From 1df8e569d30705d618e179948493aa95705a1253 Mon Sep 17 00:00:00 2001 From: saikumarbommakanti Date: Tue, 13 Feb 2024 15:55:23 +0000 Subject: [PATCH 1/9] chore: Updated kubeconfig configuration in storage class helm chart Signed-off-by: saikumarbommakanti --- .../configuration/roles/setup/storageclass/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/platforms/shared/configuration/roles/setup/storageclass/tasks/main.yaml b/platforms/shared/configuration/roles/setup/storageclass/tasks/main.yaml index feddc19d6ad..53c86168e8f 100644 --- a/platforms/shared/configuration/roles/setup/storageclass/tasks/main.yaml +++ b/platforms/shared/configuration/roles/setup/storageclass/tasks/main.yaml @@ -51,6 +51,7 @@ values_files: - "{{ playbook_dir }}/../../../platforms/shared/configuration/build/{{ sc_name }}-storageclass.yaml" force: true + kubeconfig: "{{ org.k8s.config_file }}" when: storageclass_state.resources|length == 0 ############################################################################################# From 541bd8f50514d0c4f40b4d320c51c4378cfac083 Mon Sep 17 00:00:00 2001 From: sownak Date: Fri, 31 May 2024 09:31:52 +0000 Subject: [PATCH 2/9] [fabric] Fix approve chaincode Signed-off-by: sownak --- .../charts/besu-genesis/requirements.yaml | 4 +-- .../charts/besu-node/requirements.yaml | 6 ++-- .../besu-tessera-node/requirements.yaml | 2 +- .../configuration/external-chaincode-ops.yaml | 28 +++++++++---------- .../templates/approve_chaincode_job.tpl | 2 +- .../configuration/setup-k8s-environment.yaml | 2 +- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/platforms/hyperledger-besu/charts/besu-genesis/requirements.yaml b/platforms/hyperledger-besu/charts/besu-genesis/requirements.yaml index b1195396c5f..b878161ca1a 100644 --- a/platforms/hyperledger-besu/charts/besu-genesis/requirements.yaml +++ b/platforms/hyperledger-besu/charts/besu-genesis/requirements.yaml 
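Review bot: The added `kubeconfig: "{{ org.k8s.config_file }}"` only steers the Helm install, while the task is still gated on `storageclass_state.resources|length == 0`; the lookup that populates `storageclass_state` sits above this hunk, and if it does not pass the same kubeconfig it queries whatever context is active on the controller, so the "already exists" check and the install can be evaluated against two different clusters. Worth confirming that the preceding lookup task also carries `kubeconfig: "{{ org.k8s.config_file }}"` so both steps target `org.k8s`. Note that `force: true` remains in effect, so a re-run that does reach this task replaces the StorageClass rather than failing on drift. The task's opening lines are outside the hunk.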
@@ -1,11 +1,11 @@ dependencies: - name: bevel-vault-mgmt - repository: "file://../../../shared/charts/bevel-vault-mgmt" + repository: "https://hyperledger.github.io/bevel" tags: - bevel version: ~1.0.0 - name: bevel-scripts - repository: "file://../../../shared/charts/bevel-scripts" + repository: "https://hyperledger.github.io/bevel" tags: - bevel version: ~1.0.0 diff --git a/platforms/hyperledger-besu/charts/besu-node/requirements.yaml b/platforms/hyperledger-besu/charts/besu-node/requirements.yaml index 059282799c1..9244f887e30 100644 --- a/platforms/hyperledger-besu/charts/besu-node/requirements.yaml +++ b/platforms/hyperledger-besu/charts/besu-node/requirements.yaml @@ -1,20 +1,20 @@ dependencies: - name: bevel-storageclass alias: storage - repository: "file://../../../shared/charts/bevel-storageclass" + repository: "https://hyperledger.github.io/bevel" tags: - storage version: ~1.0.0 - name: besu-tessera-node alias: tessera - repository: "file://../besu-tessera-node" + repository: "https://hyperledger.github.io/bevel" tags: - tessera version: ~1.0.0 condition: tessera.enabled - name: besu-tlscert-gen alias: tls - repository: "file://../besu-tlscert-gen" + repository: "https://hyperledger.github.io/bevel" tags: - bevel version: ~1.0.0 diff --git a/platforms/hyperledger-besu/charts/besu-tessera-node/requirements.yaml b/platforms/hyperledger-besu/charts/besu-tessera-node/requirements.yaml index 5f3ec035eee..21dec6373ba 100644 --- a/platforms/hyperledger-besu/charts/besu-tessera-node/requirements.yaml +++ b/platforms/hyperledger-besu/charts/besu-tessera-node/requirements.yaml @@ -1,7 +1,7 @@ dependencies: - name: bevel-storageclass alias: storage - repository: "file://../../../shared/charts/bevel-storageclass" + repository: "https://hyperledger.github.io/bevel" tags: - storage version: ~1.0.0 
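Review bot: Moving the subcharts from `file://` paths to `https://hyperledger.github.io/bevel` while keeping the open range `version: ~1.0.0` turns a dependency fixed at build time into one resolved over the network on every `helm dependency update`, so any later 1.0.x chart published to that repo is picked up silently. For a component that produces the genesis material it would be safer to pin the exact chart version that was tested and commit the generated lock file so resolution is reproducible and reviewable in a diff. The same point applies to the identical edits to besu-node and besu-tessera-node in this commit. If a floating range is intentional for the helm-repo release flow, a one-line comment next to `version:` saying so would save the next reader the question.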
diff --git a/platforms/hyperledger-fabric/configuration/external-chaincode-ops.yaml b/platforms/hyperledger-fabric/configuration/external-chaincode-ops.yaml index 3ff73511ba9..831628ba575 100644 --- a/platforms/hyperledger-fabric/configuration/external-chaincode-ops.yaml +++ b/platforms/hyperledger-fabric/configuration/external-chaincode-ops.yaml @@ -1,5 +1,5 @@ -# This playbook executes required tasks to install and instantiate external chaincode -# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation +# This playbook executes required tasks to install and instantiate external chaincode +# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation # to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook ########################################################################################### # To Run this playbook from this directory, use the following command (network.yaml also in this directory) @@ -77,7 +77,7 @@ - item.type == 'peer' ############################################################################################ - # This task generates the crypto material by executing the generate-crypto-peer-chaincode.sh script + # This task generates the crypto material by executing the generate-crypto-peer-chaincode.sh script - name: Generate crypto material for peer to interact with external chaincode servers include_role: name: "create/chaincode/peer_certs" @@ -94,7 +94,7 @@ ca_server_url: "{{ item.ca_data.url }}" setup_user_env: true loop: "{{ network['organizations'] }}" - when: + when: - item.type == 'peer' ############################################################################################ 
@@ -115,7 +115,7 @@ ca_server_url: "{{ item.ca_data.url }}" setup_user_env: true loop: "{{ network['organizations'] }}" - when: + when: - item.type == 'peer' ############################################################################################ @@ -140,7 +140,7 @@ charts_dir: "{{ item.gitops.chart_source }}" values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}" loop: "{{ network['organizations'] }}" - when: + when: - item.type == 'peer' - item.org_status == 'new' @@ -165,8 +165,8 @@ charts_dir: "{{ item.gitops.chart_source }}" values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}" loop: "{{ network['organizations'] }}" - when: - - item.type == 'peer' + when: + - item.type == 'peer' - item.org_status == 'new' ############################################################################################ @@ -202,11 +202,11 @@ docker_url: "{{ network.docker.url }}" approvers: "{{ item.endorsers | default('', true) }}" loop: "{{ network['channels'] }}" - when: add_new_org == 'true' or '2.' in network.version + when: add_new_org == 'true' or '2.' in network.version vars: #These variables can be overriden from the command line - privilege_escalate: false #Default to NOT escalate to root privledges - install_os: "linux" #Default to linux OS - install_arch: "amd64" #Default to amd64 architecture - bin_install_dir: "~/bin" #Default to /bin install directory for binaries - add_new_org: 'false' # Default to false as this is for main network creation + privilege_escalate: false #Default to NOT escalate to root privledges + install_os: "linux" #Default to linux OS + install_arch: "amd64" #Default to amd64 architecture + bin_install_dir: "~/bin" #Default to /bin install directory for binaries + add_new_org: "false" # Default to false as this is for main network creation 
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl index 31e1a52548c..b410289091e 100644 --- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl +++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl @@ -53,7 +53,7 @@ spec: lang: {{ component_chaincode.lang | default('golang') }} commitarguments: {{ component_chaincode.arguments | default('') | quote }} endorsementpolicies: {{ component_chaincode.endorsements | default('') | quote }} - initrequired: {{ component_chaincode.init_required }} + initrequired: {{ component_chaincode.init_required | default('false') | quote }} {% if component_chaincode.repository is defined %} repository: hostname: "{{ component_chaincode.repository.url.split('/')[0] | lower }}" diff --git a/platforms/shared/configuration/setup-k8s-environment.yaml b/platforms/shared/configuration/setup-k8s-environment.yaml index e0e8d5eb1cd..6a78682ed3f 100644 --- a/platforms/shared/configuration/setup-k8s-environment.yaml +++ b/platforms/shared/configuration/setup-k8s-environment.yaml @@ -30,7 +30,7 @@ git_protocol: "{{ item.gitops.git_protocol | default('https') }}" git_url: "{{ item.gitops.git_url }}" git_key: "{{ item.gitops.private_key | default() }}" - flux_version: "0.35.0" + flux_version: "0.41.2" with_items: "{{ network.organizations }}" when: network.env.type != 'operator' From 43469a43deaccce9d2e5666553689d897a4529c4 Mon Sep 17 00:00:00 2001 From: alvaropicazo Date: Thu, 6 Jun 2024 09:24:34 +0000 Subject: [PATCH 3/9] feat(fabric): update playbooks to refresh certificates for fabric version 2.5.x 
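Review bot: `| quote` on the new `initrequired` line is Ansible's shell-quoting filter (shlex), not YAML quoting: it leaves bare `false` and a boolean `True` untouched, so the rendered value is still an unquoted scalar and a `true`/`True` from network.yaml arrives as a differently-cased boolean rather than the string the `default('false')` suggests. If the chart compares this field as a string, render it explicitly: `initrequired: "{{ component_chaincode.init_required | default(false) | string | lower }}"`; if it is consumed as a boolean, drop `quote` and use `default(false)` so both branches yield the same type. Either way a short comment on which type the chart expects would prevent the next drive-by edit. The template's `spec:` block starts above the hunk.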
Signed-off-by: alvaropicazo --- .../configuration/refresh-certificates.yaml | 2 ++ .../roles/create/orderers/tasks/main.yaml | 4 ++-- .../create_channel_block/tasks/main.yaml | 20 ++++++++++++++++++- .../tasks/nested_create_cli.yaml | 2 ++ .../tasks/nested_main.yaml | 2 +- .../templates/update_consenter_script.tpl | 2 ++ 6 files changed, 28 insertions(+), 4 deletions(-) diff --git a/platforms/hyperledger-fabric/configuration/refresh-certificates.yaml b/platforms/hyperledger-fabric/configuration/refresh-certificates.yaml index 617a80bf99b..568a5dca276 100644 --- a/platforms/hyperledger-fabric/configuration/refresh-certificates.yaml +++ b/platforms/hyperledger-fabric/configuration/refresh-certificates.yaml @@ -47,6 +47,7 @@ component: "{{ item.name | lower}}" component_type: "{{ item.type | lower}}" component_services: "{{ item.services }}" + sc_name: "{{ item.name | lower}}-bevel-storageclass" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" ca: "{{ item.services.ca }}" @@ -81,6 +82,7 @@ component_type: "{{ item.type | lower}}" component_services: "{{ item.services }}" orderer_org: "{{ item.orderer_org | lower }}" + sc_name: "{{ item.name | lower}}-bevel-storageclass" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" ca: "{{ item.services.ca }}" diff --git a/platforms/hyperledger-fabric/configuration/roles/create/orderers/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/orderers/tasks/main.yaml index 5aeecf336a4..ed1c13d4e7b 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/orderers/tasks/main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/orderers/tasks/main.yaml 
@@ -14,12 +14,12 @@ - name: "Set Variable channel_name" set_fact: channel_name: "{{ network['channels'] | map(attribute='channel_name') | first | lower }}" - when: item.type == 'orderer' and ('2.2.' in network.version or '1.4.' in network.version) + when: item.type == 'orderer' and ('2.2.' in network.version or '1.4.' in network.version or '2.5.' in network.version) # Fetch the genesis block from vault to the build directory - name: Fetch the genesis block from vault shell: | - vault kv get -field={{ network.env.type }}GenesisBlock {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/ordererOrganizations/{{ item.name | lower }}-net > {{ channel_name}}.genesis.block.base64 + vault kv get -field={{ network.env.type }}GenesisBlock {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/ordererOrganizations/{{ item.name | lower }}-net > {{ channel_name }}.genesis.block.base64 mkdir -p ./build/channel-artifacts mv {{ channel_name}}.genesis.block.base64 ./build/channel-artifacts/ environment: diff --git a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/main.yaml index 6261d71565e..039b80cd55b 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/main.yaml @@ -19,6 +19,7 @@ channel_name: "{{ sys_channel_name }}" orderer: "{{ org.services.orderers | first }}" check: "latest_block" + when: add_new_org == 'false' and ('2.2.' in network.version or '1.4.' in network.version) # Call get_update_block to get the latest from appchannel channel block. - name: Call get_update_block to get latest appchannel block 
@@ -37,10 +38,23 @@ path: "{{ build_path }}/channel-artifacts" state: directory +# Create the genesis block by consuming the latest config block for 2.5.x fabric versions +- name: "Create genesis block" + shell: | + cat {{ build_path }}/{{ channel.channel_name | lower }}_config_block.pb | base64 > {{ build_path }}/channel-artifacts/{{ channel.channel_name | lower }}.genesis.block.base64 + loop: "{{ network.channels }}" + loop_control: + loop_var: channel + when: add_new_org == 'false' and ('2.5.' in network.version) + # Create the genesis block by consuming the latest config block - name: "Create genesis block" shell: | - cat {{ build_path }}/{{ sys_channel_name }}_config_block.pb | base64 > {{ build_path }}/channel-artifacts/{{ channel.channel_name | lower }}.genesis.block.base64 + cat {{ build_path }}/{{ sys_channel_name | lower }}_config_block.pb | base64 > {{ build_path }}/channel-artifacts/{{ channel.channel_name | lower }}.genesis.block.base64 + loop: "{{ network.channels }}" + loop_control: + loop_var: channel + when: add_new_org == 'false' and ('2.2.' in network.version or '1.4.' in network.version) # Add new genesis block to the vault - name: "Write genesis block to Vault" @@ -49,6 +63,10 @@ environment: VAULT_ADDR: "{{ org.vault.url }}" VAULT_TOKEN: "{{ org.vault.root_token }}" + loop: "{{ network.channels }}" + loop_control: + loop_var: channel + when: add_new_org == 'false' and ('2.5.' in network.version) # Delete the orderer cli - name: "Delete all temp {{ orderer.name }}-{{ org.name }}-cli" diff --git a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_create_cli.yaml b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_create_cli.yaml index 93073adc660..431afcf6788 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_create_cli.yaml 
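Review bot: "Write genesis block to Vault" is now gated with `when: add_new_org == 'false' and ('2.5.' in network.version)`, but the task previously ran unconditionally, so on the 1.4/2.2 path the new looped "Create genesis block" task still produces `<channel>.genesis.block.base64` and nothing visible here writes it to Vault any more; unless another task downstream covers that case this looks like a regression, and the condition should probably be `add_new_org == 'false'` alone with the loop shared by both versions. Two tasks carrying the same name "Create genesis block" also make play output ambiguous; naming them e.g. `"Create genesis block (fabric 2.5.x)"` and `"Create genesis block (fabric 1.4.x/2.2.x)"` costs nothing. The shell body of the Vault write task is above the hunk and presumably references `channel`, which is worth checking now that it is a loop variable.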
+++ b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_create_cli.yaml @@ -52,6 +52,7 @@ script: "syschannel-update-script.sh" channel_name: "{{ sys_channel_name }}" check: "fetch_block" + when: add_new_org == 'false' and ('1.4.' in network.version or '2.2.' in network.version) # Call get_update_block to fetch the appchannel channels block - name: Call get_update_block to fetch the {{ channel_name }} channel block @@ -71,6 +72,7 @@ script: "syschannel-update-script.sh" channel_name: "{{ sys_channel_name }}" check: "update_block" + when: add_new_org == 'false' and ('1.4.' in network.version or '2.2.' in network.version) # Call get_update_block to fetch the appchannel channels block - name: Call get_update_block to update the {{ channel_name }} channel block diff --git a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_main.yaml index 56a9612c308..d813c9521aa 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/tasks/nested_main.yaml @@ -22,7 +22,7 @@ channel_name: "{{ sys_channel_name }}" namespace: "{{ component_ns }}" -# Create the update-channel-scriptk.sh file for organizations +# Create the update-channel-script.sh file for organizations - name: "Create update-channel-script.sh script file for orderers" template: src: "update_consenter_script.tpl" diff --git a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/templates/update_consenter_script.tpl b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/templates/update_consenter_script.tpl index 0c6ff6efdf1..39dca6c8615 100644 
--- a/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/templates/update_consenter_script.tpl +++ b/platforms/hyperledger-fabric/configuration/roles/create/refresh_certs/create_channel_block/templates/update_consenter_script.tpl @@ -6,6 +6,8 @@ CURRENT_DIR=${PWD} echo "installing jq " apt-get install -y jq +echo "installing wget " +apt-get wget echo "installing sed " apk add sed echo "installing configtxlator" From f9c4e2a8150efc2e19bd5d2615c421fb6308e129 Mon Sep 17 00:00:00 2001 From: Suvajit Sarkar <55580532+suvajit-sarkar@users.noreply.github.com> Date: Mon, 17 Jun 2024 12:38:21 +0530 Subject: [PATCH 4/9] Create scorecard.yml Signed-off-by: Suvajit Sarkar <55580532+suvajit-sarkar@users.noreply.github.com> --- .github/workflows/scorecard.yml | 73 +++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000000..ac9a9b41b0b --- /dev/null +++ b/.github/workflows/scorecard.yml 
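Review bot: `apt-get wget` is not a valid apt-get invocation (no subcommand), so wget is never installed and the step either errors out or, without `set -e`, is silently skipped; it should read `apt-get install -y --no-install-recommends wget`, and since the `apt-get install -y jq` just above runs with no prior `apt-get update`, an image with an empty package index fails there too. The script also mixes `apt-get` with `apk add sed`, so at most one of those lines can succeed in any given base image; settling on the image's package manager would make the refresh path deterministic. Installing tooling from the network inside the CLI pod on every certificate refresh is also an unpinned fetch at a sensitive moment — baking wget/jq/configtxlator into the image removes it. The script begins above the hunk.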
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '37 8 * * 3'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif From 5f6ac4612d2bdfd565377254b1ae11ff14c80ff6 Mon Sep 17 00:00:00 2001 From: suvajit-sarkar Date: Mon, 17 Jun 2024 07:23:28 +0000 Subject: [PATCH 5/9] docs: added repo md files as per lfx best practices Signed-off-by: suvajit-sarkar --- CHANGELOG.md | 3 +++ GOVERNANCE.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 1 + ROADMAP.md | 3 +++ SECURITY.md | 9 +++++++ 5 files changed, 84 insertions(+) create mode 100644 CHANGELOG.md create mode 100644 GOVERNANCE.md create mode 100644 ROADMAP.md create mode 100644 SECURITY.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000000..136d7b10409 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,3 @@ +# Change Log + +All notable changes to this project will be documented in the release [logs](https://github.com/hyperledger/bevel/releases). \ No newline at end of file diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 00000000000..751cf8529af --- /dev/null +++ b/GOVERNANCE.md 
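Review bot: The SARIF artifact step pins `actions/upload-artifact` at a v3 commit (`# v3.pre.node20`), and the v3 artifact actions have been announced as deprecated by GitHub, so this step is the one most likely to start failing; pin a v4 release SHA and keep the trailing `# vX.Y.Z` comment in sync with it. The rest of the workflow is in good shape for a supply-chain job: `permissions: read-all` at the top, `security-events: write`/`id-token: write` scoped to the single job, `persist-credentials: false` on checkout, and every action pinned by full SHA. `publish_results: true` sends the score to the public OpenSSF API, which is appropriate for a public repository but should be a deliberate choice rather than a template default — a one-line comment confirming that intent would help. The job definition starts above this hunk.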
@@ -0,0 +1,68 @@ +# Governance + +Hyperledger Bevel is managed under an open governance model as described in the Hyperledger charter. Bevel is led by a set of maintainers, who can be found in the MAINTAINERS.md file. + +**Maintainers** + +Bevel is led by the project’s maintainers. The maintainers are responsible for reviewing and merging all patches submitted for review, and they guide the overall technical direction of the project within the guidelines established by the Hyperledger Technical Oversighting Committee (TOC). + +**Becoming a Maintainer** + +The project’s maintainers will, from time-to-time, consider adding or removing a maintainer. An existing maintainer can submit a change set to the MAINTAINERS.md file. A nominated contributor may become a maintainer by a three-quarters approval of the proposal by the existing maintainers. Once approved, the change set is then merged and the individual is added to (or alternatively, removed from) the maintainers group. + +Maintainers may be removed by explicit resignation, for prolonged inactivity (3 or more months), or for some infraction of the code of conduct or by consistently demonstrating poor judgement. A maintainer removed for inactivity should be restored following a sustained resumption of contributions and reviews (a month or more) demonstrating a renewed commitment to the project. We require that maintainers that will be temporarily inactive do so “gracefully” and update other maintainers on their status and time availability rather than appearing to “fall off the face of the earth.” + +**Releases** + +A majority of the maintainers may decide to create a release of Bevel. Any broader rules of Hyperledger pertaining to releases must be followed. Once the project is mature, there will be a stable LTS (long term support) release branch, as well as the main branch for upcoming new features. 
+ +**Making Feature/Enhancement Proposals** + +Code changes that are either bug fixes, direct and small improvements, or things that are on the roadmap (see below) can be issued as PRs in a relatively quick time period, although we recommend creating a Github ticket to track even bugs and small improvements. For more substantial changes, however, a feature/enhancement proposal is required. These proceed through the approval process like typical PRs, and require the same “1 + 1” approval policy for acceptance. + +In particular, all contributors to the project should have enough time to voice an opinion on feature/enhancement proposals before they are accepted. So the maintainers will determine some “comment period” between proposal submission and acceptance so that contributors have enough time to voice their opinions. + +We also recommend reading our CONTRIBUTING.md file (https://github.com/hyperledger/bevel/blob/main/CONTRIBUTING.md) for more information about contributing. + +**Approving Pull Requests** + +Maintainers designated for review are required to review PRs in a timely manner (all circumstances considered, of course). Any pull request must be reviewed by at least two maintainers, and if a PR is submitted by a maintainer, these two reviewers must be different from the original submitter. + +The technical requirements for submitting/approving/merging pull requests are further detailed in the CONTRIBUTING.md file where it is laid out in detail how to ensure git commit graph tidiness. + +**Reviewing Pull Requests** + +We are strongly committed to processing pull requests from everyone in a fair manner meaning that pull requests are to be +reviewed in order of submission. 
+Reviewing PRs in order of submission does not guarantee nor necessitate accepting/merging said PRs in order of submission +since some PRs may require lengthy feedback loops while others may pass the muster without any change requests or +feedback at all, depending on the nature of the change being proposed. +Security related pull requests may be fast tracked even against the "in order of submission" principle if it appears +that a vulnerability makes a pull request a time sensitive issue where the sooner we propagate a fix the better it is. + +**Maintainers Meeting** + +The maintainers hold regular maintainers meetings, which are open to everyone. The purpose of the maintainers meeting is to plan for and review the progress of releases, and to discuss the technical and operational direction of the project. + +Please see the wiki for maintainer meeting details. + +One point to mention about meetings is that new feature/enhancement proposals as described above should be presented to a maintainers meeting for consideration, feedback, and acceptance. + +**Roadmap** + +The Bevel maintainers are required to maintain a roadmap. There is a public-friendly [roadmap](https://hyperledger-bevel.readthedocs.io/en/latest/references/roadmap/) that anyone can digest. The required features to be implemented will be maintained as issues at the official github repository of Bevel with tag string ‘for current release’ or ‘for future release’. The task which is not volunteered to work, will be dispatched to specific contributors following consensus among the majority of maintainers. + + +**Communications** + +We use the Bevel email list for long-form communications and Discord for short, informal announcements and other communications. We encourage all communication, whenever possible, to be public and in the clear (i.e. rather than sending an email directly to a person or two, send it out to the whole list if it pertains to the project). 
+ +**Future Changes** + +The governance of Bevel may change as the project evolves. In particular, if the project becomes large, we will incorporate tiered maintainership, with top-level maintainers, subprojects, subproject maintainers, release managers, and so forth. We emphasize that this document is intended to be “living” and will be updated periodically. + +We require that changes to this document require a three-quarters approval of the existing maintainers. Note that this may also be changed in the future if deemed necessary. + +**Attribution** + +This document is based on the Hyperledger Cacti governance document, with some substantial changes. \ No newline at end of file diff --git a/README.md b/README.md index 846edd5a658..0162b24d02c 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ [chat-image]: https://img.shields.io/discord/905194001349627914?logo=Hyperledger&style=plastic.svg [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE) [![Documentation Status](https://readthedocs.org/projects/hyperledger-bevel/badge/?version=latest)](https://hyperledger-bevel.readthedocs.io/en/latest/?badge=latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3548/badge)](https://bestpractices.coreinfrastructure.org/projects/3548) + [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/hyperledger/bevel/badge)](https://scorecard.dev/viewer/?uri=github.com/hyperledger/bevel) [![DCI Lint Status](https://github.com/hyperledger/bevel/actions/workflows/dci_lint.yml/badge.svg)](https://github.com/hyperledger/bevel/actions/workflows/dci_lint.yml) - [Short Description](#short-description) diff --git a/ROADMAP.md b/ROADMAP.md new file mode 100644 index 00000000000..b61088d9a12 --- /dev/null +++ b/ROADMAP.md @@ -0,0 +1,3 @@ +# Hyperledger Bevel Roadmap + +Roadmap to this project will be documented [here](https://hyperledger-bevel.readthedocs.io/en/latest/references/roadmap/) \ No newline at end of file 
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..22a9b2b603f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Hyperledger Security Policy + +## Reporting a Security Bug + +If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer. + +In order to report a security bug please email a description of the flaw and any related information (e.g. reproduction steps, version) to [security at hyperledger dot org](mailto:security@hyperledger.org). + +The process by which the Hyperledger Security Team handles security bugs is documented further in our [Defect Response page](https://wiki.hyperledger.org/display/SEC/Defect+Response) on our [wiki](https://wiki.hyperledger.org). From 00d017048814d356cafc9643fe8f3136e82dce41 Mon Sep 17 00:00:00 2001 From: alvaropicazo Date: Thu, 6 Jun 2024 09:24:34 +0000 Subject: [PATCH 6/9] feat(fabric): update manage-user-certificate playbook to refresh user certificates Signed-off-by: alvaropicazo --- .../fabric-catools/templates/deployment.yaml | 4 ++- .../charts/fabric-catools/values.yaml | 1 + .../manage-user-certificate.yaml | 30 ++++++++++++------- .../ca_tools/peer/tasks/delete_old_certs.yaml | 20 ++++++++++++- .../create/ca_tools/peer/tasks/main.yaml | 6 ++-- .../helm_component/templates/ca-tools.tpl | 1 + 6 files changed, 47 insertions(+), 15 deletions(-) diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml index 89209c4fe07..0ba1a2f0c7c 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/templates/deployment.yaml 
@@ -357,6 +357,8 @@ spec: value: {{ $.Values.metadata.org_name }} - name: REFRESH_CERTS value: "{{ $.Values.checks.refresh_cert_value }}" + - name: REFRESH_USER_CERTS + value: "{{ $.Values.checks.refresh_user_cert_value }}" - name: ADD_PEER value: "{{ $.Values.checks.add_peer_value }}" - name: ORDERERS_NAMES @@ -453,7 +455,7 @@ spec: list=$(echo "$USERS_IDENTITIES" | tr "-" "\n") for USER in $list do - if ([ "$USERS" ] && [ -e ${MOUNT_PATH}/absent_msp_${USER}.txt ]) || [ "$REFRESH_CERTS" = "true" ] + if ([ "$USERS" ] && [ -e ${MOUNT_PATH}/absent_msp_${USER}.txt ]) || [ "$REFRESH_CERTS" = "true" || [ "$REFRESH_USER_CERTS" = "true" ] then cd /root/ca-tools/${ORG_NAME_EXT} ./generate-user-crypto.sh peer ${USERS} diff --git a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml index 3e7cd16946e..97135404c83 100644 --- a/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml +++ b/platforms/hyperledger-fabric/charts/fabric-catools/values.yaml @@ -140,5 +140,6 @@ users: checks: #Provides the need to refresh user certificates refresh_cert_value: false + refresh_user_cert_value: false #Add a peer to an existing network add_peer_value: False diff --git a/platforms/hyperledger-fabric/configuration/manage-user-certificate.yaml b/platforms/hyperledger-fabric/configuration/manage-user-certificate.yaml index 770a0d93aca..46f7fa7d1cb 100644 --- a/platforms/hyperledger-fabric/configuration/manage-user-certificate.yaml +++ b/platforms/hyperledger-fabric/configuration/manage-user-certificate.yaml 
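Review bot: The new condition `[ "$REFRESH_CERTS" = "true" || [ "$REFRESH_USER_CERTS" = "true" ]` is malformed shell: the shell splits on `||`, so the first command is `[ "$REFRESH_CERTS" = "true"` with no closing bracket, which `test` rejects (`[: missing ]`) and treats as false, meaning `REFRESH_CERTS=true` no longer triggers user-crypto regeneration and an error is printed on every loop iteration; only the `REFRESH_USER_CERTS` half works. The fix is to close the bracket: `if ([ "$USERS" ] && [ -e ${MOUNT_PATH}/absent_msp_${USER}.txt ]) || [ "$REFRESH_CERTS" = "true" ] || [ "$REFRESH_USER_CERTS" = "true" ]`. Since the flag is injected as `value: "{{ $.Values.checks.refresh_user_cert_value }}"`, a value of `True` passed through from the Ansible side renders as the string `True`, which the `= "true"` comparison will not match — either lower-case it in the template (`{{ ... | toString | lower }}`) or accept both spellings. The `for USER in $list` loop and the container script start above the hunk.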
@@ -54,22 +54,30 @@ loop: "{{ network['organizations'] }}" ############################################################################################ - # This task generates the crypto material by executing the generate-user-crypto.sh script file - # present in the Organization's CA Tools CLI + # This task generates the crypto material by running the ca_tools/peer playbook - name: Generate crypto material for user include_role: - name: "create/users" + name: "create/ca_tools/peer" vars: component_name: "{{ item.name | lower}}-net" + component: "{{ item.name | lower}}" component_type: "{{ item.type | lower}}" - org_name: "{{ item.name }}" - services: "{{ item.services }}" - subject: "{{ item.subject }}" - cert_subject: "{{ item.subject | regex_replace('/', ';') | regex_replace(',', '/') | regex_replace(';', ',') }}" # replace , to / and / to , for certpath + component_services: "{{ item.services }}" + orderer_org: "{{ item.orderer_org | lower }}" + sc_name: "{{ component }}-bevel-storageclass" kubernetes: "{{ item.k8s }}" vault: "{{ item.vault }}" - users: "{{ item.users }}" - proxy: "{{ network.env.proxy }}" - ca_url: "{{ item.ca_data.url }}" + ca: "{{ item.services.ca }}" + docker_url: "{{ network.docker.url }}" + gitops: "{{ item.gitops }}" + values_dir: "{{ playbook_dir }}/../../../{{ item.gitops.release_dir }}/{{ item.name | lower }}" loop: "{{ network['organizations'] }}" - when: item.type == 'peer' and item.users is defined + when: item.type == 'peer' + + vars: #These variables can be overriden from the command line + privilege_escalate: false #Default to NOT escalate to root privledges + install_os: "linux" #Default to linux OS + install_arch: "amd64" #Default to amd64 architecture + refresh_user_cert: 'true' #Default for this playbook is true + bin_install_dir: "~/bin" #Default to ~/bin install directory for binaries + add_new_org: "false" 
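Review bot: The new `when: item.type == 'peer'` drops the `item.users is defined` guard that the replaced line carried, while the included role now sets `users: "{{ item.users }}"` (roles/create/ca_tools/peer/tasks/main.yaml hunk) and iterates `{% for user in users %}` (delete_old_certs.yaml hunk), so a peer organisation without a `users` list now fails on an undefined variable instead of being skipped as before. Either `when: item.type == 'peer' and item.users is defined` here, or `users: "{{ item.users | default([]) }}"` in the role, restores the old tolerance; the same remark applies to those two hunks and is not repeated there. Separately, `refresh_user_cert: 'true'` and `add_new_org: "false"` in the appended `vars:` block mix quote styles; the role compares against the string `'true'`, so the values must stay quoted strings, but one style would make that intent easier to see.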
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/delete_old_certs.yaml b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/delete_old_certs.yaml
index fa568860ed8..d2631cb3169 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/delete_old_certs.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/delete_old_certs.yaml
@@ -19,10 +19,28 @@
 vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/peers/{{peer.name}}.{{ component_name }}/tls
 vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/peers/{{peer.name}}.{{ component_name }}/msp
 {% endfor %}
+ {% for user in users %}
+ vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/users/{{user.identity}}/tls
+ vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/users/{{user.identity}}/msp
+ {% endfor %}
 vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/credentials/{{ component_name }}/couchdb/{{ org_name }}
 vars:
 peers: "{{ item.services.peers }}"
 environment:
 VAULT_ADDR: "{{ item.vault.url }}"
 VAULT_TOKEN: "{{ item.vault.root_token }}"
- when: component_type == 'peer'
+ when: component_type == 'peer' and refresh_cert is defined and refresh_cert == 'true'
+
+# Delete crypto materials from vault only for users
+- name: Delete Crypto for peers
+ shell: |
+ {% for user in users %}
+ vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/users/{{user.identity}}/tls
+ vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name | lower }}/peerOrganizations/{{ component_name }}/users/{{user.identity}}/msp
+ {% endfor %}
+ vars:
+ peers: "{{ item.services.peers }}"
+ environment:
+ VAULT_ADDR: "{{ item.vault.url }}"
+ VAULT_TOKEN: "{{ item.vault.root_token }}"
+ when: component_type == 'peer' and refresh_user_cert is defined and refresh_user_cert == 'true'
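Review bot: The new task is named `Delete Crypto for peers` but deletes only the user secrets, and the same user loop was also pasted into the first task, so when `refresh_cert` and `refresh_user_cert` are both `'true'` the user paths are deleted twice and the `vars: peers:` on the new task is never used. A cleaner split leaves the first task peer-only and lets the new task own user deletion, with `- name: Delete Crypto for users` and `when: component_type == 'peer' and ((refresh_cert is defined and refresh_cert == 'true') or (refresh_user_cert is defined and refresh_user_cert == 'true'))`, dropping the `peers` var. Both tasks present `VAULT_TOKEN: "{{ item.vault.root_token }}"` to the shell; a `no_log: true` on the new task would keep that environment out of verbose play output, at the cost of hidden stderr when it fails. The first task's `- name:` and `shell: |` lines are outside the hunk.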
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/main.yaml index b3f4cba47ca..337533ade06 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/peer/tasks/main.yaml @@ -31,14 +31,15 @@ component_ns: "{{ component_name }}" kubernetes: "{{ item.k8s }}" hr_name: "{{ component_name }}-ca-tools" - when: (add_peer is defined and add_peer == 'true') or (refresh_cert is defined and refresh_cert == 'true') + when: (add_peer is defined and add_peer == 'true') or (refresh_cert is defined and refresh_cert == 'true') or (refresh_user_cert is defined and refresh_user_cert == 'true') # Delete old certificates - name: "Delete old certificates" include_tasks: delete_old_certs.yaml vars: org_name: "{{ item.name | lower }}" - when: refresh_cert is defined and refresh_cert == 'true' + users: "{{ item.users }}" + when: (refresh_cert is defined and refresh_cert == 'true') or (refresh_user_cert is defined and refresh_user_cert == 'true') # Get Orderer certificates - name: "Get Orderer certificates" @@ -105,6 +106,7 @@ component_location: "{{ item.location }}" ca_url: "{{ item.ca_data.url }}" refresh_cert_value: "{{ refresh_cert | default(false) | quote }}" + refresh_user_cert_value: "{{ refresh_user_cert | default(false) | quote }}" proxy: "{{ network.env.proxy }}" git_protocol: "{{ item.gitops.git_protocol }}" git_url: "{{ gitops.git_url }}" diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl index 4ba4e6ff381..e8426fda057 100644 --- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl +++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl 
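Review bot: The three-clause `when:` in the first hunk of main.yaml repeats the `X is defined and X == 'true'` pattern that the `Delete old certificates` task below it repeats again, and each new flag will extend both; `when: add_peer | default('false') == 'true' or refresh_cert | default('false') == 'true' or refresh_user_cert | default('false') == 'true'` is equivalent and shorter, because `default` removes the need for the `is defined` guards (the second task takes the same form without the `add_peer` clause). The task the first `when:` belongs to starts outside the hunk.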
@@ -114,5 +114,6 @@ spec:
 {% endif %}
 checks:
 refresh_cert_value: {{ refresh_cert_value }}
+ refresh_user_cert_value: {{ refresh_user_cert_value }}
 add_peer_value: {{ add_peer_value }}
 {% endif %}
From d38f214be27e01195a3d15d0f62f1a2fb942d5a2 Mon Sep 17 00:00:00 2001
From: saurabhkumarkardam
Date: Mon, 24 Jun 2024 08:44:02 +0000
Subject: [PATCH 7/9] feat(indy): refactor codebase for effective deployment
This PR enhances our deployment process for the Indy DLT platform by using the Main branch code.
Changes:
- Updated various tasks and the `Helmrelease` template file.
- Added support for the new Indy version 1.12.6.
fixes #quick-fix
Signed-off-by: saurabhkumarkardam
---
 .../indy-node/templates/statefulset.yaml | 4 +++-
 .../roles/check/k8_component/tasks/main.yaml | 6 +++---
 .../helm_component/node/templates/node.tpl | 6 ++++--
 .../k8_component/templates/serviceaccount.tpl | 9 +++++++++
 .../network-indy-newnode-to-baf-network.yaml | 18 +++++++++++++-----
 ...etwork-indy-newnode-to-non-baf-network.yaml | 16 +++++++++++-----
 .../samples/network-indyv3-aries.yaml | 18 ++++++++++++++----
 .../configuration/samples/network-indyv3.yaml | 18 +++++++++++++++---
 .../samples/network-minikube-aries.yaml | 12 ++++++++----
 .../samples/network-minikube.yaml | 14 ++++++++++----
 platforms/network-schema.json | 9 ++++++---
 .../edge-stack/templates/aes-custom-values.tpl | 16 ++++++++++------
 12 files changed, 106 insertions(+), 40 deletions(-)
diff --git a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml
index cf4c7ee931c..a3b87a10946 100644
--- a/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml
+++ b/platforms/hyperledger-indy/charts/indy-node/templates/statefulset.yaml
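Review bot: `refresh_user_cert_value` is rendered bare, so if ca-tools.tpl is reached from any include of the helm_component role other than the updated ca_tools/peer task (the only caller in this commit that passes the variable), templating stops with an undefined-variable error. `refresh_user_cert_value: {{ refresh_user_cert_value | default('false') }}` keeps the chart default when the variable is not supplied, matching the `default(false)` the caller already applies upstream. The `{% if %}` enclosing this block opens outside the hunk.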
@@ -9,6 +9,8 @@ kind: StatefulSet metadata: name: "{{ $.Values.metadata.name }}" namespace: "{{ $.Values.metadata.namespace }}" + labels: + app: "{{ $.Values.metadata.name }}" spec: serviceName: "{{ $.Values.metadata.name }}" replicas: 1 @@ -217,7 +219,7 @@ spec: - containerPort: {{ $.Values.client.port }} env: - name: INDY_NODE_NAME - value: "{{ $.Values.node.name }}" + value: "{{ $.Values.vault.nodeId }}" - name: INDY_NODE_IP value: "{{ $.Values.node.ip }}" - name: INDY_NODE_PORT diff --git a/platforms/hyperledger-indy/configuration/roles/check/k8_component/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/check/k8_component/tasks/main.yaml index 2441a097580..bbba207ce33 100644 --- a/platforms/hyperledger-indy/configuration/roles/check/k8_component/tasks/main.yaml +++ b/platforms/hyperledger-indy/configuration/roles/check/k8_component/tasks/main.yaml @@ -27,10 +27,10 @@ service_account: "{{ component_name }}" role: "ro" shell: | - secret="$(KUBECONFIG={{ kubernetes.config_file }} kubectl get serviceaccount {{ service_account }} -n {{ component_ns }} -o go-template={% raw %}'{{ (index .secrets 0).name }}'{% endraw %})" - kube_token="$(KUBECONFIG={{ kubernetes.config_file }} kubectl get secret ${secret} -n {{ component_ns }} -o go-template={% raw %}'{{ .data.token }}'{% endraw %} | base64 -d)" + secret="{{ service_account }}-token" + kube_token=$(kubectl --kubeconfig={{ kubernetes.config_file }} -n {{ component_ns }} get secret ${secret} -o jsonpath="{.data.token}" | base64 --decode) vault_token=$(curl --request POST --data '{"jwt": "'"$kube_token"'", "role": "{{ role }}"}' {{ vault.url }}/v1/auth/kubernetes-{{ organization }}-bevel-ac-auth/login | jq -j '.auth.client_token') - echo ${vault_token} + echo $vault_token register: token_output when: component_type == "GetServiceAccount" 
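Review bot: In the k8_component hunk the rewritten shell reads `.data.token` right after the Secret exists, but a `kubernetes.io/service-account-token` Secret is populated by the token controller asynchronously, and neither `curl` (no `--fail`) nor `jq -j` exits non-zero on a failed login, so an empty or not-yet-populated token yields `vault_token=null` and the task still succeeds, deferring the failure to the first use of the registered value. Checking both values and failing the task where the problem occurs is the cheaper diagnosis; whether the task already has `retries`/`until` is outside the hunk. Because the task echoes a Vault client token into `token_output`, `no_log: true` keeps it out of the play output (at the cost of hidden stderr on failure), and `echo "$vault_token"` should be quoted. The task's `- name:` line is outside the hunk.
```yaml
  shell: |
    secret="{{ service_account }}-token"
    kube_token=$(kubectl --kubeconfig={{ kubernetes.config_file }} -n {{ component_ns }} get secret ${secret} -o jsonpath="{.data.token}" | base64 --decode)
    if [ -z "$kube_token" ]; then echo "token for ${secret} not populated yet" >&2; exit 1; fi
    vault_token=$(curl --fail --silent --show-error --request POST --data '{"jwt": "'"$kube_token"'", "role": "{{ role }}"}' {{ vault.url }}/v1/auth/kubernetes-{{ organization }}-bevel-ac-auth/login | jq -j -e '.auth.client_token')
    if [ -z "$vault_token" ] || [ "$vault_token" = "null" ]; then echo "vault login failed for role {{ role }}" >&2; exit 1; fi
    echo "$vault_token"
  no_log: true
  register: token_output
  # … unchanged: when …
```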
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/node/templates/node.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/node/templates/node.tpl
index 0006eee891b..58017acc7b7 100644
--- a/platforms/hyperledger-indy/configuration/roles/create/helm_component/node/templates/node.tpl
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/node/templates/node.tpl
@@ -40,15 +40,18 @@ spec:
 name: {{ component_name }}
 repository: {{ network.docker.url }}/bevel-indy-node:{{ network.version }}
 node:
- name: {{ stewardItem.name }}
+ name: {{ component_name }}
 ip: 0.0.0.0
 publicIp: {{ stewardItem.publicIp }}
 port: {{ stewardItem.node.port }}
+ targetPort: {{ stewardItem.node.targetPort }}
 ambassadorPort: {{ stewardItem.node.ambassador }}
 client:
+ name: {{ component_name }}
 publicIp: {{ stewardItem.publicIp }}
 ip: 0.0.0.0
 port: {{ stewardItem.client.port }}
+ targetPort: {{ stewardItem.client.targetPort }}
 ambassadorPort: {{ stewardItem.client.ambassador }}
 service:
 {% if organizationItem.cloud_provider != 'minikube' %}
@@ -99,4 +102,3 @@ spec:
 keys:
 storagesize: 3Gi
 storageClassName: {{ sc_name }}
-
diff --git a/platforms/hyperledger-indy/configuration/roles/create/k8_component/templates/serviceaccount.tpl b/platforms/hyperledger-indy/configuration/roles/create/k8_component/templates/serviceaccount.tpl
index 13e76dd761e..b6d626a245b 100644
--- a/platforms/hyperledger-indy/configuration/roles/create/k8_component/templates/serviceaccount.tpl
+++ b/platforms/hyperledger-indy/configuration/roles/create/k8_component/templates/serviceaccount.tpl
@@ -3,3 +3,12 @@ kind: ServiceAccount
 metadata:
 name: {{ component_name }}
 namespace: {{ component_namespace }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: {{ component_name }}-token
+ namespace: {{ component_namespace }}
+ annotations:
+ kubernetes.io/service-account.name: "{{ component_name }}"
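Review bot: `targetPort: {{ stewardItem.node.targetPort }}` and `targetPort: {{ stewardItem.client.targetPort }}` make `targetPort` a required key per steward, yet none of the sample network files touched by this commit add it and the network-schema.json hunk does not declare it, so either the samples already carry the key outside the shown hunks or rendering now fails with an undefined variable. If the target port is meant to default to the service port, `targetPort: {{ stewardItem.node.targetPort | default(stewardItem.node.port) }}` (and the client equivalent) keeps existing network files rendering. The chart `spec:` block these lines sit in opens outside the hunk.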
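Review bot: The added `kubernetes.io/service-account-token` Secret in serviceaccount.tpl asks the control plane to mint a non-expiring, unbound token for `{{ component_name }}` and keep it in the namespace, where anyone with `get secret` can read it; this is the credential the check role then presents to Vault, so it is a long-lived secret that has to be rotated by hand. With kubectl 1.24 or newer, `kubectl create token {{ service_account }} -n {{ component_ns }}` (TokenRequest API) returns a short-lived, audience-bound token that Vault's Kubernetes auth should accept, and the Secret would not be needed. If the Secret is kept, a comment above the `---` such as `# Long-lived SA token read by roles/check/k8_component to log in to Vault; drop once the check uses TokenRequest tokens` records why it exists.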
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml index 39f9a49a915..c6cfc9d2b97 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml @@ -15,16 +15,20 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: - type: indy # tag for the environment. Important to run multiple flux on single cluster + type: indy # tag for the environment. Important to run multiple flux on single cluster proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy ambassadorPorts: - portRange: # For a range of ports - from: 9711 - to: 9720 + # Specify a list of individual ports to use + ports: [15010, 15023, 15024, 15025, 15033, 15034, 15035, 15043, 15044, 15045] + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' retry_count: 40 # Retry count for the checks external_dns: enabled # Should be enabled if using external-dns for automatic route configuration 
@@ -64,6 +68,8 @@ network: region: "region" # AWS region publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -178,6 +184,8 @@ network: region: "region" # AWS region publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster # List of all public IP addresses of each availability zone + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml index 87381ca9615..47796592ec0 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml 
@@ -14,16 +14,20 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: - type: indy # tag for the environment. Important to run multiple flux on single cluster + type: indy # tag for the environment. Important to run multiple flux on single cluster proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy ambassadorPorts: - portRange: # For a range of ports - from: 9711 - to: 9712 + # Specify a list of individual ports to use + ports: [15010, 15023, 15024, 15025, 15033, 15034, 15035, 15043, 15044, 15045] + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' retry_count: 40 # Retry count for the checks external_dns: enabled # Should be enabled if using external-dns for automatic route configuration @@ -63,6 +67,8 @@ network: region: "region" # AWS region publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster # List of all public IP addresses of each availability zone + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. 
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml
index cb3835fd6da..0a169ab5886 100644
--- a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml
+++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml
@@ -14,15 +14,21 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: type: "bevel" # tag for the environment. Important to run multiple flux on single cluster - proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy + proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy # Must be different from all stward ambassador ports specified in the rest of this network yaml - ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - ports: 15010,15023,15024,15025,15033,15034,15035,15043,15044,15045 # Each Client Agent uses 3 ports # Indy does not use a port range as it creates an NLB, and only necessary ports should be opened + ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' + # Specify a list of individual ports to use + ports: [15010,15023,15024,15025,15033,15034,15035,15043,15044,15045] # Each Client Agent uses 3 ports # Indy does not use a port range as it creates an NLB, and only necessary ports should be opened + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' retry_count: 20 # Retry count for the checks external_dns: enabled # Should be enabled if using external-dns for automatic route configuration 
@@ -61,6 +67,8 @@ network: region: "region" # AWS region publicIps: ["1.1.1.1", "2.2.2.2"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -114,6 +122,8 @@ network: region: "region" # AWS region publicIps: ["192.168.99.173"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml index 4b221b2a615..1bfd1806dc5 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml 
@@ -16,15 +16,21 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: - type: "dev" # tag for the environment. Important to run multiple flux on single cluster + type: "dev" # tag for the environment. Important to run multiple flux on single cluster proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy # Must be different from all other ports specified in the rest of this network yaml ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - ports: 15010,15023,15024,15025,15033,15034,15035,15043,15044,15045 # Each Client Agent uses 3 ports # Indy does not use a port range as it creates an NLB, and only necessary ports should be opened + # Specify a list of individual ports to use + ports: [15010,15023,15024,15025,15033,15034,15035,15043,15044,15045] # Each Client Agent uses 3 ports # Indy does not use a port range as it creates an NLB, and only necessary ports should be opened + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' retry_count: 20 # Retry count for the checks external_dns: enabled # Should be enabled if using external-dns for automatic route configuration 
@@ -63,6 +69,8 @@ network: region: "region" # AWS region publicIps: ["1.1.1.1", "2.2.2.2"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -116,6 +124,8 @@ network: region: "region" # AWS region publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -205,6 +215,8 @@ network: region: "region" # AWS region publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml index 69fa9eacb64..026efe9594f 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml 
@@ -14,14 +14,14 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: type: "bevel" # tag for the environment. Important to run multiple flux on single cluster - proxy: none # proxy is none for minikube/single cluster - retry_count: 20 # Retry count for the checks - external_dns: disabled # Should be enabled if using external-dns for automatic route configuration + proxy: none # proxy is none for minikube/single cluster + retry_count: 20 # Retry count for the checks + external_dns: disabled # Should be enabled if using external-dns for automatic route configuration # Docker registry details where images are stored. This will be used to create k8s secrets # Please ensure all required images are built and stored in this registry. @@ -48,6 +48,8 @@ network: type: peer cloud_provider: minikube publicIps: [] # Public Ips of stewards/nodes [public ip of minikube] + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -92,6 +94,8 @@ network: type: peer cloud_provider: minikube publicIps: ["192.168.99.173"] # Public Ips of stewards/nodes [public ip of minikube] + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml index 53d0aca3033..af0f2e66cc1 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml 
+++ b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml @@ -11,14 +11,14 @@ network: # Network level configuration specifies the attributes required for each organization # to join an existing network. type: indy - version: 1.11.0 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.6 # Supported versions 1.11.0, 1.12.1 & 1.12.6 #Environment section for Kubernetes setup env: type: "bevel" # tag for the environment. Important to run multiple flux on single cluster - proxy: none # proxy is none for minikube/single cluster - retry_count: 20 # Retry count for the checks - external_dns: disabled # Should be enabled if using external-dns for automatic route configuration + proxy: none # proxy is none for minikube/single cluster + retry_count: 20 # Retry count for the checks + external_dns: disabled # Should be enabled if using external-dns for automatic route configuration # Docker registry details where images are stored. This will be used to create k8s secrets # Please ensure all required images are built and stored in this registry. @@ -45,6 +45,8 @@ network: type: peer cloud_provider: minikube publicIps: [] # Public Ips of stewards/nodes [public ip of minikube] + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. @@ -89,6 +91,8 @@ network: type: peer cloud_provider: minikube publicIps: ["192.168.99.173"] # Public Ips of stewards/nodes [public ip of minikube] + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. 
@@ -165,6 +169,8 @@ network: type: peer cloud_provider: minikube publicIps: ["192.168.99.173"] # Public Ips of stewards/nodes [public ip of minikube] + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. diff --git a/platforms/network-schema.json b/platforms/network-schema.json index 26793be49c4..6a89ec9f1ad 100755 --- a/platforms/network-schema.json +++ b/platforms/network-schema.json @@ -233,7 +233,8 @@ "type": "string", "enum": [ "1.11.0", - "1.12.1" + "1.12.1", + "1.12.6" ] }, "env": { @@ -480,8 +481,10 @@ "type": "object", "properties": { "ports": { - "type": "string", - "pattern": "^\\d{1,5}(?:,\\d{1,5})*$" + "type": "array", + "items": { + "type": "integer" + } }, "portRange": { "type": "object", diff --git a/platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl b/platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl index dae458b6b3b..4140f684117 100644 --- a/platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl +++ b/platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl 
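Review bot: The new `ports` schema in network-schema.json accepts any integer, so a typo such as `150100` or a negative value validates and only fails later when the edge-stack values are rendered; `"items": {"type": "integer", "minimum": 1, "maximum": 65535}` keeps the bound the old `\d{1,5}` pattern roughly enforced. The samples in this commit also add `proxy_namespace` to every `env:` block while no schema hunk declares it, so confirm it is already among the `env` properties, otherwise sample validation and schema disagree wherever `additionalProperties` is false.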
@@ -14,11 +14,16 @@ namespaceOverride: '' # Emissary Chart Values. emissary-ingress: service: -{% if network.type == 'indy' %} +{% if network.type == 'indy' and item.cloud_provider in ['aws', 'aws-baremetal'] %} annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "{{ elastic_ip }}" +{% endif %} +{% if network.type == 'indy' and item.cloud_provider == 'azure' %} + annotations: + service.beta.kubernetes.io/azure-load-balancer-resource-group: "{{ item.azure.node_resource_group }}" + service.beta.kubernetes.io/azure-load-balancer-ipv4: "{{ elastic_ip }}" {% endif %} type: LoadBalancer @@ -31,7 +36,7 @@ emissary-ingress: - name: https port: 443 targetPort: 8443 -{% for port in ports or [] %} +{% for port in ports %} - name: tcp-{{ port }} port: {{ port | int }} targetPort: {{ port | int }} @@ -44,8 +49,6 @@ emissary-ingress: {% endfor %} {% endif %} adminService: - # IP address to assign (if cloud provider supports it) - loadBalancerIP: # Passed to cloud provider load balancer if created (e.g: AWS ELB) loadBalancerSourceRanges: {{ loadBalancerSourceRanges }} @@ -57,7 +60,9 @@ emissary-ingress: ################################################################################ ## Ambassador Edge Stack Configuration ## ################################################################################ - +redis: + image: + tag: 7.2.4 # The Ambassador Edge Stack is free for limited use without a license key. # Go to https://{ambassador-host}/edge_stack/admin/#dashboard to register # for a community license key. @@ -68,4 +73,3 @@ licenseKey: secretName: # Annotations to attach to the license-key-secret. annotations: {} - From 6fc34f451ac14e3dc3e1674cc50b095a3bfce892 Mon Sep 17 00:00:00 2001 
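Review bot: `{% for port in ports %}` drops the `or []` guard of the replaced line, so a network whose `ambassadorPorts` supplies `portRange` rather than `ports`, or no extra ports at all, now aborts rendering instead of adding no TCP ports; `{% for port in ports | default([], true) %}` keeps the old tolerance, and the second argument also covers an explicit null. Separately, `redis: image: tag: 7.2.4` pins a version without saying why; a `# TODO(review): document why 7.2.4 is pinned rather than the chart default` above it would help the next bump. The `{% if %}` that encloses the port loop opens outside the hunk.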
From: saurabhkumarkardam
Date: Mon, 24 Jun 2024 13:41:57 +0000
Subject: [PATCH 8/9] feat(substrate): refactor codebase for effective deployment
This PR improves Substrate DLT deployment using code from the main branch.
Changes:
- Updated the Vault-Auth path for pods to match the expected Vault Authentication Engine in Vault.
- Updated the Storage-class name for pods to match the name of the expected storage-class.
fixes #quick-fix
Signed-off-by: saurabhkumarkardam
---
 .../helm_component/templates/dscp_ipfs_node.tpl | 2 +-
 .../helm_component/templates/genesis_job.tpl | 2 +-
 .../helm_component/templates/node_substrate.tpl | 2 +-
 .../templates/substrate_keys_job.tpl | 2 +-
 .../roles/create/ipfs_bootnode/tasks/main.yaml | 2 +-
 .../roles/create/member_node/tasks/main.yaml | 4 ++--
 .../roles/create/validator_node/tasks/main.yaml | 2 +-
 .../roles/delete/vault_secrets/tasks/main.yaml | 5 +++--
 .../configuration/samples/network-sample.yaml | 15 +++++++++------
 .../configuration/samples/network-substrate.yaml | 14 +++++++++-----
 reset.sh | 5 ++---
 run.sh | 4 ++--
 12 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/platforms/substrate/configuration/roles/create/helm_component/templates/dscp_ipfs_node.tpl b/platforms/substrate/configuration/roles/create/helm_component/templates/dscp_ipfs_node.tpl
index fcb9350c769..a5e678e26ef 100644
--- a/platforms/substrate/configuration/roles/create/helm_component/templates/dscp_ipfs_node.tpl
+++ b/platforms/substrate/configuration/roles/create/helm_component/templates/dscp_ipfs_node.tpl
@@ -69,6 +69,6 @@ spec:
 vault:
 address: {{ vault.url }}
 role: vault-role
- authpath: substrate{{ name }}
+ authpath: {{ network.env.type }}{{ name }}
 serviceaccountname: vault-auth
 certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name }}
diff --git a/platforms/substrate/configuration/roles/create/helm_component/templates/genesis_job.tpl b/platforms/substrate/configuration/roles/create/helm_component/templates/genesis_job.tpl
index 3a02c860a1d..382d0411345 100644
--- a/platforms/substrate/configuration/roles/create/helm_component/templates/genesis_job.tpl
+++ b/platforms/substrate/configuration/roles/create/helm_component/templates/genesis_job.tpl
@@ -29,7 +29,7 @@ spec:
 vault:
 address: {{ vault.url }}
 role: vault-role
- authpath: substrate{{ name }}
+ authpath: {{ network.env.type }}{{ name }}
 serviceaccountname: vault-auth
 certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/{{ name }}
 chain: {{ network.config.chain }}
diff --git a/platforms/substrate/configuration/roles/create/helm_component/templates/node_substrate.tpl b/platforms/substrate/configuration/roles/create/helm_component/templates/node_substrate.tpl
index eff28269cbf..bff9ddb145b 100644
--- a/platforms/substrate/configuration/roles/create/helm_component/templates/node_substrate.tpl
+++ b/platforms/substrate/configuration/roles/create/helm_component/templates/node_substrate.tpl
@@ -111,6 +111,6 @@ spec:
 vault:
 address: {{ vault.url }}
 secretPrefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }}
- authPath: substrate{{ name }}
+ authPath: {{ network.env.type }}{{ name }}
 appRole: vault-role
 image: ghcr.io/hyperledger/alpine-utils:1.0
diff --git a/platforms/substrate/configuration/roles/create/helm_component/templates/substrate_keys_job.tpl b/platforms/substrate/configuration/roles/create/helm_component/templates/substrate_keys_job.tpl
index ce95c33f45c..eabfd0a0843 100644
--- a/platforms/substrate/configuration/roles/create/helm_component/templates/substrate_keys_job.tpl
+++ b/platforms/substrate/configuration/roles/create/helm_component/templates/substrate_keys_job.tpl
@@ -32,6 +32,6 @@ spec: vault: address: {{ vault.url }} role: vault-role - authpath: substrate{{ name }} + authpath: {{ network.env.type }}{{ name }} serviceaccountname: vault-auth certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} diff --git a/platforms/substrate/configuration/roles/create/ipfs_bootnode/tasks/main.yaml b/platforms/substrate/configuration/roles/create/ipfs_bootnode/tasks/main.yaml index 4f47620241d..8d250caeadc 100644 --- a/platforms/substrate/configuration/roles/create/ipfs_bootnode/tasks/main.yaml +++ b/platforms/substrate/configuration/roles/create/ipfs_bootnode/tasks/main.yaml @@ -11,7 +11,7 @@ vars: component_name: "{{ peer.name }}-ipfs-node" type: "dscp_ipfs_node" - storageclass_name: "{{ item.name | lower }}-bevel-storageclass" + storageclass_name: "{{ name }}-bevel-storageclass" external_url: "{{ item.external_url_suffix }}" git_url: "{{ item.gitops.git_url }}" git_branch: "{{ item.gitops.branch }}" diff --git a/platforms/substrate/configuration/roles/create/member_node/tasks/main.yaml b/platforms/substrate/configuration/roles/create/member_node/tasks/main.yaml index 08279c2fdf0..be034000cbf 100644 --- a/platforms/substrate/configuration/roles/create/member_node/tasks/main.yaml +++ b/platforms/substrate/configuration/roles/create/member_node/tasks/main.yaml @@ -11,7 +11,7 @@ vars: component_name: "{{ name }}{{ peer.name }}membernode" type: "node_substrate" - storageclass_name: "{{ item.name | lower }}-bevel-storageclass" + storageclass_name: "{{ name }}-bevel-storageclass" external_url: "{{ item.external_url_suffix }}" vault: "{{ item.vault }}" git_url: "{{ item.gitops.git_url }}" @@ -35,7 +35,7 @@ vars: component_name: "{{ peer.name }}-ipfs-node" type: "dscp_ipfs_node" - storageclass_name: "{{ item.name | lower }}-bevel-storageclass" + storageclass_name: "{{ name }}-bevel-storageclass" external_url: "{{ item.external_url_suffix }}" git_url: "{{ item.gitops.git_url }}" git_branch: "{{ item.gitops.branch }}" 
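Review bot: The new `storageclass_name: "{{ name }}-bevel-storageclass"` drops the `| lower` filter the old expression applied, so whether the StorageClass name is valid now depends on `name` already being lower-case; `name` is set outside this hunk, so I cannot confirm that here. Kubernetes requires object names to be lower-case DNS subdomain names, and an upper-case character would surface as a PVC stuck in Pending rather than as an Ansible error. If `name` is not guaranteed lower-case, `storageclass_name: "{{ name | lower }}-bevel-storageclass"` keeps the previous guarantee at no cost. The same expression is introduced in both member_node hunks and in the validator_node hunk, so whichever form is chosen should be applied to all four.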
diff --git a/platforms/substrate/configuration/roles/create/validator_node/tasks/main.yaml b/platforms/substrate/configuration/roles/create/validator_node/tasks/main.yaml index 74075c31133..be6ee749b46 100644 --- a/platforms/substrate/configuration/roles/create/validator_node/tasks/main.yaml +++ b/platforms/substrate/configuration/roles/create/validator_node/tasks/main.yaml @@ -11,7 +11,7 @@ vars: component_name: "{{ name }}{{ peer.name }}validatornode" type: "node_substrate" - storageclass_name: "{{ item.cloud_provider }}storageclass" + storageclass_name: "{{ name }}-bevel-storageclass" external_url: "{{ item.external_url_suffix }}" vault: "{{ item.vault }}" git_url: "{{ item.gitops.git_url }}" diff --git a/platforms/substrate/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/substrate/configuration/roles/delete/vault_secrets/tasks/main.yaml index 272ea64cb65..8166cb3bfa5 100644 --- a/platforms/substrate/configuration/roles/delete/vault_secrets/tasks/main.yaml +++ b/platforms/substrate/configuration/roles/delete/vault_secrets/tasks/main.yaml @@ -9,6 +9,7 @@ ############################################################################################# ############################################################################################# + # Delete the Docker credentials - name: Delete docker creds k8s: @@ -37,8 +38,8 @@ # Delete Peer Crypto material - name: Delete Peer Crypto material shell: | - vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name }}/{{ peer.name }}/substrate - vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ item.name }}/{{ peer.name }}/ipfs + vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ peer.name }}/substrate + vault kv delete {{ item.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ peer.name }}/ipfs environment: VAULT_ADDR: "{{ item.vault.url }}" VAULT_TOKEN: "{{ item.vault.root_token }}" 
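Review bot: The two `vault kv delete` lines now key the secret path on `org_name`, while the create-side templates in this PR write the material under `{{ name }}` (`certsecretprefix: .../data/{{ name }}/{{ peer.name }}`); if `org_name` is not the same value as `name`, the delete is a silent no-op (`vault kv delete` reports success whether or not the path existed) and the node keys stay in Vault after a reset. `org_name` is defined outside the hunk, so I cannot verify the mapping here. Separately, assuming the mount is KV v2 as the `secretsv2` default suggests, `vault kv delete` only soft-deletes the latest version and the material remains recoverable with `vault kv undelete`; a reset that is meant to remove crypto material should also run `vault kv metadata delete {{ item.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ peer.name }}/substrate` (and the `ipfs` counterpart), which removes all versions and metadata. The task's `environment:` block continues past the hunk.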
diff --git a/platforms/substrate/configuration/samples/network-sample.yaml b/platforms/substrate/configuration/samples/network-sample.yaml index 1c15ca43e60..38c72cc51c4 100644 --- a/platforms/substrate/configuration/samples/network-sample.yaml +++ b/platforms/substrate/configuration/samples/network-sample.yaml @@ -21,9 +21,12 @@ network: # These ports are enabled per cluster, so if you have multiple clusters you do not need so many ports # This sample uses a single cluster, so we have to open 4 ports for each Node. These ports are again specified for each organization below ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - portRange: # For a range of ports - from: 15010 - to: 15043 + # Specify a list of individual ports to use + ports: [15010, 15023, 15024, 15025, 15033, 15034, 15035, 15043, 15044, 15045] + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range # ports: 15020,15021 # For specific ports retry_count: 20 # Retry count for the checks on Kubernetes cluster external_dns: enabled # Should be enabled if using external-dns for automatic route configuration @@ -32,9 +35,9 @@ network: # Please ensure all required images are built and stored in this registry. # Do not check-in docker_password. docker: - url: "ghcr.io" - #username: "docker_username" - #password: "docker_password" + url: "docker.io" + username: "docker_username" + password: "docker_password" # Following are the configurations for the common Substrate network config: diff --git a/platforms/substrate/configuration/samples/network-substrate.yaml b/platforms/substrate/configuration/samples/network-substrate.yaml index 929d9a09daf..bd4132064cb 100644 --- a/platforms/substrate/configuration/samples/network-substrate.yaml +++ b/platforms/substrate/configuration/samples/network-substrate.yaml 
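Review bot: The commented `# ports: 15020,15021 # For specific ports` line that the hunk keeps directly below the new `ports: [...]` list now shows a second, different format for the same key (a comma-separated string versus a flow list), and a user who uncomments it ends up with a duplicate `ports` key under `ambassadorPorts` that most YAML parsers resolve silently to whichever value comes last. Drop that stale line, or fold its intent into the new "Specify a list of individual ports to use" comment so only the list form is shown. The same stale line survives in the network-substrate.yaml hunk.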
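Review bot: Uncommenting `username: "docker_username"` and `password: "docker_password"` directly beneath the kept comment `# Do not check-in docker_password.` turns the sample into a form that invites a real credential to be pasted into a file that is normally copied to `build/network.yaml` and easily committed; the previous commented-out form made the keys optional and kept the sample secret-free. If docker.io pulls need credentials, keep the two keys commented out with a note on where to supply them at run time, rather than shipping them as active placeholders. The `url` switch from `ghcr.io` to `docker.io` is also worth confirming as intentional, since the node_substrate.tpl hunk in this same PR still pulls `ghcr.io/hyperledger/alpine-utils:1.0`, so the sample now points at a registry other than the one the chart images come from.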
@@ -17,13 +17,17 @@ network: #Environment section for Kubernetes setup env: type: "substratedev" # tag for the environment. Important to run multiple flux on single cluster - proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Substrate + proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Substrate + proxy_namespace: "ambassador" # Namespace for the proxy # These ports are enabled per cluster, so if you have multiple clusters you do not need so many ports # This sample uses a single cluster, so we have to open 4 ports for each Node. These ports are again specified for each organization below ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - portRange: # For a range of ports - from: 15010 - to: 15043 + # Specify a list of individual ports to use + ports: [15010, 15023, 15024, 15025, 15033, 15034, 15035, 15043, 15044, 15045] + # Alternatively, specify a range of ports to use all ports within the specified range + # portRange: + # from: 15010 # Starting port of the range + # to: 15045 # Ending port of the range # ports: 15020,15021 # For specific ports retry_count: 20 # Retry count for the checks on Kubernetes cluster external_dns: enabled # Should be enabled if using external-dns for automatic route configuration @@ -59,7 +63,7 @@ network: name: carrier type: superuser external_url_suffix: subs.example.com # This is the url suffix that will be added in DNS recordset. Must be different for different clusters - cloud_provider: gcp # Options: aws, azure, gcp + cloud_provider: aws # Options: aws, azure, gcp aws: access_key: "AWS_ACCESS_KEY" # AWS Access key, only used when cloud_provider=aws secret_key: "AWS_SECRET_KEY" # AWS Secret key, only used when cloud_provider=aws diff --git a/reset.sh b/reset.sh index 98b72aecf1b..4a400619040 100644 --- a/reset.sh +++ b/reset.sh 
@@ -12,9 +12,8 @@ echo "Starting build process..." echo "Adding env variables..." export PATH=/root/bin:$PATH -#Path to k8s config file -KUBECONFIG=/home/bevel/build/config - +# Path to k8s config file +export KUBECONFIG=/home/bevel/build/config echo "Running the playbook..." exec ansible-playbook -vv /home/bevel/platforms/shared/configuration/site.yaml --inventory-file=/home/bevel/platforms/shared/inventory/ -e "@/home/bevel/build/network.yaml" -e 'ansible_python_interpreter=/usr/bin/python3' -e "reset='true'" diff --git a/run.sh b/run.sh index fcf014bd3fd..ef19ba134e8 100644 --- a/run.sh +++ b/run.sh @@ -12,8 +12,8 @@ echo "Starting build process..." echo "Adding env variables..." export PATH=/root/bin:$PATH -#Path to k8s config file -KUBECONFIG=/home/bevel/build/config +# Path to k8s config file +export KUBECONFIG=/home/bevel/build/config echo "Validatin network yaml" ajv validate -s /home/bevel/platforms/network-schema.json -d /home/bevel/build/network.yaml From 2cb4d29c04f9f705f877d0c597785037ebbbdbb2 Mon Sep 17 00:00:00 2001 From: mgCepeda Date: Fri, 28 Jun 2024 10:07:46 +0000 Subject: [PATCH 9/9] fabric hotfix Signed-off-by: mgCepeda --- platforms/shared/configuration/add-new-organization.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/platforms/shared/configuration/add-new-organization.yaml b/platforms/shared/configuration/add-new-organization.yaml index 5afdc4794a2..efca4f81bd0 100644 --- a/platforms/shared/configuration/add-new-organization.yaml +++ b/platforms/shared/configuration/add-new-organization.yaml 
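Review bot: `export KUBECONFIG=/home/bevel/build/config` now reaches the child processes, but nothing checks that the file exists, and when it does not, kubectl and the Kubernetes modules either fall back to a default context or fail later with a less obvious connection error, so a mis-mounted build directory is not caught at the point that caused it. A guard on the line after the export, `[ -f "$KUBECONFIG" ] || { echo "kubeconfig not found at $KUBECONFIG" >&2; exit 1; }`, fails fast with the real cause. The same applies to the run.sh hunk, where the check would sit before the `ajv validate` step.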
@@ -18,10 +18,6 @@ vars: add_new_org: 'true' when: network.type == 'fabric' and (reset is undefined or reset == 'false') - - import_playbook: "{{ playbook_dir }}/../../hyperledger-fabric/configuration/chaincode-ops.yaml" - vars: - add_new_org: 'true' - when: network.type == 'fabric' and (reset is undefined or reset == 'false') - import_playbook: "{{ playbook_dir }}/../../r3-corda/configuration/deploy-network.yaml" when: network.type == 'corda' and (reset is undefined or reset == 'false') - import_playbook: "{{ playbook_dir }}/../../r3-corda-ent/configuration/deploy-network.yaml"