Skip to content

Commit

Permalink
feat(besu): replace ansible roles readme with inline code comments
Browse files Browse the repository at this point in the history 
This PR enhances the readability and understanding of our roles by adding comment messages throughout the code.

Changes:
- Added clear and concise comment messages in ansible roles.
- Maintained proper code indentation for increased code reliability.
- Removed the roles' Readme.md if it existed.

Additional changes:
- Added comments to all the Besu Helm chart's bash code.
- Deleted the entire storageclass role along with its tpl as we have already migrated it to the shared platform.

fixes #2326

Signed-off-by: saurabhkumarkardam <[email protected]>
  • Loading branch information
@saurabhkumarkardam
saurabhkumarkardam committed Oct 25, 2023
1 parent a8cd445 commit 1e12794
Show file tree
Hide file tree
Showing 59 changed files with 890 additions and 1,498 deletions.
151 changes: 118 additions & 33 deletions platforms/hyperledger-besu/charts/generate_ambassador_certs/templates/job.yaml
View file

Large diffs are not rendered by default.

47 changes: 43 additions & 4 deletions platforms/hyperledger-besu/charts/node_besu/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,37 +108,50 @@ spec:
args:
- |-
#!/usr/bin/env sh
# Source the bevel-vault.sh script to perform the Vault-CURD operations
. /scripts/bevel-vault.sh
# Get the Vault token
echo "Getting the vault Token..."
vaultBevelFunc 'init'
mkdir -p ${MOUNT_PATH}
# Obtain node's private key from Vault
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.keyname }}"
vaultBevelFunc 'readJson' ${vault_secret_key}
node_private_key=$(echo ${VAULT_SECRET} | jq -r '.["key"]')
# Save the node's private key to a file
echo "${node_private_key}" > ${MOUNT_PATH}/node_private_key
# Check if transaction manager (TM) functionality is enabled
if [ {{ $.Values.privacy.tm_flag }} == "true" ]
then
# Obtain the TM's public key from Vault
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tmdir }}"
echo "Getting transaction manager public key from $vault_secret_key"
vaultBevelFunc 'readJson' ${vault_secret_key}
tm_key_pub=$(echo ${VAULT_SECRET} | jq -r '.["publicKey"]')
# Save the TM's public key to a file
echo "${tm_key_pub}" > ${MOUNT_PATH}/tm_key_pub
fi
# Check if TM TLS (Transport Layer Security) is enabled
if [ {{ $.Values.tm.tls }} == "true" ]
then
# Obtain TM TLS data from Vault
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tlsdir }}"
echo "Getting tls knownServer, keystore and keystore password from $vault_secret_key"
vaultBevelFunc 'readJson' ${vault_secret_key}
# Extract TM TLS data from the Vault response
tm_known_server=$(echo ${VAULT_SECRET} | jq -r '.["knownServer"]'| base64 -d)
keystore_b64=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]')
keystore=$(echo ${keystore_b64} | sed 's/ //g' ) # removing white spaces from keystore because sometimes while fetching b64 string, '+' is replaced with white spaces.
keystore_password=$(echo ${VAULT_SECRET} | jq -r '.["password"]' | base64 -d)
# Save the TM TLS data to respective files
echo "${tm_known_server}" > ${MOUNT_PATH}/known_server
echo "${keystore}" > ${MOUNT_PATH}/keystore
base64 -d ${MOUNT_PATH}/keystore > ${MOUNT_PATH}/keystore.pkcs12
Expand All @@ -157,18 +170,29 @@ spec:
args:
- |-
#!/usr/bin/env sh
# Check if liveliness check is enabled
{{- if .Values.liveliness_check.enabled }}
# Initialize a counter variable
COUNTER=1
# Use a loop to perform liveliness checks
while [ "$COUNTER" -lt {{ $.Values.healthcheck.readinessthreshold }} ]
do
# get truststore from vault to see if registration is done or not
# Get truststore from vault to see if registration is done or not
LOOKUP_SECRET_RESPONSE=$(curl -X GET {{ .Values.liveliness_check.url }}:{{ .Values.liveliness_check.port }}/liveness | jq -r 'if .errors then . else . end')
# Check if the response does not contain "UP" (indicating service is not ready)
if ! echo ${LOOKUP_SECRET_RESPONSE} | grep -E "UP"
then
# Sleep for the specified readiness check interval before the next check
sleep {{ $.Values.healthcheck.readinesscheckinterval }}
else
# Break the loop if the service is ready (contains "UP")
break
fi
fi
# Increment the counter
COUNTER=`expr "$COUNTER" + 1`
done
{{- end }}
Expand All @@ -183,33 +207,48 @@ spec:
- /bin/sh
- -c
args:
- |
- |
# Set the static-nodes.json file content with the JSON representation of static nodes
echo -n {{ .Values.staticnodes | toJson | quote }} > {{ .Values.node.mountPath }}/static-nodes.json
# Create a temporary directory for the genesis file
mkdir -p /tmp/genesis;
# Decode and save the base64-encoded genesis file to the temporary directory
cat /etc/genesis/genesis.json.base64 | base64 -d > /tmp/genesis/genesis.json
