diff --git a/platforms/hyperledger-indy/charts/README.md b/platforms/hyperledger-indy/charts/README.md index 397176f1b13..d0255bf7122 100644 --- a/platforms/hyperledger-indy/charts/README.md +++ b/platforms/hyperledger-indy/charts/README.md @@ -79,7 +79,8 @@ helm install university-steward-3 ./indy-node --namespace university-ns --values cd ./indy-register-identity/files kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json -# Register endorser identity from admin +# Register the endorser identity using the trustee's credentials +# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides cd ../.. helm install university-endorser-id ./indy-register-identity --namespace authority-ns ``` 
@@ -130,24 +131,26 @@ helm install university-steward-4 ./indy-node --namespace university-ns --values cd ./indy-register-identity/files kubectl --namespace university-ns get secret university-endorser-identity-public -o jsonpath='{.data.value}' | base64 -d | jq '.["did"]'> university-endorser-did.json kubectl --namespace university-ns get secret university-endorser-node-public-verif-keys -o jsonpath='{.data.value}' | base64 -d | jq '.["verification-key"]' > university-endorser-verkey.json -# Register endorser identity from admin +# Register the endorser identity using the trustee's credentials +# Deploy the endorser identity registration Helm chart in the authority namespace, where the trustee resides cd ../.. helm install university-endorser-id ./indy-register-identity --namespace authority-ns ``` ### Clean-up -To clean up, simply uninstall the Helm releases. It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure. +To clean up, simply uninstall the Helm charts. +> **NOTE**: It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure. ```bash helm uninstall --namespace university-ns university-steward-1 helm uninstall --namespace university-ns university-steward-2 helm uninstall --namespace university-ns university-steward-3 helm uninstall --namespace university-ns university-steward-4 -helm uninstall --namespace university-ns genesis helm uninstall --namespace university-ns university-keys +helm uninstall --namespace university-ns genesis helm uninstall --namespace authority-ns university-endorser-id -helm uninstall --namespace authority-ns genesis helm uninstall --namespace authority-ns authority-keys +helm uninstall --namespace authority-ns genesis ``` diff --git a/platforms/hyperledger-indy/configuration/cleanup.yaml b/platforms/hyperledger-indy/configuration/cleanup.yaml index a0b5da8760c..92b70722c2e 100644 --- a/platforms/hyperledger-indy/configuration/cleanup.yaml 
+++ b/platforms/hyperledger-indy/configuration/cleanup.yaml @@ -13,17 +13,19 @@ no_log: "{{ no_ansible_log | default(false) }}" tasks: # Cleanup all organizations' vault indy crypto - - name: Cleanup Vault indy crypto + - name: "Clean up Vault indy crypto" include_role: name: clean/vault vars: - organization: "{{ organizationItem.name | lower }}" - organization_ns: "{{ organization }}-ns" - services: "{{ organizationItem.services }}" - acount: "{{ organization }}-admin-vault-auth" - vault: "{{ organizationItem.vault }}" - role: "rw" - auth_path: "kubernetes-{{ organization }}" + org_name: "{{ org.name | lower }}" + org_ns: "{{ org_name }}-ns" + services: "{{ org.services }}" + vault: "{{ org.vault }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org + + # Clean up helpers directory + - name: "Clean up helpers directory" + include_role: + name: clean/local_directories diff --git a/platforms/hyperledger-indy/configuration/deploy-network.yaml b/platforms/hyperledger-indy/configuration/deploy-network.yaml index d75e640101d..bb2a555fdb7 100644 --- a/platforms/hyperledger-indy/configuration/deploy-network.yaml +++ b/platforms/hyperledger-indy/configuration/deploy-network.yaml @@ -4,10 +4,11 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -######################### +############################################################################################## # Playbook to create deployment files for namespaces, service account and clusterrolebinding # Playbook arguments: complete network.yaml -######################### +############################################################################################## +--- - hosts: ansible_provisioners gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" 
@@ -24,203 +25,100 @@ name: check/validation # Create namespaces for organizations - - name: 'Create namespace' + - name: "Create namespace" include_role: name: create/namespace vars: - component_name: "{{ organizationItem.name | lower }}-ns" - component_type_name: "{{ organizationItem.type | lower }}" - kubernetes: "{{ organizationItem.k8s }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" + component_name: "{{ org.name | lower }}-ns" + component_type_name: "{{ org.type | lower }}" + kubernetes: "{{ org.k8s }}" + release_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org - # Create service accounts - - name: 'Create service accounts' + # Create necessary Kubernetes secrets for each organization + - name: "Create k8s secrets" include_role: - name: create/serviceaccount/main + name: create/secrets vars: - component_ns: "{{ organizationItem.name | lower }}-ns" - organization: "{{ organizationItem.name | lower }}" - component_type_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - gitops: "{{ organizationItem.gitops }}" - kubernetes: "{{ organizationItem.k8s }}" + component_ns: "{{ org.name | lower }}-ns" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' + loop_var: org - # Create StorageClass - - name: Create Storage Class + # Generate keys for each nodes + - name: "Generate keys" include_role: - name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" + name: setup/generate-keys vars: org_name: "{{ org.name | lower }}" - sc_name: "{{ org_name }}-bevel-storageclass" - region: "{{ org.k8s.region | default('eu-west-1') }}" + stewards: 
"{{ org.services.stewards }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + vault: "{{ org.vault }}" + kubernetes: "{{ org.k8s }}" + component_type: "generate-keys" + component_ns: "{{ org_name }}-ns" + component_name: "{{ org_name }}-keys" + values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org - when: org.org_status is not defined or org.org_status == 'new' - - # Admin K8S auth - - name: Admin K8S auth - include_role: - name: setup/vault_kubernetes - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}-bevel-ac-vault-auth" - component_type: "GetServiceAccount" - vault: "{{ organizationItem.vault }}" - auth_path: "kubernetes-{{ organization }}-admin-auth" - kubernetes: "{{ organizationItem.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Generate auth job - - name: 'Generate auth job' - include_role: - name: setup/auth_job - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Get Vault AC Token via Service Account - - name: Get Vault AC Token via Service Account - include_role: - name: check/k8_component - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ 
organization }}-bevel-ac-vault-auth" - component_type: "GetServiceAccount" - vault: "{{ organizationItem.vault }}" - kubernetes: "{{ organizationItem.k8s }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - # Generate indy crypto and insert into Vault - - name: 'Generate indy crypto and insert into Vault' + # Get each node keys for the Genesis setup + - name: "Get keys for the Genesis setup" include_role: - name: setup/crypto + name: setup/genesis-node-keys vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - vault_ac_token: "{{ ac_vault_tokens[organization] }}" + component_ns: "{{ org.name | lower }}-ns" + kubernetes: "{{ org.k8s }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: organizationItem.org_status is not defined or organizationItem.org_status == 'new' - - # Create and deploy domain genesis - - name: 'Create domain genesis' - include_role: - name: setup/domain_genesis - - # Create and deploy pool genesis - - name: 'Create pool genesis' - include_role: - name: setup/pool_genesis + loop_var: org - # Add new Trustees via existing Trustee - - name: "Add New Trustees via existing Trustee" + # Install Genesis + - name: "Install Genesis" include_role: - name: setup/trustees - vars: - new_org_query: "organizations[?org_status=='new']" - neworg: "{{ network | json_query(new_org_query) | first }}" - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" - loop: "{{ network['organizations'] }}" - 
loop_control: - loop_var: organizationItem - when: - - (add_new_org|bool and add_new_org_network_trustee_present|bool) - - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing') + name: setup/genesis - # Add new Stewards via existing Trustee - - name: "Add New Stewards via existing Trustee" + # Install Steward nodes + - name: Install Steward nodes include_role: name: setup/stewards vars: - new_org_query: "organizations[?org_status=='new']" - neworg: "{{ network | json_query(new_org_query) | first }}" - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - component_name: "{{ organization }}" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" + org_name: "{{ org.name | lower }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + kubernetes: "{{ org.k8s }}" + component_ns: "{{ org_name }}-ns" + component_type: "stewards" + values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem - when: - - (add_new_org|bool and add_new_org_network_trustee_present|bool) - - (organizationItem.org_status is not defined or organizationItem.org_status == 'existing') + loop_var: org - # Deploy all other nodes - - name: 'Deploy nodes' + # Install Endorser node + - name: "Install Endorser node" include_role: - name: setup/node + name: setup/endorser vars: - organization: "{{ organizationItem.name | lower }}" - sc_name: "{{ organization }}-bevel-storageclass" - component_ns: "{{ organizationItem.name | lower }}-ns" - services: "{{ organizationItem.services }}" - kubernetes: "{{ organizationItem.k8s }}" - vault: "{{ organizationItem.vault }}" - gitops: "{{ organizationItem.gitops }}" - genesis: "{{ network.genesis }}" + org_name: "{{ org.name | lower }}" + endorser: "{{ 
org.services.endorser.name | lower }}" + trustee: "{{ org.services.trustee.name | lower }}" + kubernetes: "{{ org.k8s }}" + component_name: "{{ endorser }}" + component_ns: "{{ org_name }}-ns" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org when: - - (organizationItem.type == 'peer') - - (organizationItem.org_status is not defined or organizationItem.org_status == 'new') - - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool)) + - (org.services.endorser is defined) and (org.services.endorser.name | length > 0) - # Create and deploy Endorser Identities - - name: 'Create Endorser Identities' - include_role: - name: setup/endorsers - vars: - organization: "{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - kubernetes: "{{ organizationItem.k8s }}" - gitops: "{{ organizationItem.gitops }}" - vault: "{{ organizationItem.vault }}" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: organizationItem - when: - - (organizationItem.type == 'peer') - - (organizationItem.org_status is not defined or organizationItem.org_status == 'new') - - (not add_new_org|bool or (add_new_org|bool and add_new_org_new_nyms_on_ledger_present|bool)) - # These variables can be overriden from the command line vars: install_os: "linux" # Default to linux OS diff --git a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml index 3f90de962ae..10131d9f5b6 100644 --- a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml +++ b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/check_count.yaml 
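Review bot: The `Generate keys` task passes `stewards: "{{ org.services.stewards }}"` with no guard, whereas `Install Endorser node` is gated on `org.services.endorser is defined`; for an organization whose `services` has no `stewards` key (the README's authority organization, which only holds trustee keys, looks like one) this expands to an undefined variable as soon as the role references it. Consider `stewards: "{{ org.services.stewards | default([]) }}"` so such an org renders an empty list instead of failing. `Create k8s secrets` receives `vault: "{{ org.vault }}"`, and the clean role shows that object carries `root_token`; worth confirming that create/secrets only writes the Kubernetes-auth material into Secrets and never the root token. As a point of style, `- name: Install Steward nodes` is the only task name in the rewritten play left unquoted while every neighbour is double-quoted. The play definition continues outside the hunk.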
@@ -4,40 +4,23 @@
 # SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
-# Reset counters
-- name: Reset counters
+# Counting the number of steward nodes
+- name: "Count steward nodes"
 set_fact:
- trustee_count=0
- steward_count=0
- endorser_count=0
+ total_stewards: "{{ total_stewards | int + 1 }}"
+ loop: "{{ org.services.stewards }}"
+ loop_control:
+ loop_var: stewards
+ when: (stewards is defined) and (stewards | length > 0)
-# Counting Genesis Stewards
-- name: "Counting Genesis Stewards"
+# Counting the number of trustee nodes
+- name: "Count trustee nodes"
 set_fact:
- steward_count={{ steward_count|default(0)|int + 1 }}
- total_stewards={{ total_stewards|default(0)|int + 1 }}
- loop: "{{ stewards }}"
+ total_trustee: "{{ total_trustee | int + 1 }}"
+ when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0)
-# Counting trustees per Org
-- name: "Counting trustees per Org"
+# Counting the number of endorser nodes
+- name: "Count endorser nodes"
 set_fact:
- trustee_count={{ trustee_count|default(0)|int + 1 }}
- total_trustees={{ total_trustees|default(0)|int + 1 }}
- loop: "{{ trustees }}"
-
-# Print error and end playbook if trustee count limit fails
-- name: Print error and end playbook if trustee count limit fails
- debug: msg="The trustee count is {{ trustee_count }}. There should be max 1 trustee per organization."
- failed_when: trustee_count|int > 1
-
-# Counting Endorsers
-- name: "Counting Endorsers"
- set_fact:
- endorser_count={{ endorser_count|default(0)|int + 1 }}
- loop: "{{ endorsers }}"
-
-# Print error abd end playbook if endorser count limit fails
-- name: Print error abd end playbook if endorser count limit fails
- debug: msg="The endorser count is {{ endorser_count }}. There should be max 1 endorser per organization."
- failed_when: endorser_count|int > 1 - when: endorser_count is defined + total_endorser: "{{ total_endorser | int + 1 }}" + when: (org.services.endorser is defined) and (org.services.endorser.name | length > 0) diff --git a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml index aa4835adeaa..da3abda8212 100644 --- a/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml +++ b/platforms/hyperledger-indy/configuration/roles/check/validation/tasks/main.yaml 
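Review bot: `loop: "{{ org.services.stewards }}"` in `Count steward nodes` is expanded before the per-item `when`, so an organization whose `services` has no `stewards` key fails the task with an undefined variable instead of being skipped, and `stewards | length > 0` on a loop item that is a mapping counts its keys rather than checking that a steward is present. Use `loop: "{{ org.services.stewards | default([]) }}"` and gate on `when: stewards.name is defined` (or drop the `when`) so the guard does what the comment promises. Naming the loop variable `steward` rather than `stewards` would also make it obvious it is one item. The same loop/`when` pair appears in `Delete steward keys` in roles/clean/vault/tasks/main.yaml.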
@@ -6,36 +6,43 @@ ############################################################################################## # This role checks for validation of network.yaml -# Conditions to be checked -# At least 4 genesis stewards -# Max 1 trustee per org -# Max 1 endorser per org -# At least one trustee per network.yaml +# Conditions to be checked: +# - Exactly 1 trustee is required per organization. +# - Up to 1 endorser is allowed per organization. +# - At least 4 stewards are required collectively across the entire Indy network. ############################################################################################## # Set variables - name: Set counters set_fact: total_stewards=0 - total_trustees=0 + total_trustee=0 + total_endorser=0 + organization_count="{{ network['organizations'] | length }}" -# Check Validation -- name: "Check Validation" +# Loop through each organization to count nodes +- name: Count nodes include_tasks: check_count.yaml vars: - trustees: "{{ organizationItem.services.trustees|default([]) }}" - endorsers: "{{ organizationItem.services.endorsers|default([]) }}" - stewards: "{{ organizationItem.services.stewards|default([]) }}" + peers: "{{ item.services.peers }}" loop: "{{ network['organizations'] }}" loop_control: - loop_var: organizationItem + loop_var: org -# Print error and end playbook if genesis steward count limit fails -- name: Print error and end playbook if genesis steward count limit fails - debug: msg="The total genesis steward count is {{ total_stewards }}. There should be at least 4 genesis stewards (in case of a fully Hyperledger Bevel-managed cluster)." - failed_when: not add_new_org and total_stewards|int < 4 +# Stop execution if total trustee is not equal to 1 +- name: "Stop execution if total trustee is not equal to 1" + fail: + msg: "Exactly 1 trustee is required per indy network." 
+ when: (total_trustee | int) != (organization_count | int) -# Print error and end playbook if total trustee count limit fails -- name: Print error and end playbook if total trustee count limit fails - debug: msg="The total trustee count is {{ total_trustees }}. There should be at least 1 trustee per network (in case of a fully Hyperledger Bevel-managed cluster)." - failed_when: not add_new_org and total_trustees|int < 1 +# Stop execution if total endorser is not equal to 1 +- name: "Stop execution if total endorser is not equal to 1" + fail: + msg: "Up to 1 endorser is allowed per organization." + when: (total_endorser | int) > (organization_count | int) + +# Stop execution if total stewards are less than 4 +- name: Stop execution if total stewards are less than 4 + fail: + msg: "At least 4 stewards are required collectively across the entire Indy network." + when: (total_stewards | int) < 4 diff --git a/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml new file mode 100644 index 00000000000..113569f1da5 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/clean/local_directories/tasks/main.yaml 
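Review bot: `peers: "{{ item.services.peers }}"` in `Count nodes` refers to `item` although the loop variable is renamed to `org`, and nothing in check_count.yaml reads `peers`; the line only survives because include_tasks vars are evaluated lazily, so drop it. The trustee check contradicts itself: the header comment says one trustee per organization and the condition compares `total_trustee` with `organization_count`, but the task name says "not equal to 1" and the message says "per indy network" — align them, e.g. `msg: "Exactly 1 trustee is required per organization ({{ total_trustee }} found for {{ organization_count }} organizations)."`. The endorser check `(total_endorser | int) > (organization_count | int)` can never be true because check_count.yaml adds at most one endorser per organization, so it guards nothing. The `set_fact` still uses the free-form `key=value` style spread over a folded multi-line scalar; Ansible's native block form (`total_stewards: 0`) is the conventional and safer spelling.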
@@ -0,0 +1,33 @@
+# Find and delete .json files in platforms/hyperledger-indy/charts/indy-genesis/files directory
+- name: "Find .json files in indy-genesis files directory"
+ find:
+ paths: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ patterns: "*.json"
+ register: genesis_files_to_delete
+
+# Delete .json files in indy-genesis files directory
+- name: "Delete .json files in indy-genesis files directory"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ genesis_files_to_delete.files }}"
+
+# Find and delete .json files in platforms/hyperledger-indy/charts/indy-register-identity/files directory
+- name: "Find .json files in indy-register-identity files directory"
+ find:
+ paths: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+ patterns: "*.json"
+ register: register_files_to_delete
+
+# Delete .json files in indy-register-identity files directory
+- name: "Delete .json files in indy-register-identity files directory"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ register_files_to_delete.files }}"
+
+# Delete the build directory in platforms/hyperledger-indy/configuration
+- name: "Remove build directory from configuration"
+ file:
+ path: "{{ playbook_dir }}/../../hyperledger-indy/configuration/build"
+ state: absent
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml
new file mode 100644
index 00000000000..7d1f0436b98
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_node_keys.yaml
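Review bot: The three `paths` are built as `{{ playbook_dir }}/../../hyperledger-indy/...`, which climbs out of the platform tree only to re-enter it; `{{ playbook_dir }}/../charts/indy-genesis/files` and `{{ playbook_dir }}/build` name the same locations (the play itself uses `../../shared` from the same base) without depending on the parent directory being called `hyperledger-indy`. The delete loops run unconditionally on the registered result; as far as I recall `find` reports a missing directory in `skipped_paths` and returns an empty `files` list rather than failing, so the behaviour is fine, but a comment such as `# find only warns on a missing directory; the delete loop is then a no-op` would save the next reader that check — worth confirming on the Ansible version in use. These two loops are the only ones in the change set that use the default `item`; `loop_control: loop_var: json_file` would keep them consistent with the named loop variables used everywhere else.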
@@ -0,0 +1,19 @@
+# Delete keys from HashiCorp Vault
+- name: "Delete keys for {{ node_name }} in {{ org_name }} organization from Vault"
+ shell: |
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/private/private_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/private/sig_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/public/public_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/client/public/verif_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/identity/private
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/identity/public
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/bls_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/private_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/private/sig_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/bls_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/public_keys
+ vault kv delete {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/node/public/verif_keys
+ environment:
+ VAULT_ADDR: "{{ vault.url }}"
+ VAULT_TOKEN: "{{ vault.root_token }}"
+ ignore_errors: true
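Review bot: `vault kv delete` only soft-deletes the latest version on a KV v2 mount — the data stays recoverable with `vault kv undelete` until its metadata is removed — so if `secretsv2` is a v2 engine, as its name and the `secretEngine: secretsv2` / `data/` prefix in the new HelmRelease templates suggest, this cleanup leaves every private, signing and BLS key retrievable from Vault. Use `vault kv metadata delete` on each path, which removes all versions and the metadata, and collapse the twelve near-identical lines into a loop over the key sub-paths so a missing or misspelt path stands out. `ignore_errors: true` on the whole task also hides an unreachable Vault or a rejected token; registering the result and checking `rc` per sub-path would surface real failures while still tolerating an already-absent key. The `environment` block is unchanged below.
```yaml
- name: "Delete keys for {{ node_name }} in {{ org_name }} organization from Vault"
  # KV v2: `metadata delete` removes every version, not just the latest one
  shell: >-
    vault kv metadata delete
    {{ vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ node_type }}/{{ node_name }}/{{ key_path }}
  loop:
    - client/private/private_keys
    - client/private/sig_keys
    - client/public/public_keys
    - client/public/verif_keys
    - identity/private
    - identity/public
    - node/private/bls_keys
    - node/private/private_keys
    - node/private/sig_keys
    - node/public/bls_keys
    - node/public/public_keys
    - node/public/verif_keys
  loop_control:
    loop_var: key_path
  # … unchanged: environment (VAULT_ADDR / VAULT_TOKEN) …
  ignore_errors: true
```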
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml
new file mode 100644
index 00000000000..95fb4f0ebc6
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/delete_policy_auth.yaml
@@ -0,0 +1,29 @@
+# Remove Policies of trustees
+- name: Remove Policies of trustees
+ environment:
+ vault_token: "{{ vault.root_token }}"
+ shell: |
+ validateVaultResponse () {
+ if [ ${1} != 204 ]; then
+ echo "ERROR: Unable to retrieve. Http status: ${1}"
+ exit 1
+ fi
+ }
+ response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/bevel-vault-mgmt-{{ org_name }}-keys-{{ org_ns }}-policy)
+ validateVaultResponse ${response_status}
+ ignore_errors: true
+
+# Remove Kubernetes Authentication Methods of organizations
+- name: Remove Kubernetes Authentication Methods of {{ org_name }}
+ environment:
+ vault_token: "{{ vault.root_token }}"
+ shell: |
+ validateVaultResponse () {
+ if [ ${1} != 204 ]; then
+ echo "ERROR: Unable to retrieve. Http status: ${1}"
+ exit 1
+ fi
+ }
+ response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ org_name }})
+ validateVaultResponse ${response_status}
+ ignore_errors: true
diff --git a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
index 2eae964156e..38f2d696771 100644
--- a/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
+++ b/platforms/hyperledger-indy/configuration/roles/clean/vault/tasks/main.yaml
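Review bot: The first task's comment and name (`Remove Policies of trustees`) are stale for what the new file does — it deletes the single org-level policy `bevel-vault-mgmt-{{ org_name }}-keys-{{ org_ns }}-policy`, not per-trustee policies, and the helper prints `Unable to retrieve` for a DELETE; rename it to `- name: "Remove Vault policy of {{ org_name }}"` and use `echo "ERROR: Vault DELETE failed. Http status: ${1}"`. `[ ${1} != 204 ]` should quote its operand, `[ "${1}" != 204 ]`, so an empty status is a comparison failure rather than a shell syntax error. With `ignore_errors: true` on both tasks the `exit 1` the helper deliberately raises never stops the play, so the validation is decorative — either drop the ignore or make the helper a warning and say so in a comment. The create-side naming of the policy and of the `{{ org_name }}` auth path is not in this diff, so confirm both strings match what is registered there.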
@@ -9,166 +9,34 @@ ############################################################################################## --- -# Remove Indy Crypto -- name: Remove Indy Crypto of {{ organization }} - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 200 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - # Check if vault URL is valid - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" {{ vault.url }}/ui/) - validateVaultResponse ${response_status} - - curl --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/mounts/{{ organization }} - -# Remove Policies of trustees -- name: Remove Policies of trustees - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.trustees }}" - loop_control: - loop_var: serviceItem - when: services.trustees is defined - -# Remove Policies of stewards -- name: Remove Policies of stewards - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.stewards }}" - loop_control: - loop_var: serviceItem - when: services.stewards is defined - -# Remove Policies of endorsers -- name: Remove Policies of endorsers - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-{{ serviceItem.name }}-ro) - validateVaultResponse ${response_status} - loop: "{{ services.endorsers }}" - loop_control: - loop_var: serviceItem - when: services.endorsers is defined - -# Remove Policies of organization -- name: Remove Policies of {{ organization }} - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-bevel-ac-ro) - validateVaultResponse ${response_status} - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/policy/{{ organization }}-admin-rw) - validateVaultResponse ${response_status} - -# Remove Kubernetes Authentication Methods of organizations -- name: Remove Kubernetes Authentication Methods of {{ organization }} +# Delete keys associated with trustee nodes +- name: Delete trustee keys + include_tasks: delete_node_keys.yaml vars: - auth_path: "kubernetes-{{ organization }}" - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ auth_path }}-admin-auth) - validateVaultResponse ${response_status} - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/{{ auth_path }}-bevel-ac-auth) - validateVaultResponse ${response_status} - when: vault.root_token is defined + node_name: "{{ org.services.trustee.name | lower }}" + node_type: "trustees" + when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0) -# Remove Kubernetes Authentication Methods of trustees -- name: Remove Kubernetes Authentication Methods of {{ organization }} of trustees - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.trustees }}" - loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.trustees is defined +# Delete keys associated with endorser nodes +- name: Delete endorser keys + include_tasks: delete_node_keys.yaml + vars: + node_name: "{{ org.services.endorser.name | lower }}" + node_type: "endorsers" + when: (org.services.endorser is defined) and (org.services.endorser.name | length > 0) -# Remove Kubernetes Authentication Methods of stewards -- name: Remove Kubernetes Authentication Methods of {{ organization }} of stewards - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. 
Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.stewards }}" +# Delete keys associated with steward nodes +- name: Delete steward keys + include_tasks: delete_node_keys.yaml + vars: + node_name: "{{ stewards.name | lower }}" + node_type: "stewards" + loop: "{{ org.services.stewards }}" loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.stewards is defined + loop_var: stewards + when: (stewards is defined) and (stewards | length > 0) -# Remove Kubernetes Authentication Methods of endorsers -- name: Remove Kubernetes Authentication Methods of {{ organization }} of endorsers - environment: - vault_token: "{{ vault.root_token }}" - shell: | - validateVaultResponse () { - if [ ${1} != 204 ]; then - echo "ERROR: Unable to retrieve. Http status: ${1}" - exit 1 - fi - } - auth_path="kubernetes-{{ organization }}-{{ serviceItem.name }}-auth" - response_status=$(curl -o /dev/null -s -w "%{http_code}\n" --header "X-Vault-Token: ${vault_token}" --request DELETE {{ vault.url }}/v1/sys/auth/${auth_path}) - validateVaultResponse ${response_status} - loop: "{{ services.endorsers }}" - loop_control: - loop_var: serviceItem - when: vault.root_token is defined and services.endorsers is defined +# Delete Organization policy and auth engine +- name: "Delete Organization {{ org_name }} policy and auth engine" + include_tasks: delete_policy_auth.yaml + when: vault.root_token is defined diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml new file mode 100644 index 00000000000..e48cdedcb61 --- /dev/null 
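Review bot: The rewritten role reads the caller's loop variable directly (`org.services.trustee`, `org.services.endorser`, `org.services.stewards`) instead of the `services` var that cleanup.yaml passes in, so it silently depends on the calling play naming its `loop_var` `org` and the `services` input goes unused in the task files shown; switch to `services.trustee` / `services.endorser` / `services.stewards`, or document `org` as a required input at the top of the file. `Delete steward keys` has the same defect as check_count.yaml: `loop: "{{ org.services.stewards }}"` is expanded before the per-item `when`, so an organization with no `stewards` key errors instead of being skipped, and `stewards | length > 0` measures the keys of the item mapping — use `loop: "{{ services.stewards | default([]) }}"` and `when: stewards.name is defined`. The three key-deletion includes run unconditionally while only the policy/auth include is gated on `vault.root_token is defined`, yet delete_node_keys.yaml exports `VAULT_TOKEN: "{{ vault.root_token }}"` too; apply the same guard to all four includes or move it into the task files.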
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/tasks/main.yaml
@@ -0,0 +1,24 @@
+# Ensure teh required dir exists
+- name: "Ensure {{ values_dir }}/{{ org_name }} dir exists"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory"
+ vars:
+ path: "{{ values_dir }}/{{ org_name }}"
+
+# Generate Indy vault policy and role for stewards
+- name: Stewards vault policy and role generating
+ template:
+ src: "{{ dlt_templates[component_type] }}"
+ dest: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml"
+
+############################################################################################
+# Test the value file for syntax errors/ missing values
+# This is done by calling the helm_lint role and passing the value file parameter
+# When a new helm_component is added, changes should be made in helm_lint role as well
+- name: Helm lint
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/helm_lint"
+ vars:
+ helmtemplate_type: "{{ component_type }}"
+ chart_path: "{{ charts_dir }}"
+ value_file: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml"
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl
new file mode 100644
index 00000000000..f0886271502
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_genesis.tpl
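Review bot: The second task's comment and name (`Generate Indy vault policy and role for stewards` / `Stewards vault policy and role generating`) describe neither this file nor this role: the task renders `dlt_templates[component_type]` into a HelmRelease values file, and the templates added alongside it are the genesis, key-management and steward releases, none of which is a Vault policy. Rename it to `- name: "Render {{ component_type }} HelmRelease values file"` with the comment `# Render the HelmRelease for the requested component_type into the org's values dir`. Also fix `teh` in the first comment.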
@@ -0,0 +1,53 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: "{{ component_name }}"
+ annotations:
+ fluxcd.io/automated: "false"
+ namespace: "{{ component_ns }}"
+spec:
+ releaseName: "{{ component_name }}"
+ interval: 1m
+ chart:
+ spec:
+ interval: 1m
+ chart: "{{ charts_dir }}/indy-genesis"
+ sourceRef:
+ kind: GitRepository
+ name: flux-{{ network.env.type }}
+ namespace: flux-{{ network.env.type }}
+ values:
+ global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: indy
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+ proxy:
+ provider: ambassador
+ image:
+ alpineutils: "{{ network.docker.url }}/bevel-alpine-ext:latest"
+ settings:
+ removeKeysOnDelete: true
+ secondaryGenesis: {{ secondaryGenesis }}
+{% if (not secondaryGenesis) and (trustee_name is defined) %}
+ trustees:
+ - name: "{{ trustee_name }}"
+{% if steward_list is defined %}
+ stewards:
+{% for steward in steward_list %}
+ - name: {{ steward.name }}
+ publicIp: {{ steward.publicIp }}
+ nodePort: {{ steward.nodePort }}
+ clientPort: {{ steward.clientPort }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl
new file mode 100644
index 00000000000..7d64eaf4b67
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/generate_keys.tpl
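Review bot: `alpineutils: "{{ network.docker.url }}/bevel-alpine-ext:latest"` binds the genesis job to a mutable tag, so what actually runs is whatever the registry serves at reconcile time and cannot be reproduced or audited afterwards; generate_keys.tpl in this same commit pins `bevel-indy-key-mgmt:1.12.6`, while the `initContainer` and `cli` images in stewards.tpl carry the same `:latest` problem. Pin to a version tag, or a digest, the way the key-management template does. Separately, the trustee block is gated on `trustee_name is defined`, but primary_genesis.yaml in this commit accumulates `trustee_list` and never sets `trustee_name`; if `trustee_name` only exists as a leftover `set_fact` from the generate-keys role, the genesis would pick up whichever org that role processed last, so it is worth confirming which variable is intended. The per-steward scalars (`- name: {{ steward.name }}`, `publicIp: {{ steward.publicIp }}`) are unquoted; quoting them stops the YAML loader retyping a name or address that happens to look like a number or boolean.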
@@ -0,0 +1,52 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: "{{ component_name }}"
+ annotations:
+ fluxcd.io/automated: "false"
+ namespace: "{{ component_ns }}"
+spec:
+ releaseName: "{{ component_name }}"
+ interval: 1m
+ chart:
+ spec:
+ interval: 1m
+ chart: "{{ charts_dir }}/indy-key-mgmt"
+ sourceRef:
+ kind: GitRepository
+ name: flux-{{ network.env.type }}
+ namespace: flux-{{ network.env.type }}
+ values:
+ global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: indy
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+ proxy:
+ provider: ambassador
+ image:
+ alpineutils: "{{ network.docker.url }}/bevel-indy-key-mgmt:1.12.6"
+ settings:
+ removeKeysOnDelete: true
+ identities:
+{% if trustee_name %}
+ trustee: "{{ trustee_name }}"
+{% endif %}
+{% if endorser_name %}
+ endorser: "{{ endorser_name }}"
+{% endif %}
+{% if steward_list %}
+ stewards:
+{% for steward in steward_list %}
+ - "{{ steward }}"
+{% endfor %}
+{% endif %}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl
new file mode 100644
index 00000000000..e3ac494f6f7
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/templates/stewards.tpl
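Review bot: `removeKeysOnDelete: true` is hard-coded, so uninstalling the key-management release removes the generated identity keys from Vault with no way to opt out from the network configuration; on a live ledger that is an unrecoverable action triggered by a routine `helm uninstall`, and nothing in the template says so. Either drive it from a network-yaml setting with `false` as the default, or at minimum add a header comment above the template stating that deleting this release purges the identity keys under `secretPrefix`. Also note the trustee/endorser/steward guards here use truthiness (`{% if trustee_name %}`) while generate_genesis.tpl uses `is defined`; both work given the `default('')` in generate-keys, but the sibling templates should agree on one style.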
@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: "{{ component_name }}"
+ annotations:
+ fluxcd.io/automated: "false"
+ namespace: "{{ component_ns }}"
+spec:
+ releaseName: "{{ component_name }}"
+ interval: 1m
+ chart:
+ spec:
+ interval: 1m
+ chart: "{{ charts_dir }}/indy-node"
+ sourceRef:
+ kind: GitRepository
+ name: flux-{{ network.env.type }}
+ namespace: flux-{{ network.env.type }}
+ values:
+ global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ proxy:
+ provider: ambassador
+ storage:
+ keys: "512Mi"
+ data: "4Gi"
+ reclaimPolicy: "Delete"
+ volumeBindingMode: Immediate
+ allowedTopologies:
+ enabled: false
+ image:
+ initContainer: "{{ network.docker.url }}/bevel-alpine-ext:latest"
+ cli: "{{ network.docker.url }}/bevel-indy-ledger-txn:latest"
+ indyNode:
+ repository: "{{ network.docker.url }}/bevel-indy-node"
+ tag: 1.12.6
+ settings:
+ network: bevel
+ serviceType: ClusterIP
+ node:
+ publicIp: {{ node_public_ip }}
+ port: {{ node_port }}
+ externalPort: {{ node_external_port }}
+ client:
+ publicIp: {{ client_public_ip }}
+ port: {{ client_port }}
+ externalPort: {{ client_external_port }}
diff --git a/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml
new file mode 100644
index 00000000000..80c755ef91e
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/helm_component/peer/vars/main.yaml
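Review bot: The templated node scalars at the bottom (`publicIp: {{ node_public_ip }}`, `port: {{ node_port }}`, `externalPort: {{ node_external_port }}` and the `client` equivalents) are unquoted, so an unset variable renders as `publicIp:` and loads as null, and a value that looks like a number or boolean is retyped by the YAML loader; every other templated value in this file is quoted. Quote at least the two address lines, `publicIp: "{{ node_public_ip }}"` and `publicIp: "{{ client_public_ip }}"`, which are the ones most likely to be non-numeric. `tag: 1.12.6` only survives as a string because it has two dots; `tag: "1.12.6"` makes that intentional. `reclaimPolicy: "Delete"` also means the ledger data volume goes with the PVC on uninstall, which deserves a one-line comment above `storage:` so nobody treats it as a safe default for a production node.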
@@ -0,0 +1,10 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+dlt_templates:
+ generate-keys: generate_keys.tpl
+ generate-genesis: generate_genesis.tpl
+ stewards: stewards.tpl
diff --git a/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
index 001241ccc72..19ecefdf744 100644
--- a/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
+++ b/platforms/hyperledger-indy/configuration/roles/create/namespace/tasks/main.yaml
@@ -35,5 +35,5 @@
 name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push"
 vars:
 GIT_DIR: "{{ playbook_dir }}/../../../"
- gitops: "{{ organizationItem.gitops }}"
+ gitops: "{{ org.gitops }}"
 msg: "[ci skip] Pushing deployment files for namespace"
diff --git a/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml
new file mode 100644
index 00000000000..cc31dd73c32
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/create/secrets/tasks/main.yaml
@@ -0,0 +1,32 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Wait for namespace to be created by flux
+- name: "Wait for the namespace {{ component_ns }} to be created"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component"
+ vars:
+ component_type: "Namespace"
+ component_name: "{{ component_ns }}"
+ type: "retry"
+
+# Create the vault roottoken secret
+- name: "Create vault token secret"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets"
+ vars:
+ namespace: "{{ component_ns }}"
+ check: "token_secret"
+
+# Create the docker pull credentials for image registry
+- name: "Create docker credentials secret"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets"
+ vars:
+ namespace: "{{ component_ns }}"
+ check: "docker_credentials"
+ when:
+ - network.docker.username is defined
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml
new file mode 100644
index 00000000000..f93e9a74075
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/endorser_keys.yaml
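Review bot: The comment `# Create the vault roottoken secret` says a Vault root token is being written as a Kubernetes Secret into each organisation namespace; a root token is unrestricted, so anything able to read Secrets in `{{ component_ns }}` would inherit full control of Vault, not just the `{{ org_name }}` paths the templates in this commit scope to. The shared_k8s_secrets role is outside this diff, so I cannot tell whether `check: "token_secret"` really copies the root token or a narrower one; either correct the comment, or, if it is the root token, say in the comment that a scoped token is expected for anything beyond a test network, e.g. `# Create the vault token secret (a token scoped to this org's policy, not the root token, for non-test networks)`.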
@@ -0,0 +1,41 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get endorser public identity secret
+- name: "Get endorser public identity secret"
+ k8s_info:
+ kind: Secret
+ name: "{{ endorser }}-identity-public"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: endorser_identity_public
+
+# Extract and save the endorser's DID to a JSON file
+- name: "Extract and save endorser DID to a JSON file"
+ copy:
+ content: "{{ endorser_identity_public.resources[0].data.value | b64decode | from_json | json_query('did') }}"
+ dest: "{{ files_dir }}/{{ endorser }}-did.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+ when: endorser_identity_public is defined and endorser_identity_public.resources[0].data.value is defined
+
+# Get endorser node public verification keys secret
+- name: "Get endorser node public verification keys secret"
+ k8s_info:
+ kind: Secret
+ name: "{{ endorser }}-node-public-verif-keys"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: endorser_node_public_verif_keys
+
+# Extract and save the endorser's verification key to a JSON file
+- name: "Extract and save the endorser's verification key to a JSON file"
+ copy:
+ content: "{{ endorser_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}"
+ dest: "{{ files_dir }}/{{ endorser }}-verkey.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-register-identity/files"
+ when: endorser_node_public_verif_keys is defined and endorser_node_public_verif_keys.resources[0].data.value is defined
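Review bot: `json_query('did')` returns the bare DID value, so the `-did.json` file written by the first `copy` task holds an unquoted string rather than a JSON document, and the same applies to `-verkey.json` here and to every file written by steward_keys.yaml and trustee_keys.yaml. Whether the indy-register-identity and indy-genesis charts read those files with a JSON parser is not visible in this diff; if they do, wrap the value, e.g. `content: "{{ ... | json_query('did') | to_json }}"`, and in either case add a comment above the task stating the expected file format. A missing secret is also silently skipped by the `when:` guards rather than failing, which leaves the chart's `files/` directory incomplete with no error at this step; the steward and trustee task files share that behaviour.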
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml
new file mode 100644
index 00000000000..fc0d4e0d4ab
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/endorser/tasks/main.yaml
@@ -0,0 +1,24 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get Endorser keys
+- name: "Get Endorser keys"
+ include_tasks: endorser_keys.yaml
+
+# Deploy endorser node
+- name: "Deploy endorser node"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component"
+ vars:
+ type: "indy_endorser"
+
+# Check if endorser job is completed
+- name: "Check if endorser job is completed"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+ vars:
+ component_type: Job
+ namespace: "{{ component_ns }}"
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml
deleted file mode 100644
index ab771d7c78f..00000000000
--- a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/main.yaml
+++ /dev/null
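Review bot: This role reads `endorser`, `component_ns` and `kubernetes.config_file` (via endorser_keys.yaml) but nothing here says where they come from, and the header holds only the licence banner. Add a purpose comment after the banner naming the expected inputs, e.g. `# Expects endorser (identity name), component_ns and kubernetes.config_file to be set by the calling play`. The final check passes `component_type: Job` and `namespace` but no `component_name`, so the helm_component check role presumably reads `component_name` from the caller's scope as well; that assumption belongs in the same comment.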
@@ -1,49 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -################################################################################################### -# This role creates the deployment files for endorsers and pushes them to repository -################################################################################################### - -# Wait for namespace creation for identities - - name: "Wait for namespace creation for identities" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Create image pull secrets - - name: "Create image pull secret for identities" - include_role: - name: create/imagepullsecret - -# Create Deployment files for new Identities - - name: "Create Deployment files" - include_tasks: nested_main.yaml - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - newIdentity: "{{ organizationItem.services.endorsers }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - org_vault_url: "{{ organizationItem.vault.url}}" - when: organizationItem is defined and organizationItem.services.endorsers is defined - -# Wait until identities are creating - - name: "Wait until identities are creating" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ organizationItem.name }}-{{ endorserItem.name }}-transaction" - loop: "{{ 
organizationItem.services.endorsers }}" - when: organizationItem is defined and organizationItem.services.endorsers is defined - loop_control: - loop_var: endorserItem diff --git a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml deleted file mode 100644 index fbc71bacc26..00000000000 --- a/platforms/hyperledger-indy/configuration/roles/setup/endorsers/tasks/nested_main.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This Selects the Admin Identity for an organization from Network yaml. -# If trustee is present the first trustee will be the admin -# If Steward is present the first steward will be the admin -# If both trustee and steward are not present in a particular organization, -# the first global admin will be the trustee for this organization. ---- -- name: Select Admin Identity for Organisation {{ component_name }} - shell: | - selectedAdmin="" - first_global_admin="" - admin_Org="" - global_Org="" - admin_url="" - global_url="" - global_type="" - admin_type="" - {% if network['organizations'] is defined %} - {% for organization in network['organizations'] %} - first_admin_in_org="" - {% if organization.services.trustees is defined %} - {% for trustee in organization.services.trustees %} - if [ -z "$first_admin_in_org" ] - then - if [ {{ organization.name }} == "{{ component_name }}" ] - then - first_admin_in_org="{{ trustee.name }}" - admin_Org="{{ organization.name }}" - admin_url="{{ organization.vault.url }}" - admin_type="trustees" - fi - fi - if [ -z "$first_global_admin" ] - then - first_global_admin="{{ trustee.name }}" - global_Org="{{ organization.name }}" - global_url="{{ organization.vault.url }}" - global_type="trustees" - fi - {% endfor %} - {% endif %} - {% if organization.services.stewards is defined %} - {% for steward in organization.services.stewards %} - if [ -z "$first_admin_in_org" ] - then - if [ {{ organization.name }} == "{{ component_name }}" ] - then - first_admin_in_org="{{ steward.name }}" - admin_Org="{{ organization.name }}" - admin_url="{{ organization.vault.url }}" - admin_type="stewards" - fi - fi - if [ -z "$first_global_admin" ] - then - 
first_global_admin="{{ steward.name }}" - global_Org="{{ organization.name }}" - global_url="{{ organization.vault.url }}" - global_type="stewards" - fi - {% endfor %} - {% endif %} - {% endfor %} - {% endif %} - - if [ ! -z "$first_admin_in_org" ] - then - selectedAdmin="${first_admin_in_org}" - adminUrl="${admin_url}" - adminOrg="${admin_Org}" - admin_type="${admin_type}" - else - selectedAdmin="${first_global_admin}" - adminUrl="${global_url}" - adminOrg="${global_Org}" - admin_type="${global_type}" - fi - rm -rf admin.yaml - echo "selectedAdmin: ${selectedAdmin}" >> admin.yaml - echo "adminUrl: ${adminUrl}" >> admin.yaml - echo "adminOrg: ${adminOrg}" >> admin.yaml - echo "type: ${admin_type}" >> admin.yaml - register: admin_file - -#---------------------------------------------------------------------------------------------- -- name: "Inserting file into Variable" - include_vars: - file: admin.yaml - name: admin_var - -#---------------------------------------------------------------------------------------------- -# Create Deployment files for new Identities -- name: "Calling Helm Release Development Role..." 
- include_role: - name: create/helm_component/ledger_txn - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - component_ns: "{{ organizationItem.name | lower }}-ns" - newIdentityName: "{{ newIdentityItem.name }}" - newIdentityRole: "ENDORSER" - adminIdentityName: "{{ admin_var.selectedAdmin }}" - admin_component_name: "{{ admin_var.adminOrg }}" - admin_org_vault_url: "{{ admin_var.adminUrl }}" - new_org_vault_url: "{{ organizationItem.vault.url}}" - new_component_name: "{{ component_name }}" - admin_type: "{{ admin_var.type }}" - identity_type: "endorsers" - loop: "{{ newIdentity }}" - loop_control: - loop_var: newIdentityItem - when: newIdentity is defined - -- name: "Delete file" - shell: | - rm admin.yaml -# --------------------------------------------------------------------- -# push the created deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing deployment files" diff --git a/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml new file mode 100644 index 00000000000..e5c9dc3a183 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/generate-keys/tasks/main.yaml 
@@ -0,0 +1,56 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Initialize variables for trustee, endorser, and stewards
+- name: "Initialize trustee, endorser and stewards variables"
+ set_fact:
+ trustee_name: "{{ org.services.trustee.name | default('') }}"
+ endorser_name: "{{ org.services.endorser.name | default('') }}"
+ steward_list: []
+
+# Add stewards to the steward list
+- name: "Add stewards to the steward list"
+ set_fact:
+ steward_list: "{{ steward_list + [stewards_item.name] }}"
+ loop: "{{ stewards }}"
+ loop_control:
+ loop_var: stewards_item
+ ignore_errors: true
+
+# Gather Kubernetes cluster information
+- name: Gather Kubernetes cluster information
+ community.kubernetes.k8s_cluster_info:
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: cluster_info
+
+# Set the Kubernetes server URL fact
+- name: Set kubernetes_server_url fact
+ set_fact:
+ kubernetes_server_url: "{{ cluster_info.connection.host }}"
+
+# Generate the HR file for the specified organization
+- name: "Generate HR file for {{ org_name }} organization"
+ include_role:
+ name: create/helm_component/peer
+ vars:
+ kubernetes_server: "{{ kubernetes_server_url }}"
+
+# Push the created deployment files to repository
+- name: "Push the created deployment files to repository"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push"
+ vars:
+ GIT_DIR: "{{ playbook_dir }}/../../../"
+ msg: "[ci skip] Pushing key management job files for {{ component_ns }}"
+ gitops: "{{ org.gitops }}"
+
+# Check if the job is completed
+- name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+ vars:
+ component_type: Job
+ namespace: "{{ component_ns }}"
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml
new file mode 100644
index 00000000000..b8030a3f871
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/main.yaml
@@ -0,0 +1,22 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Retrieve Trustee's keys if Trustee service is defined
+- name: "Retrieve Trustee's keys"
+ include_tasks: trustee_keys.yaml
+ when:
+ - org.services.trustee is defined
+ - org.services.trustee.name | length > 0
+
+# Retrieve Steward's keys for each steward in the list of stewards if stewards are defined
+- name: "Retrieve Steward's keys"
+ include_tasks: steward_keys.yaml
+ loop: "{{ org.services.stewards }}"
+ loop_control:
+ loop_var: steward
+ when:
+ - steward is defined
+ - steward | length > 0
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml
new file mode 100644
index 00000000000..a68683bb5d2
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/steward_keys.yaml
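Review bot: `ignore_errors: true` on the `Add stewards to the steward list` task hides every failure of that loop, not only an undefined `stewards`, so a malformed steward entry leaves `steward_list` partially built and the play carries on to render and push the HelmRelease as if nothing happened. Guard the loop instead and let real errors surface: `loop: "{{ stewards | default([]) }}"` with the `ignore_errors: true` line removed. primary_genesis_peers.yaml further down in this commit has the identical construct and needs the same change.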
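Review bot: `loop: "{{ org.services.stewards }}"` is evaluated before the per-item `when:`, so an organisation without a `stewards` key fails the `Retrieve Steward's keys` task with an undefined-attribute error instead of being skipped; the `steward is defined` test never gets a chance to run. Use `loop: "{{ org.services.stewards | default([]) }}"`, after which the `when:` list can shrink to `steward | length > 0`. The cleanup.yaml hunk at the top of this diff loops over `org.services.stewards` in the same way.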
@@ -0,0 +1,68 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get steward public identity secret
+- name: "Get steward public identity secret"
+ k8s_info:
+ kind: Secret
+ name: "{{ steward.name }}-identity-public"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: steward_identity_public
+
+# Extract and save steward DID to a JSON file
+- name: "Extract and save steward DID to a JSON file"
+ copy:
+ content: "{{ steward_identity_public.resources[0].data.value | b64decode | from_json | json_query('did') }}"
+ dest: "{{ files_dir }}/{{ steward.name }}-did.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: steward_identity_public is defined and steward_identity_public.resources[0].data.value is defined
+
+# Get steward node public verif keys
+- name: "Get steward node public verif keys"
+ k8s_info:
+ kind: Secret
+ name: "{{ steward.name }}-node-public-verif-keys"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: steward_node_public_verif_keys
+
+# Extract and save the steward's verification key to a JSON file
+- name: "Extract and save the steward's verification key to a JSON file"
+ copy:
+ content: "{{ steward_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}"
+ dest: "{{ files_dir }}/{{ steward.name }}-verkey.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: steward_node_public_verif_keys is defined and steward_node_public_verif_keys.resources[0].data.value is defined
+
+# Get steward's node public BLS keys
+- name: "Get steward's node public BLS keys"
+ k8s_info:
+ kind: Secret
+ name: "{{ steward.name }}-node-public-bls-keys"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: steward_node_public_bls_keys
+
+# Extract and save the steward's BLS POP to a JSON file
+- name: "Extract and save the steward's BLS POP to a JSON file"
+ copy:
+ content: "{{ steward_node_public_bls_keys.resources[0].data.value | b64decode | from_json | json_query('\"bls-key-pop\"') }}"
+ dest: "{{ files_dir }}/{{ steward.name }}-blspop.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: steward_node_public_bls_keys is defined and steward_node_public_bls_keys.resources[0].data.value is defined
+
+# Extract and save the steward's BLS public key to a JSON file
+- name: "Extract and save the steward's BLS public key to a JSON file"
+ copy:
+ content: "{{ steward_node_public_bls_keys.resources[0].data.value | b64decode | from_json | json_query('\"bls-public-key\"') }}"
+ dest: "{{ files_dir }}/{{ steward.name }}-blspub.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: steward_node_public_bls_keys is defined and steward_node_public_bls_keys.resources[0].data.value is defined
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml
new file mode 100644
index 00000000000..dbe0c679490
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis-node-keys/tasks/trustee_keys.yaml
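Review bot: `files_dir` is redeclared under `vars:` in all five tasks with the same literal path, so the five copies can drift apart and every future task in this file has to repeat it. Set it once at the top of the file, `- name: Set genesis files directory` / `set_fact:` / `files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"`, and drop the per-task `vars:`; trustee_keys.yaml repeats the same pattern. The DID, verification key, BLS public key and BLS proof-of-possession written here are public material, so placing them inside the chart tree is fine, but a header comment saying that only public values are extracted from these Secrets would save the next reader checking each `json_query`.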
@@ -0,0 +1,41 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Get trustee public identity secret
+- name: "Get trustee public identity secret"
+ k8s_info:
+ kind: Secret
+ name: "{{ org.services.trustee.name }}-identity-public"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: trustee_identity_public_secret
+
+# Extract and save trustee DID to a JSON file
+- name: "Extract and save trustee DID to a JSON file"
+ copy:
+ content: "{{ trustee_identity_public_secret.resources[0].data.value | b64decode | from_json | json_query('did') }}"
+ dest: "{{ files_dir }}/{{ org.services.trustee.name }}-did.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: trustee_identity_public_secret is defined and trustee_identity_public_secret.resources[0].data.value is defined
+
+# Get trustee node public verif keys
+- name: "Get trustee node public verif keys"
+ k8s_info:
+ kind: Secret
+ name: "{{ org.services.trustee.name }}-node-public-verif-keys"
+ namespace: "{{ component_ns }}"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ register: trustee_node_public_verif_keys
+
+# Extract and save the trustee's verification key to a JSON file
+- name: "Extract and save the trustee's verification key to a JSON file"
+ copy:
+ content: "{{ trustee_node_public_verif_keys.resources[0].data.value | b64decode | from_json | json_query('\"verification-key\"') }}"
+ dest: "{{ files_dir }}/{{ org.services.trustee.name }}-verkey.json"
+ vars:
+ files_dir: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files"
+ when: trustee_node_public_verif_keys is defined and trustee_node_public_verif_keys.resources[0].data.value is defined
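Review bot: The first task registers `trustee_identity_public_secret` while the second registers `trustee_node_public_verif_keys`, and the sibling files use `steward_identity_public` / `endorser_identity_public`; the stray `_secret` suffix breaks the naming pattern without adding meaning. Rename it to `register: trustee_identity_public` and update the two references in the `Extract and save trustee DID` task's `content:` and `when:` lines.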
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml
new file mode 100644
index 00000000000..f36a00cfc33
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/main.yaml
@@ -0,0 +1,14 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Primary genesis setup
+- name: "Primary genesis setup"
+ include_tasks: primary_genesis.yaml
+
+# Secondary genesis setup if there are multiple organizations
+- name: "Secondary genesis Setup"
+ include_tasks: secondary_genesis.yaml
+ when: network['organizations'] | length > 1
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml
new file mode 100644
index 00000000000..e92de1006d5
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis.yaml
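Review bot: The file carries only the licence banner, so a reader has to open both included files to learn what "primary" and "secondary" mean here. A purpose comment after the banner would do, e.g. `# Runs the genesis job for the first organisation in network.organizations, then, for every further organisation, a genesis that reuses the first organisation's dtg/ptg ConfigMaps`, which is what primary_genesis.yaml and secondary_genesis.yaml in this commit do. The two task names also differ in capitalisation (`setup` vs `Setup`).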
@@ -0,0 +1,66 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Initialize variable and list
+- name: "Initialize variable and list"
+ set_fact:
+ trustee_list: []
+ steward_list: []
+
+# Store Trustee, Endorser and Stewards info
+- name: "Store Trustee, Endorser and Stewards info"
+ include_tasks: primary_genesis_peers.yaml
+ vars:
+ org_name: "{{ org.name | lower }}"
+ stewards: "{{ org.services.stewards }}"
+ loop: "{{ network['organizations'] }}"
+ loop_control:
+ loop_var: org
+
+# Gather Kubernetes cluster information
+- name: Gather Kubernetes cluster information
+ community.kubernetes.k8s_cluster_info:
+ kubeconfig: "{{ network['organizations'][0].k8s.config_file }}"
+ register: cluster_info
+
+# Set the Kubernetes server URL fact
+- name: Set kubernetes_server_url fact
+ set_fact:
+ kubernetes_server_url: "{{ cluster_info.connection.host }}"
+
+# Install primary genesis
+- name: "Install primary genesis"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component"
+ vars:
+ type: "indy_genesis"
+ org: "{{ network['organizations'] | first }}"
+ org_name: "{{ org.name | lower }}"
+ stewards: "{{ org.services.stewards }}"
+ cloud_provider: "{{ org.cloud_provider | lower }}"
+ vault: "{{ org.vault }}"
+ kubernetes_server: "{{ kubernetes_server_url }}"
+ kubernetes: "{{ org.k8s }}"
+ component_type: "generate-genesis"
+ component_ns: "{{ org_name }}-ns"
+ component_name: "{{ org_name }}-genesis"
+ secondaryGenesis: false
+ values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build"
+ charts_dir: "{{ org.gitops.chart_source }}"
+
+# Check if primary genesis job is completed
+- name: "Check if primary genesis job is completed"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+ vars:
+ org: "{{ network['organizations'] | first }}"
+ org_name: "{{ org.name | lower }}"
+ component_name: "{{ org_name }}-genesis"
+ component_type: Job
+ org: "{{ network['organizations'] | first }}"
+ component_ns: "{{ org.name | lower }}-ns"
+ namespace: "{{ component_ns }}"
+ kubernetes: "{{ org.k8s }}"
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml
new file mode 100644
index 00000000000..849461468b3
--- /dev/null
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/primary_genesis_peers.yaml
@@ -0,0 +1,20 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+# Store trustee's name if it is not already set
+- name: "Store trustee's name"
+ set_fact:
+ trustee_list: "{{ trustee_list + [org.services.trustee.name] }}"
+ when: (org.services.trustee is defined) and (org.services.trustee.name | length > 0)
+
+# Add each steward's details (name, public IP, node port, client port) to the steward_list
+- name: "Maintain each steward's node info"
+ set_fact:
+ steward_list: "{{ steward_list + [{'name': stewards_item.name, 'publicIp': stewards_item.publicIp, 'nodePort': stewards_item.node.ambassador, 'clientPort': stewards_item.client.ambassador}] }}"
+ loop: "{{ stewards }}"
+ loop_control:
+ loop_var: stewards_item
+ ignore_errors: true
diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml
new file mode 100644
index 00000000000..e2820cea0a2
--- /dev/null
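Review bot: The `vars:` block of `Check if primary genesis job is completed` declares `org: "{{ network['organizations'] | first }}"` twice; duplicate mapping keys are invalid YAML, and Ansible's loader only warns and keeps the last one, so this works purely because both values happen to be identical. Delete the second `org:` line, and `component_ns` can then reuse `org_name` the way the install task does: `component_ns: "{{ org_name }}-ns"`. Separately, the `stewards: "{{ org.services.stewards }}"` var handed to primary_genesis_peers.yaml is undefined for an organisation without stewards, and the `ignore_errors` in that file is what currently hides the resulting failure.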
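Review bot: The comment `# Store trustee's name if it is not already set` does not match the task below it: the `when:` only checks that the organisation has a non-empty trustee name, and every organisation's trustee is appended to `trustee_list`; nothing tests whether it is already present. Either change the comment to `# Append this organisation's trustee name to trustee_list`, or make the condition match the comment with `and (org.services.trustee.name not in trustee_list)`. The `ignore_errors: true` on the steward loop is the same issue raised on generate-keys/tasks/main.yaml above and should get the same `loop: "{{ stewards | default([]) }}"` fix.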
+++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis.yaml 
@@ -0,0 +1,60 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Initialize variables for the first organization +- name: "Initialize variables for the first organization" + set_fact: + first_org_name: "{{ network.organizations[0].name | lower }}" + first_org_kubernetes: "{{ network.organizations[0].k8s }}" + +# Retrieve the ConfigMap for domain transactions genesis for the first organization +- name: "Get domain transactions genesis ConfigMap" + community.kubernetes.k8s_info: + api_version: v1 + kind: ConfigMap + name: dtg + namespace: "{{ first_org_name }}-ns" + kubeconfig: "{{ first_org_kubernetes.config_file }}" + register: dtg_configmap + +# Retrieve the ConfigMap for pool transactions genesis for the first organization +- name: "Get pool transactions genesis ConfigMap" + community.kubernetes.k8s_info: + api_version: v1 + kind: ConfigMap + name: ptg + namespace: "{{ first_org_name }}-ns" + kubeconfig: "{{ first_org_kubernetes.config_file }}" + register: ptg_configmap + +# Save the domain transactions genesis content to a file +- name: "Save domain transactions genesis to file" + copy: + content: "{{ dtg_configmap.resources[0].data.domain_transactions_genesis }}" + dest: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files/domain_transactions_genesis.json" + when: dtg_configmap.resources[0].data.domain_transactions_genesis is defined + +# Save the pool transactions genesis content to a file +- name: "Save pool transactions genesis to file" + copy: + content: "{{ ptg_configmap.resources[0].data.pool_transactions_genesis }}" + dest: "{{ playbook_dir }}/../../hyperledger-indy/charts/indy-genesis/files/pool_transactions_genesis.json" + when: ptg_configmap.resources[0].data.pool_transactions_genesis is defined + +# 
Generate secondary genesis HR files for the remaining organizations +- name: "Generate secondary genesis HR file for the remaining organization" + include_tasks: secondary_genesis_orgs.yaml + vars: + org_name: "{{ org.name | lower }}" + component_name: "{{ org_name }}-genesis" + component_ns: "{{ org_name }}-ns" + component_type: "generate-genesis" + cloud_provider: "{{ org.cloud_provider | lower }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + loop: "{{ network['organizations'][1:] }}" # Skip the first organization + loop_control: + loop_var: org diff --git a/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml new file mode 100644 index 00000000000..1e3d3a34b66 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/genesis/tasks/secondary_genesis_orgs.yaml 
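Review bot: The two `copy` tasks are skipped when the `dtg`/`ptg` ConfigMap is not found, but nothing fails in that case, so a `domain_transactions_genesis.json` or `pool_transactions_genesis.json` left in `charts/indy-genesis/files/` by an earlier run would be packaged for the remaining organizations as if it were current. Add a guard between the lookups and the copies, e.g. `- assert:` with `that:` `- dtg_configmap.resources | length > 0` and `- ptg_configmap.resources | length > 0`, with a `fail_msg` naming the missing ConfigMap. Separately, these tasks and the `k8s_cluster_info` call in secondary_genesis_orgs.yaml use the `community.kubernetes` collection, which is a deprecated redirect to `kubernetes.core`, while the job_component role changed in this same commit uses `kubernetes.core.helm`; `kubernetes.core.k8s_info` / `kubernetes.core.k8s_cluster_info` would keep one collection across the repo.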
@@ -0,0 +1,35 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Gather Kubernetes cluster information +- name: Gather cluster info + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server_url: "{{ cluster_info.connection.host }}" + +# Install the secondary genesis component for the specified organization +- name: "Install secondary genesis for the {{ org_name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" + vars: + type: "indy_genesis" + kubernetes_server: "{{ kubernetes_server_url }}" + secondaryGenesis: true + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" + +# Check if the secondary genesis job for the specified organization is completed +- name: "Check if secondary genesis job {{ org_name }} for is completed" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" + vars: + component_type: Job + namespace: "{{ component_ns }}" diff --git a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml index f7ef830772c..7d966e3a485 100644 --- a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml +++ b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/main.yaml 
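Review bot: The last task's name has the words out of order, `"Check if secondary genesis job {{ org_name }} for is completed"`; it should read `"Check if secondary genesis job for {{ org_name }} is completed"`. As a point of style, `kubernetes_server_url` is registered with `set_fact`, which makes it a host-level fact that survives past this include and every loop iteration, whereas its only consumer is the `include_role` directly below; passing `kubernetes_server: "{{ cluster_info.connection.host }}"` in that role's `vars:` would keep the value scoped and drop a task.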
@@ -4,45 +4,10 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -################################################################################################### -# This role creates the deployment files for stewards and pushes them to repository -################################################################################################### - -# Wait for namespace creation for identities - - name: "Wait for namespace creation for identities" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Create image pull secrets - - name: "Create image pull secret for identities" - include_role: - name: create/imagepullsecret - -# Create Deployment files for new Identities - - name: "Create Deployment files" - include_tasks: nested_main.yaml - vars: - component_type: "identity" - component_name: "{{ organizationItem.name }}" - indy_version: "indy-{{ network.version }}" - release_dir: "{{playbook_dir}}/../../../{{organizationItem.gitops.release_dir}}/{{ organizationItem.name | lower }}" - newIdentity: "{{ neworg.services.stewards }}" - org_vault_url: "{{ organizationItem.vault.url }}" - when: organizationItem is defined and organizationItem.services.stewards is defined - -# Wait until identities are creating - - name: "Wait until identities are creating" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ organizationItem.name }}-{{ stewardItem.name }}-transaction" - loop: "{{ neworg.services.stewards }}" - when: neworg is defined and neworg.services.stewards is defined - loop_control: - loop_var: stewardItem +# Deploy Steward nodes +- name: "Deploy Steward nodes" + include_tasks: nested.yaml + loop: "{{ 
org.services.stewards }}" + loop_control: + loop_var: steward + when: steward is defined and steward | length > 0 diff --git a/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml new file mode 100644 index 00000000000..b0a778572b4 --- /dev/null +++ b/platforms/hyperledger-indy/configuration/roles/setup/stewards/tasks/nested.yaml @@ -0,0 +1,38 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Deploy Steward's node +- name: "Deploy {{ steward.name }} node in the {{ org.name }} organization" + include_role: + name: create/helm_component/peer + vars: + node_public_ip: "{{ steward.publicIp }}" + node_port: "{{ steward.node.port | int }}" + node_external_port: "{{ steward.node.ambassador | int }}" + client_public_ip: "{{ steward.publicIp }}" + client_port: "{{ steward.client.port | int }}" + client_external_port: "{{ steward.client.ambassador | int }}" + component_name: "{{ steward.name | lower }}" + +# Push the created deployment files to repository +- name: "Push the created deployment files to repository" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" + vars: + GIT_DIR: "{{ playbook_dir }}/../../../" + msg: "[ci skip] Pushing key management job files for {{ component_ns }}" + gitops: "{{ org.gitops }}" + +# Check if Steward's node is running +- name: "Check if {{ steward.name }} node is running in the {{ org.name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" + vars: + component_type: Pod + component_name: "{{ steward.name | lower }}" + label_selectors: + - app = {{ component_name }} + namespace: "{{ component_ns }}" 
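Review bot: The `when: steward is defined and steward | length > 0` on "Deploy Steward nodes" is evaluated per loop item and therefore never protects the `loop:` expression itself; an organization without `services.stewards` — the authority and partner organizations in the network-indyv3.yaml sample changed in this same commit — makes `org.services.stewards` undefined and the task fails before `when` is consulted, unless the caller already guards this include (not visible here). Use `loop: "{{ org.services.stewards | default([]) }}"` and, if a per-item check is still wanted, `when: steward.name is defined`, since `steward | length` on a mapping only counts its keys.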
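Review bot: The git push in nested.yaml commits with `msg: "[ci skip] Pushing key management job files for {{ component_ns }}"`, which looks copied from the key-management role; what is pushed here is the steward node deployment file, so the history will misdescribe these commits. Use `msg: "[ci skip] Pushing deployment files for {{ steward.name }} in {{ component_ns }}"` or similar. Because the push runs inside the per-steward loop, each steward also produces its own commit; if that is intended it is worth saying so in the comment above the task.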
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml index acdf23a9647..891e610abfb 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-baf-network.yaml @@ -97,10 +97,6 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: university-trustee - genesis: true stewards: - steward: name: university-steward-1 @@ -154,18 +150,6 @@ network: port: 9720 targetPort: 9720 ambassador: 9720 # Port for ambassador service - endorsers: - - endorser: - name: university-endorser - full_name: Some Decentralized Identity Mobile Services Partner - avatar: http://university.com/avatar.png - # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} - # Eg. In this sample http://university-endorser.indy.blockchaincloudpoc.com:15033/ - # For minikube: http://>:15033 - server: - httpPort: 15033 - apiPort: 15034 - webhookPort: 15035 - organization: name: bank type: peer @@ -211,10 +195,6 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: bank-trustee - genesis: true stewards: - steward: name: bank-steward-1 @@ -229,8 +209,3 @@ network: port: 9712 targetPort: 9712 ambassador: 9712 # Port for ambassador service - endorsers: - - endorser: - name: bank-endorser - full_name: Some Decentralized Identity Mobile Services Provider - avatar: http://bank.com/avatar.png 
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml index d26e88b9bb4..40e6149037f 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indy-newnode-to-non-baf-network.yaml @@ -110,8 +110,3 @@ network: port: 9712 targetPort: 9712 ambassador: 9712 # Port for ambassador service - endorsers: - - endorser: - name: bank-endorser - full_name: Some Decentralized Identity Mobile Services Provider - avatar: http://bank.com/avatar.png diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml index 6f6b4cebbd4..ea7ada93189 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3-aries.yaml @@ -96,8 +96,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: @@ -150,6 +149,12 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 4 stewards and endorser services: + trustee: + name: university-trustee + genesis: true + server: + port: 8000 + ambassador: 15010 stewards: - steward: name: university-steward-1 @@ -203,8 +208,7 @@ network: port: 15742 targetPort: 15742 ambassador: 15742 # Port for ambassador service - endorsers: - - endorser: + endorser: name: university-endorser full_name: Faber university of the Demo. avatar: http://faber.com/avatar.png @@ -214,4 +218,4 @@ network: server: httpPort: 15033 apiPort: 15034 - webhookPort: 15035 + webhookPort: 15035 
diff --git a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml index ea514813973..cd33f02c6e3 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-indyv3.yaml 
@@ -5,33 +5,48 @@ ############################################################################################## --- -# yaml-language-server: $schema=../../../../platforms/network-schema.json -# This is a sample configuration file for hyperledger indy which can reused for a sample indy network of 9 nodes. -# It has 3 organizations: -# 1. organization "authority" with 1 trustee -# 2. organization "provider" with 1 trustee, 2 stewards and 1 endorser -# 3. organization "partner" with 1 trustee, 2 stewards and 1 endorser +############################################################################################## +# Network Configuration File for HyperLedger-Indy Distributed Ledger Technology (DLT) Platform + +## Overview +# This configuration file is intended for deploying a HyperLedger-Indy platform. +# The deployment must adhere to the following network rules: +# - Exactly 1 trustee is required per organization. +# - Up to 1 endorser is allowed per organization. +# - At least 4 stewards are required collectively across the entire Indy network. + +## Sample Configuration +# This sample configuration file demonstrates a HyperLedger-Indy network with four organizations: +# - Organization 1: Contains only the Trustee. +# - Organization 2: Contains one Trustee, two Stewards, and one Endorser. +# - Organization 3: Contains one Trustee, two Stewards, and one Endorser. +# - Organization 4: Contains one Trustee and one Endorser. + +## Customization +# We can customize this configuration to include any number of organizations. +# However, it is imperative to comply with the network rules mentioned in the Overview section. +############################################################################################## network: # Network level configuration specifies the attributes required for each organization # to join an existing network. 
type: indy - version: 1.12.1 # Supported versions 1.11.0 and 1.12.1 + version: 1.12.1 # Supported versions 1.11.0 and 1.12.1 #Environment section for Kubernetes setup env: - type: "dev" # tag for the environment. Important to run multiple flux on single cluster - proxy: ambassador # value has to be 'ambassador' as 'haproxy' has not been implemented for Indy - proxy_namespace: "ambassador" + type: "dev" # Environment tag, useful for running multiple instances on a single cluster + proxy: ambassador # Must be 'ambassador' as 'haproxy' is not implemented for Indy + proxy_namespace: "ambassador" # Namespace for the proxy # These ports are enabled per cluster, so if you have multiple clusters you do not need so many ports # This sample uses a single cluster, so we have to open 3 ports for each Node. These ports are again specified for each organization below - ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' - portRange: # For a range of ports + ambassadorPorts: # Any additional Ambassador ports can be given here, this is valid only if proxy='ambassador' + portRange: # Range of ports for Ambassador from: 15010 to: 15052 - loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' - retry_count: 20 # Retry count for the checks - external_dns: enabled # Should be enabled if using external-dns for automatic route configuration + loadBalancerSourceRanges: # (Optional) Default value is '0.0.0.0/0', this value can be changed to any other IP adres or list (comma-separated without spaces) of IP adresses, this is valid only if proxy='ambassador' + retry_count: 20 # Retry count for the checks + external_dns: enabled # Should be enabled if using external-dns for automatic route configuration # Docker registry details where images are stored. 
This will be used to create k8s secrets # Please ensure all required images are built and stored in this registry. @@ -41,15 +56,6 @@ network: username: "docker_username" password: "docker_password" - # It's used as the Indy network name (has impact e.g. on paths where the Indy nodes look for crypto files on their local filesystem) - name: bevel - - # Information about pool transaction genesis and domain transactions genesis - genesis: - state: absent # must be absent when network is created from scratch - pool: /path/to/pool_transactions_genesis # path where pool_transactions_genesis will be stored locally - domain: /path/to/domain_transactions_genesis # path where domain_transactions_genesis will be stored locally - # Allows specification of one or many organizations that will be connecting to a network. organizations: # Specification for the 1st organization. Each organization maps to a VPC and a separate k8s cluster @@ -57,7 +63,7 @@ network: name: authority type: peer external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. - cloud_provider: aws-baremetal # Values can be 'aws-baremetal', 'aws' or 'minikube' + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | aws: access_key: "aws_access_key" # AWS Access key @@ -69,6 +75,7 @@ network: publicIps: ["1.1.1.1", "2.2.2.2"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster azure: node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. k8s: @@ -98,8 +105,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: 
@@ -108,9 +114,9 @@ network: # Specification for the 2nd organization. Each organization maps to a VPC and a separate k8s cluster - organization: - name: provider + name: university type: peer - cloud_provider: aws + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. aws: @@ -123,6 +129,7 @@ network: publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster azure: node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. k8s: @@ -152,13 +159,15 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: provider-trustee + trustee: + name: university-trustee genesis: true + server: + port: 8001 + ambassador: 15011 stewards: - steward: - name: provider-steward-1 + name: university-steward-1 type: VALIDATOR genesis: true publicIp: 3.221.78.194 # IP address of current organization in current availability zone 
@@ -171,48 +180,48 @@ network: targetPort: 9712 ambassador: 9712 # Port for ambassador service - steward: - name: provider-steward-2 + name: university-steward-2 type: VALIDATOR genesis: true - publicIp: 3.221.78.194 # IP address of current organization in current availability zone + publicIp: 108.142.59.4 # 3.221.78.194 # IP address of current organization in current availability zone node: port: 9721 targetPort: 9721 - ambassador: 9721 # Port for ambassador service + ambassador: 9721 # Port for ambassador service client: port: 9722 targetPort: 9722 - ambassador: 9722 # Port for ambassador service - endorsers: - - endorser: - name: provider-endorser - full_name: Some Decentralized Identity Mobile Services Provider - avatar: http://provider.com/avatar.png + ambassador: 9722 # Port for ambassador service + endorser: + name: university-endorser + full_name: Some Decentralized Identity Mobile Services Partner + avatar: http://partner.com/avatar.png # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} - # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15023/ - # For minikube: http://>:15023 + # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15012/ + # For minikube: http://>:15012 server: - httpPort: 15023 - apiPort: 15024 - webhookPort: 15025 - - # Specification for the 3rd organization. Each organization maps to a VPC and a separate k8s cluster + httpPort: 15012 + apiPort: 15013 + webhookPort: 15014 + + # Specification for the 3nd organization. Each organization maps to a VPC and a separate k8s cluster - organization: - name: partner + name: provider type: peer - cloud_provider: aws + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. 
- + aws: access_key: "aws_access_key" # AWS Access key secret_key: "aws_secret_key" # AWS Secret key encryption_key: "encryption_key_id" # AWS encryption key. If present, it's used as the KMS key id for K8S storage class encryption. zone: "availability_zone" # AWS availability zone region: "region" # AWS region - - publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + + publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster azure: node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + # Kubernetes cluster deployment variables. The config file path has to be provided in case # the cluster has already been created. k8s: 
@@ -229,59 +238,125 @@ network: # Do not check-in git_access_token gitops: git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password - email: "git@email.com" # Email to use in git config - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) + git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files + branch: "develop" # Git branch where release is being made + release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment. 
+ chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo + git_repo: "github.com//bevel.git" # Gitops git repository URL for git push + username: "git_username" # Git Service user who has rights to check-in in all branches + password: "git_access_token" # Git Server user password + email: "git@email.com" # Email to use in git config + private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee, 2 stewards and endoorser services: - trustees: - - trustee: - name: partner-trustee + trustee: + name: provider-trustee genesis: true + server: + port: 8002 + ambassador: 15021 stewards: - steward: - name: partner-steward-1 + name: provider-steward-1 type: VALIDATOR genesis: true - publicIp: 3.221.78.194 # IP address of current organization in current availability zone + publicIp: 3.221.78.194 # IP address of the ambassador proxy node: port: 9731 targetPort: 9731 - ambassador: 9731 # Port for ambassador service + ambassador: 9721 # Port for ambassador service client: port: 9732 targetPort: 9732 - ambassador: 9732 # Port for ambassador service + ambassador: 9722 # Port for ambassador service - steward: - name: partner-steward-2 + name: provider-steward-2 type: VALIDATOR genesis: true - publicIp: 3.221.78.194 # IP address of current organization in current availability zone + publicIp: 3.221.78.194 # IP address of the ambassador proxy node: port: 9741 targetPort: 9741 - ambassador: 9741 # Port for ambassador service + ambassador: 9721 # Port for ambassador service client: port: 9742 targetPort: 9742 - ambassador: 9742 # Port for ambassador service - endorsers: - - endorser: + ambassador: 9722 # Port for ambassador service + endorser: + name: provider-endorser + full_name: Some Decentralized Identity Mobile Services Provider + avatar: 
http://provider.com/avatar.png + # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} + # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15022/ + # For minikube: http://>:15022 + server: + httpPort: 15022 + apiPort: 15023 + webhookPort: 15024 + + # Specification for the 4th organization. Each organization maps to a VPC and a separate k8s cluster + - organization: + name: partner + type: peer + cloud_provider: aws # Supported values: 'aws-baremetal' | 'aws' | 'azure' | 'gcp' | 'minikube' | + external_url_suffix: indy.blockchaincloudpoc.com # Provide the external dns suffix. Only used when Indy webserver/Clients are deployed. + + aws: + access_key: "aws_access_key" # AWS Access key + secret_key: "aws_secret_key" # AWS Secret key + encryption_key: "encryption_key_id" # AWS encryption key. If present, it's used as the KMS key id for K8S storage class encryption. + zone: "availability_zone" # AWS availability zone + region: "region" # AWS region + + publicIps: ["3.221.78.194"] # List of all public IP addresses of each availability zone from all organizations in the same k8s cluster + azure: + node_resource_group: "MC_myResourceGroup_myCluster_westeurope" + + # Kubernetes cluster deployment variables. The config file path has to be provided in case + # the cluster has already been created. + k8s: + config_file: "/path/to/cluster_config" + context: "kubernetes-admin@kubernetes" + + # Hashicorp Vault server address and root-token. Vault should be unsealed. + # Do not check-in root_token + vault: + url: "vault_addr" + root_token: "vault_root_token" + + # Git Repo details which will be used by GitOps/Flux. 
+ # Do not check-in git_access_token + gitops: + git_protocol: "https" # Option for git over https or ssh + git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files + branch: "develop" # Git branch where release is being made + release_dir: "platforms/hyperledger-indy/releases/dev" # Relative Path in the Git repo for flux sync per environment. + chart_source: "platforms/hyperledger-indy/charts" # Relative Path where the Helm charts are stored in Git repo + git_repo: "github.com//bevel.git" # Gitops git repository URL for git push + username: "git_username" # Git Service user who has rights to check-in in all branches + password: "git_access_token" # Git Server user password + email: "git@email.com" # Email to use in git config + private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) + + # Services maps to the pods that will be deployed on the k8s cluster + # This sample has trustee, 2 stewards and endoorser + services: + trustee: + name: partner-trustee + genesis: true + server: + port: 8004 + ambassador: 15031 + endorser: name: partner-endorser full_name: Some Decentralized Identity Mobile Services Partner avatar: http://partner.com/avatar.png # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} - # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15033/ - # For minikube: http://>:15033 + # Eg. In this sample http://partner-endorser.indy.blockchaincloudpoc.com:15032/ + # For minikube: http://>:15032 server: - httpPort: 15033 - apiPort: 15034 - webhookPort: 15035 + httpPort: 15032 + apiPort: 15033 + webhookPort: 15034 diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml index 24285b2ff32..fc4aedd0899 100644 
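Review bot: In the provider organization, `provider-steward-1` and `provider-steward-2` now both use `ambassador: 9721` for the node port and `ambassador: 9722` for the client port while sharing `publicIp: 3.221.78.194`, and those same two ambassador ports are also assigned to `university-steward-2` in the hunk at `@@ -171,48`; the file header says this sample runs on a single cluster where every node needs its own open ports, so two validators cannot be exposed behind the same IP:port. Restore distinct values, e.g. `ambassador: 9731` / `ambassador: 9732` and `ambassador: 9741` / `ambassador: 9742`, matching the `port:` values next to them. In the `@@ -171,48` hunk, `publicIp: 108.142.59.4 # 3.221.78.194 # IP address ...` leaves a second, commented-out address in a sample, and the university endorser keeps the partner organization's `avatar`/example URLs; the heading "3nd organization" should read "3rd".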
--- a/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-minikube-aries.yaml @@ -78,8 +78,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: @@ -175,8 +174,7 @@ network: port: 15742 targetPort: 15742 ambassador: 15742 - endorsers: - - endorser: + endorser: name: university-endorser full_name: Faber university of the Demo. avatar: http://faber.com/avatar.png diff --git a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml index 70ccc3ec684..efda66868fe 100644 --- a/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml +++ b/platforms/hyperledger-indy/configuration/samples/network-minikube.yaml @@ -75,8 +75,7 @@ network: # Services maps to the pods that will be deployed on the k8s cluster # This sample has trustee services: - trustees: - - trustee: + trustee: name: authority-trustee genesis: true server: @@ -146,8 +145,7 @@ network: port: 15722 targetPort: 15722 ambassador: 15722 - endorsers: - - endorser: + endorser: name: provider-endorser full_name: Some Decentralized Identity Mobile Services Provider avatar: http://provider.com/avatar.png @@ -222,15 +220,3 @@ network: port: 15742 targetPort: 15742 ambassador: 15742 - endorsers: - - endorser: - name: partner-endorser - full_name: Some Decentralized Identity Mobile Services Partner - avatar: http://partner.com/avatar.png - # public endpoint will be {{ endorser.name}}.{{ external_url_suffix}}:{{endorser.server.httpPort}} - # Eg. In this sample http://provider-endorser.indy.blockchaincloudpoc.com:15033/ - # For minikube: http://>:15033 - server: - httpPort: 15033 - apiPort: 15034 - webhookPort: 15035 
diff --git a/platforms/network-schema.json b/platforms/network-schema.json index 848014438a3..45d6670c50b 100755 --- a/platforms/network-schema.json +++ b/platforms/network-schema.json @@ -2433,8 +2433,7 @@ "indy_services": { "type": "object", "properties": { - "trustees": { - "type": "array", + "trustee": { "items": { "$ref": "#/definitions/indy_service_trustee" } @@ -2445,8 +2444,7 @@ "$ref": "#/definitions/indy_service_steward" } }, - "endorsers": { - "type": "array", + "endorser": { "items": { "$ref": "#/definitions/indy_service_endorser" } diff --git a/platforms/shared/configuration/delete-network.yaml b/platforms/shared/configuration/delete-network.yaml index 5d152ddd387..5ecbd6ad4a2 100644 --- a/platforms/shared/configuration/delete-network.yaml +++ b/platforms/shared/configuration/delete-network.yaml @@ -12,8 +12,6 @@ gather_facts: no no_log: "{{ no_ansible_log | default(false) }}" tasks: - # ---------------------------------------------------------------------- - # Uninstalling Flux for organisation - name: Delete Flux include_role: diff --git a/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml b/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml index aed786c8241..3be1a403b78 100644 --- a/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml +++ b/platforms/shared/configuration/roles/create/job_component/tasks/main.yaml 
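Review bot: Removing `"type": "array"` from `trustees`/`endorsers` but keeping `"items"` leaves the new `trustee` and `endorser` properties without any effective constraint, because `items` only applies to arrays; a trustee block with a misspelled or missing `name` now passes validation. Reference the definition directly on each new property, `"trustee": { "$ref": "#/definitions/indy_service_trustee" }` and `"endorser": { "$ref": "#/definitions/indy_service_endorser" }`, in place of the `items` wrapper in both hunks.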
@@ -25,8 +25,8 @@
 # Dependency update and test the value file for syntax errors/ missing values
 - name: Helm dependency update and lint
 shell: |
- helm dependency update "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
- helm lint -f "{{ values_dir }}/{{ component_name }}.yaml" "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
+ helm dependency update "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
+ helm lint -f "{{ values_dir }}/{{ component_name }}.yaml" "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
 - name: Check if helm release already exists in {{ component_ns }}
 kubernetes.core.helm_info:
@@ -40,7 +40,7 @@
 kubernetes.core.helm:
 release_name: "{{ component_name }}"
 release_namespace: "{{ component_ns }}"
- chart_ref: "{{playbook_dir}}/../../../{{charts_dir}}/{{charts[type]}}"
+ chart_ref: "{{ playbook_dir }}/../../../{{ charts_dir }}/{{ charts[type] }}"
 values_files:
 - "{{ values_dir }}/{{ component_name }}.yaml"
 force: true
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl b/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl
new file mode 100644
index 00000000000..d139fd07a55
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/indy_endorser.tpl
@@ -0,0 +1,8 @@
+image:
+ cli: ghcr.io/hyperledger/bevel-indy-ledger-txn:latest
+ pullSecret:
+network: bevel
+admin: {{ trustee }}
+newIdentity:
+ name: {{ endorser }}
+ role: ENDORSER
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl b/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl
new file mode 100644
index 00000000000..b287c74c623
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/indy_genesis.tpl
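Review bot: `admin: {{ trustee }}` and `name: {{ endorser }}` in the new indy_endorser.tpl are unquoted template expansions, so an empty or number/boolean-looking value renders as null, int or bool rather than the string the chart presumably expects; quote them as `admin: "{{ trustee }}"` and `name: "{{ endorser }}"`, matching how indy_genesis.tpl in the same commit writes `- name: "{{ trustee }}"`. `pullSecret:` with no value is YAML null, not an empty string — write `pullSecret: ""` if the chart treats it as a string. The `cli` image is pulled by a floating `:latest` tag; this job submits ledger transactions under the trustee identity, so pinning it to a release tag or digest would make what runs with those credentials reproducible. The whole template is within the hunk.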
@@ -0,0 +1,34 @@
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: indy
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+proxy:
+ provider: ambassador
+settings:
+ removeKeysOnDelete: true
+ secondaryGenesis: {{ secondaryGenesis }}
+{% if (not secondaryGenesis) and (trustee_list is defined) %}
+ trustees:
+{% for trustee in trustee_list %}
+ - name: "{{ trustee }}"
+{% endfor %}
+{% if steward_list is defined %}
+ stewards:
+{% for steward in steward_list %}
+ - name: "{{ steward.name }}"
+ publicIp: {{ steward.publicIp }}
+ nodePort: {{ steward.nodePort }}
+ clientPort: {{ steward.clientPort }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
index 77488d3b028..a6bdd050905 100644
--- a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
+++ b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
@@ -9,8 +9,12 @@ job_templates:
 secondary_genesis: secondary_genesis.tpl
 primary_init: primary_init.tpl
 secondary_init: secondary_init.tpl
+ indy_genesis: indy_genesis.tpl
+ indy_endorser: indy_endorser.tpl
 charts:
 primary_genesis: "{{ network.type }}-genesis"
 secondary_genesis: "{{ network.type }}-genesis"
 primary_init: corda-init
 secondary_init: corda-init
+ indy_genesis: indy-genesis
+ indy_endorser: indy-register-identity
diff --git a/platforms/shared/configuration/roles/git_push/tasks/main.yaml b/platforms/shared/configuration/roles/git_push/tasks/main.yaml
index 36fdda731b0..e9624b56178 100644
--- a/platforms/shared/configuration/roles/git_push/tasks/main.yaml
+++ b/platforms/shared/configuration/roles/git_push/tasks/main.yaml
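Review bot: `secondaryGenesis: {{ secondaryGenesis }}` in the new indy_genesis.tpl renders a Jinja boolean as `True`/`False`, which only YAML 1.1-style parsers read as a boolean; `secondaryGenesis: {{ secondaryGenesis | lower }}` yields canonical `true`/`false` for the chart regardless of parser. Likewise `publicIp: {{ steward.publicIp }}` is an unquoted string expansion and renders as null when the value is empty — quote it as `publicIp: "{{ steward.publicIp }}"`, as the neighbouring `name: "{{ steward.name }}"` already is; the port values can stay plain if the chart expects integers there. The whole template is within the hunk.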
@@ -28,9 +28,8 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- ignore_errors: yes
- tags:
- - notest
+ ignore_errors: true
+
 # Git push the new files, reset config files
 - name: "Execute git push for https"
@@ -47,9 +46,7 @@
 register: GIT_OUTPUT
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- ignore_errors: yes
- tags:
- - notest
+ ignore_errors: true
 # Display output of shell excution
 - name: "stdout for SSH gitpush"
@@ -58,8 +55,6 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- tags:
- - notest
 - name: "stderr for SSH gitpush"
 debug:
@@ -67,21 +62,15 @@
 when:
 - gitops.git_protocol is defined
 - gitops.git_protocol == "ssh"
- tags:
- - notest
 # Display output of shell excution
 - name: "stdout for gitpush"
 debug:
 msg: "{{ GIT_OUTPUT.stdout.split('\n') }}"
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- tags:
- - notest
 # Display error of shell task
 - name: "stderr for git_push"
 debug:
 msg: "{{ GIT_OUTPUT.stderr.split('\n') }}"
 when: gitops.git_protocol is not defined or gitops.git_protocol == "https"
- tags:
- - notest
diff --git a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
index d81b402eddb..a1f7669809b 100644
--- a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
+++ b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
@@ -67,3 +67,6 @@ charts:
 quorum-connector: quorum-cacti-connector
 external_chaincode: fabric-external-chaincode
 install_external_chaincode_job: fabric-external-chaincode-install
+ generate-keys: indy-key-mgmt
+ generate-genesis: indy-genesis
+ stewards: indy-node
diff --git a/platforms/shared/configuration/setup-k8s-environment.yaml b/platforms/shared/configuration/setup-k8s-environment.yaml
index d92faddc203..558b34de2ee 100644
--- a/platforms/shared/configuration/setup-k8s-environment.yaml
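Review bot: With the `notest` tags removed in all four git_push hunks, the two push tasks now execute in every run, yet the first and second hunks keep `ignore_errors: true`, so a rejected push or an authentication failure surfaces only in the later debug tasks and the play still reports success. If the intent is merely to tolerate a push with nothing new to commit, a `failed_when` on the registered result (e.g. `GIT_OUTPUT`) is narrower than `ignore_errors: true`; otherwise a short comment above `ignore_errors: true` stating why a failed push must not fail the play would help the next reader. The tasks these hunks belong to start above the hunks.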
+++ b/platforms/shared/configuration/setup-k8s-environment.yaml
@@ -30,7 +30,7 @@
 git_protocol: "{{ item.gitops.git_protocol | default('https') }}"
 git_url: "{{ item.gitops.git_url }}"
 git_key: "{{ item.gitops.private_key | default() }}"
- flux_version: "0.41.2"
+ flux_version: "2.3.0"
 with_items: "{{ network.organizations }}"
 when: network.env.type != 'operator'
diff --git a/run.sh b/run.sh
index fcf014bd3fd..ef19ba134e8 100644
--- a/run.sh
+++ b/run.sh
@@ -12,8 +12,8 @@ echo "Starting build process..."
 echo "Adding env variables..."
 export PATH=/root/bin:$PATH
-#Path to k8s config file
-KUBECONFIG=/home/bevel/build/config
+# Path to k8s config file
+export KUBECONFIG=/home/bevel/build/config
 echo "Validatin network yaml"
 ajv validate -s /home/bevel/platforms/network-schema.json -d /home/bevel/build/network.yaml