Merge pull request #2541 from saurabhkumarkardam/substrate-2484

[substrate] platform deployment via Helm
hyperledger-bevel · Apr 22, 2024 · 8cb9c5c · 8cb9c5c
2 parents 2122220 + 1bcbf68
commit 8cb9c5c
Show file tree

Hide file tree

Showing 19 changed files with 962 additions and 709 deletions.
diff --git a/platforms/substrate/charts/README.md b/platforms/substrate/charts/README.md
@@ -3,43 +3,119 @@
 [//]: # (SPDX-License-Identifier: Apache-2.0)
 [//]: # (##############################################################################################)
 
-# Charts for Parity Substrate components
+# Charts for Substrate components
 
 ## About
-This folder contains helm charts which are used by the ansible playbooks for the deployment of the Parity Substrate network. Each chart folder contain a folder for templates, chart file and the corresponding value file. 
+This folder contains the helm charts which are used for the deployment of the Hyperledger Substrate components. Each helm that you can use has the following keys and you need to set them. The `global.cluster.provider` is used as a key for the various cloud features enabled. Also you only need to specify one cloud provider, **not** both if deploying to cloud. As of writing this doc, AWS and Azure both are fully supported.
 
-## Example Folder Structure ###
+```yaml
+global:
+  serviceAccountName: vault-auth
+  cluster:
+    provider: aws   # choose from: minikube | aws
+    cloudNativeServices: false  # future: set to true to use Cloud Native Services 
+    kubernetesUrl: "https://yourkubernetes.com" # Provide the k8s URL, ignore if not using Hashicorp Vault
+  vault:
+    type: hashicorp # choose from hashicorp | kubernetes
+    network: substrate   # must be substrate for these charts
+    # Following are necesupplychain-subsary only when hashicorp vault is used.
+    addresupplychain-subs: http://vault.url:8200
+    authPath: supplychain
+    secretEngine: secretsv2
+    secretPrefix: "data/supplychain"
+    role: vault-role
 ```
 
-/substrate-node
-|-- templates
-|   |-- _helpers.tpl
-|   |-- configmap.yaml
-|   |-- ingress.yaml
-|   |-- service.yaml
-|   |-- statefulset.yaml
-|   |-- volume.yaml
-|-- Chart.yaml
-|-- values.yaml
+## Usage
+
+### Pre-requisites
+
+- Kubernetes Cluster (either Managed cloud option like AKS or local like minikube)
+- Accessible and unsealed Hahsicorp Vault (if using Vault)
+- Configured Ambassador AES (if using Ambassador as proxy)
+- Update the dependencies
+  ```
+  helm dependency update substrate-genesis
+  helm dependency update substrate-node
+  helm dependency update dscp-ipfs-node
+  ```
+
+
+## `Without Proxy and Vault`
+
+### 1. Install Genesis Node
+```bash
+# Install the genesis node
+helm install genesis ./substrate-genesis --namespace supplychain-subs --create-namespace --values ./values/noproxy-and-novault/genesis.yaml
 ```
 
-## Pre-requisites
+### 2. Install Bootnode
+```bash
+# Install bootnode
+helm install validator-1 ./substrate-node --namespace supplychain-subs --values ./values/noproxy-and-novault/node.yaml --set node.isBootnode.enabled=false
+```
 
- Helm to be installed and configured 
+### 3. Install Additional Nodes
 
-## Charts description ##
+To deploy additional nodes, update the following section in the `./values/noproxy-and-novault/node.yaml` file only once:
+```yaml
+...
+node:
+  ...
+  isBootnode:
+    enabled: true
+    bootnodeName: <bootnode-name> # Here it'll be "validator-1" as defined above
+    bootnodeAddr: <bootnode-name>-substrate-node-0-rc-p2p.<bootnode-namespace> # Supporting no-proxy as of now. TODO: enable proxy method.
+    bootnodePort: 30333
+  ...
+...
+```
+Then install the nodes using the following commands:
+```bash
+helm install validator-2 ./substrate-node --namespace supplychain-subs --values ./values/noproxy-and-novault/node.yaml
 
-### 1. substrate-genesis ###
-- This chart directory contains templates for building genesis file for the substrate network.
+helm install validator-3 ./substrate-node --namespace supplychain-subs --values ./values/noproxy-and-novault/node.yaml
 
