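# Helm template for a Kubernetes Job that installs an externally built
# chaincode package on a Fabric peer. Two init containers fetch the admin MSP,
# orderer TLS CA, optional chaincode TLS material and the base64 package from
# Vault into memory-backed emptyDir volumes; the main container runs the peer
# CLI against that material, mounted read-only.
apiVersion: batch/v1
kind: Job
metadata:
  name: installextchaincode-{{ $.Values.peer.name }}-{{ $.Values.chaincode.name }}-{{ $.Values.chaincode.version }}
  namespace: {{ $.Values.metadata.namespace }}
  labels:
    app: installextchaincode-{{ $.Values.peer.name }}-{{ $.Values.chaincode.name }}-{{ $.Values.chaincode.version }}
    app.kubernetes.io/name: installextchaincode-{{ $.Values.chaincode.name }}{{ $.Values.chaincode.version }}
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- include "labels.custom" . | nindent 2 }}
spec:
  backoffLimit: 6
  template:
    metadata:
      labels:
        app: installextchaincode-{{ $.Values.peer.name }}-{{ $.Values.chaincode.name }}-{{ $.Values.chaincode.version }}
        app.kubernetes.io/name: installextchaincode-{{ $.Values.chaincode.name }}{{ $.Values.chaincode.version }}
        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
        app.kubernetes.io/instance: {{ .Release.Name }}
    spec:
      restartPolicy: OnFailure
      # This service account's projected JWT is what the init containers present
      # to Vault's Kubernetes auth backend; scope its Vault role to read-only on
      # the secret prefixes below.
      serviceAccountName: {{ $.Values.vault.serviceaccountname }}
      imagePullSecrets:
        - name: {{ $.Values.vault.imagesecretname }}
      volumes:
        {{ if .Values.vault.tls }}
        # CA used to verify the Vault server. It is mounted over /etc/ssl/certs
        # in the init containers, so it replaces the system CA bundle there.
        - name: vaultca
          secret:
            secretName: {{ $.Values.vault.tls }}
            items:
              - key: ca.crt.pem
                path: ca-certificates.crt
        {{ end }}
        # Memory-backed scratch space so MSP keys and the package never touch
        # node disk. The same emptyDir is reused if an init container is retried
        # inside this pod, which is why the scripts overwrite instead of append.
        - name: certificates
          emptyDir:
            medium: Memory
        - name: chaincodepackage
          emptyDir:
            medium: Memory
      initContainers:
        # Pulls orderer TLS CA, admin MSP and (when chaincode TLS is enabled)
        # the chaincode client certificates from Vault into /secret.
        - name: certificates-init
          image: {{ $.Values.metadata.images.alpineutils }}
          imagePullPolicy: Always
          env:
            # Templated env values are quoted: Kubernetes requires env values to
            # be strings, and an unquoted value that looks like a number or
            # boolean would otherwise fail validation.
            - name: VAULT_ADDR
              value: "{{ $.Values.vault.address }}"
            - name: KUBERNETES_AUTH_PATH
              value: "{{ $.Values.vault.authpath }}"
            - name: VAULT_APP_ROLE
              value: "{{ $.Values.vault.role }}"
            - name: VAULT_CHAINCODE_SECRET_PREFIX
              value: "{{ $.Values.vault.chaincodesecretprefix }}"
            - name: VAULT_PEER_SECRET_PREFIX
              value: "{{ $.Values.vault.adminsecretprefix }}"
            - name: VAULT_ORDERER_SECRET_PREFIX
              value: "{{ $.Values.vault.orderersecretprefix }}"
            - name: MOUNT_PATH
              value: /secret
            - name: NETWORK_VERSION
              value: "{{ $.Values.metadata.network.version }}"
            - name: CHAINCODE_TLS_DISABLED
              value: "{{ $.Values.chaincode.tls_disabled }}"
          command: ["sh", "-c"]
          args:
            - |-
              #!/usr/bin/env sh
              # Abort when a Vault call returned an error document, or nothing
              # at all (e.g. curl could not connect): an empty response must not
              # be written out as an empty certificate or key.
              validateVaultResponse () {
                if [ -z "${2}" ] || echo "${2}" | grep -q '"errors"'; then
                  echo "ERROR: unable to retrieve ${1}: ${2}"
                  exit 1
                fi
              }
              KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
              echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
              # Exchange the pod's service-account JWT for a Vault client token
              # through the Kubernetes auth backend.
              VAULT_CLIENT_TOKEN=$(curl -sS --request POST "${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login" \
                -H "Content-Type: application/json" \
                -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
                jq -r 'if .errors then . else .auth.client_token end')
              validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
              # Orderer TLS CA -> ${MOUNT_PATH}/orderer/tls/ca.crt
              vault_secret_key="${VAULT_ORDERER_SECRET_PREFIX}/tls"
              echo "Getting Orderer TLS certificates from Vault using key $vault_secret_key"
              OUTPUT_PATH="${MOUNT_PATH}/orderer/tls"
              LOOKUP_SECRET_RESPONSE=$(curl -sS \
                --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
                "${VAULT_ADDR}/v1/${vault_secret_key}" | jq -r 'if .errors then . else . end')
              validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}"
              TLS_CA_CERT=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["ca.crt"]')
              mkdir -p "${OUTPUT_PATH}"
              # Overwrite rather than append: the emptyDir survives a retry of
              # this init container and appending would duplicate PEM blocks.
              echo "${TLS_CA_CERT}" > "${OUTPUT_PATH}/ca.crt"
              # Admin MSP -> ${MOUNT_PATH}/admin/msp/{admincerts,cacerts,keystore,signcerts,tlscacerts}
              vault_secret_key="${VAULT_PEER_SECRET_PREFIX}/msp"
              echo "Getting MSP certificates from Vault using key $vault_secret_key"
              OUTPUT_PATH="${MOUNT_PATH}/admin/msp"
              LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" "${VAULT_ADDR}/v1/${vault_secret_key}" | jq -r 'if .errors then . else . end')
              validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}"
              ADMINCERT=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["admincerts"]')
              CACERTS=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["cacerts"]')
              KEYSTORE=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["keystore"]')
              SIGNCERTS=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["signcerts"]')
              TLSCACERTS=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["tlscacerts"]')
              mkdir -p "${OUTPUT_PATH}/admincerts" "${OUTPUT_PATH}/cacerts" "${OUTPUT_PATH}/keystore" \
                "${OUTPUT_PATH}/signcerts" "${OUTPUT_PATH}/tlscacerts"
              echo "${ADMINCERT}" > "${OUTPUT_PATH}/admincerts/admin.crt"
              echo "${CACERTS}" > "${OUTPUT_PATH}/cacerts/ca.crt"
              # Admin signing key: lives only in the memory-backed volume.
              echo "${KEYSTORE}" > "${OUTPUT_PATH}/keystore/server.key"
              echo "${SIGNCERTS}" > "${OUTPUT_PATH}/signcerts/server.crt"
              echo "${TLSCACERTS}" > "${OUTPUT_PATH}/tlscacerts/tlsca.crt"
              # Chaincode client TLS material is only needed when chaincode TLS
              # is on. POSIX test uses a single "=" for string comparison.
              if [ "${CHAINCODE_TLS_DISABLED}" = "false" ]; then
                vault_secret_key="${VAULT_CHAINCODE_SECRET_PREFIX}"
                echo "Getting chaincode certificates from Vault using key $vault_secret_key"
                OUTPUT_PATH="${MOUNT_PATH}/chaincode"
                LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" "${VAULT_ADDR}/v1/${vault_secret_key}" | jq -r 'if .errors then . else . end')
                validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}"
                CACERT=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["ca.crt"]')
                CLIENT_CERT=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["client.crt"]')
                CLIENT_KEY=$(echo "${LOOKUP_SECRET_RESPONSE}" | jq -r '.data["client.key"]')
                mkdir -p "${OUTPUT_PATH}"
                echo "${CACERT}" > "${OUTPUT_PATH}/ca.crt"
                echo "${CLIENT_CERT}" > "${OUTPUT_PATH}/client.crt"
                echo "${CLIENT_KEY}" > "${OUTPUT_PATH}/client.key"
              fi
          volumeMounts:
            {{ if .Values.vault.tls }}
            - name: vaultca
              mountPath: "/etc/ssl/certs/"
              readOnly: true
            {{ end }}
            - name: certificates
              mountPath: /secret
        # Fetches the base64-encoded chaincode package from Vault and decodes it
        # into the chaincodepackage volume.
        - name: package-init
          image: {{ $.Values.metadata.images.alpineutils }}
          imagePullPolicy: Always
          env:
            - name: VAULT_ADDR
              value: "{{ $.Values.vault.address }}"
            - name: KUBERNETES_AUTH_PATH
              value: "{{ $.Values.vault.authpath }}"
            - name: VAULT_APP_ROLE
              value: "{{ $.Values.vault.role }}"
            - name: VAULT_CHAINCODE_PACKAGE_PREFIX
              value: "{{ $.Values.vault.chaincodepackageprefix }}"
            - name: CHAINCODE_NAME
              value: "{{ $.Values.chaincode.name }}"
            - name: CHAINCODE_VERSION
              value: "{{ $.Values.chaincode.version }}"
            - name: CHAINCODE_MOUNT_PATH
              value: /chaincodepackage
          command: ["sh", "-c"]
          args:
            - |-
              #!/usr/bin/env sh
              ## load encoded package bytes from vault
              # Same guard as in certificates-init: reject Vault error documents
              # and empty responses instead of silently continuing.
              validateVaultResponse () {
                if [ -z "${2}" ] || echo "${2}" | grep -q '"errors"'; then
                  echo "ERROR: unable to retrieve ${1}: ${2}"
                  exit 1
                fi
              }
              KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
              echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
              # Exchange the pod's service-account JWT for a Vault client token
              # through the Kubernetes auth backend.
              VAULT_CLIENT_TOKEN=$(curl -sS --request POST "${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login" \
                -H "Content-Type: application/json" \
                -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
                jq -r 'if .errors then . else .auth.client_token end')
              validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
              echo "Getting Package Base64 from Vault in ${VAULT_CHAINCODE_PACKAGE_PREFIX}"
              LOOKUP_PACKAGE_BASE64_RESPONSE=$(curl -sS \
                --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
                "${VAULT_ADDR}/v1/${VAULT_CHAINCODE_PACKAGE_PREFIX}" | jq -r 'if .errors then . else . end')
              validateVaultResponse "secret (${VAULT_CHAINCODE_PACKAGE_PREFIX})" "${LOOKUP_PACKAGE_BASE64_RESPONSE}"
              # NOTE(review): only the package bytes are stored; no digest is kept
              # alongside them, so the package's integrity rests on Vault's access
              # control. (A former PACKAGE_HASH variable read this same key and
              # was never used; it has been dropped.)
              PACKAGE_BASE64=$(echo "${LOOKUP_PACKAGE_BASE64_RESPONSE}" | jq -r '.data["package-base64"]')
              # jq prints "null" for a missing key; neither that nor an empty
              # string is a package, so fail here instead of writing a bogus .tgz.
              if [ -z "${PACKAGE_BASE64}" ] || [ "${PACKAGE_BASE64}" = "null" ]; then
                echo "ERROR: package-base64 not found in secret (${VAULT_CHAINCODE_PACKAGE_PREFIX})"
                exit 1
              fi
              echo "${PACKAGE_BASE64}" | base64 -d > "${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz"
          volumeMounts:
            {{ if .Values.vault.tls }}
            - name: vaultca
              mountPath: "/etc/ssl/certs/"
              readOnly: true
            {{ end }}
            - name: chaincodepackage
              mountPath: /chaincodepackage
              readOnly: false
      containers:
        # Installs the package with the peer CLI, authenticating as the org admin
        # whose MSP was staged by certificates-init.
        - name: installextchaincode
          image: {{ $.Values.metadata.images.fabrictools }}
          imagePullPolicy: Always
          stdin: true
          tty: true
          command: ["sh", "-c"]
          args:
            - |-
              #!/usr/bin/env sh
              ## Installing Chaincode
              # NOTE(review): the install exit status is intentionally not
              # checked here (as before); queryinstalled below shows whether
              # the package landed, and the Job's backoffLimit handles retries.
              peer lifecycle chaincode install "${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz"
              echo "Chaincode installed for Fabric v.2.X"
              # query installed
              echo "peer query installed"
              peer lifecycle chaincode queryinstalled
          env:
            # No docker socket is mounted into this pod, so this endpoint is
            # unreachable from here; the lifecycle commands above do not appear
            # to depend on it.
            - name: CORE_VM_ENDPOINT
              value: unix:///host/var/run/docker.sock
            - name: FABRIC_LOGGING_SPEC
              value: "{{ $.Values.peer.loglevel }}"
            - name: CORE_PEER_ID
              value: "{{ $.Values.peer.name }}.{{ $.Values.metadata.namespace }}"
            - name: CORE_PEER_ADDRESS
              value: "{{ $.Values.peer.address }}"
            - name: CORE_PEER_LOCALMSPID
              value: "{{ $.Values.peer.localmspid }}"
            - name: CORE_PEER_TLS_ENABLED
              value: "{{ $.Values.peer.tlsstatus }}"
            # Paths below resolve into the read-only "certificates" mount.
            - name: CORE_PEER_TLS_ROOTCERT_FILE
              value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp/cacerts/ca.crt
            - name: ORDERER_CA
              value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/orderer/tls/ca.crt
            - name: CORE_PEER_MSPCONFIGPATH
              value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/admin/msp
            - name: CHAINCODE_CERTS_PATH
              value: /opt/gopath/src/github.com/hyperledger/fabric/crypto/chaincode
            - name: CHAINCODE_NAME
              value: "{{ $.Values.chaincode.name }}"
            - name: CHAINCODE_TLS_DISABLED
              value: "{{ $.Values.chaincode.tls_disabled }}"
            - name: CHAINCODE_ADDR
              value: "{{ $.Values.chaincode.address }}"
            - name: CHAINCODE_MAINDIR
              value: "{{ $.Values.chaincode.maindirectory }}"
            - name: CHAINCODE_VERSION
              value: "{{ $.Values.chaincode.version }}"
            - name: CHAINCODE_SEQUENCE
              value: "{{ $.Values.chaincode.sequence }}"
            - name: CORE_CHAINCODE_BUILDER
              value: "{{ $.Values.chaincode.builder }}"
            - name: NETWORK_VERSION
              value: "{{ $.Values.metadata.network.version }}"
            - name: CC_RUNTIME_LANGUAGE
              value: "{{ $.Values.chaincode.lang }}"
            - name: CHAINCODE_MOUNT_PATH
              value: /chaincodepackage
          volumeMounts:
            # Admin MSP (including the signing key) and TLS CAs, read-only.
            - name: certificates
              mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto
              readOnly: true
            - name: chaincodepackage
              mountPath: /chaincodepackage
              readOnly: true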