diff --git a/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml b/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml index bb492e1dfa0..bb3e4a7a8a1 100644 --- a/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml @@ -47,7 +47,7 @@ kind: Host metadata: name: {{ .Release.Name }}-nms spec: - hostname: {{ .Values.cenm.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }} + hostname: {{ .Values.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }} acmeProvider: authority: none requestPolicy: @@ -64,7 +64,7 @@ metadata: name: {{ .Release.Name }}-mapping namespace: {{ .Release.Namespace }} spec: - host: {{ .Values.cenm.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }} + host: {{ .Values.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }} prefix: / service: {{ include "networkmap.name" . }}.{{ .Release.Namespace }}:{{ .Values.global.cenm.networkmap.port }} {{- end }} diff --git a/platforms/r3-corda-ent/charts/cenm/templates/hooks-pre-install.yaml b/platforms/r3-corda-ent/charts/cenm/templates/hooks-pre-install.yaml index 2a0045e779d..ced58af0d53 100644 --- a/platforms/r3-corda-ent/charts/cenm/templates/hooks-pre-install.yaml +++ b/platforms/r3-corda-ent/charts/cenm/templates/hooks-pre-install.yaml @@ -9,6 +9,7 @@ metadata: "helm.sh/hook-weight": "0" "helm.sh/hook-delete-policy": "before-hook-creation" labels: + app: "{{ .Release.Name }}" app.kubernetes.io/name: pre-install-hook app.kubernetes.io/component: certgen app.kubernetes.io/part-of: {{ include "cenm.fullname" . }} @@ -21,6 +22,7 @@ spec: template: metadata: labels: + app: "{{ .Release.Name }}" app.kubernetes.io/name: pre-install-hook app.kubernetes.io/component: certgen app.kubernetes.io/part-of: {{ include "cenm.fullname" . }} 
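Review bot: `.Values.prefix` on the new `hostname:` line has no guard, so a values file that still sets the old `cenm.prefix` key renders the Ambassador Host as `-nms.<suffix>` instead of failing, and the same applies to the `host:` line in the second hunk of this file. Helm renders a missing value as an empty string, so an unmigrated values file would publish the network map under a hostname nobody intended. Consider `hostname: {{ required "prefix must be set" .Values.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }}` so `helm install` fails instead, with the same `required` wrapper on the Mapping `host:`. Confirm that the chart's values.yaml was moved from `cenm.prefix` to `prefix`; that file is not in this diff.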
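Review bot: The new `app: "{{ .Release.Name }}"` label on the hook pod template (second hunk of hooks-pre-install.yaml, same addition as on the Job metadata in the first) makes the certgen pod selectable by any Service, NetworkPolicy or PodDisruptionBudget that selects on `app=<release>`; if the chart's main workload uses that bare key, the hook pod, which presumably handles certificate material, would be pulled into those selectors. Confirm no selector in the chart uses the bare `app` key, or give the hook a distinct value such as `app: "{{ .Release.Name }}-certgen"`. The value is quoted while `app.kubernetes.io/part-of` on the following line is not; `{{ .Release.Name | quote }}` would match the surrounding style. A one-line comment above the label saying which selector or policy it exists for would help the next maintainer.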
diff --git a/platforms/r3-corda-ent/configuration/cleanup.yaml b/platforms/r3-corda-ent/configuration/cleanup.yaml index 4962c50145c..a6657cc4d94 100644 --- a/platforms/r3-corda-ent/configuration/cleanup.yaml +++ b/platforms/r3-corda-ent/configuration/cleanup.yaml @@ -21,8 +21,12 @@ - include_role: name: "delete/vault_secrets" vars: + org_name: "{{ org.name | lower }}" gitops: "{{ org.gitops }}" - component_name: "{{ org.name | lower }}-ent" + component_name: "{{ org_name }}-ent" + component_type: "{{ org.type | lower }}" + services: "{{ org.services }}" + kubernetes: "{{ org.k8s }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org diff --git a/platforms/r3-corda-ent/configuration/deploy-network.yaml b/platforms/r3-corda-ent/configuration/deploy-network.yaml index 0d803aa585b..49c159f146f 100644 --- a/platforms/r3-corda-ent/configuration/deploy-network.yaml +++ b/platforms/r3-corda-ent/configuration/deploy-network.yaml @@ -54,12 +54,15 @@ component_name: "{{ org_name }}-init" component_ns: "{{ org_name }}-ent" kubernetes: "{{ org.k8s }}" + init_type: "corda_ent_init" vault: "{{ org.vault }}" values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org + when: + - org.type == 'cenm' # Setup CENM - name: "Setup cenm" @@ -76,6 +79,11 @@ external_url_suffix: "{{ org.external_url_suffix }}" charts_dir: "{{ org.gitops.chart_source }}" values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: + - org.type == 'cenm' # Deploy notaries - name: Deploy notary service @@ -97,8 +105,9 @@ loop_control: loop_var: org when: + - org.type == 'cenm' - org.services.notaries is defined - + # Setup NETWORK_MAP - name: "Setup network_map" include_role: 
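Review bot: The include now passes `kubernetes`, `services` and `component_type` to `delete/vault_secrets` but not `vault`, and the role body visible later in this diff still reads `org.vault.url` and `org.vault.root_token` from the loop variable directly, so the role remains coupled to `org` even though it no longer needs it for cluster or service data. Passing `vault: "{{ org.vault }}"` here, as the setup includes in deploy-network.yaml already do, would let the role drop its remaining `org.` references. `component_name: "{{ org_name }}-ent"` depends on `org_name` being resolved from the sibling entry of the same `vars:` block; this works because Ansible templates include vars lazily, but a short comment saying so would save the next reader a check.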
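Review bot: The added `when: org.type == 'cenm'` means the init task (`{{ org_name }}-init`) no longer runs for organisations of type `node`, while the new `Deploy Corda nodes` task in the later hunk of this file is gated on `org.type == 'node'`; unless `setup/node` performs its own init, node organisations lose that step. The same gate is added in the `Setup cenm`, `Deploy notary service` and `Setup network_map` hunks, so one comment above the first of them, e.g. `# CENM-only tasks; node orgs are handled by setup/node below`, would document the split. The task this hunk modifies starts before the hunk.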
@@ -116,7 +125,34 @@ external_url_suffix: "{{ org.external_url_suffix }}" charts_dir: "{{ org.gitops.chart_source }}" values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}" - + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: + - org.type == 'cenm' + + # Deploy all other nodes + - name: Deploy Corda nodes + include_role: + name: setup/node + vars: + org_name: "{{ org.name | lower }}" + component_name: "{{ org_name }}-node" + component_ns: "{{ org_name }}-ent" + cloud_provider: "{{ org.cloud_provider }}" + external_url_suffix: "{{ org.external_url_suffix }}" + node: "{{ org.services.peers }}" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + gitops: "{{ org.gitops }}" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ component_ns }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + when: + - org.type == 'node' + - org.org_status is not defined or org.org_status == 'new' # These variables can be overriden from the command line vars: diff --git a/platforms/r3-corda-ent/configuration/roles/create/certificates/cenm/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/certificates/cenm/tasks/main.yaml deleted file mode 100644 index f92dfd15de1..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/create/certificates/cenm/tasks/main.yaml +++ /dev/null 
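Review bot: `node: "{{ org.services.peers }}"` in the new `Deploy Corda nodes` task has no guard, so a `node` organisation without a `services.peers` entry fails the include with an undefined-variable error instead of being skipped; the notary task earlier in this file guards with `org.services.notaries is defined`, and an `- org.services.peers is defined` entry in this task's `when:` list would match that. The `values_dir` here ends in `{{ component_ns }}` (i.e. `<org>-ent`), whereas the `Setup network_map` task in the same hunk ends in `{{ org_name }}` and the init task earlier ends in `{{ org_name }}/build`; if the difference is intentional, a comment on the `values_dir` line saying where `setup/node` writes its values would help, otherwise align them. The `org_status` gate (`is not defined or == 'new'`) is applied only to node deployment; presumably the CENM roles are idempotent, but confirm that re-running against an existing network is safe.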
@@ -1,144 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role generates certificates for ambassador proxy -# and places them in vault. Certificates are created using openssl. -# It also creates the corresponding Kubernetes secret ---- - -# Check if the Ambassador tls directory exists -- name: Check if the Ambassador directory exists - stat: - path: "{{ tlscert_path }}" - register: ambassadordir_check - -# Create the ambassador directory if it doesn't exist -- name: Create the Ambassador directory if it doesn't exist - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" - vars: - path: "{{ tlscert_path }}" - when: not ambassadordir_check.stat.exists - -# Check if the ambassador tls is already created -- name: Check if the Ambassador TLS is already created - shell: | - vault kv get -field=tlskey {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ service_name }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs - ignore_errors: yes - -# Get the existing ambassador certificates from vault if any -- name: Get all ambassador certs data from vault - shell: | - vault kv get -format=yaml {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ service_name }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs_yaml - when: not ambassador_tls_certs.failed - -# Save the ambassador certs if they exist -- name: Save the ambassador certs if they exist in the vault - include_role: - name: "setup/get_crypto" - vars: - vault_output: "{{ ambassador_tls_certs_yaml.stdout | from_yaml 
}}" - type: "ambassador" - cert_path: "{{ tlscert_path }}" - when: ambassador_tls_certs.failed == False - -# Check if openssl conf file exists -- name: Check if openssl.conf file exists - stat: - path: "{{ tlscert_path }}/openssl.conf" - register: openssl_conf_check - -# Generates the openssl file for domain -- name: Generate openssl.conf file - shell: | - cd {{ tlscert_path }} - cat <openssl.conf - [dn] - CN={{ domain_name }} - [req] - distinguished_name = dn - [EXT] - subjectAltName=DNS:{{ domain_name }} - keyUsage=digitalSignature - extendedKeyUsage=serverAuth - EOF - vars: - domain_name: "{{ service_name }}.{{ org.external_url_suffix }}" - when: not openssl_conf_check.stat.exists - -# Check if tls ca file exists -- name: Check if tls ca file exists - stat: - path: "./build/ambassador/corda-ssl-root-ca.key" - register: corda_ssl_ca_check - -# Download from vault tls ca and convert from jks to p12 -- name: Get Corda SSL root ca - shell: | - echo $TRUSTSTORE_PASS - vault kv get -field=corda-ssl-root-keys.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs |base64 -d > ./build/ambassador/corda-ssl-root-keys.jks - yes|keytool -importkeystore -srcstorepass $TRUSTSTORE_PASS -srckeystore ./build/ambassador/corda-ssl-root-keys.jks -deststorepass $TRUSTSTORE_PASS -destkeystore ./build/ambassador/corda-ssl-root-keys.p12 -deststoretype PKCS12 - openssl pkcs12 -in ./build/ambassador/corda-ssl-root-keys.p12 -passin pass:$TRUSTSTORE_PASS -nokeys -out ./build/ambassador/corda-ssl-root-ca.crt - openssl pkcs12 -in ./build/ambassador/corda-ssl-root-keys.p12 -passin pass:$TRUSTSTORE_PASS -nocerts -nodes -out ./build/ambassador/corda-ssl-root-ca.key - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - TRUSTSTORE_PASS: "{{ org.credentials.truststore.ssl }}" - when: not corda_ssl_ca_check.failed - -# Create ambassador certificates -- name: Create Ambassador certificates - shell: | - # generate new key - 
openssl genrsa -out {{ tlscert_path }}/ambassador.key 2048 - # create request - openssl req -new -key {{ tlscert_path }}/ambassador.key -out {{ tlscert_path }}/ambassador.csr -config {{ tlscert_path }}/openssl.conf -newkey rsa:2048 -nodes -sha256 -subj "/CN={{ domain_name }}" -extensions EXT - # sign with CA key - openssl x509 -req -in {{ tlscert_path }}/ambassador.csr -CA ./build/ambassador/corda-ssl-root-ca.crt -CAkey ./build/ambassador/corda-ssl-root-ca.key -CAcreateserial -outform PEM -out {{ tlscert_path }}/ambassador.pem -days 730 -extensions EXT -extfile {{ tlscert_path }}/openssl.conf - vars: - domain_name: "{{ service_name }}.{{ org.external_url_suffix }}" - when: ambassador_tls_certs.failed == True - -# Store the ambassador certificates into the vault -- name: Store the Ambassador certs to vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ service_name }}/tlscerts tlscacerts="$(cat {{ tlscert_path }}/ambassador.pem | base64)" tlskey="$(cat {{ tlscert_path }}/ambassador.key | base64)" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: ambassador_tls_certs.failed == True - -# Check if the ambassador secret is created in the org namespace -- name: Check Ambassador cred exists - k8s_info: - kind: Secret - namespace: "{{ namespace }}" - name: "{{ service_name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - register: get_ambassador_secret - -# Create the ambassador secret if it doesn't exist -- name: Create the Ambassador credentials - shell: | - KUBECONFIG={{ org.k8s.config_file }} kubectl create secret tls {{ service_name }}-ambassador-certs --cert="{{ tlscert_path }}/ambassador.pem" --key="{{ tlscert_path }}/ambassador.key" -n {{ namespace }} - when: get_ambassador_secret.resources|length == 0 - -# Copy generated crt to build location -- name: Copy generated Ambassador tls certs to given build 
location - copy: - src: "{{ tlscert_path }}/ambassador.pem" - dest: "{{ dest_path }}" - follow: yes - when: dest_path is defined diff --git a/platforms/r3-corda-ent/configuration/roles/create/certificates/node/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/certificates/node/tasks/main.yaml deleted file mode 100644 index 36e009a6cb1..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/create/certificates/node/tasks/main.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role generates certificates for ambassador -# and places them in vault. Certificates are created using openssl -# This also creates the corresponding Kubernetes secret ---- -# Check if the ambassador tls directory exists -- name: Check if the Ambassador directory exists or not - stat: - path: "./build/ambassador/{{ node_name }}" - register: ambassadordir_check - -# Create the ambassador directory if it doesn't exist -- name: Create the Ambassador directory if it doesn't exist - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" - vars: - path: "./build/ambassador/{{ node_name }}" - when: not ambassadordir_check.stat.exists - -# Check if the ambassador tls is already created -- name: Check if the Ambassador TLS is already created - shell: | - vault kv get -field=tlskey {{ vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ node_name }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs - ignore_errors: yes - -# Get the existing ambassador certificates from vault if any -- name: Get all ambassador certs data from vault - shell: | - vault kv get -format=yaml {{ vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ node_name }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs_yaml - when: not ambassador_tls_certs.failed - -# Save the ambassador certs if they exist -- name: Save the Ambassador certs if they exist in the vault - include_role: - name: "setup/get_crypto" - vars: - vault_output: "{{ 
ambassador_tls_certs_yaml.stdout | from_yaml }}" - type: "ambassador" - cert_path: "./build/ambassador/{{ node_name }}" - when: ambassador_tls_certs.failed == False - -# Check if the openssl.conf file exists or not -- name: Check if openssl.conf file exists or not - stat: - path: "./build/ambassador/{{ node_name }}/openssl{{ node_name }}.conf" - register: openssl_conf_check - -# Generates the openssl.conf file for domain -- name: Generate openssl.conf file - shell: | - cd ./build/ambassador/{{ node_name }} - cat <openssl{{ node_name }}.conf - [dn] - CN={{ domain_name }} - [req] - distinguished_name = dn - [EXT] - keyUsage=digitalSignature - extendedKeyUsage=serverAuth - subjectAltName = @alt_names - - [alt_names] - DNS.1 = {{ domain_name }} - DNS.2 = {{ domain_name_api }} - DNS.3 = {{ domain_name_web }} - EOF - vars: - domain_name_api: "{{ node_name }}api.{{ org.external_url_suffix }}" - domain_name_web: "{{ node_name }}web.{{ org.external_url_suffix }}" - when: not openssl_conf_check.stat.exists - -# Create ambassador certificates -- name: Create Ambassador certificates - shell: | - cd ./build/ambassador/{{ node_name }} - openssl req -x509 -out ambassador.pem -keyout ambassador.key -newkey rsa:2048 -nodes -sha256 -subj "/CN={{ domain_name }}" -extensions EXT -config openssl{{ node_name }}.conf - when: ambassador_tls_certs.failed - -# Store the ambassador certificates into the vault -- name: Store the Ambassador certs to vault - shell: | - vault kv put {{ vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ node_name }}/tlscerts tlscacerts="$(cat ./build/ambassador/{{ node_name }}/ambassador.pem | base64)" tlskey="$(cat ./build/ambassador/{{ node_name }}/ambassador.key | base64)" - environment: - VAULT_ADDR: "{{ vault.url }}" - VAULT_TOKEN: "{{ vault.root_token }}" - when: ambassador_tls_certs.failed - -# Check if the ambassador secret is created in the namespace -- name: Check if Ambassador creds exists - k8s_info: - kind: Secret - namespace: "{{ 
namespace }}" - name: "{{ node_name }}-ambassador-certs" - kubeconfig: "{{ k8s.config_file }}" - context: "{{ k8s.context }}" - register: get_ambassador_secret - -# Create the ambassador secret if it doesn't exist -- name: Create the Ambassador credentials - shell: | - KUBECONFIG={{ k8s.config_file }} kubectl create secret tls {{ node_name }}-ambassador-certs --cert="./build/ambassador/{{ node_name }}/ambassador.pem" --key="./build/ambassador/{{ node_name }}/ambassador.key" -n {{ namespace }} - when: get_ambassador_secret.resources|length == 0 diff --git a/platforms/r3-corda-ent/configuration/roles/create/certificates/notary/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/certificates/notary/tasks/main.yaml deleted file mode 100644 index fe1ca512500..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/create/certificates/notary/tasks/main.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role generates certificates for ambassador -# and places them in vault. Certificates are created using openssl -# This also creates the corresponding Kubernetes secret ---- -# Check if the ambassador tls directory exists -- name: Check if the Ambassador directory exists or not - stat: - path: "./build/ambassador/{{ node_name }}" - register: ambassadordir_check - -# Create the ambassador directory if it doesn't exist -- name: Create the Ambassador directory if it doesn't exist - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" - vars: - path: "./build/ambassador/{{ node_name }}" - when: not ambassadordir_check.stat.exists - -# Check if the ambassador tls is already created -- name: Check if the Ambassador TLS is already created - shell: | - vault kv get -field=tlskey {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs - ignore_errors: yes - -# Get the existing ambassador certificates from vault if any -- name: Get all ambassador certs data from vault - shell: | - vault kv get -format=yaml {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: ambassador_tls_certs_yaml - when: not ambassador_tls_certs.failed - -# Save the ambassador certs if they exist -- name: Save the Ambassador certs if they exist in the vault - include_role: - name: "setup/get_crypto" - vars: - vault_output: "{{ ambassador_tls_certs_yaml.stdout | from_yaml }}" - 
type: "ambassador" - cert_path: "./build/ambassador/{{ node_name }}" - when: ambassador_tls_certs.failed == False - -# Check if the openssl.conf file exists or not -- name: Check if openssl.conf file exists or not - stat: - path: "./build/ambassador/{{ node_name }}/openssl{{ node_name }}.conf" - register: openssl_conf_check - -# Generates the openssl.conf file for domain -- name: Generate openssl.conf file - shell: | - cd ./build/ambassador/{{ node_name }} - cat <openssl{{ node_name }}.conf - [dn] - CN={{ domain_name }} - [req] - distinguished_name = dn - [EXT] - subjectAltName=DNS:{{ domain_name }} - keyUsage=digitalSignature - extendedKeyUsage=serverAuth - EOF - vars: - domain_name: "{{ node_name }}.{{ org.external_url_suffix }}" - when: not openssl_conf_check.stat.exists - - -# Create ambassador certificates -- name: Create Ambassador certificates - shell: | - cd ./build/ambassador/{{ node_name }} - openssl req -x509 -out ambassador.pem -keyout ambassador.key -newkey rsa:2048 -nodes -sha256 -subj "/CN={{ domain_name }}" -extensions EXT -config openssl{{ node_name }}.conf - vars: - domain_name: "{{ node_name }}.{{ org.external_url_suffix }}" - when: ambassador_tls_certs.failed - -# Store the ambassador certificates into the vault -- name: Store the Ambassador certs to vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/tlscerts tlscacerts="$(cat ./build/ambassador/{{ node_name }}/ambassador.pem | base64)" tlskey="$(cat ./build/ambassador/{{ node_name }}/ambassador.key | base64)" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: ambassador_tls_certs.failed - -# Check if the ambassador secret is created in the namespace -- name: Check if Ambassador creds exists - k8s_info: - kind: Secret - namespace: "{{ namespace }}" - name: "{{ node_name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - register: 
get_ambassador_secret - -# Create the ambassador secret if it doesn't exist -- name: Create the Ambassador credentials - shell: | - KUBECONFIG={{ org.k8s.config_file }} kubectl create secret tls {{ node_name }}-ambassador-certs --cert="./build/ambassador/{{ node_name }}/ambassador.pem" --key="./build/ambassador/{{ node_name }}/ambassador.key" -n {{ namespace }} - when: get_ambassador_secret.resources|length == 0 diff --git a/platforms/r3-corda-ent/configuration/roles/create/namespace_serviceaccount/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/namespace_serviceaccount/tasks/main.yaml deleted file mode 100644 index 65855526a85..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/create/namespace_serviceaccount/tasks/main.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Create the deployment files for namespaces, vault-auth, vault-reviewer and clusterrolebinding for each node -# Check Namespace exists already -- name: "Checking if the namespace {{ component_ns }} already exists" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "no_retry" - -# Set Variable -- name: "Set Variable" - set_fact: - get_namespace: "{{ result }}" - -# Create namespace -- name: Create namespace for {{ organisation }} - include_role: - name: create/k8_component - vars: - component_name: "{{ component_ns }}" - component_type: "namespace" - helm_lint: "false" - release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}" - when: get_namespace.resources|length == 0 - -# Create vault reviewer service account for organisation -- name: Create vault reviewer for {{ organisation }} - include_role: - name: create/k8_component - vars: - component_name: "{{ component_ns }}" - component_type: "vault-reviewer" - helm_lint: "false" - release_dir: "{{ playbook_dir }}/../../../{{ gitops.release_dir }}" - -# Git Push: Push the created deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing deployment files for namespace and service accounts" 
diff --git a/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/main.yaml
index 04d1f385eac..ca5dbef3f1f 100644
--- a/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/main.yaml
+++ b/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/main.yaml
@@ -12,208 +12,48 @@ - name: Delete docker creds k8s: kind: Secret - namespace: "{{ org.name | lower }}-ent" + namespace: "{{ component_name }}" name: "regcred" state: absent - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - ignore_errors: yes + kubeconfig: "{{ kubernetes.config_file }}" + context: "{{ kubernetes.context }}" + ignore_errors: true + changed_when: false -# Delete the Ambassador Creds for idman -- name: Delete Ambassador creds for idman - k8s: - kind: Secret - namespace: "{{ org.name | lower }}-ent" - name: "{{ org.services.idman.name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - state: absent - ignore_errors: yes - when: org.type == 'cenm' - -# Delete the Ambassador Creds for networkmap -- name: Delete Ambassador creds for networkmap - k8s: - kind: Secret - namespace: "{{ org.name | lower }}-ent" - name: "{{ org.services.networkmap.name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - state: absent - ignore_errors: yes - when: org.type == 'cenm' - -# Delete the Ambassador Creds for notary -- name: Delete Ambassador creds for notary - k8s: - kind: Secret - namespace: "{{ org.name | lower }}-ent" - name: "{{ notary.name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - state: absent - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - ignore_errors: yes - when: org.type == 'cenm' or org.type == 'notary' - -# Delete the Ambassador Creds for each peer of all nodes -- name: Delete Ambassador creds for each peer of all nodes - k8s: - kind: Secret - namespace: "{{ org.name | lower }}-ent" - name: "{{ peer.name }}-ambassador-certs" - kubeconfig: "{{ org.k8s.config_file }}" - context: "{{ org.k8s.context }}" - state: absent - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - ignore_errors: yes - when: org.type == 'node' - -# Delete vault 
auth for organizations -- name: Delete vault-auth path for organizations - shell: | - vault kv delete sys/auth/cordaent{{ org.name | lower }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - -# Delete vault auth for float -- name: Delete vault-auth path for organizations float vault - shell: | - vault kv delete sys/auth/cordaent{{ org.name | lower }}float - vault kv delete sys/auth/cordaentfloat{{ org.name | lower }} - environment: - VAULT_ADDR: "{{ org.services.float.vault.url }}" - VAULT_TOKEN: "{{ org.services.float.vault.root_token }}" - when: org.type == 'node' and org.firewall.enabled - -# Delete crypto materials from vault for cenm -- name: Delete Crypto for CENM - shell: | - vault secrets disable {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - -# Delete crypto material -- name: Delete Crypto material for CENM - shell: | - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.idman.name }}/certs - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.idman.name }}/crls - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.idman.name }}/tlscerts - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.networkmap.name }}/certs - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.networkmap.name }}/tlscerts - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.signer.name }}/certs - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower 
}}/credentials/keystore - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/ssl - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/cordapps - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/user - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/gateway/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: org.type == 'cenm' - -# Delete crypto material -- name: Delete Crypto material for CENM Notaries - shell: | - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/tlscerts - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/nodekeystore - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/sslkeystore - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/truststore - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/nodeInfo - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - when: org.type == 'cenm' - -# Delete crypto material for additional notaries -- name: Delete Crypto material for Notary orgs +# Delete crypto materials from vault +- name: Delete Crypto for nodes shell: | - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs - vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/tlscerts - vault 
kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/tlscerts
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/nodekeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/sslkeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/certs/truststore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name }}/nodeInfo
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/keystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/cordapps
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-certs
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-registrationcerts
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-tlscerts
 environment:
 VAULT_ADDR: "{{ org.vault.url }}"
 VAULT_TOKEN: "{{ org.vault.root_token }}"
- loop: "{{ org.services.notaries }}"
+ loop: "{{ services.peers }}"
 loop_control:
- loop_var: notary
- when: org.type == 'notary'
- ignore_errors: yes
+ loop_var: peer
+ when: services.peers is defined
+ ignore_errors: true
-# Delete crypto material
-- name: Delete Crypto material for nodes
+- name: Delete Crypto for notary
 shell: |
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/customnodekeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/{{ network | json_query('network_services[?type==`idman`].name') | first }}
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/{{ network | json_query('network_services[?type==`networkmap`].name') | first }}
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/networkmaptruststore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/nodekeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/sslkeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/truststore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/firewall
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/tlscerts
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/root/certs
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/network-parameters
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-certs
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-registrationcerts
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{{ org_name }}/{{ org_name }}-{{ org.type }}-tlscerts
 environment:
 VAULT_ADDR: "{{ org.vault.url }}"
 VAULT_TOKEN: "{{ org.vault.root_token }}"
- loop: "{{ org.services.peers }}"
- loop_control:
- loop_var: peer
- when: org.type == 'node'
+ vars:
+ peer: "{{ services.notary }}"
+ when: services.notary is defined
+ ignore_errors: true
-# Delete crypto material from float vault path
-- name: Delete Crypto material for nodes
+- name: Delete Crypto for network service
 shell: |
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/nodekeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/sslkeystore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/truststore
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/firewall
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/tlscerts
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs
- vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials
- environment:
- VAULT_ADDR: "{{ org.services.float.vault.url }}"
- VAULT_TOKEN: "{{ org.services.float.vault.root_token }}"
- loop: "{{ org.services.peers }}"
- loop_control:
- loop_var: peer
- when: org.type == 'node' and org.firewall.enabled
-
-# Delete crypto materials from vault for nodes
-- name: Delete Crypto for nodes
- shell: |
- vault secrets disable {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-certs
+ vault kv delete {{ org.vault.secret_path | default('secretsv2') }}/{{ org_name }}/{{ org_name }}-{{ org.type }}-tlscerts
 environment:
 VAULT_ADDR: "{{ org.vault.url }}"
 VAULT_TOKEN: "{{ org.vault.root_token }}"
- when: org.type == 'node'
-
-# Delete crypto materials from float vault
-- name: Delete Crypto for float vault
- shell: |
- vault secrets disable {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}
- environment:
- VAULT_ADDR: "{{ org.services.float.vault.url }}"
- VAULT_TOKEN: "{{ org.services.float.vault.root_token }}"
- when: org.type == 'node' and org.firewall.enabled
+ ignore_errors: true
+ when: component_type == 'node'
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/get_crypto/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
similarity index 51%
rename from platforms/r3-corda-ent/configuration/roles/setup/get_crypto/tasks/main.yaml
rename to platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
index 4d35b56420a..1f31afb9508 100644
--- a/platforms/r3-corda-ent/configuration/roles/setup/get_crypto/tasks/main.yaml
+++ b/platforms/r3-corda-ent/configuration/roles/delete/vault_secrets/tasks/nested_main.yaml
@@ -5,15 +5,17 @@
 ##############################################################################################
 #############################################################################################
-# This role saves the crypto from Vault into ansible_provisioner
+# This role deletes the Vault configurations for each service
 #############################################################################################
-# Save the cert file
-- name: Save cert
- local_action: copy content="{{ vault_output['data'].data.tlscacerts | b64decode }}" dest="{{ cert_path }}/{{ type }}.pem"
- when: type == 'ambassador'
-
-# Save the key file
-- name: Save key
- local_action: copy content="{{ vault_output['data'].data.tlskey | b64decode }}" dest="{{ cert_path }}/{{ type }}.key"
- when: type == 'ambassador'
+# Delete Ambassador Creds
+- name: Delete Ambassador creds
+ k8s:
+ kind: Secret
+ namespace: "{{ component_name }}"
+ name: "{{ service.value['name'] }}-ambassador-certs"
+ kubeconfig: "{{ kubernetes.config_file }}"
+ context: "{{ kubernetes.context }}"
+ state: absent
+ ignore_errors: true
+ changed_when: false
diff --git a/platforms/r3-corda-ent/configuration/roles/get/certs/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/get/certs/tasks/main.yaml
new file mode 100644
index 00000000000..cbcb8c01d6e
--- /dev/null
+++ b/platforms/r3-corda-ent/configuration/roles/get/certs/tasks/main.yaml
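Review bot: The header comment `# This role deletes the Vault configurations for each service` no longer matches the task under it, which removes a Kubernetes Secret (`{{ service.value['name'] }}-ambassador-certs`) via `k8s: state: absent` and touches nothing in Vault; suggest `# This role deletes the Ambassador TLS secret of each service from the org namespace`. `ignore_errors: true` is unnecessary on this task, since `state: absent` already succeeds when the object is missing, so it only hides real failures such as an unreachable cluster or a kubeconfig/context mismatch, and together with `changed_when: false` the play recap gives no sign that the cleanup did not happen. `namespace: "{{ component_name }}"` reads as a component or release name being used as a namespace; worth confirming against the caller that this variable really holds the namespace.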
@@ -0,0 +1,66 @@
+##############################################################################################
+# Copyright Accenture. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
+- name: Set fact for files location
+ ansible.builtin.set_fact:
+ files_loc: "{{ playbook_dir }}/../../../{{ charts_dir }}/enterprise-node/build"
+
+- name: Create directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - "{{ files_loc }}"
+ - "{{ files_loc }}/doorman"
+ - "{{ files_loc }}/nms"
+
+# Get the cenm certs from network-service org
+- name: Get cenm cert from current org
+ kubernetes.core.k8s_info:
+ kubeconfig: "{{ kubernetes.config_file }}"
+ kind: Secret
+ name: "cenm-certs"
+ namespace: "{{ component_ns }}"
+ register: cenm_data
+- debug:
+ msg: "{{ cenm_data }}"
+- name: Print the value of component_ns
+ debug:
+ msg: "component_ns={{ component_ns }}"
+# Get the doorman cert from network-service org
+- name: Get doorman cert from current org
+ kubernetes.core.k8s_info:
+ kubeconfig: "{{ kubernetes.config_file }}"
+ kind: Secret
+ name: "doorman-tls-certs"
+ namespace: "{{ component_ns }}"
+ register: doorman_data
+
+# Get the networkmap cert from network-service org
+- name: Get nms cert from current org
+ kubernetes.core.k8s_info:
+ kubeconfig: "{{ kubernetes.config_file }}"
+ kind: Secret
+ name: "nms-tls-certs"
+ namespace: "{{ component_ns }}"
+ register: nms_data
+
+- name: Save cenm-certs secret locally
+ ansible.builtin.copy:
+ content: "{{ cenm_data.resources[0].data['network-root-truststore.jks'] | b64decode }}"
+ dest: "{{ files_loc }}/network-root-truststore.jks"
+
+- name: Save doorman-tls-certs secret locally
+ ansible.builtin.copy:
+ content: "{{ doorman_data.resources[0].data['tls.crt'] | b64decode }}"
+ dest: "{{ files_loc }}/doorman/tls.crt"
+
+- name: Save nms-tls-certs secret locally
+ ansible.builtin.copy:
+ content: "{{ nms_data.resources[0].data['tls.crt'] | b64decode }}"
+ dest: "{{ files_loc }}/nms/tls.crt"
+
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/auth.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/auth.tpl
deleted file mode 100644
index 3a72523c1e5..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/auth.tpl
+++ /dev/null
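Review bot: The two `debug` tasks following `Get cenm cert from current org` in the new get/certs tasks file print the entire registered `cenm-certs` Secret, base64 `data` included, into the play output and whatever collects it; they look like leftover debugging and should be removed, and the three `kubernetes.core.k8s_info` tasks that register Secret contents should carry `no_log: true` so the registered values are not echoed on verbose runs either. Each save task also indexes `resources[0]` unconditionally, so a missing Secret surfaces as an opaque templating error on the copy task rather than at the lookup; `failed_when: cenm_data.resources | length == 0` on the lookup (and the doorman/nms equivalents) fails at the source with a readable message. The copied files are written without a `mode`, so they inherit the controller's umask; setting `mode: '0644'` makes the intent explicit.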
@@ -1,74 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ org.services.auth.name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/cenm-auth - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - metadata: - namespace: {{ component_ns }} - labels: {} - prefix: {{ name }} - nodeName: {{ component_name }} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - authContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecrets: - - name: regcred - pullPolicy: IfNotPresent - storage: - name: {{ sc_name }} - vault: - address: {{ vault.url }} - role: vault-role - authPath: {{ component_auth }} - serviceAccountName: vault-auth - certSecretPrefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} - - database: - driverClassName: "org.h2.Driver" - jdbcDriver: "" - url: "jdbc:h2:file:./h2/auth-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" - user: "{{ org.services.auth.name }}-db-user" - password: "{{ org.services.auth.name }}-db-password" - runMigration: "true" - - config: - volume: - baseDir: /opt/cenm - replicas: 1 - - pvc: - annotations: {} - volumeSizeAuthEtc: 1Gi - volumeSizeAuthH2: 5Gi - volumeSizeAuthLogs: 5Gi - deployment: - annotations: {} - pod: - resources: - limits: 514Mi - requests: 514Mi - - sleepTimeAfterError: 300 - logsContainerEnabled: true - - nameOverride: "" - fullnameOverride: "" - - service: - type: ClusterIP - port: {{ org.services.auth.port }} - - authSubject: "{{ org.services.auth.subject }}" 
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/bridge.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/bridge.tpl deleted file mode 100644 index 59ef32e0495..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/bridge.tpl +++ /dev/null 
@@ -1,58 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-bridge - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - deployment: - annotations: {} - nodeName: {{ component_name }} - metadata: - namespace: {{ component_ns }} - labels: {} - replicas: 1 - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - mainContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - vault: - address: {{ vault.url }} - role: vault-role - authpath: {{ network.env.type }}{{ name }} - serviceaccountname: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name | lower }} - retries: 20 - sleepTimeAfterError: 20 - volume: - baseDir: /opt/corda/base - storage: - name: {{ sc_name }} - pvc: - annotations: {} - cordaJarMx: 1024 - healthCheckNodePort: 0 - healthcheck: - readinesscheckinterval: 10 - readinessthreshold:: 15 - float: - address: {{ org.services.float.name | lower }}.{{ name }}.{{ org.services.float.external_url_suffix }} - port: {{ org.services.float.ports.ambassador_p2p_port }} - subject: {{ org.services.float.subject }} - node: - messagingServerAddress: {{ (org.services.peers[0].name | lower) ~ '.' ~ component_ns }} - messagingServerPort: {{ org.services.peers[0].p2p.port }} - tunnel: - port: {{ org.services.float.ports.ambassador_tunnel_port }} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl index 1c355e144a2..56e0a67ec15 100644 
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl
+++ b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl
@@ -32,7 +32,6 @@ spec:
 provider: "ambassador"
 externalUrlSuffix: "{{ external_url_suffix }}"
 cenm:
- prefix: "{{ org_name }}-cenm"
 sharedCreds:
 truststore: {{ cred_truststore }}
 keystore: {{ cred_keystore}}
@@ -52,7 +51,7 @@ spec:
 internal:
 port: {{ network_map_int_port }}
 port: {{ network_map_ext_port }}
-
+ prefix: "{{ org_name }}-cenm"
 storage:
 size: 1Gi
 dbSize: 5Gi
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/db.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/db.tpl
deleted file mode 100644
index bae15cc7075..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/db.tpl
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: {{ component_name }}
- namespace: {{ component_ns }}
- annotations:
- fluxcd.io/automated: "false"
-spec:
- releaseName: {{ component_name }}
- interval: 1m
- chart:
- spec:
- chart: {{ charts_dir }}/corda-ent-h2
- sourceRef:
- kind: GitRepository
- name: flux-{{ network.env.type }}
- namespace: flux-{{ network.env.type }}
- values:
- nodeName: {{ node_name }}
- metadata:
- namespace: {{ component_ns }}
- replicaCount: 1
- image:
- containerName: {{ container_name }}
- imagePullSecret: regcred
- pullPolicy: IfNotPresent
- resources:
- limits: 512Mi
- requests: 512Mi
- storage:
- name: {{ sc_name }}
- memory: 512Mi
- service:
- type: NodePort
- tcp:
- port: {{ tcp_port}}
- targetPort: {{ tcp_targetport }}
- web:
- targetPort: {{ web_targetport }}
- port: {{ web_port }}
- deployment:
- annotations: {}
- pvc:
- annotations: {}
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/float.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/float.tpl deleted file mode 100644 index 7f79a939447..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/float.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-float - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - deployment: - annotations: {} - nodeName: {{ component_name }} - metadata: - namespace: {{ component_ns }} - labels: {} - replicas: 1 - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - mainContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - vault: - address: {{ vault.url }} - role: vault-role - authpath: {{ network.env.type }}{{ name }}float - serviceaccountname: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name | lower }} - retries: 20 - sleepTimeAfterError: 20 - volume: - baseDir: /opt/corda/base - storage: - name: {{ sc_name }} - pvc: - annotations: {} - sleepTime: 0 - cordaJarMx: 1024 - bridge: - subject: {{ org.services.bridge.subject }} - tunnelPort: {{ org.services.float.ports.tunnelport }} - healthCheckNodePort: 0 - healthcheck: - readinesscheckinterval: 10 - readinessthreshold: 15 - float: - loadBalancerIP: {{ org.services.float.name | lower }}.{{ component_ns }} - node: - p2pPort: {{ org.services.float.ports.p2p_port }} - ambassador: - p2pPort: {{ org.services.float.ports.ambassador_p2p_port }} - tunnelPort: {{ org.services.float.ports.ambassador_tunnel_port }} - external_url_suffix: {{ org.services.float.external_url_suffix }} - dmz: - internal: "0.0.0.0" - external: "0.0.0.0" 
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/gateway.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/gateway.tpl deleted file mode 100644 index 67123bc3b24..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/gateway.tpl +++ /dev/null 
@@ -1,68 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/cenm-gateway - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ component_name }} - metadata: - namespace: {{ component_ns }} - labels: - prefix: {{ name }} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - gatewayContainerName: {{ main_container_image }} - imagePullSecrets: - - name: "regcred" - pullPolicy: IfNotPresent - cenmServices: - idmanName: {{ org.services.idman.name }} - zoneName: {{ org.services.zone.name }} - zonePort: {{ org.services.zone.ports.admin }} - gatewayPort: {{ org.services.gateway.ports.servicePort }} - authName: {{ org.services.auth.name }} - authPort: {{ org.services.auth.port }} - storage: - name: {{ sc_name }} - acceptLicense: YES - vault: - address: {{ vault.url }} - role: vault-role - authPath: {{ component_auth }} - serviceAccountName: vault-auth - certSecretPrefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} - retries: 10 - sleepTimeAfterError: 15 - config: - volume: - baseDir: /opt/cenm - jarPath: bin - configPath: etc - pvc: - volumeSizeGatewayEtc: 1Gi - volumeSizeGatewayLogs: 5Gi - pod: - resources: - limits: - memory: 2Gi - requests: - memory: 2Gi - replicas: 1 - service: - type: ClusterIP - port: 8080 - ambassador: - external_url_suffix: "{{ org.external_url_suffix }}" - port: {{ org.services.gateway.ports.ambassadorPort }} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/idman.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/idman.tpl deleted file mode 100644 index f93ce6eb18b..00000000000 
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/idman.tpl +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/cenm-idman - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ org.services.idman.name | lower }} - bashDebug: false - prefix: {{ name }} - metadata: - namespace: {{ component_ns }} - image: - initContainer: {{ network.docker.url }}/{{ init_container_image }} - idmanContainer: {{ network.docker.url }}/{{ main_container_image }} - enterpriseCliContainer: {{ docker_images.cenm["enterpriseCli-1.5"] }} - pullPolicy: IfNotPresent - imagePullSecrets: - - name: "regcred" - storage: - name: {{ sc_name }} - memory: 700Mi - acceptLicense: YES - vault: - address: {{ org.vault.url }} - certSecretPrefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }} - role: vault-role - authPath: {{ network.env.type }}{{ name }} - serviceAccountName: vault-auth - retries: 10 - sleepTimeAfterError: 15 - service: - external: - port: {{ org.services.idman.port }} - internal: - port: 5052 - revocation: - port: 5053 - adminListener: - port: 6000 - database: - driverClassName: "org.h2.Driver" - url: "jdbc:h2:file:./h2/identity-manager-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" - user: "{{ org.services.idman.name }}-db-user" - password: "{{ org.services.idman.name }}-db-password" - runMigration: "true" - config: - volume: - baseDir: /opt/cenm - jarPath: bin - configPath: etc - cordaJar: - memorySize: 512 - unit: M - pod: - resources: - limits: 512M - requests: 512M - replicas: 1 - sleepTimeAfterError: 120 - ambassador: - external_url_suffix: "{{ org.external_url_suffix }}" - cenmServices: - gatewayName: {{ org.services.gateway.name }} - gatewayPort: {{ 
org.services.gateway.ports.servicePort }} - zoneName: {{ org.services.zone.name }} - zonePort: {{ org.services.zone.ports.admin }} - zoneEnmPort: {{ org.services.zone.ports.enm }} - authName: {{ org.services.auth.name }} - authPort: {{ org.services.auth.port }} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/nmap.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/nmap.tpl deleted file mode 100644 index eb837a438df..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/nmap.tpl +++ /dev/null 
@@ -1,107 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/cenm-networkmap - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ org.services.networkmap.name | lower }} - bashDebug: false - prefix: {{ name }} - metadata: - namespace: {{ component_ns }} - storage: - name: {{ sc_name }} - memory: 512Mi - image: - initContainer: {{ network.docker.url }}/{{ init_container_image }} - nmapContainer: {{ network.docker.url }}/{{ main_container_image }} - enterpriseCliContainer: {{ docker_images.cenm["enterpriseCli-1.5"] }} - pullPolicy: IfNotPresent - imagePullSecrets: - - name: "regcred" - acceptLicense: YES - vault: - address: {{ org.vault.url }} - role: vault-role - authPath: {{ network.env.type }}{{ name }} - serviceAccountName: vault-auth - certSecretPrefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }} - retries: 10 - sleepTimeAfterError: 15 - service: - external: - port: {{ org.services.networkmap.ports.servicePort }} - internal: - port: 5050 - revocation: - port: 5053 - adminListener: - port: 6000 - serviceLocations: - identityManager: - name: {{ org.services.idman.name }} - domain: {{ idman_url.split(':')[1] | regex_replace('/', '') }} - host: {{ org.services.idman.name }}.{{ component_ns }} - port: 5052 - notary: -{% for notary in org.services.notaries %} - - {{ notary.name }} -{% endfor %} - database: - driverClassName: "org.h2.Driver" - url: "jdbc:h2:file:./h2/networkmap-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" - user: "{{ org.services.networkmap.name }}-db-user" - password: "{{ org.services.networkmap.name }}-db-password" - runMigration: "true" - config: - volume: - baseDir: 
/opt/cenm - jarPath: bin - configPath: etc - cordaJar: - memorySize: 1024 - unit: M - pod: - resources: - limits: 1026M - requests: 1024M - replicas: 1 - ambassador: - external_url_suffix: "{{ org.external_url_suffix }}" - cenmServices: - gatewayName: {{ org.services.gateway.name }} - gatewayPort: {{ org.services.gateway.ports.servicePort }} - zoneName: {{ org.services.zone.name }} - zonePort: {{ org.services.zone.ports.admin }} - zoneEnmPort: {{ org.services.zone.ports.enm }} - authName: {{ org.services.auth.name }} - authPort: {{ org.services.auth.port }} -{% if nmap_update is defined and nmap_update %} - nmapUpdate: true - addNotaries: -{% for enode in node_list %} - - notary: - nodeinfoFileName: {{ enode.nodeinfo_name }} - nodeinfoFile: {{ enode.nodeinfo }} - validating: {{ enode.validating }} -{% endfor %} -{% else %} - nmapUpdate: false - addNotaries: - - notary: - nodeinfoFileName: dummy - nodeinfoFile: dummy - validating: false -{% endif %} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node.tpl index a6089b64569..20f07ac3b14 100644 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node.tpl +++ b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node.tpl 
@@ -10,112 +10,47 @@ spec:
 interval: 1m
 chart:
 spec:
- chart: {{ charts_dir }}/corda-ent-node
+ chart: {{ charts_dir }}/enterprise-node
 sourceRef:
 kind: GitRepository
 name: flux-{{ network.env.type }}
 namespace: flux-{{ network.env.type }}
 values:
- nodeName: {{ node_name }}
- metadata:
- namespace: {{ component_ns }}
- labels:
+ global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: corda-enterprise
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+ proxy:
+ provider: ambassador
+ externalUrlSuffix: {{ external_url_suffix }}
 image:
- initContainerName: {{ network.docker.url }}/{{ init_container_image }}
- nodeContainerName: {{ network.docker.url }}/{{ main_container_image }}
- imagepullsecret: regcred
- pullPolicy: IfNotPresent
- acceptLicence: true
+ node:
+ repository: corda/corda-enterprise
+ tag: 4.10.3-zulu-openjdk8-alpine
+ network:
+ creds:
+ truststore: password
+ tls:
+ nameOverride: {{ node_name }} # should match the release name
+ enabled: true
 storage:
- name: {{ sc_name }}
- replicas: 1
- networkServices:
- doormanURL: {{ doorman_url }}
- networkMapURL: {{ networkmap_url }}
- idmanDomain: "{{ doorman_url.split(':')[1] | regex_replace('/', '') }}"
- networkMapDomain: "{{ networkmap_url.split(':')[1] | regex_replace('/', '') }}"
- idmanName: "{{ network | json_query('network_services[?type==`idman`].name') | first }}"
- networkmapName: "{{ network | json_query('network_services[?type==`networkmap`].name') | first }}"
- firewall:
- enabled: {{ org.firewall.enabled }}
- vault:
- address: {{ org.vault.url }}
- role: vault-role
- authpath: {{ network.env.type }}{{ name }}
- serviceaccountname: vault-auth
- certsecretprefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name | lower }}
- nodePath: {{ peer.name | lower }}
- retries: 30
- retryInterval: 30
-{% if (org.cordapps is defined) and (org.cordapps|length > 0) %}
- cordapps:
- getcordapps: true
- jars:
- {% for jars in org.cordapps.jars %}
-- url: {{ jars.jar.url }}
- {% endfor %}
-{% else %}
- cordapps:
- getcordapps: false
-{% endif %}
-
+ size: 1Gi
+ dbSize: 5Gi
 nodeConf:
- ambassador:
- external_url_suffix: {{ org.external_url_suffix }}
- p2pPort: {{ peer.p2p.ambassador }}
-{% if org.firewall.enabled == true %}
- p2pAddress: {{ org.services.float.name }}.{{ name }}.{{ org.services.float.external_url_suffix }}:{{ org.services.float.ports.ambassador_p2p_port | default('10002') }}
-{% else %}
- p2pAddress: {{ node_name }}.{{ org.external_url_suffix }}:{{ peer.p2p.ambassador | default('10002') }}
-{% endif %}
- legalName: "{{ peer.subject }}"
- emailAddress: "dev-node@bevel.com"
- crlCheckSoftFail: true
- tlsCertCrlDistPoint: ""
- tlsCertCrlIssuer: "{{ network | json_query('network_services[?type==`idman`].crlissuer_subject') | first }}"
- devMode: false
- volume:
- baseDir: /opt/corda/base
- jarPath: bin
- configPath: etc
- cordaJar:
- memorySize: 1524
- unit: M
- pod:
- resources:
- limits: 1524M
- requests: 1524M
- service:
- p2pPort: {{ peer.p2p.port }}
- p2pAddress: {{ peer.name | lower }}.{{ component_ns }}
- messagingServerPort: {{ peer.p2p.port }}
- ssh:
- enabled: true
- sshdPort: 2222
- rpc:
- port: {{ peer.rpc.port }}
- adminPort: {{ peer.rpcadmin.port }}
- users:
- - name: {{ peer.name | lower }}
- password: {{ peer.name | lower }}P
- permissions: ALL
- dataSourceProperties:
- dataSource:
- user: {{ peer.name | lower }}-db-user
- password: {{ peer.name | lower }}-db-password
- url: "jdbc:h2:tcp://{{ peer.name | lower }}db:9101/persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=100;AUTO_RECONNECT=TRUE;"
- dataSourceClassName: org.h2.jdbcx.JdbcDataSource
- dbUrl: "{{ component_name }}db"
- dbPort: 9101
- monitoring:
- enabled: true
- port: 8090
- allowDevCorDapps:
- enabled: true
- retries: 20
- retryInterval: 15
- sleepTimeAfterError: 120
- sleepTime: 0
- healthcheck:
- readinesscheckinterval: 10
- readinessthreshold: 15
+ legalName: {{ subject }}
+ doormanPort: 443
+ networkMapPort: 443
+ doormanDomain: {{ network.organizations[0].name }}-cenm-doorman.{{ external_url_suffix }}
+ networkMapDomain: {{ network.organizations[0].name }}-cenm-nms.{{ external_url_suffix }}
+ doormanURL: https://{{ network.organizations[0].name }}-cenm-doorman.{{ external_url_suffix }}
+ networkMapURL: https://{{ network.organizations[0].name }}-cenm-nms.{{ external_url_suffix }}
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node_registration.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node_registration.tpl
deleted file mode 100644
index 03365d194e7..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/node_registration.tpl
+++ /dev/null
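Review bot: `truststore: password` under `network.creds` bakes a literal trust-store password into every rendered HelmRelease, where the removed block resolved node credentials from Vault through `certsecretprefix`; at minimum make it a variable such as `truststore: "{{ truststore_password }}"` (name constructed here) so the manifest committed to the GitOps repository does not carry the value. `secretEngine: secretsv2` also hard-codes what the old template read as `vault.secret_path | default('secretsv2')`, so a deployment that configures a different KV mount silently points at the wrong path; `secretEngine: {{ vault.secret_path | default('secretsv2') }}` keeps that configurable. `legalName: {{ subject }}` and `externalUrlSuffix: {{ external_url_suffix }}` are unquoted while the removed `legalName: "{{ peer.subject }}"` was quoted; an X.500 subject containing `: ` or ` #` would change the YAML structure, so `legalName: "{{ subject }}"`. The `doormanDomain`/`networkMapDomain`/`doormanURL`/`networkMapURL` lines assume `network.organizations[0]` is the CENM org, which presumably holds only for the sample network layout; selecting the org by type would make the template independent of list order.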
@@ -1,115 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-node-initial-registration - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ peer.name | lower }}-registration - metadata: - namespace: {{ component_ns }} - labels: {} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - nodeContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagepullsecret: regcred - pullPolicy: IfNotPresent - truststorePassword: password - keystorePassword: password - acceptLicence: true - networkServices: - doormanURL: {{ doorman_url }} - networkMapURL: {{ networkmap_url }} - idmanDomain: "{{ doorman_url.split(':')[1] | regex_replace('/', '') }}" - networkMapDomain: "{{ networkmap_url.split(':')[1] | regex_replace('/', '') }}" - idmanName: "{{ network | json_query('network_services[?type==`idman`].name') | first }}" - networkmapName: "{{ network | json_query('network_services[?type==`networkmap`].name') | first }}" - vault: - address: {{ org.vault.url }} -{% if org.firewall.enabled == true %} - floatVaultAddress: {{ org.services.float.vault.url }} - authpathFloat: {{ network.env.type }}{{ name }}float -{% else %} - floatVaultAddress: "" - authpathFloat: "" -{% endif %} - role: vault-role - authpath: {{ network.env.type }}{{ name }} - serviceaccountname: vault-auth - certsecretprefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name }} - nodePath: {{ peer.name | lower }} - retries: 30 - retryInterval: 30 - firewall: - enabled: {{ org.firewall.enabled }} - nodeConf: - ambassador: - external_url_suffix: {{ org.external_url_suffix }} - p2pPort: {{ peer.p2p.ambassador }} -{% if 
org.firewall.enabled == true %} - p2pAddress: {{ org.services.float.name }}.{{ name }}.{{ org.services.float.external_url_suffix }}:{{ org.services.float.ports.ambassador_p2p_port | default('10002') }} -{% else %} - p2pAddress: {{ node_name }}.{{ org.external_url_suffix }}:{{ peer.p2p.ambassador | default('10002') }} -{% endif %} - legalName: "{{ peer.subject }}" - emailAddress: dev-node@bevel.com - crlCheckSoftFail: true - tlsCertCrlDistPoint: "" - tlsCertCrlIssuer: "{{ network | json_query('network_services[?type==`idman`].crlissuer_subject') | first }}" - devMode: false - volume: - baseDir: /opt/corda - jarPath: bin - configPath: etc - cordaJar: - memorySize: 1524 - unit: M - pod: - resources: - limits: 1524M - requests: 1524M - service: - p2pPort: {{ peer.p2p.port }} - p2pAddress: {{ peer.name | lower }}.{{ component_ns }} - messagingServerPort: {{ peer.p2p.port }} - ssh: - enabled: true - sshdPort: 2222 - rpc: - port: {{ peer.rpc.port }} - adminPort: {{ peer.rpcadmin.port }} - users: - - name: {{ peer.name | lower }} - password: {{ peer.name | lower }}P - permissions: ALL - dataSourceProperties: - dataSource: - user: {{ peer.name | lower }}-db-user - password: {{ peer.name | lower }}-db-password - url: "jdbc:h2:tcp://{{ peer.name | lower }}db:9101/persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=100;AUTO_RECONNECT=TRUE;" - dataSourceClassName: org.h2.jdbcx.JdbcDataSource - dbUrl: "{{ node_name }}db" - dbPort: 9101 - monitoring: - enabled: true - port: 8090 - allowDevCorDapps: - enabled: true - retries: 20 - retryInterval: 15 - sleepTimeAfterError: 120 - sleepTime: 0 - healthcheck: - readinesscheckinterval: 10 - readinessthreshold: 15 diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary.tpl deleted file mode 100644 index 84c6f8f1a73..00000000000 
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary.tpl +++ /dev/null 
@@ -1,112 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-notary - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ component_name }} - metadata: - namespace: {{ component_ns }} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - nodeContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - privateCertificate: true - vault: - address: {{ org.vault.url }} - certSecretPrefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }} - serviceAccountName: vault-auth - role: vault-role - authPath: {{ network.env.type }}{{ name }} - retries: 30 - retryInterval: 10 - service: - p2pPort: {{ notary_service.p2p.port }} - sshdPort: 2222 - rpc: - address: "0.0.0.0" - addressPort: 10003 - admin: - address: "localhost" - addressPort: 10770 - standAloneBroker: false - useSSL: false - users: - username: notary - password: notaryP - networkServices: - doormanURL: {{ idman_url }} - idmanDomain: {{ idman_domain }} - networkMapURL: {{ networkmap_url }} - networkMapDomain: {{ networkmap_domain }} - idmanName: "{{ network | json_query('network_services[?type==`idman`].name') | first }}" - networkmapName: "{{ network | json_query('network_services[?type==`networkmap`].name') | first }}" - dataSourceProperties: - dataSource: - password: "{{ notary_service.name }}-db-password" - url: "jdbc:h2:tcp://{{ component_name }}db:{{ notary_service.dbtcp.port }}/persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=100;AUTO_RECONNECT=TRUE;" - user: "{{ notary_service.name }}-db-user" - dataSourceClassName: "org.h2.jdbcx.JdbcDataSource" - dbUrl: "{{ 
component_name }}db" - dbPort: {{ notary_service.dbtcp.port }} -{% if (org.cordapps is defined) and (org.cordapps|length > 0) %} - cordapps: - getcordapps: true - jars: - {% for jars in org.cordapps.jars %} -- url: {{ jars.jar.url }} - {% endfor %} -{% else %} - cordapps: - getcordapps: false -{% endif %} - - nodeConf: - legalName: {{ notary_service.subject }} - emailAddress: {{ notary_service.emailAddress }} - notaryPublicIP: {{ notary_service.name }}.{{ org.external_url_suffix }} - devMode: false - notary: - serviceLegalName: {{ notary_service.serviceName }} - validating: {{ notary_service.validating }} - type: {{ org.type }} - p2p: - url: {{ component_name }}.{{ component_ns }} - ambassador: - p2pPort: {{ notary_service.p2p.ambassador | default('10002') }} - external_url_suffix: {{ org.external_url_suffix }} - p2pAddress: {{ component_name }}.{{ org.external_url_suffix }}:{{ notary_service.p2p.ambassador | default('10002') }} - jarPath: bin - configPath: etc - cordaJar: - memorySize: 1524 - unit: M - volume: - baseDir: /opt/corda/base - pod: - resources: - limits: 2056M - requests: 2056M - storage: - name: {{ sc_name }} - memory: 512Mi - replicas: 1 - healthCheckNodePort: 0 - sleepTimeAfterError: 60 - sleepTime: 10 - healthcheck: - readinesscheckinterval: 10 - readinessthreshold: 15 diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary_initial_registration.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary_initial_registration.tpl deleted file mode 100644 index 34577386c5a..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/notary_initial_registration.tpl +++ /dev/null 
@@ -1,96 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-notary-initial-registration - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ notary_service.name }}-initial-registration - nodePath: {{ notary_service.name }} - metadata: - namespace: {{ component_ns }} - image: - initContainerName: {{ network.docker.url}}/{{ init_container_image }} - nodeContainerName: {{ network.docker.url}}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - privateCertificate: true - vault: - address: {{ org.vault.url }} - certSecretPrefix: {{ org.vault.secret_path | default('secretsv2') }}/data/{{ name }} - serviceAccountName: vault-auth - role: vault-role - authPath: {{ network.env.type }}{{ name }} - retries: 30 - retryInterval: 10 - service: - p2pPort: {{ notary_service.p2p.port }} - rpc: - address: "0.0.0.0" - addressPort: 10003 - admin: - address: "localhost" - addressPort: 10770 - standAloneBroker: false - useSSL: false - users: - username: notary - password: notaryP - networkServices: - doormanURL: {{ idman_url }} - idmanDomain: {{ idman_domain }} - networkMapURL: {{ networkmap_url }} - networkMapDomain: {{ networkmap_domain }} - idmanName: "{{ network | json_query('network_services[?type==`idman`].name') | first }}" - networkmapName: "{{ network | json_query('network_services[?type==`networkmap`].name') | first }}" - dataSourceProperties: - dataSource: - password: "{{ notary_service.name }}-db-password" - url: "jdbc:h2:tcp://{{ notary_name }}db:{{ notary_service.dbtcp.port }}/persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=100;AUTO_RECONNECT=TRUE;" - user: "{{ notary_service.name }}-db-user" - 
dataSourceClassName: "org.h2.jdbcx.JdbcDataSource" - dbUrl: "{{ notary_name }}db" - dbPort: {{ notary_service.dbtcp.port }} - nodeConf: - legalName: {{ notary_service.subject }} - emailAddress: {{ notary_service.emailAddress }} - notaryPublicIP: {{ notary_service.name }}.{{ org.external_url_suffix }} - devMode: false - notary: - serviceLegalName: {{ notary_service.serviceName }} - validating: {{ notary_service.validating }} - type: {{ org.type }} - p2p: - url: {{ notary_name }}.{{ component_ns }} - ambassador: - p2pPort: {{ notary_service.p2p.ambassador | default('10002') }} - external_url_suffix: {{ org.external_url_suffix }} - p2pAddress: {{ component_name }}.{{ org.external_url_suffix }}:{{ notary_service.p2p.ambassador | default('10002') }} - jarPath: bin - configPath: etc - cordaJar: - memorySize: 1524 - unit: M - volume: - baseDir: /opt/corda - pod: - resources: - limits: 2056M - requests: 2056M - healthCheckNodePort: 0 - sleepTimeAfterError: 60 - sleepTime: 10 - healthcheck: - readinesscheckinterval: 10 - readinessthreshold: 15 \ No newline at end of file diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator-node.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator-node.tpl deleted file mode 100644 index 341df40dde6..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator-node.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/corda-ent-node-pki-gen - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ name }} - metadata: - namespace: {{ component_ns }} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - pkiContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - acceptLicense: YES - volume: - baseDir: /opt/corda - vault: - address: {{ vault.url }} - floatVaultAddress: {{ org.services.float.vault.url }} - role: vault-role - authpath: {{ network.env.type }}{{ name }} - authpathFloat: {{ network.env.type }}{{ name }}float - serviceaccountname: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }}/{{ peer.name | lower }} - retries: 20 - sleepTimeAfterError: 20 - subjects: - firewallca: "{{ org.firewall.subject }}" - float: "{{ org.services.float.subject }}" - bridge: "{{ org.services.bridge.subject }}" - replicas: 1 - cordaJarMx: 256 - configPath: etc diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator.tpl deleted file mode 100644 index 89c59b01602..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/pki-generator.tpl +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ component_name }} - namespace: {{ component_ns }} - annotations: - fluxcd.io/automated: "false" -spec: - releaseName: {{ component_name }} - interval: 1m - chart: - spec: - chart: {{ charts_dir }}/cenm-pki-gen - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ name }} - metadata: - namespace: {{ component_ns }} - image: - initContainerName: {{ network.docker.url }}/{{ init_container_image }} - pkiContainerName: {{ network.docker.url }}/{{ main_container_image }} - imagePullSecret: regcred - pullPolicy: IfNotPresent - acceptLicense: YES - volume: - baseDir: /opt/cenm - vault: - address: {{ vault.url }} - role: vault-role - authpath: {{ network.env.type }}{{ name }} - serviceaccountname: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} - retries: 20 - sleepTimeAfterError: 20 - cenmServices: - signerName: {{ services.signer.name }} - idmanName: {{ services.idman.name }} - networkmapName: {{ services.networkmap.name }} - identityManager: - publicIp: {{ org.services.idman.name }}.{{ org.external_url_suffix }} - publicPort: 443 - subjects: - tlscrlsigner: "{{ services.signer.subject }}" - tlscrlissuer: "{{ services.idman.crlissuer_subject }}" - rootca: "{{ org.subject }}" - subordinateca: "{{ org.subordinate_ca_subject }}" - idmanca: "{{ services.idman.subject }}" - networkmap: "{{ services.networkmap.subject }}" - replicas: 1 - cordaJarMx: 256 - configPath: etc diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/signer.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/signer.tpl deleted file mode 100644 index 4fbd7eb699f..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/signer.tpl +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ org.services.signer.name }} - annotations: - fluxcd.io/automated: "false" - namespace: {{ component_ns }} -spec: - releaseName: {{ org.services.signer.name }} - interval: 1m - chart: - spec: - chart: {{ org.gitops.chart_source }}/{{ chart }} - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - nodeName: {{ org.services.signer.name }} - metadata: - namespace: {{ component_ns }} - image: - initContainer: {{ network.docker.url }}/{{ init_container_image }} - signerContainer: {{ network.docker.url }}/{{ main_container_image }} - pullPolicy: IfNotPresent - imagePullSecrets: - - name: "regcred" - acceptLicense: YES - vault: - address: {{ vault.url }} - role: vault-role - authPath: {{ component_auth }} - serviceAccountName: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} - retries: 10 - sleepTimeAfterError: 15 - service: - type: ClusterIP - adminListener: - port: 6000 - serviceLocations: - identityManager: - host: {{ org.services.idman.name }}.{{ name }}-ent - publicIp: {{ org.services.idman.name }}.{{ org.external_url_suffix }} - port: 5052 - publicPort: 443 - networkMap: - host: {{ org.services.networkmap.name }}.{{ name }}-ent - port: 5050 - revocation: - port: 5053 - cenmServices: - authName: {{ org.services.auth.name }} - authPort: {{ org.services.auth.port }} - idmanName: {{ org.services.idman.name }} - signers: - CSR: - schedule: - interval: 1m - CRL: - schedule: - interval: 1d - NetworkMap: - schedule: - interval: 1m - NetworkParameters: - schedule: - interval: 1m - config: - volume: - baseDir: /opt/cenm - jarPath: bin - configPath: etc - cordaJar: - memorySize: 512 - unit: M - pod: - resources: - limits: 512M - requests: 512M - replicas: 1 
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/zone.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/zone.tpl
deleted file mode 100644
index 73ae7482937..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/zone.tpl
+++ /dev/null
@@ -1,69 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: {{ org.services.zone.name }} - annotations: - fluxcd.io/automated: "false" - namespace: {{ component_ns }} -spec: - releaseName: {{ org.services.zone.name }} - interval: 1m - chart: - spec: - chart: {{ org.gitops.chart_source }}/{{ chart }} - sourceRef: - kind: GitRepository - name: flux-{{ network.env.type }} - namespace: flux-{{ network.env.type }} - values: - metadata: - namespace: {{ component_ns }} - nodeName: {{ org.services.zone.name }} - prefix: {{ org.name }} - image: - initContainer: {{ network.docker.url }}/{{ init_container_image }} - zoneContainer: {{ network.docker.url }}/{{ main_container_image }} - pullPolicy: IfNotPresent - imagePullSecrets: - - name: "regcred" - config: - volume: - baseDir: /opt/cenm - pvc: - volumeSizeZoneH2: 1Gi - volumeSizeZoneLogs: 1Gi - volumeSizeZoneData: 1Gi - pod: - resources: - limits: - memory: 1Gi - requests: - memory: 1Gi - zoneJar: - path: bin - cenmServices: - idmanName: {{ org.services.idman.name }} - authName: {{ org.services.auth.name }} - authPort: {{ org.services.auth.port }} - database: - driverClassName: "org.h2.Driver" - jdbcDriver: "" - url: "jdbc:h2:file:./h2/zone-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" - user: "example-db-user" - password: "example-db-password" - runMigration: true - service: - type: ClusterIP - port: 80 - listenerPort: - enm: {{ org.services.zone.ports.enm }} - admin: {{ org.services.zone.ports.admin }} - storageClass: {{ sc_name }} - vault: - address: {{ vault.url }} - role: vault-role - authPath: {{ component_auth }} - serviceAccountName: vault-auth - certsecretprefix: {{ vault.secret_path | default('secretsv2') }}/data/{{ name }} - retries: 10 - sleepTimeAfterError: 15 
diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml b/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml
index 2deb67e6a29..e17a6907380 100644
--- a/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml
+++ b/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml
@@ -5,22 +5,9 @@
 ##############################################################################################
 helm_templates:
- pki-generator: pki-generator.tpl
- pki-generator-node: pki-generator-node.tpl
- auth: auth.tpl
- gateway: gateway.tpl
- signer: signer.tpl
- idman: idman.tpl
- nmap: nmap.tpl
- zone: zone.tpl
- notary-initial-registration: notary_initial_registration.tpl
- db: db.tpl
- bridge: bridge.tpl
- float: float.tpl
- node_registration: node_registration.tpl
- node: node.tpl
 corda_ent_notary: corda_ent_notary.tpl
 corda_ent_network_map: corda_ent_network_map.tpl
+ corda_ent_node: node.tpl
 docker_images:
 cenm: # list of various nodes supporting version 1.2
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/auth/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/auth/tasks/main.yaml
deleted file mode 100644
index 52e6571a258..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/setup/auth/tasks/main.yaml
+++ /dev/null
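Review bot: The new `corda_ent_node: node.tpl` entry is the only one in `helm_templates` whose key and template file name no longer match, while its two siblings follow the `corda_ent_*.tpl` convention, and this commit removes many `*.tpl` files from that same templates directory. The deleted template whose tail opens this chunk (its file header is outside this view) renders a node release and sorts immediately before notary.tpl, so it is presumably node.tpl or node_registration.tpl; if it is node.tpl, this entry now points at a file that no longer exists, so please confirm node.tpl survives or rename it to `corda_ent_node.tpl` to match the others. A one-line comment above the mapping would also help future readers, e.g. `# template keys are the type/init_type values passed to the helm_component role` (hedged — the lookup is inferred from the deleted setup roles, which passed `type: "auth"` etc.).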
@@ -1,52 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Create value files for the auth chart and pushes it into the git repisitory -# Check if certs and crypto are there in the vault or not -- name: Check if auth certificates are present in the vault - shell: | - vault kv get -field=corda-ssl-auth-keys.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: auth_certs - ignore_errors: yes - -# Wait for the PKI job to complete -- name: "Wait for PKI job to complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ org.name | lower }}-generate-pki" - kubernetes: "{{ org.k8s }}" - when: auth_certs.failed - -# Create the helm release files for the Auth service -- name: "Create Auth helm release files" - include_role: - name: helm_component - vars: - type: "auth" - chart: "auth" - corda_service_version: auth-{{ org.version }} - name: "{{ org.name | lower }}" - component_name: "{{ org.services.auth.name }}" - charts_dir: "{{ org.gitops.chart_source }}" - vault: "{{ org.vault }}" - component_auth: "{{ network.env.type }}{{ name }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - helm_lint: "true" - -# Git Push: Push the created deployment files to git repository -- name: "Push deployment files to git" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for auth service" 
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/bridge/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/bridge/tasks/main.yaml
deleted file mode 100644
index e277388e96c..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/setup/bridge/tasks/main.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Create the the value file for bridge chart and pushes it to the git repository -# Wait till the node is running -- name: "Waiting for node pod to come up" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.peers[0].name }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - -# Create value file for bridge -- name: Create value file for bridge - include_role: - name: helm_component - vars: - component_name: "{{ org.services.bridge.name }}" - type: bridge - name: "{{ org.name | lower }}" - corda_service_version: "firewall-{{ org.firewall_version }}" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - -# Git Push : Push the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing bridge files" - -# Wait till the bridge is running -- name: "Waiting for bridge pod to come up" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.bridge.name }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - -# Copy network-parameter file into the bride pod -- name: Copy the network-parameter file into the bride pod - shell: | - export BRIDGE_POD=$(KUBECONFIG={{ kubernetes.config_file 
}} kubectl get po -n {{ component_ns }} -l app={{ org.services.bridge.name }} | grep {{ org.services.bridge.name }} | awk '{print $1}')
- export PEER_POD=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_ns }} -l app={{ peer.name }} | grep {{ org.name }} | awk '{print $1}')
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_ns }}/${PEER_POD}:base/network-parameters ./build/np-{{ org.name }}
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp ./build/np-{{ org.name }} {{ component_ns }}/${BRIDGE_POD}:base/network-parameters
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml
index f3bf4fad139..0ecf1688cc8 100644
--- a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml
+++ b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml
@@ -15,7 +15,7 @@
 kubernetes_server: "{{ cluster_info.connection.host }}"
 # Install init node
-- name: "Install init node"
+- name: "Install cenm node"
 include_role:
 name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component"
 vars:
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/cenm_tasks.yaml b/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/cenm_tasks.yaml
deleted file mode 100644
index 63a24844864..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/cenm_tasks.yaml
+++ /dev/null
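Review bot: The comment directly above the renamed task in setup/cenm/tasks/main.yaml still reads `# Install init node`, so the new task name `Install cenm node` now contradicts the comment that introduces it. Update the comment to match, e.g. `# Install cenm node (runs the init job through the shared job_component role)`, or drop the comment since the task name carries the same information. The task's `vars:` block continues outside the hunk, so whether the job it launches was also renamed cannot be checked from here.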
@@ -1,94 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role fetches the credentials from the network.yaml and pushes them to the vault of corresponding organizations - -# Check if the keystore credentials are already present in the vault -- name: Check if the keystore credentials are already present in the vault - shell: | - vault kv get -field=idman {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/keystore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_keystore - ignore_errors: yes - -# Write the keystore credentials to the vault -- name: Write the keystore credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/keystore idman={{ org.credentials.keystore.idman }} networkmap={{ org.credentials.keystore.networkmap }} subordinateca={{ org.credentials.keystore.subordinateca }} rootca={{ org.credentials.keystore.rootca }} tlscrlsigner={{ org.credentials.keystore.tlscrlsigner }} keyStorePassword={{ org.credentials.keystore.keystore }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_keystore.failed == True - -# Check if the truststore credentials are already present in the vault -- name: Check if the truststore credentials are already present in the vault - shell: | - vault kv get -field=rootca {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_truststore - ignore_errors: 
yes - -# Write the truststore credentials to the vault -- name: Write the truststore credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore rootca={{ org.credentials.truststore.rootca }} ssl={{ org.credentials.truststore.ssl }} trustStorePassword={{ org.credentials.truststore.truststore }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_truststore.failed == True - -# Check if the ssl credentials are already present in the vault -- name: Check if the ssl credentials are already present in the vault - shell: | - vault kv get -field=signer {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/ssl - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_ssl - ignore_errors: yes - -# Write the ssl credentials to the vault -- name: Write the ssl credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/ssl idman={{ org.credentials.ssl.idman }} networkmap={{ org.credentials.ssl.networkmap }} signer={{ org.credentials.ssl.signer }} root={{ org.credentials.ssl.root }} auth={{ org.credentials.ssl.auth }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_ssl.failed == True - -# Check if the initial user credentials are already present in the vault -- name: Check if the initial user credentials are already present in the vault - shell: | - vault kv get -field=user {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/user - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_user - ignore_errors: yes - -# Write the initial user 
credentials to the vault -- name: Write the initial user credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/user username={{ org.services.auth.username }} userpwd={{ org.services.auth.userpwd }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_user.failed == True - -# Write cordapps credentials to vault -- name: "Write cordapps credentials to vault" - shell: | - vault kv put {{ vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/cordapps repo_username="{{ org.cordapps.username }}" repo_password="{{ org.cordapps.password }}" - environment: - VAULT_ADDR: "{{ vault.url }}" - VAULT_TOKEN: "{{ vault.root_token }}" - when: - - org.cordapps is defined - - org.cordapps.password is defined diff --git a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/main.yaml deleted file mode 100644 index cc056248925..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/main.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Call credential tasks for org type as cenm -- name: Call cenm_tasks.yaml for org as type cenm - include_tasks: cenm_tasks.yaml - when: org.type == 'cenm' - -# Call credential tasks for org type as node -- name: Call node_tasks.yaml for org as type node - include_tasks: node_tasks_nested.yaml - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - when: org.type == 'node' - -# Call credential tasks for org type as notary -- name: Call notary_tasks.yaml for org as type notary - include_tasks: notary_tasks.yaml - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: peer - when: org.type == 'notary' diff --git a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/node_tasks_nested.yaml b/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/node_tasks_nested.yaml deleted file mode 100644 index e1173613e52..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/node_tasks_nested.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Check if the node credentials are present in the vault -- name: Check if the node credentials are already present in the vault - shell: | - vault kv get -field=nodekeystore.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_node - ignore_errors: yes - -# Check if the node credentials are present in the vault -- name: Check if the float credentials are already present in the vault - shell: | - vault kv get -field=sslkeystore.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials - environment: - VAULT_ADDR: "{{ org.services.float.vault.url }}" - VAULT_TOKEN: "{{ org.services.float.vault.root_token }}" - register: float_vault_credentials - ignore_errors: yes - when: org.firewall.enabled - -# Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault -- name: Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials root={{ network | json_query('network_services[?type==`networkmap`].truststore_pass') | first }} truststore={{ peer.credentials.truststore }} keystore={{ peer.credentials.keystore }} firewallca={{ org.firewall.credentials.firewallca }} float={{ org.firewall.credentials.float }} bridge={{ org.firewall.credentials.bridge }} {{ peer.name }}={{ peer.name }}P - environment: 
- VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_node.failed == True - -# Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault -- name: Write the truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials truststore={{ peer.credentials.truststore }} keystore={{ peer.credentials.keystore }} firewallca={{ org.firewall.credentials.firewallca }} float={{ org.firewall.credentials.float }} bridge={{ org.firewall.credentials.bridge }} {{ peer.name }}={{ peer.name }}P - environment: - VAULT_ADDR: "{{ org.services.float.vault.url }}" - VAULT_TOKEN: "{{ org.services.float.vault.root_token }}" - when: org.firewall.enabled and float_vault_credentials.failed == True - -# Write cordapps credentials to vault -- name: "Write cordapps credentials to vault" - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/credentials root={{ network | json_query('network_services[?type==`networkmap`].truststore_pass') | first }} truststore={{ peer.credentials.truststore }} keystore={{ peer.credentials.keystore }} firewallca={{ org.firewall.credentials.firewallca }} float={{ org.firewall.credentials.float }} bridge={{ org.firewall.credentials.bridge }} {{ peer.name }}={{ peer.name }}P repo_username="{{ org.cordapps.username }}" repo_password="{{ org.cordapps.password }}" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: - - vault_credentials_node.failed == True - - org.cordapps is defined - - org.cordapps.password is defined 
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/notary_tasks.yaml b/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/notary_tasks.yaml
deleted file mode 100644
index cf8ba48cb41..00000000000
--- a/platforms/r3-corda-ent/configuration/roles/setup/credentials/tasks/notary_tasks.yaml
+++ /dev/null
@@ -1,65 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Check if the truststore credentials are already present in the vault -- name: Check if the truststore credentials are already present in the vault - shell: | - vault kv get -field=rootca {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_truststore - ignore_errors: yes - -# Write the truststore credentials to the vault -- name: Write the truststore credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/truststore rootca={{ network | json_query('network_services[?type==`networkmap`].truststore_pass') | first }} trustStorePassword={{ peer.credentials.truststore }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_truststore.failed == True - -# Check if the keystore credentials are already present in the vault -- name: Check if the keystore credentials are already present in the vault - shell: | - vault kv get -field=networkmap {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/keystore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_keystore - ignore_errors: yes - -# Write the keystore credentials to the vault -- name: Write the keystore credentials to the vault if they dont exist - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/keystore keyStorePassword={{ 
peer.credentials.keystore }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_credentials_keystore.failed == True - -# Check if the node credentials are present in the vault -- name: Check if the cordapps credentials are already present in the vault - shell: | - vault kv get -field=repo_username {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/cordapps - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_credentials_node - ignore_errors: yes - -# Write cordapps credentials to vault -- name: "Write cordapps credentials to vault" - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/credentials/cordapps repo_username="{{ org.cordapps.username }}" repo_password="{{ org.cordapps.password }}" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: - - vault_credentials_node.failed == True - - org.cordapps is defined - - org.cordapps.password is defined diff --git a/platforms/r3-corda-ent/configuration/roles/setup/float-environment/meta/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/float-environment/meta/main.yaml deleted file mode 100644 index 15ddaa50025..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/float-environment/meta/main.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -dependencies: - - role: "{{ playbook_dir }}/../../shared/configuration/roles/setup/aws-auth" - vars: - item: "{{ org.services.float }}" - aws_authenticator: - os: "{{ install_os }}" - arch: "{{ install_arch }}" - bin_directory: "{{ bin_install_dir }}" - checksum: "" - kubeconfig_path: "{{ item.k8s.config_file }}" - kubecontext: "{{ item.k8s.context }}" 
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/float-environment/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/float-environment/tasks/main.yaml deleted file mode 100644 index a28f79ed379..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/float-environment/tasks/main.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role creates enviorment for float cluster - -# Setup flux for float cluster -- name: Setup flux for float cluster - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/flux" - vars: - item: "{{ org.services.float }}" - kubeconfig_path: "{{ item.k8s.config_file }}" - kubecontext: "{{ item.k8s.context }}" - git_username: "{{ item.gitops.username }}" - git_password: "{{ item.gitops.password }}" - git_repo: "{{ item.gitops.git_repo }}" - git_branch: "{{ item.gitops.branch }}" - git_path: "{{ item.gitops.release_dir }}" - git_host: "{{ item.gitops.git_repo.split('/')[0] | lower }}" # extract the hostname from the git_repo - git_protocol: "{{ item.gitops.git_protocol | default('https') }}" - git_url: "{{ item.gitops.git_url }}" - git_key: "{{ item.gitops.private_key | default() }}" - flux_version: "0.35.0" - helm_operator_version: "1.2.0" - aws_authenticator: - os: "{{ install_os }}" - arch: "{{ install_arch }}" - bin_directory: "{{ bin_install_dir }}" - checksum: "" - -# Setup ambassador for float cluster -- name: Setup ambassador for float cluster - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/edge-stack" - vars: - item: "{{ org.services.float }}" - kubeconfig_path: "{{ item.k8s.config_file }}" - kubecontext: "{{ item.k8s.context }}" - aws: "{{ item.aws }}" - when: network.env.proxy == 'ambassador' - -# Create Storageclass that will be used for this deployment -- name: Create Storageclass - include_role: - name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" - vars: - org_name: "{{ org.name | lower }}" - sc_name: "{{ org_name }}-bevel-storageclass" - kubernetes: "{{ 
org.services.float.k8s }}" - gitops: "{{ org.services.float.gitops }}" - -# Create namespace, service account and clusterrolebinding -- name: "Create namespace, service accounts and clusterrolebinding" - include_role: - name: create/namespace_serviceaccount - vars: - component_ns: "{{ org.name | lower }}-ent" - organisation: "{{ org.name | lower }}" - kubernetes: "{{ org.services.float.k8s }}" - gitops: "{{ org.services.float.gitops }}" - -# And wait for the enviorment creation -- name: "Wait for namespace creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - kubernetes: "{{ org.services.float.k8s }}" - type: "retry" - -# Wait for vault-reviewer creation -- name: "Wait for vault-reviewer creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "ServiceAccount" - component_name: "vault-reviewer" - kubernetes: "{{ org.services.float.k8s }}" - type: "retry" - tags: - - notest diff --git a/platforms/r3-corda-ent/configuration/roles/setup/float/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/float/tasks/main.yaml deleted file mode 100644 index 8b85e3d64f0..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/float/tasks/main.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Create the the value file for float chart and pushes it to the git repository -# Create the value file for float -- name: Create value file for float - include_role: - name: helm_component - vars: - component_name: "{{ org.services.float.name }}" - type: float - name: "{{ org.name | lower }}" - corda_service_version: "firewall-{{ org.firewall_version }}" - vault: "{{ org.services.float.vault }}" - charts_dir: "{{ gitops.chart_source }}" - values_dir: "{{playbook_dir}}/../../../{{ gitops.release_dir }}" - -# Git Push : Pushes the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing float files" - -# Wait till the float is running -- name: "Waiting for float pod to come up" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.float.name }}" - kubernetes: "{{ k8s }}" - label_selectors: - - app = {{ component_name }} - -# This task copies network-parameter file into the float pod -- name: Copy the network-parameter file into the float pod - shell: | - export FLOAT_POD=$(KUBECONFIG={{ k8s.config_file }} kubectl get po -n {{ component_ns }} -l app={{ org.services.float.name }} | grep {{ org.services.float.name }} | awk '{print $1}') - export PEER_POD=$(KUBECONFIG={{ k8s.config_file }} kubectl get po -n {{ component_ns }} -l app={{ peer.name }} | grep {{ org.name }} | awk '{print $1}') - KUBECONFIG={{ k8s.config_file }} kubectl cp {{ component_ns 
}}/${PEER_POD}:base/network-parameters ./build/np-{{ org.name }} - KUBECONFIG={{ k8s.config_file }} kubectl cp ./build/np-{{ org.name }} {{ component_ns }}/${FLOAT_POD}:base/network-parameters diff --git a/platforms/r3-corda-ent/configuration/roles/setup/gateway/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/gateway/tasks/main.yaml deleted file mode 100644 index 11f03f2278e..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/gateway/tasks/main.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -############################################################################################## -# This role sets up all gateway services -############################################################################################## - -# Check if the idman certs are already created -- name: "Check if the idman certs are already created" - shell: | - vault kv get -field=corda-ssl-identity-manager-keys.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.idman.name }}/certs - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: idman_certs - ignore_errors: yes - -# Wait for the pki-generator job to complete -- name: "waiting for pki-generator job to complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ org.name | lower }}-generate-pki" - kubernetes: "{{ org.k8s }}" - when: idman_certs.failed - -# Create ambassador certificates for idman -- name: Create gateway ambassador certificates - include_role: - name: create/certificates/cenm - vars: - tlscert_path: "./build/ambassador/{{ org.services.gateway.name }}" - service_name: "{{ org.services.gateway.name }}" - namespace: "{{ component_ns }}" - -# Create a value file for gateway service -- name: Create value file for gateway service - include_role: - name: helm_component - vars: - type: "gateway" - chart: "gateway" - corda_service_version: gateway-{{ org.version }} - name: "{{ org.name | lower }}" - component_name: "{{ org.services.gateway.name }}" - charts_dir: "{{ org.gitops.chart_source }}" - vault: "{{ org.vault }}" - component_auth: "{{ network.env.type }}{{ name }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - helm_lint: "true" - -# Git Push : Push the above generated files to git directory -- name: Git Push - include_role: - name: "{{ 
playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing gateway service files" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/idman/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/idman/tasks/main.yaml deleted file mode 100644 index fb86ae51810..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/idman/tasks/main.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role creates the the value file for idman chart and pushes it to the git repository - -# Waiting for the signer pod to come up -- name: "Waiting for Signer pod to come up" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.signer.name }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - -# Create ambassador certificates for idman -- name: Create idman ambassador certificates - include_role: - name: create/certificates/cenm - vars: - tlscert_path: "./build/ambassador/{{ org.services.idman.name }}" - dest_path: "{{ network | json_query('network_services[?type==`idman`].certificate') | first }}" - service_name: "{{ org.services.idman.name }}" - namespace: "{{ component_ns }}" - -# Loop over the network.yaml to fetch the cenm details -- name: Create value file for idman - include_role: - name: helm_component - vars: - type: "idman" - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}idman" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - corda_service_version: idman-{{ org.version }} - helm_lint: "true" - -# Git Push : Push the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing idman files" 
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml index fbfcec3dd67..bbab2fdf3a3 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml @@ -21,5 +21,5 @@ name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" vars: cloud_provider: "{{ org.cloud_provider | lower }}" - type: "corda_ent_init" - secondaryInit: false + component_name: "init" + type: "{{ init_type }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml index d8c50fbf5fb..b92a257a169 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml @@ -41,9 +41,11 @@ msg: "[ci skip] Pushing notary deployment file for notary" # Check if the job is completed -- name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization" +- name: "Check if nms pod is running in the {{ org_name }} organization" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" vars: - component_type: Job + component_type: Pod + label_selectors: + - app.kubernetes.io/component = networkmap namespace: "{{ component_ns }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/nmap/README.md b/platforms/r3-corda-ent/configuration/roles/setup/nmap/README.md deleted file mode 100644 index 4589e7c51e3..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/nmap/README.md +++ /dev/null 
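Review bot: `type: "{{ init_type }}"` in the init role now fails with an undefined-variable error for any caller of setup/init that does not pass `init_type`, where the replaced line hard-coded `corda_ent_init`; the visible callers (deploy-network.yaml and the rewritten node role) do pass it, but a default keeps the old behaviour for anything else that includes the role: `type: "{{ init_type | default('corda_ent_init') }}"`. `secondaryInit: false` is removed without a replacement, so the job_component template must no longer read it — worth confirming, since a stale reference would render as an empty value rather than fail. The include_role task this hunk sits in starts above the hunk.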
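Review bot: The wait at `component_type: Pod` with `label_selectors: - app.kubernetes.io/component = networkmap` is a weaker condition than the Job completion it replaces — if the shared check role only looks for a matching pod or its phase, the following steps can run before the network map service is actually serving. If the role supports it, gate on the pod's Ready condition rather than on its existence, and update the stale comment above the task, which still says `# Check if the job is completed`, to `# Wait for the networkmap pod to be Ready (the nms chart no longer runs a Job)`. Whether readiness is checked depends on the shared helm_component role, which is not in this diff; the vars block may continue past the hunk.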
@@ -1,108 +0,0 @@ -[//]: # (##############################################################################################) -[//]: # (Copyright Accenture. All Rights Reserved.) -[//]: # (SPDX-License-Identifier: Apache-2.0) -[//]: # (##############################################################################################) - -## ROLE: `setup/nmap` -This role creates deployment file for the Networkmap (nmap) and also pushes the generated value file into repository. - -### Tasks -(Variables with * are fetched from the playbook which is calling this role) - -(Loop variable: fetched from the playbook which is calling this role) - ---- - -#### 1. Check if the networkmap certs are already created -This tasks checks if the networkmap certificates are already created and stored in the vault -##### Input Variables -- *`VAULT_ADDR` - The Vault address -- *`VAULT_TOKEN` - Vault root/custom token which has the access to the path -##### Output Variables: -- `nmap_certs` - Variable that stores the result of the command (`nmap_certs.failed` will be `true` when the certs do not exist yet) - -**ignore_errors** is yes because certificates are not created for a fresh network deployment and this command will fail. - ---- - -#### 2. Waiting for `pki-generator` job to be completed -This tasks waits for pki-generator job to be completed calling shared/configuration/roles/check/helm_component role. -##### Input Variables -- `component_type` - Which component type to check for, i.e. `Job` -- `namespace` - The namespace where the `Job` to wait for, is created -- *`component_name` - Contains name of resource -- `kubernetes` - The resources of the K8s cluster (context and configuration file) - -**when**: It runs when **nmap_certs.failed** variable is `true` - ---- - -#### 3. "Create networkmap ambassador certificates" -This task will create the Ambassador certificates for Networkmap by calling the `create/certificates/cenm` role. 
-##### Input variables -- `tlscert_path` - The path where the TLS certificates will be stored -- `dest_path` - The destination path for the certificate file -- `service_name` - The name of the service (networkmap) - ---- - -#### 4. Get the network-root-truststore -This task gets the `network-root-truststore.jks` file from the Vault -#### Input variables -- *`VAULT_ADDR` - The Vault address -- *`VAULT_TOKEN` - Vault root/custom token which has the access to the path -- `cert_path` - The path on which the truststore will be saved - ---- - -#### 5. Check if the notary-registration is already completed -This tasks checks if the notary files are already created and stored in the vault -##### Input variables -- *`VAULT_ADDR` - The Vault address -- *`VAULT_TOKEN` - Vault root/custom token which has the access to the path -##### Output variables: -- notary_certs - Stores the status of the certificates in the vault - -ignore_errors is yes because certificates are not created for a fresh network deployment and this command will fail. - ---- - -#### 6. Create value file for notary registration job -This tasks creates the value file for notary registration by calling `setup/notary-initial-registration` role. - -**when**: It runs when **notary_certs.failed** variable is true - ---- - -#### 7. Waiting for notary initial registration job to complete -This tasks waits for notary-initial-registration job to be completed calling `shared/configuration/roles/check/helm_component` role. -##### Input Variables -- `component_type` - Which component type to check for, i.e. `Job` -- `namespace` - The namespace where the `Job` to wait for, is created -- *`component_name` - Contains name of resource -- `kubernetes` - The resources of the K8s cluster (context and configuration file) - -**when**: It runs when **notary_certs.failed** variable is true - ---- - -#### 8. "create nmap value files" -This tasks creates deployment file for nmap node by calling the `helm_component` role. 
-##### Input Variables -- `type` - The type of component, i.e. `nmap` -- *`name` - The name of the organization -- *`component_name` - The exact name of the component -- *`charts_dir` - path to nmap charts -- `values_dir` - The directory where the release files are stored -- `corda_service_version` - `idman{{ org.version }}`, this is used to find the Docker image from `helm_component/vars` -- *`idman_url` - The public URL of the Idman (with external URL suffix) -- `helm_lint` - Whether to lint the Helm chart, i.e. `true` - ---- - -#### 9. "Push the created deployment files to repository" -This task pushes the created value files into repository by calling the `git_push` role from shared. -##### Input Variables -- `GIT_DIR` - The base path of the GIT repository, default `{{ playbook_dir }}/../../../` -- `gitops` - *item.gitops* from `network.yaml` -- `msg` - The commit message to use when pushing deployment files. diff --git a/platforms/r3-corda-ent/configuration/roles/setup/nmap/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/nmap/tasks/main.yaml deleted file mode 100644 index fe9a395d422..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/nmap/tasks/main.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role creates the value file for nmap -############################################################################################## - -# Check if the networkmap certs are already created -- name: Check if the networkmap certs are already created - shell: | - vault kv get -field=networkmap {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.networkmap.name }}/certs - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: nmap_certs - ignore_errors: yes - -# Wait for the pki-generator job to get complete -- name: "waiting for pki-generator job to get complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ org.name | lower }}-generate-pki" - kubernetes: "{{ org.k8s }}" - when: nmap_certs.failed - -# Create ambassador certificates for networkmap -- name: Create networkmap ambassador certificates - include_role: - name: create/certificates/cenm - vars: - tlscert_path: "./build/ambassador/{{ org.services.networkmap.name }}" - service_name: "{{ org.services.networkmap.name }}" - namespace: "{{ component_ns }}" - dest_path: "{{ network | json_query('network_services[?type==`networkmap`].certificate') | first }}" - -# Get the network-root-truststore and save locally -- name: Get the network-root-truststore - shell: | - vault kv get -field=network-root-truststore.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs > 
"{{ cert_path }}" - vars: - cert_path: "{{ network | json_query('network_services[?type==`networkmap`].truststore') | first }}" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - -# Check, Create and wait for notary-registration if not already completed -# TODO this is a workaround. Ideally notary registration should be done from setup/notary -- name: Check, Create and wait for notary-registration - include_role: - name: setup/notary-initial-registration - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Create deployment file for CENM nmap service -- name: "create nmap value files" - include_role: - name: helm_component - vars: - type: "nmap" - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}nmap" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - corda_service_version: networkmap-{{ org.version }} - idman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" # Keep this in ansible role to prevent confusion in template - helm_lint: "true" - -# Git Push: Push the nmap deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for nmap service" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/create_secret.yaml b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/create_secret.yaml new file mode 100644 index 00000000000..ca38bfd2cb5 --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/create_secret.yaml 
@@ -0,0 +1,59 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## +- name: Set fact for files location + ansible.builtin.set_fact: + files_loc: "{{ playbook_dir }}/../../../{{ charts_dir }}/enterprise-node/build/" + +- name: Read network-root-truststore.jks content + ansible.builtin.slurp: + src: "{{ files_loc }}/network-root-truststore.jks" + register: network_root_truststore + +- name: Read doorman.crt content + ansible.builtin.slurp: + src: "{{ files_loc }}/doorman/tls.crt" + register: doorman_crt + +- name: Read nms.crt content + ansible.builtin.slurp: + src: "{{ files_loc }}/nms/tls.crt" + register: nms_crt + +- name: Create cenm-certs secret in manufacturer-ent namespace + community.kubernetes.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: cenm-certs + namespace: "{{ component_ns }}" + data: + network-root-truststore.jks: "{{ network_root_truststore.content }}" + +- name: Create doorman-tls-certs secret in manufacturer-ent namespace + community.kubernetes.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: doorman-tls-certs + namespace: "{{ component_ns }}" + data: + tls.crt: "{{ doorman_crt.content }}" + +- name: Create nms-tls-certs secret in manufacturer-ent namespace + community.kubernetes.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: nms-tls-certs + namespace: "{{ component_ns }}" + data: + tls.crt: "{{ nms_crt.content }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml index 08cc3ac0ba2..c0ee8188799 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml 
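Review bot: The three `community.kubernetes.k8s` tasks pass no `kubeconfig`/`context`, so `cenm-certs`, `doorman-tls-certs` and `nms-tls-certs` are created on whatever cluster the controller's default kubeconfig points at, while the same role's main.yaml explicitly targets `kubernetes.config_file` for its cluster-info call; in a multi-cluster deployment that can silently put the secrets in the wrong cluster. Add `kubeconfig: "{{ kubernetes.config_file }}"` (and `context: "{{ kubernetes.context }}"` if that key is carried, as `k8s.context` is elsewhere in this diff) to each of the three tasks. The task names hard-code `manufacturer-ent` although the namespace is `{{ component_ns }}`; rename them along the lines of `Create cenm-certs secret in {{ component_ns }} namespace`. The payloads are a truststore and two TLS public certificates slurped from the chart build directory, so nothing private is written to the cluster here, but `slurp` fails hard if the files were not generated by an earlier step, so a short comment naming which task produces `{{ files_loc }}` would help the next maintainer.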
+++ b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml 
@@ -8,159 +8,59 @@ # This role sets up all Corda node services ############################################################################################## -# Wait for namespace creation -- name: "Wait for namespace creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Wait for vault-reviewer creation -- name: "Wait for vault-reviewer creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "ServiceAccount" - component_name: "vault-reviewer" - type: "retry" - tags: - - notest - -# Setup cluster enviorment for float -- name: Setup cluster enviorment for float - include_role: - name: setup/float-environment - when: org.firewall.enabled - -# Create vault access policies -- name: "Setup vault access for nodes" +- name: Get doorman and nms certs include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" + name: get/certs vars: - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}-vaultk8s-job" - component_auth: "{{ network.env.type }}{{ name }}" - component_type: "{{ org.type | lower }}" + component_ns: "{{ network.organizations[0].name }}-ent" + # when: network.organizations[0].type=='cenm' -# Create float vault access policies for the float cluster -- name: "Setup vault access for float" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" - vars: - component_name: "{{ org.name | lower }}-vaultk8s-job-float" - component_auth: "{{ network.env.type }}{{ name }}float" - component_type: "{{ org.type | lower }}" - vault: "{{ org.services.float.vault }}" - kubernetes: "{{ org.services.float.k8s }}" - when: org.firewall.enabled - -# Create ambassador certificates for node when firewall is enabled 
-- name: Create ambassador certificates for node when firewall is enabled +- name: "Setup primary init with network-service org" include_role: - name: create/certificates/node + name: setup/init vars: - k8s: "{{ org.services.float.k8s }}" - vault: "{{ org.services.float.vault }}" - node_name: "{{ org.name | lower }}" - namespace: "{{ component_ns }}" - domain_name: "{{ org.services.float.name }}.{{ node_name }}.{{ org.services.float.external_url_suffix }}" - when: org.firewall.enabled - -# Create ambassador certificates for node when firewall is disabled -- name: Create ambassador certificates for node when firewall is disabled - include_role: - name: create/certificates/node - vars: - k8s: "{{ org.k8s }}" - vault: "{{ org.vault }}" - node_name: "{{ peer.name | lower }}" - namespace: "{{ component_ns }}" - domain_name: "{{ node_name }}.{{ org.external_url_suffix }}" - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - -# Save tls certificates for network services to Vault -- name: Save tls certificates for network services to Vault - include_role: - name: setup/tlscerts - loop: "{{ network.network_services }}" - loop_control: - loop_var: service + build_path: "./build" + init_type: "corda_ent_secondary_init" + values_dir: "./build/{{ component_ns }}" -# Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault -- name: Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault - include_role: - name: setup/credentials +# Wait for namespace creation +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info -# Create value file for generate-pki-node chart -- name: Create value files for generate-pki-node chart - include_role: - name: setup/pki-generator-node - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - when: 
org.firewall.enabled +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server: "{{ cluster_info.connection.host }}" -# Create value file for node registration -- name: Create value file for node registration - include_role: - name: setup/node_registration - vars: - node_name: "{{ peer.name | lower }}" - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer +- name: "Create secrets for node" + include_tasks: create_secret.yaml -# Create value file for node -- name: "Create value file for node" - include_role: +# Create deployment file for notary node +- name: Create notary node deployment file + include_role: name: helm_component - vars: - helm_lint: "true" - type: node - git_url: "{{ org.gitops.git_url }}" - git_branch: "{{ org.gitops.branch }}" - charts_dir: "{{ org.gitops.chart_source }}" - component_name: "{{ peer.name | lower }}" - node_name: "{{ peer.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - name: "{{ org.name | lower }}" - corda_service_version: node-{{ network.version }} - doorman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" - networkmap_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" - loop: "{{ org.services.peers }}" + vars: + type: corda_ent_node + node_name: "{{ node.name | lower }}" + p2p_port: "{{ node.ports.p2p }}" + rpc_port: "{{ node.ports.rpc }}" + rpc_admin_port: "{{ node.ports.admin_rpc }}" + subject: "{{ node.subject }}" + legal_name: "{{ node.subject }}" + service_name: "{{ node.serviceName }}" + validating: "{{ node.validating }}" + nms_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" + doorman_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" + loop: "{{ node }}" loop_control: - loop_var: peer + loop_var: node -# Git Push : Pushes the above generated files to git directory -- name: Git 
Push +# Git Push: Push the deployment files for notary node +- name: Push notary deployment files include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" vars: GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing node files" - -# Create value file for bridge -- name: Create value file for bridge - include_role: - name: setup/bridge - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - when: org.firewall.enabled - -# Create value file for float -- name: Create value file for float - include_role: - name: setup/float - vars: - k8s: "{{ org.services.float.k8s }}" - gitops: "{{ org.services.float.gitops }}" - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - when: org.firewall.enabled + msg: "[ci skip] Pushing notary deployment file for notary" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/node_registration/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/node_registration/tasks/main.yaml deleted file mode 100644 index 1e505a5fc81..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/node_registration/tasks/main.yaml +++ /dev/null 
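Review bot: The `nms_url` and `doorman_url` lookups in the "Create notary node deployment file" task look swapped: `nms_url` is taken from the `idman` entry of `network_services` and `doorman_url` from the `networkmap` entry, the reverse of the removed `doorman_url`/`networkmap_url` pair, so a node rendered from these values would register with the network map and fetch the map from the identity manager; exchange the `idman` and `networkmap` selectors between the two lines. The same task iterates with `loop: "{{ node }}"` while naming its loop variable `node`, and `node` is not defined anywhere in the hunk — it reads as if it should be the org's node list, e.g. `loop: "{{ org.services.peers }}"`. The commented-out `# when: network.organizations[0].type=='cenm'` leaves the cert fetch assuming the first organization is the CENM org; either restore the guard or select the org by type with a json_query. This role's tasks begin above the hunk.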
@@ -1,62 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This task creates the value file for the node registration as well the db required and push them to the git repository - -# Check if the node-registration is already completed -- name: Check if the node-registration is already completed - shell: | - vault kv get -field=nodekeystore.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ peer.name | lower }}/certs/nodekeystore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: node_certs - ignore_errors: yes - -# Create value file for the db required alongside node registration -- name: "Create value file of db for node registration" - include_role: - name: helm_component - vars: - component_name: "{{ peer.name | lower }}db" - type: "db" - name: "{{ org.name | lower }}" - node_name: "{{ peer.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - container_name: "ghcr.io/hyperledger/h2:2018" - helm_lint: "true" - # These variables are needed as the db.tpl is used for both notary & node registration - # The values for the below variables are fetched from different parts in the network.yaml - tcp_port: "{{ peer.dbtcp.port }}" - tcp_targetport: "{{ peer.dbtcp.targetPort }}" - web_port: "{{ peer.dbweb.port }}" - web_targetport: "{{ peer.dbweb.targetPort }}" - -# Create value file for node registration -- name: "Create value file for node registration" - include_role: - name: helm_component - vars: - component_name: "{{ peer.name | lower }}registration" - type: node_registration - name: "{{ org.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ 
org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - corda_service_version: node-{{ org.version }} - doorman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" - networkmap_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" - helm_lint: "true" - when: node_certs.failed - -# Git Push : Pushes the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing node registartion and its db files" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/main.yaml deleted file mode 100644 index 65bf522d1b1..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/main.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Check if the notary-registration is already completed -- name: Check if the notary-registration is already completed - shell: | - vault kv get -field=nodekeystore.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ notary.name | lower }}/certs/nodekeystore - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: notary_certs - ignore_errors: yes - -# Create value file for notary-initial-registration -# TODO this is a workaround. Ideally notary registration should be done from setup/notary -- name: Create value file for notary registration job - include_tasks: nested_main.yaml - when: notary_certs.failed - -# Wait for the notary initial registration job to complete -- name: "waiting for notary initial registration job to complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ notary.name | lower }}-initial-registration" - kubernetes: "{{ org.k8s }}" - when: notary_certs.failed diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/nested_main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/nested_main.yaml deleted file mode 100644 index ff3dcec4937..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary-initial-registration/tasks/nested_main.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role creates the deployment files for node and pushes them to repository -############################################################################################## - -# Waiting for idman pod to come up -- name: "Waiting for idman pod to come up" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.idman.name }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - when: org.type != "notary" - -# Create deployment file for CENM notary service db -- name: "Create db for notary" - include_role: - name: helm_component - vars: - component_name: "{{ notary.name | lower }}db" - type: "db" - name: "{{ org.name | lower }}" - node_name: "{{ notary.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - container_name: "ghcr.io/hyperledger/h2:2018" - helm_lint: "true" - # These variables are needed as the db.tpl is used for both notary & node registration - # The values for the below variables are fetched from different parts in the network.yaml - tcp_port: "{{ notary.dbtcp.port }}" - tcp_targetport: "{{ notary.dbtcp.targetPort }}" - web_port: "{{ notary.dbweb.port }}" - web_targetport: "{{ notary.dbweb.targetPort }}" - -# Create deployment files for job for notaries -- name: 'Create notary initial-registration job file' - include_role: - name: helm_component - vars: - type: "notary-initial-registration" - notary_service: 
"{{ notary }}" - component_name: "{{ notary_service.name }}-initial-registration" - name: "{{ org.name | lower }}" - notary_name: "{{ notary_service.name }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - git_url: "{{ org.gitops.git_url }}" - git_branch: "{{ org.gitops.branch }}" - idman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" - idman_domain: "{{ idman_url.split(':')[1] | regex_replace('/', '') }}" - networkmap_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" - networkmap_domain: "{{ networkmap_url.split(':')[1] | regex_replace('/', '') }}" - corda_service_version: notary-{{ network.version }} - -# Git Push: Push the created deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing DB and registration job deployment files for {{ notary.name }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/pki-generator-node/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/pki-generator-node/tasks/main.yaml deleted file mode 100644 index 1b290c286f2..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/pki-generator-node/tasks/main.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Check if pki-generator is already run for the node -- name: "Checking if pki-generator job is already completed for the node" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - job_title: "{{ org.name | lower }}-generate-pki" - component_type: "OneTimeJob" - component_name: "{{ org.name | lower }}-generate-pki" - -- name: "Set Variable generate_pki" - set_fact: - generate_pki: "{{ result }}" - -# Loop over the network.yaml to fetch the node details -- name: Create value file for pki generator for the node - include_role: - name: helm_component - vars: - type: "pki-generator-node" - corda_service_version: pki-{{ org.cenm_version }} - values_dir: "{{playbook_dir}}/../../../{{ gitops.release_dir }}" - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}pkigenerator" - charts_dir: "{{ org.gitops.chart_source }}" - chart: generate-pki - when: generate_pki.resources|length == 0 - -# Git Push : Push the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing pki-generator files for the node" - when: generate_pki.resources|length == 0 diff --git a/platforms/r3-corda-ent/configuration/roles/setup/pki-generator/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/pki-generator/tasks/main.yaml deleted file mode 100644 index a2b6d873168..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/pki-generator/tasks/main.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role creates the the value file for pki-generator chart and pushes it to the git repository - -# Write keystore, truststore, ssl credentials to the vault -- name: Write keystore, truststore, ssl credentials to the vault - include_role: - name: setup/credentials - -# Check if pki-generator is already run -- name: "Checking if pki-generator job is already completed" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - job_title: "{{ org.name | lower }}-generate-pki" - component_type: "OneTimeJob" - component_name: "{{ org.name | lower }}-generate-pki" - -# Set a Variable -- name: "Set Variable generate_pki" - set_fact: - generate_pki: "{{ result }}" - -# Loop over the network.yaml to fetch the cenm details -- name: Create value file for pki generator - include_role: - name: helm_component - vars: - type: "pki-generator" - corda_service_version: pki-{{ org.version }} - values_dir: "{{playbook_dir}}/../../../{{ gitops.release_dir }}" - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}pkigenerator" - charts_dir: "{{ org.gitops.chart_source }}" - chart: generate-pki - when: generate_pki.resources|length == 0 - -# Git Push : Push the above generated files to git directory -- name: Git Push - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - msg: "[ci skip] Pushing pki-generator files" - when: generate_pki.resources|length == 0 
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/signer/tasks/main.yml b/platforms/r3-corda-ent/configuration/roles/setup/signer/tasks/main.yml deleted file mode 100644 index de7dfcdb9fd..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/signer/tasks/main.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role creates the value file for signer -############################################################################################## - -# Check if the signer certs are already created -- name: Check if the signer certs are already created - shell: | - vault kv get -field=corda-ssl-signer-keys.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.signer.name }}/certs - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: signer_certs - ignore_errors: yes - -# Wait for the pki-generator job to complete -- name: "waiting for pki-generator job to complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ org.name | lower }}-generate-pki" - kubernetes: "{{ org.k8s }}" - when: signer_certs.failed - -# Create deployment file for CENM signer service -- name: "create signer helmrelease files" - include_role: - name: helm_component - vars: - type: "signer" - chart: "cenm-signer" - corda_service_version: signer-{{ org.version }} - name: "{{ org.name | lower }}" - component_name: "{{ org.services.signer.name }}" - charts_dir: "{{ org.gitops.chart_source }}" - vault: "{{ org.vault }}" - component_auth: "{{ network.env.type }}{{ name }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - helm_lint: "true" - -# Git Push: Push the signer deployment files to repository -- name: "Push the created deployment files to repository" - 
include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for signer service" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/main.yaml deleted file mode 100644 index 00f3a6b3b1a..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/main.yaml +++ /dev/null @@ -1,23 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role push tlscerts to vault for each node ---- -# Push tls certificates to vault for nodes -- name: Push tls certificates to vault for nodes - include_tasks: nested_main.yaml - loop: "{{ org.services.peers }}" - loop_control: - loop_var: peer - when: org.type == "node" - -# Push tls certificates to vault for notary -- name: Push tls certificates to vault for notary - include_tasks: nested_notary.yaml - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: peer - when: org.type == "notary" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_main.yaml deleted file mode 100644 index b9c5895b1de..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_main.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role puts the service certs to vault for each member organizations - -# Check if the tls certificate is already present in the vault -- name: Check if the tls certificate is already present in the vault - shell: | - vault kv get -field={{ service.name }}.crt {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/{{ peer.name }}/certs/{{ service.name }} - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_tlscert - ignore_errors: yes - -# Copy the tls certificate to each peer vault -- name: Copy the tls certificate to each peer vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/{{ peer.name }}/certs/{{ service.name }} {{ service.name }}.crt="$(cat {{ service.certificate }} | base64 )" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_tlscert.failed - -# Store the networkroottruststore to Vault when service.type == networkmap -# Check if the networkroottruststore is already present in the given directory -- name: Check if the networkroottruststore is already present in the given directory - stat: - path: "{{ service.truststore }}" - register: file_status - when: service.type == 'networkmap' - failed_when: not file_status.stat.exists - -# Copy the networkroottruststore to each org vault -- name: Copy the networkroottruststore to the Vault for each organisation - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/{{ peer.name }}/root/certs network-root-truststore.jks="$(cat {{ service.truststore }})" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - 
VAULT_TOKEN: "{{ org.vault.root_token }}" - when: - - service.type == 'networkmap' - - file_status.stat.exists diff --git a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_notary.yaml b/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_notary.yaml deleted file mode 100644 index f89054e8f58..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/tlscerts/tasks/nested_notary.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# This role puts the services certs to vault for each member organizations - -# Check if the tls certificate is already present in the vault -- name: Check if the tls certificate is already present in the vault - shell: | - vault kv get -field=tlscacerts {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/{{ services.name }}/tlscerts - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: vault_tlscert - ignore_errors: yes - -# Copy the tls certificate to each peer vault -- name: Copy the tls certificate to each peer vault - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/{{ services.name }}/tlscerts tlscacerts="$(cat {{ services.certificate }} | base64 )" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: vault_tlscert.failed - -# Store the networkroottruststore to Vault when services.type == networkmap -# Check if the networkroottruststore is already present in the given directory -- name: Check if the networkroottruststore is already present in the given directory - stat: - path: "{{ services.truststore }}" - register: file_status - when: service.type == 'networkmap' - failed_when: not file_status.stat.exists - -# Copy the networkroottruststore to each org vault -- name: Copy the networkroottruststore to the Vault for each organisation - shell: | - vault kv put {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name }}/root/certs network-root-truststore.jks="$(cat {{ services.truststore }})" - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - when: - - 
service.type == 'networkmap' - - file_status.stat.exists diff --git a/platforms/r3-corda-ent/configuration/roles/setup/zone/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/zone/tasks/main.yaml deleted file mode 100644 index 6672d00d71a..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/zone/tasks/main.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role creates the value file for zone service -############################################################################################## - -# Check if the idman ssl certs are already created -- name: Check if the idman ssl certs are already created - shell: | - vault kv get -field=corda-ssl-identity-manager-keys.jks {{ org.vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/{{ org.services.idman.name }}/certs - environment: - VAULT_ADDR: "{{ org.vault.url }}" - VAULT_TOKEN: "{{ org.vault.root_token }}" - register: idman_certs - ignore_errors: yes - -# Wait for the pki-generator job to complete -- name: "waiting for pki-generator job to complete" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ component_ns }}" - component_name: "{{ org.name | lower }}-generate-pki" - kubernetes: "{{ org.k8s }}" - when: idman_certs.failed - -# Create deployment file for CENM zone service -- name: "create zone helmrelease files" - include_role: - name: helm_component - vars: - type: "zone" - chart: "cenm-zone" - corda_service_version: zone-{{ org.version }} - name: "{{ org.name | lower }}" - component_name: "{{ org.services.zone.name }}" - charts_dir: "{{ org.gitops.chart_source }}" - vault: "{{ org.vault }}" - component_auth: "{{ network.env.type }}{{ name }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - helm_lint: "false" - -# Git Push: Push the signer deployment files to repository -- name: "Push the created deployment files to repository" - 
include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for zone service" diff --git a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/main.yaml deleted file mode 100644 index 96ad64ee7ca..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/main.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Set node_list to empty -- name: Set node_list to [] - set_fact: - node_list: [] - -# Get notary details for all orgs -- name: Get notary data for each node of all organization - include_tasks: nodelist.yaml - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: notary_org - when: notary_org.type == 'notary' - -# Wait till the nmap is running -- name: Waiting for nmap pod to come up - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.networkmap.name | lower }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - -# Create deployment file for CENM nmap service -- name: "Create nmap value files for update" - include_role: - name: helm_component - vars: - type: "nmap" - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}nmap" - charts_dir: "{{ org.gitops.chart_source }}" - values_dir: "{{playbook_dir}}/../../../{{ org.gitops.release_dir }}" - corda_service_version: networkmap-{{ org.version }} - idman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" # Keep this in ansible role to prevent confusion in template - helm_lint: "true" - nmap_update: true - -# Git Push: Push the nmap deployment files to repository -- name: "Push the created deployment files to repository" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for nmap service update" 
diff --git a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist.yaml b/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist.yaml deleted file mode 100644 index 34a0c4c3f98..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist.yaml +++ /dev/null @@ -1,12 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Get notary details for all orgs -- name: Get notary data for each notary of all organization - include_tasks: nodelist_nested.yaml - loop: "{{ notary_org.services.notaries }}" - loop_control: - loop_var: peer diff --git a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist_nested.yaml b/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist_nested.yaml deleted file mode 100644 index 85df77f12d5..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/update/nmap/tasks/nodelist_nested.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -# Wait till the notary is running -- name: Waiting for notary pod to come up - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ notary_org.name }}-ent" - component_name: "{{ peer.name | lower }}" - kubernetes: "{{ notary_org.k8s }}" - label_selectors: - - app = {{ peer.name | lower }} - -# Check if the nodeinfo exist in build directory -- name: Check if nodeinfo is present in the build directory - stat: - path: "{{ build_path }}/{{ notary_org.name }}/{{ peer.name }}/nodeInfo" - register: file_status - -# Create the build directory if it does not exist -- name: Create build directory if it does not exist - file: - path: "{{ build_path }}/{{ notary_org.name }}/{{ peer.name }}" - state: directory - mode: '0755' - recurse: yes - when: file_status.stat.exists == False - -# Fetch nodeinfo from vault -- name: Get the nodeinfo from vault and generate the enode - shell: | - vault kv get -field=nodeInfoFile {{ vault.secret_path | default('secretsv2') }}/{{ notary_org.name }}/{{ peer.name }}/nodeInfo > {{ build_path }}/{{ notary_org.name }}/{{ peer.name }}/nodeInfo - environment: - VAULT_ADDR: "{{ vault.url }}" - VAULT_TOKEN: "{{ vault.root_token }}" - when: file_status.stat.exists == False - -# Get the nodeinfoFilename from vault -- name: Get the nodeinfoFilename from vault - shell: | - vault kv get -field=nodeInfoName {{ vault.secret_path | default('secretsv2') }}/{{ notary_org.name }}/{{ peer.name }}/nodeInfo - environment: - VAULT_ADDR: "{{ vault.url }}" - VAULT_TOKEN: "{{ vault.root_token }}" - register: nodeInfoName - when: file_status.stat.exists == False - -# Get nodeinfo data -- 
name: Get nodeinfo_data
- set_fact:
- nodeinfo_data: "{{ lookup('file', '{{ build_path }}/{{ notary_org.name }}/{{ peer.name }}/nodeInfo') }}"
-
-# Get information about each addl notary node present in network.yaml and store it as a list of notary_org,node
-- name: Get notary nodeInfo
- set_fact:
- node_list={{ node_list|default([]) + [ {'peer_name':peer.name, 'nodeinfo':nodeinfo_data, 'validating':peer.validating, 'nodeinfo_name':nodeInfoName.stdout } ] }}
diff --git a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
index 52f873da6fd..210b6479375 100644
--- a/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
+++ b/platforms/r3-corda/configuration/roles/delete/vault_secrets/tasks/main.yaml
@@ -12,7 +12,7 @@
 - name: Delete docker creds
 k8s:
 kind: Secret
- namespace: "{{ component_ns }}"
+ namespace: "{{ component_name }}"
 name: "regcred"
 state: absent
 kubeconfig: "{{ kubernetes.config_file }}"
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl
index 8710e7531b9..b1311083862 100644
--- a/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl
+++ b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl
@@ -15,4 +15,4 @@ global:
 proxy:
 provider: ambassador
 settings:
- secondaryInit: {{ secondaryInit }}
+ secondaryInit: false
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_secondary_init.tpl b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_secondary_init.tpl
new file mode 100644
index 00000000000..9beb0bb919a
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_secondary_init.tpl
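Review bot: The `regcred` Secret is now deleted from `namespace: "{{ component_name }}"`, which is only correct while the caller's `component_name` happens to equal the namespace; the r3-corda-ent cleanup in this commit passes `component_name: "{{ org_name }}-ent"`, which matches the `<org>-ent` namespace by convention, though it is not visible from the hunk whether this r3-corda role is the one that cleanup reaches. A variable named for a component now carries namespace meaning, and a caller that passes an actual component name turns this task into a silent no-op (`state: absent` on a Secret that is not there does not fail), leaving the registry credentials in the cluster after cleanup. Prefer keeping `namespace: "{{ component_ns }}"` with the caller supplying `component_ns`, or at least a comment above the task such as `# component_name is the namespace here (<org>-ent); callers must pass the namespace, not a component`. The surrounding task list continues outside the hunk.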
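Review bot: `secondaryInit` is now fixed to `false` in this template while the new `corda_ent_secondary_init.tpl` appears to repeat the same cluster and Vault settings with the value `true`, so two copies of that configuration now have to be kept in step by hand. If the job type must select the template through the `job_templates` mapping, a one-line header comment in each file naming its twin, e.g. `# Paired with corda_ent_secondary_init.tpl; keep the global/vault blocks identical`, would at least make the coupling visible to the next editor. Only the tail of the template is visible in the hunk.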
@@ -0,0 +1,18 @@
+global:
+  serviceAccountName: vault-auth
+  cluster:
+    provider: "{{ cloud_provider }}"
+    cloudNativeServices: false
+    kubernetesUrl: "{{ kubernetes_server }}"
+  vault:
+    type: hashicorp
+    role: vault-role
+    network: corda-enterprise
+    address: "{{ vault.url }}"
+    authPath: "{{ org_name }}"
+    secretEngine: secretsv2
+    secretPrefix: "data/{{ org_name }}"
+proxy:
+  provider: ambassador
+settings:
+  secondaryInit: true
diff --git a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
index c5784c53697..e8d207c7f28 100644
--- a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
+++ b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
@@ -17,6 +17,7 @@ job_templates:
   indy_endorser: indy_endorser.tpl
   corda_ent_init: corda_ent_init.tpl
   corda_ent_cenm: corda_ent_cenm.tpl
+  corda_ent_secondary_init: corda_ent_secondary_init.tpl
 charts:
   primary_genesis: "{{ network.type }}-genesis"
   secondary_genesis: "{{ network.type }}-genesis"
@@ -26,10 +27,10 @@ charts:
   osn_create_channel_job: fabric-osnadmin-channel-create
   create_channel_job: fabric-channel-create
   join_channel_job: fabric-channel-join
-
-bevel_alpine_version: latest
-fabric_tools_image: bevel-fabric-tools
-indy_genesis: indy-genesis
-indy_endorser: indy-register-identity
-corda_ent_init: enterprise-init
-corda_ent_cenm: cenm
+  bevel_alpine_version: latest
+  fabric_tools_image: bevel-fabric-tools
+  indy_genesis: indy-genesis
+  indy_endorser: indy-register-identity
+  corda_ent_init: enterprise-init
+  corda_ent_secondary_init: enterprise-init
+  corda_ent_cenm: cenm
diff --git a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
index d41ef961995..87176403ae7 100644
--- a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
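Review bot: The new corda_ent_secondary_init.tpl appears to be a line-for-line copy of corda_ent_init.tpl (its `proxy`/`settings` keys land on the same lines 15-18 that the corda_ent_init.tpl hunk touches) with only `secondaryInit: true` differing, so the `global.vault` block (`address`, `authPath`, `secretEngine`, `secretPrefix`) now has to be kept in sync by hand across two files. A header comment would make that visible, e.g. `# Mirror of corda_ent_init.tpl; only settings.secondaryInit differs - keep the global/vault block in sync`. Note also that `secretEngine: secretsv2` is fixed here, whereas the notary tasks deleted earlier in this diff derived the engine from `vault.secret_path | default('secretsv2')`; if any org overrides that path, the secondary init job would read the wrong engine, so confirm the default is the only value in use.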
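Review bot: In the second hunk of job_component/vars/main.yaml, `bevel_alpine_version: latest` and `fabric_tools_image: bevel-fabric-tools` are re-added indented under `charts:` together with the chart-name entries, so they stop being top-level role variables and become `charts.bevel_alpine_version` / `charts.fabric_tools_image`; any task that still reads `{{ bevel_alpine_version }}` or `{{ fabric_tools_image }}` would now hit an undefined variable, and neither value is a chart name. If the intent was only to let the `corda_ent_*` and `indy_*` entries be resolved through the `charts` mapping (presumably via a `charts[...]` lookup elsewhere), keep the two image variables at column 0 as they were; otherwise the consumers need renaming in this same commit. Independently of the move, `latest` floats the alpine image tag from run to run, so pinning it to a specific version would keep the job image reproducible.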
+++ b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
@@ -71,3 +71,5 @@ charts:
   stewards: indy-node
   corda_ent_notary: enterprise-node
   corda_ent_network_map: cenm-networkmap
+  corda_ent_node: enterprise-node
+
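Review bot: A trailing blank line is added at the end of helm_lint/vars/main.yaml (the final bare `+` line after `corda_ent_node: enterprise-node`), which yamllint's `empty-lines` rule reports; the file should end directly after the new entry with a single newline. The entry itself reuses the `enterprise-node` chart, matching `corda_ent_notary` two lines above it, which looks intended.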