-### 2. substrate-key-mgmt ###
-- This chart directory contains templates for generating crypto material for substrate node.
+helm install validator-4 ./substrate-node --namespace supplychain-subs --values ./values/noproxy-and-novault/node.yaml
 
-### 3. substrate-node ###
-- This chart directory contains templates for deploying a substrate node.
+helm install    member-1 ./substrate-node --namespace supplychain-subs --values ./values/noproxy-and-novault/node.yaml --set node.role=full
+```
+## 4. Install IPFS Nodes
 
-### 4. vault-k8s-mgmt ###
-- This chart directory contains templates for authenticating vault with kubernetes cluster.
+**4.1.** Update the following section in the `./values/noproxy-and-novault/ipfs.yaml` file only once:
+
+```yaml
+config:
+  # Specify the name of any running member's node that can be considered as a bootnode for the current IPFS node.
+  nodeHost: <member-node>-substrate-node # Here, it can be modified either as member-1-substrate-node or member-2-substrate-node
+```
 
-### 5. dscp-ipfs-node
-- This chart directory contains templates to deploy ipfs node.
+**4.2.** Retrieve the `NODE_ID` from the Kubernetes secret:
+
+```bash
+NODE_ID=$(kubectl get secret "substrate-node-<member-node>-keys" --namespace supplychain-subs -o jsonpath="{.data['substrate-node-keys']}" | base64 -d | jq -r '.data.node_id')
+```
+
+**4.3.** Now, install the IPFS nodes:
+
+```bash
+helm install dscp-ipfs-node-1 ./dscp-ipfs-node --namespace supplychain-subs --values ./values/noproxy-and-novault/ipfs.yaml \
+--set config.ipfsBootNodeAddress="/dns4/dscp-ipfs-node-1-swarm.supplychain-subs/tcp/4001/p2p/$NODE_ID"
+
+helm install dscp-ipfs-node-2 ./dscp-ipfs-node --namespace supplychain-subs --values ./values/noproxy-and-novault/ipfs.yaml \
+--set config.ipfsBootNodeAddress="/dns4/dscp-ipfs-node-2-swarm.supplychain-subs/tcp/4001/p2p/$NODE_ID"
+```
+
+## Clean-up
+
+To clean up, simply uninstall the Helm releases. It's important to uninstall the genesis Helm chart at the end to prevent any cleanup failure.
+```bash
+helm uninstall validator-1      --namespace supplychain-subs
+helm uninstall validator-2      --namespace supplychain-subs
+helm uninstall validator-3      --namespace supplychain-subs
+helm uninstall validator-4      --namespace supplychain-subs
+helm uninstall member-1         --namespace supplychain-subs
+helm uninstall dscp-ipfs-node-1 --namespace supplychain-subs
+helm uninstall dscp-ipfs-node-2 --namespace supplychain-subs
+helm uninstall genesis          --namespace supplychain-subs
+```
diff --git a/platforms/substrate/charts/dscp-ipfs-node/Chart.yaml b/platforms/substrate/charts/dscp-ipfs-node/Chart.yaml
@@ -2,7 +2,7 @@
 #  This Chart is a fork from https://github.com/digicatapult/helm-charts/tree/main/charts/dscp-ipfs
 #  Please update if needed
 ##############################################################################################
-apiVersion: v2
+apiVersion: v1
 name: dscp-ipfs-node
 appVersion: '2.6.1'
 description: dscp-ipfs is a component of the DSCP project that provides a distributed IPFS based storage solution for the DSCP platform.
@@ -11,14 +11,6 @@ type: application
 annotations:
   hyperledger-bevel/platform: substrate
   licenses: Apache-2.0
-dependencies:
-  - name: dscp-node
-    alias: dscpNode
-    repository: https://digicatapult.github.io/helm-charts/
-    tags:
-      - dscp-node
-    version: 4.x.x
-    condition: dscpNode.enabled
 home: https://github.com/hyperledger/bevel
 keywords:
   - DSCP