# Remove any newline and carriage return characters from the tm_key_pub file and save it as tm_key.pub
tr -d "\n\r" < /secrets/tm_key_pub > /secrets/tm_key.pub
# Check the consensus mechanism and set arguments accordingly
if [ "$CONSENSUS" = "qbft" ]; then
args="--rpc-http-enabled --rpc-http-api=ETH,NET,QBFT,DEBUG,ADMIN,WEB3,EEA,PRIV --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}"
else
args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3,EEA,PRIV --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}"
fi
# Check if privacy (TM TLS) is enabled and set arguments accordingly
if {{ $.Values.tm.tls }} == "true"
then
tls_args="--privacy-tls-enabled --privacy-tls-keystore-file=/secrets/keystore.pkcs12 --privacy-tls-keystore-password-file=/secrets/keystore_password --privacy-tls-known-enclave-file=/secrets/known_server --privacy-url={{ .Values.tm.url }}"
else
tls_args="--privacy-url={{ .Values.tm.url }}"
fi
# Check if metrics are enabled and set metrics-related arguments
if {{ $.Values.metrics.enabled }} == "true"
then
metrics_args="--metrics-enabled --metrics-port={{ template "metrics_port" . }} --metrics-host=0.0.0.0"
fi
# Check if onchain-permissioning is enabled and set permissioning-related arguments
if {{ $.Values.node.permissioning.enabled }} == "true"
then
permissioning_args="--permissions-accounts-contract-enabled --permissions-accounts-contract-address=0x0000000000000000000000000000000000008888 --permissions-nodes-contract-enabled --permissions-nodes-contract-address=0x0000000000000000000000000000000000009999 --permissions-nodes-contract-version=2"
args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3,EEA,PRIV,PERM --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}"
fi
# Execute the Besu node with the specified arguments and configuration
exec /opt/besu/bin/besu \
--identity={{ .Values.node.name }} \
--discovery-enabled=false \
Expand Down
201 changes: 126 additions & 75 deletions platforms/hyperledger-besu/charts/node_key_mgmt/templates/job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,31 +74,44 @@ spec:
args:
- |-
#!/usr/bin/env sh
# Source the bevel-vault.sh script to perform the Vault-CURD operations
. /scripts/bevel-vault.sh
# Get the Vault token
echo "Getting the vault Token..."
vaultBevelFunc 'init'
# Define the path for node crypto data
CRYPTO_PATH=/crypto
# Iterate through each peer and validator nodes in the organization
{{- range .Values.organisation.nodes }}
mkdir ${CRYPTO_PATH}/{{ .name }}
VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}"
# Check for node crypto ..
vaultBevelFunc 'readJson' ${vault_secret_key}
NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]')
for field in "$NODE_KEY"
do
if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ]
then
echo "data absent in ${VAULT_PATH_NODE_CRYPTO}"
touch ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent
else
echo "data present in ${VAULT_PATH_NODE_CRYPTO}"
fi
done
mkdir ${CRYPTO_PATH}/{{ .name }}
# Obtain node's crypto data from the Vault for the specific node
VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}"
vaultBevelFunc 'readJson' ${vault_secret_key}
# Extract the key field from the Vault response
NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]')
# Check if the NODE_KEY field is null, contains a parse error, or is empty
for field in "$NODE_KEY"
do
if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ]
then
echo "Node crypto data is absent at vault path: ${VAULT_PATH_NODE_CRYPTO}"
# Create a marker file to indicate the absence of node crypto data
touch ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent
else
echo "Node crypto data is present at vault path: ${VAULT_PATH_NODE_CRYPTO}"
fi
done
{{- end }}
echo "Done checking for crypto in vault"
volumeMounts:
- name: node-crypto
Expand All @@ -117,22 +130,33 @@ spec:
args:
- |-
echo "Generating keypair and nodeAddress.."
# Define the path for crypto data
CRYPTO_PATH=/crypto
# Iterate through each peer and validator node in the organization
{{- range .Values.organisation.nodes }}
# Check if a marker file indicates the absence of node crypto data for {{ .name }}
if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ]
then
# Create a directory to store the generated keypair and nodeAddress for {{ .name }}
mkdir ${CRYPTO_PATH}/{{ .name }}/data
echo "Generating keypair and nodeAddress for {{ .name }}.."
echo "Generating keypair and nodeAddress for {{ .name }}..."
# Use Besu to export the nodeAddress and key.pub to the specified directory
besu --data-path ${CRYPTO_PATH}/{{ .name }}/data public-key export-address --to ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress
besu --data-path ${CRYPTO_PATH}/{{ .name }}/data public-key export --to ${CRYPTO_PATH}/{{ .name }}/data/key.pub
else
echo "keypair and nodeAddress for {{ .name }} already present in vault.."
