Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[quorum] integrate aws secrets manager #2623

Merged
merged 1 commit into from
Sep 25, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 124 additions & 0 deletions docs/source/concepts/integrate-aws-secrets-manager-with-eks.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
# `Integrating AWS Secrets Manager with an EKS Cluster`

This guide walks you through the steps needed to create IAM policies, trust policies, and roles to securely integrate AWS Secrets Manager with your EKS cluster. By following these steps, you will enable your EKS workloads to securely access secrets stored in AWS Secrets Manager using OpenID Connect (OIDC) authentication.

## Step 1: Create the `policy.json` File

The `policy.json` file defines the permissions required to interact with AWS Secrets Manager. The IAM policy allows specific actions on all secrets within a region under your account.

### `policy.json` content:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:UntagResource",
"secretsmanager:DescribeSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:CancelRotateSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:UpdateSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:StopReplicationToReplica",
"secretsmanager:ReplicateSecretToRegions",
"secretsmanager:RestoreSecret",
"secretsmanager:RotateSecret",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:RemoveRegionsFromReplication",
"secretsmanager:TagResource"
],
"Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:*"
}
]
}
```

### Notes:
- **Replace `<account-id>`**: Your actual AWS account ID.
- **Replace `<region>`**: AWS region where your secret is stored.


## Step 2: Create the Secrets Manager Policy

Now that you have the `policy.json` file, create the IAM policy using the AWS CLI.

### Command:

```bash
aws iam create-policy --policy-name BevelSecretsManagerAccessPolicy --policy-document file://<path-of-policy.json-file>
```

### Notes:
- **Replace `<path-of-policy.json-file>`**: Path to the `policy.json` file created in Step 1.
- This command creates an IAM policy named `BevelSecretsManagerAccessPolicy` with the specified permissions.


## Step 3: Create the `trust-policy.json` file

Creates a trust policy to allow role assumption through OpenID Connect (OIDC).

### `trust-policy.json` content:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/<OpenID-Connect-provider-URL>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<OpenID-Connect-provider-URL>:aud": "sts.amazonaws.com"
}
}
}
]
}
```

### Notes:
- **Replace `<account-id>`**: Use your AWS account ID.
- **Replace `<OpenID-Connect-provider-URL>`**:
- Insert your OpenID Connect provider URL without the `https://` prefix.
- For example, if your provider URL is `https://oidc.eks.eu-north-1.amazonaws.com/id/ABC1234567890`, you would use `oidc.eks.eu-north-1.amazonaws.com/id/ABC1234567890`.

## Step 4: Create an IAM Role

Once the trust policy is configured, create a IAM role that can assume this trust policy.

### Command:

```bash
aws iam create-role --role-name BevelEKSSecretsRole --assume-role-policy-document file://<path-to-trust-policy.json>
```

### Notes:
- **Replace `<path-to-trust-policy.json>`**: Path to the `trust-policy.json` file created in Step 3.
- **Role Name**: The role created is named `BevelEKSSecretsRole`.

This role now has the ability to assume the trust relationship defined by the OpenID Connect provider.


## Step 5: Attach the Secrets Manager Policy to the IAM Role

After creating the role, attach the previously created `BevelSecretsManagerAccessPolicy` to the role `BevelEKSSecretsRole`, granting it the necessary permissions to manage AWS Secrets.

### Command:

```bash
aws iam attach-role-policy --role-name BevelEKSSecretsRole --policy-arn arn:aws:iam::<account-id>:policy/BevelSecretsManagerAccessPolicy
```

### Notes:
- **Replace `<account-id>`**: Ensure you substitute `<account-id>` with your AWS account ID.
- The policy **`BevelSecretsManagerAccessPolicy`** is now attached to the role **`BevelEKSSecretsRole`**, allowing it to perform actions defined in the `policy.json` file.
---
77 changes: 63 additions & 14 deletions platforms/quorum/charts/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,25 +26,27 @@ global:
role: vault-role
```

## Usage
<hr style="border: 10px solid green;">

### Pre-requisites
## `Usage`

### Pre-requisites:

- Kubernetes Cluster (either Managed cloud option like EKS or local like minikube)
- Accessible and unsealed Hahsicorp Vault (if using Vault)
- Configured Ambassador AES (if using Ambassador as proxy)
- Update the dependencies
```
helm dependency update quorum-genesis
helm dependency update quorum-node
```
```
helm dependency update quorum-genesis
helm dependency update quorum-node
```

<hr style="border: 10px solid green;">

## `Without Proxy and Vault`

### 1. Install Genesis Node
```bash
# Install the genesis node
helm install genesis ./quorum-genesis --namespace supplychain-quo --create-namespace --values ./values/noproxy-and-novault/genesis.yaml
```

Expand All @@ -59,26 +61,68 @@ helm install validator-3 ./quorum-node --namespace supplychain-quo --values ./va

### 3. Deploy Member and Tessera Node Pair
```bash
# Deploy Quorum and Tessera node pair
helm install member-1 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/txnode.yaml
helm install member-0 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/txnode.yaml
```

### Setting Up Another Member in a Different Namespace

