diff -Naur quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml --- quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml 2023-07-04 22:33:08.000000000 -0300 +++ quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-cleanup.yaml 2023-07-04 18:31:46.000000000 -0300 @@ -4,9 +4,6 @@ metadata: name: {{ include "besu-genesis.name" . }}-cleanup labels: -{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }} - aadpodidbinding: "{{ .Values.azure.identityName }}" -{{- end }} app.kubernetes.io/name: besu-genesis-job-cleanup app.kubernetes.io/component: genesis-job-cleanup app.kubernetes.io/part-of: {{ include "besu-genesis.fullname" . }} @@ -23,9 +20,6 @@ template: metadata: labels: -{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }} - aadpodidbinding: "{{ .Values.azure.identityName }}" -{{- end}} app.kubernetes.io/name: besu-genesis-job-cleanup app.kubernetes.io/component: genesis-job-cleanup app.kubernetes.io/part-of: {{ include "besu-genesis.fullname" . }} @@ -36,7 +30,7 @@ serviceAccountName: {{ .Values.aws.serviceAccountName }} {{- else }} serviceAccountName: {{ include "besu-genesis.name" . }}-sa -{{- end }} +{{- end }} restartPolicy: "Never" containers: - name: delete-genesis @@ -51,11 +45,9 @@ - | {{- if .Values.quorumFlags.removeGenesisOnDelete }} - echo "Deleting genesis configmap in k8s ..." kubectl delete configmap --namespace {{ .Release.Namespace }} besu-genesis echo "Deleting node-enodes configmap in k8s ..." kubectl delete configmap --namespace {{ .Release.Namespace }} besu-peers - -{{- end}} +{{- end}} diff -Naur quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-init.yaml quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-init.yaml --- quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-init.yaml 2023-07-04 22:33:08.000000000 -0300 +++ quorum-kubernetes/helm/charts/besu-genesis/templates/genesis-job-init.yaml 2023-07-04 18:31:46.000000000 -0300 @@ -4,9 +4,6 @@ metadata: name: {{ include "besu-genesis.name" . }}-init labels: -{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }} - aadpodidbinding: "{{ .Values.azure.identityName }}" -{{- end }} app.kubernetes.io/name: besu-genesis-job app.kubernetes.io/component: genesis-job app.kubernetes.io/part-of: {{ include "besu-genesis.fullname" . }} @@ -22,9 +19,6 @@ template: metadata: labels: -{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }} - aadpodidbinding: "{{ .Values.azure.identityName }}" -{{- end }} app.kubernetes.io/name: besu-genesis-job app.kubernetes.io/component: genesis-job app.kubernetes.io/part-of: {{ include "besu-genesis.fullname" . }} @@ -51,43 +45,31 @@ - -c args: - | -{{- if and (eq .Values.cluster.provider "azure") (.Values.cluster.cloudNativeServices) }} - function safeWriteSecret { - key=$1 - fpath=$2 - az keyvault secret show --vault-name {{ .Values.azure.keyvaultName }} --name $key > /dev/null 2>&1 - if [ $? -ne 0 ]; then - az keyvault secret set --vault-name {{ .Values.azure.keyvaultName }} --name $key --file $fpath --encoding utf-8 - else - # if the key exists pull it from keyvault so that when you update the enodes configmap, you have the right value - az keyvault secret show --vault-name {{ .Values.azure.keyvaultName }} --name $key | jq -r '.value' > $fpath - fi - } - az login --identity --debug - az account set --subscription {{ .Values.azure.subscriptionId }} - -{{- else if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }} - +{{- if and (eq .Values.cluster.provider "aws") (.Values.cluster.cloudNativeServices) }} function safeWriteSecret { key=$1 fpath=$2 + overwrite=$3 aws secretsmanager describe-secret --secret-id $key > /dev/null 2>&1 if [ $? -ne 0 ]; then aws secretsmanager create-secret --name $key --description $key --secret-string file://$fpath else - # if the key exists pull it from keyvault so that when you update the enodes configmap, you have the right value - aws secretsmanager get-secret-value --secret-id $key | jq -r '.SecretString' > $fpath + if [ "$overwrite" = "true" ]; then + echo "Updating $key" in Vault + aws secretsmanager update-secret --secret-id $key --secret-string file://$fpath + else + # if the key exists pull it from keyvault so that when you update the enodes configmap, you have the right value + aws secretsmanager get-secret-value --secret-id $key | jq -r '.SecretString' > $fpath + fi fi } - {{- else }} - + function safeWriteSecret { key=$1 fpath=$2 kubectl create secret generic ${key}-keys --namespace {{ .Release.Namespace }} --from-file=nodekey=${fpath}/nodekey --from-file=nodekey.pub=${fpath}/nodekey.pub --from-file=enode=${fpath}/nodekey.pub --from-file=accountPrivate.key=${fpath}/accountPrivateKey --from-file=accountPassword=${fpath}/accountPassword --from-file=accountKeystore=${fpath}/accountKeystore --from-file=accountAdddress=${fpath}/accountAddress } - {{- end }} function safeWriteBesuPeersConfigmap { @@ -109,11 +91,14 @@ echo "Creating config ..." FOLDER_PATH=$(quorum-genesis-tool --consensus {{ .Values.rawGenesisConfig.genesis.config.algorithm.consensus }} {{ if .Values.rawGenesisConfig.blockchain.nodes.generate }} --validators {{ .Values.rawGenesisConfig.blockchain.nodes.count }} {{ else }} --validators 0 {{ end }} --members 0 --bootnodes 0 --chainID {{ .Values.rawGenesisConfig.genesis.config.chainId }} --blockperiod {{ .Values.rawGenesisConfig.genesis.config.algorithm.blockperiodseconds }} --epochLength {{ .Values.rawGenesisConfig.genesis.config.algorithm.epochlength }} --requestTimeout {{ .Values.rawGenesisConfig.genesis.config.algorithm.requesttimeoutseconds }} --difficulty {{ .Values.rawGenesisConfig.genesis.difficulty }} --gasLimit {{ .Values.rawGenesisConfig.genesis.gasLimit }} --coinbase {{ .Values.rawGenesisConfig.genesis.coinbase }} {{ if .Values.rawGenesisConfig.blockchain.accountPassword }} --accountPassword {{ .Values.rawGenesisConfig.blockchain.accountPassword }} {{ end }} --quickstartDevAccounts {{ .Values.rawGenesisConfig.genesis.includeQuickStartAccounts }} --outputPath /generated-config | tail -1 | sed -e "s/^Artifacts in folder: //") - echo "Creating bootnodes configmap in k8s ..." - echo "[]" > /tmp/besu-bootnodes - kubectl create configmap --namespace {{ .Release.Namespace }} besu-bootnodes --from-file=bootnodes=/tmp/besu-bootnodes + echo "quorum-genesis-tool --consensus {{ .Values.rawGenesisConfig.genesis.config.algorithm.consensus }} {{ if .Values.rawGenesisConfig.blockchain.nodes.generate }} --validators {{ .Values.rawGenesisConfig.blockchain.nodes.count }} {{ else }} --validators 0 {{ end }} --members 0 --bootnodes 0 --chainID {{ .Values.rawGenesisConfig.genesis.config.chainId }} --blockperiod {{ .Values.rawGenesisConfig.genesis.config.algorithm.blockperiodseconds }} --epochLength {{ .Values.rawGenesisConfig.genesis.config.algorithm.epochlength }} --requestTimeout {{ .Values.rawGenesisConfig.genesis.config.algorithm.requesttimeoutseconds }} --difficulty {{ .Values.rawGenesisConfig.genesis.difficulty }} --gasLimit {{ .Values.rawGenesisConfig.genesis.gasLimit }} --coinbase {{ .Values.rawGenesisConfig.genesis.coinbase }} {{ if .Values.rawGenesisConfig.blockchain.accountPassword }} --accountPassword {{ .Values.rawGenesisConfig.blockchain.accountPassword }} {{ end }} --quickstartDevAccounts {{ .Values.rawGenesisConfig.genesis.includeQuickStartAccounts }} --outputPath /generated-config" - echo $FOLDER_PATH + # Disable because bootnode configmap will create into besu chart when isBootNode + # echo "Creating bootnodes configmap in k8s ..." + # echo "[]" > /tmp/besu-bootnodes + # kubectl create configmap --namespace {{ .Release.Namespace }} besu-bootnodes --from-file=bootnodes=/tmp/besu-bootnodes + + echo "Folder Path: "$FOLDER_PATH echo "Creating genesis configmap in k8s ..." safeWriteGenesisConfigmap $FOLDER_PATH @@ -126,25 +111,25 @@ echo $f echo "Creating keys in vault for validator-${i} ..." -{{- if and (ne .Values.cluster.provider "local") (.Values.cluster.cloudNativeServices) }} +{{- if and (ne .Values.cluster.provider "local") (.Values.cluster.cloudNativeServices) (eq .Values.cluster.provider "aws") }} - safeWriteSecret besu-node-validator-${i}-nodekey $FOLDER_PATH/${f}/nodekey - safeWriteSecret besu-node-validator-${i}-nodekeypub $FOLDER_PATH/${f}/nodekey.pub - safeWriteSecret besu-node-validator-${i}-enode $FOLDER_PATH/${f}/nodekey.pub - safeWriteSecret besu-node-validator-${i}-address $FOLDER_PATH/${f}/address + safeWriteSecret besu-node-validator-${i}-nodekey $FOLDER_PATH/${f}/nodekey {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-nodekeypub $FOLDER_PATH/${f}/nodekey.pub {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-enode $FOLDER_PATH/${f}/nodekey.pub {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-address $FOLDER_PATH/${f}/address {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} kubectl create configmap --namespace {{ .Release.Namespace }} besu-node-validator-${i}-address --from-file=address=$FOLDER_PATH/${f}/address - safeWriteSecret besu-node-validator-${i}-accountPrivateKey $FOLDER_PATH/${f}/accountPrivateKey - safeWriteSecret besu-node-validator-${i}-accountPassword $FOLDER_PATH/${f}/accountPassword - safeWriteSecret besu-node-validator-${i}-accountKeystore $FOLDER_PATH/${f}/accountKeystore - safeWriteSecret besu-node-validator-${i}-accountAddress $FOLDER_PATH/${f}/accountAddress + safeWriteSecret besu-node-validator-${i}-accountPrivateKey $FOLDER_PATH/${f}/accountPrivateKey {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-accountPassword $FOLDER_PATH/${f}/accountPassword {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-accountKeystore $FOLDER_PATH/${f}/accountKeystore {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} + safeWriteSecret besu-node-validator-${i}-accountAddress $FOLDER_PATH/${f}/accountAddress {{ .Values.rawGenesisConfig.blockchain.nodes.overwrite }} {{- else }} - + safeWriteSecret besu-node-validator-${i} "$FOLDER_PATH/${f}" kubectl create configmap --namespace {{ .Release.Namespace }} besu-node-validator-${i}-address --from-file=address=$FOLDER_PATH/${f}/address - {{- end }} + # add to the static-nodes pubkey=$(cat $FOLDER_PATH/${f}/nodekey.pub ) echo ",\"enode://$pubkey@besu-node-validator-$i-0.besu-node-validator-$i.{{ .Release.Namespace }}.svc.cluster.local:30303?discport=0\"" >> $FOLDER_PATH/static-nodes.json diff -Naur quorum-kubernetes/helm/charts/besu-genesis/values.yaml quorum-kubernetes/helm/charts/besu-genesis/values.yaml --- quorum-kubernetes/helm/charts/besu-genesis/values.yaml 2023-07-04 22:33:08.000000000 -0300 +++ quorum-kubernetes/helm/charts/besu-genesis/values.yaml 2023-07-04 18:31:46.000000000 -0300 @@ -4,25 +4,14 @@ removeGenesisOnDelete: true cluster: - provider: local # choose from: local | aws | azure - cloudNativeServices: false # set to true to use Cloud Native Services (SecretsManager and IAM for AWS; KeyVault & Managed Identities for Azure) + provider: aws # choose from: local | aws + cloudNativeServices: true # set to true to use Cloud Native Services (SecretsManager and IAM for AWS) aws: # the aws cli commands uses the name 'quorum-node-secrets-sa' so only change this if you altered the name serviceAccountName: quorum-node-secrets-sa # the region you are deploying to - region: ap-southeast-2 - -azure: - # the script/bootstrap.sh uses the name 'quorum-pod-identity' so only change this if you altered the name - identityName: quorum-pod-identity - # the clientId of the user assigned managed identity created in the template - identityClientId: azure-clientId - keyvaultName: azure-keyvault - # the tenant ID of the key vault - tenantId: azure-tenantId - # the subscription ID to use - this needs to be set explictly when using multi tenancy - subscriptionId: azure-subscriptionId + region: us-east-1 # the raw Genesis config # rawGenesisConfig.blockchain.nodes set the number of validators/signers @@ -41,11 +30,11 @@ blockchain: nodes: generate: true + overwrite: false count: 4 accountPassword: 'password' - image: repository: consensys/quorum-k8s-hooks - tag: qgt-0.2.11 + tag: qgt-0.2.6 pullPolicy: IfNotPresent