echo "keypair and nodeAddress for {{ .name }} are already present in the vault."
fi
{{- end }}
# Create a marker file to indicate the completion of keypair and nodeAddress generation
touch ${CRYPTO_PATH}/generate_node_keys_complete
volumeMounts:
- name: node-crypto
mountPath: /crypto
- name: node-crypto
mountPath: /crypto
- name: "store-node-keys"
image: "{{ $.Values.image.alpineutils }}"
imagePullPolicy: IfNotPresent
Expand All @@ -153,77 +177,104 @@ spec:
args:
- |-
#!/usr/bin/env sh
# Source the bevel-vault.sh script to perform the Vault-CURD operations
. /scripts/bevel-vault.sh
echo "Work on mount path.."
cd ${MOUNT_PATH}
# Get the Vault token
echo "Getting Vault Token..."
vaultBevelFunc 'init'
# Wait for the generation of node keys to complete
while ! [ -f ${MOUNT_PATH}/generate_node_keys_complete ]
do
echo 'Waiting for node keys..'
echo 'Waiting for the generation of node keys...'
sleep 2s
done
CRYPTO_PATH=${MOUNT_PATH}
# Iterate through each peer and validator node in the organization
{{- range .Values.organisation.nodes }}
COUNTER=1
while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ]
do
if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ]
then
NODE_ADDRESS=$(cat ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress)
NODE_KEY=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key)
NODE_KEY_PUB=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key.pub)
# create the payload for node crypto
echo "
{
\"data\":
{
\"nodeAddress\": \"${NODE_ADDRESS}\",
\"key\": \"${NODE_KEY}\",
\"key_pub\": \"${NODE_KEY_PUB}\"
}
}" > payload.json
# create the vault path for node cryto
VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}"
# This command copy the tls certificates to the Vault
vaultBevelFunc 'write' "${vault_secret_key}" 'payload.json'
# Check for node crypto ..
vaultBevelFunc 'readJson' ${vault_secret_key}
NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]')
for field in "$NODE_KEY"
do
if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ]
# Initialize a counter variable
COUNTER=1
# Perform retries for health checks
while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ]
do
# Check the presence of specified file
if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ]
then
# Read the nodeAddress, key, and key.pub from the generated data
NODE_ADDRESS=$(cat ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress)
NODE_KEY=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key)
NODE_KEY_PUB=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key.pub)
# create a JSON file for the data related to node crypto
echo "
{
\"data\":
{
\"nodeAddress\": \"${NODE_ADDRESS}\",
\"key\": \"${NODE_KEY}\",
\"key_pub\": \"${NODE_KEY_PUB}\"
}
}" > payload.json
# create the vault path for node crypto
VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}"
# Copy the node crypto data to the Vault
vaultBevelFunc 'write' "${vault_secret_key}" 'payload.json'
# Check for the presence of node crypto in the Vault
vaultBevelFunc 'readJson' ${vault_secret_key}
# Extract the key field from the Vault Response
NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]')
# Check if the NODE_KEY field is null, contains a parse error, or is empty
for field in "$NODE_KEY"
do
if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ]
then
NODE_CRYPTO_WRITTEN=false
break
else
NODE_CRYPTO_WRITTEN=true
fi
done
# Delete the same JSON file that we created to perform the write operation in the vault
rm payload.json
# Check if the node crypto data is successfully stored in the Vault
if [ "$NODE_CRYPTO_WRITTEN" = "true" ]
then
NODE_CRYPTO_WRITTEN=false
echo "Success: store crypto for {{ .name }}"
break
else
NODE_CRYPTO_WRITTEN=true
echo "Crypto materials are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }} - $COUNTER "
sleep {{ $.Values.healthcheck.sleepTimeAfterError }}
COUNTER=`expr "$COUNTER" + 1`
fi
done
rm payload.json
if [ "$NODE_CRYPTO_WRITTEN" = "true" ]
then
echo "Success: store crypto for {{ .name }}"
break
else
echo "Crypto materials are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }} - $COUNTER "
sleep {{ $.Values.healthcheck.sleepTimeAfterError }}
COUNTER=`expr "$COUNTER" + 1`
echo "Skipped: store cryto for {{ .name }}"
break
fi
else
echo "Skipped: store cryto for {{ .name }}"
break
done
# Check if the maximum number of retries has been reached
if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ]
then
# Error message and exit with a non-zero status
echo "Retry attempted `expr $COUNTER - 1` times, Crypto materials have not been saved."
exit 1
fi
done
if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ]
then
echo "Retry attempted `expr $COUNTER - 1` times, Crypto materials have not been saved."
exit 1
fi
{{- end }}
volumeMounts:
- name: node-crypto
Expand Down
Loading

0 comments on commit 1e12794

Please sign in to comment.