From 269941b4489ee068365628587ce523cd583669f1 Mon Sep 17 00:00:00 2001 From: sownak Date: Wed, 1 May 2024 09:29:50 +0000 Subject: [PATCH] [indy] Use only helm to deploy Indy network 
Signed-off-by: sownak --- platforms/hyperledger-besu/charts/README.md | 2 +- .../besu-genesis/templates/_helpers.tpl | 1 - .../charts/besu-node/README.md | 2 +- platforms/hyperledger-indy/charts/README.md | 173 ++++++-- .../charts/indy-auth-job/Chart.yaml | 11 - .../charts/indy-auth-job/README.md | 187 -------- .../indy-auth-job/templates/_helpers.tpl | 5 - .../charts/indy-auth-job/templates/job.yaml | 90 ---- .../charts/indy-auth-job/values.yaml | 79 ---- .../charts/indy-cli/README.md | 6 - .../charts/indy-domain-genesis/Chart.yaml | 12 - .../charts/indy-domain-genesis/README.md | 156 ------- .../templates/_helpers.tpl | 5 - .../templates/configmap.yaml | 18 - .../charts/indy-domain-genesis/values.yaml | 33 -- .../charts/indy-genesis/Chart.yaml | 26 ++ .../charts/indy-genesis/README.md | 125 ++++++ .../charts/indy-genesis/files/readme.txt | 1 + .../indy-genesis/templates/_helpers.tpl | 28 ++ .../indy-genesis/templates/configmap.yaml | 64 +++ .../templates/genesis-cleanup.yaml | 57 +++ .../indy-genesis/templates/genesis-job.yaml | 159 +++++++ .../charts/indy-genesis/values.yaml | 68 +++ .../charts/indy-key-mgmt/Chart.yaml | 21 +- .../charts/indy-key-mgmt/README.md | 193 +++------ .../charts/indy-key-mgmt/requirements.yaml | 11 + .../indy-key-mgmt/templates/_helpers.tpl | 33 +- .../indy-key-mgmt/templates/job-cleanup.yaml | 114 +++++ .../charts/indy-key-mgmt/templates/job.yaml | 404 +++++++----------- .../charts/indy-key-mgmt/values.yaml | 99 ++--- .../charts/indy-ledger-txn/Chart.yaml | 11 - .../charts/indy-ledger-txn/README.md | 200 --------- .../indy-ledger-txn/templates/_helpers.tpl | 5 - .../charts/indy-ledger-txn/templates/job.yaml | 120 ------ .../charts/indy-ledger-txn/values.yaml | 92 ---- .../charts/indy-node/Chart.yaml | 20 +- .../charts/indy-node/README.md | 276 +++--------- .../charts/indy-node/requirements.yaml | 7 + .../charts/indy-node/templates/_helpers.tpl | 33 +- .../charts/indy-node/templates/configmap.yaml | 31 +- 
.../charts/indy-node/templates/service.yaml | 55 ++- .../indy-node/templates/statefulset.yaml | 244 +++++------ .../charts/indy-node/values.yaml | 232 ++++------ .../charts/indy-pool-genesis/Chart.yaml | 12 - .../charts/indy-pool-genesis/README.md | 159 ------- .../indy-pool-genesis/templates/_helpers.tpl | 5 - .../charts/indy-pool-genesis/values.yaml | 32 -- .../charts/indy-register-identity/Chart.yaml | 26 ++ .../charts/indy-register-identity/README.md | 102 +++++ .../indy-register-identity/files/readme.txt | 1 + .../templates/_helpers.tpl | 28 ++ .../templates/configmap.yaml | 15 +- .../indy-register-identity/templates/job.yaml | 85 ++++ .../charts/indy-register-identity/values.yaml | 30 ++ .../noproxy-and-novault/authority-keys.yaml | 17 + .../noproxy-and-novault/genesis-sec.yaml | 14 + .../values/noproxy-and-novault/genesis.yaml | 30 ++ .../values/noproxy-and-novault/steward.yaml | 31 ++ .../noproxy-and-novault/university-keys.yaml | 22 + .../proxy-and-vault/authority-keys.yaml | 31 ++ .../values/proxy-and-vault/genesis-sec.yaml | 26 ++ .../values/proxy-and-vault/genesis.yaml | 46 ++ .../values/proxy-and-vault/steward.yaml | 31 ++ .../proxy-and-vault/university-keys.yaml | 38 ++ .../configuration/deploy-network.yaml | 1 - .../setup/vault_kubernetes/tasks/main.yaml | 4 +- .../images/indy-key-mgmt/Dockerfile | 4 +- .../images/indy-key-mgmt/README.md | 4 +- .../src/identity_crypto_generator.py | 33 +- .../src/identity_crypto_generator_v2.py | 32 +- .../images/indy-node/start-indy-node.sh | 2 +- platforms/hyperledger-indy/scripts/Setup | 5 - .../scripts/genesis/get_keys.sh | 33 ++ .../shared/charts/bevel-vault-mgmt/Chart.yaml | 2 +- .../bevel-vault-mgmt/templates/configmap.yaml | 8 + 75 files changed, 2099 insertions(+), 2319 deletions(-) delete mode 100644 platforms/hyperledger-indy/charts/indy-auth-job/Chart.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-auth-job/README.md delete mode 100644 
platforms/hyperledger-indy/charts/indy-auth-job/templates/_helpers.tpl delete mode 100644 platforms/hyperledger-indy/charts/indy-auth-job/templates/job.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-auth-job/values.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-cli/README.md delete mode 100644 platforms/hyperledger-indy/charts/indy-domain-genesis/Chart.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-domain-genesis/README.md delete mode 100644 platforms/hyperledger-indy/charts/indy-domain-genesis/templates/_helpers.tpl delete mode 100644 platforms/hyperledger-indy/charts/indy-domain-genesis/templates/configmap.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/Chart.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/README.md create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/files/readme.txt create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/templates/_helpers.tpl create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/templates/configmap.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-cleanup.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-job.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-genesis/values.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-key-mgmt/requirements.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job-cleanup.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-ledger-txn/Chart.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-ledger-txn/README.md delete mode 100644 platforms/hyperledger-indy/charts/indy-ledger-txn/templates/_helpers.tpl delete mode 100644 platforms/hyperledger-indy/charts/indy-ledger-txn/templates/job.yaml delete mode 100644 
platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-node/requirements.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-pool-genesis/Chart.yaml delete mode 100644 platforms/hyperledger-indy/charts/indy-pool-genesis/README.md delete mode 100644 platforms/hyperledger-indy/charts/indy-pool-genesis/templates/_helpers.tpl delete mode 100644 platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/Chart.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/README.md create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/files/readme.txt create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/templates/_helpers.tpl rename platforms/hyperledger-indy/charts/{indy-pool-genesis => indy-register-identity}/templates/configmap.yaml (54%) create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/templates/job.yaml create mode 100644 platforms/hyperledger-indy/charts/indy-register-identity/values.yaml create mode 100644 platforms/hyperledger-indy/charts/values/noproxy-and-novault/authority-keys.yaml create mode 100644 platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis-sec.yaml create mode 100644 platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis.yaml create mode 100644 platforms/hyperledger-indy/charts/values/noproxy-and-novault/steward.yaml create mode 100644 platforms/hyperledger-indy/charts/values/noproxy-and-novault/university-keys.yaml create mode 100644 platforms/hyperledger-indy/charts/values/proxy-and-vault/authority-keys.yaml create mode 100644 platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis-sec.yaml create mode 100644 platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis.yaml create mode 100644 platforms/hyperledger-indy/charts/values/proxy-and-vault/steward.yaml 
create mode 100644 platforms/hyperledger-indy/charts/values/proxy-and-vault/university-keys.yaml delete mode 100644 platforms/hyperledger-indy/scripts/Setup create mode 100755 platforms/hyperledger-indy/scripts/genesis/get_keys.sh diff --git a/platforms/hyperledger-besu/charts/README.md b/platforms/hyperledger-besu/charts/README.md index 3690797ea0c..c0ddcc017cd 100644 --- a/platforms/hyperledger-besu/charts/README.md +++ b/platforms/hyperledger-besu/charts/README.md @@ -6,7 +6,7 @@ # Charts for Hyperledger Besu components ## About -This folder contains the helm charts which are used for the deployment of the Hyperledger Besu components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS is fully supported. +This folder contains the helm charts which are used for the deployment of the Hyperledger Besu components. Each helm chart that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features to be enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS is fully supported. ```yaml global: diff --git a/platforms/hyperledger-besu/charts/besu-genesis/templates/_helpers.tpl b/platforms/hyperledger-besu/charts/besu-genesis/templates/_helpers.tpl index 3b8a9a0febe..48be575a0f7 100644 --- a/platforms/hyperledger-besu/charts/besu-genesis/templates/_helpers.tpl +++ b/platforms/hyperledger-besu/charts/besu-genesis/templates/_helpers.tpl @@ -27,4 +27,3 @@ Create chart name and version as used by the chart label. {{- define "besu-genesis.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} - 
diff --git a/platforms/hyperledger-besu/charts/besu-node/README.md b/platforms/hyperledger-besu/charts/besu-node/README.md index 164034fc478..434e3b1756d 100644 --- a/platforms/hyperledger-besu/charts/besu-node/README.md +++ b/platforms/hyperledger-besu/charts/besu-node/README.md @@ -14,7 +14,7 @@ helm repo add bevel https://hyperledger.github.io/bevel helm install validator-1 bevel/besu-node ``` -## Prerequisitess +## Prerequisites - Kubernetes 1.19+ - Helm 3.2.0+ diff --git a/platforms/hyperledger-indy/charts/README.md b/platforms/hyperledger-indy/charts/README.md index cd44972df0d..397176f1b13 100644 --- a/platforms/hyperledger-indy/charts/README.md +++ b/platforms/hyperledger-indy/charts/README.md 
@@ -3,40 +3,151 @@
 [//]: # (SPDX-License-Identifier: Apache-2.0)
 [//]: # (##############################################################################################)
-# Charts for Indy components
+# Charts for Hyperledger Indy components
 ## About
-This folder contains helm charts which are used by the ansible playbooks for the deployment of the component. Each chart folder contain a folder for templates, chart file and the corresponding value file.
+This folder contains the helm charts which are used for the deployment of the Hyperledger Indy components. Each helm chart that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features to be enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS ans Azure is fully supported.
-## Example Folder Structure ###
+```yaml
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: aws # choose from: minikube | aws | azure | gcp
+ cloudNativeServices: false # future: set to true to use Cloud Native Services
+ kubernetesUrl: "https://kubernetes.url" # Provide the k8s URL, ignore if not using Hashicorp Vault
+ vault:
+ type: hashicorp # choose from hashicorp | kubernetes
+ network: indy # must be indy for these charts
+ # Following are necessary only when hashicorp vault is used.
+ address: "http://vault.url:8200"
+ authPath: authority
+ secretEngine: secretsv2
+ secretPrefix: "data/authority"
+ role: vault-role
 ```
-/indy-node
-|-- templates
-| |--_helpers.tpl
-| |-- volumes.yaml
-| |-- deployment.yaml
-| |-- service.yaml
-|-- Chart.yaml
-|-- values.yaml
+
+## Usage
+
+### Pre-requisites
+
+- Kubernetes Cluster (either Managed cloud option like EKS or local like minikube)
+- Accessible and unsealed Hahsicorp Vault (if using Vault)
+- Configured Ambassador AES (if using Ambassador as proxy)
+- Update the dependencies
+ ```
+ helm dependency update indy-key-mgmt
+ helm dependency update indy-node
+ ```
+
+### _Without Proxy or Vault_
+
+> **Important:** As Indy nodes need IP Address, the no-proxy option works only with minikube or cluster with 1 node in nodepool.
+
+Replace the `publicIp` in all the files in `./values/noproxy-and-novault/` folder with the IP address of your Minikube or the single node in your Cloud Cluster.
+
+For Indy, the keys need to be created first for each organisation
+```bash
+# Create keys for first trustee
+helm install authority-keys ./indy-key-mgmt --namespace authority-ns --create-namespace --values ./values/noproxy-and-novault/authority-keys.yaml
+# Create keys for endorser and stewards from another org namespace
+helm install university-keys ./indy-key-mgmt --namespace university-ns --create-namespace --values ./values/noproxy-and-novault/university-keys.yaml
+
+# Get the public keys from Kubernetes for genesis
+cd ../scripts/genesis
+chmod +x get_keys.sh
+./get_keys.sh
+
+cd ../../charts
+# Update the IP address and Ports in ./values/noproxy-and-novault/genesis.yaml
+helm install genesis ./indy-genesis --namespace authority-ns --values ./values/noproxy-and-novault/genesis.yaml
+
+# Get the genesis files from existing authority and place in indy-genesis/files
+cd ./indy-genesis/files/
+kubectl --namespace authority-ns get configmap dtg -o jsonpath='{.data.domain_transactions_genesis}' > domain_transactions_genesis.json
+kubectl --namespace authority-ns get configmap ptg -o jsonpath='{.data.pool_transactions_genesis}' > pool_transactions_genesis.json
+
+# Run secondary genesis
+cd ../..
+helm install genesis ./indy-genesis --namespace university-ns --values ./values/noproxy-and-novault/genesis-sec.yaml
+
+# Then deploy the stewards
+helm install university-steward-1 ./indy-node --namespace university-ns --values ./values/noproxy-and-novault/steward.yaml
+helm install university-steward-2 ./indy-node --namespace university-ns --values ./values/noproxy-and-novault/steward.yaml --set settings.node.externalPort=30021 --set settings.client.externalPort=30022 --set settings.node.port=30021 --set settings.client.port=30022
+helm install university-steward-3 ./indy-node --namespace university-ns --values ./values/noproxy-and-novault/steward.yaml --set settings.node.externalPort=30031 --set settings.client.externalPort=30032 --set settings.node.port=30031 --set settings.client.port=30032
+
+# Get endorser public keys
+cd ./indy-register-identity/files
+kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json
+kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json
+# Register endorser identity from admin
+cd ../..
+helm install university-endorser-id ./indy-register-identity --namespace authority-ns
+```
+
+### _With Ambassador proxy and Vault_
+Replace the `global.vault.address`, `global.cluster.kubernetesUrl` and `publicIp` of your Ambassador Loadbalancer in all the files in `./values/proxy-and-vault/` folder.
+
+For Indy, the keys need to be created first for each organisation
+```bash
+kubectl create namespace authority-ns # if the namespace does not exist already
+# Create the roottoken secret
+kubectl -n authority-ns create secret generic roottoken --from-literal=token=
+
+kubectl create namespace university-ns # if the namespace does not exist already
+# Create the roottoken secret
+kubectl -n university-ns create secret generic roottoken --from-literal=token=
+
+# Create keys for first trustee
+helm install authority-keys ./indy-key-mgmt --namespace authority-ns --values ./values/proxy-and-vault/authority-keys.yaml
+# Create keys for endorser and stewards from another org namespace
+helm install university-keys ./indy-key-mgmt --namespace university-ns --values ./values/proxy-and-vault/university-keys.yaml
+
+# Get the public keys from Kubernetes for genesis
+cd ../scripts/genesis
+chmod +x get_keys.sh
+./get_keys.sh
+
+cd ../../charts
+# Update the IP address and Ports in ./values/proxy-and-vault/genesis.yaml
+helm install genesis ./indy-genesis --namespace authority-ns --values ./values/proxy-and-vault/genesis.yaml
+
+# Get the genesis files from existing authority and place in indy-genesis/files
+cd ./indy-genesis/files/
+kubectl --namespace authority-ns get configmap dtg -o jsonpath='{.data.domain_transactions_genesis}' > domain_transactions_genesis.json
+kubectl --namespace authority-ns get configmap ptg -o jsonpath='{.data.pool_transactions_genesis}' > pool_transactions_genesis.json
+
+# Run secondary genesis
+cd ../..
+helm install genesis ./indy-genesis --namespace university-ns --values ./values/proxy-and-vault/genesis-sec.yaml + +# Then deploy the stewards +helm install university-steward-1 ./indy-node --namespace university-ns --values ./values/proxy-and-vault/steward.yaml +helm install university-steward-2 ./indy-node --namespace university-ns --values ./values/proxy-and-vault/steward.yaml --set settings.node.externalPort=15021 --set settings.client.externalPort=15022 +helm install university-steward-3 ./indy-node --namespace university-ns --values ./values/proxy-and-vault/steward.yaml --set settings.node.externalPort=15031 --set settings.client.externalPort=15032 +helm install university-steward-4 ./indy-node --namespace university-ns --values ./values/proxy-and-vault/steward.yaml --set settings.node.externalPort=15041 --set settings.client.externalPort=15042 + +# Get endorser public keys +cd ./indy-register-identity/files +kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json +kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json +# Register endorser identity from admin +cd ../.. +helm install university-endorser-id ./indy-register-identity --namespace authority-ns ``` -## Pre-requisites - - Helm to be installed and configured - -## Charts description ## - -### 1. indy-auth-job ### -- This folder contains chart templates and default values for creation of indy authotization job. -### 2. indy-cli ### -- This folder contains chart templates and default values for creation of indy cli. -### 4. indy-domain-genesis ### -- This folder contains chart templates and default values for creation of indy domain genesis. -### 5. 
indy-key-mgmt ### -- This folder contains chart templates and default values for creation of indy key management. -### 6. indy-ledger-txn ### -- This folder contains chart templates and default values for creation of indy ledger txn. -### 7. indy-node ### -- This folder contains chart templates and default values for creation of indy node. -### 8. indy-pool-genesis ### -- This folder contains chart templates and default values for creation of indy pool genesis. +### Clean-up + +To clean up, simply uninstall the Helm releases. It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure. + +```bash +helm uninstall --namespace university-ns university-steward-1 +helm uninstall --namespace university-ns university-steward-2 +helm uninstall --namespace university-ns university-steward-3 +helm uninstall --namespace university-ns university-steward-4 +helm uninstall --namespace university-ns genesis +helm uninstall --namespace university-ns university-keys + +helm uninstall --namespace authority-ns university-endorser-id +helm uninstall --namespace authority-ns genesis +helm uninstall --namespace authority-ns authority-keys +``` diff --git a/platforms/hyperledger-indy/charts/indy-auth-job/Chart.yaml b/platforms/hyperledger-indy/charts/indy-auth-job/Chart.yaml deleted file mode 100644 index 8308f3148df..00000000000 --- a/platforms/hyperledger-indy/charts/indy-auth-job/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -appVersion: "2.0" -description: "hyperledger-indy: Creates an indy authorization job" -name: indy-auth-job -version: 1.0.0 
diff --git a/platforms/hyperledger-indy/charts/indy-auth-job/README.md b/platforms/hyperledger-indy/charts/indy-auth-job/README.md
deleted file mode 100644
index 6f21d33bba8..00000000000
--- a/platforms/hyperledger-indy/charts/indy-auth-job/README.md
+++ /dev/null
@@ -1,187 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - - -# indy-auth-job - -- [indy-auth-job Helm Chart](#indy-auth-node-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-auth-job Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-auth-job) helps to deploy indy authorization job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -indy-auth-job/ - |- templates/ - |- helpers.tpl - |- job.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `_helpers.tpl`: Contains custom label definitions used in other templates. -- `job.yaml`: This file provides information about the kubernetes job -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. -- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. 
It includes configuration for the metadata, image, node, Vault, etc. - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ------------- | -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-auth-job release | indy-auth-job | - - -### network - -| Name | Description | Default Value | -| ------------ | ------------------------------------| ---------------------- | -| name | Provide the name of the network | bevel | -| kubernetes_url | Provide the kubernetes host url | https://10.3.8.5:6443 | - -### image - -| Name | Description | Default Value | -| -------- | ----------------------------------------------------------- | ------------- | -| name | Provide the image name for the indy-auth-job container | indy-auth-job | -| repository | Provide the image repoitory for the indy-auth-job container | alpine:3.9. 
4 | - - -### vault - -| Name | Description | Default Value | -| ----------------- | ----------------------------------| -----------------------------------------| -| address | Provide the vault server address | http://54.226.163.39:8200 | -| identity | Provide the vault identity | my-identity | -| admin_auth_path | Provide the admin authpath | kubernetes-bevel-provider-admin-auth | -| policy | Provide the vault policy name | bevel-provider-steward-1-ro | -| policy_content | Provide the vault policy content | path "/kv/{{ organization }} | -| auth_path | Provide the authpath | kubernetes-bevel-provider-steward-1-auth | - -### account - -| Name | Description | Default Value | -| --------------| --------------------------------------- | --------------------------------------| -| admin_service | Provide the admin service account name | | -| admin_role | Provide the admin service account role | bevel-provider-admin-vault-auth | -| service | Provide the service account name | rw | -| role | Provide the service account role | provider-steward-1-vault-auth | - - - -## Deployment ---- - -To deploy the indy-auth-job Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-auth-job - ``` -Replace `` with the desired name for the release. - -This will deploy the indy auth job to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the jobs, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. 
- - - -## Updating the job ---- - -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-auth-job -``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. - - - -## Deletion ---- - -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. - - - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-auth-job), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). - - - -## License - -This chart is licensed under the Apache v2.0 license. - -Copyright © 2023 Accenture - -### Attribution - -This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: - -``` -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` 
diff --git a/platforms/hyperledger-indy/charts/indy-auth-job/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-auth-job/templates/_helpers.tpl
deleted file mode 100644
index d43c09d8cef..00000000000
--- a/platforms/hyperledger-indy/charts/indy-auth-job/templates/_helpers.tpl
+++ /dev/null
@@ -1,5 +0,0 @@
-{{- define "labels.custom" }}
- {{ range $key, $val := $.Values.metadata.labels }}
- {{ $key }}: {{ $val }}
- {{ end }}
-{{- end }}
diff --git a/platforms/hyperledger-indy/charts/indy-auth-job/templates/job.yaml b/platforms/hyperledger-indy/charts/indy-auth-job/templates/job.yaml
deleted file mode 100644
index 87f20ad739a..00000000000
--- a/platforms/hyperledger-indy/charts/indy-auth-job/templates/job.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-##############################################################################################
-# Copyright Accenture. All Rights Reserved.
-#
-# SPDX-License-Identifier: Apache-2.0
-##############################################################################################
-
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: "{{ $.Values.metadata.name }}"
- namespace: "{{ $.Values.metadata.namespace }}"
- labels:
- app: "{{ $.Values.metadata.name }}"
-spec:
- template:
- metadata:
- labels:
- app: "{{ $.Values.metadata.name }}"
- spec:
- restartPolicy: OnFailure
- imagePullSecrets:
- - name: "{{ $.Values.image.pullSecret }}"
- serviceAccountName: {{ $.Values.account.admin_service }}
- containers:
- - name: "{{ $.Values.image.name }}"
- image: "{{ $.Values.image.repository }}"
- imagePullPolicy: IfNotPresent
- command:
- - "sh"
- - "-c"
- - >
- apk update && apk add curl git jq;
-
- curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.15.1/bin/linux/amd64/kubectl;
-
- chmod u+x kubectl && mv kubectl /bin/kubectl;
-
-
- validateVaultResponse () {
- if [ ${1} != 200 -a ${1} != 204 ]; then
- echo "ERROR: Unable to retrieve. Http status: ${1}"
- exit 1
- fi
- };
-
- export KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token);
- export KUBE_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt);
-
- export VAULT_SA_NAME=$(kubectl get sa {{ $.Values.account.service }} -n {{ $.Values.metadata.namespace }} -o jsonpath="{.secrets[*]['name']}");
-
- export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -n {{ $.Values.metadata.namespace }} -o jsonpath="{.data.token}" | base64 -d; echo)
-
- VAULT_TOKEN="$(curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "{{ $.Values.account.admin_role }}"}' -s -k {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.admin_auth_path }}/login | jq -r '.auth.client_token')";
-
- export SA_CA_CRT_ONELINE=$(kubectl get secret $VAULT_SA_NAME -n {{ $.Values.metadata.namespace }} -o jsonpath="{.data['ca\.crt']}" | base64 -d | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}');
-
-
- # Create auth
-
- curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"type": "kubernetes"}' {{ $.Values.vault.address }}/v1/sys/auth/{{ $.Values.vault.auth_path }};
-
- curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"kubernetes_host": "{{ $.Values.network.kubernetes_url }}", "kubernetes_ca_cert": "'"$SA_CA_CRT_ONELINE"'","disable_iss_validation": "true"}' -s -k {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/config;
-
- # Check auth
-
- response_status=$(curl -s -o /dev/null -w "%{http_code}" --header "X-Vault-Token: $VAULT_TOKEN" {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/config);
-
- validateVaultResponse ${response_status};
-
-
- # Create policy
-
- curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT --data '{"policy": "{{ $.Values.vault.policy_content }}"}' {{ $.Values.vault.address }}/v1/sys/policy/{{ $.Values.vault.policy }};
-
- # Check policy
-
- response_status=$(curl -s -o /dev/null -w "%{http_code}" --header "X-Vault-Token: $VAULT_TOKEN" {{ $.Values.vault.address }}/v1/sys/policy/{{ $.Values.vault.policy }});
-
- validateVaultResponse ${response_status};
-
-
- # Create role
-
- curl -s -o /dev/null -w "%{http_code}" --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"bound_service_account_names": "{{ $.Values.account.service }}","bound_service_account_namespaces": "{{ $.Values.metadata.namespace }}","policies": ["{{ $.Values.vault.policy }}"], "ttl": 3600}' {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/role/{{ $.Values.account.role }};
-
- # Check role
-
- response_status=$(curl -s -o /dev/null -w "%{http_code}" --header "X-Vault-Token: $VAULT_TOKEN" {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/role/{{ $.Values.account.role }});
-
- validateVaultResponse ${response_status};
diff --git a/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml b/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml
deleted file mode 100644
index e71a32594ca..00000000000
--- a/platforms/hyperledger-indy/charts/indy-auth-job/values.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Default values for indy-auth-job. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - - #Provide the name for indy-auth-job release - #Eg. name: indy-auth-job - name: - -network: - #Provide the name for network - #Eg. name: bevel - name: - - #Provide the kubernetes host url - #Eg. kubernetes_url: https://10.3.8.5:6443 - kubernetes_url: - -image: - #Provide the image name for the indy-auth-job container - #Eg. name: indy-auth-job - name: - - #Provide the image repoitory for the indy-auth-job container - #Eg. repository: alpine:3.9.4 - repository: - - -vault: - #Provide the vault server address - #Eg. address: http://54.226.163.39:8200 - address: - - #Provide the vault identity - #Eg. identity: my-identity - identity: - - #Provide the admin authpath - #Eg. admin_auth_path: kubernetes-bevel-provider-admin-auth - admin_auth_path: - - #Provide the vault policy name - #Eg. policy: bevel-provider-steward-1-ro - policy: - - #Provide the vault policy content - #Eg. policy_content: path "/kv/{{ organization }}/bevel-ac/+/+/+/public*" {capabilities = [ "read", "list" ]} - policy_content: - - #Provide the authpath - #Eg. authpath: kubernetes-bevel-provider-steward-1-auth - auth_path: - -account: - #Provide the admin service account name - #Eg. admin_service: bevel-provider-admin-vault-auth - admin_service: - - #Provide the admin service account role - #Eg. admin_role: rw - admin_role: - - #Provide the service account name - #Eg. service: provider-steward-1-vault-auth - service: - - #Provide the service account role - #Eg. role: ro - role: 
diff --git a/platforms/hyperledger-indy/charts/indy-cli/README.md b/platforms/hyperledger-indy/charts/indy-cli/README.md deleted file mode 100644 index 987b5ea6923..00000000000 --- a/platforms/hyperledger-indy/charts/indy-cli/README.md +++ /dev/null @@ -1,6 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -# Hyperledger Bevel Indy indy-cli Helm chart diff --git a/platforms/hyperledger-indy/charts/indy-domain-genesis/Chart.yaml b/platforms/hyperledger-indy/charts/indy-domain-genesis/Chart.yaml deleted file mode 100644 index a38c2a093cf..00000000000 --- a/platforms/hyperledger-indy/charts/indy-domain-genesis/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -appVersion: "2.0" -description: "hyperledger-indy: Creates config map for domain transactions genesis" -name: indy-domain-genesis -version: 1.0.0 - diff --git a/platforms/hyperledger-indy/charts/indy-domain-genesis/README.md b/platforms/hyperledger-indy/charts/indy-domain-genesis/README.md deleted file mode 100644 index 64aead47c26..00000000000 --- a/platforms/hyperledger-indy/charts/indy-domain-genesis/README.md +++ /dev/null 
@@ -1,156 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - - -# indy-domain-genesis - -- [indy-domain-genesis Helm Chart](#indy-node-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-job) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-domain-genesis Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-domain-genesis) helps to deploy the indy-domain-genesis job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- Helm installed. - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -indy-domain-genesis/ - |- templates/ - |- _helpers.tpl - |- configmap.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `_helpers.tpl`: Contains custom label definitions used in other templates. -- `configmap.yaml`: This file provides information about the kubernetes configmap job -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. -- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. It includes configuration for the metadata, image, node, Vault, etc. 
- - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | --------------------| -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-domain-genesis release | indy-domain-genesis | - - -### organization - -| Name | Description | Default Value | -| ----------------| -------------------------------------------------| ------------- | -| name | Provide the namespace for organization's peer | provider | -| configmap | Provide the name for organization | configmap | - - -## Deployment ---- - -To deploy the indy-domain-genesis job Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yam) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-domain-genesis - ``` -Replace `` with the desired name for the release. - -This will deploy the indy-domain-genesis job to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the jobs, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. 
- - - -## Updating the Deployment ---- - -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-domain-genesis -``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. - - - -## Deletion ---- - -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. - - - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-auth-job), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). - - - -## License - -This chart is licensed under the Apache v2.0 license. - -Copyright © 2023 Accenture - -### Attribution - -This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: - -``` -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` 
diff --git a/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/_helpers.tpl deleted file mode 100644 index d43c09d8cef..00000000000 --- a/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/_helpers.tpl +++ /dev/null @@ -1,5 +0,0 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} diff --git a/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/configmap.yaml b/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/configmap.yaml deleted file mode 100644 index 160d30479b5..00000000000 --- a/platforms/hyperledger-indy/charts/indy-domain-genesis/templates/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $.Values.organization.name }}-dtg - namespace: {{ $.Values.metadata.namespace }} - labels: - app.kubernetes.io/name: {{ $.Values.organization.name }}-dtg - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/instance: {{ .Release.Name }} -data: - domain_transactions_genesis: | - {{ $.Values.configmap.domainGenesis | nindent 6 }} diff --git a/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml b/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml deleted file mode 100644 index 24acff6fc9b..00000000000 --- a/platforms/hyperledger-indy/charts/indy-domain-genesis/values.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Default values for indy-domain-genesis. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - - #Provide the name for indy-domain-genesis release - #Eg. name: indy-domain-genesis - name: - -organization: - #Provide the name for organization - #Eg. name: provider - name: - - configmap: - #Provide the domain Genesis - #Eg. domainGenesis: |- - # {"reqSignature":{},"txn":{"data":{"alias":"authority-trustee","dest":"68N4MNTN9K9cQJQhz4pKA2","role":"0","verkey":"3o5EVpzadvVYzT7X4sy1uD1d9zrRptQ72YiipCVyHroW"},"metadata":{},"type":"1"},"txnMetadata":{"seqNo":1},"ver":"1"} - # {"reqSignature":{},"txn":{"data":{"alias":"provider-steward-1","dest":"JerLtFwVmp8f4LS6tdTDwA","role":"2","verkey":"Ad2wXywwt8NiBDXhQU6am2CVHbHyYRRY38HCxATE7pzz"},"metadata":{"from":"68N4MNTN9K9cQJQhz4pKA2"},"type":"1"},"txnMetadata":{"seqNo":2},"ver":"1"} - # {"reqSignature":{},"txn":{"data":{"alias":"provider-steward-2","dest":"4M286TT2qVTSWn2i7d6Ggg","role":"2","verkey":"2pkLP55RVqjwPPZvRyrMXNasNxkGfvUuHs2sXgpvjgLv"},"metadata":{"from":"68N4MNTN9K9cQJQhz4pKA2"},"type":"1"},"txnMetadata":{"seqNo":3},"ver":"1"} - # {"reqSignature":{},"txn":{"data":{"alias":"partner-steward-1","dest":"Rsn88jsgAGSyABaB8b73V4","role":"2","verkey":"EZN4GQMvFhUv7jqDbf3Q7aow9Yb7JcKgidfSTR8zbsp5"},"metadata":{"from":"68N4MNTN9K9cQJQhz4pKA2"},"type":"1"},"txnMetadata":{"seqNo":4},"ver":"1"} - # 
{"reqSignature":{},"txn":{"data":{"alias":"partner-steward-2","dest":"8QrUxhXHb7v63D2PPwdZr3","role":"2","verkey":"53HWJHMUDFEaVwRLk8awK9meoatqZrqiyNsJqHP3M6sN"},"metadata":{"from":"68N4MNTN9K9cQJQhz4pKA2"},"type":"1"},"txnMetadata":{"seqNo":5},"ver":"1"} - domainGenesis: diff --git a/platforms/hyperledger-indy/charts/indy-genesis/Chart.yaml b/platforms/hyperledger-indy/charts/indy-genesis/Chart.yaml new file mode 100644 index 00000000000..c40d3ec1ac6 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/Chart.yaml @@ -0,0 +1,26 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +apiVersion: v1 +name: indy-genesis +description: "Hyperledger Indy: Genesis generator" +version: 1.1.0 +appVersion: latest +keywords: + - bevel + - identity + - indy + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org diff --git a/platforms/hyperledger-indy/charts/indy-genesis/README.md b/platforms/hyperledger-indy/charts/indy-genesis/README.md new file mode 100644 index 00000000000..f113c1263f5 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/README.md 
@@ -0,0 +1,125 @@ +[//]: # (##############################################################################################) +[//]: # (Copyright Accenture. All Rights Reserved.) +[//]: # (SPDX-License-Identifier: Apache-2.0) +[//]: # (##############################################################################################) + +# indy-genesis + +This chart is a component of Hyperledger Bevel. The indy-genesis chart creates the domain_transactions_genesis and pool_transaction_genesis files as Kubernetes config maps for Indy network. If enabled, the genesis files are then stored on the configured vault. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. + +> **Important**: All the public key files should already be placed in `files` before installing this chart. Check **Prerequisites**. + +## TL;DR + +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install genesis bevel/indy-genesis +``` + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ + +Before running indy-genesis, the public key information for each trustee and steward should be saved in the `files` directory. For example, given a trustee called `authority-trustee` and a steward called `university-steward-1`, run the following commands to save the public key info. + +> **Important**: The [indy-key-mgmt](../indy-key-mgmt/README.md) chart generates these keys, so should be installed before this chart. 
+ +```bash +cd files +# trustee files are in authority-ns namespace +trustee_namespace=authority-ns +trustee_name=authority-trustee +kubectl --namespace $trustee_namespace get secret $trustee_name-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $trustee_name-did.json +kubectl --namespace $trustee_namespace get secret $trustee_name-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $trustee_name-verkey.json + +# steward files are in university-ns namespace +steward_namespace=university-ns +steward_name=university-steward-1 +kubectl --namespace $steward_namespace get secret $steward_name-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $steward_name-did.json +kubectl --namespace $steward_namespace get secret $steward_name-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $steward_name-verkey.json +kubectl --namespace $steward_namespace get secret $steward_name-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $steward_name-blspop.json +kubectl --namespace $steward_namespace get secret $steward_name-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > $steward_name-blspub.json +``` + +## Installing the Chart + +To install the chart with the release name `genesis`: + +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install genesis bevel/indy-genesis +``` + +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `genesis` deployment: + +```bash +helm uninstall genesis +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters + +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws`, `azure` and `minikube` is tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `indy` | +| `global.vault.address`| URL of the Vault server. 
| `""` | +| `global.vault.authPath` | Authentication path for Vault | `authority` | +| `global.vault.secretEngine` | The value for vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | The value for vault secret prefix which must start with `data/` | `data/authority` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.alpineutils` | Alpine utils image repository | `ghcr.io/hyperledger/bevel-alpine-ext:latest` | +| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | + +### Settings + +| Name | Description | Default Value | +|--------|---------|-------------| +|`settings.removeGenesisOnDelete` | Setting to delete the genesis configmaps when uninstalling the release | `true` | +| `settings.secondaryGenesis` | Flag to copy genesis and static nodes from `files` for secondary members | `false` | +| `settings.trustees` | Array of trustees and the relatedß stewards with IP and port details | `- name: authority-trustee`
  `stewards:`
  `- name: university-steward-1`
      `publicIp:`
      `clientPort: 15011`
      `nodePort: 15012` | + +## License + +This chart is licensed under the Apache v2.0 license. + +Copyright © 2024 Accenture + +### Attribution + +This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: + +``` +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` diff --git a/platforms/hyperledger-indy/charts/indy-genesis/files/readme.txt b/platforms/hyperledger-indy/charts/indy-genesis/files/readme.txt new file mode 100644 index 00000000000..672160e2f49 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/files/readme.txt @@ -0,0 +1 @@ +This is a dummy file. Place the public key files in this folder. \ No newline at end of file diff --git a/platforms/hyperledger-indy/charts/indy-genesis/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-genesis/templates/_helpers.tpl new file mode 100644 index 00000000000..34fc4d9e2cb --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/templates/_helpers.tpl 
@@ -0,0 +1,28 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "indy-genesis.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "indy-genesis.fullname" -}}
+{{- $name := default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "indy-genesis.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/platforms/hyperledger-indy/charts/indy-genesis/templates/configmap.yaml b/platforms/hyperledger-indy/charts/indy-genesis/templates/configmap.yaml
new file mode 100644
index 00000000000..07526145207
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-genesis/templates/configmap.yaml
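Review bot: `indy-genesis.fullname` sets `$name := default .Chart.Name` with a single argument, which simply evaluates to `.Chart.Name` and therefore ignores the `.Values.nameOverride` that `indy-genesis.name` honours a few lines above; use `{{- $name := default .Chart.Name .Values.nameOverride -}}` so both helpers derive the same base name. Separately, the Jobs elsewhere in this chart take `metadata.name` from `indy-genesis.name` (chart name only) while `fullname`, which folds in the release name and is the conventional choice for resource names, is used only in labels, so two releases in one namespace would clash on the Job name.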
@@ -0,0 +1,64 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## +{{- if .Values.settings.secondaryGenesis }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: dtg + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ $.Release.Name }} +data: + domain_transactions_genesis: |- + {{ .Files.Get "files/domain_transactions_genesis.json" | nindent 8 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ptg + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ $.Release.Name }} +data: + pool_transactions_genesis: |- + {{ .Files.Get "files/pool_transactions_genesis.json" | nindent 8 }} +{{- else }} +{{- range .Values.settings.trustees }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .name }}-keys + namespace: {{ $.Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ $.Release.Name }} +data: + did: | +{{ $.Files.Get (printf "files/%s-did.json" .name) | replace "\"" "" | indent 4 }} + verkey: | +{{ $.Files.Get (printf "files/%s-verkey.json" .name) | replace "\"" "" | indent 4 }} +{{- range .stewards }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .name }}-keys + namespace: {{ $.Release.Namespace }} + labels: + app.kubernetes.io/instance: {{ $.Release.Name }} +data: + did: | +{{ $.Files.Get (printf "files/%s-did.json" .name) | replace "\"" "" | indent 4 }} + verkey: | +{{ $.Files.Get (printf "files/%s-verkey.json" .name) | replace "\"" "" | indent 4 }} + blspop: | +{{ $.Files.Get (printf "files/%s-blspop.json" .name) | replace "\"" "" | indent 4 }} + blspub: | +{{ $.Files.Get (printf "files/%s-blspub.json" .name) | replace "\"" "" | indent 4 }} +{{- end -}} +{{- end }} +{{- end }} 
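Review bot: Every `.Files.Get` in this template renders an empty string when the file is absent, so a missing `files/<name>-did.json` (or, with `secondaryGenesis`, a missing `files/domain_transactions_genesis.json`) installs cleanly and the genesis job downstream would pass empty `did`/`verkey` values straight into the transactions. Pipe each lookup through `required`, e.g. `{{ $.Files.Get (printf "files/%s-did.json" .name) | required (printf "files/%s-did.json not found" .name) | replace "\"" "" | indent 4 }}`, and do the same for the verkey, blspop and blspub entries and the two secondary genesis files, so the render fails instead of producing a hollow genesis. As far as the README's extraction commands show, the material stored here is public (DID, verkey, BLS public key and its proof of possession), so ConfigMaps rather than Secrets look appropriate. Note that `{{ .name }}-keys`, `dtg` and `ptg` carry no release prefix, so two releases in one namespace would collide on these names.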
diff --git a/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-cleanup.yaml b/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-cleanup.yaml
new file mode 100644
index 00000000000..0aa3b2032e6
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-cleanup.yaml
@@ -0,0 +1,57 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "indy-genesis.name" . }}-cleanup + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-delete" + helm.sh/hook-delete-policy: "hook-succeeded" + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-genesis-cleanup + app.kubernetes.io/component: genesis-cleanup + app.kubernetes.io/part-of: {{ include "indy-genesis.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +spec: + backoffLimit: 5 + template: + metadata: + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-genesis-cleanup + app.kubernetes.io/component: genesis-cleanup + app.kubernetes.io/part-of: {{ include "indy-genesis.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + spec: + restartPolicy: Never + imagePullSecrets: + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: genesis-cleanup + image: {{ .Values.image.alpineutils }} + imagePullPolicy: IfNotPresent + command: ["sh", "-c"] + args: + - | +{{- if .Values.settings.removeGenesisOnDelete }} + if kubectl get configmap --namespace {{ $.Release.Namespace }} dtg &> /dev/null; then + kubectl delete configmap --namespace {{ $.Release.Namespace }} dtg + fi + if kubectl get configmap --namespace {{ $.Release.Namespace }} ptg &> /dev/null; then + kubectl delete configmap --namespace {{ $.Release.Namespace }} ptg + fi +{{- end }} diff --git a/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-job.yaml b/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-job.yaml new file mode 100644 index 00000000000..9bff0c1fbf3 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/templates/genesis-job.yaml 
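Review bot: `helm.sh/hook-delete-policy: "hook-succeeded"` replaces Helm's implicit default of `before-hook-creation`, so if this pre-delete Job ever fails (for example because the `vault-auth` service account lacks `delete` on configmaps, which is not granted anywhere in this chart) the failed Job is left behind and the next `helm uninstall` fails on a name clash with `indy-genesis-cleanup`; use `helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"`. When `settings.removeGenesisOnDelete` is false the hook still schedules a pod that runs an empty `sh -c` script with cluster credentials, so wrap the whole Job in `{{- if .Values.settings.removeGenesisOnDelete }}` rather than only its script body. The deletion is by bare name, so any `dtg` or `ptg` configmap in the namespace that was not created by this release is removed as well; a comment stating that assumption, `# assumes dtg/ptg in this namespace belong to this release`, would at least make it explicit.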
@@ -0,0 +1,159 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "indy-genesis.name" . }} + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-delete-policy: "hook-succeeded" + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-genesis-job + app.kubernetes.io/component: genesis-job + app.kubernetes.io/part-of: {{ include "indy-genesis.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm +spec: + backoffLimit: 5 + template: + metadata: + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-genesis-job + app.kubernetes.io/component: genesis-job + app.kubernetes.io/part-of: {{ include "indy-genesis.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm + spec: + restartPolicy: OnFailure + imagePullSecrets: + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: genesis + image: {{ .Values.image.alpineutils }} + imagePullPolicy: IfNotPresent + volumeMounts: + - name: package-manager + mountPath: /scripts/package-manager.sh + subPath: package-manager.sh + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh + env: + - name: VAULT_ADDR + value: "{{ .Values.global.vault.address }}" + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" + - name: KUBERNETES_AUTH_PATH + value: "{{ .Values.global.vault.authPath }}" + - name: VAULT_APP_ROLE + value: "{{ .Values.global.vault.role }}" + - name: VAULT_TYPE + value: "{{ .Values.global.vault.type }}" + {{- end }} + command: ["sh", "-c"] + args: + - | + + #!/bin/bash +{{- if .Values.settings.secondaryGenesis }} + echo "Secondary Genesis, config maps are created from local files." 
+{{- else }} + domain_genesis="" + first_global_trustee_did="" + seqNo=1 + pool_genesis="" + pseqNo=1 + {{- range .Values.settings.trustees }} + echo "Trustee: {{ .name }}" + trustee_did=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.did}') + trustee_verkey=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.verkey}') + if [ -z "$first_global_trustee_did" ] + then + first_global_trustee_did="${trustee_did}" + JSON_STRING=$( jq -n -c \ + --arg trustee_did "${trustee_did}" \ + --arg trustee_verkey "${trustee_verkey}" \ + --arg seqNo $seqNo \ + --arg alias "{{ .name }}" \ + '{"reqSignature":{},"txn":{"data":{"alias":$alias,"dest":$trustee_did,"role":"0","verkey":$trustee_verkey},"metadata":{},"type":"1"},"txnMetadata":{"seqNo":$seqNo|tonumber},"ver":"1"}') + else + JSON_STRING=$( jq -n -c \ + --arg trustee_did "${trustee_did}" \ + --arg trustee_verkey "${trustee_verkey}" \ + --arg first_global_trustee_did "${first_global_trustee_did}" \ + --arg seqNo $seqNo \ + --arg alias "{{ .name }}" \ + '{"reqSignature":{},"txn":{"data":{"alias":$alias,"dest":$trustee_did,"role":"0","verkey":$trustee_verkey},"metadata":{"from":$first_global_trustee_did},"type":"1"},"txnMetadata":{"seqNo":$seqNo|tonumber},"ver":"1"}') + fi + seqNo=$((seqNo + 1)) + domain_genesis="${domain_genesis}${JSON_STRING}\n" + + {{- range .stewards }} + echo "Steward: {{ .name }}" + steward_did=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.did}') + steward_verkey=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.verkey}') + + JSON_STRING=$( jq -n -c \ + --arg steward_did "${steward_did}" \ + --arg trustee_did "${trustee_did}" \ + --arg steward_verkey "${steward_verkey}" \ + --arg seqNo $seqNo \ + --arg alias "{{ .name }}" \ + '{"reqSignature":{},"txn":{"data":{"alias":$alias,"dest":$steward_did,"role":"2","verkey":$steward_verkey},"metadata":{"from":$trustee_did},"type":"1"},"txnMetadata":{"seqNo":$seqNo|tonumber},"ver":"1"}') + + seqNo=$((seqNo + 1)) + 
domain_genesis="${domain_genesis}${JSON_STRING}\n" + + bls_key=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.blspub}') + bls_key_pop=$(kubectl get configmap {{ .name }}-keys -o jsonpath='{.data.blspop}') + txn_id=$(echo {{ .name }} | sha256sum | awk '{print $1}') + json=$( jq -n -c \ + --arg alias "{{ .name }}" \ + --arg blskey "${bls_key}" \ + --arg blskey_pop "${bls_key_pop}" \ + --arg client_ip "{{ .publicIp }}" \ + --arg client_port {{ .clientPort }} \ + --arg node_ip "{{ .publicIp }}" \ + --arg node_port {{ .nodePort }} \ + --arg type "VALIDATOR" \ + --arg dest "${steward_verkey}" \ + --arg from "${steward_did}" \ + --arg seqNo ${pseqNo} \ + --arg txnId "${txn_id}" \ + '{"reqSignature":{},"txn":{"data":{"data":{"alias":$alias,"blskey":$blskey,"blskey_pop":$blskey_pop,"client_ip":$client_ip,"client_port":$client_port|tonumber,"node_ip":$node_ip,"node_port":$node_port|tonumber,"services":[$type]},"dest":$dest},"metadata":{"from":$from},"type":"0"},"txnMetadata":{"seqNo":$seqNo|tonumber,"txnId":$txnId},"ver":"1"}') + + pool_genesis="${pool_genesis}${json}\n" + pseqNo=$((pseqNo + 1)) + {{- end }} + {{- end }} + + echo -e "${domain_genesis}" + kubectl create configmap --namespace {{ .Release.Namespace }} dtg --from-literal=domain_transactions_genesis="$(echo -e $domain_genesis)" + echo -e "${pool_genesis}" + kubectl create configmap --namespace {{ .Release.Namespace }} ptg --from-literal=pool_transactions_genesis="$(echo -e $pool_genesis)" +{{- end }} + volumes: + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + configMap: + name: bevel-vault-script + defaultMode: 0777 + {{- end }} + - name: package-manager + configMap: + name: package-manager + defaultMode: 0777 diff --git a/platforms/hyperledger-indy/charts/indy-genesis/values.yaml b/platforms/hyperledger-indy/charts/indy-genesis/values.yaml new file mode 100644 index 00000000000..d6e17fbdbf9 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-genesis/values.yaml 
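Review bot: The two `kubectl create configmap` calls pass `$(echo -e $domain_genesis)` and `$(echo -e $pool_genesis)` with the variable unquoted, so the shell word-splits and glob-expands the JSON before it is stored (the pool entries contain `["VALIDATOR"]`, which `sh` treats as a bracket pattern); in practice the compact jq output has no whitespace so this mostly works, but it is fragile, and `--from-literal=domain_transactions_genesis="$(echo -e "$domain_genesis")"` (likewise for `pool_transactions_genesis`) removes the hazard. None of the `did`/`verkey`/`blspub`/`blspop` values read from the `*-keys` configmaps is checked for being non-empty, so a missing file in `files/` yields a genesis with empty `dest`/`verkey`/`blskey` fields instead of a failed job; a guard such as `[ -n "$trustee_did" ] && [ -n "$trustee_verkey" ] || { echo "missing keys for {{ .name }}"; exit 1; }` after each pair of reads, and the steward/BLS equivalents, would surface it. Because `kubectl create configmap` is not idempotent and the pod restarts `OnFailure` up to `backoffLimit: 5`, a retry after `dtg` was already created fails with AlreadyExists; `kubectl create configmap ... --dry-run=client -o yaml | kubectl apply -f -` makes the step rerunnable. The Vault environment and the `bevel-vault.sh` mount are wired in under `global.vault.type == "hashicorp"` but nothing in the script uses them, so either the Vault upload the README mentions is still to come or that block should go; and `defaultMode: 0777` on both script volumes is wider than needed, `0555` suffices for files that are only read and executed.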
@@ -0,0 +1,68 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Default values for indy-genesis.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+---
+# The following are for overriding global values
+global:
+ #Provide the service account name which will be created.
+ serviceAccountName: vault-auth
+ cluster:
+ provider: aws # choose from: minikube | aws | azure | gcp
+ cloudNativeServices: false # only 'false' is implemented now
+ vault:
+ #Provide the type of vault
+ type: kubernetes # hashicorp | kubernetes
+ #Provide the vault role used.
+ role: vault-role
+ #Provide the network type
+ network: indy
+ #Provide the vault server address
+ address:
+ #Provide the vault authPath configured to be used.
+ authPath: authority
+ #Provide the secret engine.
+ secretEngine: secretsv2
+ #Provide the vault path where the secrets will be stored
+ secretPrefix: "data/authority"
+
+image:
+ #Provide the image for the job container
+ #Eg. alpineutils: ghcr.io/hyperledger/bevel-alpine-ext:latest
+ alpineutils: ghcr.io/hyperledger/bevel-alpine-ext:latest
+ #Provide the secret to use if private repository
+ #Eg. pullSecret: regcred
+ pullSecret:
+
+settings:
+ # Flag to ensure the genesis configmaps are removed on helm uninstall
+ removeGenesisOnDelete: true
+ # Flag to copy domain and pool genesis from files for secondary members
+ secondaryGenesis: false
+ # Provide the steward details by following trustee tree as per example below
+ trustees:
+ - name: authority-trustee
+ stewards:
+ - name: university-steward-1 # Steward name
+ publicIp: # Steward public IP Address /Kubernetes API IP for noproxy
+ nodePort: 15011 # Node external port
+ clientPort: 15012 # Client external port
+ # - name: university-steward-2
+ # publicIp:
+ # nodePort: 15021
+ # clientPort: 15022
+ # - name: partner-trustee
+ # stewards:
+ # - name: partner-steward-1
+ # publicIp:
+ # nodePort: 15031
+ # clientPort: 15032
+ # - name: partner-steward-2
+ # publicIp:
+ # nodePort: 15041
+ # clientPort: 15042
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/Chart.yaml b/platforms/hyperledger-indy/charts/indy-key-mgmt/Chart.yaml
index ccae66eba31..5b7e293fb62 100644
--- a/platforms/hyperledger-indy/charts/indy-key-mgmt/Chart.yaml
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/Chart.yaml
@@ -5,7 +5,22 @@
 ##############################################################################################
 apiVersion: v1
-appVersion: "2.0"
-description: "hyperledger-indy: indy-key-mgmt"
 name: indy-key-mgmt
-version: 1.0.0
+description: "hyperledger Indy: Keys generator"
+version: 1.1.0
+appVersion: latest
+keywords:
+ - bevel
+ - identity
+ - indy
+ - hyperledger
+ - enterprise
+ - blockchain
+ - deployment
+ - accenture
+home: https://hyperledger-bevel.readthedocs.io/en/latest/
+sources:
+ - https://github.com/hyperledger/bevel
+maintainers:
+ - name: Hyperledger Bevel maintainers
+ email: bevel@lists.hyperledger.org
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md b/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md
index a6b009f4cfd..f7bff6e576b 100644
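Review bot: `settings.trustees[].stewards[].publicIp` ships empty and its comment does not say the value is mandatory, yet the genesis job template in the preceding hunk (whose start is outside this view) passes it straight through as both `client_ip` and `node_ip` of the VALIDATOR transaction, so a default install produces a pool genesis whose node addresses are empty strings. The comment should make the requirement explicit, e.g. `publicIp: # Required: public IP of the steward node; written as node_ip/client_ip into the pool genesis`. The same applies to `nodePort`/`clientPort`, which are interpolated unquoted into `--arg` and would shift jq's arguments if left blank.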
--- a/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/README.md
@@ -3,170 +3,89 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - # indy-key-mgmt -- [indy-key-mgmt Helm Chart](#indy-node-deployment-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-job) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-key-mgmt Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-key-mgmt) helps to deploy the indy-key-mgmt job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. +This chart is a component of Hyperledger Bevel. The indy-key-mgmt chart generates the various keys needed for a Hyperledger Indy node. If enabled, the keys are then stored on the configured vault and stored as Kubernetes secrets. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for details. - -## Chart Structure ---- -The structure of the Helm chart is as follows: +## TL;DR +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install authority-keys bevel/indy-key-mgmt ``` -indy-key-mgmt/ - |- templates/ - |- _helpers.tpl - |- configmap.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `_helpers.tpl`: Contains custom label definitions used in other templates. 
-- `configmap.yaml`: This file provides information about the kubernetes configmap job -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. -- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. It includes configuration for the metadata, image, node, Vault, etc. - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ----------------| -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-key-mgmt release | indy-key-mgmt | - -### network - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ------------- | -| name | Provide the name for network | bevel | - -### image -| Name | Description | Default Value | -| ----------------| ----------------------------------------------------------- | ----------------| -| name | Provide the image name for the indy-key-mgmt container | indy-key-mgmt | -| repository | Provide the image repository for the indy-key-mgmt container | ind-key-mgmt:lts| -| pullSecret | Provide the image pull secret of image | regcred | - -### vault - -| Name | Description | Default Value | -| ---------------- | ------------------------------------------- | ------------- | -| address | Provide the vault server address | http://54.226.163.39:8200 | -| version | Provide the vault secret version address | "1 or 2" | -| keyPath | Provide the key path for vault | provider.stewards | -| 
identity | Provide the identity for vault | my-identity | -| auth_path | Provide the authpath | kubernetes-bevel-provider-admin-auth | -| certsecretprefix | Provide the vault path where the certificates are stored | secret/organisation-name | -| retries | Provide The amount of times to retry fetching from/writing to Vault before giving up | "10" | -| sleepTimeAfterError | The amount of time in seconds to wait after an error occurs when fetching from/writing to Vault"" | "15" | +## Prerequisites +- Kubernetes 1.19+ +- Helm 3.2.0+ +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ -### account - -| Name | Description | Default Value | -| --------| --------------------------------- | ------------- | -| service | Provide the service account name | vault-auth-provider-agent-app | -| role |Provide the service account role | ro | - - - -## Deployment ---- - -To deploy the indy-key-mgmt job Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yam) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-key-mgmt - ``` -Replace `` with the desired name for the release. - -This will deploy the indy-key-mgmt job to the Kubernetes cluster based on the provided configurations. +> **Important**: Also check the dependent charts. +## Installing the Chart - -## Verification ---- +To install the chart with the release name `authority-keys`: -To verify the jobs, we can use the following command: +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install authority-keys bevel/indy-key-mgmt ``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. 
- - -## Updating the deployment ---- +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-key-mgmt -``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. +> **Tip**: List all releases using `helm list` +## Uninstalling the Chart - -## Deletion ---- +To uninstall/delete the `authority-keys` deployment: -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall +```bash +helm uninstall authority-keys ``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-auth-job), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +## Parameters +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth and k8S Secret management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS, AKS or minikube. 
Currently ony `aws`, `azure` and `minikube` is tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.cluster.kubernetesUrl` | URL of the Kubernetes Cluster | `""` | +| `global.vault.type` | Type of Vault to support other providers. Currently, only `hashicorp` and `kubernetes` is supported. | `hashicorp` | +| `global.vault.role` | Role used for authentication with Vault | `vault-role` | +| `global.vault.network` | Network type that is being deployed | `indy` | +| `global.vault.address`| URL of the Vault server. | `""` | +| `global.vault.authPath` | Authentication path for Vault | `authority` | +| `global.vault.secretEngine` | The value for vault secret engine name | `secretsv2` | +| `global.vault.secretPrefix` | The value for vault secret prefix which must start with `data/` | `data/authority` | + +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.keyUtils` | Indy Key Gen image repository for the Indy version | `ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6` | +| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | + +### Settings + +| Name | Description | Default Value | +|--------|---------|-------------| +|`settings.removeKeysOnDelete` | Setting to delete the keys when uninstalling the release | `true` | +| `settings.identities.trustee` | Single trustee identity to be created for the organization. Set to empty if not needed | `authority-trustee` | +| `settings.identities.endorser` | Single endorser identity to be created for the organization. Set to empty if not needed | `""` | +| `settings.identities.stewards` | Array of steward identities to be created for the orgnaization. Set to empty if not needed | `[]` | - ## License This chart is licensed under the Apache v2.0 license. 
-Copyright © 2023 Accenture
+Copyright © 2024 Accenture
 ### Attribution
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/requirements.yaml b/platforms/hyperledger-indy/charts/indy-key-mgmt/requirements.yaml
new file mode 100644
index 00000000000..b1195396c5f
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/requirements.yaml
@@ -0,0 +1,11 @@
+dependencies:
+ - name: bevel-vault-mgmt
+ repository: "file://../../../shared/charts/bevel-vault-mgmt"
+ tags:
+ - bevel
+ version: ~1.0.0
+ - name: bevel-scripts
+ repository: "file://../../../shared/charts/bevel-scripts"
+ tags:
+ - bevel
+ version: ~1.0.0
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/_helpers.tpl
index d43c09d8cef..0d54910e220 100644
--- a/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/_helpers.tpl
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/_helpers.tpl
@@ -1,5 +1,28 @@
-{{- define "labels.custom" }}
- {{ range $key, $val := $.Values.metadata.labels }}
- {{ $key }}: {{ $val }}
- {{ end }}
-{{- end }}
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "indy-key-mgmt.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "indy-key-mgmt.fullname" -}}
+{{- $name := default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "indy-key-mgmt.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job-cleanup.yaml b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job-cleanup.yaml
new file mode 100644
index 00000000000..61ba3d89a37
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job-cleanup.yaml
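Review bot: `indy-key-mgmt.fullname` ignores `.Values.nameOverride` while `indy-key-mgmt.name` honours it, so a release that sets `nameOverride` gets a Job named from the override but an `app.kubernetes.io/part-of` label derived from the raw chart name. `default .Chart.Name` with a single argument simply yields `.Chart.Name`, which suggests the second argument was dropped from the usual boilerplate; `{{- $name := default .Chart.Name .Values.nameOverride -}}` keeps the two helpers consistent. If a `fullnameOverride` is intended for this chart as well, the helper comment should say so.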
@@ -0,0 +1,114 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "indy-key-mgmt.name" . }}-cleanup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook-weight: "0"
+ helm.sh/hook: "pre-delete"
+ helm.sh/hook-delete-policy: "hook-succeeded"
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: indy-key-mgmt-cleanup
+ app.kubernetes.io/component: key-mgmt-cleanup
+ app.kubernetes.io/part-of: {{ include "indy-key-mgmt.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+spec:
+ backoffLimit: 3
+ completions: 1
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: indy-key-mgmt-cleanup
+ app.kubernetes.io/component: key-mgmt-cleanup
+ app.kubernetes.io/part-of: {{ include "indy-key-mgmt.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+ spec:
+ restartPolicy: Never
+ imagePullSecrets:
+ {{- if .Values.image.pullSecret }}
+ - name: {{ .Values.image.pullSecret }}
+ {{- end }}
+ serviceAccountName: {{ .Values.global.serviceAccountName }}
+ containers:
+ - name: cleanup-keys
+ image: {{ .Values.image.keyUtils }}
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: package-manager
+ mountPath: /scripts/package-manager.sh
+ subPath: package-manager.sh
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+
+ # Install necessary packages using custom package manager script
+ . /scripts/package-manager.sh
+ packages_to_install="curl"
+ install_packages "$packages_to_install"
+ # Download kubectl binary
+ curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl;
+ chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl;
+
+ #function to delete kubernetes secrets
+ function deleteAllSecret {
+ identity=$1
+ secretData=$2
+ jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$secretData" | \
+ while read -r key value; do
+ jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$value" | \
+ while read -r subkey subvalue; do
+ if [ "$key" == "identity" ]; then
+ # Do not iterate as identity has only 1 level of keys
+ secretName=$(echo "$identity-$key-$subkey" |sed 's/_/-/g')
+ if kubectl get secret --namespace {{ $.Release.Namespace }} $secretName &> /dev/null; then
+ kubectl delete secret --namespace {{ $.Release.Namespace }} $secretName
+ fi
+ else
+ # Otherwise, iterate over next set of key-value pairs
+ jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$subvalue" | \
+ while read -r key1 value1; do
+ secretName=$(echo "$identity-$key-$subkey-$key1" |sed 's/_/-/g')
+ if kubectl get secret --namespace {{ $.Release.Namespace }} $secretName &> /dev/null; then
+ kubectl delete secret --namespace {{ $.Release.Namespace }} $secretName
+ fi
+ done
+ fi
+ done
+ done
+ }
+
+{{- if .Values.settings.removeKeysOnDelete }}
+ echo "Deleting Kubernetes Secrets"
+ {{- if .Values.settings.identities.trustee }}
+ trustees_json=$(generate_identity {{ .Values.settings.identities.trustee }} trustees)
+ json=$(echo "$trustees_json" | jq -r '.trustees."{{ .Values.settings.identities.trustee }}"')
+ deleteAllSecret "{{ .Values.settings.identities.trustee }}" "$json"
+ {{- end }}
+ {{- if .Values.settings.identities.endorser }}
+ endorsers_json=$(generate_identity {{ .Values.settings.identities.endorser }} endorsers)
+ json=$(echo "$endorsers_json" | jq -r '.endorsers."{{ .Values.settings.identities.endorser }}"')
+ deleteAllSecret "{{ .Values.settings.identities.endorser }}" "$json"
+ {{- end }}
+ {{- range .Values.settings.identities.stewards }}
+ stewards_json=$(generate_identity {{ . }} stewards)
+ json=$(echo "$stewards_json" | jq -r '.stewards."{{ . }}"')
+ deleteAllSecret "{{ . }}" "$json"
+ {{- end }}
+{{- end }}
+ volumes:
+ - name: package-manager
+ configMap:
+ name: package-manager
+ defaultMode: 0777
diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job.yaml b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job.yaml
index dd65c746a12..652fffa6af0 100644
--- a/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job.yaml
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/templates/job.yaml
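Review bot: The cleanup job fetches `kubectl` at run time with `curl -LO` and no integrity check, then runs it under the service account that is permitted to delete the key secrets, so what the job executes depends on whatever the remote host serves at that moment; the same download appears in the job.yaml hunk that starts at the next file header. Either bake the binary into `image.keyUtils` or verify a digest pinned in the chart before use, e.g. `echo "<EXPECTED_KUBECTL_SHA256>  kubectl" | sha256sum -c - || exit 1` between the `curl` and the `chmod`. Separately, the script runs without `set -e`, so if `generate_identity` (not defined here, presumably supplied by the image) fails, `$json` is empty, `deleteAllSecret` deletes nothing and the pre-delete hook still reports success, leaving the secrets behind despite `removeKeysOnDelete: true`; a `set -euo pipefail` at the top of the block scalar, or a non-empty check on `$json`, would surface that. Minor: `defaultMode: 0777` on the package-manager ConfigMap mount is broader than the script needs; `0555` is enough to execute it.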
@@ -7,276 +7,172 @@ apiVersion: batch/v1 kind: Job metadata: - name: "{{ $.Values.metadata.name }}" - namespace: "{{ $.Values.metadata.namespace }}" + name: {{ include "indy-key-mgmt.name" . }}-job + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook-delete-policy: "hook-succeeded" labels: - app: "{{ $.Values.metadata.name }}" + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-key-mgmt-job + app.kubernetes.io/component: key-mgmt-job + app.kubernetes.io/part-of: {{ include "indy-key-mgmt.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm spec: + backoffLimit: 3 template: metadata: labels: - app: "{{ $.Values.metadata.name }}" + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-key-mgmt-job + app.kubernetes.io/component: key-mgmt-job + app.kubernetes.io/part-of: {{ include "indy-key-mgmt.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm spec: restartPolicy: OnFailure imagePullSecrets: - - name: "{{ $.Values.image.pullSecret }}" - serviceAccountName: {{ $.Values.account.service }} + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} containers: - - name: "{{ $.Values.image.name }}" - image: "{{ $.Values.image.repository }}" + - name: generate-keys + image: {{ .Values.image.keyUtils }} imagePullPolicy: IfNotPresent + volumeMounts: + - name: package-manager + mountPath: /scripts/package-manager.sh + subPath: package-manager.sh + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + mountPath: /scripts/bevel-vault.sh + subPath: bevel-vault.sh + env: + - name: VAULT_ADDR + value: "{{ .Values.global.vault.address }}" + - name: VAULT_SECRET_ENGINE + value: "{{ .Values.global.vault.secretEngine }}" + - name: 
VAULT_SECRET_PREFIX + value: "{{ .Values.global.vault.secretPrefix }}" + - name: KUBERNETES_AUTH_PATH + value: "{{ .Values.global.vault.authPath }}" + - name: VAULT_APP_ROLE + value: "{{ .Values.global.vault.role }}" + - name: VAULT_TYPE + value: "{{ .Values.global.vault.type }}" + {{- end }} command: ["/bin/bash", "-c"] args: - - |- - apt-get update; - apt-get install curl -y; - validateVaultResponse () { - if echo ${2} | grep "errors"; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - if [ "$3" == "LOOKUPSECRETRESPONSE" ] + - | + + # Install necessary packages using custom package manager script + . /scripts/package-manager.sh + packages_to_install="curl" + install_packages "$packages_to_install" + # Download kubectl binary + curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.27.0/bin/linux/amd64/kubectl; + chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl; + +{{- if eq .Values.global.vault.type "hashicorp" }} + . /scripts/bevel-vault.sh + echo "Getting Vault Token..." + vaultBevelFunc "init" + # Function to store secrets into Vault as well as K8s + function safeWriteSecret { + path=$1 + subpath=$2 + value=$3 + secretName=$(echo $subpath | sed 's/\//-/g' |sed 's/_/-/g') + vaultBevelFunc "readJson" "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${path}/${subpath}" + if [ "$SECRETS_AVAILABLE" == "yes" ] then - http_code=$(curl -sS -o /dev/null -w "%{http_code}" \ - --header "X-Vault-Token: ${VAULT_TOKEN}" \ - ${VAULT_ADDR}/v1/${1}) - curl_response=$? - if test "$http_code" != "200" ; then - echo "Http response code from Vault - $http_code" - if test "$curl_response" != "0"; then - echo "Error: curl command failed with error code - $curl_response" - exit 1 - fi + # Create the Kubernetes Secret with data from Vault + echo "Secret found in Vault, only creating k8s secrets" + kubectl get secret --namespace {{ $.Release.Namespace }} "${secretName}" + if [ $? 
-ne 0 ]; then + kubectl create secret --namespace {{ $.Release.Namespace }} generic "${secretName}" --from-literal="value=${VAULT_SECRET}" fi + else + echo "Secret to be created on Vault and k8s" + # Store the value in Vault + echo " + { + \"data\": $value + }" > payload.json + + vaultBevelFunc 'write' "${VAULT_SECRET_ENGINE}/${VAULT_SECRET_PREFIX}/${path}/${subpath}" 'payload.json' + rm payload.json + # Create the Kubernetes Secret using kubectl + kubectl create secret --namespace {{ $.Release.Namespace }} generic "${secretName}" --from-literal="value=$value" fi } - - KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token); - curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "{{ $.Values.account.role }}"}' {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/login | jq -j '.auth.client_token' > token; - VAULT_TOKEN=$(cat token); - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/auth/token/lookup-self) - validateVaultResponse ${response_status}; - - {{- if eq $.Values.vault.version "2" }} - generate_identityv2 {{ $.Values.vault.identity }} {{ $.Values.vault.keyPath }} vault {{ $.Values.vault.address }} 2 - {{- else }} - generate_identity {{ $.Values.vault.identity }} {{ $.Values.vault.keyPath }} vault {{ $.Values.vault.address }} - {{- end }} - - echo "Check if certs are stored in vault" - curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "{{ $.Values.account.role }}"}' {{ $.Values.vault.address }}/v1/auth/{{ $.Values.vault.auth_path }}/login | jq -j '.auth.client_token' > token; - VAULT_TOKEN=$(cat token); - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/auth/token/lookup-self) - validateVaultResponse ${response_status}; - - trustees_path={{ $.Values.vault.certsecretprefix }}/data/trustees - stewards_path={{ $.Values.vault.certsecretprefix 
}}/data/stewards - endorsers_path={{ $.Values.vault.certsecretprefix }}/data/endorsers - - client_public_keys=false client_verif_keys=false client_private_keys=false client_sig_keys=false identity_private_keys=false identity_public_keys=false node_verif_keys=false node_bls_keys=false node_public_keys=false node_sig_keys=false node_private_bls_keys=false node_private_keys=false - COUNTER=1 - while [ ${COUNTER} -lt {{ $.Values.vault.retries }} ] - do - # client_public_keys=false client_verif_keys=false client_private_keys=false client_sig_keys=false identity_private_keys=false identity_public_keys=false node_verif_keys=false node_bls_keys=false node_public_keys=false node_sig_keys=false node_private_bls_keys=false node_private_keys=false - - for field in $stewards_path $endorsers_path $trustees_path - do - if [ "$client_public_keys" == false ] - then - # Check if client public keys are stored in vault or not - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/client/public/public_keys | jq -r 'if .errors then . else . end') - public_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["public_key"]' 2>&1) - if [ "$public_key" == "null" ] || [ "$public_key" == "parse error"* ] - then - client_public_keys=false - echo "Client public keys are not present in vault" - else - client_public_keys=true - echo "Successfully got client public keys" - fi - fi - - # Check if client verif keys are stored in vault or not - if [ "$client_verif_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/client/public/verif_keys | jq -r 'if .errors then . else . 
end') - verification_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["verification-key"]' 2>&1) - if [ "$verification_key" == "null" ] || [ "$verification_key" == "parse error"* ] - then - client_verif_keys=false - echo "Client verif keys are not present in vault" - else - client_verif_keys=true - echo "Successfully got client verification keys" - fi - fi - - # Check if client private keys are stored in vault or not - if [ "$client_private_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/client/private/private_keys | jq -r 'if .errors then . else . end') - private_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["{{ $.Values.vault.identity }}C.key_secret"]' 2>&1) - if [ "$private_key" == "null" ] || [ "$private_key" == "parse error"* ] - then - client_private_keys=false - echo "Client private keys are not present in vault" - else - client_private_keys=true - echo "Successfully got client private keys" - fi - fi - - # Check if client sig keys are stored in vault or not - if [ "$client_sig_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/client/private/sig_keys | jq -r 'if .errors then . else . 
end') - sig_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["{{ $.Values.vault.identity }}C.key_secret"]' 2>&1) - if [ "$sig_key" == "null" ] || [ "$sig_key" == "parse error"* ] - then - client_sig_keys=false - echo "Client sig keys are not present in vault" - else - client_sig_keys=true - echo "Successfully got client private signature keys" - fi - fi - - # Check if identity private keys are stored in vault or not - if [ "$identity_private_keys" == false ] - then - # Check if identity keys are stored in vault or not - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/identity/private | jq -r 'if .errors then . else . end') - private_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["seed"]' 2>&1) - if [ "$private_key" == "null" ] || [ "$private_key" == "parse error"* ] - then - identity_private_keys=false - echo "Identity private keys are not present in vault" - else - identity_private_keys=true - echo "Successfully got identity private keys" - fi - fi - - # Check if identity public keys are stored in vault or not - if [ "$identity_public_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/identity/public | jq -r 'if .errors then . else . 
end') - public_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["did"]' 2>&1) - if [ "$public_key" == "null" ] || [ "$public_key" == "parse error"* ] - then - identity_public_keys=false - echo "Identity public keys are not present in vault" - else - identity_public_keys=true - echo "Successfully got identity public keys" - fi - fi - - # Check if node verif keys are stored in vault or not - if [ "$node_verif_keys" == false ] - then - # Check if node keys are stored in vault or not - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/public/verif_keys | jq -r 'if .errors then . else . end') - verification_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["verification-key"]' 2>&1) - if [ "$verification_key" == "null" ] || [ "$verification_key" == "parse error"* ] - then - node_verif_keys=false - echo "Node verif keys are not present in vault" - else - node_verif_keys=true - echo "Successfully got node verification keys" - fi - fi - - # Check if node bls keys are stored in vault or not - if [ "$node_bls_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/public/bls_keys | jq -r 'if .errors then . else . 
end') - bls_public_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["bls-public-key"]' 2>&1) - bls_key_pop=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["bls-key-pop"]' 2>&1) - bls_pk=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["bls_pk"]' 2>&1) - if [ "$bls_public_key" = "null" ] || [ "$bls_key_pop" = "null" ] || [ "$bls_pk" = "null" ] || [ "$bls_public_key" == "parse error"* ] || [ "$bls_key_pop" == "parse error"* ] || [ "$bls_pk" == "parse error"* ] - then - node_bls_keys=false - echo "Node bls keys are not present in vault" - else - node_bls_keys=true - echo "Successfully got node bls keys" - fi - fi - - # Check if node public keys are stored in vault or not - if [ "$node_public_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/public/public_keys | jq -r 'if .errors then . else . end') - public_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["public_key"]' 2>&1) - if [ "$public_key" == "null" ] || [ "$public_key" == "parse error"* ] - then - node_public_keys=false - echo "Node public keys are not present in vault" - else - node_public_keys=true - echo "Successfully got node public keys" - fi - fi - - # Check if node sig keys are stored in vault or not - if [ "$node_sig_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/private/sig_keys | jq -r 'if .errors then . else . 
end') - sig_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["{{ $.Values.vault.identity }}.key_secret"]' 2>&1) - if [ "$sig_key" == "null" ] || [ "$sig_key" == "parse error"* ] - then - node_sig_keys=false - echo "Node sig keys are not present in vault" - else - node_sig_keys=true - echo "Successfully got node private signature keys" - fi - fi - - # Check if node private bls keys are stored in vault or not - if [ "$node_private_bls_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/private/bls_keys | jq -r 'if .errors then . else . end') - bls_sk=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["bls_sk"]' 2>&1) - if [ "$bls_sk" == "null" ] || [ "$bls_sk" == "parse error"* ] - then - node_private_bls_keys=false - echo "Node private bls keys are not present in vault" - else - node_private_bls_keys=true - echo "Successfully got node private bls keys" - fi - fi - - # Check if node private keys are stored in vault or not - if [ "$node_private_keys" == false ] - then - LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_TOKEN}" {{ $.Values.vault.address }}/v1/${field}/{{ $.Values.vault.identity }}/node/private/private_keys | jq -r 'if .errors then . else . 
end') - private_key=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["{{ $.Values.vault.identity }}.key_secret"]' 2>&1) - if [ "$private_key" == "null" ] || [ "$private_key" == "parse error"* ] - then - node_private_keys=false - echo "Node private keys are not present in vault" +{{- else }} + # When Vault type is not hahsicorp + # function to create kubernetes secrets, add additional conditions here if cloud KMS is used + function safeWriteSecret { + path=$1 + subpath=$2 + value=$3 + secretName=$(echo $subpath | sed 's/\//-/g' |sed 's/_/-/g') + # Create the Kubernetes Secret using kubectl + kubectl get secret --namespace {{ $.Release.Namespace }} "${secretName}" + if [ $? -ne 0 ]; then + kubectl create secret --namespace {{ $.Release.Namespace }} generic "${secretName}" --from-literal="value=$value" + fi + } +{{- end }} + # function to write/save all secrets by parsing the json + function writeAllSecret { + identity=$1 + secretData=$2 + path=$3 + jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$secretData" | \ + while read -r key value; do + jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$value" | \ + while read -r subkey subvalue; do + if [ "$key" == "identity" ]; then + # Do not iterate as identity has only 1 level of keys + safeWriteSecret $path "$identity/$key/$subkey" "$subvalue" else - node_private_keys=true - echo "Successfully got node private keys" + # Otherwise, iterate over next set of key-value pairs + jq -r 'to_entries[] | "\(.key) \(.value)"' <<< "$subvalue" | \ + while read -r key1 value1; do + safeWriteSecret $path "$identity/$key/$subkey/$key1" "$value1" + done fi - fi - - if [ "$client_public_keys" == true ] || [ "$client_verif_keys" == true ] || [ "$client_private_keys" == true ] || [ "$client_sig_keys" == true ] || [ "$identity_private_keys" == true ] || [ "$identity_public_keys" == true ] || [ "$node_verif_keys" == true ] || [ "$node_bls_keys" == true ] || [ "$node_public_keys" == true ] || [ "$node_sig_keys" == true ] || [ 
"$node_private_bls_keys" == true ] || [ "$node_private_keys" == true ] - then - echo "All crypto materials are successfully stored in vault" - break - else - echo "Crypto materials are not stored in vault" - if [ "$COUNTER" -ge {{ $.Values.vault.retries }} ] - then - echo "Retry attempted $COUNTER times, certificates have not been saved in vault" - exit 1 - fi - fi + done done - COUNTER=`expr "$COUNTER" + 1` - done + } + echo "Generating the secrets for each identity" + {{- if .Values.settings.identities.trustee }} + trustees_json=$(generate_identity {{ .Values.settings.identities.trustee }} trustees) + # Parse the JSON and create Kubernetes secrets + json=$(echo "$trustees_json" | jq -r '.trustees."{{ .Values.settings.identities.trustee }}"') + writeAllSecret "{{ .Values.settings.identities.trustee }}" "$json" "trustees" + {{- end }} + {{- if .Values.settings.identities.endorser }} + endorsers_json=$(generate_identity {{ .Values.settings.identities.endorser }} endorsers) + # Parse the JSON and create Kubernetes secrets + json=$(echo "$endorsers_json" | jq -r '.endorsers."{{ .Values.settings.identities.endorser }}"') + writeAllSecret "{{ .Values.settings.identities.endorser }}" "$json" "endorsers" + {{- end }} + {{- range .Values.settings.identities.stewards }} + stewards_json=$(generate_identity {{ . }} stewards) + # Parse the JSON and create Kubernetes secrets + json=$(echo "$stewards_json" | jq -r '.stewards."{{ . }}"') + writeAllSecret "{{ . }}" "$json" "stewards" + {{- end }} + volumes: + {{- if eq .Values.global.vault.type "hashicorp" }} + - name: scripts-volume + configMap: + name: bevel-vault-script + defaultMode: 0777 + {{- end }} + - name: package-manager + configMap: + name: package-manager + defaultMode: 0777 diff --git a/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml b/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml index f877a088930..81ea01bfa72 100644 --- a/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml 
+++ b/platforms/hyperledger-indy/charts/indy-key-mgmt/values.yaml 
@@ -3,74 +3,47 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## - -# Default values for indy-key-mgmt. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - - #Provide the name for indy-key-mgmt release - #Eg. name: indy-key-mgmt - name: - -network: - #Provide the name for network - #Eg. name: bevel - name: +--- +# The following are for overriding global values +global: + #Provide the service account name which will be created. + serviceAccountName: vault-auth + cluster: + provider: aws # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # only 'false' is implemented + #Provide the kubernetes host url + #Eg. kubernetesUrl: https://10.3.8.5:8443 + kubernetesUrl: + vault: + #Provide the type of vault + type: hashicorp # hashicorp | kubernetes + #Provide the vault role used. + role: vault-role + #Provide the network type + network: indy + #Provide the vault server address + address: + #Provide the vault authPath configured to be used. + authPath: authority + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/authority" image: - #Provide the image name for the indy-key-mgmt container - #Eg. name: indy-key-mgmt - name: - - #Provide the image repository for the indy-key-mgmt container - #Eg. repository: indy-key-mgmt:latest - repository: - - #Provide the image pull secret of image + #Provide the image for the job container + #Eg. keyUtils: ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6 + keyUtils: ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6 + #Provide the secret to use if private repository #Eg. 
pullSecret: regcred pullSecret: +settings: + removeKeysOnDelete: true + identities: + trustee: authority-trustee + endorser: + stewards: [] -vault: - #Provide the vault server address - #Eg. address: http://54.226.163.39:8200 - address: - - #Provide the vault secret version address - # Supported are "1" or "2" - version: "1" - - #Provide the key path for vault - #Eg. keyPath: provider.stewards - keyPath: - - #Provide the identity for vault - #Eg. identity: my-identity - identity: - - #Provide the authpath - #Eg. authpath: kubernetes-bevel-provider-admin-auth - auth_path: - # Provide the vault path where the certificates are stored - # Eg. certsecretprefix: secret/organisation-name - certsecretprefix: - # The amount of times to retry fetching from/writing to Vault before giving up. - # Eg. retries: 10 - retries: 10 - # The amount of time in seconds to wait after an error occurs when fetching from/writing to Vault. - # Eg. sleepTimeAfterError: 15 - sleepTimeAfterError: 15 - -account: - #Provide the service account name - #Eg. service: vault-auth-provider-agent-app - service: - - #Provide the service account role - #Eg. role: ro - role: diff --git a/platforms/hyperledger-indy/charts/indy-ledger-txn/Chart.yaml b/platforms/hyperledger-indy/charts/indy-ledger-txn/Chart.yaml deleted file mode 100644 index 8590567a4f3..00000000000 --- a/platforms/hyperledger-indy/charts/indy-ledger-txn/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -appVersion: "2.0" -description: "hyperledger-indy: Indy Ledger Script for Issuing a NYM Transaction" -name: indy-ledger-chart -version: 1.0.0 
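Review bot: The new `type: hashicorp # hashicorp | kubernetes` line under `global.vault` does not say what choosing `kubernetes` means for the generated key material; in the job.yaml hunk above, the non-hashicorp branch writes every value with `kubectl create secret generic ... --from-literal`, so seeds and private keys end up as plain Kubernetes Secrets in the release namespace, protected only by namespace RBAC and whatever encryption at rest the cluster has. I would extend the comment to `type: hashicorp # hashicorp | kubernetes (kubernetes stores seeds/private keys as plain K8s Secrets in the release namespace; restrict Secret read access via RBAC)`. Likewise `removeKeysOnDelete: true` is undocumented and defaults to destructive behaviour — presumably consumed by the new job-cleanup.yaml listed in the diffstat — so a comment such as `removeKeysOnDelete: true # when true, the cleanup job deletes the generated keys on helm uninstall; irreversible, back up seeds first` would tell operators what they are opting into.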
diff --git a/platforms/hyperledger-indy/charts/indy-ledger-txn/README.md b/platforms/hyperledger-indy/charts/indy-ledger-txn/README.md deleted file mode 100644 index ff012480d1e..00000000000 --- a/platforms/hyperledger-indy/charts/indy-ledger-txn/README.md +++ /dev/null 
@@ -1,200 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - - -# indy-ledger-txn - -- [indy-ledger-txn Helm Chart](#indy-ledger-txn-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-ledger-txn Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-ledger-txn) helps to deploy indy ledger txn job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -indy-ledger-txn/ - |- templates/ - |- _helpers.tpl - |- job.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `_helpers.tpl`: Contains custom label definitions used in other templates. -- `job.yaml`: This file provides information about the kubernetes job -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. -- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. 
It includes configuration for the metadata, image, node, Vault, etc. - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ------------- | -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-ledger-txn release | indy-ledger-txn | - - -### network - -| Name | Description | Default Value | -| ------------ | ------------------------------------| ------------- | -| name | Provide the name of the network | bevel | - - -### organization - -| Name | Description | Default Value | -| -------- | ----------------------------------| ------------- | -| name | | bevel | -| adminIdentity | Provide the admin identity name | | -| name | Provide the admin identity name | admin_name | -| path | Provide the admin identity path |admin_path | -| newIdentity | -| name | Provide the new identity name | identity_name | -| path | Provide the new identity path | identity_path | -| role | Provide the new identity role | identity_role | -| did | Provide the new identity did | identity_did | -| verkey | Provide the new identity verkey | verification key value | - - -### image - -| Name | Description | Default Value | -| ------------ | ---------------------------------------------------------- | ------------- | -| name | Provide the image name for the indy-ledger-txn container | indy-ledger-txn | -| repository | Provide the image pull secret of image |alpine:3.9.4 | -| pullSecret | Provide the vault identity | regcred | - -### vault - -| Name | Description | Default Value | -| -------------------- | 
--------------------------------------| ------------- | -| address | Provide the vault server address | http://54.226.163.39:8200 | -| role | Provide the service account role | ro | -| serviceAccountName | Provide the authpath | vault-auth | -| auth_path | Provide the indy-ledger-txn node name | kubernetes-bevel-provider-steward-1-auth| - - -### node - -| Name | Description | Default Value | -| --------------| --------------------------------------- | ------------ | -| name | Provide the indy-ledger-txn node name | indy-ledger | - - - - -## Deployment ---- - -To deploy the indy-ledger-txn Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-ledger-txn - ``` -Replace `` with the desired name for the release. - -This will deploy the indy auth job to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the jobs, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. - - - -## Updating the job ---- - -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-ledger-txn -``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. 
- - - -## Deletion ---- - -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. - - - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-ledger-txn), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). - - - -## License - -This chart is licensed under the Apache v2.0 license. - -Copyright © 2023 Accenture - -### Attribution - -This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: - -``` -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` diff --git a/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/_helpers.tpl deleted file mode 100644 index d43c09d8cef..00000000000 --- a/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/_helpers.tpl +++ /dev/null @@ -1,5 +0,0 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} 
diff --git a/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/job.yaml b/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/job.yaml deleted file mode 100644 index f602a70f9f3..00000000000 --- a/platforms/hyperledger-indy/charts/indy-ledger-txn/templates/job.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ $.Values.metadata.name }}" - namespace: "{{ $.Values.metadata.namespace }}" - labels: - app: "{{ $.Values.metadata.name }}" - app.kubernetes.io/name: "{{ $.Values.metadata.name }}" - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -spec: - backoffLimit: 7 - template: - metadata: - labels: - app: "{{ $.Values.metadata.name }}" - app.kubernetes.io/name: "{{ $.Values.metadata.name }}" - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - restartPolicy: OnFailure - serviceAccountName: "{{ $.Values.vault.serviceAccountName }}" - imagePullSecrets: - - name: "{{ $.Values.image.cli.pullSecret }}" - volumes: - - name: {{ $.Values.organization.name }}-ptg - configMap: - name: {{ $.Values.organization.name }}-ptg - - name: shared-data - emptyDir: - medium: Memory - containers: - - name: init-container - image: "{{ $.Values.image.cli.repository }}" - stdin: true - tty: true - command: ["sh", "-c"] - args: - - |- - #!/usr/bin/env sh - validateVaultResponse () { - if echo ${2} | grep "errors"; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - } - - KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token); - echo "Getting secrets from Vault Server: ${VAULT_ADDR}" - # Login to Vault to get an approle token - curl --request POST --data '{"jwt": "'"${KUBE_TOKEN}"'", "role": "{{ $.Values.vault.role }}"}' ${VAULT_ADDR}/v1/auth/{{ 
$.Values.vault.auth_path }}/login | jq -j '.auth.client_token' > token; - VAULT_TOKEN=$(cat token); - validateVaultResponse 'vault login token' "${VAULT_TOKEN}" - QUERY_RES=$(curl -sS --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/$ADMIN_PATH/$ADMIN_NAME/identity/private | jq -r 'if .errors then . else . end') - validateVaultResponse 'Admin Seed' "${QUERY_RES}" - admin_seed=$(echo ${QUERY_RES} | jq -r ".data.data[\"seed\"]"); - mkdir -p /data/seed; - echo "${admin_seed}" > /data/seed/adminseed.txt; - env: - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: "{{ $.Values.vault.authpath }}" - - name: VAULT_ADDR - value: "{{ $.Values.vault.address }}" - - name: ADMIN_PATH - value: "{{ $.Values.organization.adminIdentity.path }}" - - name: ADMIN_NAME - value: "{{ $.Values.organization.adminIdentity.name }}" - - name: IDENTITY_NAME - value: "{{ $.Values.organization.newIdentity.name }}" - - name: IDENTITY_PATH - value: "{{ $.Values.organization.newIdentity.path }}" - volumeMounts: - - name: shared-data - mountPath: /data - - name: "{{ $.Values.image.cli.name }}" - image: "{{ $.Values.image.cli.repository }}" - stdin: true - tty: true - command: ["sh", "-c"] - args: - - |- - apt-get install curl -y - - ADMIN_SEED=$( cat /data/seed/adminseed.txt) - echo "Running ledger Transaction Script..."; - - ./home/indy-ledger.sh $ADMIN_DID $ADMIN_SEED $IDENTITY_DID $IDENTITY_ROLE $IDENTITY_VERKEY $POOL_GENESIS_PATH; - env: - - name: VAULT_APP_ROLE - value: {{ $.Values.vault.role }} - - name: KUBERNETES_AUTH_PATH - value: "{{ $.Values.vault.authpath }}" - - name: VAULT_ADDR - value: "{{ $.Values.vault.address }}" - - name: ADMIN_DID - value: "{{ $.Values.organization.adminIdentity.did }}" - - name: IDENTITY_DID - value: "{{ $.Values.organization.newIdentity.did }}" - - name: IDENTITY_ROLE - value: "{{ $.Values.organization.newIdentity.role }}" - - name: IDENTITY_VERKEY - value: "{{ $.Values.organization.newIdentity.verkey }}" - - 
name: POOL_GENESIS_PATH - value: /var/lib/indy/genesis/{{ $.Values.network.name }}/pool_transactions_genesis - volumeMounts: - - name: {{ $.Values.organization.name }}-ptg - mountPath: /var/lib/indy/genesis/{{ $.Values.network.name }}/pool_transactions_genesis - subPath: pool_transactions_genesis - - name: shared-data - mountPath: /data diff --git a/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml b/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml deleted file mode 100644 index 0587ee09bc2..00000000000 --- a/platforms/hyperledger-indy/charts/indy-ledger-txn/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Default values for indy-ledger-txn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - - #Provide the name for indy-ledger-txn release - #Eg. name: indy-ledger-txn - name: - -network: - #Provide the name for network - #Eg. name: bevel - name: - -organization: - name: - #Provide the organization name - adminIdentity: - #Provide the admin identity name - #Eg. name: admin_name - name: - - #Provide the admin identity path - #Eg. path: admin_path - path: - - newIdentity: - #Provide the new identity name - #Eg. name: identity_name - name: - - #Provide the new identity path - #Eg. path: identity_path - path: - - #Provide the new identity role - #Eg. role: identity_role - role: - - #Provide the new identity did - #Eg. did: identity_did - did: - - #Provide the new identity did - #Eg. verkey: verification key value - verkey: - -image: - cli: - #Provide the image name for the indy-ledger-txn container - #Eg. name: indy-ledger-txn - name: - - #Provide the image repository for the indy-ledger-txn container - #Eg. repository: alpine:3.9.4 - repository: - - #Provide the image pull secret of image - #Eg. pullSecret: regcred - pullSecret: - -vault: - #Provide the vault server address - #Eg. address: http://54.226.163.39:8200 - address: - - #Provide the service account role - #Eg. role: ro - role: - - #Provide the servicea ccount name for vault - #Eg. serviceaccountname: vault-auth - serviceAccountName: - - #Provide the authpath - #Eg. 
authpath: kubernetes-bevel-provider-steward-1-auth - auth_path: - -node: - #Provide the indy-ledger-txn node name - #Eg. name: indy-ledger - name: diff --git a/platforms/hyperledger-indy/charts/indy-node/Chart.yaml b/platforms/hyperledger-indy/charts/indy-node/Chart.yaml index 6337aec9fcb..cc6da6d6140 100644 --- a/platforms/hyperledger-indy/charts/indy-node/Chart.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/Chart.yaml @@ -3,9 +3,23 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## - apiVersion: v1 -appVersion: "2.0" -description: "hyperledger-indy: charts for indy-node StatefulSet" name: indy-node +description: Hyperledger Indy nodes for a SSI network version: 1.0.1 +appVersion: latest +keywords: + - bevel + - identity + - indy + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org diff --git a/platforms/hyperledger-indy/charts/indy-node/README.md b/platforms/hyperledger-indy/charts/indy-node/README.md index 6496a4947e6..2b95eb19921 100644 --- a/platforms/hyperledger-indy/charts/indy-node/README.md +++ b/platforms/hyperledger-indy/charts/indy-node/README.md 
@@ -3,234 +3,100 @@ [//]: # (SPDX-License-Identifier: Apache-2.0) [//]: # (##############################################################################################) - # indy-node -- [indy-node Helm Chart](#indy-node-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-node Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-node) helps to deploy indy node job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. +This chart is a component of Hyperledger Bevel. The indy-node chart deploys a Hyperledger Indy node as a steward. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for more details. - -## Chart Structure ---- -The structure of the Helm chart is as follows: +## TL;DR -``` -indy-node/ - |- templates/ - |- _helpers.tpl - |- job.yaml - |- Chart.yaml - |- README.md - |- values.yaml +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install university-steward-1 bevel/indy-node ``` -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `helpers.tpl`: Contains custom label definitions used in other templates. -- `job.yaml`: This file provides information about the kubernetes job -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. 
-- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. It includes configuration for the metadata, image, node, Vault, etc. +## Prerequisites - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-node/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: +- Kubernetes 1.19+ +- Helm 3.2.0+ -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ------------- | -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-node release | indy-node | - - -### replicas - -| Name | Description | Default Value | -| --------- | ---------------------------------------- | ------------- | -| replicas | Provide the number of indy-node replicas | 1 | - -### network - -| Name | Description | Default Value | -| ------- | ---------------------------- | ------------- | -| name | Provide the name for network | bevel | - - -### organization - -| Name | Description | Default Value | -| -------- | ----------------------------------- | ------------- | -| name | Provide the name for organization | provider | - -# add_new_org is true when adding new validator node to existing network -add_new_org: false - - - -### image - -| Name | Description | Default Value | -| ------------ | -------------------------------------------------------------- | ------------- | -| initContainer | -| name | Provide the image name for the indy-node init container | indy-node | -| repository | provide the image repository for the indy-node init | alpine:3.9.4 | -| cli | | | -| name | Provide the image name for the indy-ledger-txn container | indy-ledger-txn | -| 
repository | Provide the image repository for the indy-ledger-txn container | alpine:3.9.4 | -| indyNode | | | -| name | Provide the name for the indy node | indy-node | -| repository | Provide the image name for the indy-node container | alpine:3.9.4 | -| pullSecret | Provide the image pull secret of image | regcred | - - - -### node - -| Name | Description | Default Value | -| -----------------| -------------------------| ------------- | -| name | Provide the node name | indy-node | -| ip | Provide the node ip | 0.0.0.0 | -| publicIp | Provide the node ip | 0.0.0.0 | -| port | Provide the node port | 9752 | -| ambassadorPort | Provide the node port | 15911 | - -### client - -| Name | Description | Default Value | -| -----------------| -------------------------| ------------- | -| ip | Provide the node ip | 0.0.0.0 | -| publicIp | Provide the node ip | 0.0.0.0 | -| port | Provide the node port | 9752 | -| ambassadorPort | Provide the node port | 15912 | - -#### service -| Name | Description | Default Value | -| -------------------- | ---------------------------------------------| ------------- | -| type | Provide type of service (NodePort/ClusterIp) | NodePort | -| ports | | | -| nodePort | Provide the service node port | 9711 | -| nodeTargetPort | Provide the service node target port | 9711 | -| clientPort Provide | the service client port | 9712 | -| clientTargetPort | Provide the service client target port | 9712 | - -### configmap - -| Name | Description | Default Value | -| -------------------- | ---------------------------------------------| ------------- | -| domainGenesis | Provide the domain genesis | "" | -| poolGenesis | Provide the pool genesis | "" | - -### vault - -| Name | Description | Default Value | -| -------------------- | ---------------------------------------------| ------------- | -| address | Provide the vault server address | http://54.226.163.39:8200 | -| serviceAccountName | Provide the service account name for vault 
|vault-auth-provider-agent-app"" | -| keyPath | Provide the key path for vault | /keys/udisp/keys/indy-node | -| auth_path | Provide the authpath | kubernetes-bevel-provider-steward-1-auth | -| nodeId | Provide the indy-node node Id | indy-node | -| role | Provide the indy-node role | ro| - - -### storage - -| Name | Description | Default Value | -| -------------------- | -------------------------------------------------- | ------------- | -| keys | | | -| storagesize | Provide the storage size for storage for keys | 512Mi | -| storageClassName | Provide the storageClassName for storage for keys | ebs | -| data | | | -| storagesize | Provide the storage size for storage for data | 5Gi| -| storageClassName | Provide the storageClassName for storage for data | ebs | - - -## Deployment ---- - -To deploy the indy-node Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-node/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-node - ``` -Replace `` with the desired name for the release. - -This will deploy the indy auth job to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the jobs, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ +> **Important**: Ensure the `indy-key-mgmt` and `indy-genesis` charts has been installed correctly before installing this. 
- -## Updating the job ---- +## Installing the Chart -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-node/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-node +To install the chart with the release name `university-steward-1`: + +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install university-steward-1 bevel/indy-node ``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -## Deletion ---- +> **Tip**: List all releases using `helm list` -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. +## Uninstalling the Chart +To uninstall/delete the `university-steward-1` deployment: - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-node), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). +```bash +helm uninstall university-steward-1 +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+## Parameters +### Global parameters +These parameters are refered to as same in each parent or child chart +| Name | Description | Default Value | +|--------|---------|-------------| +|`global.serviceAccountName` | The serviceaccount name that will be created for Vault Auth management| `vault-auth` | +| `global.cluster.provider` | Kubernetes cluster provider like AWS EKS or minikube. Currently ony `aws` and `minikube` is tested | `aws` | +| `global.cluster.cloudNativeServices` | only `false` is implemented, `true` to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) is for future | `false` | +| `global.proxy.provider` | The proxy or Ingress provider. Can be `none` or `ambassador` | `ambassador` | + +### Storage + +| Name | Description | Default Value | +|--------|---------|-------------| +| `storage.keys` | Size of the PVC needed storing the formatted keys | `512Mi` | +| `storage.data` | Size of the PVC needed storing the node data | `4Gi` | +| `storage.reclaimPolicy` | Reclaim policy for the PVC. Choose from: `Delete` or `Retain` | `Delete` | +| `storage.volumeBindingMode` | Volume binding mode for the PVC. 
Choose from: `Immediate` or `WaitForFirstConsumer` | `Immediate` | +| `storage.allowedTopologies.enabled` | Check [bevel-storageclass](../../../shared/charts/bevel-storageclass/README.md) for details | `false` | + +### Image +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | +| `image.initContainer` | Init-container image repository and tag | `ghcr.io/hyperledger/bevel-alpine-ext:latest`| +| `image.cli` | Indy-cli indy-ledger-txn image repository and tag | `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest`| +| `image.indyNode.repository` | Indy Node image repository | `ghcr.io/hyperledger/bevel-indy-node` | +| `image.indyNode.tag` | Indy Node image tag/version | `1.12.6` | + +### Settings + +| Name | Description | Default Value | +|--------|---------|-------------| +| `settings.network` | Network Name for Indy | `bevel` | +| `settings.addOrg` | Flag to denote if this is a new Node for existing Indy network | `false` | +| `settings.serviceType` | Choose between `ClusterIP` or `NodePort`; `NodePort` must be used for no-proxy | `ClusterIP` | +| `settings.node.ip` | Internal IP of the Indy node service | `0.0.0.0` | +| `settings.node.publicIp` | External IP of the Indy node service, use same IP from genesis | `""` | +| `settings.node.port` | Internal Port of the Indy node service | `9711` | +| `settings.node.externalPort` | External IP of the Indy node service, use same port from genesis | `15011` | +| `settings.client.ip` | Internal IP of the Indy client service | `0.0.0.0` | +| `settings.client.publicIp` | External IP of the Indy client service, use same IP from genesis | `""` | +| `settings.client.port` | Internal Port of the Indy client service | `9712` | +| `settings.client.externalPort` | External IP of the Indy client service, use same port from genesis | `15012` | - ## License This chart is licensed under the Apache v2.0 license. 
-Copyright © 2023 Accenture +Copyright © 2024 Accenture ### Attribution diff --git a/platforms/hyperledger-indy/charts/indy-node/requirements.yaml b/platforms/hyperledger-indy/charts/indy-node/requirements.yaml new file mode 100644 index 00000000000..895f0a0e1cf --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-node/requirements.yaml @@ -0,0 +1,7 @@ +dependencies: + - name: bevel-storageclass + alias: storage + repository: "file://../../../shared/charts/bevel-storageclass" + tags: + - storage + version: ~1.0.0 diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-node/templates/_helpers.tpl index d43c09d8cef..4dc76acaefc 100644 --- a/platforms/hyperledger-indy/charts/indy-node/templates/_helpers.tpl +++ b/platforms/hyperledger-indy/charts/indy-node/templates/_helpers.tpl @@ -1,5 +1,28 @@ -{{- define "labels.custom" }} - {{ range $key, $val := $.Values.metadata.labels }} - {{ $key }}: {{ $val }} - {{ end }} -{{- end }} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "indy-node.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "indy-node.fullname" -}} +{{- $name := default .Chart.Name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "indy-node.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} 
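Review bot: `{{- $name := default .Chart.Name -}}` in `indy-node.fullname` passes a single argument to `default`, so `.Values.nameOverride` is silently ignored here while `indy-node.name` honours it, and the two helpers can disagree on the base name. Use `{{- $name := default .Chart.Name .Values.nameOverride -}}` so both derive from the same value. Since `fullname` feeds the `app.kubernetes.io/part-of` selector label in the StatefulSet and Service elsewhere in this patch, any later change to this helper can break the selector/label match on an existing release, so it is worth getting right now.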
diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/configmap.yaml b/platforms/hyperledger-indy/charts/indy-node/templates/configmap.yaml index b1ac7049794..0721163cd45 100644 --- a/platforms/hyperledger-indy/charts/indy-node/templates/configmap.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/templates/configmap.yaml @@ -7,13 +7,32 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Values.node.name }}-config + name: {{ .Release.Name }}-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ $.Values.node.name }}-config - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }}-config + app.kubernetes.io/component: config + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm data: indy_config.py: | - {{ $.Values.configmap.indyConfig | nindent 6 }} + NETWORK_NAME = '{{ .Values.settings.network }}' + # Enable stdout logging + enableStdOutLogging = True + logRotationBackupCount = 10 + # Directory to store ledger. + LEDGER_DIR = '/var/lib/indy/data' + # Directory to store logs. + LOG_DIR = '/var/log/indy' + # Directory to store keys. + KEYS_DIR = '/var/lib/indy/keys' + # Directory to store genesis transactions files. + GENESIS_DIR = '/var/lib/indy/genesis' + # Directory to store backups. + BACKUP_DIR = '/var/lib/indy/backup' + # Directory to store plugins. + PLUGINS_DIR = '/var/lib/indy/plugins' + # Directory to store node info. + NODE_INFO_DIR = '/var/lib/indy/data' diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/service.yaml b/platforms/hyperledger-indy/charts/indy-node/templates/service.yaml index 100e47dbe0c..8790b3c8012 100644 
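Review bot: `NETWORK_NAME = '{{ .Values.settings.network }}'` splices a values entry straight into Python source with no validation, so an empty value yields `NETWORK_NAME = ''` and a value containing a quote breaks `indy_config.py` at node start-up; the same value is also used as a path segment under `/var/lib/indy/genesis/` in the StatefulSet. Rendering it as `NETWORK_NAME = {{ required "settings.network is required" .Values.settings.network | quote }}` makes `helm install` fail early instead (Python accepts the double-quoted form). With `enableStdOutLogging = True` hard-coded, logs go to stdout as well as `LOG_DIR`; a short comment that `LOG_DIR = '/var/log/indy'` is ephemeral container storage (the StatefulSet mounts no volume there) would save someone looking for those files later.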
--- a/platforms/hyperledger-indy/charts/indy-node/templates/service.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/templates/service.yaml 
@@ -7,35 +7,45 @@ apiVersion: v1 kind: Service metadata: - name: "{{ $.Values.node.name }}" + name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "indy-node.fullname" . }} + app.kubernetes.io/component: service + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm spec: - type: {{ $.Values.service.type }} + type: {{ .Values.settings.serviceType }} ports: - name: indy-node-node - port: {{ $.Values.service.ports.nodePort }} - targetPort: {{ $.Values.service.ports.nodeTargetPort }} - {{ if eq $.Values.service.type "NodePort" }} - nodePort: {{ $.Values.service.ports.nodeTargetPort }} + port: {{ .Values.settings.node.port }} + targetPort: {{ .Values.settings.node.port }} + {{ if eq .Values.settings.serviceType "NodePort" }} + nodePort: {{ .Values.settings.node.externalPort }} {{ end }} - name: indy-node-client - port: {{ $.Values.service.ports.clientPort }} - targetPort: {{ $.Values.service.ports.clientTargetPort }} - {{ if eq $.Values.service.type "NodePort" }} - nodePort: {{ $.Values.service.ports.clientTargetPort }} + port: {{ .Values.settings.client.port }} + targetPort: {{ .Values.settings.client.port }} + {{ if eq .Values.settings.serviceType "NodePort" }} + nodePort: {{ .Values.settings.client.externalPort }} {{ end }} selector: - app: "{{ $.Values.node.name }}" + app: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} -{{- if eq $.Values.proxy.provider "ambassador" }} +{{- if eq .Values.global.proxy.provider "ambassador" }} --- apiVersion: getambassador.io/v3alpha1 kind: Listener metadata: - name: "{{ .Values.node.name }}-node-listener" + name: "{{ .Release.Name }}-node-listener" namespace: {{ .Release.Namespace }} spec: - port: {{ .Values.node.ambassadorPort }} + port: {{ .Values.settings.node.externalPort }} protocol: TCP securityModel: XFP hostBinding: @@ -45,20 +55,20 @@ spec: apiVersion: getambassador.io/v3alpha1 kind: TCPMapping metadata: - name: "{{ .Values.node.name }}-node-mapping" + name: "{{ .Release.Name }}-node-mapping" namespace: {{ .Release.Namespace }} spec: - port: {{ .Values.node.ambassadorPort }} - service: "{{ .Values.node.name }}.{{ .Release.Namespace }}:{{ .Values.service.ports.nodeTargetPort }}" + port: {{ .Values.settings.node.externalPort }} + service: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.settings.node.port }} --- apiVersion: getambassador.io/v3alpha1 kind: Listener metadata: - name: "{{ .Values.node.name }}-client-listener" + name: "{{ .Release.Name }}-client-listener" namespace: {{ .Release.Namespace }} spec: - port: {{ .Values.client.ambassadorPort }} + port: {{ .Values.settings.client.externalPort }} protocol: TCP securityModel: XFP hostBinding: @@ -68,10 +78,9 @@ spec: apiVersion: getambassador.io/v3alpha1 kind: TCPMapping metadata: - name: "{{ .Values.node.name }}-client-mapping" + name: "{{ .Release.Name }}-client-mapping" namespace: {{ .Release.Namespace }} spec: - port: {{ .Values.client.ambassadorPort }} - service: "{{ .Values.node.name }}.{{ .Release.Namespace }}:{{ .Values.service.ports.clientTargetPort }}" + port: {{ .Values.settings.client.externalPort }} + service: {{ .Release.Name }}.{{ .Release.Namespace }}:{{ .Values.settings.client.port }} {{- end }} - 
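Review bot: With `settings.serviceType: NodePort`, `nodePort: {{ .Values.settings.node.externalPort }}` (and the client equivalent) will be rejected by the API server for the README's documented defaults 15011/15012, because Kubernetes only allocates NodePorts from its configured range (30000-32767 unless the cluster extends it). The same `externalPort` value is reused as the Ambassador `Listener`/`TCPMapping` port further down this file, so a single value must satisfy two different constraints depending on the proxy mode; at minimum the values comment should say so, e.g. `# externalPort is the Ambassador listener port, or the NodePort when serviceType=NodePort (must lie in the cluster's NodePort range)`. A render-time guard such as `{{- if and (eq .Values.settings.serviceType "NodePort") (lt (int .Values.settings.node.externalPort) 30000) }}{{ fail "settings.node.externalPort must be within the cluster NodePort range" }}{{- end }}` would surface the misconfiguration at install rather than at apply, with the threshold adjusted if the cluster's range differs.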
diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml index 087a1eac3a2..37af62b1927 100644 --- a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml 
@@ -7,64 +7,63 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: "{{ $.Values.node.name }}" + name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-node-statefulset + app.kubernetes.io/component: indy + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm spec: - serviceName: "{{ $.Values.node.name }}" + serviceName: {{ .Release.Name }} replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate selector: matchLabels: - app: "{{ $.Values.node.name }}" + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-node-statefulset + app.kubernetes.io/component: indy + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . }} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm template: metadata: labels: - app: "{{ $.Values.node.name }}" + app: {{ .Release.Name }} + app.kubernetes.io/name: indy-node-statefulset + app.kubernetes.io/component: indy + app.kubernetes.io/part-of: {{ include "indy-node.fullname" . 
}} + app.kubernetes.io/namespace: {{ .Release.Namespace }} + app.kubernetes.io/release: {{ .Release.Name }} + app.kubernetes.io/managed-by: helm spec: securityContext: fsGroup: 1000 - serviceAccountName: {{ $.Values.vault.serviceAccountName }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + imagePullSecrets: + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} + {{- end }} initContainers: - - name: "{{ $.Values.image.initContainer.name }}" - image: "{{ $.Values.image.initContainer.repository }}" + - name: format-certs + image: {{ .Values.image.initContainer }} imagePullPolicy: IfNotPresent env: - - name: VAULT_ADDR - value: {{ $.Values.vault.address }} - - name: VAULT_AUTH_PATH - value: {{ $.Values.vault.authPath }} - - name: VAULT_ROLE - value: {{ $.Values.vault.role }} - - name: KEY_PATH - value: {{ $.Values.vault.keyPath }} - - name: NODE_ID - value: {{ $.Values.vault.nodeId }} - - name: ORGANIZATION_NAME - value: "{{ $.Values.organization.name }}" - - name: ADD_NEW_ORG - value: "{{ $.Values.add_new_org }}" - command: - - "sh" - - "-c" - - > - apk update; - apk add curl jq; - - validateVaultResponse () { - if echo ${2} | grep "errors"; then - echo "ERROR: unable to retrieve ${1}: ${2}" - exit 1 - fi - } - - KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token); - - response=$(curl -s -o /dev/null -w "%{http_code}" $VAULT_ADDR/v1/sys/health); - if [ $response != 200 ]; then - exit 1 - fi - - curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "'"$VAULT_ROLE"'"}' $VAULT_ADDR/v1/auth/$VAULT_AUTH_PATH/login | jq -j '.auth.client_token' > token; - X_VAULT_TOKEN=$(cat token); + - name: KEY_PATH + value: "/keys/{{ .Values.settings.network }}/keys/{{ .Release.Name }}" + - name: NODE_ID + value: "{{ .Release.Name }}" + - name: ADD_NEW_ORG + value: "{{ .Values.settings.addOrg }}" + command: ["sh", "-c"] + args: + - | if $ADD_NEW_ORG ; then 
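Review bot: `serviceAccountName: {{ .Values.global.serviceAccountName }}` is now the identity the `format-certs` init container uses to read the node's key material via `kubectl get secret` (the calls sit in the next hunk), yet no Role/RoleBinding granting `get` on `secrets` for that account appears in this diff, so the pod will stall at init unless the `indy-key-mgmt` chart or something outside this patch creates one; that prerequisite should be recorded, e.g. `# NOTE: global.serviceAccountName must be allowed to get the <release>-*-keys secrets in this namespace`. Least privilege argues for scoping that Role with `resourceNames` to this release's secrets rather than every Secret in the namespace. Separately, `image.initContainer` defaults (per the README) to the mutable tag `bevel-alpine-ext:latest` with `imagePullPolicy: IfNotPresent`, a weak supply-chain posture for a container that handles private signing keys; pinning a version or digest is advisable. The init container's script continues past the end of this hunk.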
@@ -72,85 +71,70 @@ spec: else mkdir -p ${KEY_PATH}/bls_keys ${KEY_PATH}/private_keys ${KEY_PATH}/public_keys ${KEY_PATH}/sig_keys ${KEY_PATH}/verif_keys ${KEY_PATH}C/private_keys ${KEY_PATH}C/public_keys ${KEY_PATH}C/sig_keys ${KEY_PATH}C/verif_keys; fi; - - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/public/bls_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/node/public/bls_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.bls_pk" > ${KEY_PATH}/bls_keys/bls_pk; + # Get the secrets from Kubernetes secret and save as files + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".bls_pk" > ${KEY_PATH}/bls_keys/bls_pk; chmod 644 ${KEY_PATH}/bls_keys/bls_pk; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/private/bls_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/node/private/bls_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.bls_sk" > ${KEY_PATH}/bls_keys/bls_sk; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-private-bls-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".bls_sk" > ${KEY_PATH}/bls_keys/bls_sk; chmod 640 ${KEY_PATH}/bls_keys/bls_sk; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/private/private_keys | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/node/private/private_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}.key_secret\"" > ${KEY_PATH}/private_keys/${NODE_ID}.key_secret; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-private-private-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}.key_secret\"" > ${KEY_PATH}/private_keys/${NODE_ID}.key_secret; chmod 640 ${KEY_PATH}/private_keys/${NODE_ID}.key_secret; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/public/public_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/node/public/public_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}.key\"" > ${KEY_PATH}/public_keys/${NODE_ID}.key.bootstrap; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-public-public-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}.key\"" > ${KEY_PATH}/public_keys/${NODE_ID}.key.bootstrap; chmod 644 ${KEY_PATH}/public_keys/${NODE_ID}.key.bootstrap; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/private/sig_keys | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/node/private/sig_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}.key_secret\"" > ${KEY_PATH}/sig_keys/${NODE_ID}.key_secret; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-private-sig-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}.key_secret\"" > ${KEY_PATH}/sig_keys/${NODE_ID}.key_secret; chmod 640 ${KEY_PATH}/sig_keys/${NODE_ID}.key_secret; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/public/verif_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/node/public/verif_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}.key\"" > ${KEY_PATH}/verif_keys/${NODE_ID}.key.bootstrap; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}.key\"" > ${KEY_PATH}/verif_keys/${NODE_ID}.key.bootstrap; chmod 644 ${KEY_PATH}/verif_keys/${NODE_ID}.key.bootstrap; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/client/private/private_keys | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/client/private/private_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}C.key_secret\"" > ${KEY_PATH}C/private_keys/${NODE_ID}C.key_secret; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-client-private-private-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}C.key_secret\"" > ${KEY_PATH}C/private_keys/${NODE_ID}C.key_secret; chmod 640 ${KEY_PATH}C/private_keys/${NODE_ID}C.key_secret; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/client/public/public_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/client/public/public_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}C.key\"" > ${KEY_PATH}C/public_keys/${NODE_ID}C.key; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-client-public-public-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}C.key\"" > ${KEY_PATH}C/public_keys/${NODE_ID}C.key; chmod 644 ${KEY_PATH}C/public_keys/${NODE_ID}C.key; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/client/private/sig_keys | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/client/private/sig_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" |jq -j ".data.data.\"${NODE_ID}C.key_secret\"" > ${KEY_PATH}C/sig_keys/${NODE_ID}C.key_secret; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-client-private-sig-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" |jq -j ".\"${NODE_ID}C.key_secret\"" > ${KEY_PATH}C/sig_keys/${NODE_ID}C.key_secret; chmod 640 ${KEY_PATH}C/sig_keys/${NODE_ID}C.key_secret; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/client/public/verif_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/client/public/verif_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"${NODE_ID}C.key\"" > ${KEY_PATH}C/verif_keys/${NODE_ID}C.key; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-client-public-verif-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"${NODE_ID}C.key\"" > ${KEY_PATH}C/verif_keys/${NODE_ID}C.key; chmod 644 ${KEY_PATH}C/verif_keys/${NODE_ID}C.key; if $ADD_NEW_ORG ; then - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/public/bls_keys | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/node/public/bls_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"bls-key-pop\"" > ${KEY_PATH}/bls_keys/bls-key-pop; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"bls-key-pop\"" > ${KEY_PATH}/bls_keys/bls-key-pop; chmod 644 ${KEY_PATH}/bls_keys/bls-key-pop; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/node/public/verif_keys | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/node/public/verif_keys)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.\"verification-key\"" > ${KEY_PATH}/verif_keys/verification-key; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".\"verification-key\"" > ${KEY_PATH}/verif_keys/verification-key; chmod 644 ${KEY_PATH}/verif_keys/verification-key; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/identity/private | jq -r 'if .errors then . else . 
end'); - validateVaultResponse "secret (${NODE_ID}/identity/private)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.seed" > ${KEY_PATH}/identity/private/seed; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-identity-private -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".seed" > ${KEY_PATH}/identity/private/seed; chmod 644 ${KEY_PATH}/identity/private/seed; - LOOKUP_SECRET_RESPONSE=$(curl --header "X-Vault-Token: $X_VAULT_TOKEN" $VAULT_ADDR/v1/"${ORGANIZATION_NAME}"/data/stewards/${NODE_ID}/identity/public | jq -r 'if .errors then . else . end'); - validateVaultResponse "secret (${NODE_ID}/identity/public)" "${LOOKUP_SECRET_RESPONSE}"; - echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".data.data.did" > ${KEY_PATH}/identity/public/did; + LOOKUP_SECRET_RESPONSE=$(kubectl get secret -n {{ .Release.Namespace }} ${NODE_ID}-identity-public -o jsonpath='{.data.value}' | base64 -d); + echo "${LOOKUP_SECRET_RESPONSE}" | jq -j ".did" > ${KEY_PATH}/identity/public/did; chmod 644 ${KEY_PATH}/identity/public/did; - fi; volumeMounts: - - name: ebs-indy-node-keys - mountPath: /keys -{{- if eq $.Values.add_new_org true }} - - name: "{{ $.Values.image.cli.name }}" - image: "{{ $.Values.image.cli.repository }}" + - name: ebs-indy-node-keys + mountPath: /keys +{{- if eq .Values.settings.addOrg true }} + - name: "add-org" + image: {{ .Values.image.cli }} stdin: true tty: true command: ["sh", "-c"] 
@@ -185,89 +169,87 @@ spec: cat init_node_txn.log; env: - name: POOL_GENESIS_PATH - value: /var/lib/indy/genesis/{{ $.Values.network.name }}/pool_transactions_genesis + value: /var/lib/indy/genesis/{{ .Values.settings.network }}/pool_transactions_genesis - name: INDY_NETWORK_NAME - value: "{{ $.Values.network.name }}" + value: {{ .Values.settings.network }} - name: INDY_NODE_NAME - value: "{{ $.Values.node.name }}" + value: {{ .Release.Name }} - name: INDY_NODE_IP - value: "{{ $.Values.node.publicIp }}" + value: "{{ .Values.settings.node.publicIp }}" - name: INDY_NODE_PORT - value: "{{ $.Values.node.ambassadorPort }}" + value: "{{ .Values.settings.node.externalPort }}" - name: INDY_CLIENT_IP - value: "{{ $.Values.client.publicIp }}" + value: "{{ .Values.settings.client.publicIp }}" - name: INDY_CLIENT_PORT - value: "{{ $.Values.client.ambassadorPort }}" + value: "{{ .Values.settings.client.externalPort }}" volumeMounts: - name: ebs-indy-node-keys mountPath: /var/lib/indy/keys - - name: {{ $.Values.organization.name }}-domain-transactions-genesis - mountPath: /var/lib/indy/genesis/{{ $.Values.network.name }}/domain_transactions_genesis + - name: domain-transactions-genesis + mountPath: /var/lib/indy/genesis/{{ .Values.settings.network }}/domain_transactions_genesis subPath: domain_transactions_genesis - - name: {{ $.Values.organization.name }}-pool-transactions-genesis - mountPath: /var/lib/indy/genesis/{{ $.Values.network.name }}/pool_transactions_genesis + - name: pool-transactions-genesis + mountPath: /var/lib/indy/genesis/{{ .Values.settings.network }}/pool_transactions_genesis subPath: pool_transactions_genesis {{- end }} containers: - - name: "{{ $.Values.image.indyNode.name }}" - image: "{{ $.Values.image.indyNode.repository }}" + - name: indy-node + image: {{ .Values.image.indyNode.repository }}:{{ .Values.image.indyNode.tag }} imagePullPolicy: IfNotPresent ports: - - containerPort: {{ $.Values.node.port }} - - containerPort: {{ $.Values.client.port }} + - 
containerPort: {{ .Values.settings.node.port }} + - containerPort: {{ .Values.settings.client.port }} env: - name: INDY_NODE_NAME - value: "{{ $.Values.node.name }}" + value: {{ .Release.Name }} - name: INDY_NODE_IP - value: "{{ $.Values.node.ip }}" + value: "{{ .Values.settings.node.ip }}" - name: INDY_NODE_PORT - value: "{{ $.Values.node.port }}" + value: "{{ .Values.settings.node.port }}" - name: INDY_CLIENT_IP - value: "{{ $.Values.client.ip }}" + value: "{{ .Values.settings.client.ip }}" - name: INDY_CLIENT_PORT - value: "{{ $.Values.client.port }}" + value: "{{ .Values.settings.client.port }}" - name: INDY_NETWORK_NAME - value: "{{ $.Values.network.name }}" + value: {{ .Values.settings.network }} volumeMounts: - name: ebs-indy-node-data mountPath: /var/lib/indy/data - name: ebs-indy-node-keys mountPath: /var/lib/indy/keys - - name: {{ $.Values.node.name }}-config + - name: {{ .Release.Name }}-config mountPath: /etc/indy/indy_config.py subPath: indy_config.py - - name: {{ $.Values.organization.name }}-domain-transactions-genesis - mountPath: /var/lib/indy/genesis/{{ $.Values.network.name }}/domain_transactions_genesis + - name: domain-transactions-genesis + mountPath: /var/lib/indy/genesis/{{ .Values.settings.network }}/domain_transactions_genesis subPath: domain_transactions_genesis - - name: {{ $.Values.organization.name }}-pool-transactions-genesis - mountPath: /var/lib/indy/genesis/{{ $.Values.network.name }}/pool_transactions_genesis + - name: pool-transactions-genesis + mountPath: /var/lib/indy/genesis/{{ .Values.settings.network }}/pool_transactions_genesis subPath: pool_transactions_genesis - imagePullSecrets: - - name: "{{ $.Values.image.pullSecret }}" volumes: - - name: {{ $.Values.node.name }}-config + - name: {{ .Release.Name }}-config configMap: - name: {{ $.Values.node.name }}-config - - name: {{ $.Values.organization.name }}-domain-transactions-genesis + name: {{ .Release.Name }}-config + - name: domain-transactions-genesis configMap: - name: {{ 
$.Values.organization.name }}-dtg - - name: {{ $.Values.organization.name }}-pool-transactions-genesis + name: dtg + - name: pool-transactions-genesis configMap: - name: {{ $.Values.organization.name }}-ptg + name: ptg volumeClaimTemplates: - metadata: name: ebs-indy-node-data spec: accessModes: ["ReadWriteOnce"] - storageClassName: "{{ $.Values.storage.data.storageClassName }}" + storageClassName: storage-{{ .Release.Name }} resources: requests: - storage: "{{ $.Values.storage.data.storagesize }}" + storage: "{{ .Values.storage.data }}" - metadata: name: ebs-indy-node-keys spec: accessModes: ["ReadWriteOnce"] - storageClassName: "{{ $.Values.storage.data.storageClassName }}" + storageClassName: storage-{{ .Release.Name }} resources: requests: - storage: "{{ $.Values.storage.keys.storagesize }}" + storage: "{{ .Values.storage.keys }}" diff --git a/platforms/hyperledger-indy/charts/indy-node/values.yaml b/platforms/hyperledger-indy/charts/indy-node/values.yaml index 8b6628d5059..9bc8a83b349 100644 --- a/platforms/hyperledger-indy/charts/indy-node/values.yaml +++ b/platforms/hyperledger-indy/charts/indy-node/values.yaml 
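Review bot: The new side drops `imagePullSecrets` from the StatefulSet pod spec altogether while `image.pullSecret` is still declared in this chart's values.yaml in the same commit, so a private-registry secret set through that value is silently ignored for the init, add-org and indy-node containers. The indy-register-identity job.yaml in this commit already wraps the secret in a conditional `imagePullSecrets` block, and the same pattern could be mirrored here rather than removing the wiring. Separately, `INDY_NETWORK_NAME` and `INDY_NODE_NAME` now render `value: {{ .Values.settings.network }}` and `value: {{ .Release.Name }}` unquoted where the replaced lines were quoted; an env `value` must be a string, so a numeric- or boolean-looking network name would be rejected at apply time, and `value: {{ .Values.settings.network | quote }}` keeps the earlier guarantee. The initContainer whose args end in `cat init_node_txn.log;` starts before this hunk, so its earlier lines are not visible here.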
@@ -3,170 +3,86 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## - # Default values for indy-node. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - -#Provide the number of indy-node replicas -#Eg. replicas: 1 -replicas: - -network: - #Provide the name for network - #Eg. name: bevel - name: - -organization: - #Provide the name for organization - #Eg. name: provider - name: - -# add_new_org is true when adding new validator node to existing network -add_new_org: false +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false # set to true to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) + # This section contains the proxy ports. + proxy: + # Mention the proxy provider. Currently ambassador or none is supported. + # Eg. provider: ambassador + provider: ambassador + +# Override necessary Subchart values +storage: + #Provide the storage size for storage for keys + #Eg. keys: 512Mi + keys: "512Mi" + #Provide the storage size for storage for data + #Eg. data: 5Gi + data: "4Gi" + # NOTE: when you set this to Retain, the volume WILL persist after the chart is delete and you need to manually delete it + reclaimPolicy: "Delete" # choose from: Delete | Retain + volumeBindingMode: Immediate # choose from: Immediate | WaitForFirstConsumer + allowedTopologies: + enabled: false image: - initContainer: - #Provide the image name for the indy-node init container - #Eg. name: indy-node - name: - - #Provide the image repository for the indy-node init container - #Eg. repository: alpine:3.9.4 - repository: - cli: - #Provide the image name for the indy-ledger-txn container - #Eg. 
name: indy-ledger-txn - name: - - #Provide the image repository for the indy-ledger-txn container - #Eg. repository: alpine:3.9.4 - repository: - - indyNode: - #Provide the name for the indy node - #Eg. name: indy-node - name: - - #Provide the image name for the indy-node container - #Eg. repository: xxxx.accenture.com/uisp/indy-node-1.9.2:SR1.0.0-SNAPSHOT - repository: - #Provide the image pull secret of image #Eg. pullSecret: regcred pullSecret: + #Provide the image repository for the init container + #Eg. initContainer: ghcr.io/hyperledger/bevel-alpine-ext:latest + initContainer: ghcr.io/hyperledger/bevel-alpine-ext:latest + #Provide the image repository for the indy-ledger-txn container + #Eg. cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest + cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest + indyNode: + #Provide the image name for the indy-node container + #Eg. repository: ghcr.io/hyperledger/bevel-indy-node + repository: ghcr.io/hyperledger/bevel-indy-node + #Provide the image version for the indy-node container + #Eg. tag: 1.12.6 + tag: 1.12.6 -node: - #Provide the node name - #Eg. name: indy-node - name: - - #Provide the node ip - #Eg. ip: 0.0.0.0 - ip: - - #Provide the node ip - #Eg. ip: 0.0.0.0 - publicIp: - - #Provide the node port - #Eg. port: 9752 - port: - - #Provide the node port - #Eg. port: 15911 - ambassadorPort: - -client: - #Provide the client ip - #Eg. ip: 0.0.0.0 - ip: - - #Provide the client port - #Eg. port: 9752 - port: - - #Provide the client ip - #Eg. ip: 0.0.0.0 - publicIp: - - #Provide the client port - #Eg. port: 15912 - ambassadorPort: - -service: - type: - #Provide type of service (NodePort/ClusterIp) - ports: - #Provide the service node port - #Eg. nodePort: 9711 - nodePort: - - #Provide the service node target port - #Eg. nodeTargetPort: 9711 - nodeTargetPort: - - #Provide the service client port - #Eg. clientPort: 9712 - clientPort: - - #Provide the service client target port - #Eg. 
clientTargetPort: 9712 - clientTargetPort: - -configmap: - #Provide the domain genesis - domainGenesis: - - #Provide the pool genesis - poolGenesis: - -vault: - #Provide the vault server address - #Eg. address: http://54.226.163.39:8200 - address: - - #Provide the service account name for vault - #Eg. serviceaccountname: vault-auth-provider-agent-app - serviceAccountName: - - #Provide the key path for vault - #Eg. keyPath: /keys/udisp/keys/indy-node - keyPath: - - #Provide the authpath - #Eg. authpath: kubernetes-bevel-provider-steward-1-auth - auth_path: - - #Provide the indy-node node Id - #Eg. nodeId: indy-node - nodeId: - - #Provide the indy-node role - #Eg. role: ro - role: - - -storage: - keys: - #Provide the storage size for storage for keys - #Eg. storagesize: 512Mi - storagesize: - - #Provide the storageClassName for storage for keys - #Eg. storageClassName: ebs - storageClassName: - - data: - #Provide the storage size for storage for data - #Eg. storagesize: 5Gi - storagesize: - - #Provide the storageClassName for storage for data - #Eg. storageClassName: ebs - storageClassName: +settings: + #Provide the name for network + #Eg. network: bevel + network: bevel + # addOrg is true when adding new validator node to existing network + addOrg: false + #Provide type of service (NodePort or ClusterIP) + serviceType: ClusterIP + node: + #Provide the node ip + #Eg. ip: 0.0.0.0 + ip: 0.0.0.0 + #Provide the node ip + #Eg. publicIp: 192.168.2.1 + publicIp: + #Provide the node port + #Eg. port: 9711 + port: 9711 + # Mention the external port configured on proxy. + # NOTE: Make sure that the port is enabled and not already used. + # Eg. externalPort: 15011 + externalPort: 15011 + + client: + #Provide the client ip + #Eg. ip: 0.0.0.0 + ip: 0.0.0.0 + #Provide the client ip + #Eg. ip: 192.168.2.1 + publicIp: + #Provide the client port + #Eg. port: 9752 + port: 9712 + # Mention the external port configured on proxy. 
+ # NOTE: Make sure that the port is enabled and not already used. + # Eg. externalPort: 15012 + externalPort: 15012 diff --git a/platforms/hyperledger-indy/charts/indy-pool-genesis/Chart.yaml b/platforms/hyperledger-indy/charts/indy-pool-genesis/Chart.yaml deleted file mode 100644 index 222456797a6..00000000000 --- a/platforms/hyperledger-indy/charts/indy-pool-genesis/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -apiVersion: v1 -appVersion: "2.0" -description: "hyperledger-indy: indy-pool-genesis" -name: indy-pool-genesis -version: 1.0.0 - diff --git a/platforms/hyperledger-indy/charts/indy-pool-genesis/README.md b/platforms/hyperledger-indy/charts/indy-pool-genesis/README.md deleted file mode 100644 index 07325fbbe96..00000000000 --- a/platforms/hyperledger-indy/charts/indy-pool-genesis/README.md +++ /dev/null 
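Review bot: `image.initContainer` and `image.cli` default to mutable `:latest` tags (`ghcr.io/hyperledger/bevel-alpine-ext:latest`, `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest`) while `image.indyNode` is pinned with `tag: 1.12.6`, so the containers that, judging by the statefulset hunks, copy the node's key secrets are the only ones whose contents can change between installs without any change to the chart. Pinning them the same way, e.g. `cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:<pinned-tag>` (or an image digest), keeps the chart's images reproducible and consistent with `indyNode`. The comment examples under `settings.client` also disagree with the keys and defaults: `#Eg. ip: 192.168.2.1` sits above `publicIp:` and `#Eg. port: 9752` above `port: 9712`, which will mislead operators filling these in.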
@@ -1,159 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - - -# indy-pool-genesis - -- [indy-pool-genesis Helm Chart](#indy-pool-genesis-helm-chart) -- [Prerequisites](#prerequisites) -- [Chart Structure](#chart-structure) -- [Configuration](#configuration) -- [Deployment](#deployment) -- [Verification](#verification) -- [Updating the Deployment](#updating-the-deployment) -- [Deletion](#deletion) -- [Contributing](#contributing) -- [License](#license) - - -## indy-pool-genesis Helm Chart ---- -This [Helm chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-pool-genesis) helps to deploy indy pool genesis job. - - -## Prerequisites ---- -Before deploying the Helm chart, make sure to have the following prerequisites: - -- Kubernetes cluster up and running. -- A HashiCorp Vault instance is set up and configured to use Kubernetes service account token-based authentication. -- The Vault is unsealed and initialized. -- Helm installed. - - -## Chart Structure ---- -The structure of the Helm chart is as follows: - -``` -indy-pool-genesis/ - |- templates/ - |- _helpers.tpl - |- job.yaml - |- Chart.yaml - |- README.md - |- values.yaml -``` - -- `templates/`: This directory contains the template files for generating Kubernetes resources. -- `job.yaml`: This file provides information about the kubernetes job -- `_helpers.tpl`: Contains custom label definitions used in other templates. -- `Chart.yaml`: Provides metadata about the chart, such as its name, version, and description. -- `README.md`: This file provides information and instructions about the Helm chart. -- `values.yaml`: Contains the default configuration values for the chart. 
It includes configuration for the metadata, image, node, Vault, etc. - - -## Configuration ---- -The [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml) file contains configurable values for the Helm chart. We can modify these values according to the deployment requirements. Here are some important configuration options: - -## Parameters ---- -### metadata - -| Name | Description | Default Value | -| ----------------| ----------------------------------------------- | ------------- | -| namespace | Provide the namespace for organization's peer | bevel | -| name | Provide the name for indy-pool-genesis release | indy-pool-genesis | - -### organization - -| Name | Description | Default Value | -| -------- | ----------------------------------- | ------------- | -| name | Provide the name for organization | provider | -| configmap | | | -| poolGenesis | Provide the poolGenesis | poolGenesis | - - - -## Deployment ---- - -To deploy the indy-pool-genesis Helm chart, follow these steps: - -1. Modify the [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml) file to set the desired configuration values. -2. Run the following Helm command to install the chart: - ``` - $ helm repo add bevel https://hyperledger.github.io/bevel/ - $ helm install ./indy-pool-genesis - ``` -Replace `` with the desired name for the release. - -This will deploy the indy auth job to the Kubernetes cluster based on the provided configurations. - - - -## Verification ---- - -To verify the jobs, we can use the following command: -``` -$ kubectl get jobs -n -``` -Replace `` with the actual namespace where the job was created. The command will display information about the jobs. 
- - - -## Updating the job ---- - -If we need to update the job with new configurations or changes, modify the same [values.yaml](https://github.com/hyperledger/bevel/blob/develop/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml) file with the desired changes and run the following Helm command: -``` -$ helm upgrade ./indy-pool-genesis -``` -Replace `` with the name of the release. This command will apply the changes to the job , ensuring the job is up to date. - - - -## Deletion ---- - -To delete the jobs and associated resources, run the following Helm command: -``` -$ helm uninstall -``` -Replace `` with the name of the release. This command will remove all the resources created by the Helm chart. - - - -## Contributing ---- -If you encounter any bugs, have suggestions, or would like to contribute to the [INDY authorization job Helm Chart](https://github.com/hyperledger/bevel/tree/develop/platforms/hyperledger-indy/charts/indy-pool-genesis), please feel free to open an issue or submit a pull request on the [project's GitHub repository](https://github.com/hyperledger/bevel). - - - -## License - -This chart is licensed under the Apache v2.0 license. - -Copyright © 2023 Accenture - -### Attribution - -This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: - -``` -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` 
diff --git a/platforms/hyperledger-indy/charts/indy-pool-genesis/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-pool-genesis/templates/_helpers.tpl
deleted file mode 100644
index d43c09d8cef..00000000000
--- a/platforms/hyperledger-indy/charts/indy-pool-genesis/templates/_helpers.tpl
+++ /dev/null
@@ -1,5 +0,0 @@
-{{- define "labels.custom" }}
- {{ range $key, $val := $.Values.metadata.labels }}
- {{ $key }}: {{ $val }}
- {{ end }}
-{{- end }}
diff --git a/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml b/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml
deleted file mode 100644
index 4df1b43f59e..00000000000
--- a/platforms/hyperledger-indy/charts/indy-pool-genesis/values.yaml
+++ /dev/null
@@ -1,32 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Default values for indy-pool-genesis. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -metadata: - #Provide the namespace for organization's peer - #Eg. namespace: bevel - namespace: - - #Provide the name for indy-pool-genesis release - #Eg. name: indy-pool-genesis - name: - -organization: - #Provide the name for organization - #Eg. name: provider - name: - - configmap: - #Provide the poolGenesis - #Eg. poolGenesis: |- - #{"reqSignature":{},"txn":{"data":{"data":{"alias":"provider-steward-1","blskey":"HHoREgUbA932WS2b6UjuUqLCGftPwp5WHvRGHRhA4QrsbV56qf13u7v6JZSRLV3cw4voQ8tqevf8dikmacwtsNh6Lr7KTPJfYuYcZd3iM7RhV1KkMKy6xkYgHEz9HeKwS5EtmWbuK2hU5ADjjJyj8gHvyxGV45GtSyuv4SXXhk28og","blskey_pop":"QuvE3nzfx3Jb81H2HVB37TABzg7h9zUKu2cWD3EupQ9YCo3JTh1BQsY65WdEw9uwrywRgcfXRAkFf3t35JFXhi5eYKB42qpmcWqFi3XQ1aorXo1jz2WnX1rNJeRozTnsxTMMNABRr69exxNFbgH6z3pA44vgyeFQAR68Wd69LNrGsy","client_ip":"3.221.78.194","client_port":19712,"node_ip":"3.221.78.194","node_port":19711,"services":["VALIDATOR"]},"dest":"Ad2wXywwt8NiBDXhQU6am2CVHbHyYRRY38HCxATE7pzz"},"metadata":{"from":"JerLtFwVmp8f4LS6tdTDwA"},"type":"0"},"txnMetadata":{"seqNo":1,"txnId":"917292505e1e4063b0e6b30d73c131649e5a16271d3c96c3284751a66ef1ff50"},"ver":"1"} - 
#{"reqSignature":{},"txn":{"data":{"data":{"alias":"provider-steward-2","blskey":"2GaTCgC6qmGopiCGxirPWVQDT6odF2QXzwrPAFQZFvtrBTS8GNo5LHNq5iuP8KrXSXfV6RFJTpqyHzAxuCiU5CMGEGao4zTgQj3HvWhrZ7KUJDbLUgVcdyGv3sjwaU37oAQyKUv3gX8BKf6qwMyM9VAG1BqR8VRNXgQjNfV279FGV2h","blskey_pop":"R1VtRJprMMV7YrYaYGforT1sckiUZ2UzDTDSnTGKon611Mnv8VQiNXrW4W4eFsJBtU774PDNgvWbNbZd9Vujq8Tng8RgAfzLmbNeGjtze55X71Rf2EVG3swUyuTBoLChHfCh9VBogHZC18UJZxPvHwHE2kDn4shGcFWLfxNKqKHBzF","client_ip":"3.221.78.194","client_port":19722,"node_ip":"3.221.78.194","node_port":19721,"services":["VALIDATOR"]},"dest":"2pkLP55RVqjwPPZvRyrMXNasNxkGfvUuHs2sXgpvjgLv"},"metadata":{"from":"4M286TT2qVTSWn2i7d6Ggg"},"type":"0"},"txnMetadata":{"seqNo":2,"txnId":"aecd2adbe0d6c4c0ef6e3f78503bddfa8e6078f030381ae895bae9d0da84124f"},"ver":"1"} - #{"reqSignature":{},"txn":{"data":{"data":{"alias":"partner-steward-1","blskey":"3kpJ27VSF4mDKxkeTGa7CdvwGjFrJTT53MH7KaKsWgbAke38fznDhGCpe5QapkEhyoxb2xvCPfDRS3Nnu5GiRZ9GxEdZLsKkYGVkjCA4TysscXUeq6jKZnKkpZG2PMKM9YtfLjzF36tXHmXrvweZcAq4bUnhEckn2iJSuorK6ZyGmmZ","blskey_pop":"RFRVgKNbHe6EF2L419bgs8Yaws1NwYchPLKYFgdMi2bBZRiL1uDdqtpELrW5Q2TvXfKGDjChTvDiR8mCZLBDgxD54a8gzt5CNzPtkBrv96u8jAVj1LLLzx7T3Z6YuHvtSYKh4Bs83Uag8TkdDnrrcsgRdnER7jGhmq758z8Z1tb4MD","client_ip":"3.221.78.194","client_port":19732,"node_ip":"3.221.78.194","node_port":19731,"services":["VALIDATOR"]},"dest":"EZN4GQMvFhUv7jqDbf3Q7aow9Yb7JcKgidfSTR8zbsp5"},"metadata":{"from":"Rsn88jsgAGSyABaB8b73V4"},"type":"0"},"txnMetadata":{"seqNo":3,"txnId":"62a426a55142745dcd68456212d322c8b63682274fcdffd10c3d274e0f87469b"},"ver":"1"} - 
#{"reqSignature":{},"txn":{"data":{"data":{"alias":"partner-steward-2","blskey":"24sdVVdpMotejPMswqfuNks1tZUy2d6aB2Gxb74QXuP7LTWfxYcQUeedyL3J1zADDAf7Mj5oZfxupvV1yJrYwHscP6biY9sJVSMYYaEmdFjsy6LWYP5Gtja4uyBiYksXB3rzbp39cj4HLwwrxPrSAx4Ar6TRvEWGerYQBhXWBNYvR2W","blskey_pop":"Qkn8sg6RPLGihnap32vmLURjdA4z9CjjwmDadcdBrwRVLb6FSAbnNynkVkK9vXBYZti4xLBB6rtktZVwrVm6k3thZQZehMbEeEgpX148D5v7Z8aLz2AkhtJUZKeNtn6S2umhRTHgon6Fs4YxRRFYR3uVFMot6r1i4unYZeP6JChvD5","client_ip":"3.221.78.194","client_port":19742,"node_ip":"3.221.78.194","node_port":19741,"services":["VALIDATOR"]},"dest":"53HWJHMUDFEaVwRLk8awK9meoatqZrqiyNsJqHP3M6sN"},"metadata":{"from":"8QrUxhXHb7v63D2PPwdZr3"},"type":"0"},"txnMetadata":{"seqNo":4,"txnId":"bf525e539b7e0d3e0eeeb2a075198dde681f56ce7d724aca0ebf6d606289a523"},"ver":"1"} - poolGenesis: diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/Chart.yaml b/platforms/hyperledger-indy/charts/indy-register-identity/Chart.yaml new file mode 100644 index 00000000000..7778aa5dcbc --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-register-identity/Chart.yaml @@ -0,0 +1,26 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +apiVersion: v1 +name: indy-register-identity +description: "Hyperledger Indy: Indy Ledger Script for registering new identities" +version: 1.1.0 +appVersion: latest +keywords: + - bevel + - identity + - indy + - hyperledger + - enterprise + - blockchain + - deployment + - accenture +home: https://hyperledger-bevel.readthedocs.io/en/latest/ +sources: + - https://github.com/hyperledger/bevel +maintainers: + - name: Hyperledger Bevel maintainers + email: bevel@lists.hyperledger.org 
diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/README.md b/platforms/hyperledger-indy/charts/indy-register-identity/README.md
new file mode 100644
index 00000000000..dc0d7ad1696
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-register-identity/README.md
@@ -0,0 +1,102 @@ +[//]: # (##############################################################################################) +[//]: # (Copyright Accenture. All Rights Reserved.) +[//]: # (SPDX-License-Identifier: Apache-2.0) +[//]: # (##############################################################################################) + +# indy-register-identity + +This chart is a component of Hyperledger Bevel. The indy-register-identity chart registers a new Identiy for an existing Indy network; it should be executed by a `trustee`. See [Bevel documentation](https://hyperledger-bevel.readthedocs.io/en/latest/) for more details. + +> **Important**: The public key files for the new identity should already be placed in `files` before installing this chart. Check **Prerequisites**. + +## TL;DR + +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install endorser-registration bevel/indy-register-identity +``` + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +If Hashicorp Vault is used, then +- HashiCorp Vault Server 1.13.1+ + +Before running indy-register-identity, the public key information for the endorser/identity should be saved in the `files` directory. For example, given an endorser called `university-endorser`, run the following commands to save the public key info. + +> **Important**: The [indy-key-mgmt](../indy-key-mgmt/README.md) chart generates these keys, so should be installed with matching endorser name before this chart. 
+ +```bash +cd files +# endorser files are in university-ns namespace +endorser_namespace=university-ns +endorser_name=university-endorser +kubectl --namespace $endorser_namespace get secret $endorser_name-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $endorser_name-did.json +kubectl --namespace $endorser_namespace get secret $endorser_name-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $endorser_name-verkey.json + +``` + +## Installing the Chart +To install the chart with the release name `endorser-registration`: + +```bash +helm repo add bevel https://hyperledger.github.io/bevel +helm install endorser-registration bevel/indy-register-identity +``` + +The command deploys the chart on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `endorser-registration` deployment: + +```bash +helm uninstall endorser-registration +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters +### Image + +| Name | Description | Default Value | +| -------------| ---------- | --------- | +| `image.cli` | Indy Cli image repository and tag | `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest` | +| `image.pullSecret` | Provide the docker secret name in the namespace | `""` | + +### Settings + +| Name | Description | Default Value | +|--------|---------|-------------| +|`network` | Network Name for Indy | `bevel` | +| `admin` | Trustee name who is running the registration, ensure the chart is installed on this trustee namespace | `authority-trustee` | +| `newIdentity.name` | Name of the new identity | `university-endorser` | +| `newIdentity.role` | Role of the new identity | `ENDORSER` | + +## License + +This chart is licensed under the Apache v2.0 license. + +Copyright © 2024 Accenture + +### Attribution + +This chart is adapted from the [charts](https://hyperledger.github.io/bevel/) which is licensed under the Apache v2.0 License which is reproduced here: + +``` +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/files/readme.txt b/platforms/hyperledger-indy/charts/indy-register-identity/files/readme.txt new file mode 100644 index 00000000000..672160e2f49 --- /dev/null +++ b/platforms/hyperledger-indy/charts/indy-register-identity/files/readme.txt @@ -0,0 +1 @@ +This is a dummy file. Place the public key files in this folder. \ No newline at end of file 
diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/templates/_helpers.tpl b/platforms/hyperledger-indy/charts/indy-register-identity/templates/_helpers.tpl
new file mode 100644
index 00000000000..a51345d5c81
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-register-identity/templates/_helpers.tpl
@@ -0,0 +1,28 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "indy-register-identity.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "indy-register-identity.fullname" -}}
+{{- $name := default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "indy-register-identity.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/platforms/hyperledger-indy/charts/indy-pool-genesis/templates/configmap.yaml b/platforms/hyperledger-indy/charts/indy-register-identity/templates/configmap.yaml
similarity index 54%
rename from platforms/hyperledger-indy/charts/indy-pool-genesis/templates/configmap.yaml
rename to platforms/hyperledger-indy/charts/indy-register-identity/templates/configmap.yaml
index cb98b4bae52..14248b6a03e 100644
--- a/platforms/hyperledger-indy/charts/indy-pool-genesis/templates/configmap.yaml
+++ b/platforms/hyperledger-indy/charts/indy-register-identity/templates/configmap.yaml
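Review bot: `indy-register-identity.fullname` sets `$name` with `default .Chart.Name` and no value to fall back from, so unlike `indy-register-identity.name` directly above it the helper never honours `.Values.nameOverride`, and the two helpers can disagree for the same release. The conventional line is `{{- $name := default .Chart.Name .Values.nameOverride -}}`. Since none of the values.yaml hunks in this commit declare `nameOverride`, the alternative is to drop the `default` call and use `.Chart.Name` directly so the intent is explicit rather than relying on the single-argument form.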
@@ -3,16 +3,17 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
-
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ $.Values.organization.name }}-ptg
- namespace: {{ $.Values.metadata.namespace }}
+ name: {{ .Release.Name }}-keys
+ namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: {{ $.Values.organization.name }}-ptg
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 data:
- pool_transactions_genesis: |
- {{ $.Values.configmap.poolGenesis | nindent 6 }}
+ did: |
+{{ .Files.Get (printf "files/%s-did.json" .Values.newIdentity.name) | replace "\"" "" | indent 4 }}
+ verkey: |
+{{ .Files.Get (printf "files/%s-verkey.json" .Values.newIdentity.name) | replace "\"" "" | indent 4 }}
+
diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/templates/job.yaml b/platforms/hyperledger-indy/charts/indy-register-identity/templates/job.yaml
new file mode 100644
index 00000000000..ccc30ff64ab
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-register-identity/templates/job.yaml
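Review bot: `.Files.Get` returns an empty string when `files/<name>-did.json` or `files/<name>-verkey.json` is absent, so the `did:` and `verkey:` entries render as empty blocks and the mistake only surfaces later as an obscure failure of the registration job. Wrapping the lookup in `required`, e.g. `{{ required (printf "files/%s-did.json not found" .Values.newIdentity.name) (.Files.Get (printf "files/%s-did.json" .Values.newIdentity.name)) | replace "\"" "" | indent 4 }}`, makes `helm install` fail at render time and names the missing file; the `verkey` line needs the same treatment. The README in this commit already tells operators to place these files, so failing fast here matches the documented prerequisite.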
@@ -0,0 +1,85 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook-delete-policy: "hook-succeeded"
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: indy-register-identity-job
+ app.kubernetes.io/component: register-identity-job
+ app.kubernetes.io/part-of: {{ include "indy-register-identity.fullname" . }}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+spec:
+ backoffLimit: 7
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ app.kubernetes.io/name: indy-register-identity-job
+ app.kubernetes.io/component: register-identity-job
+ app.kubernetes.io/part-of: {{ include "indy-register-identity.fullname" . 
}}
+ app.kubernetes.io/namespace: {{ .Release.Namespace }}
+ app.kubernetes.io/release: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+ spec:
+ restartPolicy: OnFailure
+ imagePullSecrets:
+ {{- if .Values.image.pullSecret }}
+ - name: {{ .Values.image.pullSecret }}
+ {{- end }}
+ volumes:
+ - name: {{ .Release.Name }}-ptg
+ configMap:
+ name: ptg
+ - name: identity-keys
+ configMap:
+ name: {{ .Release.Name }}-keys
+ - name: admin-public
+ secret:
+ secretName: {{ .Values.admin }}-identity-public
+ - name: admin-private
+ secret:
+ secretName: {{ .Values.admin }}-identity-private
+ containers:
+ - name: register-endorser
+ image: {{ .Values.image.cli }}
+ stdin: true
+ tty: true
+ command: ["sh", "-c"]
+ args:
+ - |
+
+ #apt-get install curl -y
+
+ ADMIN_SEED=$(cat /data/admin/private/value | jq -r ".seed")
+ ADMIN_DID=$(cat /data/admin/public/value | jq -r ".did")
+ IDENTITY_DID=$(cat /data/identity/did)
+ IDENTITY_VERKEY=$(cat /data/identity/verkey)
+ echo "Running ledger Transaction Script...";
+
+ ./home/indy-ledger.sh $ADMIN_DID $ADMIN_SEED $IDENTITY_DID $IDENTITY_ROLE $IDENTITY_VERKEY $POOL_GENESIS_PATH;
+ env:
+ - name: IDENTITY_ROLE
+ value: "{{ .Values.newIdentity.role }}"
+ - name: POOL_GENESIS_PATH
+ value: /var/lib/indy/genesis/{{ .Values.network }}/pool_transactions_genesis
+ volumeMounts:
+ - name: {{ .Release.Name }}-ptg
+ mountPath: /var/lib/indy/genesis/{{ .Values.network }}/pool_transactions_genesis
+ subPath: pool_transactions_genesis
+ - name: identity-keys
+ mountPath: /data/identity
+ - name: admin-public
+ mountPath: /data/admin/public
+ - name: admin-private
+ mountPath: /data/admin/private
diff --git a/platforms/hyperledger-indy/charts/indy-register-identity/values.yaml b/platforms/hyperledger-indy/charts/indy-register-identity/values.yaml new file mode 100644
index 00000000000..396eafc2043
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/indy-register-identity/values.yaml 
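Review bot: The trustee seed is handed to the helper on the command line (`./home/indy-ledger.sh $ADMIN_DID $ADMIN_SEED …`), which exposes the ledger's top-level signing secret to anything that can list processes in the pod or read `/proc/<pid>/cmdline` on the node, and to any argument logging the script does; prefer passing it through the environment or stdin if `indy-ledger.sh` (outside this patch) can be adapted. The inline script also runs without `set -eu`, so a missing key in the Secret or a failed `jq` leaves `ADMIN_SEED`/`ADMIN_DID` empty and the NYM is still attempted up to `backoffLimit: 7` times. Separately, `helm.sh/hook-delete-policy` has no effect without a `helm.sh/hook` annotation, so the finished Job and its pod logs are never cleaned up; add `helm.sh/hook: post-install,post-upgrade` or set `spec.ttlSecondsAfterFinished`. `stdin: true`/`tty: true` are not needed on a batch Job.
```shell
set -eu
ADMIN_SEED=$(jq -er '.seed' /data/admin/private/value)
ADMIN_DID=$(jq -er '.did' /data/admin/public/value)
IDENTITY_DID=$(cat /data/identity/did)
IDENTITY_VERKEY=$(cat /data/identity/verkey)
if [ -z "$ADMIN_SEED" ] || [ -z "$ADMIN_DID" ] || [ -z "$IDENTITY_DID" ] || [ -z "$IDENTITY_VERKEY" ]; then
  echo "admin or identity material is empty; refusing to submit NYM" >&2
  exit 1
fi
echo "Running ledger Transaction Script..."
# … unchanged: indy-ledger.sh invocation (seed ideally moved off argv) …
```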
@@ -0,0 +1,30 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Default values for indy-ledger-txn.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+ # Provide the image repository for the indy-ledger-txn container
+ #Eg. cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest
+ cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest
+ #Provide the image pull secret of image
+ #Eg. pullSecret: regcred
+ pullSecret:
+
+# Provide the name for network
+#Eg. network: bevel
+network: bevel
+# Provide the admin trustee for this network, ensure the job is run on trustee namespace
+#Eg. admin: authority-trustee
+admin: authority-trustee
+newIdentity:
+ # Provide the new identity name
+ #Eg. name: university-endorser
+ name: university-endorser
+ # Provide the new identity role
+ #Eg. role: ENDORSER
+ role: ENDORSER
diff --git a/platforms/hyperledger-indy/charts/values/noproxy-and-novault/authority-keys.yaml b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/authority-keys.yaml new file mode 100644
index 00000000000..0f9de2cdf04
--- /dev/null
+++ b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/authority-keys.yaml
@@ -0,0 +1,17 @@
+---
+#helm install member-2 -f values/noproxy-and-novault/txnode-sec.yml -n carrier-bes besu-node
+global:
+ serviceAccountName: bevel-auth
+ cluster:
+ provider: azure # choose from: minikube | aws | azure | gcp
+ cloudNativeServices: false
+ vault:
+ type: kubernetes
+ network: indy
+ proxy:
+ provider: none
+
+settings:
+ removeKeysOnDelete: true
+ identities:
+ trustee: authority-trustee 
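Review bot: `image.cli` defaults to the mutable tag `ghcr.io/hyperledger/bevel-indy-ledger-txn:latest`, so the container that is handed the trustee seed by the job template is whatever was last pushed under that tag; the steward values files in this same patch pin `bevel-indy-node` to `1.12.6`, and this default should likewise be a released tag or a `@sha256:` digest, e.g. `cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:<released tag>`. The header comments still describe the file as `Default values for indy-ledger-txn` and the container as `the indy-ledger-txn container`, which is the chart this one replaces; update them to `indy-register-identity` so the chart name and its docs agree.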
diff --git a/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis-sec.yaml b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis-sec.yaml new file mode 100644 index 00000000000..1f5393dc799 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis-sec.yaml @@ -0,0 +1,14 @@ +#helm install genesis -f values/noproxy-and-novault/genesis.yaml -n supplychain-bes besu-genesis +global: + serviceAccountName: bevel-auth + vault: + type: kubernetes + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + +settings: + # Flag to ensure the genesis configmaps are removed on helm uninstall + removeGenesisOnDelete: true + # Flag to copy domain and pool genesis from files for secondary members + secondaryGenesis: true diff --git a/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis.yaml b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis.yaml new file mode 100644 index 00000000000..b27e6db78e9 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/genesis.yaml 
@@ -0,0 +1,30 @@ +#helm install genesis -f values/noproxy-and-novault/genesis.yaml -n supplychain-bes besu-genesis +global: + serviceAccountName: bevel-auth + vault: + type: kubernetes + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + +settings: + # Flag to ensure the genesis configmaps are removed on helm uninstall + removeGenesisOnDelete: true + # Flag to copy domain and pool genesis from files for secondary members + secondaryGenesis: false + # Provide the steward details by following trustee tree as per example below + trustees: + - name: authority-trustee + stewards: + - name: university-steward-1 # Steward name + publicIp: "node-ip" # Steward public IP Address /Kubernetes API IP for noproxy + nodePort: 30011 # Node external port + clientPort: 30012 # Client external port + - name: university-steward-2 + publicIp: "node-ip" + nodePort: 30021 + clientPort: 30022 + - name: university-steward-3 + publicIp: "node-ip" + nodePort: 30031 + clientPort: 30032 diff --git a/platforms/hyperledger-indy/charts/values/noproxy-and-novault/steward.yaml b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/steward.yaml new file mode 100644 index 00000000000..854014b2880 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/steward.yaml 
@@ -0,0 +1,31 @@ +--- +#helm install validator-1 -f values/noproxy-and-novault/validator.yml -n supplychain-bes besu-node +#helm upgrade validator-1 -f values/noproxy-and-novault/validator.yml -n supplychain-bes besu-node +global: + serviceAccountName: bevel-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + proxy: + provider: none + +storage: + keys: "512Mi" + data: "4Gi" + +image: + indyNode: + repository: ghcr.io/hyperledger/bevel-indy-node + tag: 1.12.6 + +settings: + serviceType: NodePort + node: + publicIp: "node-ip" + port: 30011 + externalPort: 30011 + + client: + publicIp: "node-ip" + port: 30012 + externalPort: 30012 diff --git a/platforms/hyperledger-indy/charts/values/noproxy-and-novault/university-keys.yaml b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/university-keys.yaml new file mode 100644 index 00000000000..1b7609b3262 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/noproxy-and-novault/university-keys.yaml @@ -0,0 +1,22 @@ +--- +#helm install member-2 -f values/noproxy-and-novault/txnode-sec.yml -n carrier-bes besu-node +global: + serviceAccountName: bevel-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + vault: + type: kubernetes + network: indy + proxy: + provider: none + +settings: + removeKeysOnDelete: true + identities: + trustee: + endorser: university-endorser + stewards: + - university-steward-1 + - university-steward-2 + - university-steward-3 diff --git a/platforms/hyperledger-indy/charts/values/proxy-and-vault/authority-keys.yaml b/platforms/hyperledger-indy/charts/values/proxy-and-vault/authority-keys.yaml new file mode 100644 index 00000000000..0f953a18f27 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/proxy-and-vault/authority-keys.yaml 
@@ -0,0 +1,31 @@ +--- +#helm install member-2 -f values/noproxy-and-novault/txnode-sec.yml -n carrier-bes besu-node +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + #Provide the kubernetes host url + #Eg. kubernetesUrl: https://10.3.8.5:8443 + kubernetesUrl: "https://kubernetes.url" + vault: + type: hashicorp + #Provide the vault role used. + role: vault-role + #Provide the network type + network: indy + #Provide the vault server address + address: "http://vault.url:8200" + #Provide the vault authPath configured to be used. + authPath: authority + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/authority" + proxy: + provider: ambassador + +settings: + removeKeysOnDelete: true + identities: + trustee: authority-trustee diff --git a/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis-sec.yaml b/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis-sec.yaml new file mode 100644 index 00000000000..dfa2da45175 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis-sec.yaml 
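Review bot: The example Vault address is `address: "http://vault.url:8200"`, so a user who only swaps in their hostname keeps a plaintext connection over which the trustee seed and node keys are written and read; the sample should use `https://` and note that the client needs the CA bundle when Vault is fronted by a private CA. The usage comment `#helm install member-2 -f values/noproxy-and-novault/txnode-sec.yml -n carrier-bes besu-node` is copied from the Besu chart and names a values file and chart that do not exist here; replace it with the real command for this file (the key-management chart installed into the trustee's namespace) so the example is runnable as written.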
@@ -0,0 +1,26 @@ +#helm install genesis -f values/noproxy-and-novault/genesis.yaml -n supplychain-bes besu-genesis +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + vault: + type: hashicorp + #Provide the vault role used. + role: vault-role + #Provide the network type + network: indy + #Provide the vault server address + address: "http://vault.url:8200" + #Provide the vault authPath configured to be used. + authPath: university + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/university" + +settings: + # Flag to ensure the genesis configmaps are removed on helm uninstall + removeGenesisOnDelete: true + # Flag to copy domain and pool genesis from files for secondary members + secondaryGenesis: true diff --git a/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis.yaml b/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis.yaml new file mode 100644 index 00000000000..4e2b2c14605 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/proxy-and-vault/genesis.yaml 
@@ -0,0 +1,46 @@ +#helm install genesis -f values/noproxy-and-novault/genesis.yaml -n supplychain-bes besu-genesis +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + vault: + type: hashicorp + #Provide the vault role used. + role: vault-role + #Provide the network type + network: indy + #Provide the vault server address + address: "http://vault.url:8200" + #Provide the vault authPath configured to be used. + authPath: authority + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/authority" + +settings: + # Flag to ensure the genesis configmaps are removed on helm uninstall + removeGenesisOnDelete: true + # Flag to copy domain and pool genesis from files for secondary members + secondaryGenesis: false + # Provide the steward details by following trustee tree as per example below + trustees: + - name: authority-trustee + stewards: + - name: university-steward-1 # Steward name + publicIp: "ambassador-public-ip" # Steward public IP Address /Kubernetes API IP for noproxy + nodePort: 15011 # Client external port + clientPort: 15012 # Node external port + - name: university-steward-2 + publicIp: "ambassador-public-ip" + nodePort: 15021 + clientPort: 15022 + - name: university-steward-3 + publicIp: "ambassador-public-ip" + nodePort: 15031 + clientPort: 15032 + - name: university-steward-4 + publicIp: "ambassador-public-ip" + nodePort: 15041 + clientPort: 15042 diff --git a/platforms/hyperledger-indy/charts/values/proxy-and-vault/steward.yaml b/platforms/hyperledger-indy/charts/values/proxy-and-vault/steward.yaml new file mode 100644 index 00000000000..6b75829c302 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/proxy-and-vault/steward.yaml 
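Review bot: The inline comments on the first steward entry are swapped: `nodePort: 15011 # Client external port` and `clientPort: 15012 # Node external port`, whereas the noproxy variant of this file in the same patch labels `nodePort` as the node port and `clientPort` as the client port. These values presumably feed the pool genesis, where confusing the two makes every client dial the node-to-node port, so fix the comments to `nodePort: 15011 # Node external port` / `clientPort: 15012 # Client external port`. The `#helm install genesis … besu-genesis` header comment is likewise copied from the Besu chart and should name the Indy genesis chart.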
@@ -0,0 +1,31 @@ +--- +#helm install validator-1 -f values/noproxy-and-novault/validator.yml -n supplychain-bes besu-node +#helm upgrade validator-1 -f values/noproxy-and-novault/validator.yml -n supplychain-bes besu-node +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + proxy: + provider: ambassador + +storage: + keys: "512Mi" + data: "4Gi" + +image: + indyNode: + repository: ghcr.io/hyperledger/bevel-indy-node + tag: 1.12.6 + +settings: + serviceType: ClusterIP + node: + publicIp: "ambassador-public-ip" + port: 9711 + externalPort: 15011 + + client: + publicIp: "ambassador-public-ip" + port: 9712 + externalPort: 15012 diff --git a/platforms/hyperledger-indy/charts/values/proxy-and-vault/university-keys.yaml b/platforms/hyperledger-indy/charts/values/proxy-and-vault/university-keys.yaml new file mode 100644 index 00000000000..c012cc29319 --- /dev/null +++ b/platforms/hyperledger-indy/charts/values/proxy-and-vault/university-keys.yaml 
@@ -0,0 +1,38 @@ +--- +#helm install member-2 -f values/noproxy-and-novault/txnode-sec.yml -n carrier-bes besu-node +global: + serviceAccountName: vault-auth + cluster: + provider: azure # choose from: minikube | aws | azure | gcp + cloudNativeServices: false + #Provide the kubernetes host url + #Eg. kubernetesUrl: https://10.3.8.5:8443 + kubernetesUrl: "https://kubernetes.url" + vault: + type: hashicorp + #Provide the vault role used. + role: vault-role + #Provide the network type + network: indy + #Provide the vault server address + address: "http://vault.url:8200" + #Provide the vault authPath configured to be used. + authPath: university + #Provide the secret engine. + secretEngine: secretsv2 + #Provide the vault path where the secrets will be stored + secretPrefix: "data/university" + proxy: + provider: ambassador + +settings: + removeKeysOnDelete: true + identities: + trustee: + endorser: university-endorser + stewards: + - university-steward-1 + - university-steward-2 + - university-steward-3 + - university-steward-4 + \ No newline at end of file diff --git a/platforms/hyperledger-indy/configuration/deploy-network.yaml b/platforms/hyperledger-indy/configuration/deploy-network.yaml index d39a207dbc5..d75e640101d 100644 --- a/platforms/hyperledger-indy/configuration/deploy-network.yaml +++ b/platforms/hyperledger-indy/configuration/deploy-network.yaml @@ -35,7 +35,6 @@ loop: "{{ network['organizations'] }}" loop_control: loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' # Create service accounts - name: 'Create service accounts' diff --git a/platforms/hyperledger-indy/configuration/roles/setup/vault_kubernetes/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/vault_kubernetes/tasks/main.yaml index 1772a393d0b..6a97048382c 100644 --- a/platforms/hyperledger-indy/configuration/roles/setup/vault_kubernetes/tasks/main.yaml 
+++ b/platforms/hyperledger-indy/configuration/roles/setup/vault_kubernetes/tasks/main.yaml @@ -61,7 +61,7 @@ VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" when: not vault_auth_status # Only when auth_path is NOT in the output of auth_list - ignore_errors: yes + ignore_errors: true ############################################################################################ # This task get the certificate for the cluster mentioned in k8 secret @@ -90,7 +90,7 @@ VAULT_ADDR: "{{ vault.url }}" VAULT_TOKEN: "{{ vault.root_token }}" register: vault_policy_result - ignore_errors: yes + ignore_errors: true ##################################################################################################################### # This task creates the access policy for organizations diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/Dockerfile b/platforms/hyperledger-indy/images/indy-key-mgmt/Dockerfile index 66f3ef72d0d..2b8eefccf1e 100644 --- a/platforms/hyperledger-indy/images/indy-key-mgmt/Dockerfile +++ b/platforms/hyperledger-indy/images/indy-key-mgmt/Dockerfile @@ -45,7 +45,7 @@ RUN apt-get update && \ RUN add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu xenial main universe" && \ apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CE7709D068DB5E88 && \ - add-apt-repository "deb https://repo.sovrin.org/deb xenial master" && \ + add-apt-repository "deb https://repo.sovrin.org/deb xenial stable" && \ add-apt-repository "deb https://repo.sovrin.org/sdk/deb xenial stable" && \ apt-get update 
@@ -66,7 +66,7 @@ RUN apt-get install -y libindy libindy-crypto=${LIBINDY_CRYPTO_VERSION} RUN mkdir -p ${INDY_HOME} WORKDIR ${INDY_HOME} COPY config/indy_config.py ${INDY_CONFIG_DIR} -RUN /bin/bash -c "source /usr/local/bin/virtualenvwrapper.sh; mkvirtualenv ${NETWORK_NAME}; workon ${NETWORK_NAME}; pip3 install Cython==0.29.36" +RUN /bin/bash -c "source /usr/local/bin/virtualenvwrapper.sh; mkvirtualenv ${NETWORK_NAME}; workon ${NETWORK_NAME}; pip3 install Cython==0.29.36 certifi==2021.10.8 pyzmq" RUN /bin/bash -c "source /usr/local/bin/virtualenvwrapper.sh; workon ${NETWORK_NAME}; pip3 install indy-node==${INDY_NODE_VERSION}" RUN /bin/bash -c "source /usr/local/bin/virtualenvwrapper.sh; workon ${NETWORK_NAME}; pip3 install flake8 requests" diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/README.md b/platforms/hyperledger-indy/images/indy-key-mgmt/README.md index 2d24117a830..1174d589b83 100644 --- a/platforms/hyperledger-indy/images/indy-key-mgmt/README.md +++ b/platforms/hyperledger-indy/images/indy-key-mgmt/README.md @@ -45,12 +45,12 @@ docker run -it --rm -e VAULT_TOKEN= /bevel-indy-key-mgmt Insert to vault: ```bash -docker run -it --rm -e VAULT_TOKEN="s.ev8ehHRFYgluTkVDYFH7X5vE" ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.1 generate_identity my-identity provider.stewards vault http://host.docker.internal:8200 +docker run -it --rm -e VAULT_TOKEN="s.ev8ehHRFYgluTkVDYFH7X5vE" ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6 generate_identity my-identity provider.stewards vault http://host.docker.internal:8200 ``` Print on console: ```bash -docker run -it --rm ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.1 bash -c "generate_identity my-identity provider.stewards | jq" +docker run -it --rm ghcr.io/hyperledger/bevel-indy-key-mgmt:1.12.6 bash -c "generate_identity my-identity provider.stewards | jq" ``` > You could use `| jq` for smooth printing of JSON 
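Review bot: The new `pip3 install` line pins `certifi==2021.10.8`, which freezes the CA trust store used by Python TLS clients in this image at a 2021 snapshot (roots added or distrusted since then are not reflected), while `pyzmq` is left unpinned so the build is not reproducible. If an old certifi is required for the xenial-era dependency resolution, say so in a comment on the line; otherwise drop or update the pin, and pin `pyzmq` the way `Cython==0.29.36` is pinned, to the version the image was tested with.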
diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py index 231519cadf1..91ff7042f22 100644 --- a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py +++ b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py @@ -6,6 +6,7 @@ import ujson as json import base58 import re +import html from crypto.bls.bls_crypto import BlsGroupParamsLoader from crypto.bls.bls_factory import BlsFactoryCrypto 
@@ -278,29 +279,27 @@ def path_iteration(dictionary, path):
 paths.append({path: {key: value}})
 return paths
 return path_iteration(dictionary, '')
+def prevent_injections(input_string):
+ # Regex pattern to prevent SQL injection
+ sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+ # Regex pattern to prevent HTML injection
+ html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
-class IdentityCreator:
-
- def prevent_injections(input_string):
- # Regex pattern to prevent SQL injection
- sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+ # Check for SQL injection
+ if sql_injection_pattern.search(input_string):
+ raise ValueError("Invalid input. Detected potential SQL injection attempt.")
- # Regex pattern to prevent HTML injection
- html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+ # Check for HTML injection
+ if html_injection_pattern.search(input_string):
+ raise ValueError("Invalid input. Detected potential HTML injection attempt.")
- # Check for SQL injection
- if sql_injection_pattern.search(input_string):
- raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+ # HTML escape the input
+ escaped_string = html.escape(input_string)
- # Check for HTML injection
- if html_injection_pattern.search(input_string):
- raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+ return escaped_string
- # HTML escape the input
- escaped_string = html.escape(input_string)
-
- return escaped_string
+class IdentityCreator:
 @classmethod
 def process(cls):
diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py
index 5337f786495..2d04855680e 100644 
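Review bot: `prevent_injections` is a keyword denylist plus `html.escape`, which is the wrong shape of control for what this tool appears to receive (identity names such as `my-identity`, per the README in this patch): with `re.IGNORECASE`, `\bSELECT\b`, `\bCREATE\b` and `\bUPDATE\b` reject legitimate names like `update-steward` or `create-endorser`; the `--` alternative only matches when sandwiched between word characters (`a--b`) and misses the usual `; --` form; and `html.escape` silently rewrites `'` and `&`, so the returned name no longer equals what the caller passed. A positive allowlist that returns the input unchanged or raises is the safer contract; its call sites are outside this hunk, so the permitted character set should be checked against where the name ends up (Vault paths, Secret names, file names). With this rewrite the `import html` added at the top of the file becomes unused.
```python
# Allowlist for identity/name arguments: letters, digits, dot, underscore and dash.
# NOTE(review): align this set with every place the name is used (Vault paths, Secret names, file names).
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def prevent_injections(input_string):
    """Return input_string unchanged if it matches the allowlist; raise ValueError otherwise."""
    if not isinstance(input_string, str) or not _SAFE_NAME_RE.fullmatch(input_string):
        raise ValueError("Invalid input. Only letters, digits, '.', '_' and '-' are allowed.")
    return input_string
```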
--- a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py +++ b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py @@ -6,6 +6,7 @@ import ujson as json import base58 import re +import html from crypto.bls.bls_crypto import BlsGroupParamsLoader from crypto.bls.bls_factory import BlsFactoryCrypto 
@@ -286,28 +287,27 @@ def path_iteration(dictionary, path):
 return paths
 return path_iteration(dictionary, '')
+def prevent_injections(input_string):
+ # Regex pattern to prevent SQL injection
+ sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
-class IdentityCreatorV2:
-
- def prevent_injections(input_string):
- # Regex pattern to prevent SQL injection
- sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+ # Regex pattern to prevent HTML injection
+ html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
- # Regex pattern to prevent HTML injection
- html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+ # Check for SQL injection
+ if sql_injection_pattern.search(input_string):
+ raise ValueError("Invalid input. Detected potential SQL injection attempt.")
- # Check for SQL injection
- if sql_injection_pattern.search(input_string):
- raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+ # Check for HTML injection
+ if html_injection_pattern.search(input_string):
+ raise ValueError("Invalid input. Detected potential HTML injection attempt.")
- # Check for HTML injection
- if html_injection_pattern.search(input_string):
- raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+ # HTML escape the input
+ escaped_string = html.escape(input_string)
- # HTML escape the input
- escaped_string = html.escape(input_string)
+ return escaped_string
- return escaped_string
+class IdentityCreatorV2:
 @classmethod
 def process(cls):
diff --git a/platforms/hyperledger-indy/images/indy-node/start-indy-node.sh b/platforms/hyperledger-indy/images/indy-node/start-indy-node.sh
index 2ce51f5ddce..e7146912156 100644
--- a/platforms/hyperledger-indy/images/indy-node/start-indy-node.sh
+++ b/platforms/hyperledger-indy/images/indy-node/start-indy-node.sh 
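Review bot: This `prevent_injections` is a byte-for-byte copy of the one added to `identity_crypto_generator.py` in the same patch, so any later tightening has to be applied twice; put it in one shared module and import it from both generators. The same weaknesses apply here: the keyword denylist rejects legitimate names containing `create`, `update` or `select`, the `--` alternative only matches between word characters, and `html.escape` alters the returned string rather than validating it, so an allowlist such as `^[A-Za-z0-9._-]+$` that returns the input unchanged (or raises) is the safer contract.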
@@ -3,7 +3,7 @@ set -u set -e mkdir -p /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/verif_keys -chown indy:indy /var/lib/indy/keys /var/lib/indy/keys/$INDY_NETWORK_NAME /var/lib/indy/keys/$INDY_NETWORK_NAME/keys /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/verif_keys +chown -R indy:indy /var/lib/indy/keys /var/lib/indy/keys/$INDY_NETWORK_NAME /var/lib/indy/keys/$INDY_NETWORK_NAME/keys /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/verif_keys if [[ ! -f "/var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys/$INDY_NODE_NAME.key" ]]; then cp /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys/$INDY_NODE_NAME.key.bootstrap /var/lib/indy/keys/$INDY_NETWORK_NAME/keys/$INDY_NODE_NAME/public_keys/$INDY_NODE_NAME.key diff --git a/platforms/hyperledger-indy/scripts/Setup b/platforms/hyperledger-indy/scripts/Setup deleted file mode 100644 index 5794d8306e9..00000000000 --- a/platforms/hyperledger-indy/scripts/Setup +++ /dev/null @@ -1,5 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - diff --git a/platforms/hyperledger-indy/scripts/genesis/get_keys.sh b/platforms/hyperledger-indy/scripts/genesis/get_keys.sh new file mode 100755 index 00000000000..6a3112acf90 --- /dev/null +++ b/platforms/hyperledger-indy/scripts/genesis/get_keys.sh 
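Review bot: With `-R` on `/var/lib/indy/keys` the six explicit sub-paths that follow it are already covered and only make the line hard to read; `chown -R indy:indy /var/lib/indy/keys` is equivalent. If private node keys live under this tree as well (only the `public_keys`/`verif_keys` directories are created in the hunk, so this is an assumption), a recursive chown still leaves whatever mode bits the volume was mounted with, and a `chmod -R go-rwx` on the private directory would be worth adding alongside it.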
@@ -0,0 +1,33 @@
+#!/bin/bash
+FILES_DIR=../../charts/indy-genesis/files
+kubectl --namespace authority-ns get secret authority-trustee-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/authority-trustee-did.json
+kubectl --namespace authority-ns get secret authority-trustee-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/authority-trustee-verkey.json
+
+kubectl --namespace university-ns get secret university-steward-1-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/university-steward-1-did.json
+kubectl --namespace university-ns get secret university-steward-1-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/university-steward-1-verkey.json
+kubectl --namespace university-ns get secret university-steward-1-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $FILES_DIR/university-steward-1-blspop.json
+kubectl --namespace university-ns get secret university-steward-1-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > $FILES_DIR/university-steward-1-blspub.json
+
+kubectl --namespace university-ns get secret university-steward-2-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/university-steward-2-did.json
+kubectl --namespace university-ns get secret university-steward-2-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/university-steward-2-verkey.json
+kubectl --namespace university-ns get secret university-steward-2-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $FILES_DIR/university-steward-2-blspop.json
+kubectl --namespace university-ns get secret university-steward-2-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > 
$FILES_DIR/university-steward-2-blspub.json
+
+kubectl --namespace university-ns get secret university-steward-3-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/university-steward-3-did.json
+kubectl --namespace university-ns get secret university-steward-3-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/university-steward-3-verkey.json
+kubectl --namespace university-ns get secret university-steward-3-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $FILES_DIR/university-steward-3-blspop.json
+kubectl --namespace university-ns get secret university-steward-3-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > $FILES_DIR/university-steward-3-blspub.json
+
+kubectl --namespace university-ns get secret university-steward-4-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/university-steward-4-did.json
+kubectl --namespace university-ns get secret university-steward-4-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/university-steward-4-verkey.json
+kubectl --namespace university-ns get secret university-steward-4-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $FILES_DIR/university-steward-4-blspop.json
+kubectl --namespace university-ns get secret university-steward-4-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > $FILES_DIR/university-steward-4-blspub.json
+
+# Sample below for employer option
+# kubectl --namespace employer-ns get secret employer-trustee-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/employer-trustee-did.json
+# kubectl --namespace employer-ns get secret employer-trustee-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > 
$FILES_DIR/employer-trustee-verkey.json
+
+# kubectl --namespace employer-ns get secret employer-steward-1-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> $FILES_DIR/employer-steward-1-did.json
+# kubectl --namespace employer-ns get secret employer-steward-1-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > $FILES_DIR/employer-steward-1-verkey.json
+# kubectl --namespace employer-ns get secret employer-steward-1-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-key-pop"]' > $FILES_DIR/employer-steward-1-blspop.json
+# kubectl --namespace employer-ns get secret employer-steward-1-node-public-bls-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["bls-public-key"]' > $FILES_DIR/employer-steward-1-blspub.json
diff --git a/platforms/shared/charts/bevel-vault-mgmt/Chart.yaml b/platforms/shared/charts/bevel-vault-mgmt/Chart.yaml
index f769ba6ffe1..e9c1b1288aa 100644
--- a/platforms/shared/charts/bevel-vault-mgmt/Chart.yaml
+++ b/platforms/shared/charts/bevel-vault-mgmt/Chart.yaml
@@ -6,7 +6,7 @@
 apiVersion: v2
 name: bevel-vault-mgmt
 description: "Shared: Vault and Kubernetes configuration"
-version: 1.0.0
+version: 1.0.1
 appVersion: "latest"
 keywords:
 - bevel
diff --git a/platforms/shared/charts/bevel-vault-mgmt/templates/configmap.yaml b/platforms/shared/charts/bevel-vault-mgmt/templates/configmap.yaml
index c866f79909e..f2e3157cab0 100644
--- a/platforms/shared/charts/bevel-vault-mgmt/templates/configmap.yaml
+++ b/platforms/shared/charts/bevel-vault-mgmt/templates/configmap.yaml
@@ -75,3 +75,11 @@ data:
 }"
 }
 {{ end }}
+ {{ if eq .Values.global.vault.network "indy" -}}
+ {
+ "policy":
+ "path \"{{ .Values.global.vault.secretEngine }}/{{ .Values.global.vault.secretPrefix }}/*\" {
+ capabilities = [\"list\", \"read\", \"create\", \"update\"]
+ }"
+ }
+ {{ end }}
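Review bot: Every line redirects into `$FILES_DIR/*.json` before anything checks that `kubectl get secret` succeeded or that the requested field exists, so a wrong namespace, a missing Secret or a renamed key yields a file holding nothing or `null`, and the genesis chart then bakes that into the pool/domain genesis instead of stopping; `set -euo pipefail` together with `jq -e` makes the script abort on the first missing value. The four steward blocks and the trustee pair differ only in the name, so a helper plus a loop removes the copy-paste, and the commented-out employer sample becomes the same calls with other names. `FILES_DIR=../../charts/indy-genesis/files` is relative to the caller's working directory, so resolving it from the script's own location avoids writing into the wrong tree.
```bash
#!/bin/bash
set -euo pipefail
FILES_DIR="$(cd "$(dirname "$0")" && pwd)/../../charts/indy-genesis/files"

# Write <field> of Secret <secret> in namespace <ns> to <out>; set -e / jq -e abort the run when the Secret or the field is missing.
get_field() {
  local ns=$1 secret=$2 field=$3 out=$4
  kubectl --namespace "$ns" get secret "$secret" -o jsonpath='{.data.value}' \
    | base64 -d | jq -e --arg f "$field" '.[$f]' > "$out"
}

get_field authority-ns authority-trustee-identity-public did "$FILES_DIR/authority-trustee-did.json"
get_field authority-ns authority-trustee-node-public-verif-keys verification-key "$FILES_DIR/authority-trustee-verkey.json"

for i in 1 2 3 4; do
  s="university-steward-$i"
  get_field university-ns "$s-identity-public" did "$FILES_DIR/$s-did.json"
  get_field university-ns "$s-node-public-verif-keys" verification-key "$FILES_DIR/$s-verkey.json"
  get_field university-ns "$s-node-public-bls-keys" bls-key-pop "$FILES_DIR/$s-blspop.json"
  get_field university-ns "$s-node-public-bls-keys" bls-public-key "$FILES_DIR/$s-blspub.json"
done
# … unchanged: commented employer sample (becomes the same get_field calls) …
```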
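Review bot: The new indy policy grants `list`, `read`, `create` and `update` on `<secretEngine>/<secretPrefix>/*` but no `delete`, while the values files in this patch set `settings.removeKeysOnDelete: true`; if that cleanup removes the keys from Vault (the cleanup job is not in this chunk, so this is an assumption), it will be denied under this policy, and for a KV v2 engine the deletion needs `delete` on the `data/` path and, for a full purge, on the matching `metadata/` path too. The policy is also built by interpolating `secretEngine` and `secretPrefix` straight into a JSON string, so a value containing a double quote or backslash breaks the ConfigMap; guarding both with `required` and a `regexMatch "^[A-Za-z0-9/_-]+$"` check before use keeps the rendered document valid.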