```bash
# Get the genesis and static nodes from existing member and and place them in the directory 'besu-genesis/files'
# Get the genesis and static nodes from existing member and place them in the directory 'besu-genesis/files'
cd ./quorum-genesis/files/
kubectl --namespace supplychain-quo get configmap quorum-peers -o jsonpath='{.data.static-nodes\.json}' > static-nodes.json
kubectl --namespace supplychain-quo get configmap quorum-genesis -o jsonpath='{.data.genesis\.json}' > genesis.json

# Install secondary genesis node
helm install genesis ./quorum-genesis --namespace carrier-quo --values ./values/noproxy-and-novault/genesis-sec.yaml
helm install genesis ./quorum-genesis --namespace carrier-quo --create-namespace --values ./values/noproxy-and-novault/genesis-sec.yaml

# Install secondary member node
helm install member-2 ./quorum-node --namespace carrier-quo --values ./values/noproxy-and-novault/txnode-sec.yaml
helm install member-1 ./quorum-node --namespace carrier-quo --values ./values/noproxy-and-novault/txnode-sec.yaml
```

<hr style="border: 10px solid green;">

## `Without Proxy and AWS-Secret-Manager`

### 1. Prerequisite:
- To securely integrate AWS Secrets Manager with an EKS Cluster, refer to the guide available [here.](../../../docs/source/concepts/integrate-aws-secrets-manager-with-eks.md)
- After completing all the steps mentioned in the guide, keep the IAM Role ARN handy. For example, it should look something like this: `arn:aws:iam::<account-id>:role/BevelEKSSecretsRole`

### 2. Install genesis node:
```bash
helm install genesis ./quorum-genesis --namespace supplychain-quo --create-namespace --values ./values/noproxy-and-novault/genesis.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerArn="<YOUR_AWS_SECRET_MANAGER_ROLE_ARN>",global.cluster.secretManagerRegion="<YOUR_AWS_REGION>"
```

### 3. Install validator nodes:
```bash
helm install validator-0 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/validator.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>"
helm install validator-1 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/validator.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>"
helm install validator-2 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/validator.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>"
helm install validator-3 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/validator.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>"
```

### 4. Install member node:
```bash
helm install member-0 ./quorum-node --namespace supplychain-quo --values ./values/noproxy-and-novault/txnode.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>",tessera.enabled=false
```

---
### 5. Setting Up Another Member in a Different Namespace

```bash
# 5.1. Get the genesis and static nodes from existing member and place them in the directory 'besu-genesis/files'
cd ./quorum-genesis/files/

kubectl --namespace supplychain-quo get configmap quorum-peers -o jsonpath='{.data.static-nodes\.json}' > static-nodes.json

kubectl --namespace supplychain-quo get configmap quorum-genesis -o jsonpath='{.data.genesis\.json}' > genesis.json

# 5.2. Install secondary genesis node
helm install genesis ./quorum-genesis --namespace carrier-quo --create-namespace --values ./values/noproxy-and-novault/genesis-sec.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerArn="<YOUR_AWS_SECRET_MANAGER_ROLE_ARN>"

# 5.3. Install secondary member node
helm install member-1 ./quorum-node --namespace carrier-quo --values ./values/noproxy-and-novault/txnode-sec.yaml --set global.cluster.cloudNativeServices=true,global.cluster.secretManagerRegion="<YOUR_AWS_REGION>",tessera.enabled=false
```

<hr style="border: 10px solid green;">

## `With Ambassador Proxy and Vault`

Expand Down Expand Up @@ -127,12 +171,14 @@ kubectl create namespace carrier-quo
kubectl -n carrier-quo create secret generic roottoken --from-literal=token=<VAULT_ROOT_TOKEN>

# Install secondary genesis node
helm install genesis ./quorum-genesis --namespace carrier-quo --values ./values/proxy-and-vault/genesis-sec.yaml
helm install genesis ./quorum-genesis --namespace carrier-quo --create-namespace --values ./values/proxy-and-vault/genesis-sec.yaml

# Install secondary member node
helm install member-0 ./quorum-node --namespace carrier-quo --values ./values/proxy-and-vault/txnode-sec.yaml --set global.proxy.p2p=15016
```

<hr style="border: 10px solid green;">

## `API call`

Once your services are deployed, they can be accessed using the domain name provided in your `global.proxy.externalUrlSuffix`.
Expand Down Expand Up @@ -171,6 +217,8 @@ Once your services are deployed, they can be accessed using the domain name prov

This confirms that your node is syncing as expected.

<hr style="border: 10px solid green;">

## `Managing IBFT Validators Deployment`

To deploy the proposed validator chart for IBFT, you first need to set up the Quorum DLT network. Below are the steps you can follow:
Expand Down Expand Up @@ -203,6 +251,7 @@ To deploy the proposed validator chart for IBFT, you first need to set up the Qu

Replace `<SOURCE-HOST>` with the appropriate host address.

<hr style="border: 10px solid green;">

## `Clean-up`

Expand Down
Loading
Loading