Merge pull request hyperledger#23 from wou43/mvp_v1.0

updated external deployment logic
blockchain-wmt · Jul 21, 2021 · f28a2fb · f28a2fb
2 parents c15ee20 + ecaf8d4
commit f28a2fb
Show file tree

Hide file tree

Showing 35 changed files with 813 additions and 110 deletions.
diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,4 @@
 **/node_modules
 # custom config templates
 *_custom.tpl
+build
diff --git a/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml
@@ -88,17 +88,15 @@ spec:
             LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" ${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end')
             validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}"
 
-            echo ${LOOKUP_SECRET_RESPONSE};
-
             CACERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["ca.crt"]')
             CLIENT_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["client.crt"]')
             CLIENT_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["client.key"]')
 
             mkdir -p ${MOUNT_PATH}
 
-            echo "${CACERT}" >> ${MOUNT_PATH}/ca.crt
-            echo "${CLIENT_CERT}" >> ${MOUNT_PATH}/client.crt
-            echo "${CLIENT_KEY}" >> ${MOUNT_PATH}/client.key
+            echo "${CACERT}" > ${MOUNT_PATH}/ca.crt
+            echo "${CLIENT_CERT}" > ${MOUNT_PATH}/client.crt
+            echo "${CLIENT_KEY}" > ${MOUNT_PATH}/client.key
           fi   
         volumeMounts:
         {{ if .Values.vault.tls  }}

diff --git a/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml b/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml
@@ -179,7 +179,9 @@ spec:
 
             #chaincode path
             CC_SRC_PATH="github.com/chaincode/${CHAINCODE_NAME}/${CHAINCODE_MAINDIR}"
-            
+            cd $GOPATH/src/$CC_SRC_PATH
+            GO111MODULE=on go mod vendor
+            cd $GOPATH/src/github.com/chaincode
           elif [ ${CC_RUNTIME_LANGUAGE} = "java" ]
           then
             ## Copying desired chaincode to a location 

