From 1e127946f0a4cbf189e0917f0ea6c87b1f460068 Mon Sep 17 00:00:00 2001 From: saurabhkumarkardam Date: Wed, 25 Oct 2023 08:24:33 +0000 Subject: [PATCH] feat(besu): replace ansible roles readme with inline code comments This PR enhances the readability and understanding of our roles by adding comment messages throughout the code. Changes: - Added clear and concise comment messages in ansible roles. - Maintained proper code indentation for increased code reliability. - Removed the roles' Readme.md if it existed. Additional changes: - Added comments to all the Besu Helm chart's bash code. - Deleted the entire storageclass role along with its tpl as we have already migrated it to the shared platform. fixes #2326 
Signed-off-by: saurabhkumarkardam --- .../templates/job.yaml | 151 +++++++-- .../node_besu/templates/deployment.yaml | 47 ++- .../charts/node_key_mgmt/templates/job.yaml | 201 +++++++----- .../node_tessera/templates/deployment.yaml | 128 +++++--- .../node_validator/templates/deployment.yaml | 50 ++- .../tessera_key_mgmt/templates/job.yaml | 74 ++--- .../hyperledger-besu/configuration/README.md | 61 ---- .../configuration/add-validator.yaml | 289 +++++++++--------- .../configuration/cleanup.yaml | 20 +- .../configuration/generate-crypto.yaml | 242 +++++++-------- .../create/certificates/ambassador/Readme.md | 62 ---- .../certificates/ambassador/tasks/main.yaml | 22 +- .../ambassador/tasks/nested_main.yaml | 20 +- .../create/crypto/key_generation/README.md | 12 - .../crypto/key_generation/tasks/main.yaml | 19 +- .../roles/create/crypto/node/tasks/main.yaml | 8 +- .../crypto/tessera/tasks/check_vault.yaml | 4 +- .../create/crypto/tessera/tasks/main.yaml | 9 +- .../create/genesis/tasks/check_vault.yaml | 3 +- .../genesis/tasks/generate_extraData.yaml | 8 +- .../roles/create/helm_component/Readme.md | 42 --- .../create/helm_component/tasks/main.yaml | 12 +- .../roles/create/k8_component/tasks/main.yaml | 7 +- .../k8_component/templates/storageclass.tpl | 29 -- .../roles/create/k8_component/vars/main.yaml | 4 - .../roles/create/k8s_secrets/Readme.md | 64 ---- .../roles/create/k8s_secrets/tasks/main.yaml | 21 +- .../roles/create/member_node/Readme.md | 216 ------------- .../member_node/tasks/add_new_peer.yaml | 4 +- .../create/member_node/tasks/enode_data.yaml | 2 +- .../roles/create/member_node/tasks/main.yaml | 12 +- .../member_node/tasks/nested_enode_data.yaml | 3 +- .../member_node/tasks/nested_nodelist.yaml | 4 +- .../create/member_node/tasks/nodelist.yaml | 2 +- .../roles/create/namespace/Readme.md | 73 ----- .../roles/create/namespace/tasks/main.yaml | 4 +- .../roles/create/storageclass/Readme.md | 51 ---- .../roles/create/storageclass/tasks/main.yaml | 5 +- 
.../roles/create/tessera/Readme.md | 103 ------- .../create/tessera/tasks/check_vault.yaml | 4 +- .../roles/create/tessera/tasks/main.yaml | 4 +- .../roles/create/validator/Readme.md | 93 ------ .../create/validator/tasks/enode_data.yaml | 2 +- .../validator/tasks/nested_enode_data.yaml | 2 +- .../validator_node/tasks/check_vault.yaml | 3 +- .../create/validator_node/tasks/main.yaml | 16 +- .../tasks/nested_enode_data.yaml | 4 +- .../validator_node/tasks/nested_nodelist.yaml | 4 +- .../tasks/nested_validator_vote.yaml | 9 +- .../create/validator_node/tasks/nodelist.yaml | 2 +- .../validator_node/tasks/validator_vote.yaml | 4 +- .../validator_node/tasks/value_files.yaml | 2 +- .../certificates/ambassador/tasks/main.yaml | 4 +- .../ambassador/tasks/nested_main.yaml | 1 + .../roles/delete/vault_secrets/Readme.md | 58 ---- .../delete/vault_secrets/tasks/main.yaml | 10 +- .../roles/setup/get_crypto/Readme.md | 41 --- .../roles/setup/get_crypto/tasks/main.yaml | 14 +- .../configuration/setup-cactus-connector.yaml | 23 +- 59 files changed, 890 insertions(+), 1498 deletions(-) delete mode 100644 platforms/hyperledger-besu/configuration/README.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/README.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/helm_component/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/k8_component/templates/storageclass.tpl delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/member_node/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/namespace/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/storageclass/Readme.md delete mode 100644 
platforms/hyperledger-besu/configuration/roles/create/tessera/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/create/validator/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/Readme.md delete mode 100644 platforms/hyperledger-besu/configuration/roles/setup/get_crypto/Readme.md diff --git a/platforms/hyperledger-besu/charts/generate_ambassador_certs/templates/job.yaml b/platforms/hyperledger-besu/charts/generate_ambassador_certs/templates/job.yaml index ad5e1d551492..7affd783c1b9 100644 --- a/platforms/hyperledger-besu/charts/generate_ambassador_certs/templates/job.yaml +++ b/platforms/hyperledger-besu/charts/generate_ambassador_certs/templates/job.yaml @@ -3,6 +3,7 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## + apiVersion: batch/v1 kind: Job metadata: 
@@ -77,43 +78,68 @@ spec: command: ["sh", "-c"] args: - |- + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh - echo "Getting the vault Token..." + + # Get the Vault token + echo "Getting vault Token..." vaultBevelFunc "init" + # Set the output path. OUTPUT_PATH=${MOUNT_PATH}/check_certs; mkdir -p ${OUTPUT_PATH} + + # Obtain the rootCA certificates from the Vault if exists vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_ROOTCA}" - echo "Checking certs in ${vault_secret_key}" - vaultBevelFunc "readJson" ${vault_secret_key} + echo "Checking certs in vault at path: ${vault_secret_key}" + vaultBevelFunc "readJson" ${vault_secret_key} + + # Get the rootCA PEM and key from Vault CA_PEM=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]') CA_KEY=$(echo ${VAULT_SECRET} | jq -r '.["rootca_key"]') + # If the CA_PEM variable is null, empty, or contains a parse error, then the certificates do not exist in Vault if [ "$CA_PEM" == "null" ] || [[ "$CA_PEM" = "parse error"* ]] || [ "$CA_PEM" = "" ] then + # Create a file to indicate that the rootCA certificates are absent echo "Certficates absent in vault. Ignore error warning" touch ${OUTPUT_PATH}/rootca_absent.txt else + # Create a file to indicate that the rootCA certificates are present echo "Certificates present in vault" touch ${OUTPUT_PATH}/rootca_present.txt + + # Create the rootCA directory. 
ROOTCA_PATH=${MOUNT_PATH}/rootca mkdir -p ${ROOTCA_PATH} + + # Base64 decode the root CA PEM and key and save them to the rootCA directory echo $CA_PEM | base64 -d >> ${ROOTCA_PATH}/rootca.pem echo $CA_KEY | base64 -d >> ${ROOTCA_PATH}/rootca.key fi + + # Obtain the ambassador TLS certificates from Vault if exists vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_AMBASSADORTLS}" - echo "Checking certs in ${vault_secret_key}" - vaultBevelFunc "readJson" ${vault_secret_key} + echo "Checking certs in vault at path: ${vault_secret_key}" + vaultBevelFunc "readJson" ${vault_secret_key} + + # Get the ambassador TLS data info from Vault data_info=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]') + + # If the data_info is null, empty, or contains a parse error, then the certificates do not exist in Vault if [ "$data_info" == "null" ] || [[ "$data_info" = "parse error"* ]] || [ "$data_info" = "" ] then + # Create a file to indicate that the ambassador TLS certificates are absent echo "Certficates absent in vault. Ignore error warning" touch ${OUTPUT_PATH}/ambassadortls_absent.txt else + # Create a file to indicate that the ambassador TLS certificates are present echo "Certificates present in vault" touch ${OUTPUT_PATH}/ambassadortls_present.txt fi - echo "Done checking for certificates in vault" + + echo "Done checking for certificates in vault." volumeMounts: - name: certificates mountPath: /certificates 
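Review bot: The new comment above `data_info=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]')` says it gets "the ambassador TLS data info", but the line probes the ambassadortls secret for its `rootca_pem` field, which serves as the marker that the secret exists at all (the verification read of that same secret later in this file also extracts `rootca_pem`); as written, the next maintainer may read the jq key as a copy-paste mistake and "fix" it. Suggest `# Presence probe: the ambassadortls secret also stores rootca_pem, so that field decides whether the certs exist`. Separately, `# Source the bevel-vault.sh script to perform the Vault-CURD operations` should read `Vault-CRUD`; the same comment is repeated in the hunks headed `@@ -245,57 +285,81 @@`, `@@ -108,37 +108,50 @@`, `@@ -74,31 +74,44 @@` and `@@ -153,77 +177,104 @@`.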
@@ -158,35 +184,45 @@ spec: command: ["sh", "-c"] args: - |- + + # Set the directories path CERTS_CHECKS_PATH=${MOUNT_PATH}/check_certs AMBASSADORTLS_PATH=${MOUNT_PATH}/ambassadortls; ROOTCA_PATH=${MOUNT_PATH}/rootca + + # Create the ambassadortls directory if it doesn't exist mkdir -p ${AMBASSADORTLS_PATH} + + # Check if the rootca_absent.txt file exists if [ -e ${CERTS_CHECKS_PATH}/rootca_absent.txt ] then + # Create the rootca directory if it doesn't exist mkdir -p ${ROOTCA_PATH} cd ${ROOTCA_PATH} - # Generates the CA Root certificates + + # Generates the rootCA certificates openssl genrsa -out rootca.key 2048 openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1024 -out rootca.pem -subj "/${CERT_SUBJECT}" - fi + fi; + + # Check if either rootca_absent.txt or ambassadortls_absent.txt file exists if [ -e ${CERTS_CHECKS_PATH}/rootca_absent.txt ] || [ -e ${CERTS_CHECKS_PATH}/ambassadortls_absent.txt ] then # Generates the openssl file for domain cd ${AMBASSADORTLS_PATH} echo "[req] - req_extensions = v3_req - distinguished_name = dn - [dn] - [ v3_req ] - basicConstraints = CA:FALSE - keyUsage = nonRepudiation, digitalSignature, keyEncipherment - subjectAltName = @alt_names - [alt_names] - DNS.1 = ${DOMAIN_NAME_PUB} - DNS.2 = ${DOMAIN_NAME_PRIV} - DNS.3 = ${DOMAIN_NAME_TESSERA} - " > openssl${NODE_NAME}.conf + req_extensions = v3_req + distinguished_name = dn + [dn] + [ v3_req ] + basicConstraints = CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + subjectAltName = @alt_names + [alt_names] + DNS.1 = ${DOMAIN_NAME_PUB} + DNS.2 = ${DOMAIN_NAME_PRIV} + DNS.3 = ${DOMAIN_NAME_TESSERA} + " > openssl${NODE_NAME}.conf # Generates the ambassador tls certificates openssl genrsa -out ${NODE_NAME}.key 2048 openssl req -new -nodes -key ${NODE_NAME}.key -days 1000 -out ${NODE_NAME}.csr -subj "/CN=${DOMAIN_NAME_PUB}" -config "openssl${NODE_NAME}.conf" 
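Review bot: The re-indented `[req]` through `DNS.3 = ${DOMAIN_NAME_TESSERA}` lines live inside a double-quoted string that is written to `openssl${NODE_NAME}.conf`, so the added leading spaces become part of that file; OpenSSL's config reader skips leading whitespace, so the output should still parse identically, but this is a change to generated output rather than the indentation-only change the commit message describes. A one-line note would spare the next reader the same check: `# leading spaces in this string end up in the .conf file; OpenSSL ignores them`. `fi` also became `fi;` before the second check, which is harmless but not a comment change either. The container script continues beyond this hunk.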
@@ -194,6 +230,7 @@ spec: cat ${NODE_NAME}.pem > ${NODE_NAME}-certchain.pem cat ${ROOTCA_PATH}/rootca.pem >> ${NODE_NAME}-certchain.pem fi; + # Check if TM_TLS_ENABLED is true or ambassadortls_absent.txt file exists if [ "$TM_TLS_ENABLED" == "true" ] || [ -e ${CERTS_CHECKS_PATH}/ambassadortls_absent.txt ] then # Generate crypto for besu nodes and knownserver file @@ -207,6 +244,7 @@ spec: export DIGEST=$(awk '{print $2}' ${NODE_NAME}-certchain-sha256 | sed -n 's/Fingerprint=\(.*\)/\1/p') printf '%s\n' "${NODE_NAME}-tessera.${COMPONENT_NS}:${TM_CLIENT_PORT} $DIGEST" "${DOMAIN_NAME_PUB} $DIGEST" > ${NODE_NAME}-knownServer fi; + touch ${MOUNT_PATH}/flag_finish.txt volumeMounts: - name: certificates @@ -238,6 +276,8 @@ spec: command: ["sh", "-c"] args: - |- + + # Function to format a certificate file and save it to the specified path formatCertificate () { NAME="${1##*/}" while read line || [ -n "$line" ]; 
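Review bot: `# Function to format a certificate file and save it to the specified path` restates the function name without saying what the format is; the body (which continues in the next hunk) writes every line of `$1` followed by `\n` into `$2/<basename>.txt`, and the result is later interpolated into a JSON payload, so the intent is a JSON-string-safe body. Suggest `# Rewrite $1 into $2/<basename>.txt with each line terminated by a literal \n escape, so the base64 body can be embedded in a JSON string`. Whether `echo "$line\n"` emits the two characters `\n` or a real newline depends on the shell's echo, and since the job runs under `sh -c` that assumption is worth stating in the same comment.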
@@ -245,57 +285,81 @@ spec: echo "$line\n"; done < ${1} > ${2}/${NAME}.txt } + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh + + # Get the Vault token echo "Getting the vault Token.." vaultBevelFunc 'init' + # Wait for the existence of a flag file 'flag_finish.txt' in the specified directory while ! [ -f ${MOUNT_PATH}/flag_finish.txt ] do echo 'Waiting for generation of certificates' sleep 2s done + + # Define paths for various directories and files CERTS_CHECKS_PATH=${MOUNT_PATH}/check_certs ROOTCA_PATH=${MOUNT_PATH}/rootca AMBASSADORTLS_PATH=${MOUNT_PATH}/ambassadortls; FORMAT_CERTIFICATE_PATH="/formatcertificate" + + # Create necessary subdirectories for certificate storage mkdir -p ${FORMAT_CERTIFICATE_PATH}/rootca mkdir -p ${FORMAT_CERTIFICATE_PATH}/ambassadortls + + # Check the existence of certain flag files to determine if certificates are written if [ -e ${CERTS_CHECKS_PATH}/rootca_present.txt ]; then ROOTCA_CERT_WRITTEN=true; else ROOTCA_CERT_WRITTEN=false; fi if [ -e ${CERTS_CHECKS_PATH}/ambassadortls_present.txt ]; then AMBASSADORTLS_CERT_WRITTEN=true; else AMBASSADORTLS_CERT_WRITTEN=false; fi + + # Initialize a counter variable COUNTER=1 + + # Set up a loop that will run until the COUNTER is less than or equal to the specified number of retries while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] do + # Check if either the rootca or ambassadortls certificates are absent and not yet written if ([ -e ${CERTS_CHECKS_PATH}/rootca_absent.txt ] && [ "$ROOTCA_CERT_WRITTEN" = "false" ]) || ([ -e ${CERTS_CHECKS_PATH}/ambassadortls_absent.txt ] && [ "$AMBASSADORTLS_CERT_WRITTEN" = "false" ]) then - # these commands encode files + # Encode the certificate and key files in base64 format base64 ${ROOTCA_PATH}/rootca.key > ${ROOTCA_PATH}/encode_rootca.key base64 ${ROOTCA_PATH}/rootca.pem > ${ROOTCA_PATH}/encode_rootca.pem base64 ${AMBASSADORTLS_PATH}/${NODE_NAME}-certchain.pem > 
${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-certchain.pem base64 ${AMBASSADORTLS_PATH}/${NODE_NAME}.key > ${AMBASSADORTLS_PATH}/encode_${NODE_NAME}.key - # these commands add the correct format to the files to save it in the vault + + # Format the certificate files for saving in the vault formatCertificate "${ROOTCA_PATH}/encode_rootca.key" "${FORMAT_CERTIFICATE_PATH}/rootca" formatCertificate "${ROOTCA_PATH}/encode_rootca.pem" "${FORMAT_CERTIFICATE_PATH}/rootca" formatCertificate "${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-certchain.pem" "${FORMAT_CERTIFICATE_PATH}/ambassadortls" formatCertificate "${AMBASSADORTLS_PATH}/encode_${NODE_NAME}.key" "${FORMAT_CERTIFICATE_PATH}/ambassadortls" + + # Read the formatted certificate files ROOTCAKEY_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/rootca/encode_rootca.key.txt) ROOTCAPEM_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/rootca/encode_rootca.pem.txt) AMBASSADORCRT_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/ambassadortls/encode_${NODE_NAME}-certchain.pem.txt) AMBASSADORKEY_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/ambassadortls/encode_${NODE_NAME}.key.txt) + + # Check if tm_tls is enabled if [ "$TM_TLS_ENABLED" == "true" ] then - # these commands encode files when tm_tls is true + # Encode additional certificate files when tm_tls is true base64 ${AMBASSADORTLS_PATH}/${NODE_NAME}-besu-node.pkcs12 > ${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-besu-node.pkcs12 base64 ${AMBASSADORTLS_PATH}/${NODE_NAME}-password > ${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-password base64 ${AMBASSADORTLS_PATH}/${NODE_NAME}-knownServer > ${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-knownServer - # these commands add the correct format to the files to save it in the vault when tm_tls is true + + # Format the additional certificate files for saving in the vault formatCertificate "${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-besu-node.pkcs12" "${FORMAT_CERTIFICATE_PATH}/ambassadortls" formatCertificate "${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-password" 
"${FORMAT_CERTIFICATE_PATH}/ambassadortls" formatCertificate "${AMBASSADORTLS_PATH}/encode_${NODE_NAME}-knownServer" "${FORMAT_CERTIFICATE_PATH}/ambassadortls" + + # Read the additional formatted certificate files KEYSTORE_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/ambassadortls/encode_${NODE_NAME}-besu-node.pkcs12.txt) PASSWORD_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/ambassadortls/encode_${NODE_NAME}-password.txt) KNOWNSERVER_FORMAT=$(cat ${FORMAT_CERTIFICATE_PATH}/ambassadortls/encode_${NODE_NAME}-knownServer.txt) - # this command creates the json with the data that will be saved in the vault when tm_tls is true + # Create a JSON file with the data to be saved in the vault when tm_tls is true echo " { \"data\": @@ -310,7 +374,7 @@ spec: } }" > payload.json else - # this command creates the json with the data that will be saved in the vault when tm_tls is false + # Create a JSON file with the data to be saved in the vault when tm_tls is false echo " { \"data\": @@ -323,13 +387,16 @@ spec: }" > payload.json fi; - # This command copy the tls certificates to the Vault + # Copy the TLS certificates to the Vault vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_AMBASSADORTLS}" 'payload.json' + # Check if TLS certificates are written successfully and read them to validate if [ "$TM_TLS_ENABLED" == "true" ] then - # Check tls certificates when tm_tls is true + # Obtain TLS certificates from the Vault when tm_tls is true vaultBevelFunc 'readJson' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_AMBASSADORTLS}" + + # Extract TLS certificate and key information from the response obtained from the Vault CA_PEM=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]') CA_KEY=$(echo ${VAULT_SECRET} | jq -r '.["rootca_key"]') AMBASSADORCRT=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorcrt"]') 
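Review bot: The new comment `# Set up a loop that will run until the COUNTER is less than or equal to the specified number of retries` states the opposite of the condition under it, which keeps looping *while* `"$COUNTER" -le {{ $.Values.healthcheck.retries }}`. Suggest `# Retry until both secrets are confirmed in Vault or the retry budget is exhausted`, and fold `# Initialize a counter variable` into it, since that line adds nothing over `COUNTER=1`. The loop body continues past this hunk.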
@@ -337,7 +404,8 @@ spec: KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') PASSWORD=$(echo ${VAULT_SECRET} | jq -r '.["password"]') KNOWNSERVER=$(echo ${VAULT_SECRET} | jq -r '.["knownServer"]') - + + # Check if any of the certificate and key fields are missing, empty or having any kind of error for field in "$CA_PEM" "$CA_KEY" "$AMBASSADORCRT" "$AMBASSADORKEY" "$KEYSTORE" "$PASSWORD" "$KNOWNSERVER" do if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] @@ -350,13 +418,16 @@ spec: done echo "if code - Value of AMBASSADORTLS_CERT_WRITTEN:$AMBASSADORTLS_CERT_WRITTEN" else - # Check tls certificates when tm_tls is false + # Obtain the TLS certificates from the Vault when tm_tls is false vaultBevelFunc 'readJson' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_AMBASSADORTLS}" + + # Extract TLS certificate and key information from the response obtained from the Vault CA_PEM=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]') CA_KEY=$(echo ${VAULT_SECRET} | jq -r '.["rootca_key"]') AMBASSADORCRT=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorcrt"]') AMBASSADORKEY=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorkey"]') + # Check if any of the certificate and key fields are missing, empty or having any kind of error for field in "$CA_PEM" "$CA_KEY" "$AMBASSADORCRT" "$AMBASSADORKEY" do if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] @@ -368,11 +439,15 @@ spec: fi done fi; + + # Delete the same JSON file that we created to perform the write operation in the vault rm payload.json fi; + + # Check if the rootCA certificate is absent and not yet written to the Vault if [ -e ${CERTS_CHECKS_PATH}/rootca_absent.txt ] && [ "$ROOTCA_CERT_WRITTEN" = "false" ] then - # this command creates the json with the data that will be saved in the vault + # Create a JSON payload with rootCA certificate and key data for Vault storage echo " { \"data\": 
@@ -381,13 +456,18 @@ spec: \"rootca_key\": \"${ROOTCAKEY_FORMAT}\" } }" > payload.json - # This command copy the rootca certificates to the Vault + + # Write the rootCA certificates to the Vault vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_ROOTCA}" 'payload.json' - # Check rootca certificates + + # Obtain rootCA certificates from the Vault if exists vaultBevelFunc 'readJson' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_ROOTCA}" + + # Extract TLS certificate and key information from the response obtained from the Vault CA_PEM=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]') CA_KEY=$(echo ${VAULT_SECRET} | jq -r '.["rootca_key"]') + # Check if any of the certificate and key fields are missing, empty or having any kind of error for field in "$CA_PEM" "$CA_KEY" do if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] @@ -398,9 +478,12 @@ spec: ROOTCA_CERT_WRITTEN=true fi done + + # Delete the same JSON file that we created to perform write operation in the vault rm payload.json fi + # Check if both root CA and Ambassador TLS certificates are successfully written to the Vault if [ "$ROOTCA_CERT_WRITTEN" = "true" ] && [ "$AMBASSADORTLS_CERT_WRITTEN" = "true" ] then echo "Certificates are successfully stored in vault" @@ -411,6 +494,8 @@ spec: COUNTER=`expr "$COUNTER" + 1` fi done + + # Check if the maximum number of retries is reached if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] then echo "Retry attempted `expr $COUNTER - 1` times, Certificates have not been saved." diff --git a/platforms/hyperledger-besu/charts/node_besu/templates/deployment.yaml b/platforms/hyperledger-besu/charts/node_besu/templates/deployment.yaml index db38294e6e14..cb5ac7d2c9e4 100644 --- a/platforms/hyperledger-besu/charts/node_besu/templates/deployment.yaml +++ b/platforms/hyperledger-besu/charts/node_besu/templates/deployment.yaml 
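Review bot: `# Extract TLS certificate and key information from the response obtained from the Vault` in the hunk headed `@@ -381,13 +456,18 @@` was copied from the ambassadortls branch, but this read is of `${VAULT_SECRET_ROOTCA}` and pulls only `rootca_pem` and `rootca_key`. Suggest `# Extract the rootCA certificate and key from the Vault response`, so the two verification blocks are distinguishable when grepping. The same wording is used correctly in the ambassadortls branch earlier in the script, so only this occurrence needs changing.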
@@ -108,37 +108,50 @@ spec: args: - |- #!/usr/bin/env sh + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh + + # Get the Vault token echo "Getting the vault Token..." vaultBevelFunc 'init' - + mkdir -p ${MOUNT_PATH} + # Obtain node's private key from Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.keyname }}" vaultBevelFunc 'readJson' ${vault_secret_key} node_private_key=$(echo ${VAULT_SECRET} | jq -r '.["key"]') + # Save the node's private key to a file echo "${node_private_key}" > ${MOUNT_PATH}/node_private_key + # Check if transaction manager (TM) functionality is enabled if [ {{ $.Values.privacy.tm_flag }} == "true" ] then + # Obtain the TM's public key from Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tmdir }}" echo "Getting transaction manager public key from $vault_secret_key" vaultBevelFunc 'readJson' ${vault_secret_key} tm_key_pub=$(echo ${VAULT_SECRET} | jq -r '.["publicKey"]') + # Save the TM's public key to a file echo "${tm_key_pub}" > ${MOUNT_PATH}/tm_key_pub fi + # Check if TM TLS (Transport Layer Security) is enabled if [ {{ $.Values.tm.tls }} == "true" ] then + # Obtain TM TLS data from Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tlsdir }}" echo "Getting tls knownServer, keystore and keystore password from $vault_secret_key" vaultBevelFunc 'readJson' ${vault_secret_key} + # Extract TM TLS data from the Vault response tm_known_server=$(echo ${VAULT_SECRET} | jq -r '.["knownServer"]'| base64 -d) keystore_b64=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') keystore=$(echo ${keystore_b64} | sed 's/ //g' ) # removing white spaces from keystore because sometimes while fetching b64 string, '+' is replaced with white spaces. 
keystore_password=$(echo ${VAULT_SECRET} | jq -r '.["password"]' | base64 -d) + # Save the TM TLS data to respective files echo "${tm_known_server}" > ${MOUNT_PATH}/known_server echo "${keystore}" > ${MOUNT_PATH}/keystore base64 -d ${MOUNT_PATH}/keystore > ${MOUNT_PATH}/keystore.pkcs12 @@ -157,18 +170,29 @@ spec: args: - |- #!/usr/bin/env sh + + # Check if liveliness check is enabled {{- if .Values.liveliness_check.enabled }} + # Initialize a counter variable COUNTER=1 + + # Use a loop to perform liveliness checks while [ "$COUNTER" -lt {{ $.Values.healthcheck.readinessthreshold }} ] do - # get truststore from vault to see if registration is done or not + # Get truststore from vault to see if registration is done or not LOOKUP_SECRET_RESPONSE=$(curl -X GET {{ .Values.liveliness_check.url }}:{{ .Values.liveliness_check.port }}/liveness | jq -r 'if .errors then . else . end') + + # Check if the response does not contain "UP" (indicating service is not ready) if ! echo ${LOOKUP_SECRET_RESPONSE} | grep -E "UP" then + # Sleep for the specified readiness check interval before the next check sleep {{ $.Values.healthcheck.readinesscheckinterval }} else + # Break the loop if the service is ready (contains "UP") break - fi + fi + + # Increment the counter COUNTER=`expr "$COUNTER" + 1` done {{- end }} 
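Review bot: The new `# Extract TM TLS data from the Vault response` sits directly above `keystore=$(echo ${keystore_b64} | sed 's/ //g' )`, whose inline comment says spaces appear where `+` used to be; if that is what happens, deleting the spaces instead of restoring `+` shifts the base64 stream, and the later `base64 -d ${MOUNT_PATH}/keystore > ${MOUNT_PATH}/keystore.pkcs12` would quietly produce an unusable keystore rather than fail. If the described corruption is real the line should be `sed 's/ /+/g'`; if it is not, the inline comment is misleading and should go. Either way this is worth confirming before the surrounding comments are settled, and the init script continues past the hunk.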
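Review bot: `# Get truststore from vault to see if registration is done or not` (only its capitalisation changed here) does not describe the line under it, which curls `{{ .Values.liveliness_check.url }}:{{ .Values.liveliness_check.port }}/liveness` and greps the body for `UP`; nothing is read from Vault and no truststore is involved. Suggest `# Poll the liveness endpoint until it reports UP, or the readiness threshold is reached`. The `jq -r 'if .errors then . else . end'` filter is an identity on valid JSON (both branches yield `.`), so it should either be dropped or get a comment, because it currently reads as if it handled an error case.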
@@ -183,16 +207,27 @@ spec: - /bin/sh - -c args: - - | + - | + # Set the static-nodes.json file content with the JSON representation of static nodes echo -n {{ .Values.staticnodes | toJson | quote }} > {{ .Values.node.mountPath }}/static-nodes.json + + # Create a temporary directory for the genesis file mkdir -p /tmp/genesis; + + # Decode and save the base64-encoded genesis file to the temporary directory cat /etc/genesis/genesis.json.base64 | base64 -d > /tmp/genesis/genesis.json + + # Remove any newline and carriage return characters from the tm_key_pub file and save it as tm_key.pub tr -d "\n\r" < /secrets/tm_key_pub > /secrets/tm_key.pub + + # Check the consensus mechanism and set arguments accordingly if [ "$CONSENSUS" = "qbft" ]; then args="--rpc-http-enabled --rpc-http-api=ETH,NET,QBFT,DEBUG,ADMIN,WEB3,EEA,PRIV --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" else args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3,EEA,PRIV --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" fi + + # Check if privacy (TM TLS) is enabled and set arguments accordingly if {{ $.Values.tm.tls }} == "true" then tls_args="--privacy-tls-enabled --privacy-tls-keystore-file=/secrets/keystore.pkcs12 --privacy-tls-keystore-password-file=/secrets/keystore_password --privacy-tls-known-enclave-file=/secrets/known_server --privacy-url={{ .Values.tm.url }}" 
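Review bot: `if {{ $.Values.tm.tls }} == "true"` is not a comparison: after templating it runs the command `true` (or `false`) with the arguments `==` and `true`, and only behaves because those commands ignore their arguments, while the new comment `# Check if privacy (TM TLS) is enabled and set arguments accordingly` presents it as a test. Any other rendered value would be executed as a command name. Write it as `if [ "{{ $.Values.tm.tls }}" = "true" ]`, matching the `[ "$CONSENSUS" = "qbft" ]` form a few lines up; the same pattern is on the `metrics.enabled` and `node.permissioning.enabled` lines in the next hunk (`@@ -200,16 +235,20 @@`). Also, the init container writes `tm_key_pub` only when `privacy.tm_flag` is true, so `tr -d "\n\r" < /secrets/tm_key_pub` (assuming `/secrets` is that same mount) reports a missing file otherwise; without `set -e` that is a stray error rather than a failure, which the comment above it could say.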
@@ -200,16 +235,20 @@ spec: tls_args="--privacy-url={{ .Values.tm.url }}" fi + # Check if metrics are enabled and set metrics-related arguments if {{ $.Values.metrics.enabled }} == "true" then metrics_args="--metrics-enabled --metrics-port={{ template "metrics_port" . }} --metrics-host=0.0.0.0" fi + + # Check if onchain-permissioning is enabled and set permissioning-related arguments if {{ $.Values.node.permissioning.enabled }} == "true" then permissioning_args="--permissions-accounts-contract-enabled --permissions-accounts-contract-address=0x0000000000000000000000000000000000008888 --permissions-nodes-contract-enabled --permissions-nodes-contract-address=0x0000000000000000000000000000000000009999 --permissions-nodes-contract-version=2" args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3,EEA,PRIV,PERM --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" fi + # Execute the Besu node with the specified arguments and configuration exec /opt/besu/bin/besu \ --identity={{ .Values.node.name }} \ --discovery-enabled=false \ diff --git a/platforms/hyperledger-besu/charts/node_key_mgmt/templates/job.yaml b/platforms/hyperledger-besu/charts/node_key_mgmt/templates/job.yaml index 26c0ca00c0e7..7c51efb9b625 100644 --- a/platforms/hyperledger-besu/charts/node_key_mgmt/templates/job.yaml +++ b/platforms/hyperledger-besu/charts/node_key_mgmt/templates/job.yaml 
@@ -74,31 +74,44 @@ spec: args: - |- #!/usr/bin/env sh + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh + + # Get the Vault token echo "Getting the vault Token..." vaultBevelFunc 'init' + # Define the path for node crypto data CRYPTO_PATH=/crypto - + + # Iterate through each peer and validator nodes in the organization {{- range .Values.organisation.nodes }} - mkdir ${CRYPTO_PATH}/{{ .name }} - VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data - vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}" - # Check for node crypto .. - vaultBevelFunc 'readJson' ${vault_secret_key} - NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]') - - for field in "$NODE_KEY" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] - then - echo "data absent in ${VAULT_PATH_NODE_CRYPTO}" - touch ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent - else - echo "data present in ${VAULT_PATH_NODE_CRYPTO}" - fi - done + mkdir ${CRYPTO_PATH}/{{ .name }} + + # Obtain node's crypto data from the Vault for the specific node + VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data + vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}" + vaultBevelFunc 'readJson' ${vault_secret_key} + + # Extract the key field from the Vault response + NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]') + + # Check if the NODE_KEY field is null, contains a parse error, or is empty + for field in "$NODE_KEY" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + echo "Node crypto data is absent at vault path: ${VAULT_PATH_NODE_CRYPTO}" + + # Create a marker file to indicate the absence of node crypto data + touch ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent + else + echo "Node crypto data is present at vault path: ${VAULT_PATH_NODE_CRYPTO}" + fi + done {{- end }} + echo "Done checking for crypto in 
vault" volumeMounts: - name: node-crypto @@ -117,22 +130,33 @@ spec: args: - |- echo "Generating keypair and nodeAddress.." + + # Define the path for crypto data CRYPTO_PATH=/crypto + + # Iterate through each peer and validator node in the organization {{- range .Values.organisation.nodes }} + # Check if a marker file indicates the absence of node crypto data for {{ .name }} if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ] then + # Create a directory to store the generated keypair and nodeAddress for {{ .name }} mkdir ${CRYPTO_PATH}/{{ .name }}/data - echo "Generating keypair and nodeAddress for {{ .name }}.." + + echo "Generating keypair and nodeAddress for {{ .name }}..." + + # Use Besu to export the nodeAddress and key.pub to the specified directory besu --data-path ${CRYPTO_PATH}/{{ .name }}/data public-key export-address --to ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress besu --data-path ${CRYPTO_PATH}/{{ .name }}/data public-key export --to ${CRYPTO_PATH}/{{ .name }}/data/key.pub else - echo "keypair and nodeAddress for {{ .name }} already present in vault.." + echo "keypair and nodeAddress for {{ .name }} are already present in the vault." fi {{- end }} + + # Create a marker file to indicate the completion of keypair and nodeAddress generation touch ${CRYPTO_PATH}/generate_node_keys_complete volumeMounts: - - name: node-crypto - mountPath: /crypto + - name: node-crypto + mountPath: /crypto - name: "store-node-keys" image: "{{ $.Values.image.alpineutils }}" imagePullPolicy: IfNotPresent 
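Review bot: `for field in "$NODE_KEY" do … done` iterates over exactly one value, so the loop is a roundabout `if`; writing the test directly, `if [ "$NODE_KEY" = "null" ] || [[ "$NODE_KEY" = "parse error"* ]] || [ "$NODE_KEY" = "" ]`, reads better and puts the new comment `# Check if the NODE_KEY field is null, contains a parse error, or is empty` on the line it describes. `[[ … ]]` is not POSIX and the job runs via `sh -c`; it works on shells whose `sh` accepts it (busybox ash, bash) but a short comment noting that dependency would help. `mkdir ${CRYPTO_PATH}/{{ .name }}` without `-p` fails if the directory already exists, which is harmless without `set -e` but `mkdir -p` states the intent.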
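Review bot: `# Use Besu to export the nodeAddress and key.pub to the specified directory` leaves out the part the next container depends on: nothing in this script writes `data/key`, yet the store step (hunk `@@ -153,77 +177,104 @@`) reads `${CRYPTO_PATH}/{{ .name }}/data/key`; as far as I know Besu generates that private key as a side effect of the first `besu … public-key export-address` call when none exists in `--data-path`. Suggest `# The first besu call generates data/key if absent (that private key is what the store step uploads); the two exports derive nodeAddress and key.pub from it`. The re-indent of `- name: node-crypto` under `volumeMounts` switches the sequence style from flush to indented, which is fine as long as it matches the rest of the file.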
@@ -153,77 +177,104 @@ spec: args: - |- #!/usr/bin/env sh + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh + echo "Work on mount path.." cd ${MOUNT_PATH} + # Get the Vault token + echo "Getting Vault Token..." vaultBevelFunc 'init' + + # Wait for the generation of node keys to complete while ! [ -f ${MOUNT_PATH}/generate_node_keys_complete ] do - echo 'Waiting for node keys..' + echo 'Waiting for the generation of node keys...' sleep 2s done + CRYPTO_PATH=${MOUNT_PATH} + + # Iterate through each peer and validator node in the organization {{- range .Values.organisation.nodes }} - COUNTER=1 - while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] - do - if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ] - then - NODE_ADDRESS=$(cat ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress) - NODE_KEY=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key) - NODE_KEY_PUB=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key.pub) - # create the payload for node crypto - echo " - { - \"data\": - { - \"nodeAddress\": \"${NODE_ADDRESS}\", - \"key\": \"${NODE_KEY}\", - \"key_pub\": \"${NODE_KEY_PUB}\" - } - }" > payload.json - # create the vault path for node cryto - VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data - - vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}" - # This command copy the tls certificates to the Vault - vaultBevelFunc 'write' "${vault_secret_key}" 'payload.json' - - # Check for node crypto .. 
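Review bot: The new comment `# Use Besu to export the nodeAddress and key.pub to the specified directory` names only the side outputs; the store step further down reads `${CRYPTO_PATH}/{{ .name }}/data/key`, so these two commands presumably also create the node's private key in `data/` when none exists, and that is the effect worth documenting, e.g. `# Besu creates the node's private key in data/key on first use, then exports the address and public key`. `mkdir ${CRYPTO_PATH}/{{ .name }}/data` has no `-p`, so a rerun of the job with the marker still present would fail on the existing directory; confirm whether reruns are expected. The container definition starts before this hunk.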
- vaultBevelFunc 'readJson' ${vault_secret_key} - NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]') - - for field in "$NODE_KEY" - do - if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + # Initialize a counter variable + COUNTER=1 + + # Perform retries for health checks + while [ "$COUNTER" -le {{ $.Values.healthcheck.retries }} ] + do + # Check the presence of specified file + if [ -f ${CRYPTO_PATH}/{{ .name }}/node_crypto_absent ] + then + # Read the nodeAddress, key, and key.pub from the generated data + NODE_ADDRESS=$(cat ${CRYPTO_PATH}/{{ .name }}/data/nodeAddress) + NODE_KEY=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key) + NODE_KEY_PUB=$(cat ${CRYPTO_PATH}/{{ .name }}/data/key.pub) + + # create a JSON file for the data related to node crypto + echo " + { + \"data\": + { + \"nodeAddress\": \"${NODE_ADDRESS}\", + \"key\": \"${NODE_KEY}\", + \"key_pub\": \"${NODE_KEY_PUB}\" + } + }" > payload.json + + # create the vault path for node crypto + VAULT_PATH_NODE_CRYPTO=data/{{ $.Values.metadata.namespace }}/crypto/{{ .name }}/data + vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_PATH_NODE_CRYPTO}" + + # Copy the node crypto data to the Vault + vaultBevelFunc 'write' "${vault_secret_key}" 'payload.json' + + # Check for the presence of node crypto in the Vault + vaultBevelFunc 'readJson' ${vault_secret_key} + + # Extract the key field from the Vault Response + NODE_KEY=$(echo ${VAULT_SECRET} | jq -r '.["key"]') + + # Check if the NODE_KEY field is null, contains a parse error, or is empty + for field in "$NODE_KEY" + do + if [ "$field" = "null" ] || [[ "$field" = "parse error"* ]] || [ "$field" = "" ] + then + NODE_CRYPTO_WRITTEN=false + break + else + NODE_CRYPTO_WRITTEN=true + fi + done + + # Delete the same JSON file that we created to perform the write operation in the vault + rm payload.json + + # Check if the node crypto data is successfully stored in the Vault + if [ "$NODE_CRYPTO_WRITTEN" = "true" ] then - 
NODE_CRYPTO_WRITTEN=false + echo "Success: store crypto for {{ .name }}" break else - NODE_CRYPTO_WRITTEN=true + echo "Crypto materials are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }} - $COUNTER " + sleep {{ $.Values.healthcheck.sleepTimeAfterError }} + COUNTER=`expr "$COUNTER" + 1` fi - done - rm payload.json - if [ "$NODE_CRYPTO_WRITTEN" = "true" ] - then - echo "Success: store crypto for {{ .name }}" - break else - echo "Crypto materials are not ready, sleeping for {{ $.Values.healthcheck.sleepTimeAfterError }} - $COUNTER " - sleep {{ $.Values.healthcheck.sleepTimeAfterError }} - COUNTER=`expr "$COUNTER" + 1` + echo "Skipped: store cryto for {{ .name }}" + break fi - else - echo "Skipped: store cryto for {{ .name }}" - break + done + + # Check if the maximum number of retries has been reached + if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] + then + # Error message and exit with a non-zero status + echo "Retry attempted `expr $COUNTER - 1` times, Crypto materials have not been saved." + exit 1 fi - done - if [ "$COUNTER" -gt {{ $.Values.healthcheck.retries }} ] - then - echo "Retry attempted `expr $COUNTER - 1` times, Crypto materials have not been saved." - exit 1 - fi {{- end }} volumeMounts: - name: node-crypto diff --git a/platforms/hyperledger-besu/charts/node_tessera/templates/deployment.yaml b/platforms/hyperledger-besu/charts/node_tessera/templates/deployment.yaml index 10db819a6f32..749a6bb26a38 100644 --- a/platforms/hyperledger-besu/charts/node_tessera/templates/deployment.yaml +++ b/platforms/hyperledger-besu/charts/node_tessera/templates/deployment.yaml 
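Review bot: `payload.json` holds the node's private key in clear in `${MOUNT_PATH}` (the script did `cd ${MOUNT_PATH}` above) and is removed only after the verify read, so if `vaultBevelFunc 'write'` aborts the script or the container is killed in between, the key stays on the node-crypto volume; a `trap 'rm -f payload.json' EXIT` right after the `cd` covers every exit path. Two of the added comments mislead: `# Perform retries for health checks` guards a loop that retries the Vault write, so `# Retry the Vault write up to healthcheck.retries times` fits, and `# Check the presence of specified file` should say which file and why, e.g. `# Only nodes whose crypto was not found in Vault (marker from the check step) get a new key stored`. The `Skipped: store cryto` message keeps the old `cryto` typo on the new side.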
@@ -32,7 +32,7 @@ spec: app.kubernetes.io/name: {{ .Values.tessera.name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} {{- include "labels.custom" . | nindent 2 }} {{- if $.Values.labels }} {{- range $key, $value := $.Values.labels.deployment }} @@ -44,13 +44,13 @@ spec: template: metadata: creationTimestamp: null - labels: + labels: name: {{ .Values.tessera.name }} service.rpc: {{ .Values.tessera.name }} app.kubernetes.io/name: {{ .Values.tessera.name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} {{- include "labels.custom" . | nindent 2 }} {{- if $.Values.labels }} {{- range $key, $value := $.Values.labels.deployment }} @@ -73,7 +73,7 @@ spec: medium: Memory - name: mysql-jar emptyDir: - medium: Memory + medium: Memory - name: tessera-config configMap: name: tessera-config-{{ .Values.tessera.name }} 
@@ -107,47 +107,56 @@ spec: args: - |- #!/bin/bash + + # Source the bevel-vault.sh script to perform the Vault-CURD operations . /scripts/bevel-vault.sh + + # Get the Vault token echo "Getting the vault Token..." vaultBevelFunc 'init' + # Store the Vault token in the specified file echo $VAULT_TOKEN > /secret/VAULT_CLIENT_TOKEN + # Obtain keys from the specified path within the Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.keyname }}" - echo "Getting 2 keys from $vault_secret_key" + echo "Getting 5 keys from $vault_secret_key" vaultBevelFunc 'readJson' ${vault_secret_key} - - nodekey=$(echo ${VAULT_SECRET} | jq -r '.["nodekey"]') - keystore=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') - vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.keyname }}" - echo "Getting 3 keys from $vault_secret_key" - vaultBevelFunc 'readJson' ${vault_secret_key} - + # Extract keys from the response obtained from the Vault + nodekey=$(echo ${VAULT_SECRET} | jq -r '.["nodekey"]') + keystore=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') gethpassword=$(echo ${VAULT_SECRET} | jq -r '.["gethpassword"]') username=$(echo ${VAULT_SECRET} | jq -r '.["db_user"]') password=$(echo ${VAULT_SECRET} | jq -r '.["db_password"]') + # Define the output directory path OUTPUT_PATH="${MOUNT_PATH}/keys" mkdir -p ${OUTPUT_PATH} + # Write the extracted values to respective files in the output directory echo -n "${gethpassword}" > ${OUTPUT_PATH}/passwords.txt echo -n "${nodekey}" > ${OUTPUT_PATH}/nodekey echo -n "${keystore}" > ${OUTPUT_PATH}/keystore echo "${username}" > ${OUTPUT_PATH}/username echo "${password}" > ${OUTPUT_PATH}/password + # Check if the value of 'tessera.tls' is 'STRICT' if [ {{ $.Values.tessera.tls }} == "STRICT" ] then - vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tlsdir }}" - vaultBevelFunc 'readJson' ${vault_secret_key} + # Obtain TLS-related data from the Vault + 
vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tlsdir }}" + vaultBevelFunc 'readJson' ${vault_secret_key} + # Extract and decode TLS-related data from the response obtained from the Vault tessera_ca=$(echo ${VAULT_SECRET} | jq -r '.["rootca_pem"]' | base64 -d) - tessera_cer_pem=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorcrt"]' | base64 -d) + tessera_cer_pem=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorcrt"]' | base64 -d) tessera_cer_key=$(echo ${VAULT_SECRET} | jq -r '.["ambassadorkey"]' | base64 -d) tessera_known_server=$(echo ${VAULT_SECRET} | jq -r '.["knownServer"]'| base64 -d) keystore=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') keystore_password=$(echo ${VAULT_SECRET} | jq -r '.["password"]' | base64 -d) + + # Write the decoded TLS-related data to files echo "${tessera_ca}" > ${MOUNT_PATH}/tessera_ca.pem echo "${tessera_cer_pem}" > ${MOUNT_PATH}/tessera_cer.pem echo "${tessera_cer_key}" > ${MOUNT_PATH}/tessera_cer.key @@ -158,7 +167,7 @@ spec: echo "${keystore_password}" > ${MOUNT_PATH}/keystore_password fi - #copy mysql jar + # Copy MySQL jar files to the '/mysql-jar' directory cp /mysql/* /mysql-jar volumeMounts: - name: certificates 
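Review bot: In the `STRICT` branch `keystore=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]')` silently reassigns the variable that was already written to `${OUTPUT_PATH}/keystore` from the first secret, and the added comment `# Extract and decode TLS-related data from the response obtained from the Vault` hides that; a distinct name such as `tls_keystore=$(...)` (with the matching `echo "${tls_keystore}" > ...` line, which lies outside the hunk) makes the two keystores obvious. `if [ {{ $.Values.tessera.tls }} == "STRICT" ]` renders an unquoted value, so an unset `tessera.tls` becomes `[ == "STRICT" ]` and the script aborts with a test syntax error instead of taking the non-STRICT branch; `if [ "{{ $.Values.tessera.tls }}" = "STRICT" ]` is safe, and the same unquoted form appears in the node_validator hunk as `if [ {{ $.Values.node.tls }} == "true" ]`. The container definition starts before this hunk.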
@@ -177,23 +186,28 @@ spec: - |- #!/bin/bash - echo "getting username and password from vault" - var=$(cat /secret/keys/password) + echo "Getting Username and Password from the Vault" + + # Read the password from the specified file and store it in 'var' + var=$(cat /secret/keys/password) + + # create an SQL script file + # This SQL script updates user passwords and creates database tables cat << EOF > /docker-entrypoint-initdb.d/createTables.sql - UPDATE mysql.user SET authentication_string = PASSWORD('$var') WHERE User = 'demouser'; - UPDATE mysql.user SET authentication_string = PASSWORD('$var') WHERE User = 'root'; - CREATE TABLE IF NOT EXISTS ENCRYPTED_TRANSACTION (ENCODED_PAYLOAD BLOB NOT NULL, HASH VARBINARY(100) NOT NULL, TIMESTAMP BIGINT, PRIMARY KEY (HASH)); - CREATE TABLE IF NOT EXISTS PRIVACY_GROUP(ID VARBINARY(100) NOT NULL, LOOKUP_ID BLOB NOT NULL, DATA BLOB NOT NULL, TIMESTAMP BIGINT, PRIMARY KEY (ID)); - CREATE TABLE IF NOT EXISTS ENCRYPTED_RAW_TRANSACTION (ENCRYPTED_KEY BLOB NOT NULL, ENCRYPTED_PAYLOAD BLOB NOT NULL, NONCE BLOB NOT NULL, SENDER BLOB NOT NULL, TIMESTAMP BIGINT, HASH VARBINARY(100) NOT NULL, PRIMARY KEY (HASH)); - CREATE TABLE ST_TRANSACTION(ID BIGINT(19) NOT NULL, HASH VARCHAR(100) NOT NULL, PAYLOAD BLOB, PRIVACY_MODE BIGINT(10), TIMESTAMP BIGINT(19), VALIDATION_STAGE BIGINT(19), PRIMARY KEY (ID)); - CREATE TABLE ST_AFFECTED_TRANSACTION(ID BIGINT(19) NOT NULL, AFFECTED_HASH VARCHAR(100) NOT NULL, TXN_ID BIGINT(19) NOT NULL, CONSTRAINT FK_ST_AFFECTED_TRANSACTION_TXN_ID FOREIGN KEY (TXN_ID) REFERENCES ST_TRANSACTION(ID), PRIMARY KEY (ID)); - CREATE INDEX IF NOT EXISTS ST_TRANSACTION_VALSTG ON ST_TRANSACTION(VALIDATION_STAGE); + UPDATE mysql.user SET authentication_string = PASSWORD('$var') WHERE User = 'demouser'; + UPDATE mysql.user SET authentication_string = PASSWORD('$var') WHERE User = 'root'; + CREATE TABLE IF NOT EXISTS ENCRYPTED_TRANSACTION (ENCODED_PAYLOAD BLOB NOT NULL, HASH VARBINARY(100) NOT NULL, TIMESTAMP BIGINT, PRIMARY 
KEY (HASH)); + CREATE TABLE IF NOT EXISTS PRIVACY_GROUP(ID VARBINARY(100) NOT NULL, LOOKUP_ID BLOB NOT NULL, DATA BLOB NOT NULL, TIMESTAMP BIGINT, PRIMARY KEY (ID)); + CREATE TABLE IF NOT EXISTS ENCRYPTED_RAW_TRANSACTION (ENCRYPTED_KEY BLOB NOT NULL, ENCRYPTED_PAYLOAD BLOB NOT NULL, NONCE BLOB NOT NULL, SENDER BLOB NOT NULL, TIMESTAMP BIGINT, HASH VARBINARY(100) NOT NULL, PRIMARY KEY (HASH)); + CREATE TABLE ST_TRANSACTION(ID BIGINT(19) NOT NULL, HASH VARCHAR(100) NOT NULL, PAYLOAD BLOB, PRIVACY_MODE BIGINT(10), TIMESTAMP BIGINT(19), VALIDATION_STAGE BIGINT(19), PRIMARY KEY (ID)); + CREATE TABLE ST_AFFECTED_TRANSACTION(ID BIGINT(19) NOT NULL, AFFECTED_HASH VARCHAR(100) NOT NULL, TXN_ID BIGINT(19) NOT NULL, CONSTRAINT FK_ST_AFFECTED_TRANSACTION_TXN_ID FOREIGN KEY (TXN_ID) REFERENCES ST_TRANSACTION(ID), PRIMARY KEY (ID)); + CREATE INDEX IF NOT EXISTS ST_TRANSACTION_VALSTG ON ST_TRANSACTION(VALIDATION_STAGE); EOF volumeMounts: - name: mysql mountPath: /docker-entrypoint-initdb.d - name: certificates - mountPath: /secret + mountPath: /secret containers: - name: mysql-db image: {{ .Values.images.mysql }} 
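Review bot: `$var` is expanded inside the unquoted heredoc straight into `PASSWORD('$var')`, so an empty `/secret/keys/password` sets an empty authentication string for both `root` and `demouser`, and a password containing a single quote breaks or changes the statement; a guard before the heredoc, `[ -n "$var" ] || { echo "db password missing"; exit 1; }`, catches the first case, and the new comment should state that the heredoc is deliberately unquoted so `$var` expands. `PASSWORD()` is version-dependent in MySQL and the image version is not visible here, so confirm it against `.Values.images.mysql`. The shell block starts before this hunk.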
@@ -223,23 +237,39 @@ spec: command: ["sh", "-c"] args: - |- + + # Create directories for Tessera logs and tm mkdir -p $TESSERA_HOME/logs; mkdir -p $TESSERA_HOME/tm; + + # Set the DDIR to the 'tm' directory DDIR=$TESSERA_HOME/tm; + + # Read the password from the specified file and store it in the 'PASSWORD' variable PASSWORD=$(cat $TESSERA_HOME/crypto/keys/password); - # required for tessera vault integration + # Set the 'HASHICORP_TOKEN' environment variable by reading the 'VAULT_CLIENT_TOKEN' file + # This is required for Tessera Vault integration export HASHICORP_TOKEN=$(cat $TESSERA_HOME/crypto/VAULT_CLIENT_TOKEN); + # Print the current environment variables printenv; - # mysql connector required for mysql tessera DB + + # Copy, extract, and place the MySQL connector file into the Tessera library directory, ensuring that Tessera can use it for database connectivity. cp /mysql-jar/mysql-connector-java-8.0.25.tar.gz mysql-connector-java-8.0.25.tar.gz tar -xf mysql-connector-java-8.0.25.tar.gz; cp /mysql-connector-java-8.0.25/mysql-connector-java-8.0.25.jar /tessera/lib/; + + # Read the contents of the Tessera configuration template into 'CONFIG_TMPL' CONFIG_TMPL=$(cat ${TESSERA_HOME}/tessera-config.json.tmpl); + + # Write the contents of the configuration template to a file in the 'tm' directory echo $CONFIG_TMPL > ${DDIR}/tessera-config-with-hosts.json; + + # Display the contents of the generated Tessera configuration file cat ${DDIR}/tessera-config-with-hosts.json; - + + # Run Tessera with the generated configuration file, passing the 'jdbc.password' parameter /tessera/bin/tessera --configfile ${DDIR}/tessera-config-with-hosts.json -o jdbc.password=$PASSWORD; ports: - containerPort: {{ .Values.tessera.ports.tm }} 
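Review bot: `printenv;` runs right after `export HASHICORP_TOKEN=$(cat $TESSERA_HOME/crypto/VAULT_CLIENT_TOKEN);`, so the Vault client token and every other environment variable of the container are written to the pod log where anyone with log access can read them; the added comment `# Print the current environment variables` documents the line without noting that, and the line is best dropped or reduced to the non-secret variables needed for debugging. `echo $CONFIG_TMPL > ${DDIR}/tessera-config-with-hosts.json;` expands the JSON unquoted, which collapses whitespace and lets the shell glob any `*` or `?` in the template; `echo "$CONFIG_TMPL" > ${DDIR}/tessera-config-with-hosts.json;` keeps it byte-identical. `-o jdbc.password=$PASSWORD` puts the DB password on the tessera command line, visible in the process list; the flag is unchanged here but the new comment on that line should say so.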
@@ -249,7 +279,7 @@ spec: - name: QHOME value: {{ .Values.tessera.mountPath }} - name: VAULT_ADDR - value: {{ $.Values.vault.address }} + value: {{ $.Values.vault.address }} - name: KUBERNETES_AUTH_PATH value: {{ $.Values.vault.authpath }} - name: VAULT_APP_ROLE @@ -261,21 +291,21 @@ spec: mountPath: {{ .Values.tessera.mountPath }} - name: tessera-config mountPath: {{ .Values.tessera.mountPath }}/tessera-config.json.tmpl - subPath: tessera-config.json.tmpl + subPath: tessera-config.json.tmpl - name: mysql-jar - mountPath: /mysql-jar + mountPath: /mysql-jar restartPolicy: Always - volumeClaimTemplates: + volumeClaimTemplates: - metadata: name: {{ .Values.tessera.name }}-pv labels: - {{- if $.Values.labels }} - {{- range $key, $value := $.Values.labels.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- if $.Values.labels }} + {{- range $key, $value := $.Values.labels.pvc }} + {{- range $k, $v := $value }} + {{ $k }}: {{ $v | quote }} + {{- end }} + {{- end }} + {{- end }} spec: storageClassName: {{ .Values.storage.storageclassname }} accessModes: [ "ReadWriteOnce" ] @@ -285,15 +315,15 @@ spec: - metadata: name: {{ .Values.tessera.name }}-mysql labels: - {{- if $.Values.labels }} - {{- range $key, $value := $.Values.labels.pvc }} - {{- range $k, $v := $value }} - {{ $k }}: {{ $v | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- if $.Values.labels }} + {{- range $key, $value := $.Values.labels.pvc }} + {{- range $k, $v := $value }} + {{ $k }}: {{ $v | quote }} + {{- end }} + {{- end }} + {{- end }} spec: - storageClassName: {{ .Values.storage.storageclassname }} + storageClassName: {{ .Values.storage.storageclassname }} accessModes: [ "ReadWriteOnce" ] resources: requests: diff --git a/platforms/hyperledger-besu/charts/node_validator/templates/deployment.yaml b/platforms/hyperledger-besu/charts/node_validator/templates/deployment.yaml index 0fbaf88f13c8..abe8875ecbe8 100644 
--- a/platforms/hyperledger-besu/charts/node_validator/templates/deployment.yaml +++ b/platforms/hyperledger-besu/charts/node_validator/templates/deployment.yaml @@ -109,28 +109,41 @@ spec: args: - |- #!/usr/bin/env sh + + # Source the bevel-vault.sh script, contains functions to perform the Vault-CURD operations . /scripts/bevel-vault.sh + + # Get the Vault token echo "Getting the vault Token..." vaultBevelFunc 'init' + # Create a directory if it doesn't already exist mkdir -p ${MOUNT_PATH} + # Obtain the 'key' from the Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.keyname }}" vaultBevelFunc 'readJson' ${vault_secret_key} + # Extract 'key' from the response obtained from the Vault and save it to a file nodekey=$(echo ${VAULT_SECRET} | jq -r '.["key"]') echo "${nodekey}" > ${MOUNT_PATH}/nodekey + # Check if node TLS is enabled if [ {{ $.Values.node.tls }} == "true" ] then + # Obtain TLS-related data from the Vault vault_secret_key="${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/{{ .Values.vault.tlsdir }}" vaultBevelFunc 'readJson' ${vault_secret_key} + # Extract 'keystore' and 'password' from the response obtained from the Vault keystore=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]') keystore_password=$(echo ${VAULT_SECRET} | jq -r '.["password"]' | base64 -d) + # Save 'keystore' to a file and decode it from base64 to a PKCS12 file. echo "${keystore}" > ${MOUNT_PATH}/keystore base64 -d ${MOUNT_PATH}/keystore > ${MOUNT_PATH}/keystore.pkcs12 + + # Save the keystore password to a file. echo "${keystore_password}" > ${MOUNT_PATH}/keystore_password fi volumeMounts: 
@@ -146,18 +159,29 @@ spec: args: - |- #!/usr/bin/env sh + + # Check if liveliness check is enabled in the configuration {{- if .Values.liveliness_check.enabled }} + # Initialize a counter variable COUNTER=1 + + # Start a while loop that runs until the counter reaches the readiness threshold. while [ "$COUNTER" -lt {{ $.Values.healthcheck.readinessthreshold }} ] do - # get truststore from vault to see if registration is done or not + # Get truststore from vault to see if registration is done or not LOOKUP_SECRET_RESPONSE=$(curl -X GET {{ .Values.liveliness_check.url }}:{{ .Values.liveliness_check.port }}/liveness | jq -r 'if .errors then . else . end') + + # Check if the response from the liveliness check does not contain "UP". if ! echo ${LOOKUP_SECRET_RESPONSE} | grep -E "UP" then + # If the check indicates a non-UP state, sleep for the specified readiness check interval. sleep {{ $.Values.healthcheck.readinesscheckinterval }} else + # If the check is successful (UP), break out of the loop. break - fi + fi + + # Increment the counter COUNTER=`expr "$COUNTER" + 1` done {{- end }} 
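Review bot: The comment `# Get truststore from vault to see if registration is done or not` does not match the code under it, which polls `{{ .Values.liveliness_check.url }}:{{ .Values.liveliness_check.port }}/liveness` and greps the reply for `UP`; `# Poll the liveness endpoint until it reports UP` is what the loop does. The `jq -r 'if .errors then . else . end'` filter returns its input in both branches, so it only adds a parse step, and `curl -X GET` without `-s` sends the progress meter to the log on every retry; `curl -sS` keeps errors and drops the meter. The loop exits after `readinessthreshold` attempts without reporting whether it ever saw `UP`, so the step succeeds silently on timeout; confirm that is intended.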
@@ -173,30 +197,43 @@ spec: - -c args: - | + + # Create a static-nodes.json file with JSON contents and store it in the specified directory echo -n {{ .Values.staticnodes | toJson | quote }} > {{ .Values.node.mountPath }}/static-nodes.json + + # Create a temporary directory for the genesis file mkdir -p /tmp/genesis; + + # Decode the Base64-encoded genesis file and save it to the temporary directory cat /etc/genesis/genesis.json.base64 | base64 -d > /tmp/genesis/genesis.json + + # Check the consensus type and set the 'args' variable accordingly if [ "$CONSENSUS" = "qbft" ]; then args="--rpc-http-enabled --rpc-http-api=ETH,NET,QBFT,DEBUG,ADMIN,WEB3 --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" else args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3 --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" fi - if {{ $.Values.node.tls }} == "true" + + # Check if TLS is enabled and set 'tls_args' with TLS-related configuration + if {{ $.Values.node.tls }} == "true" then tls_args="--privacy-tls-enabled --privacy-tls-keystore-file=/secrets/keystore.pkcs12 --privacy-tls-keystore-password-file=/secrets/keystore_password" fi + # Check if metrics are enabled and set 'metrics_args' with metrics-related configuration if {{ $.Values.metrics.enabled }} == "true" then metrics_args="--metrics-enabled --metrics-port={{ template "metrics_port" . }} --metrics-host=0.0.0.0" fi + # Check if onchain-permissioning for the node is enabled and set 'permissioning_args' with permissioning-related configuration. 
if {{ $.Values.node.permissioning.enabled }} == "true" then permissioning_args="--permissions-accounts-contract-enabled --permissions-accounts-contract-address=0x0000000000000000000000000000000000008888 --permissions-nodes-contract-enabled --permissions-nodes-contract-address=0x0000000000000000000000000000000000009999 --permissions-nodes-contract-version=2" args="--rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,DEBUG,ADMIN,WEB3,PERM --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}" fi + # Execute the Besu node with the configured options. exec /opt/besu/bin/besu \ --identity={{ .Values.node.name }} \ --discovery-enabled=false \ @@ -219,7 +256,7 @@ spec: --Xdns-update-enabled=true \ $args \ $tls_args \ - $metrics_args + $metrics_args $permissioning_args ports: - name: json-rpc @@ -249,9 +286,9 @@ spec: mountPath: /secrets readOnly: true - name: {{ .Values.node.name }}-pv - mountPath: {{ .Values.node.mountPath }} + mountPath: {{ .Values.node.mountPath }} restartPolicy: Always - volumeClaimTemplates: + volumeClaimTemplates: - metadata: name: {{ .Values.node.name }}-pv labels: @@ -262,7 +299,6 @@ spec: {{- end }} {{- end }} {{- end }} - spec: storageClassName: {{ .Values.storage.storageclassname }} accessModes: [ "ReadWriteOnce" ] diff --git a/platforms/hyperledger-besu/charts/tessera_key_mgmt/templates/job.yaml b/platforms/hyperledger-besu/charts/tessera_key_mgmt/templates/job.yaml index 403e405528d9..bd9d417f72ec 100644 --- a/platforms/hyperledger-besu/charts/tessera_key_mgmt/templates/job.yaml +++ b/platforms/hyperledger-besu/charts/tessera_key_mgmt/templates/job.yaml 
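Review bot: When `permissioning.enabled` is true the branch rebuilds `args` with the IBFT API list regardless of `$CONSENSUS`, so on a qbft network QBFT is dropped from `--rpc-http-api` as soon as permissioning is switched on; building the API list once and appending `PERM` removes the duplicated argument string. The three added comments describe `if {{ $.Values.node.tls }} == "true"` and its siblings as checks, but with no `[ ]` the rendered value is executed as a command (`true == "true"`), which only works because `true` and `false` are programs; `if [ "{{ $.Values.node.tls }}" = "true" ]` is an actual test and also tolerates an unset value. The `exec /opt/besu/bin/besu` call continues outside the hunk.
```sh
# … unchanged: static-nodes.json and genesis setup …
# Build the RPC API list once; the permissioning branch only appends PERM
if [ "$CONSENSUS" = "qbft" ]; then
  rpc_api="ETH,NET,QBFT,DEBUG,ADMIN,WEB3"
else
  rpc_api="ETH,NET,IBFT,DEBUG,ADMIN,WEB3"
fi
if [ "{{ $.Values.node.tls }}" = "true" ]
then
  tls_args="--privacy-tls-enabled --privacy-tls-keystore-file=/secrets/keystore.pkcs12 --privacy-tls-keystore-password-file=/secrets/keystore_password"
fi
if [ "{{ $.Values.metrics.enabled }}" = "true" ]
then
  metrics_args="--metrics-enabled --metrics-port={{ template "metrics_port" . }} --metrics-host=0.0.0.0"
fi
if [ "{{ $.Values.node.permissioning.enabled }}" = "true" ]
then
  rpc_api="${rpc_api},PERM"
  permissioning_args="--permissions-accounts-contract-enabled --permissions-accounts-contract-address=0x0000000000000000000000000000000000008888 --permissions-nodes-contract-enabled --permissions-nodes-contract-address=0x0000000000000000000000000000000000009999 --permissions-nodes-contract-version=2"
fi
args="--rpc-http-enabled --rpc-http-api=${rpc_api} --rpc-ws-enabled --rpc-ws-api=ETH,NET,WEB3 --p2p-port {{ .Values.node.ports.p2p }} --rpc-http-port {{ .Values.node.ports.rpc }} --rpc-ws-port={{ .Values.node.ports.ws }}"
# … unchanged: exec /opt/besu/bin/besu … (continues outside the hunk)
```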
@@ -53,39 +53,44 @@ spec: name: bevel-vault-script defaultMode: 0777 initContainers: - - name: "fetch-vault-token" - image: "{{ $.Values.image.alpineutils }}" - env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: VAULT_SECRET_ENGINE - value: {{ $.Values.vault.secretengine }} - - name: VAULT_KEY_PREFIX - value: "{{ $.Values.vault.keyprefix }}" - - name: PEER_NAME - value: {{ $.Values.peer.name }} - - name: KUBERNETES_AUTH_PATH - value: {{ $.Values.vault.authpath }} - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: VAULT_SECRET_PREFIX - value: "{{ $.Values.vault.tmprefix }}" - - name: VAULT_TYPE - value: "{{ $.Values.vault.type }}" - command: ["sh", "-c"] - args: - - |- - . /scripts/bevel-vault.sh - echo "Getting the vault Token..." - vaultBevelFunc 'init' + - name: "fetch-vault-token" + image: "{{ $.Values.image.alpineutils }}" + env: + - name: VAULT_ADDR + value: {{ $.Values.vault.address }} + - name: VAULT_SECRET_ENGINE + value: {{ $.Values.vault.secretengine }} + - name: VAULT_KEY_PREFIX + value: "{{ $.Values.vault.keyprefix }}" + - name: PEER_NAME + value: {{ $.Values.peer.name }} + - name: KUBERNETES_AUTH_PATH + value: {{ $.Values.vault.authpath }} + - name: VAULT_APP_ROLE + value: {{ $.Values.vault.role }} + - name: VAULT_SECRET_PREFIX + value: "{{ $.Values.vault.tmprefix }}" + - name: VAULT_TYPE + value: "{{ $.Values.vault.type }}" + command: ["sh", "-c"] + args: + - |- + + # Source the bevel-vault.sh script, contains functions to perform the Vault-CURD operations + . /scripts/bevel-vault.sh + + # Get the Vault token + echo "Getting the vault Token..." + vaultBevelFunc 'init' - echo $VAULT_TOKEN > /secret/VAULT_CLIENT_TOKEN - volumeMounts: - - name: vault-token - mountPath: /secret - - name: scripts-volume - mountPath: /scripts/bevel-vault.sh - subPath: bevel-vault.sh + # Store the value of the 'VAULT_TOKEN' variable in a secret location, which can be accessed later. 
+ echo $VAULT_TOKEN > /secret/VAULT_CLIENT_TOKEN + volumeMounts: + - name: vault-token + mountPath: /secret + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh containers: - name: "tessera-crypto" image: "{{ $.Values.image.repository }}" @@ -108,11 +113,12 @@ spec: command: ["sh", "-c"] args: - |- + # Get the vault client token export HASHICORP_TOKEN=$(cat /secret/VAULT_CLIENT_TOKEN) # Generate tessera keys /tessera/bin/tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl ${VAULT_ADDR} -keygenvaultsecretengine ${VAULT_SECRET_ENGINE} -filename ${VAULT_KEY_PREFIX}/${PEER_NAME}/tm volumeMounts: - - name: vault-token - mountPath: /secret + - name: vault-token + mountPath: /secret diff --git a/platforms/hyperledger-besu/configuration/README.md b/platforms/hyperledger-besu/configuration/README.md deleted file mode 100644 index fc54b858be00..000000000000 --- a/platforms/hyperledger-besu/configuration/README.md +++ /dev/null 
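Review bot: The new comment `# Store the value of the 'VAULT_TOKEN' variable in a secret location, which can be accessed later.` overstates what the line does: `echo $VAULT_TOKEN > /secret/VAULT_CLIENT_TOKEN` writes the token in clear to the `vault-token` volume mounted at `/secret`, and the volume definition lies outside the hunk, so whether that is a Kubernetes Secret or an emptyDir cannot be read here; `# Write the Vault client token to the shared vault-token volume for the tessera-crypto container` says exactly what is visible. The context line `defaultMode: 0777` mounts `bevel-vault.sh` world-writable although the script is only sourced; ConfigMap mounts are read-only in practice, so the mode is mostly nominal, but `0555` documents the least-privilege intent.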
@@ -1,61 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -# Hyperledger Besu Configuration -This configuration folder contains Ansible playbooks and their corresponding roles, which are used to deploy Hyperledger Besu on Managed Kubernetes Cluster(s). - - -## Approaches -There are two approaches to deploy a DLT network using Hyperledger Bevel: -- Use a machine to deploy and manage the DLT network. This is recommended for production environments, and requires manual setup of Ansible, and other required libraries/tools for setting up the controller machine. More info on setting up this machine is found [here](https://hyperledger-bevel.readthedocs.io/en/latest/operations/configure_prerequisites.html#ansible-inventory-file). -- Use the 'Hyperledger Bevel Build container' to create a containerized Ansible controller from which to deploy/manage your networks. This is recommended for development instances, as it is an easy way to build the required base environment for Hyperledger Bevel deployment. More info can be found [here](https://hyperledger-bevel.readthedocs.io/en/latest/developer/docker-build.html). - -## Installation pre-requisites -Hyperledger Bevel requires tools such as Kubernetes, Git (repository), Vault and more to be installed. -For more information on the installation pre-requisites, please refer to [this guide](https://hyperledger-bevel.readthedocs.io/en/latest/prerequisites.html). - -## Configuration pre-requisites -For each organization in the DLT network you need to set up the following: -1. One Managed Kubernetes cluster; Hyperledger Bevel is currently tested on Amazon EKS, which means you will need AWS CLI set up as well. -2. 
A Hashicorp Vault installation for each organization which is initialized and unsealed. The Vault Address should be accessible from this machine (where the playbook is run) and the Kubernetes cluster. The Vault root token is used in the network configuration, so this should be available as well. -3. A Git User with write access to all the branches in the chosen Git repository; as well as an access token. -4. The network configuration file (`network.yaml`) which has been filled in according to your requirements. Sample `network.yaml`s for Hyperledger Besu can be found in [this folder](./samples/). - -For other general pre-quisites, such as Docker images, Ambassador and DNS setup, please refer to the ['Configure Pre-requisites' guide](https://hyperledger-bevel.readthedocs.io/en/latest/operations/configure_prerequisites.html). - -## Execution -### Step 1 -Ensure that the `network.yaml` is edited properly and saved. Follow the guidance on our [docs for Hyperledger Besu `network.yaml`](https://hyperledger-bevel.readthedocs.io/en/latest/operations/besu_networkyaml.html). - -### Step 2 -Execute the playbook by running the command below - executed from the root of the project: -``` -ansible-playbook platforms/shared/configuration/site.yaml -e "@/path/to/network-besu.yaml" -``` -The [platforms/shared/configuration/site.yaml](../../shared/configuration/site.yaml) is the main playbook which does basic environment setup, configures the Kubernetes cluster and then calls platform specific deployment playbooks. - -You can also only run the platform specific deployment playbooks by running the command below (after the prerequisites have been installed) - executed from the root of the project: -``` -ansible-playbook platforms/hyperledger-besu/deploy-network.yaml -e "@/path/to/network-besu.yaml" -``` - -### Step 3 -After your Ansible command has completed. your nodes or the participants in the Hyperledger Besu network should be up and running. 
We are working on a verification document for Hyperledger Besu. - -## Miscellaneous - -1. `./openssl.conf`: This is the configuration file used to generate the Root CA certificates for Besu-CA. - -2. If you want to reset the network, i.e. delete all created resources while setting up the Hyperledger Besu network, then run the following command from the root folder of the project: - ``` - # Call the shared playbook with `reset=true` which will first clean up the configuration (Helm, Kubernetes, Vault) and then reset the network - ansible-playbook platforms/shared/configuration/site.yaml -e "@/path/to/network-besu.yaml" -e "reset=true" - ``` - ``` - # Directly call the platform-specific reset playbook - ansible-playbook platforms/hyperledger-besu/reset-network.yaml -e "@/path/to/network-besu.yaml" - ``` -3. You can maintain separate `network.yaml`'s for separate environments (different amount of organizations, different configuration, etc.). - diff --git a/platforms/hyperledger-besu/configuration/add-validator.yaml b/platforms/hyperledger-besu/configuration/add-validator.yaml index d9b3109afb01..42eaa120eb72 100644 --- a/platforms/hyperledger-besu/configuration/add-validator.yaml +++ b/platforms/hyperledger-besu/configuration/add-validator.yaml 
@@ -1,149 +1,164 @@ -############################################################################################## +################################################################################################################################## # Copyright Accenture. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 -############################################################################################## +################################################################################################################################## # This playbook adds a new validator org / validator to a DLT network on existing Kubernetes clusters # The Kubernetes clusters should already be created and the infomation to connect to the -# clusters be updated in the network.yaml file that is used as an input to this playbook -########################################################################################### +# clusters be updated in the network.yaml file that is used as an input to this playbook + +################################################################################################################################## + # To Run this playbook from this directory, use the following command (network.yaml also in this directory) -# ansible-playbook add-validator.yaml -e "@./network.yaml" # "add_new_org='true'" (for adding a new validator organization) -# ansible-playbook add-validator.yaml -e "@./network.yaml" # (for adding just a validator node) -############################################################################################ -# Please ensure that the ../../shared/configuration playbooks have been run and a DLT network exists. 
+# ansible-playbook add-validator.yaml -e "@./network.yaml" # "add_new_org='true'" (for adding a new validator organization) +# ansible-playbook add-validator.yaml -e "@./network.yaml" # (for adding just a validator node) + +################################################################################################################################## + +# Note: Please ensure that the ../../shared/configuration playbooks have been run and a DLT network exists. + +################################################################################################################################## + --- +# This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group - hosts: ansible_provisioners gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" - tasks: - # delete build directory - - name: Remove build directory - file: - path: "./build" - state: absent - - # Create namespaces and service accounts - - name: "Create namespace and service account" - include_role: - name: create/namespace - vars: - component_ns: "{{ org.name | lower }}-bes" - organisation: "{{ org.name | lower }}" - kubernetes: "{{ org.k8s }}" - gitops: "{{ org.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: add_new_org == 'true' - - # Create Storageclass - - name: Create Storage Class - include_role: - name: create/storageclass - vars: - org_name: "{{ org.name | lower }}" - cloudProvider: "{{ org.cloud_provider | lower }}" - sc_name: "{{ org_name }}-{{ cloudProvider }}-storageclass" - kubernetes: "{{ org.k8s }}" - region: "{{ org.k8s.region | default('eu-west-1') }}" - git_dir: "{{ org.gitops.release_dir }}" - charts_dir: "platforms/shared/charts" - platform_suffix: "bes" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: add_new_org == 'true' - - # Create Vault scrit as configmap for Vault CRUD operations - - name: setup vault script - include_role: - name: "{{ playbook_dir 
}}/../../shared/configuration/roles/setup/vault-script" - vars: - component_ns: "{{ org.name | lower }}-bes" - kubernetes: "{{ org.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: add_new_org == 'true' - - # Setup Vault-Kubernetes accesses and Regcred for docker registry - - name: "Setup vault" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" - vars: - policy_type: "besu" - name: "{{ org.name | lower }}" - component_ns: "{{ org.name | lower }}-bes" - component_name: "{{ org.name | lower }}-vaultk8s-job" - component_auth: "besu{{ org.name | lower }}" - component_type: "{{ org.type | lower }}" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - gitops: "{{ org.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: add_new_org == 'true' - - # Installs cert-manager - - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/certmanager" - vars: - kubeconfig_path: "{{ item.k8s.config_file }}" - kubecontext: "{{ item.k8s.context }}" - aws: "{{ item.aws }}" - organization: "{{ item }}" - with_items: "{{ network.organizations }}" - when: - - network.env.proxy == 'ambassador' - - network.type == 'besu' - - # Generate Ambassador certificate for nodes. 
These certificates are used for tm tls as well - - name: "Create ambassador certificates for Nodes" - include_role: - name: create/certificates/ambassador - vars: - root_subject: "{{ network.config.subject }}" - cert_subject: "{{ network.config.subject | regex_replace(',', '/') }}" - services: "{{ org.services }}" - organisation: "{{ org.name | lower }}" - component_ns: "{{ org.name | lower }}-bes" - component_name: "{{ org.name | lower }}" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - gitops: "{{ org.gitops }}" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" - loop: "{{ network['organizations']}}" - loop_control: - loop_var: org - - # This role generates the admin PPK for permissioning - - name: Generate admin key for permissioning - include_role: - name: create/crypto/key_generation - vars: - build_path: "{{ playbook_dir }}/build" - component_ns: "{{ org.name | lower }}-bes" - vault: "{{ org.vault }}" - user: "admin" - loop: "{{ network['organizations'] }}" - loop_control: + tasks: + # delete build directory + - name: Remove build directory + file: + path: "./build" + state: absent + + # Create namespaces and service accounts + - name: "Create namespace and service account" + include_role: + name: create/namespace + vars: + component_ns: "{{ org.name | lower }}-bes" + organisation: "{{ org.name | lower }}" + kubernetes: "{{ org.k8s }}" + gitops: "{{ org.gitops }}" + loop: "{{ network['organizations'] }}" + loop_control: loop_var: org - when: network.permissioning.enabled is defined and network.permissioning.enabled == true - - # This role generates the enode for the new validators and its acceptance for the network - - name: "Generates new validator materials and voting for its acceptance" - include_role: - name: create/validator_node - vars: - build_path: "./build" - when: network.config.consensus == 'ibft' or network.config.consensus == 'qbft' - - vars: 
#These variables can be overriden from the command line - install_os: "linux" #Default to linux OS - install_arch: "amd64" #Default to amd64 architecture - bin_install_dir: "~/bin" #Default to /bin install directory for binaries - add_new_org: 'false' #Default for this playbook is false + when: add_new_org == 'true' + + # Create Storageclass + - name: Create Storage Class + include_role: + name: create/storageclass + vars: + org_name: "{{ org.name | lower }}" + cloudProvider: "{{ org.cloud_provider | lower }}" + sc_name: "{{ org_name }}-{{ cloudProvider }}-storageclass" + kubernetes: "{{ org.k8s }}" + region: "{{ org.k8s.region | default('eu-west-1') }}" + git_dir: "{{ org.gitops.release_dir }}" + charts_dir: "platforms/shared/charts" + platform_suffix: "bes" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: add_new_org == 'true' + + # Create Vault scrit as configmap for Vault CRUD operations + - name: setup vault script + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault-script" + vars: + component_ns: "{{ org.name | lower }}-bes" + kubernetes: "{{ org.k8s }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: add_new_org == 'true' + + # Setup Vault-Kubernetes accesses and Regcred for docker registry + - name: "Setup vault" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" + vars: + policy_type: "besu" + name: "{{ org.name | lower }}" + component_ns: "{{ org.name | lower }}-bes" + component_name: "{{ org.name | lower }}-vaultk8s-job" + component_auth: "besu{{ org.name | lower }}" + component_type: "{{ org.type | lower }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + gitops: "{{ org.gitops }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: add_new_org == 'true' + + # Installs cert-manager + - include_role: + name: "{{ playbook_dir 
}}/../../shared/configuration/roles/setup/certmanager" + vars: + kubeconfig_path: "{{ item.k8s.config_file }}" + kubecontext: "{{ item.k8s.context }}" + aws: "{{ item.aws }}" + organization: "{{ item }}" + with_items: "{{ network.organizations }}" + when: + - network.env.proxy == 'ambassador' + - network.type == 'besu' + + # Generate Ambassador certificate for nodes. These certificates are used for tm tls as well + - name: "Create ambassador certificates for Nodes" + include_role: + name: create/certificates/ambassador + vars: + root_subject: "{{ network.config.subject }}" + cert_subject: "{{ network.config.subject | regex_replace(',', '/') }}" + services: "{{ org.services }}" + organisation: "{{ org.name | lower }}" + component_ns: "{{ org.name | lower }}-bes" + component_name: "{{ org.name | lower }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + gitops: "{{ org.gitops }}" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" + loop: "{{ network['organizations']}}" + loop_control: + loop_var: org + + # This role generates the admin PPK for permissioning + - name: Generate admin key for permissioning + include_role: + name: create/crypto/key_generation + vars: + build_path: "{{ playbook_dir }}/build" + component_ns: "{{ org.name | lower }}-bes" + vault: "{{ org.vault }}" + user: "admin" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: network.permissioning.enabled is defined and network.permissioning.enabled == true + + # This role generates the enode for the new validators and its acceptance for the network + - name: "Generates new validator materials and voting for its acceptance" + include_role: + name: create/validator_node + vars: + build_path: "./build" + component_ns: "{{ orgItem.name | lower }}-bes" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: orgItem + when: + - network.config.consensus == 'ibft' or 
network.config.consensus == 'qbft' + - add_new_org == 'true' + + # These variables can be overriden from the command line + vars: + install_os: "linux" # Default to linux OS + install_arch: "amd64" # Default to amd64 architecture + bin_install_dir: "~/bin" # Default to /bin install directory for binaries + add_new_org: 'false' # 'add_new_org' flag, defaults to false when not defined. diff --git a/platforms/hyperledger-besu/configuration/cleanup.yaml b/platforms/hyperledger-besu/configuration/cleanup.yaml index 8df379fdc391..e772d4c25864 100644 --- a/platforms/hyperledger-besu/configuration/cleanup.yaml +++ b/platforms/hyperledger-besu/configuration/cleanup.yaml @@ -8,11 +8,14 @@ # using Hyperledger Bevel. # Please use the same network.yaml to run this playbook as used for deploy-network.yaml -################################################## +############################################################################################## + # Playbook to cleanup platform specific resources -################################################## + +############################################################################################## + --- - # This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group +# This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group - hosts: ansible_provisioners gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" 
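Review bot: The new `when:` on the "Generates new validator materials and voting for its acceptance" task adds `- add_new_org == 'true'`, which disables validator generation in the "adding just a validator node" mode that the header comment in this same hunk still advertises (`ansible-playbook add-validator.yaml -e "@./network.yaml" # (for adding just a validator node)`); with the default `add_new_org: 'false'` the only tasks left to run are the build-dir removal, cert-manager, the Ambassador certificates and the admin key. Unless the single-node case is handled by create/validator_node from somewhere not visible here, either drop that condition or rewrite the header comment so the documented modes match what the play does. The same task now loops over every organization with `loop_var: orgItem` while every other task in the play uses `loop_var: org`; if the role body references `org` as the sibling roles do, it would be undefined inside this loop, so confirm the role reads `orgItem`, and consider a `- orgItem.type == 'validator'` condition if the role is not meant to run for member organizations. Minor: `# Create Vault scrit as configmap` and `overriden` are typos carried onto the new side.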
@@ -49,8 +52,9 @@ file: path: "./build" state: absent - vars: #These variables can be overriden from the command line - privilege_escalate: false #Default to NOT escalate to root privledges - install_os: "linux" #Default to linux OS - install_arch: "amd64" #Default to amd64 architecture - bin_install_dir: "~/bin" #Default to /bin install directory for binaries + # These variables can be overriden from the command line + vars: + privilege_escalate: false # Default to NOT escalate to root privledges + install_os: "linux" # Default to linux OS + install_arch: "amd64" # Default to amd64 architecture + bin_install_dir: "~/bin" # Default to /bin install directory for binaries diff --git a/platforms/hyperledger-besu/configuration/generate-crypto.yaml b/platforms/hyperledger-besu/configuration/generate-crypto.yaml index 641d989f5fff..c47664e2a7c3 100644 --- a/platforms/hyperledger-besu/configuration/generate-crypto.yaml +++ b/platforms/hyperledger-besu/configuration/generate-crypto.yaml 
@@ -4,134 +4,138 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +--- +# This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group - hosts: ansible_provisioners gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" tasks: - # delete build directory - - name: Remove build directory - file: - path: "./build" - state: absent + # delete build directory + - name: Remove build directory + file: + path: "./build" + state: absent - # Create namespaces and service accounts - - name: "Create namespace and service account" - include_role: - name: create/namespace - vars: - component_ns: "{{ org.name | lower }}-bes" - organisation: "{{ org.name | lower }}" - kubernetes: "{{ org.k8s }}" - gitops: "{{ org.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - - # Create Storageclass - - name: Create Storage Class - include_role: - name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" - vars: - org_name: "{{ org.name | lower }}" - cloudProvider: "{{ org.cloud_provider | lower }}" - sc_name: "{{ org_name }}-{{ cloudProvider }}-storageclass" - git_dir: "{{ org.gitops.release_dir }}" - charts_dir: "platforms/shared/charts" - org: "{{ org }}" - kubernetes: "{{ org.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org + # Create namespaces and service accounts + - name: "Create namespace and service account" + include_role: + name: create/namespace + vars: + component_ns: "{{ org.name | lower }}-bes" + organisation: "{{ org.name | lower }}" + kubernetes: "{{ org.k8s }}" + gitops: "{{ org.gitops }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org - # Setup Vault-Kubernetes accesses and Regcred for docker registry - - name: "Setup vault" - include_role: - name: "{{ playbook_dir 
}}/../../shared/configuration/roles/setup/vault_kubernetes" - vars: - policy_type: "besu" - name: "{{ org.name | lower }}" - component_ns: "{{ org.name | lower }}-bes" - component_name: "{{ org.name | lower }}-vaultk8s-job" - component_auth: "besu{{ org.name | lower }}" - component_type: "organization" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - gitops: "{{ org.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org + # Create Storageclass + - name: Create Storage Class + include_role: + name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" + vars: + org_name: "{{ org.name | lower }}" + cloudProvider: "{{ org.cloud_provider | lower }}" + sc_name: "{{ org_name }}-{{ cloudProvider }}-storageclass" + git_dir: "{{ org.gitops.release_dir }}" + charts_dir: "platforms/shared/charts" + org: "{{ org }}" + kubernetes: "{{ org.k8s }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org - # Generate Ambassador certificate for nodes. 
These certificates are used for tm tls as well - - name: "Create ambassador certificates for Nodes" - include_role: - name: create/certificates/ambassador - vars: - root_subject: "{{ network.config.subject }}" - cert_subject: "{{ network.config.subject | regex_replace(',', '/') }}" - services: "{{ org.services }}" - organisation: "{{ org.name | lower }}" - component_ns: "{{ org.name | lower }}-bes" - component_name: "{{ org.name | lower }}" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - charts_dir: "{{ org.gitops.chart_source }}" - gitops: "{{ org.gitops }}" - values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" - loop: "{{ network['organizations']}}" - loop_control: - loop_var: org + # Setup Vault-Kubernetes accesses and Regcred for docker registry + - name: "Setup vault" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" + vars: + policy_type: "besu" + name: "{{ org.name | lower }}" + component_ns: "{{ org.name | lower }}-bes" + component_name: "{{ org.name | lower }}-vaultk8s-job" + component_auth: "besu{{ org.name | lower }}" + component_type: "organization" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + gitops: "{{ org.gitops }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org - # This role generates key pair and nodeaddress for all orgs of the network - - name: "Generate crypto for the network nodes" - include_role: - name: create/crypto/node - vars: - build_path: "{{ playbook_dir }}/build" - organisation: "{{ org.name | lower }}" - organisation_ns: "{{ org.name | lower }}-bes" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - charts_dir: "{{ org.gitops.chart_source }}" - gitops: "{{ org.gitops }}" - values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" - loop: "{{ network['organizations']}}" - loop_control: - loop_var: org + # Generate Ambassador certificate for nodes. 
These certificates are used for tm tls as well + - name: "Create ambassador certificates for Nodes" + include_role: + name: create/certificates/ambassador + vars: + root_subject: "{{ network.config.subject }}" + cert_subject: "{{ network.config.subject | regex_replace(',', '/') }}" + services: "{{ org.services }}" + organisation: "{{ org.name | lower }}" + component_ns: "{{ org.name | lower }}-bes" + component_name: "{{ org.name | lower }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + charts_dir: "{{ org.gitops.chart_source }}" + gitops: "{{ org.gitops }}" + values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" + loop: "{{ network['organizations']}}" + loop_control: + loop_var: org - # This role generates the crypto materials for tessera tm - - name: "Generate crypto for the Tessera transaction manager" - include_role: - name: create/crypto/tessera - vars: - build_path: "{{ playbook_dir }}/build" - component_ns: "{{ org.name }}-bes" - kubernetes: "{{ org.k8s }}" - vault: "{{ org.vault }}" - gitops: "{{ org.gitops }}" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: - - org.type == 'member' - - network.config.transaction_manager == 'tessera' + # Generates key pair and nodeaddress for all orgs of the network + - name: "Generate crypto for the network nodes" + include_role: + name: create/crypto/node + vars: + build_path: "{{ playbook_dir }}/build" + organisation: "{{ org.name | lower }}" + organisation_ns: "{{ org.name | lower }}-bes" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + charts_dir: "{{ org.gitops.chart_source }}" + gitops: "{{ org.gitops }}" + values_dir: "{{ playbook_dir }}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" + loop: "{{ network['organizations']}}" + loop_control: + loop_var: org - - name: Generate admin key for 
permissioning - include_role: - name: create/crypto/key_generation - vars: - build_path: "{{ playbook_dir }}/build" - component_ns: "{{ org.name | lower }}-bes" - vault: "{{ org.vault }}" - user: "admin" - loop: "{{ network['organizations'] }}" - loop_control: + # Generates the crypto materials for tessera tm + - name: "Generate crypto for the Tessera transaction manager" + include_role: + name: create/crypto/tessera + vars: + build_path: "{{ playbook_dir }}/build" + component_ns: "{{ org.name }}-bes" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + gitops: "{{ org.gitops }}" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" + loop: "{{ network['organizations'] }}" + loop_control: loop_var: org - when: network.permissioning.enabled is defined and network.permissioning.enabled == true + when: + - org.type == 'member' + - network.config.transaction_manager == 'tessera' + + # Generate admin key for permissioning + - name: Generate admin key for permissioning + include_role: + name: create/crypto/key_generation + vars: + build_path: "{{ playbook_dir }}/build" + component_ns: "{{ org.name | lower }}-bes" + vault: "{{ org.vault }}" + user: "admin" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: network.permissioning.enabled is defined and network.permissioning.enabled == true - vars: #These variables can be overriden from the command line - install_os: "linux" #Default to linux OS - install_arch: "amd64" #Default to amd64 architecture - bin_install_dir: "~/bin" #Default to /bin install directory for binaries - add_new_org: false + #These variables can be overriden from the command line + vars: + install_os: "linux" # Default to linux OS + install_arch: "amd64" # Default to amd64 architecture + bin_install_dir: "~/bin" # Default to /bin install directory for binaries + add_new_org: false # 'add_new_org' flag, defaults to false when not defined. 
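Review bot: The trailer comment is written `#These variables can be overriden from the command line`, without the space after `#` that the identical comment received in add-validator.yaml and cleanup.yaml in this commit, and `overriden` is misspelled; `# These variables can be overridden from the command line`. The new comment on `add_new_org: false` is the same wording as in add-validator.yaml, but there the default is the string `'false'` and the tasks compare it with `== 'true'`, whereas here it is the boolean `false` and, as far as this hunk shows, no task reads it; either align the type and comment with add-validator.yaml or drop the variable from this playbook if it is unused.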
diff --git a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/Readme.md deleted file mode 100644 index f6daa70f478c..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/Readme.md +++ /dev/null 
@@ -1,62 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/certificates/ambassador -This role generates certificates for ambassador and places them in vault. Certificates are created using openssl.This also creates the Kubernetes secrets - -### Tasks -(Variables with * are fetched from the playbook which is calling this role) -#### 1. Call nested_main for each node in an organisation -This task calls nested_main -##### Input Variables - *node_name: Name of the node -**include_tasks**: It includes the name of intermediary task which is required for creating the ambassador certificates. -**loop**: loops over all the node in an organisation -**loop_control**: Specifies the condition for controlling the loop. - - loop_var: loop variable used for iterating over the loop. - ---------------- - -### nested_main.yaml -This task initaiates the nested_main role for each node in the organisation -### Tasks -#### 1. Ensure ambassador tls dir exists -This tasks checks if the ambassador tls dir already created or not. -##### Input Variables - - path: The path to the directory is specified here. - recurse: Yes/No to recursively check inside the path specified. - -#### 2. Create ambassador certs helmrelease file -This task creates ambassador certs helmrelease file by calling the create/helm_component role -##### Input Variables - - *component_name: "The name of the component" - *name: "{{ node_name }}" - *external_url_suffix: "External url of the organization" - *tm_clientport: "Contains the port obtained from network.yaml or the default value if tm_clientport not defined" - *tls_enabled: "Contains the option fetched from network.yaml. 
Options are True and False" - type: "ambassador_besu" - -**include_role**: It includes the name of intermediatory role which is required for creating the helm value file, here create/helm_component - -#### 3. Git Push -This task pushes the above generated value files to git repo. -##### Input Variables - GIT_DIR: "The path of directory which needs to be pushed" - msg: "Message for git commit" -**include_role**: It includes the name of intermediatory role which is required for pushing the value file to git repository. - -#### 4. Create the Ambassador credentials -This task creates the Ambassador TLS credentials -##### Input Variables - *namespace: "Namespace of org , Format: {{ org.name | lower }}-bes" - *vault: "Vault Details" - *kubernetes: "{{ org.k8s }}" -**include_role**: It includes the name of intermediatory role which is required for creating the secrets, here `k8s_secrets`. - -#### Note: -vars folder has environment variable for ambassador role. diff --git a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/main.yaml index 16b6ead5eb77..9a2ff4592f02 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/main.yaml @@ -4,9 +4,10 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This role calls for ambassador certificate creation for each node. +# This role creates Ambassador certificates for each node. + --- -# Checks if ClusterIssuer is installed +# Check if the ClusterIssuer is installed - name: check ClusterIssuer status kubernetes.core.k8s_info: kubeconfig: "{{ kubernetes.config_file }}" 
@@ -14,7 +15,7 @@ name: letsencrypt-prod register: clusterissuer -# Checks if Mapping for acme is installed +# Check if the Mapping for ACME (Automated Certificate Management Environment) is installed - name: check Mapping for acme kubernetes.core.k8s_info: kubeconfig: "{{ kubernetes.config_file }}" @@ -22,7 +23,7 @@ name: "acme-challenge-mapping-{{ component_ns }}" register: acmemapping -# Checks if challenge service for mapping is created +# Check if the challenge service for the ACME mapping is created - name: check challenge service for acme kubernetes.core.k8s_info: kubeconfig: "{{ kubernetes.config_file }}" @@ -31,7 +32,7 @@ namespace: "{{ component_ns }}" register: acmechallengeservice -# Delete challenge for acme +# Delete the ACME challenge service if it exists - name: delete acme challenge service kubernetes.core.k8s: kubeconfig: "{{ kubernetes.config_file }}" @@ -43,7 +44,7 @@ when: - acmechallengeservice.resources[0] is defined -# Delete mapping for acme +# Delete the Mapping for ACME if it exists - name: delete mapping for acme kubernetes.core.k8s: kubeconfig: "{{ kubernetes.config_file }}" @@ -55,7 +56,7 @@ when: - acmemapping.resources[0] is defined -# Delete clusterissuer +# Delete the ClusterIssuer if it exists - name: delete clusterissuer kubernetes.core.k8s: kubeconfig: "{{ kubernetes.config_file }}" 
@@ -67,14 +68,14 @@ when: - clusterissuer.resources[0] is defined -# Installs clusterissuer helm chart +# Install the ClusterIssuer Helm chart if the organization's issuer is "letsencrypt" - name: Install ClusterIssuer shell: | KUBECONFIG={{ kubernetes.config_file }} helm upgrade --install letsencrypt-clusterissuer --set namespace="{{ component_ns }}" --set email="{{ gitops.email }}" {{ playbook_dir }}/../../../platforms/shared/charts/letsencrypt-issuer when: - (org.issuer is defined) and (org.issuer|lower == "letsencrypt") -# Checks if ClusterIssuer is up and ready +# Check if the ClusterIssuer is up and ready, and wait for it to be ready - name: check for an existing ClusterIssuer and wait for it to be ready kubernetes.core.k8s_info: kubeconfig: "{{ kubernetes.config_file }}" @@ -86,7 +87,8 @@ until: cissuer.resources[0].status.conditions[0].status|lower == "true" when: - (org.issuer is defined) and (org.issuer|lower == "letsencrypt") - + +# Create Ambassador certificates for each node using a nested task - name: Create Ambassador certificates include_tasks: nested_main.yaml vars: diff --git a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/nested_main.yaml b/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/nested_main.yaml index ae940baa8c7b..4c5060dd1d97 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/nested_main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/certificates/ambassador/tasks/nested_main.yaml 
@@ -4,25 +4,25 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This role generates certificates for rootca and ambassador -# and places them in vault. Certificates are created using openssl +# This role generates certificates for rootCA (Certificate Authority) and Ambassador. +# and then, places them in a vault. The Certificates are created using OpenSSL. --- -# Ensures the ambassador tls directory +# Ensure the existence of the Ambassador TLS directory - name: "Ensure ambassadortls dir exists" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" vars: path: "{{ ambassadortls }}" -# Creates TLS certificate -- name: Create TLS certificate +# Generate a TLS certificate for the specified node using Helm and letsencrypt issuer. +- name: "Create TLS certificate" shell: | KUBECONFIG={{ kubernetes.config_file }} helm upgrade --install "letsencrypt-cert-{{node_name}}" --set nodename="{{ node_name }}" --set namespace="{{ component_ns }}" --set externalurlsuffix="{{ org.external_url_suffix }}" {{ playbook_dir }}/../../../platforms/shared/charts/letsencrypt-cert when: - (org.issuer is defined) and (org.issuer|lower == "letsencrypt") -# Create ambassador certs helmrelease file +# Create an Ambassador Certs HelmRelease file for certificate management - name: "Create ambassador certs helmrelease file" include_role: name: create/helm_component @@ -36,7 +36,7 @@ when: - (org.issuer is undefined) or (org.issuer|lower == "default") -# push the created deployment files to repository +# push the created deployment files to a Git repository - name: "Push the created deployment files to repository" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" 
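Review bot: The rewritten header comment splits one sentence with a stray full stop — `# ... rootCA (Certificate Authority) and Ambassador.` followed by `# and then, places them in a vault.` — and its claims do not match the tasks in this hunk: the `Create TLS certificate` task obtains the certificate via `helm upgrade --install` with the letsencrypt-cert chart, and the default-issuer path goes through a create/helm_component HelmRelease plus a git push, so neither OpenSSL nor a direct Vault write is visible here (the `Create the Ambassador credentials` k8s_secrets step at the end of the file may be where Vault is involved, but it is outside this hunk). Suggest `# This role obtains an Ambassador TLS certificate for each node, either through the letsencrypt ClusterIssuer (helm) or through the ambassador certs HelmRelease job, and then creates the Ambassador credentials.` and verify the OpenSSL and Vault statements before keeping them. The `Create TLS certificate` shell task also interpolates `{{ node_name }}` and `{{ org.external_url_suffix }}` inside a double-quoted shell string, so values from network.yaml must stay free of shell metacharacters; applying the `quote` filter to both would make that explicit.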
@@ -44,8 +44,8 @@
 GIT_DIR: "{{ playbook_dir }}/../../../"
 msg: "[ci skip] Pushing ambassador job files for {{ component_ns }}"
 
-# Check if ambassador certs job is completed
-- name: Check if ambassador certs job is completed
+# Check if the Ambassador certs job is completed
+- name: "Check if ambassador certs job is completed"
 include_role:
 name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
 vars:
@@ -55,7 +55,7 @@
 when:
 - (org.issuer is undefined) or (org.issuer|lower == "default")
 
-# This task creates the Ambassador TLS credentials
+# Creates the Ambassador TLS credentials
 - name: "Create the Ambassador credentials"
 include_role:
 name: create/k8s_secrets
diff --git a/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/README.md b/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/README.md
deleted file mode 100644
index 5e28f42ad189..000000000000
--- a/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/README.md
+++ /dev/null
@@ -1,12 +0,0 @@
-[//]: # (##############################################################################################)
-[//]: # (Copyright Walmart Inc. All Rights Reserved.)
-[//]: # (SPDX-License-Identifier: Apache-2.0)
-[//]: # (##############################################################################################)
-
-## ROLE: create/key_generation
-This role generates public and private for each organization and store it to vault.
-##### Input Variables
- *component_ns: Organization namespace
- *vault: Vault uri and token read from network.yaml
- *build_path: Path to the build directory
- *user: Name using which keys will be stored in vault
diff --git a/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/tasks/main.yaml
index 515df887625c..934a4ec1af2e 100644
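Review bot: The new comment `# Creates the Ambassador TLS credentials` in the second hunk is in the third person while the first hunk and most of this commit rewrite comments in the imperative (`# Check if the Ambassador certs job is completed`); `# Create the Ambassador TLS credentials` matches. The same mixed mood recurs in the new comments of crypto/node/tasks/main.yaml (`# Creates node key mgmt value file for each organization`), genesis/tasks/check_vault.yaml (`# Checks and keeps retrying for the crypto materials to be ready`), genesis/tasks/generate_extraData.yaml (`# Creates the rlp encoded string ...`), k8s_secrets/tasks/main.yaml (`# Checks if Ambassador credentials exist already`, `# creates the Ambassador TLS credentials`) and member_node/tasks/main.yaml (`# Checks for local genesis file`, `# Gets the genesis file ...`, `# Creates the Besu node value files ...`, `# Pushes the above generated files ...`). Since the commit makes these comments the roles' only documentation in place of the deleted READMEs, one convention across the roles is the substance of the change.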
--- a/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/tasks/main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/crypto/key_generation/tasks/main.yaml
@@ -4,15 +4,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
 
+---
+
+# Ensure the directory exists for storing keys
 - name: Ensure directory exists
 file:
 path: "{{ build_path }}/crypto/{{ user }}//{{ org.name }}"
 state: directory
 recurse: yes
 
-# check if key present in vault
-- name: Check the {{ user }} key of {{ org.name }} in Vault
+# Check if the key is present in Vault
+- name: Check if the {{ user }} key of {{ org.name }} is present in Vault
 shell: |
+ # Retrieve the public and private keys from Vault
 vault kv get -field=key_pub {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ user }} > "{{ build_path }}/crypto/{{ user }}/{{ org.name }}/key_pub"
 vault kv get -field=key {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ user }} > "{{ build_path }}/crypto/{{ user }}/{{ org.name }}/key"
 environment:
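Review bot: The `file:` task's `path: "{{ build_path }}/crypto/{{ user }}//{{ org.name }}"` keeps a doubled slash that the two `vault kv get` redirects below spell with a single one; the directory resolves the same on POSIX, but while the task is being re-documented it is worth writing `path: "{{ build_path }}/crypto/{{ user }}/{{ org.name }}"` so the three paths are textually identical. `recurse: yes` is a YAML 1.1 truthy spelling that yamllint flags; `recurse: true` is the portable form. The new in-script comment `# Retrieve the public and private keys from Vault` could also say why the task is allowed to fail, since the shell task continues past the end of this hunk into an `ignore_errors` whose purpose is exactly that: `# a failed read means the key pair does not exist yet; the next task generates it`.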
@@ -21,21 +25,24 @@
 register: vault_result
 ignore_errors: yes
 
+# Set a flag to generate keys if they are not found in Vault
 - set_fact:
 generate_key: True
 when: vault_result.failed is defined and vault_result.failed == True
 
-# generate ppk
-- name: Generate {{ user }} key for {{ org.name }}
+# Generate a public key
+- name: Generate {{ user }}'s public key for {{ org.name }}
 shell: |
+ # Generate a public key and move it to the specified location
 {{ bin_install_dir }}/besu/besu-{{ network.version }}/besu public-key export-address --to={{ build_path }}/crypto/{{ user }}/{{ org.name }}/key_pub
 mv {{ bin_install_dir }}/besu/key {{ build_path }}/crypto/{{ user }}/{{ org.name }}/key
 register: output
 when: generate_key is defined and generate_key == True
 
-# Store the keys in vault at {{org}}/crypto/{{user}}.
-- name: Copy the {{ user }} key to Vault
+# Store the public and private keys in Vault
+- name: Store the {{ user }}'s public and private keys in Vault
 shell: |
+ # Store the public and private keys in Vault
 vault kv put {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ user }} key="$(cat {{ build_path }}/crypto/{{ user }}/{{ org.name }}/key)" key_pub="$(cat {{ build_path }}/crypto/{{ user }}/{{ org.name }}/key_pub)"
 environment:
 VAULT_ADDR: "{{ vault.url }}"
diff --git a/platforms/hyperledger-besu/configuration/roles/create/crypto/node/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/crypto/node/tasks/main.yaml
index 0baced1c04c6..dd55ba453573 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/crypto/node/tasks/main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/crypto/node/tasks/main.yaml
@@ -9,7 +9,7 @@
 set_fact:
 node_list: []
 
-# This task delete the previously created release file
+# Delete the previously created release file
 - name: Delete release file {{ organisation }}-node-key-mgmt
 file:
 path: "{{ values_dir }}/{{ organisation }}/{{ organisation }}-node-key-mgmt.yaml"
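Review bot: The new comment `# Generate a public key` and task name `Generate {{ user }}'s public key for {{ org.name }}` do not match the command beneath them: `besu public-key export-address` writes the node address derived from the key into `key_pub`, and the following `mv` relocates the private key that besu created at `{{ bin_install_dir }}/besu/key`, so what the task does is generate a fresh key pair. A comment such as `# Generate a new node key pair: export-address writes the address to key_pub, then move the private key into the build dir` keeps a reader from looking for a public-key file that is not there. The second added in-script comment, `# Store the public and private keys in Vault`, repeats the YAML comment immediately above the task word for word; one of the two is enough. The unchanged `vault kv put ... key="$(cat ...)"` also places the private key on the command line, where it is visible to other processes on the controller for the duration of the call; the Vault CLI's `key=@{{ build_path }}/crypto/{{ user }}/{{ org.name }}/key` form reads it from the file instead.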
@@ -24,7 +24,7 @@ gitops: "{{ org.gitops }}" msg: "[ci skip] Delete previous node key mgmt files" -# This task delete the previously created HelmRelease +# Delete the previously created HelmRelease - name: Delete the previous {{ organisation }}-node-key-mgmt HelmRelease k8s: api_version: "helm.toolkit.fluxcd.io/v2beta1" @@ -35,7 +35,7 @@ kubeconfig: "{{ kubernetes.config_file }}" context: "{{ kubernetes.context }}" -# This task fetch all node (peers and validators) present in all organizations of the network +# Fetch all node (peers and validators) present in all organizations of the network - name: Fetching all nodes of the organisation set_fact: node_list={{ node_list | default([]) + [ {'name':peer.name} ] }} @@ -43,7 +43,7 @@ loop_control: loop_var: peer -# This task creates node key mgmt value file for each organization +# Creates node key mgmt value file for each organization - name: Create node key mgmt value file for each organization include_role: name: create/helm_component diff --git a/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/check_vault.yaml b/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/check_vault.yaml index f858f671c469..04037922a197 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/check_vault.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/check_vault.yaml @@ -5,7 +5,7 @@ ############################################################################################## -# This tasks checks for the crypto material to the vault +# Check for the crypto material to the vault - name: Check the crypto material to Vault shell: | vault kv get -field=privateKey {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ item.name }}/tm 
@@ -16,7 +16,7 @@ register: vault_result ignore_errors: yes -# This sets a fact vault_result +# Set a fact based on vault_result - set_fact: generate_crypto_tessera: True when: vault_result.failed is defined and vault_result.failed == True diff --git a/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/main.yaml index e0d4d5c70f99..1b4ea201415b 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/crypto/tessera/tasks/main.yaml @@ -4,13 +4,14 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This tasks checks the crypto material in the vault +# Check the crypto material in the vault - name: Check for the crypto material in the vault include_tasks: check_vault.yaml vars: vault: "{{ org.vault }}" peers: "{{ org.services.peers }}" +# Wait for namespace creation for members - name: "Wait for namespace creation for members" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" @@ -22,8 +23,7 @@ - generate_crypto_tessera is defined - generate_crypto_tessera -# --------------------------------------------------------------------- -# generate Tessera crypto helmrelease file +# Generate Tessera crypto helmrelease file - name: "Create tessera crypto file" include_role: name: create/helm_component @@ -39,8 +39,7 @@ - generate_crypto_tessera is defined - generate_crypto_tessera -# --------------------------------------------------------------------- -# push the created deployment files to repository +# Push the created deployment files to repository - name: "Push the created deployment files to repository" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" 
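Review bot: The rewritten comment `# Set a fact based on vault_result` in the first hunk only restates the module name; the fact is `generate_crypto_tessera: True` and it is set when the Vault read failed, so `# Mark the Tessera crypto for generation when the Vault lookup failed` tells a reader what the flag means. The `when:` on the line below, unchanged here, spells the test as `vault_result.failed is defined and vault_result.failed == True`; `vault_result.failed | default(false)` is the idiomatic equivalent.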
diff --git a/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/check_vault.yaml b/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/check_vault.yaml index 1ae3f1cc7d80..2ad402ba5ae6 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/check_vault.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/check_vault.yaml @@ -4,13 +4,14 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +# Check if validator directory exist - name: Ensure validator directory exist file: path: "{{ build_path }}/crypto/{{ org.name }}/{{ item.name }}/data" state: directory with_items: "{{ org.services.peers is defined | ternary(org.services.peers, org.services.validators) }}" -# This tasks checks and keeps retrying for the crypto materials to be ready +# Checks and keeps retrying for the crypto materials to be ready - name: Check for node key pair in vault shell: | vault kv get -field=key_pub {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ item.name }}/data > "{{ build_path }}/crypto/{{ org.name }}/{{ item.name }}/data/key.pub" diff --git a/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/generate_extraData.yaml b/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/generate_extraData.yaml index 64e7d29becd4..8ba831e8b1e7 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/generate_extraData.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/genesis/tasks/generate_extraData.yaml 
@@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This task creates the rlp encoded string and adds it to extraData field in newGenesis.json +# Creates the rlp encoded string and adds it to extraData field in newGenesis.json - name: Create the new genesis file with information for validator nodes vars: argument: "{{ '--type=QBFT_EXTRA_DATA' if network.config.consensus=='qbft' else '' }}" @@ -14,9 +14,9 @@ awk 'NR == 1' {{ build_path }}/extraData > {{ build_path }}/extraData_format jq '.extraData = $newVal' --arg newVal $(cat {{ build_path }}/extraData_format) << cat {{ build_path }}/crypto/genesis.json > {{ build_path }}/crypto/newGenesis.json when: - - network.config.consensus in ["ibft","qbft","ethash"] + - network.config.consensus in ["ibft", "qbft", "ethash"] -# This task creates the rlp encoded string and add it to extraData field in newGenesis.json +# Creates the rlp encoded string and add it to extraData field in newGenesis.json - name: Create the new genesis file with information for validator nodes vars: - PREFIX: '0x0000000000000000000000000000000000000000000000000000000000000000' @@ -25,4 +25,4 @@ cat {{ build_path }}/validatorinfo | awk -v prefix={{ PREFIX }} -v suffix={{ SUFFIX }} 'BEGIN {printf prefix}; {gsub(/"/,"",$1); gsub(/^0x/,"",$1); printf "%s",$1}; END {printf suffix}' > {{ build_path }}/extraData jq '.extraData = $newVal' --arg newVal $(cat {{ build_path }}/extraData) << cat {{ build_path }}/crypto/genesis.json > {{ build_path }}/crypto/newGenesis.json when: - - network.config.consensus == "clique" + - network.config.consensus == "clique" diff --git a/platforms/hyperledger-besu/configuration/roles/create/helm_component/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/helm_component/Readme.md deleted file mode 100644 index 8d5b57f525c3..000000000000 
--- a/platforms/hyperledger-besu/configuration/roles/create/helm_component/Readme.md +++ /dev/null 
@@ -1,42 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## helm_component -helm_component roles helps in generating value file for various helm releases. Helm component uses the templates folder to generate helm value files. To generate a new helm file, it uses template files stored in template folder. The task uses a variable *type* which is used to filter through the templates in template folder. -The mapping for *type* variable and its corresponding value file is provided in `vars/main.yaml`. -To add a new template, add the tpl file to template folder and add its key-value entry in `vars/main.yaml`. -This role consists of the following tasks - -### Tasks -(Variables with * are fetched from the playbook which is calling this role) -#### 1. "Ensures {{ values_dir }}/{{ name }} dir exists" -This task ensures that the value directory is present on the ansible container which is refered by `values_dir` variable which is defined at `/platforms/hyperledger-besu/playbooks/roles/create/helm_component/vars/main.yaml` -##### Input Variables - - *name: Type of the Helm Release file - *values_dir: The path where the generated files are stored - *path: The path/directory where to check is specified here. - recurse: Yes/No to recursively check inside the path specified. - state: Type of file i.e. directory. - - -#### 2. create value file for {{ *component_name* }} -This task creates the value file for the role which calls it. -##### Input Variables - *component_name: The name of the component for whom the value file is created. - *name: Type of the Helm Release file - *values_dir: The path where the generated files are stored - *type:The corresponding template file is chosen based on this type variable. 
-The mapping is stored at `/platforms/hyperledger-besu/playbooks/roles/create/helm_component/vars/main.yaml`. If the type is not found in the mapping then it takes in the default `helm_component.tpl` template. - - -#### 3. Helm lint -This task tests the value file for syntax errors/ missing values.This is done by calling the helm_lint role and passing the value file parameter. When a new helm_component is added, changes should be made in `helm_lint` role as well -##### Input Variables - helmtemplate_type: The corresponding template file is chosen based on this type variable. - chart_path: The path for the charts directory. - value_file: The final path of the value file to be created along with name. - -**include_role**: It includes the name of intermediatory role ( `{{ playbook_dir }}/../../shared/configuration/roles/helm_lint` which is required for creating the Vault Reviewer value file. diff --git a/platforms/hyperledger-besu/configuration/roles/create/helm_component/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/helm_component/tasks/main.yaml index 224d11987fb1..97b5d528d9f3 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/helm_component/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/helm_component/tasks/main.yaml 
@@ -8,26 +8,22 @@ # This role generates the value file for the helm releases ############################################################################################# - -############################################################################################ -# This task ensures that the directory exists, and creates it, if it does not exist +# Ensure that the directory exists, and creates it, if it does not exist - name: "Ensures {{ values_dir }}/{{ name }} dir exists" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" vars: path: "{{ values_dir }}/{{ name }}" -############################################################################################ -# This task creates the value file for the helm release +# Create the value file for the helm release # This is done by consuming a template file which is passes as a variable by the role # including this helm_component role - name: "create value file for {{ component_name }}" template: src: "{{ helm_templates[type] | default('helm_component.tpl') }}" dest: "{{ values_dir }}/{{ name }}/{{ component_name }}.yaml" - -############################################################################################ -# This task tests the value file for syntax errors/ missing values + +# Test the value file for syntax errors/ missing values # This is done by calling the helm_lint role and passing the value file parameter # When a new helm_component is added, changes should be made in helm_lint role as well - name: Helm lint diff --git a/platforms/hyperledger-besu/configuration/roles/create/k8_component/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/k8_component/tasks/main.yaml index 20e16dbeb69d..77a43fb48157 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/k8_component/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/k8_component/tasks/main.yaml 
@@ -13,13 +13,13 @@ ################################################################################################ --- -# Task to create and/or check if the target directory exists +# Create and/or check if the target directory exists - name: "Ensures {{ release_dir }}/{{ component_name }} dir exists" file: path: "{{ release_dir }}/{{ component_name }}" state: directory -# Task to create deployment file from a template +# Create deployment file from a template - name: "create {{ component_type }} file for {{ component_name }}" template: src: "{{ dlt_templates[component_type] }}" @@ -27,8 +27,7 @@ vars: values_file: "{{ release_dir }}/{{ component_name }}/{{ component_type }}.yaml" -################################################################################################ -# This task tests the value file for syntax errors/ missing values +# Test the value file for syntax errors/ missing values # This is done by calling the helm_lint role and passing the value file parameter # When a new k8_component is added, changes should be made in helm_lint role as well - name: "Helm lint" diff --git a/platforms/hyperledger-besu/configuration/roles/create/k8_component/templates/storageclass.tpl b/platforms/hyperledger-besu/configuration/roles/create/k8_component/templates/storageclass.tpl deleted file mode 100644 index e46035e01bd3..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/k8_component/templates/storageclass.tpl +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: {{ sc_name }} - namespace: {{ org_name }}-{{ platform_suffix }} - annotations: - flux.weave.works/automated: "false" -spec: - releaseName: {{ sc_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/storage_class - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - metadata: - name: {{ sc_name }} - cloud_provider: {{ cloudProvider }} - reclaimPolicy: Delete - volumeBindingMode: Immediate - allowedTopologies: - - matchLabelExpressions: - - key: failure-domain.beta.kubernetes.io/zone - values: - - "{{ region }}a" - - "{{ region }}b" diff --git a/platforms/hyperledger-besu/configuration/roles/create/k8_component/vars/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/k8_component/vars/main.yaml index 6dae5fb3c078..100681030678 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/k8_component/vars/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/k8_component/vars/main.yaml @@ -6,7 +6,3 @@ dlt_templates: namespace: namespace.tpl - aws-storageclass: storageclass.tpl - minikube-storageclass: storageclass.tpl - gcp-storageclass: storageclass.tpl - azure-storageclass: storageclass.tpl diff --git a/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/Readme.md deleted file mode 100644 index 24b9027e9bec..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/Readme.md +++ /dev/null 
@@ -1,64 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: k8s_secrets -This role creates secrets to store the following resources: ambassador credentials. -#### 1. Check Ambassador cred exists -This tasks check if the Check Ambassador credentials exists or not. -##### Input Variables - - *kind: This defines the kind of Kubernetes resource - *namespace: The namespace of the component - *name: Name of the component - *kubeconfig: The config file of the cluster - *context: This refer to the required kubernetes cluster context -##### Output Variables - - get_ambassador_secret: This variable stores the output of Ambassador credentials check query. - -#### 2. Check if ambassador tls certs already created -This tasks checks if ambassador tls certificates are already created or not. -##### Input Variables - - *VAULT_ADDR: Contains Vault URL, Fetched using 'vault.' from network.yaml - *VAULT_TOKEN: Contains Vault Token, Fetched using 'vault.' from network.yaml - ignore_errors: Ignore if any error occurs - -##### Output Variables - - certs: This variable stores the output of root certificates check query. - - -#### 3. Gets the existing ambassador tls certs -This tasks get ambassador and tls certs from Vault -##### Input Variables - - *VAULT_ADDR: Contains Vault URL, Fetched using 'vault.' from network.yaml - *VAULT_TOKEN: Contains Vault Token, Fetched using 'vault.' from network.yaml -##### Output Variables - - certs_yaml: This variable stores the output of ambassador tls certificates check query. - -**when**: It runs when *certs*.failed == False, i.e. ambassador tls certs are present. - -#### 4. 
Get ambassador tls certs -This task fetches the generated ambassador tls certificates by calling role *setup/get_crypto - -##### Input Variables - *cert_path: The path where to check/create is specified here. - *vault_output: Yaml with certs_yaml output. - type: ambassador - -**when**: It runs when *certs*.failed == False, i.e. ambassador tls certs are present. - -#### 5. Create the Ambassador credentials -This task creates the Ambassador TLS credentials -##### Input Variables - *KUBECONFIG: Contains config file of cluster, Fetched using 'kubernetes.' from network.yaml - *namespace: Namespace of the component -**when**: Conditions is specified here, runs only when *get_ambassador_secret.resources* are not found and *certs*.failed == False - -#### Note: -vars folder has environment variable for ambassador role. diff --git a/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/tasks/main.yaml index ed0f937ca724..8f67b740d054 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/k8s_secrets/tasks/main.yaml @@ -8,7 +8,7 @@ # This role creates secrets ############################################################################################# -# This task checks if Ambassador credentials exist already +# Checks if Ambassador credentials exist already - name: Check Ambassador cred exists k8s_info: kind: Secret @@ -19,7 +19,7 @@ register: get_ambassador_secret when: check == "ambassador_creds" -# Checks if certificates are already created and stored in vault. +# Check if ambassador and tls certs already created & available in the vault - name: Check if ambassador and tls certs already created shell: | vault kv get -field=rootca_pem {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ node_name }}/tls 
@@ -27,10 +27,12 @@
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
 register: certs
- when: check == "ambassador_creds"
+ when:
+ - check == "ambassador_creds"
+ - get_ambassador_secret.resources|length == 0 # Newly added condition
 ignore_errors: yes
 
-# Gets the existing ambassador tls certs
+# Get ambassador and tls certs from Vault
 - name: Get ambassador and tls certs from Vault
 shell: |
 vault kv get -format=yaml {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ node_name }}/tls
@@ -38,8 +40,11 @@
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
 register: certs_yaml
- when: certs.failed == False and check == "ambassador_creds"
+ when:
+ - certs.failed == False and check == "ambassador_creds"
+ - get_ambassador_secret.resources|length == 0 # Newly added condition
 
+# Get ambassador tls certs
 - name: Get ambassador tls certs
 include_role:
 name: "setup/get_crypto"
@@ -47,9 +52,11 @@
 vault_output: "{{ certs_yaml.stdout | from_yaml }}"
 type: "ambassador"
 cert_path: "{{ ambassadortls }}"
- when: certs.failed == False and check == "ambassador_creds"
+ when:
+ - certs.failed == False and check == "ambassador_creds"
+ - get_ambassador_secret.resources|length == 0 # Newly added condition
 
-# This task creates the Ambassador TLS credentials
+# creates the Ambassador TLS credentials
 - name: Create the Ambassador credentials
 k8s:
 definition:
diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/member_node/Readme.md
deleted file mode 100644
index a396bf100b73..000000000000
--- a/platforms/hyperledger-besu/configuration/roles/create/member_node/Readme.md
+++ /dev/null
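Review bot: The condition added in the second and third hunks, `get_ambassador_secret.resources|length == 0`, comes after `certs.failed == False and check == "ambassador_creds"` in each `when:` list, so `certs.failed` is still evaluated first; when the Vault read in the first hunk is now skipped because the Secret already exists, `certs` is a skipped result on which `failed` may be undefined, and the conditional would then error out rather than skip. Putting the Secret check first in each list, or testing the registered result with `certs is not skipped and certs is succeeded`, removes the dependence on that key. The trailing `# Newly added condition` on all three lines is a changelog marker that says nothing once the commit lands; `# skip the Vault lookup when the Secret already exists` is the comment a reader needs. In the third hunk the new comment `# creates the Ambassador TLS credentials` starts lowercase, unlike every other comment in this file.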
@@ -1,216 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/member_node -This role creates the helm value file of member node for each node of all organizations. -### main.yaml -### Tasks -(Variables with * are fetched from the playbook which is calling this role) - -#### 1. Set enode_data to an empty list -This task initializes the enode_data variable to an empty string - -**set_fact**: This module sets the variable assignment as globally accessible variable - -#### 2. Set nodelist to an empty list -This task initializes the enode_data variable to an empty string - -**set_fact**: This module sets the variable assignment as globally accessible variable - -#### 3. Get enode data -This task gets the enode data in the format of -peer_name -enodeval -p2p_ambassador -raft_ambassador -node_ambassador -peer_publicIP - -**include_task**: enode_data.yaml -**loop**: loop over the organizations -**loop_control**: Specify conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 4. Get nodelist data -This task creates a file for each peer consisting of the peernode url of other peers - -**include_task**: enode_data.yaml -**loop**: loop over the organizations -**loop_control**: Specify conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 5. Adding the enode of new peer to all existing peer. -This task adds the enode of new organizations to each of the existing nodes using rpc call - -**include_task**: add_new_peer.yaml -**loop**: loop over the list of rpc address in *network.config.besu_nodes* -**loop_control**: Specify conditions for controlling the loop. 
- - loop_var: loop variable used for iterating the loop. -**when**: It runs when *add_new_org* == True, i.e. to add new organization. - -#### 6. Git Push -This task pushes the above generated value files to git repo. -##### Input Variables - GIT_DIR: "The path of directory which needs to be pushed" - gitops: *item.gitops* from network.yaml - msg: "Message for git commit" -**include_role**: It includes the name of intermediatory role which is required for pushing the value file to git repository. - ----------------- - -### enode_data.yaml -### Tasks - -#### 1. Create the enode_data -**include_task**: nested_enode_data.yaml -**loop**: loop over peers in the organization -**loop_control**: Specify the conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -------------------- - -### nested_enode_data.yaml -### Tasks - -#### 1. Check if enode is present in the build directory or not -This task checks if enode is present in the build directory or not - -**stat**: This module checks the file exist or not. -##### Input variables - *path: path to the enode. -##### Output variables - *file_status: output of the enode exists or not task - -#### 2. Creates the build directory -This task creates the build directory if it does not exist - -**file**: This module creates the directory - -##### Input variables - - *path: path where the folders need to be created. - -**when**: It runs when *file_status.stat.exists* == False, i.e. folder does not exists. - -#### 3. Get the nodekey from vault and generate the enode - -##### Input variables - *VAULT_ADDR: Vault URI - *VAULT_TOKEN: Vault token -**shell**: It reads the nodekey from vault and places at the specified address and then generates the enode using bootnode binary and write at the specified location. -**when**: It runs when *file_status.stat.exists* == False - - -#### 4. Get enode_data - -**set_fact**: This modules sets the enode_data variable globally to enode data of the organisation. 
- -#### 5. Get Validator node data - -**set_fact**: This modules sets the enode_data_list variable globally to Get information about each validator node present in network.yaml and store it as a list of org, node. - ----------------- - -### nodelist.yaml -### Tasks - -#### 1. creates nodelist data -**include_task**: nested_nodelist.yaml -**loop**: loop over peers in the organization -**loop_control**: Specify the conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -------------------- - -### nested_nodelist.yaml -### Tasks - -#### 1. Check if enode is present in the build directory or not - This task checks if enode is present in the build directory or not - -**stat**: This module checks the file exist or not. -##### Input variables - *path: path to the enode. -##### Output variables - *file_status: output of the enode exists or not task - -#### 2. Creates the build directory - This task creates the build directory if it does not exist - -**file**: This module creates the directory - -##### Input variables - - *path: path where the folders need to be created. - -**when**: It runs when *file_status.stat.exists* == False, i.e. folder does not exists. - -#### 3. Touch nodelist file - creates a file if not exist - -**file**: This module creates the file - -##### Input variables - - *path: path where the file need to be created. - - -#### 4. nodelist loop when tls is true - Add othernodes data to the file when tls is true for the transaction manager - -**lineinfile**: This module add the line to the file - -**with_items**: loops over the -**when**: It runs when *enode_item.peer_name* != *peer.name* - -#### 5. nodelist loop when tls is false - Add othernodes data to the file when tls is false for transaction manager - -**lineinfile**: This module add the line to the file - -**with_items**: loops over the -**when**: It runs when *enode_item.peer_name* != *peer.name* - -#### 6. 
nodelist loop for networkyaml list of tm_nodes - Add othernodes data to the file when tm_nodes are defined - -**lineinfile**: This module add the line to the file - -**with_items**: loops over the -**when**: It runs when *network.config.tm_nodes* is defined - ----------------- - -### add_new_peer.yaml -### Tasks - -#### 1. Add a new node to the existing network - This task adds a new node to the existing network -**uri**: This module sends a api request. -##### Input variables - *path: path to the enode. - *url: url for the request. - *method: method for the request. - *body_format: format of the request. - *body: content of the request. - *headers: content of the header for the request. -**loop**: loop over peers in the organization -**loop_control**: Specify the conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 2. Touch nodelist file - This task fetches the new peer_id as a verification step of the addition of the enode information to a node - -**set_fact**: This sets a variable value. - -##### Input variables - - *peer_id: peer_id returned by json response in the above task. diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/add_new_peer.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/add_new_peer.yaml index 3f06044a9431..414427fb0d41 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/add_new_peer.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/add_new_peer.yaml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This task adds a new node to the existing network +# Add a new node to the existing network - name: Add a new node to the existing network uri: url: "{{ node }}" 
@@ -23,7 +23,7 @@ retries: "{{ network.env.retry_count }}" delay: 50 -# This task fetches the new peer_id +# Fetch the new peer_id - name: Get peer_id set_fact: peer_id: "{{ peer_id.results[0].json.id }}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/enode_data.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/enode_data.yaml index 0252c8672d01..e106ed63944b 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/enode_data.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/enode_data.yaml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -#Get enode data +# Get enode data - name: Get enode data include_tasks: nested_enode_data.yaml loop: "{{ org.services.peers is defined | ternary(org.services.peers, org.services.validators)}}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/main.yaml index 29d60bf0f47d..99e67771fe5b 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/main.yaml @@ -29,7 +29,7 @@ loop_var: org when: org.type == 'member' -# This task adds the enode of new organizations to each of the existing nodes using rpc call +# Add the enode of new organizations to each of the existing nodes using rpc call - name: Adding the enode of new peer to all existing peer. include_tasks: add_new_peer.yaml loop: "{{ network.config.besu_nodes }}" 
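Review bot: In the add_new_peer.yaml hunk, `set_fact: peer_id: "{{ peer_id.results[0].json.id }}"` overwrites the variable that the preceding uri task presumably registered as `peer_id`, so after this task the per-item results are gone and only the first item's id survives; if the uri task loops over several nodes, the other responses can no longer be checked. Give the fact its own name, e.g. `new_peer_id: "{{ peer_id.results[0].json.id }}"`, and update the consumers accordingly. The new comment `# Fetch the new peer_id` also drops the "verification step" wording the old README used; stating why the id is read (`# Read back the peer_id from the first RPC response as a check that the enode was accepted`) would preserve that intent. The uri task that registers the result starts outside this hunk.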
@@ -39,13 +39,13 @@ - add_new_org is defined and add_new_org|bool == True - network.config.besu_nodes is defined -# Check for local genesis file +# Checks for local genesis file - name: Check that the gensis file exists stat: path: "{{ network.config.genesis }}" register: stat_result -# This task gets the genesis file when there isno local genesis +# Gets the genesis file when there isno local genesis - name: get genesis from vault shell: | vault kv get -field=genesis {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/genesis @@ -56,13 +56,13 @@ ignore_errors: yes when: stat_result.stat.exists == False -#This task only runs when there is no local genesis file +# Execute only if there is no local genesis file - name: Copy genesis from vault to correct path shell: | echo {{ vault_genesis.stdout }} > {{ network.config.genesis }} when: stat_result.stat.exists == False -# This task creates the Besu node value files for each node of organization +# Creates the Besu node value files for each node of organization - name: Create value file for Besu node include_role: name: create/helm_component @@ -75,7 +75,7 @@ loop_control: loop_var: peer -# Git Push : Pushes the above generated files to git directory +# Pushes the above generated files to git directory - name: Git Push include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_enode_data.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_enode_data.yaml index 040e9d8bf4bb..307b7308df43 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_enode_data.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_enode_data.yaml 
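Review bot: In the member_node main.yaml hunks at @@ -39 and @@ -56, the `vault kv get -field=genesis ...` task runs with `ignore_errors: yes`, but the following `echo {{ vault_genesis.stdout }} > {{ network.config.genesis }}` is gated only on `stat_result.stat.exists == False`, so a failed Vault read still writes an empty genesis file and every later step proceeds against it; the copy task should also require `vault_genesis.rc == 0` (assuming the get is registered as `vault_genesis`, which the `.stdout` reference suggests). The unquoted `echo` also lets the shell interpret quotes and braces in the value, which corrupts a JSON genesis unless the stored field is base64; `copy: content: "{{ vault_genesis.stdout }}" dest: "{{ network.config.genesis }}"` avoids the shell entirely. The new comment keeps the typo `isno` (`# Gets the genesis file when there is no local genesis`) and the task name still says `gensis`.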
@@ -10,7 +10,7 @@ path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}/enode" register: file_status -# This task creates the build directory if it does not exist +# Creates the build directory if it does not exist - name: Create build directory if it does not exist file: path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}" @@ -67,6 +67,7 @@ - org.type == "member" - network.env.proxy == 'ambassador' +# Get validator node data - name: Get validator node data set_fact: enode_data_list={{ enode_data_list|default([]) + [ {'peer_name':peer.name, 'enodeval':enode_data, 'publicIp':host_ip, 'external_url':org.external_url_suffix, 'p2p_ambassador':peer.p2p.port, 'node_ambassador':peer.tm_nodeport.port } ] }} diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_nodelist.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_nodelist.yaml index be4a13e4ac36..3e8f40744e0c 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_nodelist.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nested_nodelist.yaml @@ -10,7 +10,7 @@ path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}/nodelist" register: file_status -# This task creates the build directory if it does not exist +# Creates the build directory if it does not exist - name: Create build directory if it does not exist file: path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}" @@ -19,7 +19,7 @@ recurse: yes when: file_status.stat.exists == False -# creates a file if not exist +# Creates a file if not exist - name: Touch nodelist file file: path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}/nodelist" diff --git a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nodelist.yaml b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nodelist.yaml index c4b8996ee26f..9b07f0305af0 100644 
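Review bot: In the nested_enode_data.yaml hunk at @@ -67, the `set_fact: enode_data_list={{ ... }}` task still passes its argument in `key=value` string form with an unquoted Jinja expression; the native mapping form `set_fact:` / `enode_data_list: "{{ enode_data_list | default([]) + [ {...} ] }}"` is what the rest of these roles use and is what ansible-lint expects. The added comment `# Get validator node data` repeats the task's `name:` verbatim and adds nothing; the same pattern appears in `# Add a new node to the existing network`, `# Ensure validator directory exist` (also missing the "s") and `# Push the created deployment files to the Git repository` elsewhere in this PR. Where the name already says what the task does, the comment should say why it exists or what the result is used for, e.g. `# Collect (peer, enode, public IP, ambassador ports) for every member peer; consumed when rendering the node value files`.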
--- a/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nodelist.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/member_node/tasks/nodelist.yaml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -#Get nodelist data +# Get nodelist data - name: Get nodelist data include_tasks: nested_nodelist.yaml loop: "{{ org.services.peers }}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/namespace/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/namespace/Readme.md deleted file mode 100644 index 47b4e7fb4495..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/namespace/Readme.md +++ /dev/null 
@@ -1,73 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/namespace_serviceaccount -This role creates the value files for namespaces, vault-auth, vault-reviewer and clusterrolebinding for each node. - -### Tasks -(Variables with * are fetched from the playbook which is calling this role) -#### 1. Check if namespace exists -This task check if the namespace is already created or not. -##### Input Variables - - kind: The path to the directory is specified here. - *component_ns: The organisation's namespace - *kubeconfig: The kubernetes config file - *context: The kubernetes current context - -##### Output Variables - - get_namespace: This variable stores the output of check if namespace exists. - -#### 2. Create namespace for {{ organisation }} -This task creates value file for namespace by calling create/k8_component role. -##### Input Variables - - component_type: It specifies the type of deployment to be created. In this case it is "namespace". - *component_name: The organisation's namespace. - *release_dir: absolute path for release git directory - helm_lint: Either true or false, for linting. - -**include_role**: It includes the name of intermediatory role which is required for creating the namespace. - -**when**: It runs when *get_namespace.resources|length* == 0, i.e. the namespace does not exist. - -#### 3. Create vault auth service account for {{ organisation }} -This task creates vault auth service account file for organisation by calling create/k8_component role. -##### Input Variables - - organisation: Organisation name - component_type: It specifies the type of deployment to be created. In this case it is "vault-reviewr". - *component_name: The organisation's namespace. 
- *release_dir: absolute path for release git directory. - helm_lint: Either true or false, for linting. - -#### 4. Create vault reviewer for {{ organisation }} -This task creates vault reviewer file for organisation by calling create/k8_component role. -##### Input Variables - - organisation: Organisation name - component_type: It specifies the type of deployment to be created. In this case it is "vault-reviewr". - *component_name: The organisation's namespace. - *release_dir: absolute path for release git directory. - helm_lint: Either true or false, for linting. - -#### 5. Create clusterrolebinding for {{ organisation }} -This task creates value file for clusterrolebinding by calling create/k8_component role. -##### Input Variables - - organisation: Organisation name - component_type: It specifies the type of deployment to be created. In this case it is "reviewer_rbac". - *component_name: The organisation's namespace. - *release_dir: absolute path for release git directory. - helm_lint: Either true or false, for linting. - -#### 6. Push the created deployment files to repository -This task pushes all the value files created to the git repo by calling git_push role in shared directory. -##### Input Variables - - GIT_DIR: root directory of the git cloned repository - gitops: *item.gitops* from network.yaml - msg: Git commit message diff --git a/platforms/hyperledger-besu/configuration/roles/create/namespace/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/namespace/tasks/main.yaml index 67348207b33c..f84621d6189d 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/namespace/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/namespace/tasks/main.yaml 
@@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This role creates the deployment files for namespaces +# Creates the deployment files for namespaces # Check Namespace exists already - name: "Checking if the namespace {{ component_ns }} already exists" include_role: @@ -14,6 +14,7 @@ component_name: "{{ component_ns }}" type: "no_retry" +# Set Global variable - name: "Set Variable" set_fact: get_namespace: "{{ result }}" @@ -29,6 +30,7 @@ release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}" when: get_namespace.resources|length == 0 +# Push the created deployment files to the Git repository - name: "Push the created deployment files to repository" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" diff --git a/platforms/hyperledger-besu/configuration/roles/create/storageclass/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/storageclass/Readme.md deleted file mode 100644 index bc9588a622fd..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/storageclass/Readme.md +++ /dev/null 
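Review bot: In the namespace main.yaml hunk at @@ -14, the new comment `# Set Global variable` is inaccurate: `set_fact` creates a host-scoped fact for the rest of the play, not a global, and `get_namespace` is only read by the `when: get_namespace.resources|length == 0` guard below. A comment that states the data flow is more useful, e.g. `# Keep the lookup result so the create step below can be skipped when the namespace already exists`.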
@@ -1,51 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/storageclass -This role creates the storageclass value file for nodes - -### Tasks -(Variables with * are fetched from the playbook which is calling this role) -#### 1. Check if storageclass exists -This task check if the storageclass exists. -##### Input Variables - - kind: StorageClass - *name: storageclass name - *kubeconfig: The kubernetes config file - *context: The kubernetes current context - -##### Output Variables - - storageclass_state: This variable stores the output of check if storageclass exists. - -#### 2. Create storageclass -This task creates value file for storageclass by calling create/k8_component role. -##### Input Variables - - *component_name: The storageclass name. - *component_type: It specifies the type of deployment to be created. In this case it is "-storageclass" - helm_lint: This is a flag to run helm_list module. "false" in this case because storageclass is not a helm chart. - *release_dir: absolute path for release git directory - -**when**: It runs when *storageclass_state.resources|length* == 0, i.e. storageclass doen not exists . - -#### 3. Push the created deployment files to repository -This task pushes the generated value file to gitops repository by calling shared/configuration/roles/git_push role. -##### Input Variables - GIT_DIR: "The path of directory which needs to be pushed" - gitops: *item.gitops* from network.yaml - msg: "Message for git commit" - -#### 4. Wait for Storageclass creation for {{ component_name }} -This task checks storageclass is created or not by calling role check/k8_component role. -##### Input Variables - - component_type: The storageclass name. 
- *component_name: The storageclass resource name. - *kubeconfig: The kubernetes config file. - *context: The kubernetes current context. - -**when**: It runs when *storageclass_state.resources|length* == 0, i.e. storageclass did not exists before. diff --git a/platforms/hyperledger-besu/configuration/roles/create/storageclass/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/storageclass/tasks/main.yaml index 63de7df8bda5..04297b7c612b 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/storageclass/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/storageclass/tasks/main.yaml @@ -7,6 +7,7 @@ ############################################################################################# # This role creates value files for storage class ############################################################################################# + # Check storageclass exists already - name: "Checking if the storage class {{ sc_name }} already exists" include_role: @@ -16,7 +17,7 @@ component_name: "{{ sc_name }}" type: "no_retry" -#set variable storageclass_state +# set variable storageclass_state - name: "Set Variable" set_fact: storageclass_state: "{{ result }}" @@ -41,7 +42,7 @@ msg: "[ci skip] Pushing deployment file for storageclass" when: storageclass_state.resources|length == 0 -#Wait for the creation of storage class +# Wait for the creation of storage class - name: "Waiting for the creation of {{ sc_name }} storage class for {{ component_name }}" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" diff --git a/platforms/hyperledger-besu/configuration/roles/create/tessera/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/tessera/Readme.md deleted file mode 100644 index 37d7a5ad3a9e..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/tessera/Readme.md +++ /dev/null 
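Review bot: In the storageclass main.yaml hunk at @@ -16, the new comment `# set variable storageclass_state` is the only lower-case comment introduced by this PR; the siblings in the same file read `# Check storageclass exists already` and `# Wait for the creation of storage class`. Use `# Set variable storageclass_state` (or, matching the namespace role, `# Keep the lookup result so the create and wait steps can be skipped when the class already exists`).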
@@ -1,103 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/tessera -This role creates the helm value file of Tessera transaction managere for each node of all organizations. -### main.yaml -### Tasks -(Variables with * are fetched from the playbook which is calling this role) - -#### 1. Set enode_data to an empty list -This task initializes the enode_data variable to an empty string - -**set_fact**: This module sets the variable assignment as globally accessible variable - -#### 2. Get enode data -This task gets the enode data in the format of -peer_name -enodeval -p2p_ambassador -raft_ambassador - -**include_task**: enode_data.yaml -**loop**: loop over the organizations -**loop_control**: Specify conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 3. Create Value files for Tessera TM for each node -This task creates the value file by calling the helm_component role -##### Input Variables - - *genesis: "The genesis block fetched from .build/genesis.block.base64" - *component_name: "The name of the component" - type: "tessera" -**include_role**: It includes the name of intermediatory role which is required for creating the helm value file, here helm_component -**loop**: loops over peers list fetched using *{{ peers }}* from network yaml -**loop_control**: Specify conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 4. Git Push -This task pushes the above generated value files to git repo. 
-##### Input Variables - GIT_DIR: "The path of directory which needs to be pushed" - gitops: *item.gitops* from network.yaml - msg: "Message for git commit" -**include_role**: It includes the name of intermediatory role which is required for pushing the value file to git repository. - ----------------- - -### enode_data.yaml -### Tasks - -#### 1. Check if nodekey is generated -**include_task**: nested_enode_data.yaml -**loop**: loop over peers in the organization -**loop_control**: Specify the conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -------------------- - -### nested_enode_data.yaml -### Tasks - -#### 1. Check if enode is present in the build directory or not -This task checks if enode is present in the build directory or not - -**stat**: This module checks the file exist or not. -##### Input variables - *path: path to the enode. -##### Output variables - *file_status: output of the enode exists or not task - -#### 2. Creates the build directory -This task creates the build directory if it does not exist - -**file**: This module creates the directory - -##### Input variables - - *path: path where the folders need to be created. - -**when**: It runs when *file_status.stat.exists* == False, i.e. folder does not exists. - -#### 3. Get the nodekey from vault and generate the enode - -##### Input variables - *VAULT_ADDR: Vault URI - *VAULT_TOKEN: Vault token -**shell**: It reads the nodekey from vault and places at the specified address and then generates the enode using bootnode binary and write at the specified location. -**when**: It runs when *file_status.stat.exists* == False - - -#### 4. Get enode_data - -**set_fact**: This modules sets the enode_data variable globally to enode data of the organisation. - -#### 5. 
Get Validator node data - -**set_fact**: This modules sets the enode_data_list variable globally to Get information about each validator node present in network.yaml and store it as a list of org, node. diff --git a/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/check_vault.yaml b/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/check_vault.yaml index bf0a817ca42a..860cb8276a38 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/check_vault.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/check_vault.yaml @@ -5,7 +5,7 @@ ############################################################################################## -# This task checks if the crypto material is already stored in the vault or not +# Checks if the crypto material is already stored in the vault or not - name: Check the crypto material in Vault shell: | vault kv get -field=db_user {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ item.name }}/credentials @@ -15,7 +15,7 @@ register: vault_cred_result ignore_errors: yes -# This tasks copy the crypto material to the vault +# Copy the crypto material to the vault - name: Copy the crypto material to Vault shell: | vault kv put {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ item.name }}/credentials db_user="demouser" db_password="password" gethpassword="{{ item.geth_passphrase }}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/main.yaml index 6eab599a69db..40ed86ffed23 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/tessera/tasks/main.yaml 
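Review bot: In the tessera check_vault.yaml hunk at @@ -15, the task that the new comment labels `# Copy the crypto material to the vault` does not copy generated material: it writes the literal `db_user="demouser" db_password="password"` into Vault for every peer, so each Tessera database ends up with a fixed, well-known credential. These should come from a variable or be generated per peer (for example `lookup('password', '/dev/null length=24')`) and the comment should say so; at minimum `# NOTE: db_user/db_password are static defaults - override before any non-dev deployment`. Because `item.geth_passphrase` and the password are passed on a shell command line, the task should also set `no_log: true` so they do not land in the Ansible log, and `ignore_errors: yes` above should be the canonical `true`.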
@@ -4,14 +4,14 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -# This tasks checks the crypto material in the vault +# Checks the crypto material in the vault - name: Check for the crypto material in the vault include_tasks: check_vault.yaml vars: vault: "{{ org.vault }}" with_items: "{{ org.services.peers }}" -# This task creates the Tessera Transaction Manager value files for each node of organization +# Creates the Tessera Transaction Manager value files for each node of organization - name: Create value file for Tessera TM for each node include_role: name: create/helm_component diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator/Readme.md b/platforms/hyperledger-besu/configuration/roles/create/validator/Readme.md deleted file mode 100644 index c9ba3ee248da..000000000000 --- a/platforms/hyperledger-besu/configuration/roles/create/validator/Readme.md +++ /dev/null 
@@ -1,93 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: create/validator -This role creates the helm value file of validator for each node of all organizations. -### main.yaml -### Tasks -(Variables with * are fetched from the playbook which is calling this role) - -#### 1. Set enode_data to an empty list -This task initializes the enode_data variable to an empty string - -**set_fact**: This module sets the variable assignment as globally accessible variable - -#### 3. Get enode data -This task gets the enode data in the format of -peer_name -enodeval -p2p_ambassador -raft_ambassador -node_ambassador -peer_publicIP - -**include_task**: enode_data.yaml -**loop**: loop over the organizations -**loop_control**: Specify conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -#### 5. Git Push -This task pushes the above generated value files to git repo. -##### Input Variables - GIT_DIR: "The path of directory which needs to be pushed" - gitops: *item.gitops* from network.yaml - msg: "Message for git commit" -**include_role**: It includes the name of intermediatory role which is required for pushing the value file to git repository. - ----------------- - -### enode_data.yaml -### Tasks - -#### 1. Create the enode_data -**include_task**: nested_enode_data.yaml -**loop**: loop over peers in the organization -**loop_control**: Specify the conditions for controlling the loop. - - loop_var: loop variable used for iterating the loop. - -------------------- - -### nested_enode_data.yaml -### Tasks - -#### 1. 
Check if enode is present in the build directory or not -This task checks if enode is present in the build directory or not - -**stat**: This module checks the file exist or not. -##### Input variables - *path: path to the enode. -##### Output variables - *file_status: output of the enode exists or not task - -#### 2. Creates the build directory -This task creates the build directory if it does not exist - -**file**: This module creates the directory - -##### Input variables - - *path: path where the folders need to be created. - -**when**: It runs when *file_status.stat.exists* == False, i.e. folder does not exists. - -#### 3. Get the nodekey from vault and generate the enode - -##### Input variables - *VAULT_ADDR: Vault URI - *VAULT_TOKEN: Vault token -**shell**: It reads the nodekey from vault and places at the specified address and then generates the enode using bootnode binary and write at the specified location. -**when**: It runs when *file_status.stat.exists* == False - - -#### 4. Get enode_data - -**set_fact**: This modules sets the enode_data variable globally to enode data of the organisation. - -#### 5. Get Validator node data - -**set_fact**: This modules sets the enode_data_list variable globally to Get information about each validator node present in network.yaml and store it as a list of org, node. - diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/enode_data.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/enode_data.yaml index b5a0adbb1a3a..762cee2c0c30 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/enode_data.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/enode_data.yaml 
@@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -#Get enode data +# Get enode data - name: Get enode data include_tasks: nested_enode_data.yaml loop: "{{ org.services.peers is defined | ternary(org.services.peers,org.services.validators)}}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/nested_enode_data.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/nested_enode_data.yaml index 672dadf1e825..2062c9f8777f 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/nested_enode_data.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/validator/tasks/nested_enode_data.yaml @@ -10,7 +10,7 @@ path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}/enode" register: file_status -# This task creates the build directory if it does not exist +# Creates the build directory if it does not exist - name: Create build directory if it does not exist file: path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}" diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/check_vault.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/check_vault.yaml index 018c24bb8aff..075650d47cea 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/check_vault.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/check_vault.yaml @@ -4,6 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## +# Ensure validator directory exist - name: Ensure validator directory exist file: path: "{{ build_path }}/crypto/{{ org.name }}/{{ item.name }}/data" 
@@ -11,7 +12,7 @@ with_items: "{{ org.services.peers is defined | ternary(org.services.peers, org.services.validators) }}" when: item.status == 'new' and vault_result.failed is not defined -# This tasks checks and keeps retrying for the crypto materials to be ready +# Check and keep retrying for the crypto materials to be ready - name: Check for node key pair in vault shell: | vault kv get -field=key_pub {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/{{ item.name }}/data > "{{ build_path }}/crypto/{{ org.name }}/{{ item.name }}/data/key.pub" diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/main.yaml index fd23141c2c8d..1ef2fedcc91c 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/main.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/main.yaml @@ -14,14 +14,14 @@ set_fact: new_validator_nodes: [] -# This task creates the build directory +# Creates the build directory - name: Create build directory if it does not exist include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" vars: path: "{{ playbook_dir }}/build" -# This role generates key pair and nodeaddress for all orgs of the network +# Generates key pair and nodeaddress for all orgs of the network - name: "Generate crypto for the network nodes" include_role: name: create/crypto/node @@ -39,7 +39,7 @@ loop_var: org when: org.type == 'validator' -# This task fetch (org,node) pairs for the newest validators in the network +# Fetch (org, node) pairs for the newest validators in the network - name: Fetching data of validator nodes in the network from network.yaml include_tasks: node_data.yaml loop: "{{ network['organizations'] }}" 
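Review bot: In the validator_node check_vault.yaml hunk at @@ -11, `vault kv get -field=key_pub ... > ".../data/key.pub"` creates or truncates key.pub before `vault kv get` has succeeded, so a failed read leaves an empty file behind; any later check that treats the file's presence as "key is ready" will be misled, and the retry described by the new comment `# Check and keep retrying for the crypto materials to be ready` cannot tell the two cases apart from the file alone. Registering the command and writing the file only on success is safer: `register: key_pub_result` on the shell task, then `copy: content: "{{ key_pub_result.stdout }}"` guarded by `when: key_pub_result.rc == 0`. The retry/until settings for this task are outside the hunk, so I cannot confirm what they key on.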
@@ -47,7 +47,7 @@ loop_var: org when: org.type == 'validator' -# This tasks checks the crypto material in the vault +# Checks the crypto material in the vault - name: Get crypto from vault include_tasks: check_vault.yaml vars: @@ -82,23 +82,23 @@ - item[1].type == "validator" - (network.crypto_only is defined and network.crypto_only == false) or (network.crypto_only is undefined) -# This task converts the validator info to json format +# Converts the validator info to json format - name: Convert validatorInfo to json format shell: | cat {{ build_path }}/validatorinfo | paste -sd "," -| awk '{print "["$0"]"}'> {{ build_path }}/toEncode.json -# This task displays the JSON file content +# Displays the JSON file content - name: Display the JSON file content shell: | cat {{ build_path }}/toEncode.json register: result -# This task saves the JSON data to a variable for future use +# Saves the JSON data to a variable for future use - name: Save the data to a Variable as a Fact set_fact: validator_address: "{{ result.stdout }}" -# This task contains the voting from the existing validators for the new validator to be added +# Contains the voting from the existing validators for the new validator to be added - name: Voting for the addition of newest validator include_tasks: validator_vote.yaml vars: diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_enode_data.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_enode_data.yaml index 095465b50f05..c1549513cedc 100644 --- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_enode_data.yaml +++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_enode_data.yaml 
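Review bot: In the validator_node main.yaml hunk at @@ -82, the new comment `# Displays the JSON file content` describes a task that displays nothing: it runs `cat {{ build_path }}/toEncode.json` only to register stdout, which the next task copies into `validator_address`. The two tasks collapse into one without a shell: `set_fact: validator_address: "{{ lookup('file', build_path ~ '/toEncode.json') }}"`, and the comment then reads `# Load the encoded validator list for the vote calls below`. The `cat | paste | awk` step that builds toEncode.json stays as is, but its comment could say what the file is for rather than restate the pipeline.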
@@ -10,7 +10,7 @@
path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}/enode"
register: file_status
-# This task creates the build directory if it does not exist
+# Create the build directory if it does not exist
- name: Create build directory if it does not exist
file:
path: "{{ build_path }}/{{ org.name }}/{{ peer.name }}"
@@ -32,7 +32,7 @@
set_fact:
enode_data: "{{ lookup('file', '{{ build_path }}/{{ org.name }}/{{ peer.name }}/enode') }}"
-#Get IP Address using getent for ubuntu/linux
+# Get IP Address using getent for ubuntu/linux
- name: Get host ip
shell: |
getent hosts {{ peer.name }}.{{ org.external_url_suffix }} | awk '{ print $1 }'
diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_nodelist.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_nodelist.yaml
index ea7c8e554a61..f22afa288302 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_nodelist.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_nodelist.yaml
@@ -10,7 +10,7 @@
path: "{{ build_path }}/{{ org.name }}/{{ validator.name }}/nodelist"
register: file_status
-# This task creates the build directory if it does not exist
+# Create the build directory if it does not exist
- name: Create build directory if it does not exist
file:
path: "{{ build_path }}/{{ org.name }}/{{ validator.name }}"
@@ -19,7 +19,7 @@
recurse: yes
when: file_status.stat.exists == False
-# creates a file if not exist
+# Create a file if not exist
- name: Touch nodelist file
file:
path: "{{ build_path }}/{{ org.name }}/{{ validator.name }}/nodelist"
diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_validator_vote.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_validator_vote.yaml
index b1f84642ab73..9051e7700181 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_validator_vote.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nested_validator_vote.yaml
@@ -4,7 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
-# This task does the JSON-RPC Call for adding a new validator to the network
+# Making JSON-RPC Call for adding a new validator to the network
- name: Voting by every existing validator - IBFT consensus
uri:
url: "{{ besu_node }}"
@@ -24,7 +24,7 @@
loop_var: besu_node
when: network.config.consensus == 'ibft'
-# This task does the JSON-RPC Call for adding a new validator to the network (new nodes already added)
+# Making JSON-RPC Call for adding a new validator to the network (new nodes already added)
- name: Voting by every existing validator (new ones already added) - IBFT consensus
uri:
url: "{{ new_validator }}"
@@ -44,7 +44,7 @@
loop_var: new_validator
when: network.config.consensus == 'ibft' and new_validator_nodes is defined and new_validator_nodes | length > 0
-# This task does the JSON-RPC Call for adding a new validator to the network
+# Making JSON-RPC Call for adding a new validator to the network
- name: Voting by every existing validator - QBFT consensus
uri:
url: "{{ besu_node }}"
@@ -64,7 +64,7 @@
loop_var: besu_node
when: network.config.consensus == 'qbft'
-# This task does the JSON-RPC Call for adding a new validator to the network (new nodes already added)
+# Making JSON-RPC Call for adding a new validator to the network (new nodes already added)
- name: Voting by every existing validator (new ones already added) - QBFT consensus
uri:
url: "{{ new_validator }}"
@@ -84,6 +84,7 @@
loop_var: new_validator
when: network.config.consensus == 'qbft' and new_validator_nodes is defined and new_validator_nodes | length > 0
+# Set the URL to access the RPC endpoint of the peer
- name: Set url
set_fact: url=http://{{ peer.0.name }}rpc.{{ val.external_url_suffix }}:{{ peer.0.rpc.ambassador | default(80) }}
diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nodelist.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nodelist.yaml
index 337dad427cb4..a269be945310 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nodelist.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/nodelist.yaml
@@ -4,7 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
-#Get nodelist data
+# Get nodelist data
- name: Get nodelist data
include_tasks: nested_nodelist.yaml
loop: "{{ org.services.validators }}"
diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/validator_vote.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/validator_vote.yaml
index 8665245294b2..3cbf426d439d 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/validator_vote.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/validator_vote.yaml
@@ -46,7 +46,7 @@
path: "{{ network.config.genesis }}"
register: stat_result
-# This task gets the genesis file when there is no local genesis
+# Gets the genesis file when there is no local genesis
- name: get genesis from vault
shell: |
vault kv get -field=genesis {{ vault.secret_path | default('secretsv2') }}/{{ component_ns }}/crypto/genesis
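Review bot: The `Set url` fact builds the JSON-RPC endpoint as `http://…:{{ peer.0.rpc.ambassador | default(80) }}`, so the validator-vote calls the `uri` tasks in this file send to it travel over cleartext HTTP, and nothing in the hunk shows TLS or any authentication on that channel. The added comment should say this rather than just "Set the URL", e.g. `# Set the peer's JSON-RPC URL (plain HTTP via the Ambassador port; vote calls are unencrypted unless TLS is terminated elsewhere)`. As a style point, the `key=value` form hides the templated value; a block mapping with the value quoted, `set_fact:` then `url: "http://{{ peer.0.name }}rpc.{{ val.external_url_suffix }}:{{ peer.0.rpc.ambassador | default(80) }}"`, is the Ansible-idiomatic form. The vote tasks this URL feeds start before the hunk.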
@@ -59,7 +59,7 @@
- stat_result.stat.exists == False
- (network.crypto_only is undefined or network.crypto_only == false)
-#This task only runs when there is no local genesis file
+# Execute only if there is no local genesis file
- name: Copy genesis from vault to correct path
shell: |
echo {{ vault_genesis.stdout }} > {{ network.config.genesis }}
diff --git a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/value_files.yaml b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/value_files.yaml
index 766950368c8e..b0ae123991ff 100644
--- a/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/value_files.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/create/validator_node/tasks/value_files.yaml
@@ -4,7 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
-# This task creates the helm release files for each new validator node of organization
+# Create the helm release files for each new validator node of organization
- name: Create the helm release files for each new validator node
include_role:
name: create/helm_component
diff --git a/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/main.yaml
index 5482c760d8a2..57000c869078 100644
--- a/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/main.yaml
@@ -4,7 +4,9 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
---
-- name: delete Ambassador certificates
+
+# Delete Ambassador certificates
+- name: delete Ambassador certificates
include_tasks: nested_main.yaml
vars:
node_name: "{{ node.name | lower }}"
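Review bot: `Copy genesis from vault to correct path` writes the fetched secret through an unquoted shell `echo {{ vault_genesis.stdout }} > {{ network.config.genesis }}`; I cannot see from the hunk how the genesis is encoded in Vault, but if it is raw JSON the unquoted expansion is subject to word-splitting and glob expansion, and if it is base64 it survives only because of the alphabet. The `copy` module avoids the shell entirely, `copy: content="{{ vault_genesis.stdout }}" dest="{{ network.config.genesis }}"`, and matches how the setup/get_crypto role in this same change writes Vault material to disk. The new comment could also name the data flow, e.g. `# Write the genesis fetched from Vault (vault_genesis) to network.config.genesis; only when no local genesis file exists`. The task's `when:` conditions are outside the hunk.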
diff --git a/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/nested_main.yaml b/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/nested_main.yaml
index 023cb28fc2e7..4bd5f1814f4a 100644
--- a/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/nested_main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/delete/certificates/ambassador/tasks/nested_main.yaml
@@ -7,6 +7,7 @@
# This role generates certificates for rootca and ambassador
# and places them in vault. Certificates are created using openssl
---
+
# Delete ambassador tls certificates created by cert-manager
- name: Delete TLS certificate
kubernetes.core.helm:
diff --git a/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/Readme.md b/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/Readme.md
deleted file mode 100644
index 42b7df1a92c4..000000000000
--- a/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/Readme.md
+++ /dev/null
@@ -1,58 +0,0 @@
-[//]: # (##############################################################################################)
-[//]: # (Copyright Accenture. All Rights Reserved.)
-[//]: # (SPDX-License-Identifier: Apache-2.0)
-[//]: # (##############################################################################################)
-
-## delete/vault_secrets
-This role deletes the Vault configurations
-### main.yaml
-### Tasks
-(Variables with * are fetched from the playbook which is calling this role)
-#### 1. Delete docker creds
-This task deletes docker credentials.
-##### Input Variables
- kind: Secret
- *namespace: Namespace of the component
- name: "regcred"
- state: absent ( This deletes any found result)
- *kubeconfig: The config file of cluster
- *context: The context of the cluster
-**ignore_errors**: This flag ignores the any errors and proceeds furthur.
-
-#### 2. Delete ambassador creds
-This task deletes ambassador credentials.
-##### Input Variables
- kind: Secret
- namespace: Namespace of the component here it is default
- name: "Name of the ambassador credential"
- state: absent ( This deletes any found result)
- *kubeconfig: The config file of cluster
- *context: The context of the cluster
-**loop**: iterates over all the peers.
-**ignore_errors**: This flag ignores the any errors and proceeds furthur.
-
-#### 3. Delete vault-auth path
-This task deletes vault auth.
-##### Input Variables
- *VAULT_ADDR: Contains Vault URL, Fetched using 'vault.' from network.yaml
- *VAULT_TOKEN: Contains Vault Token, Fetched using 'vault.' from network.yaml
- *org_name: The name of organisation
-**shell** : This command deletes the vault auth.
-**ignore_errors**: This flag ignores the any errors and proceeds furthur.
-
-#### 4. Delete Crypto material
-This task deletes crypto material
-##### Input Variables
- *VAULT_ADDR: Contains Vault URL, Fetched using 'vault.' from network.yaml
- *VAULT_TOKEN: Contains Vault Token, Fetched using 'vault.'
from network.yaml
-**shell** : This command deletes the secrets
-**loop**: iterates over all peers
-**ignore_errors**: This flag ignores any errors and proceeds further.
-
-#### 5. Delete Access policies
-##### Input Variables
- *VAULT_ADDR: Contains Vault URL, Fetched using 'vault.' from network.yaml
- *VAULT_TOKEN: Contains Vault Token, Fetched using 'vault.' from network.yaml
-**shell** : This module deletes the access policies
-**loop**: iterates over all peers
-**ignore_errors**: This flag ignores any errors and proceeds further.
diff --git a/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/tasks/main.yaml
index 5984fd48ec0f..b59ff8c9db9e 100644
--- a/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/tasks/main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/delete/vault_secrets/tasks/main.yaml
@@ -9,7 +9,8 @@
#############################################################################################
#############################################################################################
-# This task deletes the Docker credentials
+
+# Delete Docker credentials
- name: Delete docker creds
k8s:
kind: Secret
@@ -20,6 +21,7 @@
context: "{{ kubernetes.context }}"
ignore_errors: yes
+# Delete Ambassador creds
- name: Delete Ambassador creds
k8s:
kind: Secret
@@ -33,7 +35,7 @@
loop_var: peer
ignore_errors: yes
-# This task deletes vault auth
+# Delete vault auth path
- name: Delete vault-auth path
shell: |
vault delete sys/auth/besu{{ org_name }}
@@ -41,7 +43,7 @@
VAULT_ADDR: "{{ item.vault.url }}"
VAULT_TOKEN: "{{ item.vault.root_token }}"
-# This task deletes crypto material
+# Deletes crypto materials
- name: Delete Crypto material
shell: |
vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ org_namespace }}/crypto/{{ peer.name }}/data
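Review bot: The new comment `# Deletes crypto materials` overstates what `vault kv delete` does: if the mount is KV v2, as the `secretsv2` default suggests, it only marks the latest version deleted and the data remains recoverable with `vault kv undelete` until `vault kv metadata delete` (or `vault kv destroy`) is issued. The comment should say so, e.g. `# Soft-delete the node crypto material (KV v2 keeps prior versions; 'vault kv metadata delete' is needed to purge them)`, and a real teardown should probably run `vault kv metadata delete …` on the same path. The `env` lines at the top of the hunk also show these deletions run with `item.vault.root_token`; a comment noting that a token scoped to delete on this path would suffice, rather than the root token, would help whoever hardens this later. The task's `loop`/`ignore_errors` lines are outside the hunk.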
@@ -58,7 +60,7 @@
loop_var: peer
ignore_errors: yes
-# This task deletes vault policies
+# Delete vault policies
- name: Delete Access policies
shell: |
vault policy delete vault-crypto-{{ org_namespace }}-{{ item.name }}-ro
diff --git a/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/Readme.md b/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/Readme.md
deleted file mode 100644
index 16c0512da5cf..000000000000
--- a/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/Readme.md
+++ /dev/null
@@ -1,41 +0,0 @@
-[//]: # (##############################################################################################)
-[//]: # (Copyright Accenture. All Rights Reserved.)
-[//]: # (SPDX-License-Identifier: Apache-2.0)
-[//]: # (##############################################################################################)
-
-## ROLE: setup/get_crypto
-This role saves the crypto from Vault into ansible_provisioner.
-
-### Tasks
-(Variables with * are fetched from the playbook which is calling this role.)
-#### 1. Ensure directory exists
-This task checks whether admincerts directory present or not. If not present, creates one.
-##### Input Variables
-
- *path: The path where to check is specified here
- recurse: Yes/No to recursively check inside the path specified.
- state: Type i.e. directory.
-
-#### 2. Save cert
-This task takes the tlscacerts from vault and put in ansible controller.
-##### Input Variables
- * cert_path: path where the certificate getting stored
-**when**: *type* == 'ambassador'
-
-#### 3. Save key
-This task takes the tlskey from vault and put in ansible container.
-##### Input Variables
- * cert_path: path where the certificate getting stored
-**when**: *type* == 'ambassador'
-
-#### 4. Save root keychain
-This task takes the rootcakey from vault and put in ansible container.
-##### Input Variables
- * cert_path: path where the certificate getting stored
-**when**: *type* == 'rootca'
-
-#### 5. Extracting root certificate from .jks
-This task takes extracts root certificates from root,jks file from specified path
-##### Input Variables
- * cert_path: path where the certificate getting stored
-**when**: *type* == 'rootca'
diff --git a/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/tasks/main.yaml b/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/tasks/main.yaml
index ba88bf135c89..0ec7dc3a3503 100644
--- a/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/tasks/main.yaml
+++ b/platforms/hyperledger-besu/configuration/roles/setup/get_crypto/tasks/main.yaml
@@ -4,9 +4,9 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
-#############################################################################################
+##############################################################################################
# This role saves the crypto from Vault into ansible_provisioner
-#############################################################################################
+##############################################################################################
# Ensure admincerts directory is present in build
- name: Ensure directory exists
@@ -14,31 +14,37 @@
path: "{{ cert_path }}"
state: directory
-# Save the cert file
+# Save the certificate file for the 'ambassador' type
- name: Save cert
local_action: copy content="{{ vault_output['data'].data.ambassadorcrt | b64decode }}" dest="{{ cert_path }}/ambassador.crt"
when: type == "ambassador"
-# Save the key file
+
+# Save the key file for the 'ambassador' type
- name: Save key
local_action: copy content="{{ vault_output['data'].data.ambassadorkey | b64decode }}" dest="{{ cert_path }}/ambassador.key"
when: type == "ambassador"
+# Save the root CA file for the 'rootca' type
- name: Save rootca file
local_action: copy content="{{ vault_output['data'].data.rootca_pem | b64decode }}" dest="{{ cert_path }}/rootca.pem"
when: type == "rootca"
+# Save the root key file for the 'rootca' type
- name: Save root key
local_action: copy content="{{ vault_output['data'].data.rootca_key | b64decode }}" dest="{{ cert_path }}/rootca.key"
when: type == "rootca"
+# Save the node key file for the 'node' type
- name: Save nodekey file
local_action: copy content="'{{ vault_output.data.data.key }}'" dest="{{ cert_path }}/key"
when: type == "node"
+# Save the node public key file for the 'node' type
- name: Save nodepublic key
local_action: copy content="'{{ vault_output.data.data.key_pub }}'" dest="{{ cert_path }}/key.pub"
when: type == "node"
+# Save the node address file for the 'node' type
- name: Save nodeAddress file
local_action: copy content="'{{ vault_output.data.data.nodeAddress }}'" dest="{{ cert_path }}/nodeAddress"
when: type == "node"
diff --git a/platforms/hyperledger-besu/configuration/setup-cactus-connector.yaml b/platforms/hyperledger-besu/configuration/setup-cactus-connector.yaml
index db97f78a0cdc..a6b8649b0d89 100644
--- a/platforms/hyperledger-besu/configuration/setup-cactus-connector.yaml
+++ b/platforms/hyperledger-besu/configuration/setup-cactus-connector.yaml
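Review bot: The three private-key writes in this hunk (`Save key`, `Save root key`, `Save nodekey file`) hand decoded Vault secrets to `copy` with no `mode`, so `ambassador.key`, `rootca.key` and `key` are created with the controller's default umask and can end up group- or world-readable under `cert_path`. Each of those lines should carry an explicit mode, e.g. `local_action: copy content="{{ vault_output['data'].data.ambassadorkey | b64decode }}" dest="{{ cert_path }}/ambassador.key" mode=0600`, and since this commit is about comments, the new ones should flag the sensitivity: `# Save the ambassador TLS private key (sensitive; written 0600)` rather than "Save the key file". Separately, the node-type writes use `content="'{{ … }}'"`, which looks like it embeds literal single quotes in the written file; worth confirming the consumer expects that before documenting it as "the node key file".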
@@ -4,12 +4,14 @@
# SPDX-License-Identifier: Apache-2.0
##############################################################################################
----
-#######################################
# Playbook to setup the environment for running Hyperledger Bevel configurations
-# - checks and installs kubectl, helm and vault clients
-# - If cloud platform is AWS, checks and installs aws-cli and aws-authenticator
-#######################################
+##############################################################################################
+# - checks and installs kubectl, helm and vault clients
+# - If cloud platform is AWS, checks and installs aws-cli and aws-authenticator
+##############################################################################################
+
+---
+# This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group
- hosts: ansible_provisioners
gather_facts: yes
no_log: "{{ no_ansible_log | default(false) }}"
@@ -24,8 +26,9 @@
charts_dir: "platforms/hyperledger-besu/charts"
values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}"
with_items: "{{ network.organizations }}"
- vars: #These variables can be overriden from the command line
- privilege_escalate: false #Default to NOT escalate to root privledges
- install_os: "linux" #Default to linux OS
- install_arch: "amd64" #Default to amd64 architecture
- bin_install_dir: "~/bin" #Default to ~/bin install directory for binaries
+ # These variables can be overriden from the command line
+ vars:
+ privilege_escalate: false # Default to NOT escalate to root privledges
+ install_os: "linux" # Default to linux OS
+ install_arch: "amd64" # Default to amd64 architecture
+ bin_install_dir: "~/bin" # Default to ~/bin install directory for binaries
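Review bot: The comments rewritten in the `vars` block keep two typos from the old inline versions, `overriden` and `privledges`; in a commit whose purpose is comment quality they should read `# These variables can be overridden from the command line` and `privilege_escalate: false # Default to NOT escalate to root privileges`. The `privilege_escalate` comment is also the one place a reader learns the play can be run as root from the command line, so spelling it out as `# Default to NOT escalate to root privileges; set -e privilege_escalate=true only when the binaries must be installed system-wide` would make the security trade-off explicit. The play's task list continues outside the hunk.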