diff --git a/platforms/substrate/charts/dscp-ipfs-node/requirements.yaml b/platforms/substrate/charts/dscp-ipfs-node/requirements.yaml
@@ -0,0 +1,14 @@
+dependencies:
+  - name: dscp-node
+    alias: dscpNode
+    repository: https://digicatapult.github.io/helm-charts/
+    tags:
+      - dscp-node
+    version: 4.x.x
+    condition: dscpNode.enabled
+  - name: bevel-storageclass
+    alias: storage
+    repository: "file://../../../shared/charts/bevel-storageclass"
+    tags:
+      - storage
+    version: ~1.0.0
diff --git a/platforms/substrate/charts/dscp-ipfs-node/templates/statefulset.yaml b/platforms/substrate/charts/dscp-ipfs-node/templates/statefulset.yaml
@@ -1,3 +1,9 @@
+##############################################################################################
+#  Copyright Accenture. All Rights Reserved.
+#
+#  SPDX-License-Identifier: Apache-2.0
+##############################################################################################
+
 {{ $fullname :=  include "dscp-ipfs.fullname" . }}
 apiVersion: apps/v1
 kind: StatefulSet
@@ -21,7 +27,7 @@ spec:
       labels:
         name: {{ include "dscp-ipfs.fullname" . }}
     spec:
-      serviceAccountName: {{ $.Values.vault.serviceaccountname }}
+      serviceAccountName: {{ $.Values.global.serviceAccountName }}
       {{- include "dscp-ipfs.imagePullSecrets" . | indent 6 }}
       volumes:
         - name: package-manager
@@ -82,21 +88,22 @@ spec:
             - mountPath: {{ .Values.config.ipfsDataPath }}
               name: ipfs-data
         {{- end }}
-        {{- if eq .Values.vault.provider "hashicorp" }}
         - name: ipfs-init
           image: {{ .Values.initContainer.image }}
           imagePullPolicy: {{ .Values.initContainer.pullPolicy | quote }}
           env:
             - name: MOUNT_PATH
               value: {{ .Values.config.ipfsDataPath }}
+{{- if eq .Values.global.vault.type "hashicorp" }}
             - name: VAULT_ADDR
-              value: {{ $.Values.vault.address }}
+              value: {{ $.Values.global.vault.address }}
             - name: KUBERNETES_AUTH_PATH
-              value: {{ $.Values.vault.authpath }}
+              value: {{ $.Values.global.vault.authpath }}
             - name: VAULT_APP_ROLE
-              value: {{ $.Values.vault.role }}
+              value: {{ $.Values.global.vault.role }}
             - name: CERTS_SECRET_PREFIX
-              value: {{ .Values.vault.certsecretprefix }}   
+              value: {{ .Values.global.vault.certsecretprefix }}
+{{- end }}
           volumeMounts:
             - mountPath: {{ .Values.config.ipfsDataPath }}
               name: ipfs-data
@@ -107,7 +114,7 @@ spec:
           args:
             - |-
               #!/usr/bin/env bash
-
+{{- if eq .Values.global.vault.type "hashicorp" }}
               echo "validating vault response"
               validateVaultResponse () {
                 if echo ${2} | grep "errors"; then
@@ -130,6 +137,7 @@ spec:
                 fi
               }
               echo "done validating vault response"
+{{- end }}
 
               . /scripts/package-manager.sh
               # Define the packages to install
@@ -141,6 +149,7 @@ spec:
               peer_id=$(cat config | jq -r .Identity.PeerID)
               private_key=$(cat config | jq -r .Identity.PrivKey)
 
+{{- if eq .Values.global.vault.type "hashicorp" }}
               echo "
                 {
                   \"data\": {
@@ -168,7 +177,7 @@ spec:
                 jq -r 'if .errors then . else .auth.client_token end')
               validateVaultResponse " secret $vault_secret_key" "${LOOKUP_SECRET_RESPONSE}" "LOOKUPSECRETRESPONSE"
               echo "Done saving keys in vault"
-        {{- end }}    
+{{- end }}
       containers:
         - name: {{ include "dscp-ipfs.fullname" . }}
           image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -252,7 +261,7 @@ spec:
       spec:
         accessModes: [ "ReadWriteOnce" ]
         {{- if .Values.storage.storageClass }}
-        storageClassName: {{ .Values.storage.storageClass }}
+        storageClassName: storage-{{ .Release.Name }}
         {{- end }}
         resources:
           requests:

diff --git a/platforms/substrate/charts/dscp-ipfs-node/values.yaml b/platforms/substrate/charts/dscp-ipfs-node/values.yaml
@@ -1,6 +1,36 @@
+##############################################################################################
+#  Copyright Accenture. All Rights Reserved.
+#
+#  SPDX-License-Identifier: Apache-2.0
+##############################################################################################
 