diff --git a/...ledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml b/...ledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml
@@ -37,6 +37,9 @@ spec:
       - name: certificates
         emptyDir:
           medium: Memory
+      - name: chaincodepackage
+        emptyDir:
+          medium: Memory
       initContainers:
       - name: certificates-init
         image: {{ $.Values.metadata.images.alpineutils }}
@@ -146,6 +149,70 @@ spec:
         {{ end }}
         - name: certificates
           mountPath: /secret
+
+      - name: package-init
+        image: {{ $.Values.metadata.images.alpineutils }}
+        imagePullPolicy: Always
+        env:
+        - name: VAULT_ADDR
+          value: {{ $.Values.vault.address }}
+        - name: KUBERNETES_AUTH_PATH
+          value: {{ $.Values.vault.authpath }}
+        - name: VAULT_APP_ROLE
+          value: {{ $.Values.vault.role }}
+        - name: VAULT_CHAINCODE_PACKAGE_PREFIX
+          value: {{ $.Values.vault.chaincodepackageprefix}}
+        - name: CHAINCODE_NAME
+          value: "{{ $.Values.chaincode.name }}"
+        - name: CHAINCODE_VERSION
+          value: "{{ $.Values.chaincode.version }}"
+        - name: CHAINCODE_MOUNT_PATH
+          value: /chaincodepackage
+        command: ["sh", "-c"]
+        args:
+        - |-
+          #!/usr/bin/env sh
+          ## load encoded package bytes from vault
+
+          validateVaultResponse () {
+          if echo ${2} | grep "errors"; then
+           echo "ERROR: unable to retrieve ${1}: ${2}"
+           exit 1
+           fi
+          }
+
+          KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+          echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
+          # Login to Vault and so I can get an approle token
+          VAULT_CLIENT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login \
+            -H "Content-Type: application/json" \
+            -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
+            jq -r 'if .errors then . else .auth.client_token end')
+          validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
+
+          echo "Getting Package Base64 from Vault in ${VAULT_CHAINCODE_PACKAGE_PREFIX}"
+
+          LOOKUP_PACKAGE_BASE64_RESPONSE=$(curl -sS \
+            --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
+            ${VAULT_ADDR}/v1/${VAULT_CHAINCODE_PACKAGE_PREFIX} | jq -r 'if .errors then . else . end')
+
+          validateVaultResponse "secret (${VAULT_CHAINCODE_PACKAGE_PREFIX})" "${LOOKUP_PACKAGE_BASE64_RESPONSE}"
+
+          PACKAGE_HASH=$(echo ${LOOKUP_PACKAGE_BASE64_RESPONSE} | jq -r '.data["package-base64"]')
+
+          PACKAGE_BASE64=$(echo ${LOOKUP_PACKAGE_BASE64_RESPONSE} | jq -r '.data["package-base64"]')
+
+          echo ${PACKAGE_BASE64} | base64 -d > ${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz
+
+        volumeMounts:
+        {{ if .Values.vault.tls  }}
+        - name: vaultca
+          mountPath: "/etc/ssl/certs/"
+          readOnly: true
+        {{ end }}
+        - name: chaincodepackage
+          mountPath: /chaincodepackage
+          readOnly: false
       containers:
       - name: installextchaincode
         image: {{ $.Values.metadata.images.fabrictools }}
@@ -157,30 +224,8 @@ spec:
         - |-
           #!/bin/bash sh
           # tail -f /dev/null;
-          ## packaging chaincode
-          if [ "${CHAINCODE_TLS_DISABLED}" == "false" ]; then
-            CACERT=$(cat ${CHAINCODE_CERTS_PATH}/ca.crt);
-            CACERT=${CACERT//$'\n'/\\n};
-            CLIENT_CERT=$(cat ${CHAINCODE_CERTS_PATH}/client.crt);
-            CLIENT_CERT=${CLIENT_CERT//$'\n'/\\n};
-            CLIENT_KEY=$(cat ${CHAINCODE_CERTS_PATH}/client.key);
-            CLIENT_KEY=${CLIENT_KEY//$'\n'/\\n};
-            echo '{"address":"'${CHAINCODE_ADDR}'","dial_timeout":"10s","tls_required":true,"client_auth_required":true,"client_key":"'${CLIENT_KEY}'","client_cert":"'${CLIENT_CERT}'","root_cert":"'${CACERT}'"}' > connection.json;
-          fi
-          if [ "${CHAINCODE_TLS_DISABLED}" == "true" ]; then
-            echo '{"address":"'${CHAINCODE_ADDR}'","dial_timeout":"10s","tls_required":false,"client_auth_required":false,"client_key":"","client_cert":"","root_cert":""}' > connection.json;
-          fi
-
-          echo '{"path":"","type":"external","label":"'${CHAINCODE_NAME}_${CHAINCODE_VERSION}'"}' > metadata.json;
-
-          cat connection.json;
-          cat metadata.json;
-
-          tar cfz code.tar.gz connection.json;
-          tar cfz ${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz code.tar.gz metadata.json
-
           ## Installing Chaincode
-          peer lifecycle chaincode install ${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz
+          peer lifecycle chaincode install ${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz
           echo "Chaincode installed for Fabric v.2.X"
           #query installed
           echo "peer query installed"
@@ -224,7 +269,12 @@ spec:
           value: "{{ $.Values.metadata.network.version }}"
         - name: CC_RUNTIME_LANGUAGE
           value: "{{ $.Values.chaincode.lang }}"
+        - name: CHAINCODE_MOUNT_PATH
+          value: /chaincodepackage
         volumeMounts:
         - name: certificates
           mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto
           readOnly: true
+        - name: chaincodepackage
+          mountPath: /chaincodepackage
+          readOnly: true
diff --git a/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml b/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml
@@ -555,6 +555,9 @@ chaincode:
     # List of directories to treat as external builders and launchers for
     # chaincode. The external builder detection processing will iterate over the
     # builders in the order specified below.
+    # externalBuilders:
+    #     - path: /var/hyperledger/production/buildpacks
+    #       name: external-builder
     externalBuilders: []
         # - path: /path/to/directory
         #   name: descriptive-builder-name

