
Configure Common Pre-requisites

GitOps Authentication

For synchronizing the Git repo with the cluster, Hyperledger Bevel configures Flux for each cluster. The authentication can be via SSH or HTTPS.

For HTTPS, generate a Git access token and give it read-write access. Keep the token safe for later use.

For GitHub, you can follow these instructions on how to create a token.

For SSH, run the following command to generate a private-public key pair named gitops.

cd ~/.ssh
ssh-keygen -q -N "" -f ./gitops

The above command generates an SSH key-pair: gitops (private key) and gitops.pub (public key).

Warning

Ensure that the Ansible host has read-access to the private key file (gitops).

Then add the public key contents (starts with ssh-rsa) as an Access Key (with read-write permissions) in your GitHub repository by following this guide.

Unseal Hashicorp Vault

The Hashicorp Vault must be initialised and unsealed. Complete the following steps to unseal and access the Vault.

  • Install Vault client. Follow the instructions on Install Vault.

Important

Vault version should be > 1.13.1

  • Set the environment variable VAULT_ADDR to the address of the Vault service.

    export VAULT_ADDR=http://my-vault-server:9000
    

Tip

Do not use 127.0.0.1 or localhost for any services like Kubernetes or Vault.

Warning

The port should be accessible from the host on which you are running this command, as well as from the Ansible controller and the Kubernetes nodes.

  • To initialise the Vault, execute the following:

    vault operator init -key-shares=1 -key-threshold=1
    
    It will give the following output:
    Unseal Key 1: << unseal key>>
    
    Initial Root Token: << root token>>
    
    Save the root token and unseal key in a secure location.

  • Unseal with the following command:

    vault operator unseal << unseal-key-from-above >>
    

  • Run this command to check if Vault is unsealed:
    vault status
    

Tip

For production systems, it is recommended to use Vault auto-unseal with a cloud KMS. Also rotate the root token regularly.
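The conditions from the steps above (no loopback VAULT_ADDR, Vault initialised and unsealed, version > 1.13.1) can be checked by a script before the Ansible playbooks run. The following is an added example, not part of Hyperledger Bevel: the function names and the sample status JSON are constructed for illustration, and it assumes the pretty-printed, one-field-per-line output of `vault status -format=json`.

```shell
#!/bin/sh
# Fail for an empty address or the loopback names the page warns against.
addr_ok() {
  case "$1" in
    ""|*://127.*|*://localhost|*://localhost[:/]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read status JSON on stdin and print one top-level scalar field.
json_field() {
  sed -n "s/^ *\"$1\": *\"*\([^\",]*\)\"*,* *\$/\1/p" | head -n 1
}

# Succeed only when version $1 is strictly greater than version $2.
version_gt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 1
  }'
}

# $1 = VAULT_ADDR, $2 = status JSON. Prints each failed check; returns 1 on any.
vault_preflight() {
  rc=0
  addr_ok "$1" || { echo "VAULT_ADDR is empty or loopback: '$1'"; rc=1; }
  [ "$(printf '%s\n' "$2" | json_field initialized)" = true ] ||
    { echo "Vault is not initialised"; rc=1; }
  [ "$(printf '%s\n' "$2" | json_field sealed)" = false ] ||
    { echo "Vault is sealed"; rc=1; }
  ver=$(printf '%s\n' "$2" | json_field version)
  version_gt "${ver:-0}" 1.13.1 ||
    { echo "Vault version '${ver}' is not > 1.13.1"; rc=1; }
  return "$rc"
}

# Constructed sample of the status output, so the script runs offline.
SAMPLE_STATUS='{
  "initialized": true,
  "sealed": false,
  "version": "1.15.2"
}'
vault_preflight "http://my-vault-server:9000" "$SAMPLE_STATUS" && echo "pre-flight passed"
```

Against a live server, call `vault_preflight "$VAULT_ADDR" "$(vault status -format=json)"` and stop the deployment on a non-zero return.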

Docker Images

Hyperledger Bevel provides pre-built Docker images, which are available on the GitHub repo. Ensure that the versions/tags you need are available. If not, ask a question.

Tip

Hyperledger Bevel recommends using a private container registry for production. The username/password for the container registry can be provided in a network.yaml file so that the Kubernetes cluster can access the registry.

Corda Enterprise Docker Images

For Corda Enterprise, the corda_ent_node and corda_ent_firewall Docker images should be built and put in a private Docker registry. Please follow these instructions to build Docker images for Corda Enterprise.

The official Corda images are available on Docker Hub. These are for evaluation only. For a production implementation, please acquire licensed images from R3, upload them to your private container registry, and update the tags accordingly.

The following Corda Docker images are used and needed by Hyperledger Bevel.