Corda Enterprise Configurations¶
In Hyperledger Bevel project, Ansible is used to automate the certificate generation, putting them in vault and generate value files, which are then pushed to the git repository for deployment, using GitOps. This is achieved using Ansible playbooks.
Ansible playbooks contains a series of roles and tasks which run in sequential order to achieve the automation.
For R3-Corda Enterprise, the ansible roles and playbooks are located at platforms/r3-corda-ent/configuration/
Some of the common roles and playbooks between Hyperledger-Fabric, Hyperledger-Indy, Hyperledger-Besu, R3 Corda and Quorum are located at platforms/shared/configurations/
platforms/r3-corda-ent/configuration
├── deploy-network.yaml
├── deploy-nodes.yaml
├── openssl.conf
├── README.md
├── reset-network.yaml
├── roles
│ ├── create
│ │ ├── certificates
│ │ ├── k8_component
│ │ ├── namespace_serviceaccount
│ │ └── storageclass
│ ├── delete
│ │ ├── flux_releases
│ │ ├── gitops_files
│ │ └── vault_secrets
│ ├── helm_component
│ │ ├── Readme.md
│ │ ├── tasks
│ │ ├── templates
│ │ └── vars
│ └── setup
│ ├── auth
│ ├── bridge
│ ├── cenm
│ ├── credentials
│ ├── float
│ ├── float-environment
│ ├── gateway
│ ├── get_crypto
│ ├── idman
│ ├── nmap
│ ├── node
│ ├── node_registration
│ ├── notary
│ ├── notary-initial-registration
│ ├── pki-generator
│ ├── pki-generator-node
│ ├── signer
│ ├── tlscerts
│ ├── vault_kubernetes
│ └── zone
└── samples
├── network-cordaent.yaml
│ ├── network-addNotary.yaml
└── README.md
Playbooks for setting up Corda Enterprise Network¶
Below are the playbooks availabe for the network operations.
deploy_network.yaml¶
This is the main ansible playbook which call all the roles in below sequence to setup Corda Enterprise network.
- Remove build directory
- Create Storage Class
- Create namespace and vault auth
- Deploy CENM services
- Check that network service uri are reachable
- Deploy nodes
deploy_nodes.yaml¶
This ansible playbook should be used when deploying only the nodes. This can be used when the CENM Services are already up and managed by a different network.yaml. This calls the below supporting roles in sequence.
- Remove build directory
- Create Storage Class
- Create namespace and vault auth
- Check that network service uri are reachable
- Deploy nodes
reset_network.yaml¶
This ansible playbook is used when deleting the network. This calls the below supporting roles in sequence.
- Deletes the Gitops release files
- Deletes the Vault secrets and authpaths
- Uninstalls Flux
- Deletes the helm releases from Kubernetes
- Remove build directory
Follow Readme for detailed information.
Roles defined for Corda Enterprise¶
Roles in ansible are a combination of logically inter-related tasks. Below are the roles that are defined for Corda Enterprise.
create/certificates/cenm¶
- Creates the Ambassador Proxy TLS Certificates for CENM components
- Saves them to Vault
- Creates Kubernetes secrets to be used by Ambassador pods
Follow Readme for detailed information.
create/certificates/node¶
- Creates the Ambassador Proxy TLS Certificates for Corda Nodes
- Saves them to Vault
- Creates Kubernetes secrets to be used by Ambassador pods
Follow Readme for detailed information.
create/k8_component¶
- Creates various Kubernetes components based on the
templates
- Checks-in to git repo
Add new tpl files in templates
folder when defining new storageclass.
Follow Readme for detailed information.
create/namespace_serviceaccount¶
- Creates the namespace, serviceaccounts and clusterrolebinding
- Checks-in to git repo
create/storageclass¶
- Creates the storageclass template with name “cordaentsc”
- Checks-in to git repo
Follow Readme for detailed information.
delete/flux_releases¶
- Deletes all helmreleases in the namespace
- Deletes the namespace
Follow Readme for detailed information.
delete/gitops_files¶
- Deletes all gitops files from release folder
- Checks-in to git repo
Follow Readme for detailed information.
delete/vault_secrets¶
- Deletes all contents of Vault
- Deletes the related Kubernetes secrets
- Deletes Vault access policies
Follow Readme for detailed information.
helm_component¶
- Creates various Helmrelease components based on the
templates
- Performs helm lint (when true)
Most default values are in the tpl files in templates
folder. If any need to be changed, these tpl files need to be edited.