diff --git a/platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml b/platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml
@@ -0,0 +1,44 @@
+# This playbook executes required tasks to commit chaincode 
+# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation 
+# to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook
+###########################################################################################
+# To Run this playbook from this directory, use the following command (network.yaml also in this directory)
+#  ansible-playbook platforms/hyperledger-fabric/configuration/commit-chaincode.yaml -e "@./network.yaml"
+############################################################################################
+# Please ensure that the ../../shared/configuration playbooks have been run using the same network.yaml
+---
+  # This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group
+- hosts: ansible_provisioners
+  gather_facts: no
+  tasks:
+
+    ############################################################################################
+    # This task deploys the external chaincode server for desired org
+    - name: Deploy external chaincode server
+      include_role:
+        name: "create/external_chaincode"
+      vars:
+        docker_url: "{{ network.docker.url }}"
+        name: "{{ item.name | lower}}"
+        namespace: "{{ item.name | lower}}-net"
+        component_type: "{{ item.type | lower}}"
+        component_peers: "{{ item.services.peers }}"
+        org_name: "{{ item.name | lower }}"
+        org_ns: "{{ item.name | lower }}-net"
+        kubernetes: "{{ item.k8s }}"
+        vault: "{{ item.vault }}"
+        peers: "{{ item.services.peers }}"
+        git_url: "{{ item.gitops.git_url }}"
+        git_branch: "{{ item.gitops.branch }}"
+        charts_dir: "{{ item.gitops.chart_source }}"
+        values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+      loop: "{{ network['organizations'] }}"
+      when: item.type == 'peer' and item.org_status == 'new'
+
+  vars: #These variables can be overriden from the command line
+    privilege_escalate: false           #Default to NOT escalate to root privledges
+    install_os: "linux"                 #Default to linux OS
+    install_arch:  "amd64"              #Default to amd64 architecture
+    bin_install_dir:  "~/bin"            #Default to /bin install directory for binaries
+    add_new_org: 'false'                # Default to false as this is for main network creation
+    external_chaincode: false                # Default to false 
diff --git a/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml b/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml
@@ -126,7 +126,7 @@
         component_type: "{{ item.type | lower}}"
         component_services: "{{ item.services }}"
         vault: "{{ item.vault }}"
-        git_url: "{{ item.gitops.git_ssh }}"
+        git_url: "{{ item.gitops.git_url }}"
         git_branch: "{{ item.gitops.branch }}"
         docker_url: "{{ network.docker.url }}"
         charts_dir: "{{ item.gitops.chart_source }}"

diff --git a/platforms/hyperledger-fabric/configuration/external-chaincode.yaml b/platforms/hyperledger-fabric/configuration/external-chaincode.yaml
@@ -93,7 +93,6 @@
         name: "create/chaincode/install-external"
       vars:
         envspace: "{{ network.env.type }}"
-        docker_url: "{{ network.docker.url }}"
         name: "{{ item.name | lower}}"
         namespace: "{{ item.name | lower}}-net"
         component_type: "{{ item.type | lower}}"
@@ -152,7 +151,6 @@
         peers: "{{ item.services.peers }}"
         git_url: "{{ item.gitops.git_url }}"
         git_branch: "{{ item.gitops.branch }}"
-        docker_url: "{{ network.docker.url }}"
         charts_dir: "{{ item.gitops.chart_source }}"
         values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
       loop: "{{ network['organizations'] }}"

diff --git a/platforms/hyperledger-fabric/configuration/install-chaincode.yaml b/platforms/hyperledger-fabric/configuration/install-chaincode.yaml
@@ -113,7 +113,7 @@
         kubernetes: "{{ item.k8s }}"
         vault: "{{ item.vault }}"
         peers: "{{ item.services.peers }}"
-        git_url: "{{ item.gitops.git_ssh }}"
+        git_url: "{{ item.gitops.git_url }}"
         git_branch: "{{ item.gitops.branch }}"
         docker_url: "{{ network.docker.url }}"
         charts_dir: "{{ item.gitops.chart_source }}"

