From b66e82f408f12847d96d918af57b9219fbd37ee5 Mon Sep 17 00:00:00 2001 
From: mgCepeda
Date: Tue, 22 Aug 2023 12:22:33 +0000
Subject: [PATCH] [fabric] Added creation of Vault auths through cluster_id.
Primary Changes
--------------
1. Added creation of Vaulh auths through cluster_id.
2. Fixed errors related to storage class for the add orderer operation
Modifications in roles and tpl files
-----------------------
platforms/hyperledger-fabric/configuration/add-orderer.yaml
platforms/hyperledger-fabric/configuration/deploy-network.yaml
platforms/hyperledger-fabric/configuration/roles/create/anchorpeer/tasks/nested_anchorpeer.yaml
platforms/hyperledger-fabric/configuration/roles/create/ca_tools/orderer/tasks/main.yaml
platforms/hyperledger-fabric/configuration/roles/create/channels/tasks/valuefile.yaml
platforms/hyperledger-fabric/configuration/roles/create/channels_join/tasks/nested_channel_join.yaml
platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_appchannel_block/tasks/nested_create_cli.yaml
platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_syschannel_block/tasks/nested_create_cli.yaml
platforms/hyperledger-fabric/configuration/roles/delete/vault_secrets/tasks/main.yaml
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/anchorpeer_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-orderer.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-peer.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cacerts_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cli.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/commit_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/create_channel_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/instantiate_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/invoke_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/join_channel_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/orderernode.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/upgrade_chaincode_job.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/value_peer.tpl
platforms/hyperledger-fabric/configuration/roles/helm_component/templates/vault_kubernetes_job.tpl
platforms/hyperledger-fabric/configuration/roles/k8_component/templates/existing_peer_cli.tpl
platforms/hyperledger-fabric/configuration/roles/k8_component/templates/orderer_cli.tpl
platforms/network-schema.json
platforms/shared/charts/vault-k8s-mgmt/templates/job.yaml
Signed-off-by: mgCepeda
---
 .../configuration/add-orderer.yaml | 1 +
 .../configuration/deploy-network.yaml | 21 +++++++++++++++++++
 .../anchorpeer/tasks/nested_anchorpeer.yaml | 1 +
 .../create/ca_tools/orderer/tasks/main.yaml | 2 +-
 .../create/channels/tasks/valuefile.yaml | 1 +
 .../tasks/nested_channel_join.yaml | 1 +
 .../tasks/nested_create_cli.yaml | 2 +-
 .../tasks/nested_create_cli.yaml | 2 +-
 .../delete/vault_secrets/tasks/main.yaml | 10 +++++++++
 .../templates/anchorpeer_job.tpl | 4 ++++
 .../templates/approve_chaincode_job.tpl | 4 ++++
 .../helm_component/templates/ca-orderer.tpl | 4 ++++
 .../helm_component/templates/ca-peer.tpl | 4 ++++
 .../helm_component/templates/ca-tools.tpl | 4 ++++
 .../helm_component/templates/cacerts_job.tpl | 4 ++++
 .../roles/helm_component/templates/cli.tpl | 4 ++++
 .../templates/commit_chaincode_job.tpl | 4 ++++
 .../templates/create_channel_job.tpl | 4 ++++
 .../templates/install_chaincode_job.tpl | 4 ++++
 .../install_external_chaincode_job.tpl | 4 ++++
 .../templates/instantiate_chaincode_job.tpl | 4 ++++
 .../templates/invoke_chaincode_job.tpl | 4 ++++
 .../templates/join_channel_job.tpl | 4 ++++
 .../helm_component/templates/orderernode.tpl | 4 ++++
 .../templates/upgrade_chaincode_job.tpl | 4 ++++
 .../helm_component/templates/value_peer.tpl | 4 ++++
 .../templates/existing_peer_cli.tpl | 4 ++++
 .../k8_component/templates/orderer_cli.tpl | 4 ++++
 platforms/network-schema.json | 1 +
 .../charts/vault-k8s-mgmt/templates/job.yaml | 2 ++
 30 files changed, 117 insertions(+), 3 deletions(-)
diff --git a/platforms/hyperledger-fabric/configuration/add-orderer.yaml b/platforms/hyperledger-fabric/configuration/add-orderer.yaml
index 9d7f7764b31..a948eddebb4 100644
--- a/platforms/hyperledger-fabric/configuration/add-orderer.yaml
+++ b/platforms/hyperledger-fabric/configuration/add-orderer.yaml
@@ -33,6 +33,7 @@
 component: "{{ item.name | lower}}"
 component_type: "{{ item.type | lower}}"
 component_services: "{{ item.services }}"
+ sc_name: "{{ component }}-{{ item.cloud_provider | lower }}-storageclass"
 kubernetes: "{{ item.k8s }}"
 vault: "{{ item.vault }}"
 ca: "{{ item.services.ca }}"
diff --git a/platforms/hyperledger-fabric/configuration/deploy-network.yaml b/platforms/hyperledger-fabric/configuration/deploy-network.yaml
index b4c5e5f293c..620604ba5c0 100644
--- a/platforms/hyperledger-fabric/configuration/deploy-network.yaml
+++ b/platforms/hyperledger-fabric/configuration/deploy-network.yaml
@@ -64,6 +64,27 @@
 loop: "{{ network['organizations'] }}"
 loop_control:
 loop_var: org
+ when: org.k8s.cluster_id is not defined
+
+ #Setup Vault-Kubernetes accesses and Regcred for docker registry
+ - name: Setup Vault Kubernetes for each organization
+ include_role:
+ name: "{{playbook_dir}}/../../shared/configuration/roles/setup/vault_kubernetes"
+ vars:
+ name: "{{ org.name | lower }}"
+ component_name: "{{ org.name | lower }}-vaultk8s-job"
+ component_type: "{{ org.type | lower }}"
+ component_ns: "{{ org.name | lower }}-net"
+ component_auth: "{{ org.k8s.cluster_id }}{{ component_ns }}-auth"
+ kubernetes: "{{ org.k8s }}"
+ vault: "{{ org.vault }}"
+ policy_type: "fabric"
+ gitops: "{{ org.gitops }}"
+ reset_path: "platforms/hyperledger-fabric/configuration"
+ loop: "{{ network['organizations'] }}"
+ loop_control:
+ loop_var: org
+ when: org.k8s.cluster_id is defined
 # Create Storageclass
 - name: Create storageclass for each organization
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/anchorpeer/tasks/nested_anchorpeer.yaml b/platforms/hyperledger-fabric/configuration/roles/create/anchorpeer/tasks/nested_anchorpeer.yaml
index 6d7a3097e86..3f93919e685 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/anchorpeer/tasks/nested_anchorpeer.yaml
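Review bot: The new "Setup Vault Kubernetes" task is a copy of the task above it that differs only in `component_auth`, with the pair kept apart by complementary `when: org.k8s.cluster_id is defined` / `is not defined` guards; the start of the existing task is outside the hunk. Assuming the existing task builds `component_auth` from `network.env.type` as the templates in this commit do, a single task with `component_auth: "{{ org.k8s.cluster_id | default(network.env.type) }}{{ component_ns }}-auth"` and no `when` covers both cases and stops the two var lists from drifting apart. Note that `cluster_id` is joined to the namespace with no separator, so the resulting Vault auth mount name cannot be split back into its parts; if a separator is wanted it has to be introduced consistently in the templates and in the delete role as well. The comment line also lacks a space after the hash (`# Setup Vault-Kubernetes accesses and Regcred for docker registry`).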
+++ b/platforms/hyperledger-fabric/configuration/roles/create/anchorpeer/tasks/nested_anchorpeer.yaml
@@ -35,6 +35,7 @@
 git_branch: "{{ org.gitops.branch }}"
 charts_dir: "{{ org.gitops.chart_source }}"
 vault: "{{ org.vault }}"
+ k8s: "{{ org.k8s }}"
 fabrictools_image: "hyperledger/fabric-tools:{{ network.version }}"
 alpine_image: "{{ docker_url }}/alpine-utils:1.0"
 anchorstx: "{{ lookup('file', '{{ build_path }}/channel-artifacts/{{item.channel_name|lower}}{{participant.name|lower}}MSPAnchor.tx.base64') }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/orderer/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/orderer/tasks/main.yaml
index e6321b48dc1..458e9f490a5 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/orderer/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/ca_tools/orderer/tasks/main.yaml
@@ -8,7 +8,7 @@
 # This role creates value file for the deployment of CA Tools CLI
 #############################################################################################
-# # Check if CA server is available
+# Check if CA server is available
 - name: "waiting for the CA server to be created in {{ item.name | lower }}-net"
 include_role:
 name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/channels/tasks/valuefile.yaml b/platforms/hyperledger-fabric/configuration/roles/create/channels/tasks/valuefile.yaml
index 40a5e6edad4..0d8f407f521 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/channels/tasks/valuefile.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/channels/tasks/valuefile.yaml
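Review bot: The var added here is named `k8s`, while add-orderer.yaml in this commit passes the same mapping as `kubernetes`, and the templates end up reading it under three different names (`k8s`, `org.k8s`, `item.k8s`); a role that passes the mapping under the wrong name does not fail, the template just renders the `network.env.type` auth path. Passing the whole k8s mapping in order to read one field is also more than the template needs. Consider resolving the value in the role instead, e.g. `vault_auth_prefix: "{{ org.k8s.cluster_id | default(network.env.type) }}"`, so that every template renders `authpath: {{ vault_auth_prefix }}{{ component_ns }}-auth` and a missing var is a render error rather than a silent fallback. The same applies to the valuefile.yaml and nested_channel_join.yaml hunks.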
@@ -49,6 +49,7 @@
 git_branch: "{{ org.gitops.branch }}"
 charts_dir: "{{ org.gitops.chart_source }}"
 vault: "{{ org.vault }}"
+ k8s: "{{ org.k8s }}"
 fabrictools_image: "hyperledger/fabric-tools:{{ network.version }}"
 alpine_image: "{{ docker_url }}/alpine-utils:1.0"
 channeltx: "{{ lookup('file', '{{ build_path }}/channel-artifacts/{{item.channel_name|lower}}.tx.base64') }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/channels_join/tasks/nested_channel_join.yaml b/platforms/hyperledger-fabric/configuration/roles/create/channels_join/tasks/nested_channel_join.yaml
index 7e40598a6f0..6a8b9908d11 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/channels_join/tasks/nested_channel_join.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/channels_join/tasks/nested_channel_join.yaml
@@ -37,6 +37,7 @@
 fabrictools_image: "hyperledger/fabric-tools:{{ network.version }}"
 alpine_image: "{{ docker_url }}/alpine-utils:1.0"
 vault: "{{ org.vault }}"
+ k8s: "{{ org.k8s }}"
 values_dir: "{{playbook_dir}}/../../../{{org.gitops.release_dir}}/{{ org.name | lower }}"
 loop: "{{ participant.peers }}"
 loop_control:
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_appchannel_block/tasks/nested_create_cli.yaml b/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_appchannel_block/tasks/nested_create_cli.yaml
index 7f3090e2eb8..7ba131a9608 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_appchannel_block/tasks/nested_create_cli.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_appchannel_block/tasks/nested_create_cli.yaml
@@ -25,7 +25,7 @@
 fabrictools_image: "hyperledger/fabric-tools:{{ network.version }}"
 alpine_image: "{{ docker_url }}/alpine-utils:1.0"
 channel_name: "{{ channel_name }}"
- storage_class: "{{ org.name }}sc"
+ storage_class: "{{ org.name }}-{{ org.cloud_provider | lower }}-storageclass"
 release_dir: "{{ build_path }}"
 orderer_component: "{{ orderer.name | lower }}.{{ org.name | lower }}-net"
 orderer_address: "{{ orderer.ordererAddress }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_syschannel_block/tasks/nested_create_cli.yaml b/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_syschannel_block/tasks/nested_create_cli.yaml
index 8d038c35d1e..3af4deac080 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_syschannel_block/tasks/nested_create_cli.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/new_orderer/create_syschannel_block/tasks/nested_create_cli.yaml
@@ -24,7 +24,7 @@
 fabrictools_image: "hyperledger/fabric-tools:{{ network.version }}"
 alpine_image: "{{ docker_url }}/alpine-utils:1.0"
 channel_name: "{{ channel_name }}"
- storage_class: "{{ org.name }}sc"
+ storage_class: "{{ org.name }}-{{ org.cloud_provider | lower }}-storageclass"
 release_dir: "{{ build_path }}"
 orderer_component: "{{ orderer.name | lower }}.{{ component_ns }}"
 orderer_address: "{{ orderer.ordererAddress }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/delete/vault_secrets/tasks/main.yaml
index 51f9b84a260..4f01f16e351 100644
--- a/platforms/hyperledger-fabric/configuration/roles/delete/vault_secrets/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/delete/vault_secrets/tasks/main.yaml
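Review bot: `storage_class` is built from `{{ org.name }}` without `| lower`, whereas the `sc_name` added to add-orderer.yaml in this commit builds the same `<name>-<cloud_provider>-storageclass` string from the lowercased name (`component`). If an org name contains upper case the two values diverge, and the one here is not even a valid Kubernetes object name, so the orderer CLI would reference a StorageClass that was never created; `storage_class: "{{ org.name | lower }}-{{ org.cloud_provider | lower }}-storageclass"` keeps the two in step. The create_syschannel_block nested_create_cli.yaml hunk has the same line.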
@@ -82,6 +82,16 @@
 VAULT_ADDR: "{{ item.vault.url }}"
 VAULT_TOKEN: "{{ item.vault.root_token }}"
+############################################################################################
+# This task deletes vault auth
+- name: Delete vault-auth path
+ shell: |
+ vault kv delete sys/auth/{{ item.k8s.cluster_id }}{{ component_name }}-auth
+ environment:
+ VAULT_ADDR: "{{ item.vault.url }}"
+ VAULT_TOKEN: "{{ item.vault.root_token }}"
+ when: item.k8s.cluster_id is defined
+
 ############################################################################################
 # This task deletes crypto materials from vault
 - name: Delete Crypto for orderers
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/anchorpeer_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/anchorpeer_job.tpl
index fa5ceb486d3..6b10084b9d2 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/anchorpeer_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/anchorpeer_job.tpl
@@ -37,7 +37,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if k8s.cluster_id is defined %}
+ authpath: {{ k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl
index 11e90339705..68fbdc7c04f 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl
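Review bot: `vault kv delete sys/auth/...` points the KV secrets-engine subcommand at a system mount; whether that actually disables the auth method depends on the kv preflight treating `sys/` as a plain v1 path and falling through to a raw DELETE, which is not documented behaviour. The documented operation is `vault auth disable {{ item.k8s.cluster_id }}{{ component_name }}-auth`, which also reports clearly when the path does not exist. Disabling an auth method revokes every token it issued, so the order relative to the secret-deletion tasks that follow matters; those use the root token from `item.vault.root_token` and are unaffected, but anything still logged in through the cluster path would lose access at this point. Because of the `when` guard this task never touches the `network.env.type`-prefixed path; if an existing task outside the hunk handles that case, a one-line comment saying so would save the next reader a search.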
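Review bot: The five-line `{% if %}`/`{% else %}`/`{% endif %}` block collapses to one line, `authpath: {{ k8s.cluster_id | default(network.env.type) }}{{ component_ns }}-auth`, and the same one-liner fits every other template hunk in this commit (approve_chaincode_job, ca-orderer, ca-peer, ca-tools, cacerts_job, cli, commit_chaincode_job, create_channel_job, install_chaincode_job, install_external_chaincode_job, instantiate_chaincode_job, invoke_chaincode_job, join_channel_job, orderernode, upgrade_chaincode_job, value_peer, existing_peer_cli, orderer_cli). More important than the length: the variable tested differs per template (`k8s`, `org.k8s` or `item.k8s`), and under Ansible's undefined handling a wrong name makes `is defined` false without any error, so the job is rendered with the `network.env.type` path and the Vault login fails only at runtime. Checking the rendered value files for an org that sets `cluster_id`, or passing one pre-resolved prefix variable from the roles, would catch such a mismatch before deployment.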
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/approve_chaincode_job.tpl
@@ -31,7 +31,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-orderer.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-orderer.tpl
index 6ac776ac553..7474622c024 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-orderer.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-orderer.tpl
@@ -57,7 +57,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ component_name }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_name }}-auth
+{% endif %}
 secretcert: {{ vault.secret_path | default('secretsv2') }}/data/crypto/ordererOrganizations/{{ component_name | e }}/ca?ca.{{ component_name | e }}-cert.pem
 secretkey: {{ vault.secret_path | default('secretsv2') }}/data/crypto/ordererOrganizations/{{ component_name | e }}/ca?{{ component_name | e }}-CA.key
 secretadminpass: {{ vault.secret_path | default('secretsv2') }}/data/credentials/{{ component_name | e }}/ca/{{ component }}?user
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-peer.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-peer.tpl
index 3cdcaa5c4bd..e6c7732d858 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-peer.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-peer.tpl
@@ -57,7 +57,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ component_name | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_name | e }}-auth
+{% endif %}
 secretcert: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_name | e }}/ca?ca.{{ component_name | e }}-cert.pem
 secretkey: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_name | e }}/ca?{{ component_name | e }}-CA.key
 secretadminpass: {{ vault.secret_path | default('secretsv2') }}/data/credentials/{{ component_name | e }}/ca/{{ component }}?user
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl
index 043365448f3..bcce6de9ff7 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/ca-tools.tpl
@@ -59,7 +59,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ component_name }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_name }}-auth
+{% endif %}
 secretusers: {{ vault.secret_path | default('secretsv2') }}/data/crypto/{{ component_type }}Organizations/{{ component_name }}/users
 secretorderer: {{ vault.secret_path | default('secretsv2') }}/data/crypto/{{ component_type }}Organizations/{{ component_name }}/orderers
 secretpeer: {{ vault.secret_path | default('secretsv2') }}/data/crypto/{{ component_type }}Organizations/{{ component_name }}/peers
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cacerts_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cacerts_job.tpl
index 7c06ab54ff8..f021e5e9f68 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cacerts_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cacerts_job.tpl
@@ -28,7 +28,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 secretcryptoprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/{{ component_type }}Organizations/{{ component }}-net/ca
 secretcredentialsprefix: {{ vault.secret_path | default('secretsv2') }}/data/credentials/{{ component }}-net/ca/{{ component }}
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cli.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cli.tpl
index a7dd2104b7a..b6d56e612be 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cli.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/cli.tpl
@@ -28,7 +28,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/commit_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/commit_chaincode_job.tpl
index d4b2027999f..3134ab10b77 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/commit_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/commit_chaincode_job.tpl
@@ -31,7 +31,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
 secretpath: {{ vault.secret_path | default('secretsv2') }}
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/create_channel_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/create_channel_job.tpl
index f95348d446c..3646fa0c785 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/create_channel_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/create_channel_job.tpl
@@ -34,7 +34,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if k8s.cluster_id is defined %}
+ authpath: {{ k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_chaincode_job.tpl
index ab58bed529a..550a036c4a0 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_chaincode_job.tpl
@@ -33,7 +33,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
 secretgitprivatekey: {{ vault.secret_path | default('secretsv2') }}/data/credentials/{{ namespace }}/git
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl
index 6764767e120..bde543c32b9 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl
@@ -33,7 +33,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 chaincodesecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/peers/{{ peer_name }}.{{ namespace }}/chaincodes
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/instantiate_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/instantiate_chaincode_job.tpl
index ba8011b47d0..54b50f6d6d0 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/instantiate_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/instantiate_chaincode_job.tpl
@@ -31,7 +31,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/invoke_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/invoke_chaincode_job.tpl
index 46c9f58ee4a..8cdabc5d0ac 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/invoke_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/invoke_chaincode_job.tpl
@@ -34,7 +34,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 secretpath: {{ vault.secret_path | default('secretsv2') }}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/join_channel_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/join_channel_job.tpl
index d32a2d02ad1..314e8ea3275 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/join_channel_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/join_channel_job.tpl
@@ -37,7 +37,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if k8s.cluster_id is defined %}
+ authpath: {{ k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/orderernode.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/orderernode.tpl
index 5956dfb12fc..7c3196c6912 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/orderernode.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/orderernode.tpl
@@ -73,7 +73,11 @@ spec:
 vault:
 address: {{ vault.url }}
 role: vault-role
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ namespace }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace }}-auth
+{% endif %}
 type: {{ vault.type | default("hashicorp") }}
 secretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/ordererOrganizations/{{ namespace }}/orderers/{{ orderer.name }}.{{ namespace }}
 {% if network.docker.username is defined and network.docker.password is defined %}
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/upgrade_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/upgrade_chaincode_job.tpl
index 512186e4f4a..2140811dec0 100644
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/upgrade_chaincode_job.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/upgrade_chaincode_job.tpl
@@ -31,7 +31,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ namespace | e }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace | e }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/value_peer.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/value_peer.tpl
index e7a153eb879..5eec16d2034 100755
--- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/value_peer.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/value_peer.tpl
@@ -78,7 +78,11 @@ spec:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if item.k8s.cluster_id is defined %}
+ authpath: {{ item.k8s.cluster_id }}{{ namespace }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ namespace }}-auth
+{% endif %}
 secretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/peers/{{ peer_name }}.{{ namespace }}
 secretambassador: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ namespace }}/ambassador
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/existing_peer_cli.tpl b/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/existing_peer_cli.tpl
index 2267df8d464..0565e68d8dc 100644
--- a/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/existing_peer_cli.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/existing_peer_cli.tpl
@@ -9,7 +9,11 @@ storage:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/peerOrganizations/{{ component_ns }}/orderer
 serviceaccountname: vault-auth
diff --git a/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/orderer_cli.tpl b/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/orderer_cli.tpl
index 17d4c14de73..de55441753b 100644
--- a/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/orderer_cli.tpl
+++ b/platforms/hyperledger-fabric/configuration/roles/k8_component/templates/orderer_cli.tpl
@@ -9,7 +9,11 @@ storage:
 vault:
 role: vault-role
 address: {{ vault.url }}
+{% if org.k8s.cluster_id is defined %}
+ authpath: {{ org.k8s.cluster_id }}{{ component_ns }}-auth
+{% else %}
 authpath: {{ network.env.type }}{{ component_ns }}-auth
+{% endif %}
 adminsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/ordererOrganizations/{{ component_ns }}/users/admin
 orderersecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/crypto/ordererOrganizations/{{ component_ns }}/orderers/{{ orderer_component }}
 serviceaccountname: vault-auth
diff --git a/platforms/network-schema.json b/platforms/network-schema.json
index ac4975ec7b8..7a5500d21bc 100755
--- a/platforms/network-schema.json
+++ b/platforms/network-schema.json
@@ -178,6 +178,7 @@
 "shared_k8s":{
 "type": "object",
 "properties": {
+ "cluster_id": { "type": "string"},
 "provider": { "type": "string","enum": ["aws", "azure","gcp","minikube"]},
 "region": { "type": "string"},
 "context":{ "type": "string","description": "Context/Name of the cluster where the organization entities should be deployed"},
diff --git a/platforms/shared/charts/vault-k8s-mgmt/templates/job.yaml b/platforms/shared/charts/vault-k8s-mgmt/templates/job.yaml
index af79571ffee..2e471e1e9b7 100644
--- a/platforms/shared/charts/vault-k8s-mgmt/templates/job.yaml
+++ b/platforms/shared/charts/vault-k8s-mgmt/templates/job.yaml
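Review bot: `cluster_id` enters the schema as an unconstrained string with no description, yet the playbooks in this commit concatenate it straight into Vault auth mount paths, into the `shell` command of the delete role and, via `authpath`, into the rendered Helm values. A value containing `/`, whitespace or upper case would yield a nested or invalid mount path that the schema happily accepts, so a description and a pattern document the contract and reject bad input at validation time, e.g. `"cluster_id": { "type": "string", "pattern": "^[a-z0-9-]+$", "description": "Unique id of the cluster, prefixed to the organization's Vault auth path" }` (the pattern is a proposal, not taken from the repository). It is also worth confirming that `shared_k8s` is the definition the organization `k8s` block resolves to, since the playbooks read `org.k8s.cluster_id`.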
@@ -120,10 +120,12 @@ spec:
 done < /var/run/secrets/kubernetes.io/serviceaccount/ca.crt > ca_formatted.txt
 KUBE_SA_CRT_ONELINE=$(cat ca_formatted.txt)
+ SA_JWT_TOKEN=$(cat cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 # This echo get the certificate for the cluster
 echo " {
+ \"token_reviewer_jwt\": \"${SA_JWT_TOKEN}\",
 \"kubernetes_host\": \"${KUBERNETES_URL}\",
 \"kubernetes_ca_cert\": \"${KUBE_SA_CRT_ONELINE}\",
 \"disable_iss_validation\": \"true\"