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+
+global:
+  # Provide the service account name autheticated to vault.
+  # NOTE: Make sure that the service account is already created and authenticated to use the vault.
+  # Eg. serviceAccountName: vault-auth
+  serviceAccountName: vault-auth
+  cluster:
+    provider: azure
+    cloudNativeServices: false
+# Vault section contains the vault provider configuration 
+  vault:
+    # Mention the vault provider. Currently hashicorp is supported
+    provider: kubernetes # kubernetes | hashicorp
+    # Provide the vault address
+    # Eg. address: http://vault.example.com:8200
+    address: ""
+    # Provide the vault role used.
+    # Eg. role: vault-role
+    role: vault-role
+    # Provide the authpath configured to be used.
+    authpath: ""
+    # Provide the vault path where the certificates are stored
+    # Eg. certsecretprefix: secret/cenm-org-name
+    certSecretPrefix: ""
+
 ## Provide a name to substitute for the full names of resources
 fullnameOverride: ""
 # This section contains the ipfs node config values
@@ -11,7 +41,7 @@ config:
   # External DSCP-Node hostname to query, this overrides dscpNode.enabled
   nodeHost: ""
   # External DSCP-Node port to query
-  nodePort: ""
+  nodePort: 9944
   # Public key for the IPFS subsystem
   publicKey: ""
   # Private key for the IPFS subsystem
@@ -89,7 +119,7 @@ dscpNode:
 proxy:
   # Mention the proxy provider. Currently ambassador is supported
   # eg. provider: ambassador
-  provider: ambassador
+  provider: none # none | ambassador
   # url that will be added in DNS recordset
   # eg. external_url: test.substrate.example.com
   external_url: ""
@@ -99,23 +129,3 @@ proxy:
   port: 15010
   # Provide the secret name which contains the certificate
   certSecret: ""
-
-# Vault section contains the vault provider configuration 
-vault:
-  # Mention the vault provider. Currently hashicorp is supported
-  provider: hashicorp
-  # Provide the vault address
-  # Eg. address: http://vault.example.com:8200
-  address: ""
-  # Provide the vault role used.
-  # Eg. role: vault-role
-  role: vault-role
-  # Provide the authpath configured to be used.
-  authpath: ""
-  # Provide the service account name autheticated to vault.
-  # NOTE: Make sure that the service account is already created and authenticated to use the vault.
-  # Eg. serviceaccountname: vault-auth
-  serviceAccountName: vault-auth
-  # Provide the vault path where the certificates are stored
-  # Eg. certsecretprefix: secret/cenm-org-name
-  certSecretPrefix: ""
diff --git a/platforms/substrate/charts/substrate-genesis/Chart.yaml b/platforms/substrate/charts/substrate-genesis/Chart.yaml
@@ -3,19 +3,24 @@
 #
 #  SPDX-License-Identifier: Apache-2.0
 ##############################################################################################
-apiVersion: v2
+apiVersion: v1
 name: substrate-genesis
-appVersion: 'latest'
 description: A Helm chart to generate the genesis for Substrate Nodes
-version: 1.0.0
 type: application
-annotations:
-  hyperledger-bevel/platform: substrate
-  licenses: Apache-2.0
-home: https://github.com/hyperledger/bevel
+version: 1.0.0
+appVersion: latest
 keywords:
-  - DSCP
-  - BEVEL
-  - SUBSTRATE
+  - bevel
+  - ethereum
+  - substrate
+  - hyperledger
+  - enterprise
+  - blockchain
+  - deployment
+  - accenture
+home: https://hyperledger-bevel.readthedocs.io/en/latest/
 sources:
   - https://github.com/hyperledger/bevel
+maintainers:
+  - name: Hyperledger Bevel maintainers
+    email: [email protected]