diff --git a/platforms/hyperledger-fabric/configuration/install-external-chaincode-only.yaml b/platforms/hyperledger-fabric/configuration/install-external-chaincode-only.yaml
@@ -0,0 +1,92 @@
+# This playbook executes required tasks to instal, approve, commit and deploy an external chaincode 
+# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation 
+# to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook
+###########################################################################################
+# To Run this playbook from this directory, use the following command (network.yaml also in this directory)
+#  ansible-playbook platforms/hyperledger-fabric/configuration/external-chaincode.yaml -e "@./network.yaml"
+############################################################################################
+# Please ensure that the ../../shared/configuration playbooks have been run using the same network.yaml
+---
+  # This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group
+- hosts: ansible_provisioners
+  gather_facts: no
+  tasks:
+
+    ############################################################################################
+    # This task installs the external chaincode on the desired peers
+    - name: Install external chaincode
+      include_role:
+        name: "create/chaincode/install-external"
+      vars:
+        envspace: "{{ network.env.type }}"
+        name: "{{ item.name | lower}}"
+        namespace: "{{ item.name | lower}}-net"
+        component_type: "{{ item.type | lower}}"
+        component_peers: "{{ item.services.peers }}"
+        org_name: "{{ item.name | lower }}"
+        org_ns: "{{ item.name | lower }}-net"
+        kubernetes: "{{ item.k8s }}"
+        vault: "{{ item.vault }}"
+        peers: "{{ item.services.peers }}"
+        git_url: "{{ item.gitops.git_url }}"
+        git_branch: "{{ item.gitops.branch }}"
+        docker_url: "{{ network.docker.url }}"
+        charts_dir: "{{ item.gitops.chart_source }}"
+        values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+      loop: "{{ network['organizations'] }}"
+      when: item.type == 'peer' and item.org_status == 'new'
+
+    ############################################################################################
+    # This task approves desired installed chaincode on the peers
+    - name: "Approve chaincode"
+      include_role:
+        name: "create/chaincode/approve"
+      vars:
+        participants: "{{ item.participants }}"
+        docker_url: "{{ network.docker.url }}"
+      loop: "{{ network['channels'] }}"
+      when: participants is defined and '2.' in network.version
+
+    ############################################################################################
+    # This task commits the desired approved chaincode
+    - name: Commit chaincode
+      include_role:
+        name: "create/chaincode/commit"
+      vars:
+        participants: "{{ item.participants }}"
+        docker_url: "{{ network.docker.url }}"
+        approvers: "{{ item.endorsers }}"
+      loop: "{{ network['channels'] }}"
+      loop_control:
+        extended: true
+      when: add_new_org == 'false' and '2.' in network.version
+
+    ############################################################################################
+    # This task deploys the external chaincode server for desired org
+    - name: Deploy external chaincode server
+      include_role:
+        name: "create/external_chaincode"
+      vars:
+        docker_url: "{{ network.docker.url }}"
+        name: "{{ item.name | lower}}"
+        namespace: "{{ item.name | lower}}-net"
+        component_type: "{{ item.type | lower}}"
+        component_peers: "{{ item.services.peers }}"
+        org_name: "{{ item.name | lower }}"
+        org_ns: "{{ item.name | lower }}-net"
+        kubernetes: "{{ item.k8s }}"
+        vault: "{{ item.vault }}"
+        peers: "{{ item.services.peers }}"
+        git_url: "{{ item.gitops.git_url }}"
+        git_branch: "{{ item.gitops.branch }}"
+        charts_dir: "{{ item.gitops.chart_source }}"
+        values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+      loop: "{{ network['organizations'] }}"
+      when: item.type == 'peer' and item.org_status == 'new'       
+
+  vars: #These variables can be overriden from the command line
+    privilege_escalate: false           #Default to NOT escalate to root privledges
+    install_os: "linux"                 #Default to linux OS
+    install_arch:  "amd64"              #Default to amd64 architecture
+    bin_install_dir:  "~/bin"            #Default to /bin install directory for binaries
+    add_new_org: 'false'                # Default to false as this is for main network creation
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml
@@ -5,6 +5,8 @@
   loop: "{{ services.peers }}"
   loop_control:
     loop_var: peer
+  vars:
+    first_peer_name: "{{ (services.peers | first)['name'] }}"
   when: 
     - peer.chaincode is defined
     - peer.chaincode.external_chaincode is defined