Follow Readme for detailed information.
setup/auth¶
- Wait for pki-generator job to “Complete”
- Create helmrelease files for Auth component
- Check-in to git repo
Follow Readme for detailed information.
setup/bridge¶
- Create helmrelease files for Bridge component
- Check-in to git repo
Follow Readme for detailed information.
setup/cenm¶
- Checks all the prerequisite namespaces and serviceaccounts are created
- Creates vault access for cenm organization
- Calls setup/pki-generator role to generate network crypto.
- Calls setup/auth role to generate network crypto.
- Calls setup/gateway role to generate network crypto.
- Calls setup/zone role to generate network crypto.
- Calls setup/signer role to deploy signer service.
- Calls setup/idman role to deploy idman service.
- Calls setup/nmap role to deploy nmap service.
- Calls setup/notary role to deploy notary service.
Follow Readme for detailed information.
setup/credentials¶
- Writes keystore, truststore, ssl passwords for CENM services
- Writes node keystore, node truststore, network root-truststore passwords for CENM services
Follow Readme for detailed information.
setup/float¶
- Create helmrelease files for Float component
- Check-in to git repo
Follow Readme for detailed information.
setup/gateway¶
- Wait for pki-generator job to “Complete”
- Create gateway ambassador certificates
- Create helmrelease files for Gateway component
- Check-in to git repo
Follow Readme for detailed information.
setup/get_crypto¶
- Saves the Ambassador cert and key file to local file from Vault when playbook is re-run.
Follow Readme for detailed information.
setup/idman¶
- Wait for Signer pod to be “Running”
- Creates Ambassador certs by calling create/certificates/cenm role
- Create idman value files
- Check-in to git repo
setup/nmap¶
- Wait for PKI Job to “Complete” if certificates are not on Vault
- Creates Ambassador certs by calling create/certificates/cenm role
- Gets network-root-truststore.jks from Vault to save to local
- Create Notary-registration Job if not done already
- Wait forNotary-registration Job to “Complete” if not done already
- Create nmap value files
- Check-in to git repo
Follow Readme for detailed information.
setup/node¶
- Wait for all the prerequisites (namespace, Vault auth, rbac, imagepullsecret)
- Create Vault access using setup/vault_kubernetes role
- Create ambassador certificates by calling create/certificates/node
- Save idman/networkmap tls certs to Vault for this org
- Create node initial registration by calling setup/node_registration role
- Create node value files
- Create bridge, if enabled, by calling setup/bridge
- Create float, if enabled, by calling setup/float
- Check-in to git repo
Follow Readme for detailed information.
setup/node_registration¶
- Create node db helm value files
- Create node initial registration helm value files, if not registered already
- Check-in to git repo
Follow Readme for detailed information.
setup/notary¶
- Wait for networkmap pod to be “Running”
- Create ambassador certificates by calling create/certificates/cenm
- Create notary value files
- Check-in to git repo
Follow Readme for detailed information.
setup/notary-initial-registration¶
- Wait for idman pod to be “Running”
- Create notary db helm value files
- Create notary initial registration helm value files, if not registered already
- Check-in to git repo
Follow Readme for detailed information.
setup/pki-generator¶
- Create pki-generator value files, if values are not in Vault
- Check-in to git repo
Follow Readme for detailed information.
setup/pki-generator-node¶
- Create pki-generator value files, if values are not in Vault
- Check-in to git repo
Follow Readme for detailed information.
setup/signer¶
- Wait for pki-generator Job to be “Completed”
- Create signer value files
- Check-in to git repo
Follow Readme for detailed information.
setup/tlscerts¶
- Copies the idman/nmap certificates and truststore to each node’s Vault
Follow Readme for detailed information.
setup/vault_kubernetes¶
- Creates vault auth path if it does not exist
- Gets Kubernetes CA certs
- Enables Kubernetes and Vault authentication
- Creates Vault policies if they do not exist
- Creates docker credentials if they do not exist
If the Vault policies need to be changed, then this role will need to be edited.
Follow Readme for detailed information.