feat(fabric): move hashicorp vault functions to a single script
This commit decouples the vault related functionality from individual helm charts by utilizing the bevel-vault.sh script.

Changes made:

 • Removed vault-related code from individual Fabric Helm charts.
 • Updated all Helm charts to utilize the shared bevel-vault.sh script.
 • Deleted the vault_kubernetes_job.tpl template file from the Fabric platform, as this feature has already been moved to the shared platform.
 • Deleted the verify_chaincode Helm chart from Fabric platform as it is not in use and also there is no .tpl template file for the same Helm chart.

These changes will improve code maintainability and efficiency by reducing code duplication and making it easier to maintain consistency.

fixes #2323

Signed-off-by: saurabhkumarkardam <[email protected]>
saurabhkumarkardam authored and suvajit-sarkar committed Aug 16, 2023
1 parent be2ea3b commit 0113fb8
Showing 41 changed files with 631 additions and 1,558 deletions.
Expand Up @@ -46,6 +46,9 @@ spec:
- name: anchorpeer-artifacts
configMap:
name: anchorpeer-{{ $.Values.channel.name }}-{{ $.Values.peer.name }}-artifacts
- name: scripts-volume
configMap:
name: bevel-vault-script
initContainers:
- name: certificates-init
image: {{ $.Values.metadata.images.alpineutils }}
Expand All @@ -63,66 +66,35 @@ spec:
value: "{{ $.Values.vault.orderersecretprefix }}"
- name: MOUNT_PATH
value: /secret
- name: VAULT_TYPE
value: "{{ $.Values.vault.type }}"
command: ["sh", "-c"]
args:
- |-
#!/usr/bin/env sh
validateVaultResponse () {
if echo ${2} | grep "errors" || [ "${2}" = "" ]; then
echo "ERROR: unable to retrieve ${1}: ${2}"
exit 1
fi
if [ "$3" == "LOOKUPSECRETRESPONSE" ]
then
http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key})
curl_response=$?
if test "$http_code" != "200" ; then
echo "Http response code from Vault - $http_code"
if test "$curl_response" != "0"; then
echo "Error: curl command failed with error code - $curl_response"
exit 1
fi
fi
fi
}
source /scripts/bevel-vault.sh
KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
# Login to Vault and so I can get an approle token
VAULT_CLIENT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login \
-H "Content-Type: application/json" \
-d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
jq -r 'if .errors then . else .auth.client_token end')
validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
# Calling a function to retrieve the vault token.
vaultBevelFunc "init"
vault_secret_key="${VAULT_ORDERER_SECRET_PREFIX}/tls"
echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key"
echo "Getting Orderer TLS certificates from Vault."
vaultBevelFunc "readJson" "${VAULT_ORDERER_SECRET_PREFIX}/tls"
TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]')
OUTPUT_PATH="${MOUNT_PATH}/orderer/tls"
LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" ${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]')
mkdir -p ${OUTPUT_PATH}
echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt
vault_secret_key="${VAULT_PEER_SECRET_PREFIX}/msp"
echo "Getting MSP certificates from Vault using key $vault_secret_key"
echo "Getting MSP certificates from Vault."
vaultBevelFunc "readJson" "${VAULT_PEER_SECRET_PREFIX}/msp"
OUTPUT_PATH="${MOUNT_PATH}/admin/msp"
LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" ${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]')
CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]')
KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]')
SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]')
TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]')
ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]')
CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]')
KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]')
SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]')
TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]')
OUTPUT_PATH="${MOUNT_PATH}/admin/msp"
mkdir -p ${OUTPUT_PATH}/admincerts
mkdir -p ${OUTPUT_PATH}/cacerts
mkdir -p ${OUTPUT_PATH}/keystore
Expand All @@ -141,7 +113,10 @@ spec:
readOnly: true
{{ end }}
- name: certificates
mountPath: /secret
mountPath: /secret
- name: scripts-volume
mountPath: /scripts/bevel-vault.sh
subPath: bevel-vault.sh
containers:
- name: anchorpeer
image: {{ $.Values.metadata.images.fabrictools }}
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,9 @@ spec:
defaultMode: 420
name: {{ .Release.Name }}-collections-config
{{ end }}
- name: scripts-volume
configMap:
name: bevel-vault-script
initContainers:
- name: certificates-init
image: {{ $.Values.metadata.images.alpineutils }}
Expand All @@ -67,70 +70,35 @@ spec:
value: "{{ $.Values.vault.orderersecretprefix }}"
- name: MOUNT_PATH
value: /secret
- name: VAULT_TYPE
value: "{{ $.Values.vault.type }}"
command: ["sh", "-c"]
args:
- |-
#!/usr/bin/env sh
validateVaultResponse () {
if echo ${2} | grep "errors" || [ "${2}" = "" ]; then
echo "ERROR: unable to retrieve ${1}: ${2}"
exit 1
fi
if [ "$3" == "LOOKUPSECRETRESPONSE" ]
then
http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key})
curl_response=$?
if test "$http_code" != "200" ; then
echo "Http response code from Vault - $http_code"
if test "$curl_response" != "0"; then
echo "Error: curl command failed with error code - $curl_response"
exit 1
fi
fi
fi
}
KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
# Login to Vault and so I can get an approle token
VAULT_CLIENT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login \
-H "Content-Type: application/json" \
-d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
jq -r 'if .errors then . else .auth.client_token end')
validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
source /scripts/bevel-vault.sh
vault_secret_key="${VAULT_ORDERER_SECRET_PREFIX}/tls"
echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key"
OUTPUT_PATH="${MOUNT_PATH}/orderer/tls"
LOOKUP_SECRET_RESPONSE=$(curl -sS \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
# Calling a function to retrieve the vault token.
vaultBevelFunc "init"
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
TLS_CA_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["ca.crt"]')
echo "Getting Orderer TLS certificates from Vault."
vaultBevelFunc "readJson" "${VAULT_ORDERER_SECRET_PREFIX}/tls"
TLS_CA_CERT=$(echo ${VAULT_SECRET} | jq -r '.["ca.crt"]')
OUTPUT_PATH="${MOUNT_PATH}/orderer/tls"
mkdir -p ${OUTPUT_PATH}
echo "${TLS_CA_CERT}" >> ${OUTPUT_PATH}/ca.crt
vault_secret_key="${VAULT_PEER_SECRET_PREFIX}/msp"
echo "Getting MSP certificates from Vault using key $vault_secret_key"
OUTPUT_PATH="${MOUNT_PATH}/admin/msp"
LOOKUP_SECRET_RESPONSE=$(curl -sS \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
echo "Getting MSP certificates from Vault."
vaultBevelFunc "readJson" "${VAULT_PEER_SECRET_PREFIX}/msp"
ADMINCERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["admincerts"]')
CACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["cacerts"]')
KEYSTORE=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["keystore"]')
SIGNCERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["signcerts"]')
TLSCACERTS=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data.data["tlscacerts"]')
ADMINCERT=$(echo ${VAULT_SECRET} | jq -r '.["admincerts"]')
CACERTS=$(echo ${VAULT_SECRET} | jq -r '.["cacerts"]')
KEYSTORE=$(echo ${VAULT_SECRET} | jq -r '.["keystore"]')
SIGNCERTS=$(echo ${VAULT_SECRET} | jq -r '.["signcerts"]')
TLSCACERTS=$(echo ${VAULT_SECRET} | jq -r '.["tlscacerts"]')
OUTPUT_PATH="${MOUNT_PATH}/admin/msp" # /secret/admin/msp
mkdir -p ${OUTPUT_PATH}/admincerts
mkdir -p ${OUTPUT_PATH}/cacerts
mkdir -p ${OUTPUT_PATH}/keystore
Expand All @@ -150,6 +118,9 @@ spec:
{{ end }}
- name: certificates
mountPath: /secret
- name: scripts-volume
mountPath: /scripts/bevel-vault.sh
subPath: bevel-vault.sh
containers:
- name: approvechaincode
image: {{ $.Values.metadata.images.fabrictools }}
78 changes: 27 additions & 51 deletions platforms/hyperledger-fabric/charts/ca/templates/deployment.yaml
Expand Up @@ -64,11 +64,14 @@ spec:
{{ if .Values.vault.tls }}
- name: vaultca
secret:
secretName: {{ $.Values.vault.tls }}
secretName: "{{ .Values.vault.tls }}"
items:
- key: ca.crt.pem
path: ca-certificates.crt
{{ end }}
{{- end }}
- name: scripts-volume
configMap:
name: bevel-vault-script
initContainers:
- name: ca-certs-init
image: {{ $.Values.metadata.images.alpineutils }}
Expand All @@ -82,73 +85,43 @@ spec:
value: {{ $.Values.vault.role }}
- name: MOUNT_PATH
value: /secret
- name: VAULT_TYPE
value: "{{ $.Values.vault.type }}"
command: ["sh", "-c"]
args:
- |-
#!/usr/bin/env sh
validateVaultResponse () {
if echo ${2} | grep "errors" || [ "${2}" = "" ]; then
echo "ERROR: unable to retrieve ${1}: ${2}"
exit 1
fi
if [ "$3" == "LOOKUPSECRETRESPONSE" ]
then
http_code=$(curl -fsS -o /dev/null -w "%{http_code}" \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key})
curl_response=$?
if test "$http_code" != "200" ; then
echo "Http response code from Vault - $http_code"
if test "$curl_response" != "0"; then
echo "Error: curl command failed with error code - $curl_response"
exit 1
fi
fi
fi
}
KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
# Login to Vault and so I can get an approle token
VAULT_CLIENT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login \
-H "Content-Type: application/json" \
-d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
jq -r 'if .errors then . else .auth.client_token end')
validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
source /scripts/bevel-vault.sh
# Calling a function to retrieve the vault token.
vaultBevelFunc "init"
SECRET_CERT={{ $.Values.vault.secretcert }}
vault_secret_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $1}')
vault_data_key=$(echo ${SECRET_CERT} |awk -F "?" '{print $2}')
LOOKUP_SECRET_RESPONSE=$(curl -sS \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key} | \
jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
VALUE_OF_SECRET=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r ".data.data[\"${vault_data_key}\"]")
# Calling a function to retrieve secrets from Vault only if they exist.
vaultBevelFunc "readJson" "${vault_secret_key}"
VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]")
echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/server.crt
SECRET_KEY={{ $.Values.vault.secretkey }}
vault_secret_key=$(echo ${SECRET_KEY} |awk -F "?" '{print $1}')
vault_data_key=$(echo ${SECRET_KEY} |awk -F "?" '{print $2}')
LOOKUP_SECRET_RESPONSE=$(curl -sS \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key} | \
jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
VALUE_OF_SECRET=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r ".data.data[\"${vault_data_key}\"]")
echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/server.key
# Calling a function to retrieve secrets from Vault only if they exist.
vaultBevelFunc "readJson" "${vault_secret_key}"
VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]")
echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/server.key
SECRET_ADMIN_PASS={{ $.Values.vault.secretadminpass }}
vault_secret_key=$(echo ${SECRET_ADMIN_PASS} |awk -F "?" '{print $1}')
vault_data_key=$(echo ${SECRET_ADMIN_PASS} |awk -F "?" '{print $2}')
LOOKUP_SECRET_RESPONSE=$(curl -sS \
--header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
VALUE_OF_SECRET=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r ".data.data[\"${vault_data_key}\"]")
echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/user_cred
# Calling a function to retrieve secrets from Vault only if they exist.
vaultBevelFunc "readJson" "${vault_secret_key}"
VALUE_OF_SECRET=$(echo ${VAULT_SECRET} | jq -r ".[\"${vault_data_key}\"]")
echo "${VALUE_OF_SECRET}" >> ${MOUNT_PATH}/user_cred
volumeMounts:
- name: certificates
mountPath: /secret
Expand All @@ -157,6 +130,9 @@ spec:
mountPath: "/etc/ssl/certs/"
readOnly: true
{{ end }}
- name: scripts-volume
mountPath: /scripts/bevel-vault.sh
subPath: bevel-vault.sh
containers:
- name: ca
image: {{ $.Values.metadata.images.ca }}
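Review bot: The per-secret validation in the ca-certs-init script was dropped without a visible replacement: after each `vaultBevelFunc "readJson" "${vault_secret_key}"` the value is pulled out with `jq -r` and appended straight to server.crt, server.key and user_cred, whereas the removed `validateVaultResponse ... "LOOKUPSECRETRESPONSE"` calls failed the init container on an empty or error response. Whether bevel-vault.sh itself aborts on a missing path cannot be seen from this page; if it only returns, `jq -r` yields an empty string or the literal `null`, and the CA container then starts with a bogus key file instead of a failed init. A one-line guard after each extraction would restore the fail-closed behaviour, e.g. `[ -n "${VALUE_OF_SECRET}" ] && [ "${VALUE_OF_SECRET}" != "null" ] || { echo "ERROR: ${vault_data_key} not found in ${vault_secret_key}"; exit 1; }`. The same gap applies to the `TLS_CA_CERT`, `ADMINCERT`, `CACERTS`, `KEYSTORE`, `SIGNCERTS` and `TLSCACERTS` extractions from `${VAULT_SECRET}` in the anchorpeer and approvechaincode templates above.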