Quorum Configurations

In Hyperledger Bevel project, ansible is used to automate the certificate generation, putting them in vault and generate value files, which are then pushed to the repository for deployment, using GitOps. This is achieved using Ansible playbooks. Ansible playbooks contains a series of roles and tasks which run in sequential order to achieve the automation.

/quorum
|-- charts
|   |-- quorum-member-node
|   |-- quorum-tessera-node
|-- images
|-- configuration
|   |-- roles/
|   |-- samples/
|   |-- deploy-network.yaml
|-- releases
|   |-- dev/
|-- scripts

For Quorum, the ansible roles and playbooks are located at /platforms/quorum/configuration/ Some of the common roles and playbooks between Hyperledger-Fabric, Hyperledger-Indy, Hyperledger-Besu, R3 Corda and Quorum are located at /platforms/shared/configurations/

Roles for setting up a Quorum Network

Roles in ansible are a combination of logically inter-related tasks.

To deploy the quorum network, run the deploy-network.yaml in bevel\platforms\quorum\configuration\ The roles included in the file are as follows:

**check/k8_component

This role checks for the k8s resources in the cluster

  • Wait for {{ component_type }} {{ component_name }}

  • Wait for {{ component_type }} {{ component_name }} Follow Readme for detailed information.

**check/node_component

This role checks for the k8s resources in the cluster

  • Wait for {{ component_type }} {{ component_name }}

  • Wait for {{ component_type }} {{ component_name }} Follow Readme for detailed information.

create/certificates/ambassador

This role calls for ambassador certificate creation for each node.

  • Create Ambassador certificates

  • Ensure rootCA dir exists

  • Ensure ambassador tls dir exists

  • Check if certs already created

  • Get root certs

  • check root certs

  • Generate CAroot certificate

  • Check if ambassador tls already created

  • Get ambassador tls certs

  • Generate openssl conf file

  • Generate ambassador tls certs

  • Putting certs to vault

  • Check Ambassador cred exists

  • Create the Ambassador credentials Follow Readme for detailed information.

create/crypto/ibft

This role creates crypto for ibft.

  • Create crypto material for each peer with IBFT consensus

  • Check if nodekey already present in the vault

  • Create build directory if it does not exist

  • Generate enode url for each node and create a geth account and keystore

  • Copy the crypto material to Vault

Follow Readme for detailed information.

create/crypto/raft

This role creates crypto for raft.

  • Create crypto material for each peer with RAFT consensus

  • Check if nodekey already present in the vault

  • Create build directory if it does not exist

  • Generate crypto for raft consensus

  • Copy the crypto material to Vault

Follow Readme for detailed information.

create/crypto/tessera

This role creates crypto for tessera.

  • Create tessera tm crypto material for each peer

  • Check if tm key is already present in the vault

  • Create build directory if it does not exist

  • Check if tessera jar file exists

  • Download tessera jar

  • Generate node tm keys

  • Copy the crypto material to Vault

Follow Readme for detailed information.

create/genesis_nodekey

This role creates genesis nodekey.

  • Check if nodekey is present in vault

  • Call nested check for each node

  • Check if nodekey already present in the vault

  • vault_check variable

  • Fetching data of validator nodes in the network from network.yaml

  • Get validator node data

  • Create build directory if it does not exist

  • Generate istanbul files

  • Rename the directories created above with the elements of validator_node_list

  • Delete the numbered directories

Follow Readme for detailed information.

create/k8_component

This role creates deployment files for nodes, namespace storageclass, service accounts and clusterrolebinding. Deployment file for a node is created in a directory with name=nodeName, nodeName is stored in component_name

  • “Ensures {{ release_dir }}/{{ component_name }} dir exists”

  • create {{ component_type }} file for {{ component_name }}

  • Helm lint

Follow Readme for detailed information.

create/namespace_serviceaccount

This role creates the deployment files for namespaces, vault-auth, vault-reviewer and clusterrolebinding for each node

