls: - + clusterIpPort: 9443 kafka: #Provide the interval in seconds you want to iterate till all kafka services to be ready - #Eg. readinesscheckinterval: 5 - readinesscheckinterval: 5 + #Eg. readinessCheckInterval: 5 + readinessCheckInterval: 5 #Provide the threshold till you want to check if all specified kafka brokers are up and running - #Eg. readinessthreshold: 4 - readinessthreshold: 4 + #Eg. readinessThresHold: 4 + readinessThresHold: 4 #Provide the kafka broker list #Eg. brokers: # - kafka-0.broker.org1-net.svc.cluster.local:9092 @@ -125,14 +121,6 @@ kafka: # - kafka-3.broker.org1-net.svc.cluster.local:9092 brokers: -proxy: - #This will be the proxy/ingress provider. Can have values "none" or "haproxy" - #Eg. provider: "haproxy" - provider: "haproxy" - #This field contains the external URL of the organization - #Eg. external_url_suffix: org1.blockchaincloudpoc.com - external_url_suffix: org1proxy.blockchaincloudpoc.com:443 - config: # Set limits and requests of pod pod: diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml index e4003f788ce..b8da2440e42 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/Chart.yaml @@ -5,7 +5,22 @@ ############################################################################################## apiVersion: v1 -appVersion: "2.0" -description: "Hyperledger Fabric: Deploys peer node." name: fabric-peernode +description: "Hyperledger Fabric: Deploys peer node." version: 1.0.0 +appVersion: latest +keywords: + - bevel + - ethereum + - fabric + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org 
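Review bot: `readinessThresHold: 4` (and its `#Eg.` comment) breaks the camelCase scheme this hunk introduces; `readinessThreshold` is the expected spelling, matching `readinessCheckInterval` a few lines above. The `nodeport:` key and its comment are left lowercase as context while its sibling became `clusterIpPort`, so the rename looks incomplete here. Whichever spelling is kept must match the key the orderer templates read, and those templates are outside this chunk.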
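Review bot: `- ethereum` in the new `keywords` list is out of place for a Hyperledger Fabric chart and looks copied from another chart's metadata; dropping it (or replacing it with a Fabric-specific keyword) keeps the chart's search metadata accurate. `appVersion: latest` also replaces the previous `"2.0"` with a value that identifies no Fabric release; if the chart targets a specific Fabric version, pinning it here, e.g. `appVersion: "<target fabric version>"`, is what consumers of the chart index will expect.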
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/README.md b/platforms/hyperledger-fabric/charts/fabric-peernode/README.md index 1ee770a923d..15a29fe6c86 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/README.md +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/README.md @@ -6,16 +6,26 @@ # Peer Node Hyperledger Fabric Deployment -- [Peer Node Hyperledger Fabric Deployment Helm Chart](#peer-node-hyperledger-fabric-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) +- [Peer Node Hyperledger Fabric Deployment](#peer-node-hyperledger-fabric-deployment) + - [Peer Node Hyperledger Fabric Deployment Helm Chart](#peer-node-hyperledger-fabric-deployment-helm-chart) + - [Prerequisites](#prerequisites) + - [Chart Structure](#chart-structure) + - [Configuration](#configuration) + - [Metadata](#metadata) + - [Labels](#labels) + - [Peer](#peer) + - [Storage](#storage) + - [Vault](#vault) + - [Service](#service) + - [Proxy](#proxy) + - [Config](#config) + - [Deployment](#deployment) + - [Verification](#verification) + - [Updating the Deployment](#updating-the-deployment) + - [Deletion](#deletion) + - [Contributing](#contributing) + - [License](#license) + - [Attribution](#attribution) 
@@ -60,7 +70,7 @@ fabric-peernode/ - `templates/`: Contains the Kubernetes manifest templates that define the resources to be deployed. - `helpers.tpl`: Contains custom label definitions used in other templates. - `configmap.yaml`: Provides a way to configure the Hyperledger Fabric peer and enable it to join the network, interact with other nodes. The environment variables that are defined in the peer-config ConfigMap are used to configure the peer's runtime behavior. The configuration for the MSP is defined in the msp-config ConfigMap. The core.yaml file is used to configure the chaincode builder -- `deployment.yaml`: The certificates-init container fetches TLS certificates and other secrets from Vault. The couchdb container runs a CouchDB database that is used to store the ledger state. The {{ $.Values.peer.name }} container runs a Hyperledger Fabric peer that manages the ledger and provides access to the blockchain network. The grpc-web container runs a gRPC-Web proxy that allows gRPC services to be accessed via a web browser. +- `deployment.yaml`: The certificates-init container fetches TLS certificates and other secrets from Vault. The couchdb container runs a CouchDB database that is used to store the ledger state. The {{ $.Values.global.peer.name }} container runs a Hyperledger Fabric peer that manages the ledger and provides access to the blockchain network. The grpc-web container runs a gRPC-Web proxy that allows gRPC services to be accessed via a web browser. - `service.yaml`: Ensures internal and external access with exposed ports for gRPC (7051), events (7053), CouchDB (5984), gRPC-Web (7443), and operations (9443), and optionally uses HAProxy for external exposure and secure communication. - `servicemonitor.yaml`: Define a ServiceMonitor resource that allows Prometheus to collect metrics from the peer node's "operations" port. 
The configuration is conditionally applied based on the availability of the Prometheus Operator's API version and whether metrics are enabled for the peer service. - `Chart.yaml`: Contains the metadata for the Helm chart, such as the name, version, and description. 
@@ -87,38 +97,36 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | ---------------| --------------------------------------- | --------------| -| service | Extra annotations for service | "" | -| pvc | Extra annotations for pvc | "" | -| deployment | Extra annotations for deployment | "" | +| service | Extra labels for service | "" | +| pvc | Extra labels for pvc | "" | +| deployment | Extra labels for deployment | "" | ### Peer | Name | Description | Default Value | | ------------------------------------------| ----------------------------------------------------------------------| ----------------------------------------------| | name | Name of the peer as per deployment yaml | peer0 | -| gossippeeraddress | URL of gossipping peer and port for grpc | peer1.org1-net.svc.cluster.local:7051 | -| gossipexternalendpoint | URL of gossip external endpoint and port for haproxy https service | peer0.org1-net.org1proxy.blockchaincloudpoc.com:443 | -| localmspid | Local MSP ID for the organization | Org1MSP | -| loglevel | Log level for organization's peer | info | +| gossipPeerAddress | URL of gossipping peer and port for grpc | peer1.org1-net.svc.cluster.local:7051 | +| gossipExternalEndpoint | URL of gossip external endpoint and port for haproxy https service | peer0.org1-net.org1proxy.blockchaincloudpoc.com:443 | +| localMspId | Local MSP ID for the organization | Org1MSP | +| logLevel | Log level for organization's peer | info | | tlsstatus | Set to true or false for organization's peer | true | | builder | Valid chaincode builder image for Fabric | hyperledger/fabric-ccenv:2.2.2 | | couchdb.username | CouchDB username (mandatory if provided) | org1-user | -| configpath | Provide the configuration path | "" | +| configPath | Provide the configuration path | "" | | core | Provide core configuration | "" | -| mspconfig.organizationalunitidentifiers | Provide the members of the MSP in organizational 
unit identifiers | "" | -| mspconfig.nodeOUs.clientOUidentifier.organizationalunitidentifier | Organizational unit identifier for client nodes | client | -| mspconfig.nodeOUs.peerOUidentifier.organizationalunitidentifier | Organizational unit identifier for peer nodes | peer | -| mspconfig.nodeOUs.adminOUidentifier.organizationalunitidentifier | Organizational unit identifier for admin nodes (2.2.x) | admin | -| mspconfig.nodeOUs.ordererOUidentifier.organizationalunitidentifier | Organizational unit identifier for orderer nodes (2.2.x) | orderer | +| mspConfig.organizationalUnitIdentifiers | Provide the members of the MSP in organizational unit identifiers | "" | +| mspConfig.nodeOUs.clientOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for client nodes | client | +| mspConfig.nodeOUs.peerOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for peer nodes | peer | +| mspConfig.nodeOUs.adminOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for admin nodes (2.2.x) | admin | +| mspConfig.nodeOUs.ordererOUIdentifier.organizationalUnitIdentifier | Organizational unit identifier for orderer nodes (2.2.x) | orderer | ### Storage | Name | Description | Default Value | | --------------------------| -------------------------------- | ------------------- | -| peer.storageclassname | Storage class name for peer | aws-storageclass | -| peer.storagesize | Storage size for peer | 512Mi | -| couchdb.storageclassname | Storage class name for CouchDB | aws-storageclass | -| couchdb.storagesize | Storage size for CouchDB | 512Mi | +| peer.size | Storage size for peer | 512Mi | +| couchdb.size | Storage size for CouchDB | 512Mi | ### Vault 
@@ -138,23 +146,23 @@ The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hy | Name | Description | Default Value | | ----------------------------- | ------------------------------------------| ------------------- | -| servicetype | Service type for the peer | ClusterIP | +| serviceType | Service type for the peer | ClusterIP | | loadBalancerType | Load balancer type for the peer | "" | -| ports.grpc.nodeport | Cluster IP port for grpc service | "" | -| ports.grpc.clusteripport | Cluster IP port for grpc service | 7051 | -| ports.events.nodeport | Cluster IP port for event service | "" | -| ports.events.clusteripport | Cluster IP port for event service | 7053 | -| ports.couchdb.nodeport | Cluster IP port for CouchDB service | "" | -| ports.couchdb.clusteripport | Cluster IP port for CouchDB service | 5984 | +| ports.grpc.nodePort | Cluster IP port for grpc service | "" | +| ports.grpc.clusterIpPort | Cluster IP port for grpc service | 7051 | +| ports.events.nodePort | Cluster IP port for event service | "" | +| ports.events.clusterIpPort | Cluster IP port for event service | 7053 | +| ports.couchdb.nodePort | Cluster IP port for CouchDB service | "" | +| ports.couchdb.clusterIpPort | Cluster IP port for CouchDB service | 5984 | | ports.metrics.enabled | Enable/disable metrics service | false | -| ports.metrics.clusteripport | Cluster IP port for metrics service | 9443 | +| ports.metrics.clusterIpPort | Cluster IP port for metrics service | 9443 | ### Proxy | Name | Description | Default Value | | ----------------------| ----------------------------------------------------------| ------------------- | | provider | Proxy/ingress provider ( haproxy or none) | none | -| external_url_suffix | External URL of the organization | org1proxy.blockchaincloudpoc.com | +| externalUrlSuffix | External URL of the organization | org1proxy.blockchaincloudpoc.com | | port | External port on proxy service | 443 | ### Config 
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml
new file mode 100644
index 00000000000..ff4809ac555
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/requirements.yaml
@@ -0,0 +1,14 @@
+dependencies:
+ - name: bevel-storageclass
+ alias: storage
+ repository: "file://../../../shared/charts/bevel-storageclass"
+ tags:
+ - storage
+ version: ~1.0.0
+ - name: fabric-cli
+ alias: cli
+ repository: "file://../fabric-cli"
+ tags:
+ - cli
+ version: ~1.0.0
+ condition: cli.enabled
\ No newline at end of file
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl
index 8823df47301..cebbb35241a 100644
--- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/_helpers.tpl
@@ -1,8 +1,31 @@
-{{- define "labels.custom" }}
- {{ range $key, $val := $.Values.metadata.labels }}
- {{ $key }}: {{ $val }}
- {{ end }}
-{{- end }}
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fabric-peernode.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fabric-peernode.fullname" -}}
+{{- $name := default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fabric-peernode.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{- define "labels.deployment" -}}
 {{- if $.Values.labels }}
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml
index d582db7b489..3665412555d 100644
--- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/configmap.yaml
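Review bot: `{{- $name := default .Chart.Name -}}` in `fabric-peernode.fullname` gives `default` only its fallback argument, so `$name` is always the chart name and `.Values.nameOverride` is ignored, while the sibling `fabric-peernode.name` helper a few lines above does honour it; the usual form is `{{- $name := default .Chart.Name .Values.nameOverride -}}`. The `labels.custom` helper is deleted in this hunk; the configmap template in this diff drops its include, but I cannot see the chart's other templates in this chunk, and any that still include it would fail to render.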
@@ -7,28 +7,29 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Values.peer.name }}-config - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-config + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ $.Values.peer.name }}-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/name: {{ .Release.Name }}-config + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} data: CORE_VM_ENDPOINT: unix:///host/var/run/docker.sock - CORE_PEER_ID: {{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }} - FABRIC_LOGGING_SPEC: "grpc=debug:{{ $.Values.peer.loglevel }}" + CORE_PEER_ID: {{ .Release.Name }}.{{ .Release.Namespace }} + FABRIC_LOGGING_SPEC: "grpc=debug:{{ $.Values.peer.logLevel }}" CORE_LEDGER_STATE_STATEDATABASE: CouchDB CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: "{{ $.Values.peer.couchdb.username }}" - CORE_PEER_ADDRESS: {{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }}:{{ $.Values.service.ports.grpc.clusteripport }} - CORE_PEER_GOSSIP_BOOTSTRAP: {{ $.Values.peer.gossippeeraddress }} - {{ if $.Values.peer.gossipexternalendpoint }} - CORE_PEER_GOSSIP_EXTERNALENDPOINT: {{ $.Values.peer.gossipexternalendpoint }} + CORE_PEER_ADDRESS: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ $.Values.service.ports.grpc.clusterIpPort }} + CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Release.Name }}.{{ $.Values.peer.gossipPeerAddress }} + {{ if $.Values.peer.gossipExternalEndpoint }} + CORE_PEER_GOSSIP_EXTERNALENDPOINT: {{ .Release.Name }}.{{ $.Values.peer.gossipExternalEndpoint }} {{ end }} - CORE_PEER_LOCALMSPID: {{ 
$.Values.peer.localmspid }} - CORE_PEER_TLS_ENABLED: "{{ $.Values.peer.tlsstatus }}" + CORE_PEER_LOCALMSPID: {{ $.Values.cli.peer.localMspId }} + CORE_PEER_TLS_ENABLED: "{{ $.Values.cli.peer.tlsStatus }}" CORE_PEER_TLS_CERT_FILE: /etc/hyperledger/fabric/crypto/tls/server.crt CORE_PEER_TLS_KEY_FILE: /etc/hyperledger/fabric/crypto/tls/server.key CORE_PEER_TLS_ROOTCERT_FILE: /etc/hyperledger/fabric/crypto/msp/tlscacerts/tlsca.crt 
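Review bot: `CORE_PEER_LOCALMSPID` and `CORE_PEER_TLS_ENABLED` are now read from `$.Values.cli.peer.*`, i.e. the values of the `fabric-cli` dependency aliased `cli`, which the new `requirements.yaml` makes conditional on `cli.enabled`; if that subchart is disabled and the keys are not set explicitly under `cli:`, the MSP ID renders empty and `CORE_PEER_TLS_ENABLED` renders as `""`, so whether the peer runs with TLS silently depends on a sibling chart's values. Failing at render time is safer, e.g. `CORE_PEER_TLS_ENABLED: "{{ required "cli.peer.tlsStatus must be set" $.Values.cli.peer.tlsStatus }}"`, and the same applies to `$.Values.cli.network.version` in `CORE_CHAINCODE_BUILDER` in the next hunk. Separately, `CORE_PEER_GOSSIP_BOOTSTRAP: {{ .Release.Name }}.{{ $.Values.peer.gossipPeerAddress }}` now prepends the release name to the configured address, while the README table in this same commit still documents `gossipPeerAddress` as the full `peer1.org1-net.svc.cluster.local:7051`, so one of the two is stale.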
@@ -36,58 +37,61 @@ data: CORE_PEER_GOSSIP_ORGLEADER: "false" CORE_PEER_PROFILE_ENABLED: "true" CORE_PEER_ADDRESSAUTODETECT: "true" - CORE_PEER_NETWORKID: {{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }} + CORE_PEER_NETWORKID: {{ .Release.Name }}.{{ .Release.Namespace }} CORE_PEER_MSPCONFIGPATH: /etc/hyperledger/fabric/crypto/msp GODEBUG: "netdns=go" CORE_PEER_GOSSIP_SKIPHANDSHAKE: "true" - CORE_CHAINCODE_BUILDER: "{{ $.Values.peer.builder }}" + CORE_CHAINCODE_BUILDER: "{{ $.Values.peer.builder }}:{{ $.Values.cli.network.version }}" CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 --- apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Values.peer.name }}-msp-config - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-msp-config + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ $.Values.peer.name }}-msp-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/name: {{ .Release.Name }}-msp-config + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} data: - mspconfig: | - {{if ($.Values.peer.mspconfig.organizationalunitidentifiers) }} - OrganizationalUnitIdentifiers:{{ range $.Values.peer.mspconfig.organizationalunitidentifiers }} + mspConfig: | + {{if ($.Values.peer.mspConfig.organizationalUnitIdentifiers) }} + OrganizationalUnitIdentifiers:{{ range $.Values.peer.mspConfig.organizationalUnitIdentifiers }} - Certificate: cacerts/ca.crt OrganizationalUnitIdentifier: {{ . 
}}{{ end }}{{end}} NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspconfig.nodeOUs.clientOUidentifier.organizationalunitidentifier }} + OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.clientOUIdentifier.organizationalUnitIdentifier }} PeerOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspconfig.nodeOUs.peerOUidentifier.organizationalunitidentifier }} + OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.peerOUIdentifier.organizationalUnitIdentifier }} AdminOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspconfig.nodeOUs.adminOUidentifier.organizationalunitidentifier }} + OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.adminOUIdentifier.organizationalUnitIdentifier }} OrdererOUIdentifier: Certificate: cacerts/ca.crt - OrganizationalUnitIdentifier: {{ $.Values.peer.mspconfig.nodeOUs.ordererOUidentifier.organizationalunitidentifier }} + OrganizationalUnitIdentifier: {{ $.Values.peer.mspConfig.nodeOUs.ordererOUIdentifier.organizationalUnitIdentifier }} -{{ if $.Values.peer.configpath }} --- +{{- $file := .Files.Get "files/core.yaml" }} +{{ if $file }} apiVersion: v1 kind: ConfigMap metadata: - name: builders-config - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-builders-config + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: builders-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . 
| nindent 2 }} data: - core.yaml.base64: {{ .Values.peer.core | quote }} + core.yaml: {{ .Files.Get "files/core.yaml" | nindent 8 | quote }} {{ end }} \ No newline at end of file diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/deployment.yaml deleted file mode 100755 index 497e0861882..00000000000 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/deployment.yaml +++ /dev/null 
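Review bot: `{{- $file := .Files.Get "files/core.yaml" }}` binds the file content, but the data line re-reads it with a second `.Files.Get` instead of using `$file`; `core.yaml: {{ $file | quote }}` keeps the guard and the emitted data in step. Piping through `nindent 8` before `quote` also looks unintended: `quote` escapes the newlines into a single-line scalar, so the eight-space indent ends up inside the stored core.yaml content rather than in the manifest layout, and whether the peer tolerates a uniformly indented core.yaml I cannot tell from this chunk. The ConfigMap is renamed to `{{ .Release.Name }}-builders-config` while its `app.kubernetes.io/name: builders-config` label keeps the old name, unlike the other two ConfigMaps in this file whose name label follows the resource name.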
@@ -1,332 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ $.Values.peer.name }} - namespace: {{ $.Values.metadata.namespace }} - labels: - name: {{ $.Values.peer.name }} - app.kubernetes.io/name: {{ $.Values.peer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} - {{- include "labels.deployment" . | nindent 2 }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.deployment }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} -spec: - updateStrategy: - type: RollingUpdate - serviceName: "{{ $.Values.peer.name }}" - replicas: 1 - selector: - matchLabels: - app: {{ $.Values.peer.name }} - app.kubernetes.io/name: {{ $.Values.peer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - labels: - app: {{ $.Values.peer.name }} - app.kubernetes.io/name: {{ $.Values.peer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.deployment" . 
| nindent 6 }} - spec: - serviceAccountName: {{ $.Values.vault.serviceaccountname }} - {{- if .Values.vault.imagesecretname }} - imagePullSecrets: - - name: {{ $.Values.vault.imagesecretname }} - {{- end }} - initContainers: - - name: certificates-init - image: {{ $.Values.metadata.images.alpineutils}} - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.vault.secretprefix }}" - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: MOUNT_PATH - value: /secret - - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - . /scripts/bevel-vault.sh - - # Calling a function to retrieve the vault token. - vaultBevelFunc "init" - - echo "Getting TLS certificates from Vault." - vaultBevelFunc "readJson" "${VAULT_SECRET_PREFIX}/tls" - - TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]') - TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]') - TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]') - - OUTPUT_PATH="${MOUNT_PATH}/tls" - mkdir -p ${OUTPUT_PATH} - echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt - echo "${TLS_SERVER_CERT}" >> ${OUTPUT_PATH}/server.crt - echo "${TLS_SERVER_KEY}" >> ${OUTPUT_PATH}/server.key - - echo "Getting MSP certificates from Vault." 
- vaultBevelFunc "readJson" "${VAULT_SECRET_PREFIX}/msp" - - ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]') - CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]') - KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') - SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]') - TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]') - - OUTPUT_PATH="${MOUNT_PATH}/msp" - mkdir -p ${OUTPUT_PATH}/admincerts - mkdir -p ${OUTPUT_PATH}/cacerts - mkdir -p ${OUTPUT_PATH}/keystore - mkdir -p ${OUTPUT_PATH}/signcerts - mkdir -p ${OUTPUT_PATH}/tlscacerts - - echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt - echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt - echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key - echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt - echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt - - # COUCH_DB CREDENTIALS - echo "Getting couch db credentials" - SECRET_COUCHDB_PASS={{ $.Values.vault.secretcouchdbpass }} - if [ ! -z $SECRET_COUCHDB_PASS ] - then - vault_secret_key=$(echo ${SECRET_COUCHDB_PASS} |awk -F "?" '{print $1}') - vault_data_key=$(echo ${SECRET_COUCHDB_PASS} |awk -F "?" '{print $2}') - - # Calling a function to retrieve secrets from Vault only if they exist. 
- vaultBevelFunc "readJson" "${vault_secret_key}" - - PASSWORD=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]") - echo "${PASSWORD}" >> ${MOUNT_PATH}/user_cred - fi - volumeMounts: - {{ if .Values.vault.tls }} - - name: vaultca - mountPath: "/etc/ssl/certs/" - readOnly: true - {{ end }} - - name: certificates - mountPath: /secret - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh - containers: - - name: couchdb - image: {{ $.Values.metadata.images.couchdb }} - imagePullPolicy: IfNotPresent - command: ["sh", "-c"] - args: - - |- - chown -R couchdb:couchdb /opt/couchdb - chmod -R 0770 /opt/couchdb/data - chmod 664 /opt/couchdb/etc/*.ini - chmod 664 /opt/couchdb/etc/local.d/*.ini - chmod 775 /opt/couchdb/etc/*.d - if [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ -z $COUCHDB_USER ] - then - echo " Error! Please provide username for the password " - exit 1 - break - elif [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ] - then - export COUCHDB_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred` - break - elif [ ! -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ] - then - echo " Error! 
Please provide password for username $COUCHDB_USER " - exit 1 - break - else - : - fi - tini -- /docker-entrypoint.sh /opt/couchdb/bin/couchdb - ports: - - containerPort: 5984 - env: - - name: COUCHDB_USER - value: "{{ $.Values.peer.couchdb.username }}" - volumeMounts: - - name: datadir-couchdb - mountPath: /opt/couchdb/data - - name: certificates - mountPath: /etc/hyperledger/fabric/crypto - - name: {{ $.Values.peer.name }} - image: {{ $.Values.metadata.images.peer }} - imagePullPolicy: IfNotPresent - command: ["sh", "-c"] - args: - - |- - if [ -e /builders/external/core.yaml.base64 ]; then - cat /builders/external/core.yaml.base64 | base64 -d > $FABRIC_CFG_PATH/core.yaml - fi - cp /etc/hyperledger/fabric/NodeOUconfig/mspconfig /etc/hyperledger/fabric/crypto/msp/config.yaml - export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred` - version=$( echo ${PEER_IMAGE} | sed 's/.*://' | cut -d '.' -f -2 ) - if [ $version = "2.2" ] && [ ${IS_UPGRADE} = "true" ] - then - peer node upgrade-dbs - fi - peer node start - ports: - - name: grpc - containerPort: 7051 - - name: events - containerPort: 7053 - - name: operations - containerPort: 9443 - env: - - name: PEER_IMAGE - value: "{{ $.Values.metadata.images.peer }}" - - name: IS_UPGRADE - value: "{{ $.Values.upgrade }}" - envFrom: - - configMapRef: - name: {{ $.Values.peer.name }}-config - volumeMounts: - - name: datadir - mountPath: /var/hyperledger/production - - name: dockersocket - mountPath: /host/var/run/docker.sock - - name: certificates - mountPath: /etc/hyperledger/fabric/crypto - - name: {{ $.Values.peer.name }}-msp-config-volume - mountPath: /etc/hyperledger/fabric/NodeOUconfig - readOnly: true - {{ if $.Values.peer.configpath }} - - name: builders-config - mountPath: /builders/external - {{ end }} - resources: - requests: - memory: {{ .Values.config.pod.resources.requests.memory }} - cpu: {{ .Values.config.pod.resources.requests.cpu }} - limits: - memory: {{ 
.Values.config.pod.resources.limits.memory }} - cpu: {{ .Values.config.pod.resources.limits.cpu }} - - name: grpc-web - image: "ghcr.io/hyperledger-labs/grpc-web:latest" - imagePullPolicy: IfNotPresent - ports: - - name: grpc-web - containerPort: 7443 - env: - - name: BACKEND_ADDRESS - value: "{{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }}:{{ $.Values.service.ports.grpc.clusteripport }}" - - name: SERVER_TLS_CERT_FILE - value: /certs/tls/server.crt - - name: SERVER_TLS_KEY_FILE - value: /certs/tls/server.key - - name: BACKEND_TLS_CA_FILES - value: /certs/tls/ca.crt - - name: SERVER_BIND_ADDRESS - value: "0.0.0.0" - - name: SERVER_HTTP_DEBUG_PORT - value: "8080" - - name: SERVER_HTTP_TLS_PORT - value: "7443" - - name: BACKEND_TLS - value: "true" - - name: SERVER_HTTP_MAX_WRITE_TIMEOUT - value: 5m - - name: SERVER_HTTP_MAX_READ_TIMEOUT - value: 5m - - name: USE_WEBSOCKETS - value: "true" - volumeMounts: - - name: certificates - mountPath: /certs - volumes: - {{ if .Values.vault.tls }} - - name: vaultca - secret: - secretName: {{ $.Values.vault.tls }} - items: - - key: ca.crt.pem - path: ca-certificates.crt - {{ end }} - {{ if $.Values.peer.configpath }} - - name: builders-config - configMap: - name: builders-config - {{ end }} - - name: certificates - emptyDir: - medium: Memory - - name: dockersocket - hostPath: - path: /var/run/docker.sock - - name: {{ $.Values.peer.name }}-msp-config-volume - configMap: - name: {{ $.Values.peer.name }}-msp-config - items: - - key: mspconfig - path: mspconfig - - name: scripts-volume - configMap: - name: bevel-vault-script - volumeClaimTemplates: - #Lables are not being taken by Kubernetes as it dynamically creates PVC - - metadata: - name: datadir - labels: - {{- include "labels.pvc" . 
| nindent 6 }} - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.storage.peer.storageclassname }} - resources: - requests: - storage: {{ .Values.storage.peer.storagesize }} - - metadata: - name: datadir-couchdb - annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} - labels: - {{- include "labels.pvc" . | nindent 6 }} - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.storage.couchdb.storageclassname }} - resources: - requests: - storage: {{ .Values.storage.couchdb.storagesize }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml new file mode 100755 index 00000000000..4ee2cc83703 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/node-statefulset.yaml 
@@ -0,0 +1,362 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "fabric-peernode.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
+ app.kubernetes.io/part-of: {{ template "fabric-peernode.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+ annotations:
+ {{- include "labels.deployment" . | nindent 2 }}
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ serviceName: {{ .Release.Name }}
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
+ app.kubernetes.io/part-of: {{ template "fabric-peernode.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/component: fabric
+ app.kubernetes.io/part-of: {{ template "fabric-peernode.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+ {{- include "labels.deployment" . | nindent 6 }}
+ spec:
+ serviceAccountName: {{ $.Values.global.serviceAccountName }}
+ {{- if .Values.global.vault.imageSecretName }}
+ imagePullSecrets:
+ - name: {{ $.Values.global.vault.imageSecretName }}
+ {{- end }}
+ initContainers:
+ - name: certificates-init
+ image: {{ $.Values.image.alpineUtils }}
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: VAULT_ADDR
+ value: {{ $.Values.global.vault.address }}
+ - name: VAULT_SECRET_ENGINE
+ value: "{{ $.Values.global.vault.secretEngine }}"
+ - name: VAULT_SECRET_PREFIX
+ value: "{{ $.Values.global.vault.secretPrefix }}"
+ - name: KUBERNETES_AUTH_PATH
+ value: {{ $.Values.global.vault.authPath }}
+ - name: VAULT_APP_ROLE
+ value: {{ $.Values.global.vault.role }}
+ - name: MOUNT_PATH
+ value: /secret
+ - name: VAULT_TYPE
+ value: "{{ $.Values.global.vault.type }}"
+ - name: PEER_NAME
+ value: {{ .Release.Name }}
+ command: ["sh", "-c"]
+ args:
+ - |-
+ #!/usr/bin/env sh
+{{- if eq .Values.global.vault.type "hashicorp" }}
+ . /scripts/bevel-vault.sh
+
+ # Calling a function to retrieve the vault token.
+ vaultBevelFunc "init"
+
+ function getPeerTlsSecret {
+ KEY=$1
+ KEY_FORMATTED=$(echo $KEY | tr - /)
+
+
+ echo "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}"
+ echo "Getting TLS certificates from Vault."
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}"
+
+ TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]')
+ TLS_SERVER_CERT=$(echo ${VAULT_SECRET} | jq -r '.["server.crt"]')
+ TLS_SERVER_KEY=$(echo ${VAULT_SECRET} | jq -r '.["server.key"]')
+
+ echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt
+ echo "${TLS_SERVER_CERT}" >> ${OUTPUT_PATH}/server.crt
+ echo "${TLS_SERVER_KEY}" >> ${OUTPUT_PATH}/server.key
+ }
+
+ function getPeerMspSecret {
+ KEY=$1
+ KEY_FORMATTED=$(echo $KEY | tr - /)
+
+ echo "Getting MSP certificates from Vault."
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}"
+
+ ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]')
+ CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]')
+ KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]')
+ SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]')
+ TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]')
+
+ echo "${ADMINCERT}" >> ${OUTPUT_PATH}/admincerts/admin.crt
+ echo "${CACERTS}" >> ${OUTPUT_PATH}/cacerts/ca.crt
+ echo "${KEYSTORE}" >> ${OUTPUT_PATH}/keystore/server.key
+ echo "${SIGNCERTS}" >> ${OUTPUT_PATH}/signcerts/server.crt
+ echo "${TLSCACERTS}" >> ${OUTPUT_PATH}/tlscacerts/tlsca.crt
+ }
+
+ function getCouchDbPass {
+ KEY=$1
+ KEY_FORMATTED=$(echo $KEY | tr - /)
+
+ echo "Getting TLS certificates from Vault."
+ vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${KEY_FORMATTED}"
+
+ PASSWORD=$(echo ${VAULT_SECRET} | jq -r '.["user"]')
+ echo "${PASSWORD}" >> ${MOUNT_PATH}/user_cred
+ }
+
+{{- else }}
+ function getPeerTlsSecret {
+ KEY=$1
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacrt}" | base64 -d > ${OUTPUT_PATH}/ca.crt
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.servercrt}" | base64 -d > ${OUTPUT_PATH}/server.crt
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.serverkey}" | base64 -d > ${OUTPUT_PATH}/server.key
+ }
+
+ function getPeerMspSecret {
+ KEY=$1
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.admincerts}" | base64 -d > ${OUTPUT_PATH}/admincerts/admin.crt
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.cacerts}" | base64 -d > ${OUTPUT_PATH}/cacerts/ca.crt
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.keystore}" | base64 -d > ${OUTPUT_PATH}/keystore/server.key
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.signcerts}" | base64 -d > ${OUTPUT_PATH}/signcerts/server.crt
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.tlscacerts}" | base64 -d > ${OUTPUT_PATH}/tlscacerts/tlsca.crt
+ }
+
+ function getCouchDbPass {
+ KEY=$1
+ kubectl get secret ${KEY} --namespace {{ .Release.Namespace }} --output="jsonpath={.data.user}" | base64 -d > ${MOUNT_PATH}/user_cred
+ }
+
+{{- end }}
+ OUTPUT_PATH="${MOUNT_PATH}/tls"
+ mkdir -p ${OUTPUT_PATH}
+ getPeerTlsSecret ${PEER_NAME}-tls
+
+ OUTPUT_PATH="${MOUNT_PATH}/msp"
+ mkdir -p ${OUTPUT_PATH}/admincerts
+ mkdir -p ${OUTPUT_PATH}/cacerts
+ mkdir -p ${OUTPUT_PATH}/keystore
+ mkdir -p ${OUTPUT_PATH}/signcerts
+ mkdir -p ${OUTPUT_PATH}/tlscacerts
+ getPeerMspSecret ${PEER_NAME}-msp
+
+ getCouchDbPass couchdb
+
+ volumeMounts:
+ {{ if .Values.global.vault.tls }}
+ - name: vaultca
+ mountPath: "/etc/ssl/certs/"
+ readOnly: true
+ {{ end }}
+ - name: certificates
+ mountPath: /secret
+ - name: scripts-volume
+ mountPath: /scripts/bevel-vault.sh
+ subPath: bevel-vault.sh
+ containers:
+ - name: couchdb
+ image: {{ $.Values.image.couchdb }}:{{ $.Values.cli.network.version }}
+ imagePullPolicy: IfNotPresent
+ command: ["sh", "-c"]
+ args:
+ - |-
+ chown -R couchdb:couchdb /opt/couchdb
+ chmod -R 0770 /opt/couchdb/data
+ chmod 664 /opt/couchdb/etc/*.ini
+ chmod 664 /opt/couchdb/etc/local.d/*.ini
+ chmod 775 /opt/couchdb/etc/*.d
+ if [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ -z $COUCHDB_USER ]
+ then
+ echo " Error! Please provide username for the password "
+ exit 1
+ break
+ elif [ -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ]
+ then
+ export COUCHDB_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred`
+ break
+ elif [ ! -e /etc/hyperledger/fabric/crypto/user_cred ] && [ ! -z $COUCHDB_USER ]
+ then
+ echo " Error! Please provide password for username $COUCHDB_USER "
+ exit 1
+ break
+ else
+ :
+ fi
+ tini -- /docker-entrypoint.sh /opt/couchdb/bin/couchdb
+ ports:
+ - containerPort: 5984
+ env:
+ - name: COUCHDB_USER
+ value: "{{ $.Values.peer.couchdb.username }}"
+ volumeMounts:
+ - name: datadir-couchdb
+ mountPath: /opt/couchdb/data
+ - name: certificates
+ mountPath: /etc/hyperledger/fabric/crypto
+ - name: {{ .Release.Name }}
+ image: {{ $.Values.image.peer }}:{{ $.Values.cli.network.version }}
+ imagePullPolicy: IfNotPresent
+ command: ["sh", "-c"]
+ args:
+ - |-
+
+ if [ -e /builders/external/core.yaml ]; then
+ cp /builders/external/core.yaml $FABRIC_CFG_PATH/core.yaml
+ fi
+
+ cp /etc/hyperledger/fabric/NodeOUconfig/mspConfig /etc/hyperledger/fabric/crypto/msp/config.yaml
+ export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=`cat /etc/hyperledger/fabric/crypto/user_cred`
+ version=$( echo ${PEER_IMAGE} | sed 's/.*://' | cut -d '.' -f -2 )
+ if [ $version = "2.2" ] && [ ${IS_UPGRADE} = "true" ]
+ then
+ peer node upgrade-dbs
+ fi
+ peer node start
+ ports:
+ - name: grpc
+ containerPort: 7051
+ - name: events
+ containerPort: 7053
+ - name: operations
+ containerPort: 9443
+ env:
+ - name: PEER_IMAGE
+ value: "{{ $.Values.image.peer }}:{{ $.Values.cli.network.version }}"
+ - name: IS_UPGRADE
+ value: "{{ $.Values.upgrade }}"
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config
+ volumeMounts:
+ - name: datadir
+ mountPath: /var/hyperledger/production
+ - name: dockersocket
+ mountPath: /host/var/run/docker.sock
+ - name: certificates
+ mountPath: /etc/hyperledger/fabric/crypto
+ - name: {{ .Release.Name }}-msp-config-volume
+ mountPath: /etc/hyperledger/fabric/NodeOUconfig
+ readOnly: true
+ {{- $file := .Files.Get "files/core.yaml" }}
+ {{ if $file }}
+ - name: builders-config
+ mountPath: /builders/external
+ {{ end }}
+ resources:
+ requests:
+ memory: {{ .Values.config.pod.resources.requests.memory }}
+ cpu: {{ .Values.config.pod.resources.requests.cpu }}
+ limits:
+ memory: {{ .Values.config.pod.resources.limits.memory }}
+ cpu: {{ .Values.config.pod.resources.limits.cpu }}
+ - name: grpc-web
+ image: "ghcr.io/hyperledger-labs/grpc-web:latest"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: grpc-web
+ containerPort: 7443
+ env:
+ - name: BACKEND_ADDRESS
+ value: "{{ .Release.Name }}.{{ .Release.Namespace }}:{{ $.Values.service.ports.grpc.clusterIpPort }}"
+ - name: SERVER_TLS_CERT_FILE
+ value: /certs/tls/server.crt
+ - name: SERVER_TLS_KEY_FILE
+ value: /certs/tls/server.key
+ - name: BACKEND_TLS_CA_FILES
+ value: /certs/tls/ca.crt
+ - name: SERVER_BIND_ADDRESS
+ value: "0.0.0.0"
+ - name: SERVER_HTTP_DEBUG_PORT
+ value: "8080"
+ - name: SERVER_HTTP_TLS_PORT
+ value: "7443"
+ - name: BACKEND_TLS
+ value: "true"
+ - name: SERVER_HTTP_MAX_WRITE_TIMEOUT
+ value: 5m
+ - name: SERVER_HTTP_MAX_READ_TIMEOUT
+ value: 5m
+ - name: USE_WEBSOCKETS
+ value: "true"
+ volumeMounts:
+ - name: certificates
+ mountPath: /certs
+ volumes:
+ {{ if .Values.global.vault.tls }}
+ - name: vaultca
+ secret:
+ secretName: {{ $.Values.global.vault.tls }}
+ items:
+ - key: ca.crt.pem
+ path: ca-certificates.crt
+ {{ end }}
+ {{- $file := .Files.Get "files/core.yaml" }}
+ {{ if $file }}
+ - name: builders-config
+ configMap:
+ name: {{ .Release.Name }}-builders-config
+ {{ end }}
+ - name: certificates
+ emptyDir:
+ medium: Memory
+ - name: dockersocket
+ hostPath:
+ path: /var/run/docker.sock
+ - name: {{ .Release.Name }}-msp-config-volume
+ configMap:
+ name: {{ .Release.Name }}-msp-config
+ items:
+ - key: mspConfig
+ path: mspConfig
+ - name: scripts-volume
+ configMap:
+ name: bevel-vault-script
+ volumeClaimTemplates:
+ #Lables are not being taken by Kubernetes as it dynamically creates PVC
+ - metadata:
+ name: datadir
+ annotations:
+ {{- include "labels.pvc" . | nindent 6 }}
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: storage-{{ .Release.Name }}
+ resources:
+ requests:
+ storage: {{ .Values.storage.peer.size }}
+ - metadata:
+ name: datadir-couchdb
+ annotations:
+ {{- include "labels.pvc" . | nindent 6 }}
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: storage-{{ .Release.Name }}
+ resources:
+ requests:
+ storage: {{ .Values.storage.couchdb.size }}
diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml
index 5af8e23f63e..a39b19ce536 100644
--- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/service.yaml
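Review bot: The `dockersocket` volume (`hostPath: /var/run/docker.sock`) is mounted unconditionally into the peer container at `/host/var/run/docker.sock`; write access to the node's Docker socket is equivalent to root on that node, so any compromise of the peer container becomes a host compromise. A Fabric 2.x peer using the external builder this chart already ships through `builders-config` does not need the socket, so unless the configmap (outside this hunk) points `CORE_VM_ENDPOINT` at it, gate both the volume and its mount behind an opt-in boolean value (constructed name: `peer.mountDockerSocket`) that defaults to off. In the same spirit, the `couchdb` and `grpc-web` containers mount the whole `certificates` emptyDir, including `msp/keystore/server.key`, although couchdb only reads `user_cred` and grpc-web only the `tls/` files; mounting with `subPath: user_cred` and `subPath: tls` respectively keeps the peer's signing key inside the peer container. Finally `image: "ghcr.io/hyperledger-labs/grpc-web:latest"` is the only unpinned image in the pod; combined with `IfNotPresent` it drifts per node and cannot be audited, so expose it as a value with a fixed tag like the other images under `image:`.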
@@ -7,54 +7,49 @@ apiVersion: v1 kind: Service metadata: - name: {{ $.Values.peer.name }} - namespace: {{ $.Values.metadata.namespace }} - {{- if or $.Values.proxy (and $.Values.service.loadBalancerType (eq $.Values.service.loadBalancerType "Internal")) }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- if or $.Values.global.proxy (and $.Values.service.loadBalancerType (eq $.Values.service.loadBalancerType "Internal")) }} annotations: - {{- if $.Values.annotations }} - {{- range $key, $value := $.Values.annotations.service }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- include "labels.pvc" . | nindent 2 }} {{- if and $.Values.service.loadBalancerType (eq $.Values.service.loadBalancerType "Internal") }} cloud.google.com/load-balancer-type: "Internal" {{- end }} {{- end }} labels: - run: {{ $.Values.peer.name }} - app.kubernetes.io/name: {{ $.Values.peer.name }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + run: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- include "labels.custom" . | nindent 2 }} {{- include "labels.pvc" . 
| nindent 2 }} spec: - type: {{ $.Values.service.servicetype }} + type: {{ $.Values.service.serviceType }} selector: - app: {{ $.Values.peer.name }} + app: {{ .Release.Name }} ports: - name: grpc protocol: TCP targetPort: 7051 - port: {{ $.Values.service.ports.grpc.clusteripport }} - {{- if $.Values.service.ports.grpc.nodeport }} - nodePort: {{ $.Values.service.ports.grpc.nodeport }} + port: {{ $.Values.service.ports.grpc.clusterIpPort }} + {{- if $.Values.service.ports.grpc.nodePort }} + nodePort: {{ $.Values.service.ports.grpc.nodePort }} {{- end }} - name: events protocol: TCP targetPort: 7053 - port: {{ $.Values.service.ports.events.clusteripport }} - {{- if $.Values.service.ports.events.nodeport }} - nodePort: {{ $.Values.service.ports.events.nodeport }} + port: {{ $.Values.service.ports.events.clusterIpPort }} + {{- if $.Values.service.ports.events.nodePort }} + nodePort: {{ $.Values.service.ports.events.nodePort }} {{- end }} - protocol: TCP name: couchdb targetPort: 5984 - port: {{ $.Values.service.ports.couchdb.clusteripport }} - {{- if $.Values.service.ports.couchdb.nodeport }} - nodePort: {{ $.Values.service.ports.couchdb.nodeport }} + port: {{ $.Values.service.ports.couchdb.clusterIpPort }} + {{- if $.Values.service.ports.couchdb.nodePort }} + nodePort: {{ $.Values.service.ports.couchdb.nodePort }} {{- end }} - name: grpc-web protocol: TCP 
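Review bot: The Service `annotations:` block now takes `{{- include "labels.pvc" . | nindent 2 }}` in place of the removed `$.Values.annotations.service` loop, so whatever the PVC-label helper renders (its definition is not in this diff) is emitted as Service annotations, and there is no longer any values hook for per-Service annotations such as cloud load-balancer settings; the new values.yaml only offers `labels.service: []`. Either wire that value through a dedicated annotations helper here, or document in values.yaml that Service annotations other than the GCP internal-LB one are not configurable in this chart. The same `labels.pvc` include also appears a second time at the end of `labels:` in this metadata block, which looks unintended and is worth a comment if it is deliberate.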
@@ -63,64 +58,64 @@ spec: - name: operations protocol: TCP targetPort: 9443 - port: {{ $.Values.service.ports.metrics.clusteripport }} - {{- if (eq $.Values.service.servicetype "ClusterIP") }} + port: {{ $.Values.service.ports.metrics.clusterIpPort }} + {{- if (eq $.Values.service.serviceType "ClusterIP") }} clusterIP: None {{- end }} {{- if $.Values.service.loadBalancerIP }} loadBalancerIP: {{ $.Values.service.loadBalancerIP }} {{- end }} -{{- if eq $.Values.proxy.provider "haproxy" }} +{{- if eq $.Values.global.proxy.provider "haproxy" }} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.peer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" ingress.kubernetes.io/ssl-passthrough: "true" spec: rules: - - host: {{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }}.{{ $.Values.proxy.external_url_suffix }} + - host: {{ .Release.Name }}.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.peer.name }} + name: {{ .Release.Name }} port: - number: {{ $.Values.service.ports.grpc.clusteripport }} - - host: {{ $.Values.peer.name }}-proxy.{{ $.Values.metadata.namespace }}.{{ $.Values.proxy.external_url_suffix }} + number: {{ $.Values.service.ports.grpc.clusterIpPort }} + - host: {{ .Release.Name }}-proxy.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.peer.name }} + name: {{ .Release.Name }} port: number: 7443 --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $.Values.peer.name }}-ops - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }}-ops + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/ingress.class: "haproxy" spec: rules: - - host: {{ $.Values.peer.name }}-ops.{{ 
$.Values.metadata.namespace }}.{{ $.Values.proxy.external_url_suffix }} + - host: {{ .Release.Name }}-ops.{{ .Release.Namespace }}.{{ $.Values.global.proxy.externalUrlSuffix }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $.Values.peer.name }} + name: {{ .Release.Name }} port: number: 9443 {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml index 581d6be3294..847ba2462b0 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-peernode/templates/servicemonitor.yaml @@ -4,11 +4,15 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - app: {{ $.Values.peer.name }} + app: {{ .Release.Name }} + app.kubernetes.io/name: {{ $.Values.orderer.name }} + app.kubernetes.io/component: fabric + app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: {{ $.Values.peer.name }} - namespace: {{ $.Values.metadata.namespace }} + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} spec: jobLabel: {{ .Release.Name }} endpoints: @@ -16,10 +20,10 @@ spec: port: operations namespaceSelector: matchNames: - - {{ $.Values.metadata.namespace }} + - {{ .Release.Namespace }} selector: matchLabels: app.kubernetes.io/instance: {{ .Release.Name }} - run: {{ $.Values.peer.name }} + run: {{ .Release.Name }} {{- end }} {{- end }} diff --git a/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml b/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml index 556ccdff3fe..25a3fb3bc29 100644 --- a/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml 
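Review bot: The `{{ .Release.Name }}-ops` Ingress publishes the peer operations endpoint (container port 9443) at `<release>-ops.<namespace>.<externalUrlSuffix>` whenever `global.proxy.provider` is `haproxy`, without the `ssl-passthrough` annotation the first Ingress uses; whether that endpoint is protected depends on the operations TLS and client-auth settings in the configmap, which are not in this diff. If client certificates are not required there, the operations API (metrics, health and the writable log-spec endpoint) becomes reachable from outside the cluster, so either gate this Ingress behind `service.ports.metrics.enabled` (already present in values.yaml) or document that operations TLS with client authentication must be enabled when the ops host is exposed. On the `networking.k8s.io/v1` objects, `kubernetes.io/ingress.class` is deprecated in favour of `spec.ingressClassName: haproxy`.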
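Review bot: In the servicemonitor.yaml hunk, the new labels `app.kubernetes.io/name: {{ $.Values.orderer.name }}` and `app.kubernetes.io/part-of: {{ include "fabric-orderernode.fullname" . }}` look copied from the orderer chart: the peernode values.yaml in this commit defines no top-level `orderer` key, and unless the peernode `_helpers.tpl` (not in view) defines `fabric-orderernode.fullname`, rendering with metrics enabled fails on a nil value or an undefined template. Replace them with `app.kubernetes.io/name: {{ .Release.Name }}` and `app.kubernetes.io/part-of: {{ include "fabric-peernode.fullname" . }}`, matching service.yaml. Separately, the selector still requires `app.kubernetes.io/instance: {{ .Release.Name }}`, but the same commit removes that label from the Service in service.yaml, so the monitor would select nothing; use `app.kubernetes.io/release: {{ .Release.Name }}` (which the Service now sets) next to `run`. Because `service.ports.metrics.enabled` defaults to false, none of this is exercised by a default install.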
+++ b/platforms/hyperledger-fabric/charts/fabric-peernode/values.yaml 
@@ -4,175 +4,169 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: org1-net - namespace: org1-net - images: - #Provide the valid image name and version for fabric couchdb - #Eg. couchdb: hyperledger/fabric-couchdb:0.4.14 - couchdb: ghcr.io/hyperledger/bevel-fabric-couchdb:2.2.2 - #Provide the valid image name and version for fabric peer - #Eg. hyperledger/fabric-peer:2.2.2 - peer: ghcr.io/hyperledger/bevel-fabric-peer:2.2.2 - #Provide the valid image name and version to read certificates from vault server - #Eg. alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - alpineutils: ghcr.io/hyperledger/bevel-alpine:latest - #Provide the custom labels - #NOTE: Provide labels other than name, release name , release service, chart version , chart name, run - #These lables will not be applied to VolumeClaimTemplate of StatefulSet as labels are automatically picked up by Kubernetes - #Eg. labels: - # role: peer - labels: -annotations: - #Extra annotations - service: {} - pvc: {} - deployment: {} +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + vault: + #Provide the type of vault + #Eg. type: hashicorp + type: hashicorp + #Provide the vaultrole for an organization + #Eg. vaultrole: org1-vault-role + role: vault-role + #Provide the vault server address + #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com + address: + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/supplychain" + #Provide the imagesecretname for vault + #Eg. imagesecretname: regcred + imageSecretName: "" + #Kuberenetes secret for vault ca.cert + #Enable or disable TLS for vault communication if value present or not + #Eg. 
tls: vaultca + tls: + + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + + proxy: + #This will be the proxy/ingress provider. Can have values "none" or "haproxy" + #Eg. provider: "haproxy" + provider: "none" + #This field contains the external URL of the organization + #Eg. externalUrlSuffix: test.blockchaincloudpoc.com + externalUrlSuffix: test.blockchaincloudpoc.com + #This field contains the external port on haproxy + #Eg. port: 443 + port: 443 + +cli: + #Creates a peer cli pod depending upon the (enabled/disabled) tag. + enabled: true + #Provide the address for orderer + #Eg. address: orderer1.test.blockchaincloudpoc.com:443 + address: orderer1.test.blockchaincloudpoc.com:443 + # HLF Network Version + network: + version: 2.5.4 + peer: + #Provide the localMspId for organization + #Eg. localMspId: supplychainMSP + localMspId: supplychainMSP + #Provide the value for tlsStatus to be true or false for organization's peer + #Eg. tlsStatus: true + tlsStatus: true + #Provide the address for the peer + #Eg: address: peer0.org1-net:7051 + address: test.blockchaincloudpoc.com:443 + +image: + #Provide the valid image name and version for fabric couchdb + #Eg. couchdb: hyperledger/fabric-couchdb:0.4.14 + couchdb: ghcr.io/hyperledger/bevel-fabric-couchdb + #Provide the valid image name and version for fabric peer + #Eg. hyperledger/fabric-peer:2.2.2 + peer: ghcr.io/hyperledger/bevel-fabric-peer + #Provide the valid image name and version to read certificates from vault server + #Eg. alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + alpineUtils: ghcr.io/hyperledger/bevel-alpine:latest + #Provide the valid image name and version for fabric tools + #Eg. fabrictools: hyperledger/fabric-tools:1.4.0 + fabricTools: ghcr.io/hyperledger/bevel-fabric-tools + +labels: + service: [] + pvc: [] + deployment: [] + peer: - #Provide the name of the peer as per deployment yaml. - #Eg. 
name: peer0 - name: peer0 #Provide the url of gossipping peer and port to be mentioned is grpc cluster IP port - #Eg. gossippeeraddress: peer1.org1-net.svc.cluster.local:7051 - gossippeeraddress: peer1.org1-net.svc.cluster.local:7051 + #Eg. gossipPeerAddress: supplychain.svc.cluster.local:443 + gossipPeerAddress: supplychain.svc.cluster.local:443 #Provide the url of gossip external endpoint and port to be mentioned is haproxy https service port - #Eg. gossipexternalendpoint: peer1-ext.org1-net:443 - gossipexternalendpoint: peer0.org1-net.org1proxy.blockchaincloudpoc.com:443 - #Provide the localmspid for organization - #Eg. localmspid: Org1MSP - localmspid: Org1MSP - #Provide the loglevel for organization's peer - #Eg. loglevel: info - loglevel: info - #Provide the value for tlsstatus to be true or false for organization's peer - #Eg. tlsstatus: true - tlsstatus: true + #Eg. gossipExternalEndpoint: supplychain:443 + gossipExternalEndpoint: supplychain.test.blockchaincloudpoc.com:443 + #Provide the logLevel for organization's peer + #Eg. logLevel: info + logLevel: info #Provide a valid chaincode builder image for Fabric #Eg. builder: hyperledger/fabric-ccenv:1.4.8 - builder: hyperledger/fabric-ccenv:2.2.2 + builder: hyperledger/fabric-ccenv couchdb: #Provide the username for couchdb login #If couchdb username is provided, it is mandatory to provide password for the same - #Eg. username: org1-user - username: org1-user - configpath: - core: - mspconfig: + #Eg. 
username: supplychain-user + username: supplychain-user + + mspConfig: #Provide the members of the MSP in organizational unit identifiers - #Eg.organizationalunitidentifiers: + #Eg.organizationalUnitIdentifiers: # - client # - peer # following for 2.2.x # - admin # - orderer - organizationalunitidentifiers: + organizationalUnitIdentifiers: nodeOUs: - clientOUidentifier: + clientOUIdentifier: #Provide OU which will be used to identify node as client - #Eg.organizationalunitidentifier: client - organizationalunitidentifier: client - peerOUidentifier: + #Eg.organizationalUnitIdentifier: client + organizationalUnitIdentifier: client + peerOUIdentifier: #Provide OU which will be used to identify node as peer - #Eg.organizationalunitidentifier: peer - organizationalunitidentifier: peer + #Eg.organizationalUnitIdentifier: peer + organizationalUnitIdentifier: peer # following for 2.2.x - adminOUidentifier: - organizationalunitidentifier: admin - ordererOUidentifier: - organizationalunitidentifier: orderer + adminOUIdentifier: + organizationalUnitIdentifier: admin + ordererOUIdentifier: + organizationalUnitIdentifier: orderer storage: peer: - #Provide the storageclassname for peer - #Eg. storageclassname: aws-storage - storageclassname: aws-storageclass - #Provide the storagesize for storage class - #Eg. storagesize: 512Mi - storagesize: 512Mi + #Provide the size for storage class + #Eg. size: 512Mi + size: 512Mi couchdb: - #Provide the storageclassname for couchdb - #Eg. storageclassname: aws-storage - storageclassname: aws-storageclass - #Provide the storagesize for storage class - #Eg. storagesize: 512Mi - storagesize: 512Mi - - - -vault: - #Provide the vaultrole for an organization - #Eg. vaultrole: org1-vault-role - role: vault-role - #Provide the vault server address - #Eg. vaultaddress: http://Vault-884963190.eu-west-1.elb.amazonaws.com - address: - #Provide the kubernetes auth backed configured in vault for an organization - #Eg. 
authpath: devorg1-net-auth - authpath: devorg1-net-auth - #Provide the value for vault secretprefix - #Eg. secretprefix: secretsv2/data/crypto/peerOrganizations/.../peers/... - secretprefix: secretsv2/data/crypto/peerOrganizations/org1-net/peers/peer0.org1-net - #Provide the serviceaccountname for vault - #Eg. serviceaccountname: vault-auth - serviceaccountname: vault-auth - #Provide the type of vault - #Eg. type: hashicorp - type: hashicorp - #Provide the imagesecretname for vault - #Eg. imagesecretname: regcred - imagesecretname: "" - #Provide the vault path for secret couchdb password - #Eg. secretcouchdbpass: secretsv2/data/credentials/org1-net/couchdb/org1?user - secretcouchdbpass: secretsv2/data/credentials/org1-net/couchdb/org1?user - #Kuberenetes secret for vault ca.cert - #Enable or disable TLS for vault communication if value present or not - #Eg. tls: vaultca - tls: - + #Provide the size for storage class + #Eg. size: 512Mi + size: 512Mi service: - #Provide the servicetype for a peer - #Eg. servicetype: NodePort - servicetype: ClusterIP + #Provide the serviceType for a peer + #Eg. serviceType: NodePort + serviceType: ClusterIP loadBalancerType: "" ports: grpc: - #Provide a nodeport for grpc service in the range of 30000-32767 (optional) - #Eg. nodeport: 30001 - nodeport: + #Provide a nodePort for grpc service in the range of 30000-32767 (optional) + #Eg. nodePort: 30001 + nodePort: #Provide a cluster IP port for grpc service to be exposed - #Eg. clusteripport: 7051 - clusteripport: 7051 + #Eg. clusterIpPort: 7051 + clusterIpPort: 7051 events: - #Provide a nodeport for event service in the range of 30000-32767 (optional) - #Eg. nodeport: 30002 - nodeport: + #Provide a nodePort for event service in the range of 30000-32767 (optional) + #Eg. nodePort: 30002 + nodePort: #Provide a cluster IP port for event service to be exposed - #Eg. clusteripport: 7053 - clusteripport: 7053 + #Eg. 
clusterIpPort: 7053 + clusterIpPort: 7053 couchdb: - #Provide a nodeport for couchdb service in the range of 30000-32767 (optional) - #Eg. nodeport: 30003 - nodeport: + #Provide a nodePort for couchdb service in the range of 30000-32767 (optional) + #Eg. nodePort: 30003 + nodePort: #Provide a cluster IP port for couchdb service to be exposed - #Eg. clusteripport: 5984 - clusteripport: 5984 + #Eg. clusterIpPort: 5984 + clusterIpPort: 5984 metrics: enabled: false - clusteripport: 9443 + clusterIpPort: 9443 -proxy: - #This will be the proxy/ingress provider. Can have values "none" or "haproxy" - #Eg. provider: "haproxy" - provider: "none" - #This field contains the external URL of the organization - #Eg. external_url_suffix: org1.blockchaincloudpoc.com - external_url_suffix: org1proxy.blockchaincloudpoc.com - #This field contains the external port on haproxy - #Eg. port: 443 - port: 443 - config: # Set limits and requests of pod pod: diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml new file mode 100644 index 00000000000..1ae68be2791 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/ca-server.yaml 
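Review bot: The new `global.vault` block (type, role, address, secretEngine, secretPrefix, imageSecretName, tls) has no `authPath`, yet node-statefulset.yaml reads `$.Values.global.vault.authPath` into `KUBERNETES_AUTH_PATH`, so a hashicorp deployment that does not override it gets an empty auth path and the init container's Vault login cannot succeed; add the documented default, e.g. `#Provide the kubernetes auth backend path configured in vault for this organization`, `#Eg. authPath: supplychain`, `authPath:`. The default `builder: hyperledger/fabric-ccenv` carries no tag (the example above it and the sample values file use `...:2.5.4`), which resolves to `latest` and can diverge from `cli.network.version`; either default it to a tag or note that it must match the network version. The couchdb comment says a password is mandatory when `username` is set but not where it comes from: the statefulset reads it from the Vault path `<secretEngine>/<secretPrefix>/couchdb` (key `user`) or from a Kubernetes Secret named `couchdb`, and likewise expects `<release>-tls` and `<release>-msp` secrets, so listing those required secrets next to the `vault` and `couchdb` keys would save a failed first install. Lastly, the `cli.peer.address` comment shows `peer0.org1-net:7051` while the default is `test.blockchaincloudpoc.com:443`.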
@@ -0,0 +1,42 @@ +#helm install supplychain-ca -f values/noproxy-and-novault/ordererOrganization/ca-server.yaml -n supplychain-net fabric-ca-server +global: + serviceAccountName: vault-auth + vault: + type: kubernetes + + cluster: + provider: azure + cloudNativeServices: false + kubernetesUrl: https://kubernetes.url + + proxy: + provider: none + externalUrlSuffix: supplychain-net + +cacerts: + ca: + orgName: supplychain + subject: /C=GB/ST=London/L=London/O=Orderer + +catools: + orgData: + orgName: supplychain + type: orderer + componentSubject: O=Orderer,L=51.50/-0.13/London,C=GB + certSubject: O=Orderer/L=51.50,-0.13,London/C=GB + componentCountry: UK + componentState: London + componentLocation: London + + orderers: + - orderer1 + - orderer2 + - orderer3 + +server: + tlsStatus: true + admin: supplychain-admin + +settings: + removeOrdererTlsOnDelete: true + removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml new file mode 100644 index 00000000000..a8a77ccd41f --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/ordererOrganization/orderer.yaml @@ -0,0 +1,23 @@ +global: + serviceAccountName: vault-auth + vault: + type: kubernetes + + cluster: + provider: azure + cloudNativeServices: false + + proxy: + provider: none + externalUrlSuffix: supplychain-net + +network: + version: 2.5.4 + +orderer: + logLevel: info + localMspId: supplychainMSP + tlsstatus: true + +consensus: + name: raft diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml new file mode 100644 index 00000000000..0c5ac680986 --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/ca-server.yaml 
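Review bot: `componentCountry: UK` disagrees with `C=GB` in `subject`, `componentSubject` and `certSubject` of the same file, and with the peer example in values/noproxy-and-novault/peerOrganization/ca-server.yaml, which uses `GB`; `UK` is not an ISO 3166-1 alpha-2 code, so if the catools chart feeds this value into a CSR or CA profile (its template is not in this hunk) the resulting subject will be inconsistent with the CA's own, or rejected. Change it to `componentCountry: GB`; the same value appears in values/proxy-and-vault/ordererOrganization/ca-server.yaml later in this diff and should be fixed there as well.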
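Review bot: `tlsstatus: true` under `orderer:` keeps the old lowercase spelling while every other key in this commit was renamed to camelCase (`server.tlsStatus`, `cli.peer.tlsStatus`); if the updated fabric-orderernode template reads `orderer.tlsStatus` (that chart's values.yaml is not in view), this key is silently ignored and the chart default decides whether the orderer runs with TLS. Change it to `tlsStatus: true`, and since a typo in a TLS toggle fails quietly, consider adding a values.schema.json to the chart so unknown keys are rejected at install time.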
@@ -0,0 +1,60 @@ +#helm install carrier-ca -f values/noproxy-and-novault/peerOrganization/ca-server.yaml -n carrier-net fabric-ca-server +global: + serviceAccountName: vault-auth + vault: + type: kubernetes + + cluster: + provider: azure + cloudNativeServices: false + kubernetesUrl: https://kubernetes.url + + proxy: + provider: none + externalUrlSuffix: carrier-net + +cacerts: + ca: + orgName: carrier + subject: /C=GB/ST=London/L=London/O=Carrier + +catools: + orgData: + orgName: carrier + type: peer + componentSubject: O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB + certSubject: O=Carrier/OU=Carrier/L=51.50,-0.13,London/C=GB + componentCountry: GB + componentState: London + componentLocation: London + + peers: + - peer0 + + users: + usersList: + - user: + identity: user1 + attributes: + - key: "hf.Revoker" + value: "true" + - user: + identity: user2 + attributes: + - key: "hf.Revoker" + value: "true" + usersIdentities: + - user1 + - user2 + + checks: + refreshCertValue: false + addPeerValue: false + +server: + tlsStatus: true + admin: carrier-admin + +settings: + removeOrdererTlsOnDelete: true + removeCertsOnDelete: true diff --git a/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml new file mode 100644 index 00000000000..b0e3f6f4b3c --- /dev/null +++ b/platforms/hyperledger-fabric/charts/values/noproxy-and-novault/peerOrganization/peer.yaml 
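Review bot: Both sample users in `users.usersList` are registered with `hf.Revoker: "true"`, which in Fabric CA lets an identity revoke other identities within its affiliation; a quick-start values file that grants every example user revocation rights sets a poor least-privilege default and is likely to be copied verbatim. Unless the example depends on it, drop the `attributes` blocks, or keep the attribute on a single clearly named user with a comment such as `# hf.Revoker lets this identity revoke certificates in its affiliation; grant sparingly`. `settings.removeCertsOnDelete: true` also deserves a one-line comment on what is deleted at uninstall time, since by its name it appears to remove the organisation's CA material (the behaviour lives in the ca-server templates, not in this hunk).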
@@ -0,0 +1,34 @@
+#helm install pee0 -f values/noproxy-and-novault/peerOrganization/peer.yaml -n carrier-net fabric-orderernode
+global:
+ serviceAccountName: vault-auth
+ vault:
+ type: kubernetes
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+
+ proxy:
+ provider: "none"
+ externalUrlSuffix: carrier-net
+
+cli:
+ enabled: true
+ orderer:
+ address: orderer1.supplychain-net:7050
+ network:
+ version: 2.5.4
+ peer:
+ localMspId: carrierMSP
+ tlsStatus: true
+ address: carrier-net:7051
+
+upgrade: False
+
+peer:
+ gossipPeerAddress: carrier-net:7051
+ gossipExternalEndpoint: carrier-net:7051
+ logLevel: info
+ builder: hyperledger/fabric-ccenv:2.5.4
+ couchdb:
+ username: carrier-user
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml
new file mode 100644
index 00000000000..e15a1bc0ec9
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/ca-server.yaml
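Review bot: The usage comment on the first line installs a peer values file with the orderer chart (`fabric-orderernode`) under the misspelled release name `pee0`; anyone following it gets an orderer deployment fed with `peer:` values. It should read `#helm install peer0 -f values/noproxy-and-novault/peerOrganization/peer.yaml -n carrier-net fabric-peernode`. The proxy-and-vault peerOrganization/peer.yaml hunk below has the same chart name and additionally points `-f` at `ordererOrganization/orderer.yaml` instead of its own file.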
@@ -0,0 +1,48 @@
+#helm install supplychain-ca -f values/proxy-and-vault/ordererOrganization/ca-server.yaml -n supplychain-net fabric-ca-server
+global:
+ serviceAccountName: vault-auth
+ vault:
+ type: hashicorp
+ address: http://vault.demo.com:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ imageSecretName: regcred
+ tls: false
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ kubernetesUrl: https://kubernetes.url
+
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+cacerts:
+ ca:
+ orgName: supplychain
+ subject: /C=GB/ST=London/L=London/O=Orderer
+
+catools:
+ orgData:
+ orgName: supplychain
+ type: orderer
+ componentSubject: O=Orderer,L=51.50/-0.13/London,C=GB
+ certSubject: O=Orderer/L=51.50,-0.13,London/C=GB
+ componentCountry: UK
+ componentState: London
+ componentLocation: London
+
+ orderers:
+ - orderer1
+ - orderer2
+ - orderer3
+
+server:
+ tlsStatus: true
+ admin: supplychain-admin
+
+settings:
+ removeOrdererTlsOnDelete: true
+ removeCertsOnDelete: true
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml
new file mode 100644
index 00000000000..b65a4a0697a
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/ordererOrganization/orderer.yaml
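Review bot: The `global.vault` block points at a plain-HTTP Vault (`address: http://vault.demo.com:8200`) and sets `tls: false`, so the CA root key and certificates this chart stores in and reads from Vault would cross the network unencrypted; since these are the reference values for the "proxy-and-vault" flavour, they will be copied as-is. Please ship the sample with an `https://` address and `tls: true`, or at least annotate it: `# sample only - use an https Vault address and tls: true for any non-local deployment`. The same plain-HTTP address is used in the three proxy-and-vault hunks that follow (orderer.yaml, peerOrganization/ca-server.yaml, peerOrganization/peer.yaml).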
@@ -0,0 +1,30 @@
+#helm install orderer1 -f values/proxy-and-vault/ordererOrganization/orderer.yaml -n supplychain-net fabric-orderernode
+global:
+ serviceAccountName: vault-auth
+ vault:
+ type: hashicorp
+ address: http://vault.demo.com:8200
+ authPath: supplychain
+ secretEngine: secretsv2
+ secretPrefix: "data/supplychain"
+ imageSecretName: regcred
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+network:
+ version: 2.5.4
+
+orderer:
+ logLevel: info
+ localMspId: supplychainMSP
+ tlsstatus: true
+ ordererAddress: orderer1.test.yourdomain.com:443
+
+consensus:
+ name: raft
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml
new file mode 100644
index 00000000000..3467035e0cb
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/ca-server.yaml
@@ -0,0 +1,66 @@
+#helm install carrier-ca -f values/proxy-and-vault/peerOrganization/ca-server.yaml -n carrier-net fabric-ca-server
+global:
+ serviceAccountName: vault-auth
+ vault:
+ type: hashicorp
+ address: http://vault.demo.com:8200
+ authPath: carrier
+ secretEngine: secretsv2
+ secretPrefix: "data/carrier"
+ imageSecretName: regcred
+ tls: false
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+ kubernetesUrl: https://kubernetes.url
+
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+cacerts:
+ ca:
+ orgName: carrier
+ subject: /C=GB/ST=London/L=London/O=Carrier
+
+catools:
+ orgData:
+ orgName: carrier
+ type: peer
+ componentSubject: O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB
+ certSubject: O=Carrier/OU=Carrier/L=51.50,-0.13,London/C=GB
+ componentCountry: GB
+ componentState: London
+ componentLocation: London
+
+ peers:
+ - peer0
+
+ users:
+ usersList:
+ - user:
+ identity: user1
+ attributes:
+ - key: "hf.Revoker"
+ value: "true"
+ - user:
+ identity: user2
+ attributes:
+ - key: "hf.Revoker"
+ value: "true"
+ usersIdentities:
+ - user1
+ - user2
+
+ checks:
+ refreshCertValue: false
+ addPeerValue: false
+
+server:
+ tlsStatus: true
+ admin: carrier-admin
+
+settings:
+ removeOrdererTlsOnDelete: true
+ removeCertsOnDelete: true
diff --git a/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml
new file mode 100644
index 00000000000..3e202f5bae0
--- /dev/null
+++ b/platforms/hyperledger-fabric/charts/values/proxy-and-vault/peerOrganization/peer.yaml
@@ -0,0 +1,39 @@
+#helm install pee0 -f values/proxy-and-vault/peerOrganization/orderer.yaml -n carrier-net fabric-orderernode
+global:
+ serviceAccountName: vault-auth
+ vault:
+ type: hashicorp
+ network: fabric
+ address: http://vault.demo.com:8200
+ authPath: carrier
+ secretEngine: secretsv2
+ secretPrefix: "data/carrier"
+
+ cluster:
+ provider: azure
+ cloudNativeServices: false
+
+ proxy:
+ provider: haproxy
+ externalUrlSuffix: test.yourdomain.com
+
+cli:
+ enabled: true
+ orderer:
+ address: orderer1.test.yourdomain.com:443
+ network:
+ version: 2.5.4
+ peer:
+ localMspId: carrierMSP
+ tlsStatus: true
+ address: carrier-net.test.yourdomain.com:443
+
+upgrade: False
+
+peer:
+ gossipPeerAddress: carrier-net.test.yourdomain.com:443
+ gossipExternalEndpoint: carrier-net.test.yourdomain.com:443
+ logLevel: info
+ builder: hyperledger/fabric-ccenv:2.5.4
+ couchdb:
+ username: carrier-user
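Review bot: `network: fabric` under `global.vault` appears only in this values file; none of the other proxy-and-vault files in this commit (ordererOrganization/ca-server.yaml, orderer.yaml, peerOrganization/ca-server.yaml) set it. I cannot see the chart templates from here, so either the key is unread here and should be removed as dead configuration, or the peer chart needs it and the other files are silently missing a required value; please confirm which and make the four files consistent. This file also omits the `tls:` and `imageSecretName:` keys that the sibling files carry under `global.vault`, which makes the sample harder to diff against them.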