diff --git a/platforms/network-schema.json b/platforms/network-schema.json index 059515dcce8..6335fa3b4fb 100755 --- a/platforms/network-schema.json +++ b/platforms/network-schema.json @@ -970,54 +970,16 @@ "type": "object", "properties": { "keystore": { - "type": "object", - "properties": { - "keystore": { - "type": "string" - }, - "idman": { - "type": "string" - }, - "networkmap": { - "type": "string" - }, - "subordinateca": { - "type": "string" - }, - "rootca": { - "type": "string" - }, - "tlscrlsigner": { - "type": "string" - } - }, + "type": "string", "required": [ - "keystore", - "idman", - "networkmap", - "subordinateca", - "rootca", - "tlscrlsigner" + "keystore" ], "additionalProperties": false }, "truststore": { - "type": "object", - "properties": { - "truststore": { - "type": "string" - }, - "rootca": { - "type": "string" - }, - "ssl": { - "type": "string" - } - }, + "type": "string", "required": [ - "truststore", - "rootca", - "ssl" + "truststore" ], "additionalProperties": false }, @@ -1052,8 +1014,7 @@ }, "required": [ "keystore", - "truststore", - "ssl" + "truststore" ], "additionalProperties": false }, diff --git a/platforms/r3-corda-ent/charts/README.md b/platforms/r3-corda-ent/charts/README.md index 872af5f8c28..96ad3257016 100644 --- a/platforms/r3-corda-ent/charts/README.md +++ b/platforms/r3-corda-ent/charts/README.md @@ -99,11 +99,10 @@ helm install notary ./enterprise-node --namespace supplychain-ent --values ./val # Install cenm services : Networkmap service helm install networkmap ./cenm-networkmap --namespace supplychain-ent --values ./values/proxy-and-vault/cenm.yaml - ``` -### To setup another node in a different namespace +### To setup another node in a different namespace ```bash kubectl create namespace manufacturer-ent # if the namespace does not exist already # Create the roottoken secret 
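Review bot: The `keystore` and `truststore` property schemas are now `"type": "string"` but keep `"required": ["keystore"]` / `"required": ["truststore"]` and `"additionalProperties": false`; those keywords only constrain objects, so a validator silently ignores them on a string, and they read as if a nested `keystore` key were still mandatory. Reduce each property to `"keystore": { "type": "string" }` and `"truststore": { "type": "string" }`. The second hunk's removal of `ssl` from the enclosing `required` list is consistent with that collapse, but the enclosing `properties` object starts before the first hunk, so whether a top-level `ssl` property still exists cannot be seen here. If these strings are now passwords rather than file references (corda_ent_network_map.tpl in this commit renders them under `sharedCreds`), a `"description"` on each saying so would stop the next reader guessing.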
diff --git a/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml b/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml
index 6fc2efabb26..bb492e1dfa0 100644
--- a/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml
+++ b/platforms/r3-corda-ent/charts/cenm-networkmap/templates/service.yaml
@@ -47,7 +47,7 @@ kind: Host
 metadata:
 name: {{ .Release.Name }}-nms
 spec:
- hostname: cenm-nms.{{ .Values.global.proxy.externalUrlSuffix }}
+ hostname: {{ .Values.cenm.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }}
 acmeProvider:
 authority: none
 requestPolicy:
@@ -64,7 +64,7 @@ metadata:
 name: {{ .Release.Name }}-mapping
 namespace: {{ .Release.Namespace }}
 spec:
- host: cenm-nms.{{ .Values.global.proxy.externalUrlSuffix }}
+ host: {{ .Values.cenm.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }}
 prefix: /
 service: {{ include "networkmap.name" . }}.{{ .Release.Namespace }}:{{ .Values.global.cenm.networkmap.port }}
 {{- end }}
diff --git a/platforms/r3-corda-ent/configuration/deploy-network.yaml b/platforms/r3-corda-ent/configuration/deploy-network.yaml
index b27be004b49..0d803aa585b 100644
--- a/platforms/r3-corda-ent/configuration/deploy-network.yaml
+++ b/platforms/r3-corda-ent/configuration/deploy-network.yaml
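Review bot: Both hunks build the Ambassador hostname from `{{ .Values.cenm.prefix }}` with no guard, so a release installed without `cenm.prefix` renders `-nms.<suffix>` for the `Host` and the `Mapping` and the network map is published on a malformed hostname instead of failing at install time. Use `hostname: {{ required "cenm.prefix must be set" .Values.cenm.prefix }}-nms.{{ .Values.global.proxy.externalUrlSuffix }}` (and the same for `host:`), or give `cenm.prefix` a default in values.yaml. The value must also agree with the `{{ org_name }}-cenm-nms.` host that corda_ent_notary.tpl hard-codes for `networkMapDomain`; nothing in this chart can check that, so a comment next to the `Host` naming that dependency would help.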
@@ -20,98 +20,103 @@ path: "./build" state: absent - # create namespace, service account and clusterrolebinding - - name: "Create namespace, service accounts and clusterrolebinding" - include_role: - name: create/namespace_serviceaccount + # Create namespaces for organizations + - name: "Create namespace" + include_role: + name: create/namespace + vars: + component_name: "{{ org.name | lower }}-ent" + component_type_name: "{{ org.type | lower }}" + kubernetes: "{{ org.k8s }}" + release_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org.name | lower }}" + loop: "{{ network['organizations'] }}" + loop_control: + loop_var: org + + # Create necessary Kubernetes secrets for each organization + - name: "Create k8s secrets" + include_role: + name: create/secrets vars: component_ns: "{{ org.name | lower }}-ent" - organisation: "{{ org.name | lower }}" kubernetes: "{{ org.k8s }}" - gitops: "{{ org.gitops }}" + vault: "{{ org.vault }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org - # Create Storageclass that will be used for this deployment - - name: Create Storage Class + # # Setup Init + - name: "Setup Init" include_role: - name: "{{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/storageclass" + name: setup/init vars: org_name: "{{ org.name | lower }}" - sc_name: "{{ org_name }}-bevel-storageclass" - region: "{{ org.k8s.region | default('eu-west-1') }}" + component_name: "{{ org_name }}-init" + component_ns: "{{ org_name }}-ent" + kubernetes: "{{ org.k8s }}" + vault: "{{ org.vault }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" + charts_dir: "{{ org.gitops.chart_source }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org - # Setup CENM services for the network + # Setup CENM - name: "Setup cenm" include_role: name: "setup/cenm" vars: - services: "{{ org.services }}" - organisation: "{{ org.name | lower }}" - name: "{{ org.name | lower }}" - 
sc_name: "{{ name }}-bevel-storageclass" - component_ns: "{{ org.name | lower }}-ent" + org: "{{ network['organizations'] | first }}" + org_name: "{{ org.name | lower }}" + org_services: "{{ org.services }}" + component_name: "{{ org_name }}-cenm" + component_ns: "{{ org_name }}-ent" kubernetes: "{{ org.k8s }}" vault: "{{ org.vault }}" - gitops: "{{ org.gitops }}" - policy_type: "r3-corda-ent" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: org.type == 'cenm' - - # Wait for cenm services to respond - - name: Check that CENM uri are reachable - uri: - url: "{{ item.uri }}/status" - validate_certs: no - register: this - until: this.status == 200 - loop: "{{ network['network_services'] }}" - retries: "{{ network.env.retry_count}}" - delay: 50 + external_url_suffix: "{{ org.external_url_suffix }}" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}/build" - # Setup Corda Node services for the network - - name: Setup Corda Node services + # Deploy notaries + - name: Deploy notary service include_role: - name: setup/node + name: setup/notary vars: - services: "{{ org.services }}" - organisation: "{{ org.name | lower }}" - name: "{{ org.name | lower }}" - sc_name: "{{ name }}-bevel-storageclass" - component_ns: "{{ org.name | lower }}-ent" + org_name: "{{ org.name | lower }}" + component_name: "{{ org_name }}-notary" + component_ns: "{{ org_name }}-ent" + cloud_provider: "{{ org.cloud_provider }}" + external_url_suffix: "{{ org.external_url_suffix }}" + node: "{{ org.services.notaries }}" kubernetes: "{{ org.k8s }}" vault: "{{ org.vault }}" gitops: "{{ org.gitops }}" - policy_type: "r3-corda-ent" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}" loop: "{{ network['organizations'] }}" loop_control: loop_var: org - when: org.type == 'node' + when: + - org.services.notaries is 
defined - # Setup Additional Notary services for the network - - name: Setup Additional Notary services - include_role: - name: setup/notary + # Setup NETWORK_MAP + - name: "Setup network_map" + include_role: + name: "setup/network_map" vars: - services: "{{ org.services }}" - organisation: "{{ org.name | lower }}" - name: "{{ org.name | lower }}" - sc_name: "{{ name }}-bevel-storageclass" - component_ns: "{{ org.name | lower }}-ent" + org: "{{ network['organizations'] | first }}" + org_name: "{{ org.name | lower }}" + cloud_provider: "{{ org.cloud_provider | lower }}" + org_services: "{{ org.services }}" + component_name: "{{ org_name }}-nm" + component_ns: "{{ org_name }}-ent" kubernetes: "{{ org.k8s }}" vault: "{{ org.vault }}" gitops: "{{ org.gitops }}" - policy_type: "r3-corda-ent" - loop: "{{ network['organizations'] }}" - loop_control: - loop_var: org - when: org.type == 'notary' + external_url_suffix: "{{ org.external_url_suffix }}" + charts_dir: "{{ org.gitops.chart_source }}" + values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}/{{ org_name }}" + # These variables can be overriden from the command line vars: diff --git a/platforms/r3-corda-ent/configuration/roles/create/k8_component/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/k8_component/tasks/main.yaml index 9924d86642c..63491dc0ef2 100644 --- a/platforms/r3-corda-ent/configuration/roles/create/k8_component/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/create/k8_component/tasks/main.yaml 
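Review bot: The "Setup cenm" and "Setup network_map" tasks now pick the organization with `org: "{{ network['organizations'] | first }}"`, whereas the removed tasks were gated with `when: org.type == 'cenm'`; the order of entries in network.yaml now silently decides which organization's cluster and Vault the CENM services land in. Prefer `org: "{{ network['organizations'] | selectattr('type', 'equalto', 'cenm') | first }}"` in both tasks so the declared type still drives the choice and a network without a CENM organization leaves `org` undefined instead of picking a node org. The removed "Check that CENM uri are reachable" wait has no replacement in this hunk, so "Deploy notary service" now runs without any check that the identity manager and network map are up; if the job-completion check in setup/cenm is meant to cover that, say so in the comment above the notary task. The `# # Setup Init` comment has a doubled hash.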
@@ -13,29 +13,18 @@ ################################################################################################ --- -# Create and/or check if the target directory exists -- name: Ensures {{ release_dir }}/{{ component_name }} dir exists - file: - path: "{{ release_dir }}/{{ component_name }}" - state: directory +# Ensure that the directory exists for each entity, if not, it creates them +- name: Ensure {{ component_type_name }} dir exists + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" + vars: + path: "{{ release_dir }}/{{ component_type_name }}" -# Create deployment file from a template -- name: Create {{ component_type }} file for {{ component_name }} +# Create the value file for the k8 components +- name: "Create {{ component_type }} file for {{ component_type_name }}" template: - src: "{{ dlt_templates[component_type] }}" + src: "{{ k8_templates[type] | default('default.tpl') }}" dest: "{{ values_file }}" vars: - values_file: "{{ release_dir }}/{{ component_name }}/{{ component_type }}.yaml" - -################################################################################################ -# Test the value file for syntax errors/ missing values -# This is done by calling the helm_lint role and passing the value file parameter -# When a new k8_component is added, changes should be made in helm_lint role as well -- name: Helm lint - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/helm_lint" - vars: - helmtemplate_type: "{{ component_type }}" - chart_path: "{{ charts_dir }}" - value_file: "{{ release_dir }}/{{ component_name }}/{{ helmtemplate_type }}.yaml" - when: helm_lint=="true" + values_file: "{{ release_dir }}/{{ component_type_name }}/{{ component_type }}.yaml" + type: "{{ component_type }}" 
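Review bot: The Helm lint task and its `when: helm_lint=="true"` gate are removed without replacement, so a templating mistake in a generated namespace value file is now first noticed when Flux tries to apply it rather than when the playbook renders it. The fallback `src: "{{ k8_templates[type] | default('default.tpl') }}"` also hides a mistyped `component_type`: the visible part of the vars file in this commit maps only `namespace`, `reviewer_rbac` and `vault-reviewer`, and no `default.tpl` is added here, so an unknown type would fail later with a missing-template error that does not name the bad type; drop the `default(...)`, or precede the task with an `assert` that `component_type in k8_templates`. Setting `type: "{{ component_type }}"` as a task var only to index the dictionary can be written directly as `src: "{{ k8_templates[component_type] }}"`.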
diff --git a/platforms/r3-corda-ent/configuration/roles/create/k8_component/vars/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/k8_component/vars/main.yaml index 346de7c7532..a9c2e610722 100644 --- a/platforms/r3-corda-ent/configuration/roles/create/k8_component/vars/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/create/k8_component/vars/main.yaml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################################################## -dlt_templates: +k8_templates: namespace: namespace.tpl reviewer_rbac: reviewer_rbac.tpl vault-reviewer: reviewer.tpl diff --git a/platforms/r3-corda-ent/configuration/roles/create/namespace/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/namespace/tasks/main.yaml new file mode 100644 index 00000000000..19ecefdf744 --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/create/namespace/tasks/main.yaml 
@@ -0,0 +1,39 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +############################################################################################# +# This role creates value files for namespaces of organizations +############################################################################################# + +# Check if namespace created +- name: Check namespace is created + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" + vars: + component_type: "Namespace" + type: "no_retry" + +# Assign the result of check namespace task to a local variable +- name: "Set Variable" + set_fact: + get_namespace: "{{ result }}" + +# Create the value file of Namespace for Organizations +- name: Create namespaces + include_role: + name: create/k8_component + vars: + component_type: "namespace" + when: get_namespace.resources|length == 0 + +# Git Push : Push the above generated files to git directory +- name: Git Push + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" + vars: + GIT_DIR: "{{ playbook_dir }}/../../../" + gitops: "{{ org.gitops }}" + msg: "[ci skip] Pushing deployment files for namespace" diff --git a/platforms/r3-corda-ent/configuration/roles/create/secrets/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/create/secrets/tasks/main.yaml new file mode 100644 index 00000000000..cc31dd73c32 --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/create/secrets/tasks/main.yaml 
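Review bot: The "Check namespace is created" task passes `component_type: "Namespace"` but no `component_name`, so the check role presumably resolves the name from the `component_name` the playbook sets for `create/namespace` (`{{ org.name | lower }}-ent`); the sibling `create/secrets` role passes `component_name: "{{ component_ns }}"` explicitly, and doing the same here would make that dependency visible. The "Set Variable" task only copies `result` into `get_namespace`; either name it for what it holds, e.g. `- name: "Store namespace lookup result"`, or use `when: result.resources | length == 0` on the create task and drop the copy. The header comment says the role creates value files but it also pushes them; extend it to `# This role creates the namespace value file for an organization and pushes it to the gitops repository`.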
@@ -0,0 +1,32 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Wait for namespace to be created by flux +- name: "Wait for the namespace {{ component_ns }} to be created" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" + vars: + component_type: "Namespace" + component_name: "{{ component_ns }}" + type: "retry" + +# Create the vault roottoken secret +- name: "Create vault token secret" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets" + vars: + namespace: "{{ component_ns }}" + check: "token_secret" + +# Create the docker pull credentials for image registry +- name: "Create docker credentials secret" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/shared_k8s_secrets" + vars: + namespace: "{{ component_ns }}" + check: "docker_credentials" + when: + - network.docker.username is defined diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/helm_component/tasks/main.yaml index 2d9a4f45a3d..df2b22182c9 100644 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/helm_component/tasks/main.yaml 
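Review bot: The "Create vault token secret" task places a Vault token into every organization namespace via the shared `token_secret` check, but nothing here records which token that is or what it is allowed to do; the charts README in this commit calls it the "roottoken secret", which suggests the Vault root token is being copied into Kubernetes, presumably from the `vault` var the playbook sets to `org.vault`. Add a comment above the task such as `# Stores the Vault token from the org's vault settings in the namespace for the init jobs; a token scoped to the org's auth path is preferable to the root token` and, if the shared role supports it, pass a narrowly scoped token rather than the root one. The header comment should also state the role's contract: wait for the namespace, then create the token secret and, only when `network.docker.username` is defined, the registry credentials secret.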
@@ -9,11 +9,11 @@ ############################################################################################# # Ensure that the directory exists, and creates it, if it does not exist -- name: "Ensures {{ values_dir }}/{{ name }} dir exists" +- name: "Ensures {{ values_dir }}/{{ org_name }} dir exists" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/check/directory" vars: - path: "{{ values_dir }}/{{ name }}" + path: "{{ values_dir }}/{{ org_name }}" ############################################################################################ # Create the value file for the helm release @@ -22,7 +22,7 @@ - name: "create value file for {{ component_name }}" template: src: "{{ helm_templates[type] | default('helm_component.tpl') }}" - dest: "{{ values_dir }}/{{ name }}/{{ component_name }}.yaml" + dest: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml" vars: main_container_image: "{{ docker_images.cenm[corda_service_version] }}" init_container_image: "{{ docker_images.init_container }}" @@ -37,4 +37,4 @@ vars: helmtemplate_type: "{{ type }}" chart_path: "{{ charts_dir }}" - value_file: "{{ values_dir }}/{{ name }}/{{ component_name }}.yaml" + value_file: "{{ values_dir }}/{{ org_name }}/{{ component_name }}.yaml" diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl new file mode 100644 index 00000000000..1c355e144a2 --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_network_map.tpl 
@@ -0,0 +1,75 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ component_name }} + namespace: {{ component_ns }} + annotations: + fluxcd.io/automated: "false" +spec: + releaseName: {{ component_name }} + interval: 1m + chart: + spec: + chart: {{ charts_dir }}/cenm-networkmap + sourceRef: + kind: GitRepository + name: flux-{{ network.env.type }} + namespace: flux-{{ network.env.type }} + values: + global: + serviceAccountName: vault-auth + cluster: + provider: "{{ cloud_provider }}" + cloudNativeServices: false + vault: + type: hashicorp + role: vault-role + address: + authPath: "{{ org_name }}" + secretEngine: secretsv2 + secretPrefix: "data/{{ org_name }}" + proxy: + provider: "ambassador" + externalUrlSuffix: "{{ external_url_suffix }}" + cenm: + prefix: "{{ org_name }}-cenm" + sharedCreds: + truststore: {{ cred_truststore }} + keystore: {{ cred_keystore}} + identityManager: + internal: + port: {{ idman_int_port }} + port: {{ idman_ext_port }} + revocation: + port: {{ idman_rev_port }} + auth: + port: {{ auth_port }} + gateway: + port: {{ gateway_port }} + zone: + enmPort: {{ zone_enm_port }} + networkmap: + internal: + port: {{ network_map_int_port }} + port: {{ network_map_ext_port }} + + storage: + size: 1Gi + dbSize: 5Gi + allowedTopologies: + enabled: false + + database: + driverClassName: "org.h2.Driver" + jdbcDriver: "" + url: "jdbc:h2:file:./h2/networkmap-manager-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" + user: "networkmap-db-user" + password: "networkmap-db-password" + runMigration: true + + nmapUpdate: false + sleepTimeAfterError: 120 + baseDir: /opt/cenm + + adminListener: + port: {{ network_map_admin_listener_port }} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_notary.tpl b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_notary.tpl new file mode 100644 index 00000000000..48303af3847 --- /dev/null 
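Review bot: `address:` under `vault` is rendered with no value, so the HelmRelease's Vault address is `null`, while corda_ent_notary.tpl in the same commit sets `address: "{{ vault.url }}"`; use the same line here. The credentials `truststore: {{ cred_truststore }}` and `keystore: {{ cred_keystore}}` are unquoted templated scalars (a value such as `no` or an all-digit string changes type on render) and, together with the literal `user: "networkmap-db-user"` / `password: "networkmap-db-password"`, they end up in a file that the network_map role commits to the gitops repository; quote them as `"{{ cred_truststore }}"` / `"{{ cred_keystore }}"` and consider having the chart read the keystore and truststore passwords from Vault instead of committing them. `provider: "{{ cloud_provider }}"` is quoted here while `externalUrlSuffix` in the notary template is not; pick one convention for templated scalars across the two templates.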
+++ b/platforms/r3-corda-ent/configuration/roles/helm_component/templates/corda_ent_notary.tpl 
@@ -0,0 +1,106 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ component_name }} + namespace: {{ component_ns }} + annotations: + fluxcd.io/automated: "false" +spec: + releaseName: {{ component_name }} + interval: 1m + chart: + spec: + chart: {{ charts_dir }}/enterprise-node + sourceRef: + kind: GitRepository + name: flux-{{ network.env.type }} + namespace: flux-{{ network.env.type }} + values: + global: + serviceAccountName: vault-auth + cluster: + provider: "{{ cloud_provider }}" + cloudNativeServices: false + kubernetesUrl: "{{ kubernetes_server }}" + vault: + type: hashicorp + role: vault-role + network: corda-enterprise + address: "{{ vault.url }}" + authPath: "{{ org_name }}" + secretEngine: secretsv2 + secretPrefix: "data/{{ org_name }}" + proxy: + provider: ambassador + externalUrlSuffix: {{ external_url_suffix }} + image: + notary: + repository: corda/corda-enterprise + tag: 4.10.3-zulu-openjdk8-alpine + network: + creds: + truststore: password + tls: + nameOverride: {{ node_name }} # should match the release name + enabled: true + sleepTimeAfterError: 180 + storage: + size: 1Gi + dbSize: 5Gi + allowedTopologies: + enabled: false + baseDir: /opt/corda + dataSourceProperties: + dataSource: + user: node-db-user + password: node-db-password + url: "jdbc:h2:file:./h2/node-persistence;DB_CLOSE_ON_EXIT=FALSE;WRITE_DELAY=0;LOCK_TIMEOUT=10000" + dataSourceClassName: org.h2.jdbcx.JdbcDataSource + nodeConf: + legalName: {{ subject }} + devMode: false + creds: + truststore: cordacadevpass + keystore: trustpass + crlCheckSoftFail: true + tlsCertCrlDistPoint: "" + tlsCertCrlIssuer: "" + monitoring: + enabled: true + port: 8090 + allowDevCorDapps: + enabled: true + p2pPort: {{ p2p_port }} + rpc: + port: {{ rpc_port }} + adminPort: {{ rpc_admin_port }} + users: + - name: node + password: nodeP + permissions: ALL + ssh: + enabled: true + sshdPort: 2222 + removeKeysOnDelete: false + firewall: + enabled: false + notary: + serviceLegalName: 
{{ service_name }} + validating: {{ validating }} + doormanPort: 443 + networkMapPort: 443 + doormanDomain: {{ org_name }}-cenm-doorman.{{ external_url_suffix }} + networkMapDomain: {{ org_name }}-cenm-nms.{{ external_url_suffix }} + doormanURL: https://{{ org_name }}-cenm-doorman.{{ external_url_suffix }} + networkMapURL: https://{{ org_name }}-cenm-nms.{{ external_url_suffix }} +{% if (org.cordapps is defined) and (org.cordapps|length > 0) %} + cordapps: + getcordapps: true + jars: +{% for jars in org.cordapps.jars %} + - url: {{ jars.jar.url }} +{% endfor %} +{% else %} + cordapps: + getcordapps: false +{% endif %} diff --git a/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml b/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml index e9fc7d6f2fc..2deb67e6a29 100644 --- a/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/helm_component/vars/main.yaml @@ -15,11 +15,12 @@ helm_templates: zone: zone.tpl notary-initial-registration: notary_initial_registration.tpl db: db.tpl - notary: notary.tpl bridge: bridge.tpl float: float.tpl node_registration: node_registration.tpl node: node.tpl + corda_ent_notary: corda_ent_notary.tpl + corda_ent_network_map: corda_ent_network_map.tpl docker_images: cenm: # list of various nodes supporting version 1.2 diff --git a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml index 83a23d5860b..f3bf4fad139 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml 
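Review bot: The templated scalars `externalUrlSuffix: {{ external_url_suffix }}`, `legalName: {{ subject }}`, `nameOverride: {{ node_name }}` and `validating: {{ validating }}` are rendered unquoted; an X.500 subject contains commas and may contain `: ` or ` #`, and `validating` arrives from Ansible as `True`/`False`, so quote the strings (`legalName: "{{ subject }}"`) and render the boolean as `validating: {{ validating | lower }}` to keep it canonical. The node also ships with fixed credentials in a file that is committed to git — `truststore: cordacadevpass`, `keystore: trustpass`, the RPC user `node`/`nodeP` with `permissions: ALL` and the H2 `node-db-password` — alongside `allowDevCorDapps.enabled: true`, `ssh.enabled: true` and `crlCheckSoftFail: true`, while `devMode: false` says this is not a development node; either source these from Vault or mark the template as development-only in a header comment. `doormanDomain`/`networkMapDomain` hard-code `{{ org_name }}-cenm-` and must match `cenm.prefix` in corda_ent_network_map.tpl; a comment saying so would protect the next change. The `cordapps` block checks `org.cordapps | length > 0` but iterates `org.cordapps.jars`, so a `cordapps` map without `jars` fails at render time; test `org.cordapps.jars is defined` instead.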
@@ -3,88 +3,37 @@ # # SPDX-License-Identifier: Apache-2.0 ############################################################################################## - -############################################################################################## -# This role sets up all cenm services -############################################################################################## - -# Wait for namespace creation -- name: "Wait for namespace creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" +# Gather Kubernetes cluster information +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server: "{{ cluster_info.connection.host }}" + +# Install init node +- name: "Install init node" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" + vars: + type: "corda_ent_cenm" + cloud_provider: "{{ org.cloud_provider | lower }}" + root_ca: "{{ org.subject }}" + subordinate_ca: "{{ org.subordinate_ca_subject }}" + auth_subject: "{{ org_services.auth.subject }}" + signer_subject: "{{ org_services.signer.subject }}" + idman_subject: "{{ org_services.idman.subject }}" + idman_crlissuer_subject: "{{ org_services.idman.crlissuer_subject }}" + networkmap_subject: "{{ org_services.networkmap.subject }}" + secondaryInit: false + +# Check if the job is completed +- name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Wait for vault-reviewer creation -- name: "Wait for vault-reviewer creation for {{ organisation }}" - include_role: 
- name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "ServiceAccount" - component_name: "vault-reviewer" - type: "retry" - tags: - - notest - -# Create vault access policies -- name: "Setup vault access for cenm" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" - vars: - name: "{{ org.name | lower }}" - component_name: "{{ org.name | lower }}-vaultk8s-job" - component_auth: "{{ network.env.type }}{{ name }}" - component_type: "{{ org.type | lower }}" - -# Check if the certs are already created -- name: Check if the root certs are already created - shell: | - vault kv get -field=corda-ssl-root-keys.jks {{ vault.secret_path | default('secretsv2') }}/{{ org.name | lower }}/root/certs - environment: - VAULT_ADDR: "{{ vault.url }}" - VAULT_TOKEN: "{{ vault.root_token }}" - register: root_certs - ignore_errors: yes - -# Generate crypto using pki-generator -- name: "Generate crypto using pki-generator" - include_role: - name: "setup/pki-generator" - when: root_certs.failed - -# Deploy Auth Service -- name: "Deploy Auth Service" - include_role: - name: "setup/auth" - -# Deploy gateway service -- name: Deploy gateway service - include_role: - name: setup/gateway - -# Deploy Zone service -- name: Deploy Zone service - include_role: - name: setup/zone - -# Deploy Signer node -- name: Deploy Signer service - include_role: - name: setup/signer - -# Deploy Idman service -- name: Deploy Idman service - include_role: - name: setup/idman - -# Deploy networkmap service -- name: Deploy networkmap service - include_role: - name: setup/nmap - -# Deploy notary service -- name: Deploy notary service - include_role: - name: setup/notary + component_type: Job + namespace: "{{ component_ns }}" 
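Review bot: The `community.kubernetes.k8s_cluster_info` + `set_fact: kubernetes_server` pair is repeated verbatim in this role and in setup/init, setup/network_map and setup/notary in the same commit; factor it into one shared task file, or gather it once in deploy-network.yaml, so a kubeconfig change is made in one place. The task named "Install init node" here passes `type: "corda_ent_cenm"`, so name it for what it runs, e.g. `- name: "Install CENM init job"`, and `secondaryInit: false` is the only camelCase variable in a file that otherwise uses snake_case. The hunk also drops the role header comment (`# This role sets up all cenm services`); add one back describing that the role now only gathers cluster info, runs the CENM init job and waits for it, since the auth, gateway, zone, signer, idman and nmap roles are no longer included from here.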
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml new file mode 100644 index 00000000000..fbfcec3dd67 --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/setup/init/tasks/main.yaml @@ -0,0 +1,25 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## + +# Gather Kubernetes cluster information +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server: "{{ cluster_info.connection.host }}" + +# Install init node +- name: "Install init node" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/create/job_component" + vars: + cloud_provider: "{{ org.cloud_provider | lower }}" + type: "corda_ent_init" + secondaryInit: false diff --git a/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml new file mode 100644 index 00000000000..d8c50fbf5fb --- /dev/null +++ b/platforms/r3-corda-ent/configuration/roles/setup/network_map/tasks/main.yaml 
@@ -0,0 +1,49 @@ +############################################################################################## +# Copyright Accenture. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################################################## +# Gather Kubernetes cluster information +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info + +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server: "{{ cluster_info.connection.host }}" + +# Create deployment file for network_map +- name: Create network_map deployment file + include_role: + name: helm_component + vars: + type: "corda_ent_network_map" + cred_truststore: "{{ org.credentials.truststore }}" + cred_keystore: "{{ org.credentials.keystore }}" + idman_int_port: "{{ org_services.idman.ports.internal }}" + idman_ext_port: "{{ org_services.idman.ports.external }}" + idman_rev_port: "{{ org_services.idman.ports.revocation }}" + auth_port: "{{ org_services.auth.port }}" + gateway_port: "{{ org_services.gateway.port }}" + zone_enm_port: "{{ org_services.zone.ports.enm }}" + network_map_int_port: "{{ org_services.networkmap.ports.internal }}" + network_map_ext_port: "{{ org_services.networkmap.ports.external }}" + network_map_admin_listener_port: "{{ org_services.networkmap.ports.admin_listener }}" + +# Git Push: Push the deployment files for network_map +- name: Push network_map deployment files + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" + vars: + GIT_DIR: "{{ playbook_dir }}/../../../" + msg: "[ci skip] Pushing notary deployment file for notary" + +# Check if the job is completed +- name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization" + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" 
+ vars: + component_type: Job + namespace: "{{ component_ns }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/main.yaml index 47249d4d59b..a925618ea87 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/main.yaml 
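Review bot: The git push message is `"[ci skip] Pushing notary deployment file for notary"`, copied from the notary role; change it to `msg: "[ci skip] Pushing network_map deployment file"` so the gitops history identifies the component. The task passes `org.credentials.truststore` and `org.credentials.keystore` into a HelmRelease that the next task commits to the gitops repository; the template renders them under `sharedCreds`, so if these are passwords they are being committed in plaintext, and at minimum the corresponding network.yaml fields should be documented as such. As far as the template in this commit shows, the `kubernetes_server` fact set at the top is not referenced by the network map HelmRelease, so it looks like a leftover from the notary role.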
@@ -5,16 +5,51 @@ ############################################################################################## ############################################################################################## -# This role creates the value file for notary +# This role creates the deployment files for node and pushes them to repository ############################################################################################## +# Gather Kubernetes cluster information +- name: Gather Kubernetes cluster information + community.kubernetes.k8s_cluster_info: + kubeconfig: "{{ kubernetes.config_file }}" + register: cluster_info ---- -# Create Notary related to cenm -- name: Create Notary for cenm org - include_tasks: notary_cenm.yaml - when: org.type == 'cenm' +# Set the Kubernetes server URL fact +- name: Set kubernetes_server_url fact + set_fact: + kubernetes_server: "{{ cluster_info.connection.host }}" -# Create Notary related to org -- name: Create Notary for notary org - include_tasks: notary_node.yaml - when: org.type == 'notary' +# Create deployment file for notary node +- name: Create notary node deployment file + include_role: + name: helm_component + vars: + type: corda_ent_notary + node_name: "{{ node.name | lower }}" + p2p_port: "{{ node.ports.p2p }}" + rpc_port: "{{ node.ports.rpc }}" + rpc_admin_port: "{{ node.ports.admin_rpc }}" + subject: "{{ node.subject }}" + legal_name: "{{ node.subject }}" + service_name: "{{ node.serviceName }}" + validating: "{{ node.validating }}" + # nms_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" + # doorman_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" + loop: "{{ node }}" + loop_control: + loop_var: node + +# Git Push: Push the deployment files for notary node +- name: Push notary deployment files + include_role: + name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" + vars: + GIT_DIR: "{{ playbook_dir }}/../../../" + msg: "[ci skip] 
Pushing notary deployment file for notary" + +# # Check if the job is completed +# - name: "Check if {{ component_name }} job is completed in the {{ org_name }} organization" +# include_role: +# name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" +# vars: +# component_type: Job +# namespace: "{{ component_ns }}" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_cenm.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_cenm.yaml deleted file mode 100644 index ec6f81330a3..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_cenm.yaml +++ /dev/null 
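Review bot: `loop: "{{ node }}"` with `loop_control.loop_var: node` reuses the name of the variable being iterated (the playbook passes `node: "{{ org.services.notaries }}"`), which Ansible flags as a loop-variable collision and makes `node.name` inside `vars` mean something different from `node` on the `loop:` line; keep `loop: "{{ node }}"` but set `loop_var: notary` and reference `notary.name`, `notary.ports.p2p` and so on. The updated header says the role creates deployment files "for node", but this is the notary role: `# This role creates the notary node deployment files and pushes them to the gitops repository`. `legal_name: "{{ node.subject }}"` duplicates `subject` and, as far as corda_ent_notary.tpl shows, is never read; the commented-out `nms_url`/`doorman_url` vars and the commented job-completion check at the end should be either restored or removed rather than left as dead text.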
@@ -1,64 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role creates the value file for notary -############################################################################################## - ---- -# Wait till the nmap is running -- name: Waiting for nmap pod to come up - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Pod" - namespace: "{{ component_ns }}" - component_name: "{{ org.services.networkmap.name | lower }}" - kubernetes: "{{ org.k8s }}" - label_selectors: - - app = {{ component_name }} - -# Create notary ambassador certificates -- name: Create ambassador certficates for notary - include_role: - name: create/certificates/cenm - vars: - tlscert_path: "./build/ambassador/{{ notary.name }}" - service_name: "{{ notary.name }}" - namespace: "{{ component_ns }}" - dest_path: "./build/ambassador/{{ notary.name }}/notary.crt" - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Create deployment file for CENM notary service -- name: Create value file for notary - include_role: - name: helm_component - vars: - type: "notary" - notary_service: "{{ notary }}" - component_name: "{{ notary_service.name | lower }}" - name: "{{ org.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - idman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" - idman_domain: "{{ idman_url.split(':')[1] | regex_replace('/', '') }}" - networkmap_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" - 
networkmap_domain: "{{ networkmap_url.split(':')[1] | regex_replace('/', '') }}" - corda_service_version: notary-{{ network.version }} - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Git Push: Push the notary deployment files to repository -- name: Push the created deployment files to repository - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for notary service" diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml deleted file mode 100644 index 40bd9e060cc..00000000000 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -############################################################################################## -# Copyright Accenture. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################################################## - -############################################################################################## -# This role sets up all Additional Notary orgs -############################################################################################## - -# Wait for namespace creation -- name: "Wait for namespace creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "Namespace" - component_name: "{{ component_ns }}" - type: "retry" - -# Wait for vault-reviewer creation -- name: "Wait for vault-reviewer creation for {{ organisation }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/k8_component" - vars: - component_type: "ServiceAccount" - component_name: "vault-reviewer" - type: "retry" - tags: - - notest - -# create vault access policies -- name: "Setup vault access for nodes" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" - vars: - component_name: "{{ org.name | lower }}-vaultk8s-job" - component_auth: "{{ network.env.type }}{{ org.name | lower }}" - component_type: "{{ org.type | lower }}" - -# Create ambassador certificates for notary -- name: Create ambassador certificates for notary - include_role: - name: create/certificates/notary - vars: - tlscert_path: "./build/ambassador/{{ notary.name }}" - node_name: "{{ notary.name | lower }}" - service_name: "{{ notary.name }}" - dest_path: "./build/ambassador/{{ notary.name }}/notary.crt" - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Save tls certificates for network_services to Vault -- name: Save tls certificates 
for network_services to Vault - include_role: - name: setup/tlscerts - loop: "{{ network.network_services }}" - loop_control: - loop_var: services - -# Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault -- name: Write the networkroot truststore, node truststore, node keystore, firewallca, float and bridge passwords to the vault - include_role: - name: setup/credentials - -# Create value file for notary-initial-registration -- name: Create value file for notary registration job - include_role: - name: setup/notary-initial-registration - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Create deployment file for CENM notary service -- name: Create value file for notary - include_role: - name: helm_component - vars: - type: "notary" - notary_service: "{{ notary }}" - component_name: "{{ notary_service.name | lower }}" - name: "{{ org.name | lower }}" - values_dir: "{{ playbook_dir }}/../../../{{ org.gitops.release_dir }}" - charts_dir: "{{ org.gitops.chart_source }}" - idman_url: "{{ network | json_query('network_services[?type==`idman`].uri') | first }}" - idman_domain: "{{ idman_url.split(':')[1] | regex_replace('/', '') }}" - networkmap_url: "{{ network | json_query('network_services[?type==`networkmap`].uri') | first }}" - networkmap_domain: "{{ networkmap_url.split(':')[1] | regex_replace('/', '') }}" - corda_service_version: "notary-{{ network.version }}" - loop: "{{ org.services.notaries }}" - loop_control: - loop_var: notary - -# Push the notary deployment files to repository -- name: Push the created deployment files to repository - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" - vars: - GIT_DIR: "{{ playbook_dir }}/../../../" - gitops: "{{ org.gitops }}" - msg: "[ci skip] Pushing deployment files for notary service" 
diff --git a/platforms/r3-corda-ent/configuration/samples/network-addNotary.yaml b/platforms/r3-corda-ent/configuration/samples/network-addNotary.yaml index 3c2bb40fb81..301cd85531d 100644 --- a/platforms/r3-corda-ent/configuration/samples/network-addNotary.yaml +++ b/platforms/r3-corda-ent/configuration/samples/network-addNotary.yaml 
@@ -105,91 +105,70 @@ network: jars: - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.9/cordapp-supply-chain-4.9.jar - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.9/cordapp-contracts-states-4.9.jar username: "git_username" password: "git_access_token" credentials: - keystore: - keystore: cordacadevpass - idman: password - networkmap: password - subordinateca: password - rootca: password - tlscrlsigner: password - truststore: - truststore: trustpass - rootca: rootpassword - ssl: password - ssl: - networkmap: password - idman: password - signer: password - root: password - auth: password + keystore: password + truststore: password # Services maps to the pods that will be deployed on the k8s cluster # This sample has idman, networkmap, signer and notary on one cluster but different namespaces services: zone: - name: zone - type: cenm-zone + db: h2 # default: h2 ports: enm: 25000 admin: 12345 auth: - name: auth + db: h2 # default: h2 subject: "CN=Test TLS Auth Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-auth port: 8081 - username: admin - userpwd: p4ssWord + credentials: + username: admin + userpwd: p4ssWord gateway: - name: gateway subject: "CN=Test TLS Gateway Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-gateway - port: 8080 + port: 8080 idman: - name: idman - subject: "CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" + db: h2 # default: h2 + subject: "CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, 
C=US" # idmanca crlissuer_subject: "CN=Corda TLS CRL Authority,OU=Corda UAT,O=R3 HoldCo LLC,L=New York,C=US" - type: cenm-idman - port: 10000 + ports: + internal: 5052 + external: 10000 + revocation: 5053 + admin_listener: 6000 networkmap: - name: networkmap subject: "CN=Test Network Map Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-networkmap ports: - servicePort: 10000 - targetPort: 10000 + internal: 5050 + external: 10000 + admin_listener: 6000 signer: - name: signer subject: "CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-signer ports: - servicePort: 8080 - targetPort: 8080 + admin_listener: 6000 notaries: - notary: - name: notary-1 - subject: "O=Notary,OU=Notary1,L=London,C=GB" - serviceName: "O=Notary Service,OU=Notary1,L=London,C=GB" + name: notary + subject: "O=Notary,OU=Notary,L=London,C=GB" # legalName: "O=Notary,OU=Notary,L=London,C=GB" + serviceName: "O=Notary Service,OU=Notary,L=London,C=GB" type: notary validating: true - emailAddress: "dev@bevel.com" - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15005 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 + emailAddress: "dev@bevel.com" + db: h2 # default: h2 + credentials: + truststore: cordacadevpass + keystore: trustpass + ports: + p2p: 10002 + rpc: 10003 + admin_rpc: 10005 dbtcp: port: 9101 targetPort: 1521 
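Review bot: The new notary `credentials` block sets `truststore: cordacadevpass` and `keystore: trustpass`, which looks inverted relative to the peer entries elsewhere in these samples (`truststore: trustpass`, `keystore: cordacadevpass`) and to the usual Corda dev defaults; if the values are meant to be interchangeable placeholders this is harmless, but a reader copying the sample will get the two stores' passwords crossed, so either swap them or state that they are arbitrary. The same block appears in the notary-2 hunk that follows and in both notary hunks of network-cordaent.yaml, so whichever fix is chosen should be applied there too. The sample already warns `# Do not check-in docker_password` for other secrets; a matching comment above `credentials:`, e.g. `# Sample values only — do not check in real keystore/truststore passwords`, would keep the new block consistent with that practice. The organization entry this hunk belongs to starts and ends outside the hunk, and the new `db: h2 # default: h2` and `ports.internal/external/revocation/admin_listener` keys arrive without any note on accepted values.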
@@ -198,21 +177,19 @@ network: targetPort: 81 - notary: name: notary-2 - subject: "O=Notary,OU=Notary2,L=London,C=GB" - serviceName: "O=Notary Service,OU=Notary2,L=London,C=GB" + subject: "O=Notary2,OU=Notary2,L=London,C=GB" + serviceName: "O=Notary2 Service,OU=Notary2,L=London,C=GB" type: notary validating: true - emailAddress: "dev@bevel.com" - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15010 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 + emailAddress: "dev@bevel.com" + db: h2 # default: h2 + credentials: + truststore: cordacadevpass + keystore: trustpass + ports: + p2p: 10002 + rpc: 10003 + admin_rpc: 10005 dbtcp: port: 9101 targetPort: 1521 @@ -268,13 +245,13 @@ network: jars: - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.9/cordapp-supply-chain-4.9.jar - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.9/cordapp-contracts-states-4.9.jar username: "git_username" password: "git_access_token" - + # The participating nodes are named as peers services: notaries: diff --git a/platforms/r3-corda-ent/configuration/samples/network-cordaent.yaml b/platforms/r3-corda-ent/configuration/samples/network-cordaent.yaml index 21d857f6b07..96e446a416d 100644 --- a/platforms/r3-corda-ent/configuration/samples/network-cordaent.yaml +++ b/platforms/r3-corda-ent/configuration/samples/network-cordaent.yaml 
@@ -28,7 +28,7 @@ network: external_dns: enabled # Should be enabled if using external-dns for automatic route configuration # Docker registry details where images are stored. This will be used to create k8s secrets - # Please ensure all required images are built and stored in this registry. + # Please ensure all required images are built and stored in this registry. # Do not check-in docker_password. docker: url: "adopblockchaincloud0502.azurecr.io" @@ -48,7 +48,7 @@ network: type: networkmap uri: https://networkmap.test.corda.blockchaincloudpoc.com certificate: home_dir/platforms/r3-corda-ent/configuration/build/ambassador/networkmap/ambassador.pem - truststore: home_dir/platforms/r3-corda-ent/configuration/build/networkroottruststore.jks #Certificate should be encoded in base64 format + truststore: home_dir/platforms/r3-corda-ent/configuration/build/networkroottruststore.jks # Certificate should be encoded in base64 format truststore_pass: rootpassword # Allows specification of one or many organizations that will be connecting to a network. 
@@ -101,93 +101,70 @@ network: jars: - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.9/cordapp-supply-chain-4.9.jar - jar: # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" + url: https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.9/cordapp-contracts-states-4.9.jar username: "git_username" password: "git_access_token" credentials: - keystore: - keystore: cordacadevpass - idman: password - networkmap: password - subordinateca: password - rootca: password - tlscrlsigner: password - truststore: - truststore: trustpass - rootca: rootpassword - ssl: password - ssl: - networkmap: password - idman: password - signer: password - root: password - auth: password + keystore: password + truststore: password # Services maps to the pods that will be deployed on the k8s cluster # This sample has idman, networkmap, signer and notary on one cluster but different namespaces services: zone: - name: zone - type: cenm-zone + db: h2 # default: h2 ports: enm: 25000 admin: 12345 auth: - name: auth + db: h2 # default: h2 subject: "CN=Test TLS Auth Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-auth port: 8081 - username: admin - userpwd: p4ssWord + credentials: + username: admin + userpwd: p4ssWord gateway: - name: gateway subject: "CN=Test TLS Gateway Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-gateway - ports: - servicePort: 8080 - ambassadorPort: 15008 + port: 8080 idman: - name: idman - subject: "CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" + db: h2 # default: h2 + subject: "CN=Test Identity Manager Service 
Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" # idmanca crlissuer_subject: "CN=Corda TLS CRL Authority,OU=Corda UAT,O=R3 HoldCo LLC,L=New York,C=US" - type: cenm-idman - port: 10000 + ports: + internal: 5052 + external: 10000 + revocation: 5053 + admin_listener: 6000 networkmap: - name: networkmap subject: "CN=Test Network Map Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-networkmap ports: - servicePort: 10000 - targetPort: 10000 + internal: 5050 + external: 10000 + admin_listener: 6000 signer: - name: signer subject: "CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - type: cenm-signer ports: - servicePort: 8080 - targetPort: 8080 + admin_listener: 6000 notaries: - notary: - name: notary-1 - subject: "O=Notary,OU=Notary1,L=London,C=GB" - serviceName: "O=Notary Service,OU=Notary1,L=London,C=GB" + name: notary + subject: "O=Notary,OU=Notary,L=London,C=GB" # legalName: "O=Notary,OU=Notary,L=London,C=GB" + serviceName: "O=Notary Service,OU=Notary,L=London,C=GB" type: notary validating: true emailAddress: "dev@bevel.com" - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15005 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 + db: h2 # default: h2 + credentials: + truststore: cordacadevpass + keystore: trustpass + ports: + p2p: 10002 + rpc: 10003 + admin_rpc: 10005 dbtcp: port: 9101 targetPort: 1521 
@@ -196,540 +173,22 @@ network: targetPort: 81 - notary: name: notary-2 - subject: "O=Notary,OU=Notary2,L=London,C=GB" - serviceName: "O=Notary Service,OU=Notary2,L=London,C=GB" + subject: "O=Notary2,OU=Notary2,L=London,C=GB" + serviceName: "O=Notary2 Service,OU=Notary2,L=London,C=GB" type: notary validating: true - emailAddress: "dev@bevel.com" - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15010 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 - dbtcp: - port: 9101 - targetPort: 1521 - dbweb: - port: 8080 - targetPort: 81 - # Specification for the 2nd organization. Each organization maps to a VPC and a separate k8s cluster - - organization: - name: manufacturer - version: 4.7 - cenm_version: 1.5 - firewall_version: 4.4 # Supports 4.4 - country: CH - state: Zurich - location: Zurich - subject: "O=Manufacturer,OU=Manufacturer,L=Zurich,C=CH" - type: node - external_url_suffix: test.corda.blockchaincloudpoc.com - firewall: - enabled: true # true if firewall components are to be deployed - subject: "CN=Test Firewall CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - credentials: - firewallca: firewallcapassword - float: floatpassword - bridge: bridgepassword - - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - - # Kubernetes cluster deployment variables. The config file path and name has to be provided. - k8s: - context: "cluster_context" - config_file: "cluster_config" - - # Hashicorp Vault server address and root-token. Vault should be unsealed. - # Do not check-in root_token - vault: - url: "vault_addr" - root_token: "vault_root_token" - secret_path: "secretsv2" - # Git Repo details which will be used by GitOps/Flux. 
- # Do not check-in git_access_token - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/dev" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - - # Cordapps Repository details (optional if cordapps jar are store in a repository) - cordapps: - jars: - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" - username: "git_username" - password: "git_access_token" - - # The participating nodes are named as peers - services: - float: - name: float - subject: "CN=Test Float Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - external_url_suffix: test.cordafloat.blockchaincloudpoc.com - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - k8s: - context: "float_cluster_context" - config_file: "float_cluster_config" - 
vault: - url: "float_vault_addr" - root_token: "float_vault_root_token" - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/float" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - ports: - p2p_port: 40000 - tunnelport: 39999 - ambassador_tunnel_port: 15021 - ambassador_p2p_port: 15020 - bridge: - name: bridge - subject: "CN=Test Bridge Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - peers: - - peer: - name: manufacturer - subject: "O=Manufacturer,OU=Manufacturer,L=47.38/8.54/Zurich,C=CH" # This is the node identity. 
L=lat/long is mandatory for supplychain sample app - type: node - credentials: - truststore: trustpass - keystore: cordacadevpass - hsm: # hsm support for future release - enabled: false - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15010 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 - dbtcp: - port: 9101 - targetPort: 1521 - dbweb: - port: 8080 - targetPort: 81 - springboot: # This is for the springboot server - targetPort: 20001 - port: 20001 - expressapi: # This is for the express api server - targetPort: 3000 - port: 3000 - - - organization: - name: carrier - version: 4.7 - cenm_version: 1.5 - firewall_version: 4.4 # Supports 4.4 - country: GB - state: London - location: London - subject: "O=Carrier,OU=Carrier,L=London,C=GB" - type: node - external_url_suffix: test.corda.blockchaincloudpoc.com - firewall: - enabled: true # true if firewall components are to be deployed - subject: "CN=Test Firewall CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - credentials: - firewallca: firewallcapassword - float: floatpassword - bridge: bridgepassword - - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - - # Kubernetes cluster deployment variables. The config file path and name has to be provided in case - # the cluster has already been created. - k8s: - context: "cluster_context" - config_file: "cluster_config" - - # Hashicorp Vault server address and root-token. Vault should be unsealed. - # Do not check-in root_token - vault: - url: "vault_addr" - root_token: "vault_root_token" - secret_path: "secretsv2" - # Git Repo details which will be used by GitOps/Flux. 
- # Do not check-in git_access_token - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/dev" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - - # Cordapps Repository details (optional if cordapps jar are store in a repository) - cordapps: - jars: - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" - username: "git_username" - password: "git_access_token" - - services: - float: - name: float - subject: "CN=Test Float Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - external_url_suffix: test.cordafloat.blockchaincloudpoc.com - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - k8s: - context: "float_cluster_context" - config_file: "float_cluster_config" - vault: - url: "float_vault_addr" - root_token: 
"float_vault_root_token" - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/float" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - ports: - p2p_port: 40000 - tunnelport: 39999 - ambassador_tunnel_port: 15031 - ambassador_p2p_port: 15030 - bridge: - name: bridge - subject: "CN=Test Bridge Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - peers: - - peer: - name: carrier - subject: "O=Carrier,OU=Carrier,L=51.50/-0.13/London,C=GB" # This is the node subject. 
L=lat/long is mandatory for supplychain sample app - type: node - credentials: - truststore: trustpass - keystore: cordacadevpass - hsm: # hsm support for future release - enabled: false - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15030 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 - dbtcp: - port: 9101 - targetPort: 1521 - dbweb: - port: 8080 - targetPort: 81 - springboot: - targetPort: 20001 - port: 20001 - expressapi: - targetPort: 3000 - port: 3000 - - - organization: - name: store - version: 4.7 - cenm_version: 1.5 - firewall_version: 4.4 # Supports 4.4 - country: US - state: New York - location: New York - subject: "O=Store,OU=Store,L=New York,C=US" - type: node - external_url_suffix: test.corda.blockchaincloudpoc.com - firewall: - enabled: true # true if firewall components are to be deployed - subject: "CN=Test Firewall CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - credentials: - firewallca: firewallcapassword - float: floatpassword - bridge: bridgepassword - - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - - # Kubernetes cluster deployment variables. The config file path and name has to be provided in case - # the cluster has already been created. - k8s: - context: "cluster_context" - config_file: "cluster_config" - - # Hashicorp Vault server address and root-token. Vault should be unsealed. - # Do not check-in root_token - vault: - url: "vault_addr" - root_token: "vault_root_token" - secret_path: "secretsv2" - # Git Repo details which will be used by GitOps/Flux. 
- # Do not check-in git_access_token - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/dev" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - - # Cordapps Repository details (optional if cordapps jar are store in a repository) - cordapps: - jars: - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" - username: "git_username" - password: "git_access_token" - - services: - float: - name: float - subject: "CN=Test Float Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - external_url_suffix: test.cordafloat.blockchaincloudpoc.com - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - k8s: - context: "float_cluster_context" - config_file: "float_cluster_config" - vault: - url: "float_vault_addr" - root_token: 
"float_vault_root_token" - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/float" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - ports: - p2p_port: 40000 - tunnelport: 39999 - ambassador_tunnel_port: 15041 - ambassador_p2p_port: 15040 - bridge: - name: bridge - subject: "CN=Test Bridge Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - peers: - - peer: - name: store - subject: "O=Store,OU=Store,L=40.73/-74/New York,C=US" # This is the node identity. 
L=lat/long is mandatory for supplychain sample app - type: node + emailAddress: "dev@bevel.com" + db: h2 # default: h2 credentials: - truststore: trustpass - keystore: cordacadevpass - hsm: # hsm support for future release - enabled: false - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15040 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 - dbtcp: - port: 9101 - targetPort: 1521 - dbweb: - port: 8080 - targetPort: 81 - springboot: - targetPort: 20001 - port: 20001 - expressapi: - targetPort: 3000 - port: 3000 - - - organization: - name: warehouse - version: 4.7 - cenm_version: 1.5 - firewall_version: 4.4 # Supports 4.4 - country: US - state: Massachusetts - location: Boston - subject: "O=Warehouse,OU=Warehouse,L=Boston,C=US" - type: node - external_url_suffix: test.corda.blockchaincloudpoc.com - firewall: - enabled: true # true if firewall components are to be deployed - subject: "CN=Test Firewall CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - credentials: - firewallca: firewallcapassword - float: floatpassword - bridge: bridgepassword - - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - - # Kubernetes cluster deployment variables. The config file path and name has to be provided in case - # the cluster has already been created. - k8s: - context: "cluster_context" - config_file: "cluster_config" - - # Hashicorp Vault server address and root-token. Vault should be unsealed. - # Do not check-in root_token - vault: - url: "vault_addr" - root_token: "vault_root_token" - secret_path: "secretsv2" - # Git Repo details which will be used by GitOps/Flux. 
- # Do not check-in git_access_token - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/dev" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) - - # Cordapps Repository details (optional if cordapps jar are store in a repository) - cordapps: - jars: - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-supply-chain/4.7/cordapp-supply-chain-4.7.jar - url: "https://repo/path/cordapp1.jar" - - jar: - # e.g https://maven.pkg.github.com/hyperledger/bevel/com.supplychain.bcc.cordapp-contracts-states/4.7/cordapp-contracts-states-4.7.jar - url: "https://repo/path/cordapp2.jar" - username: "git_username" - password: "git_access_token" - - services: - float: - name: float - subject: "CN=Test Float Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - external_url_suffix: test.cordafloat.blockchaincloudpoc.com - cloud_provider: aws # Options: aws, azure, gcp - aws: - access_key: "aws_access_key" # AWS Access key, only used when cloud_provider=aws - secret_key: "aws_secret_key" # AWS Secret key, only used when cloud_provider=aws - k8s: - context: "float_cluster_context" - config_file: "float_cluster_config" - vault: - url: "float_vault_addr" - 
root_token: "float_vault_root_token" - gitops: - git_protocol: "https" # Option for git over https or ssh - git_url: "https://github.com//bevel.git" # Gitops https or ssh url for flux value files - branch: "develop" # Git branch where release is being made - release_dir: "platforms/r3-corda-ent/releases/float" # Relative Path in the Git repo for flux sync per environment. - chart_source: "platforms/r3-corda-ent/charts" # Relative Path where the Helm charts are stored in Git repo - username: "git_username" # Git Service user who has rights to check-in in all branches - password: "git_access_token" # Git Server user password/token (Optional for ssh; Required for https) - email: "git@email.com" # Email to use in git config - git_repo: "github.com//bevel.git" # Gitops git repository URL for git push - private_key: "path_to_private_key" # Path to private key file which has write-access to the git repo (Optional for https; Required for ssh) + truststore: cordacadevpass + keystore: trustpass ports: - p2p_port: 40000 - tunnelport: 39999 - ambassador_tunnel_port: 15051 - ambassador_p2p_port: 15050 - bridge: - name: bridge - subject: "CN=Test Bridge Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" - peers: - - peer: - name: warehouse - subject: "O=Warehouse,OU=Warehouse,L=42.36/-71.06/Boston,C=US" # This is the node identity. L=lat/long is mandatory for supplychain sample app - type: node - credentials: - truststore: trustpass - keystore: cordacadevpass - hsm: # hsm support for future release - enabled: false - p2p: - port: 10002 - targetPort: 10002 - ambassador: 15050 #Port for ambassador service (must be from env.ambassadorPorts above) - rpc: - port: 30000 - targetPort: 10003 - rpcadmin: - port: 30009 - targetPort: 10005 + p2p: 10002 + rpc: 10003 + admin_rpc: 10005 dbtcp: port: 9101 targetPort: 1521 dbweb: port: 8080 targetPort: 81 - springboot: - targetPort: 20001 - port: 20001 - expressapi: - targetPort: 3000 - port: 3000 
diff --git a/platforms/shared/configuration/roles/check/directory/tasks/main.yaml b/platforms/shared/configuration/roles/check/directory/tasks/main.yaml
index 6c39a8c4b42..118db9034bd 100644
--- a/platforms/shared/configuration/roles/check/directory/tasks/main.yaml
+++ b/platforms/shared/configuration/roles/check/directory/tasks/main.yaml
@@ -19,4 +19,4 @@
 recurse: yes
 mode: '0755'
 state: directory
- when: not dir_check.stat.exists
+ # when: not dir_check.stat.exists
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_cenm.tpl b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_cenm.tpl
new file mode 100644
index 00000000000..ef9eb6a3e09
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_cenm.tpl
@@ -0,0 +1,56 @@
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: corda-enterprise
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+ proxy:
+ provider: ambassador
+ externalUrlSuffix: {{ external_url_suffix }}
+ cenm:
+ sharedCreds:
+ truststore: password
+ keystore: password
+ identityManager:
+ port: 10000
+ revocation:
+ port: 5053
+ internal:
+ port: 5052
+ auth:
+ port: 8081
+ gateway:
+ port: 8080
+ zone:
+ enmPort: 25000
+ adminPort: 12345
+ networkmap:
+ internal:
+ port: 5050
+settings:
+ removeKeysOnDelete: true
+tls:
+ enabled: true
+ settings:
+ networkServices: true
+storage:
+ size: 1Gi
+ dbSize: 5Gi
+ allowedTopologies:
+ enabled: false
+subjects:
+ auth: {{ auth_subject }}
+ tlscrlsigner: {{ signer_subject}}
+ tlscrlissuer: {{ idman_crlissuer_subject }}
+ rootca: {{ root_ca }}
+ subordinateca: {{ subordinate_ca }}
+ idmanca: {{ idman_subject }}
+ networkmap: {{ networkmap_subject }}
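Review bot: Commenting out `when: not dir_check.stat.exists` makes the `file` task with `recurse: yes` and `mode: '0755'` run on every play, so an existing directory tree gets its permissions reset to 0755 recursively each time, which loosens any file below it that was deliberately kept more restrictive. If the condition is genuinely unneeded, delete the line and the now-unused `dir_check` stat task instead of leaving dead code; otherwise restore `when: not dir_check.stat.exists`. The enclosing task starts outside the hunk, so the path it operates on is not visible here.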
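Review bot: `cenm.sharedCreds.truststore` and `cenm.sharedCreds.keystore` are hard-coded to the literal `password`, so every network rendered from this template shares the same store credential; if the chart uses these as real keystore/truststore passwords they should come from the network configuration or be read by the chart from Vault, not baked in here. The templated scalars `externalUrlSuffix: {{ external_url_suffix }}` and every entry under `subjects:` are emitted unquoted, so a suffix or X.500 subject containing `: ` or ` #` would alter the YAML structure of the rendered file; quoting them as the other templated values in this file already are (`"{{ ... }}"`) avoids that. `{{ signer_subject}}` is also missing the space before `}}` that the other expressions use.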
diff --git a/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl
new file mode 100644
index 00000000000..8710e7531b9
--- /dev/null
+++ b/platforms/shared/configuration/roles/create/job_component/templates/corda_ent_init.tpl
@@ -0,0 +1,18 @@
+global:
+ serviceAccountName: vault-auth
+ cluster:
+ provider: "{{ cloud_provider }}"
+ cloudNativeServices: false
+ kubernetesUrl: "{{ kubernetes_server }}"
+ vault:
+ type: hashicorp
+ role: vault-role
+ network: corda-enterprise
+ address: "{{ vault.url }}"
+ authPath: "{{ org_name }}"
+ secretEngine: secretsv2
+ secretPrefix: "data/{{ org_name }}"
+proxy:
+ provider: ambassador
+settings:
+ secondaryInit: {{ secondaryInit }}
diff --git a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
index f43047eb558..36df51a75f2 100644
--- a/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
+++ b/platforms/shared/configuration/roles/create/job_component/vars/main.yaml
@@ -9,17 +9,16 @@ job_templates:
 secondary_genesis: secondary_genesis.tpl
 primary_init: primary_init.tpl
 secondary_init: secondary_init.tpl
- fabric_genesis: fabric_genesis.tpl
 indy_genesis: indy_genesis.tpl
 indy_endorser: indy_endorser.tpl
+ corda_ent_init: corda_ent_init.tpl
+ corda_ent_cenm: corda_ent_cenm.tpl
 charts:
 primary_genesis: "{{ network.type }}-genesis"
 secondary_genesis: "{{ network.type }}-genesis"
 primary_init: corda-init
 secondary_init: corda-init
- fabric_genesis: fabric-genesis
-
-bevel_alpine_version: latest
-fabric_tools_image: bevel-fabric-tools
-indy_genesis: indy-genesis
-indy_endorser: indy-register-identity
+ indy_genesis: indy-genesis
+ indy_endorser: indy-register-identity
+ corda_ent_init: enterprise-init
+ corda_ent_cenm: cenm
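Review bot: `proxy:` is emitted at the top level here while the sibling template `corda_ent_cenm.tpl` added in the same commit nests it under `global:`; unless the enterprise-init chart reads it from a different location than the cenm chart, one of the two placements looks wrong and should be checked against the chart's values layout. `secondaryInit: {{ secondaryInit }}` is unquoted and has no default, so an undefined or empty variable renders as a bare `secondaryInit:` (null) rather than a boolean; giving it an explicit default with the `default` filter would make the rendered value deterministic. The variable name `secondaryInit` is also camelCase while the other Ansible variables in this template (`cloud_provider`, `org_name`, `kubernetes_server`) are snake_case.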
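Review bot: Removing `bevel_alpine_version`, `fabric_tools_image` and both `fabric_genesis` entries outright leaves any task or template in this role that still references them undefined at run time, and the commit gives no replacement for them; confirm nothing else reads these names, or keep them until the Fabric path no longer needs them. Moving `indy_genesis` and `indy_endorser` under `charts:` alongside the new `corda_ent_init`/`corda_ent_cenm` entries looks intentional, but the same check applies to any caller that previously read them as top-level variables.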
diff --git a/platforms/shared/configuration/roles/helm_lint/tasks/main.yaml b/platforms/shared/configuration/roles/helm_lint/tasks/main.yaml
index 1278e9d8106..f2b416cf20f 100644
--- a/platforms/shared/configuration/roles/helm_lint/tasks/main.yaml
+++ b/platforms/shared/configuration/roles/helm_lint/tasks/main.yaml
@@ -40,5 +40,5 @@
 # Execute helm lint. If this fails, fix the errors
 - name: "Run helm lint"
 shell: |
- helm lint -f "./build/test/{{metadata.name}}.yaml" "{{playbook_dir}}/../../../{{chart_path}}/{{charts[helmtemplate_type]}}"
+ helm lint -f "./build/test/{{ metadata.name }}.yaml" "{{ playbook_dir }}/../../../{{ chart_path }}/{{ charts[helmtemplate_type] }}"
 when: value_stat_result.stat.exists == True
diff --git a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
index f5c3142beb4..d983ca32962 100644
--- a/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
+++ b/platforms/shared/configuration/roles/helm_lint/vars/main.yaml
@@ -5,7 +5,8 @@
 ##############################################################################################
 charts:
- ca-server: fabric-ca-server
+ ca-orderer: fabric-ca-server
+ ca-peer: fabric-ca-server
 ca-tools: fabric-catools
 cas: fabric-ca-server
 orderers: fabric-orderernode
@@ -69,3 +70,5 @@ charts:
 generate-keys: indy-key-mgmt
 generate-genesis: indy-genesis
 stewards: indy-node
+ corda_ent_notary: enterprise-node
+ corda_ent_network_map: cenm-networkmap
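Review bot: Replacing the `ca-server` key with `ca-orderer` and `ca-peer` means a `helmtemplate_type` of `ca-server` now produces an undefined lookup in `charts[helmtemplate_type]` on the `helm lint` line rather than a chart path, and the error will surface as a Jinja failure rather than a lint result; confirm no caller still passes `ca-server`, or keep `ca-server: fabric-ca-server` as an alias next to the two new keys until callers are migrated.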
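Review bot: `corda_ent_notary` and `corda_ent_network_map` are snake_case while every other key in this `charts` mapping (`ca-orderer`, `ca-tools`, `generate-keys`, `stewards`) is kebab-case, so the lookup key now depends on which convention the caller remembers; pick one form for the new entries, or add the kebab-case spelling as well if the snake_case names must match existing `helmtemplate_type` values. The `charts` map in `job_component/vars/main.yaml` in this same commit also uses snake_case (`corda_ent_init`, `corda_ent_cenm`), so whichever convention is chosen should be applied to both files.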