  • Check if namespace exists

  • Create namespace for {{ organisation }}

  • Create vault auth service account for {{ organisation }}

  • Create vault reviewer for {{ organisation }}

  • Create clusterrolebinding for {{ organisation }}

  • Push the created deployment files to repository

Follow Readme for detailed information.

create/storageclass

This role creates value files for storage class

  • Check if storageclass exists

  • Create storageclass

  • Push the created deployment files to repository

  • Wait for Storageclass creation for {{ component_name }}

Follow Readme for detailed information.

create/tessera

  • Set enode_data_list to []

  • Get enode data for each node of all organization

  • Get enode data

  • Check if enode is present in the build directory or not

  • Create build directory if it does not exist

  • Get the nodekey from vault and generate the enode

  • Get enode_data

  • Get validator node data

  • Git Push

Follow Readme for detailed information.

helm_component

This role generates the value file for the helm releases.

  • Ensures {{ values_dir }}/{{ name }} dir exists

  • create value file for {{ component_name }}

  • Helm lint

Follow Readme for detailed information.

setup/bootnode

This role is used to setup bootnode.

  • Check bootnode

  • Check quorum repo dir exists

  • Clone the git repo

  • Make bootnode

  • Create bin directory

  • Copy bootnode binary to destination directory

Follow Readme for detailed information.

setup/get_crypto

This role saves the crypto from Vault into ansible_provisioner.

  • Ensure directory exists

  • Save cert

  • Save key

  • Save root keychain

  • Extracting root certificate from .jks

Follow Readme for detailed information.

setup/geth

This role setups geth.

  • Check geth

  • Check quorum repo dir exists

  • Clone the git repo

  • Make geth

  • Create bin directory

  • Copy geth binary to destination directory

Follow Readme for detailed information.

setup/golang

This role setups geth.

  • Register temporary directory

  • Check go

  • Download golang tar

  • Extract the Go tarball

  • Create bin directory

  • Copy go binary to destination directory

  • Test go installation

Follow Readme for detailed information.

setup/istanbul

This role setups instanbul.

  • Register temporary directory

  • Check istanbul

  • Clone the istanbul-tools git repo

  • Make istanbul

  • Create bin directory

  • Copy istanbul binary to destination directory

Follow Readme for detailed information.

setup/vault_kubernetes

This role setups communication between the vault and kubernetes cluster and install neccessary configurations.

  • Check namespace is created

  • Ensures build dir exists

  • Check if Kubernetes-auth already created for Organization

  • Vault Auth enable for organisation

  • Get Kubernetes cert files for organizations

  • Write reviewer token

  • Check if secret-path already created for Organization

  • Create Vault secrets path

  • Check if policy exists

  • Create policy for Access Control

  • Create Vault auth role

  • Create the docker pull credentials

Follow Readme for detailed information.

delete/flux_releases

This role deletes the helm releases and uninstalls Flux

  • Uninstall flux

  • Delete the helmrelease for each peer

  • Remove node helm releases

  • Deletes namespaces

Follow Readme for detailed information.

delete/gitops_files

This role deletes all the gitops release files

  • Delete release files

  • Delete release files (namespaces)

  • Git Push

Follow Readme for detailed information.

delete/vault_secrets

This role deletes the Vault configurations

  • Delete docker creds

  • Delete Ambassador creds

  • Delete vault-auth path

  • Delete Crypto material

  • Delete Access policies

Follow Readme for detailed information.

deploy-network.yaml

This playbook deploys a DLT/Blockchain network on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook. It calls the following roles.

  • create/namespace_serviceaccount

  • create/storageclass

  • setup/vault_kubernetes

  • create/certificates/ambassador

  • create/crypto/raft

  • create/genesis_raft

  • setup/istanbul

  • create/genesis_nodekey

  • create/crypto/ibft

  • create/crypto/tessera

  • create/tessera

reset-network.yaml

This playbook deletes the DLT/Blockchain network on existing Kubernetes clusters which has been created using Hyperledger Bevel. It calls the following roles. THIS PLAYBOOK DELETES EVERYTHING, EVEN NAMESPACES and FLUX.

  • delete/vault_secrets

  • delete/flux_releases

  • delete/gitops_files

  • Remove build directory